CyberHappenings logo
☰
🏠 Home πŸ“‚ Browse ℹ️ About

Brokewell Android malware delivered via fake TradingView ads

First reported
Last updated
πŸ“° 1 unique sources, 1 articles

Summary

Hide β–²

A malware campaign targeting Android users has been using fake TradingView ads to deliver the Brokewell malware since at least July 22. The malware, which has been active since early 2024, steals sensitive data, provides remote control, and monitors compromised devices. The campaign uses Meta’s advertising platforms to lure victims with promises of a free TradingView Premium app. The malware is highly advanced, featuring extensive capabilities to hijack and control devices. The campaign specifically targets cryptocurrency assets and has been running through an estimated 75 localized ads. The malware is distributed via a malicious APK file hosted on a fake TradingView site. Once installed, the malware requests extensive permissions and can perform a wide range of malicious activities, including stealing authentication codes, intercepting messages, and remotely controlling the device.

Timeline

  1. 31.08.2025 21:35 πŸ“° 1 articles

    Brokewell Android malware campaign discovered

    A malware campaign targeting Android users has been using fake TradingView ads to deliver the Brokewell malware since at least July 22, 2025. The malware, which has been active since early 2024, steals sensitive data, provides remote control, and monitors compromised devices. The campaign uses Meta’s advertising platforms to lure victims with promises of a free TradingView Premium app. The malware is distributed via a malicious APK file hosted on a fake TradingView site. Once installed, the malware requests extensive permissions and can perform a wide range of malicious activities, including stealing authentication codes, intercepting messages, and remotely controlling the device.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

ChillyHell macOS Backdoor Resurfaces with New Capabilities

The ChillyHell macOS backdoor malware, initially observed in 2022, has resurfaced with a new version. This modular backdoor allows attackers remote access and the ability to drop payloads, brute-force passwords, and evade detection. The malware, disguised as an executable applet, was discovered on VirusTotal and had been publicly hosted on Dropbox since 2021. The malware employs multiple persistence mechanisms and communicates over various protocols, making it highly flexible. It can exfiltrate data, drop additional payloads, and enumerate user accounts. Apple has revoked the notarization of the developer certificates associated with the malware. The resurgence of ChillyHell highlights the increasing threat landscape for macOS, emphasizing the need for robust security measures. A new Go-based remote access trojan (RAT) named ZynorRAT has been discovered, targeting Windows and Linux systems. ZynorRAT uses a Telegram bot for command and control and supports a wide range of functions, including file exfiltration and system enumeration.

Open in new tab

MostereRAT Malware Disables Security Tools, Targets Japanese Windows Users

A new malware campaign, tracked as MostereRAT, targets Japanese Windows users with sophisticated evasion techniques. MostereRAT disables antivirus and endpoint defenses, uses an obscure programming language, and abuses legitimate remote access tools to maintain persistent control over compromised systems. The malware's capabilities include privilege escalation, keylogging, data exfiltration, and the creation of hidden administrator accounts. The campaign's long-term objectives and the full extent of its impact remain unclear. MostereRAT employs Easy Programming Language (EPL) to evade detection and uses Windows Filtering Platform (WFP) filters to block security telemetry. The malware deploys legitimate remote access tools like AnyDesk, TigerVNC, and TightVNC, making it difficult to detect. The campaign highlights the importance of removing local administrator privileges and blocking unapproved remote access tools to reduce the attack surface. The malware uses mutual TLS (mTLS) to secure command-and-control (C2) communications and can run as TrustedInstaller, a built-in Windows system account with elevated permissions. MostereRAT can monitor foreground window activity associated with Qianniu - Alibaba's Seller Tool, facilitate RDP logins, and create hidden administrator accounts.

Open in new tab

SVG Files Used to Deploy Phishing Pages in Colombian Judicial System Impersonation Campaign

A malware campaign leveraging SVG files to deploy Base64-encoded phishing pages impersonating the Colombian judicial system has been identified. The SVG files, distributed via email, execute JavaScript payloads to inject phishing pages and download ZIP archives. The campaign involves 523 unique SVG files that have evaded detection by antivirus engines. The earliest sample dates back to August 14, 2025. The campaign highlights the evolving tactics used by threat actors to bypass security measures and target macOS systems with information stealers like Atomic macOS Stealer (AMOS). This campaign also coincides with broader trends in cyber threats targeting macOS and gamers.

Open in new tab

GhostRedirector Compromises 65 Windows Servers Using Rungan Backdoor and Gamshen IIS Module

GhostRedirector, a previously undocumented threat cluster, has compromised at least 65 Windows servers primarily in Brazil, Thailand, and Vietnam. The attacks, active since at least August 2024, deployed the Rungan backdoor and Gamshen IIS module. Rungan executes commands on compromised servers, while Gamshen manipulates search engine results for SEO fraud. The threat actor targets various sectors, including education, healthcare, technology, transportation, insurance, and retail, using SQL injection vulnerabilities for initial access. The group is assessed with medium confidence to be China-aligned. The operation involves using PowerShell to download malware tools and exploits like EfsPotato and BadPotato for privilege escalation.

Open in new tab

Malicious link spreading via X's Grok AI

Threat actors exploit X's Grok AI to bypass link posting restrictions and spread malicious links. They embed links in the 'From:' metadata field of video ads, prompting Grok to reveal the links in replies. This technique, dubbed 'Grokking,' boosts the credibility and reach of malicious content, leading users to scams and malware. The abuse affects millions of users, with Grok's trusted status amplifying the spread of malicious ads. Potential solutions include scanning all fields, blocking hidden links, and sanitizing Grok's responses to prevent it from echoing malicious links. The malicious links are part of a Traffic Distribution System (TDS) used by malicious ad tech vendors, and the operation involves hundreds of organized accounts. The Grok 4 model's security is fundamentally weaker than its competitors, relying heavily on system prompts that can be easily bypassed.

Open in new tab