Find notable cyber news and cases, enriched with sources, timelines, and signals.

ClayRat Telegram phishing distribution campaign targeting Android users in Russia

Campaign
First reported
Last updated
Happening score
H score 27
3 unique sources, 3 articles

Summary

Hide ▲

The ClayRat campaign is an active Android spyware operation that now includes a newer iteration with expanded surveillance and device-control features. Researchers reported keylogging, full screen recording, deceptive overlays, and automated actions that can block shutdown or app removal, while the malware continues to spread through phishing sites and Dropbox-hosted APKs. The campaign has also been observed using 25 active phishing domains impersonating services such as YouTube, and the report says it targets BYOD environments where an infected device could enable data theft, fraud, and unauthorized access.

Related Happenings

Asin Android spyware distribution through fake utility, PDF, and war-map apps

Malware Activity
H score22 First: 05.06.2026 17:53 Last: 05.06.2026 17:53 Sources 1

About this happening: The **Asin** Android spyware activity is being distributed through fake utility, PDF, and war-map apps, putting **Arabic-speaking users** at risk of covert surveillance on **Andro...

WeedHack Minecraft MaaS campaign expands with malicious JARs and remote access

Malware Activity
H score65 First: 03.06.2026 00:54 Last: 03.06.2026 00:54 Sources 1

About this happening: **WeedHack** is a **Minecraft-focused malware-as-a-service** operation that has been active since **January 2026** and uses **SEO poisoning** and **YouTube** to push malicious dow...

WeedHack YouTube and SEO poisoning campaign targeting Minecraft players

Campaign
H score73 First: 03.06.2026 00:54 Last: 03.06.2026 00:54 Sources 1

About this happening: **WeedHack** is a **Minecraft-focused malware-as-a-service (MaaS)** campaign that uses **YouTube** and **SEO poisoning** to push malicious **mods, clients, cheats, and utilities**...

LLMShare ChatGPT share-link malware lure campaign

Campaign
H score47 First: 29.05.2026 21:21 Last: 29.05.2026 21:21 Sources 1

About this happening: The **LLMShare** campaign is using **Google ads** and a legitimate **chatgpt.com** shared page to route people searching for **ChatGPT** into a fake **OpenAI outage** lure that pu...

GreyVibe custom malware activity with LegionRelay, PhantomRelay, and FallSpy

Malware Activity
H score41 First: 29.05.2026 01:24 Last: 29.05.2026 01:24 Sources 1

About this happening: **GREYVIBE** is a **Russian-speaking** malware activity targeting **Ukraine and Ukraine-related entities** since at least **August 2025**. The group uses **spear-phishing e-mails*...

Timeline

  1. 09.10.2025 18:30 4 articles · 9mo ago

    ClayRat Android spyware campaign uses Telegram and phishing sites

    Technical Analysis Update

    ClayRat is a rapidly evolving Android spyware campaign targeting users in Russia through Telegram channels and lookalike phishing websites that impersonate WhatsApp, Google Photos, TikTok, and YouTube. Some samples act as droppers with a fake Play Store update screen and an encrypted payload hidden in app assets, then use standard HTTP to reach C2 infrastructure, request the default SMS app, and enable collection of SMS messages, call logs, notifications, device information, photos, phone calls, and installed-app lists; the malware can also self-propagate by sending malicious links to contacts. Zimperium identified at least 600 samples and 50 droppers over the last 90 days.

    Show sources