Mobdro lure campaign delivering Klopatra to illegal streaming users
Campaign
Summary
The Mobdro lure campaign is pushing Klopatra to users of illegal streaming services, widening the risk of covert banking theft across Europe. By disguising the Trojan as a familiar pirate-streaming app, the operators are using brand recognition to drive sideloading outside official stores. The result is an active delivery operation tied to Italy and Spain, where infected devices have already been reported in the thousands.
Related Happenings
Grandoreiro and BTMOB banking trojan activity targeting Windows and Android
Malware Activity
H score: 25
First: 27.05.2026 19:10
Last: 27.05.2026 19:10
Sources 1
About this happening:
**BTMOB** is an **Android remote access trojan** sold as **malware-as-a-service** on the **clearweb** and in private **Telegram** channels, with a builder that generates customize...
BTMOB phishing campaign targeting Android users in Brazil and beyond
Campaign
H score: 34
First: 26.05.2026 17:00
Last: 26.05.2026 17:00
Sources 1
About this happening:
The **BTMOB phishing distribution campaign** is pushing **malicious APKs** through **fake app stores**, expanding Android compromise risk across **Brazil and beyond**. Operators l...
BTMOB Android RAT no-code builder malware activity
Malware Activity
H score: 28
First: 26.05.2026 17:00
Last: 26.05.2026 17:00
Sources 1
About this happening:
**BTMOB** is an **Android RAT** sold as **malware-as-a-service** on the **clearweb** and in private **Telegram** channels, with a **no-code APK builder** that generates customized...
Latest development: 29.05.2026 00:10
BTMOB is openly advertised on the clearweb and in private Telegram channels as a malware-as-a-service (MaaS) platform with an APK builder that customizes phishing payloads without coding. The Android RAT targets users mainly in Brazil and Latin America, uses phishing sites masquerading as streaming services, cryptocurrency mining platforms, and Google Play portals, and custom lures have included an Argentinian government agency theme.
TrickMo C TikTok-lure campaign targeting banking and wallet users in France, Italy, and Austria
Campaign
H score: 38
First: 11.05.2026 18:15
Last: 11.05.2026 18:15
Sources 1
About this happening:
The **TrickMo** operators ran an active **TikTok-themed** campaign between **January and February 2026**, targeting **banking and wallet users** in **France, Italy and Austria**....
TrickMo Android banking malware adds TON-based covert command-and-control
Malware Activity
H score: 33
First: 11.05.2026 12:03
Last: 11.05.2026 12:03
Sources 1
About this happening:
The **TrickMo Android banking malware** has added **TON-based covert command-and-control**, making its operator infrastructure harder to identify, block, or take down for victims...
Timeline
- 30.09.2025 23:28 · 2 articles · 8mo ago
Klopatra banking Trojan disclosed as a Mobdro-disguised Android campaign
Initial Disclosure
Cleafy describes Klopatra as a new Android banking Trojan/RAT that is disguised as the Mobdro pirate-streaming app, abuses Accessibility Services after sideloading, and uses Virbox plus anti-sandboxing and native-library techniques to hinder analysis. The reported campaign is tied to Turkish-language cyberattackers, targets users of illegal streaming services, and has infected more than 3,000 devices in Italy and Spain since initial builds were first observed in March and the malware matured in the summer.
Sources:
- 'Klopatra' Trojan Makes Bank Transfers While You Sleep — www.darkreading.com — 30.09.2025 23:28