ClayRat Telegram phishing distribution campaign targeting Android users in Russia
Campaign
Summary
Hide ▲
Show ▼
The ClayRat campaign is an active Android spyware operation that now includes a newer iteration with expanded surveillance and device-control features. Researchers reported keylogging, full screen recording, deceptive overlays, and automated actions that can block shutdown or app removal, while the malware continues to spread through phishing sites and Dropbox-hosted APKs. The campaign has also been observed using 25 active phishing domains impersonating services such as YouTube, and the report says it targets BYOD environments where an infected device could enable data theft, fraud, and unauthorized access.
Related Happenings
Asin Android spyware distribution through fake utility, PDF, and war-map apps
Malware Activity
H score22
First: 05.06.2026 17:53
Last: 05.06.2026 17:53
Sources 1
About this happening:
The **Asin** Android spyware activity is being distributed through fake utility, PDF, and war-map apps, putting **Arabic-speaking users** at risk of covert surveillance on **Andro...
Asin Android spyware distribution through fake utility, PDF, and war-map apps
Malware ActivityAbout this happening: The **Asin** Android spyware activity is being distributed through fake utility, PDF, and war-map apps, putting **Arabic-speaking users** at risk of covert surveillance on **Andro...
WeedHack Minecraft MaaS campaign expands with malicious JARs and remote access
Malware Activity
H score65
First: 03.06.2026 00:54
Last: 03.06.2026 00:54
Sources 1
About this happening:
**WeedHack** is a **Minecraft-focused malware-as-a-service** operation that has been active since **January 2026** and uses **SEO poisoning** and **YouTube** to push malicious dow...
WeedHack Minecraft MaaS campaign expands with malicious JARs and remote access
Malware ActivityAbout this happening: **WeedHack** is a **Minecraft-focused malware-as-a-service** operation that has been active since **January 2026** and uses **SEO poisoning** and **YouTube** to push malicious dow...
WeedHack YouTube and SEO poisoning campaign targeting Minecraft players
Campaign
H score73
First: 03.06.2026 00:54
Last: 03.06.2026 00:54
Sources 1
About this happening:
**WeedHack** is a **Minecraft-focused malware-as-a-service (MaaS)** campaign that uses **YouTube** and **SEO poisoning** to push malicious **mods, clients, cheats, and utilities**...
WeedHack YouTube and SEO poisoning campaign targeting Minecraft players
CampaignAbout this happening: **WeedHack** is a **Minecraft-focused malware-as-a-service (MaaS)** campaign that uses **YouTube** and **SEO poisoning** to push malicious **mods, clients, cheats, and utilities**...
LLMShare ChatGPT share-link malware lure campaign
Campaign
H score47
First: 29.05.2026 21:21
Last: 29.05.2026 21:21
Sources 1
About this happening:
The **LLMShare** campaign is using **Google ads** and a legitimate **chatgpt.com** shared page to route people searching for **ChatGPT** into a fake **OpenAI outage** lure that pu...
LLMShare ChatGPT share-link malware lure campaign
CampaignAbout this happening: The **LLMShare** campaign is using **Google ads** and a legitimate **chatgpt.com** shared page to route people searching for **ChatGPT** into a fake **OpenAI outage** lure that pu...
GreyVibe custom malware activity with LegionRelay, PhantomRelay, and FallSpy
Malware Activity
H score41
First: 29.05.2026 01:24
Last: 29.05.2026 01:24
Sources 1
About this happening:
**GREYVIBE** is a **Russian-speaking** malware activity targeting **Ukraine and Ukraine-related entities** since at least **August 2025**. The group uses **spear-phishing e-mails*...
GreyVibe custom malware activity with LegionRelay, PhantomRelay, and FallSpy
Malware ActivityAbout this happening: **GREYVIBE** is a **Russian-speaking** malware activity targeting **Ukraine and Ukraine-related entities** since at least **August 2025**. The group uses **spear-phishing e-mails*...
Timeline
-
09.10.2025 18:30 4 articles · 9mo ago
ClayRat Android spyware campaign uses Telegram and phishing sites
Technical Analysis UpdateClayRat is a rapidly evolving Android spyware campaign targeting users in Russia through Telegram channels and lookalike phishing websites that impersonate WhatsApp, Google Photos, TikTok, and YouTube. Some samples act as droppers with a fake Play Store update screen and an encrypted payload hidden in app assets, then use standard HTTP to reach C2 infrastructure, request the default SMS app, and enable collection of SMS messages, call logs, notifications, device information, photos, phone calls, and installed-app lists; the malware can also self-propagate by sending malicious links to contacts. Zimperium identified at least 600 samples and 50 droppers over the last 90 days.
Show sources
- New ClayRat Spyware Targets Android Users via Fake WhatsApp and TikTok Apps — thehackernews.com — 09.10.2025 18:30
- New ClayRat Spyware Targets Android Users via Fake WhatsApp and TikTok Apps — thehackernews.com — 09.10.2025 18:30
- New Android spyware ClayRat imitates WhatsApp, TikTok, YouTube — www.bleepingcomputer.com — 10.10.2025 00:06
- ClayRat Android Spyware Expands Capabilities — www.infosecurity-magazine.com — 08.12.2025 18:45