
ClayRat Telegram phishing distribution campaign targeting Android users in Russia

Campaign
Happening score: 40
3 unique sources, 3 articles

Summary


The ClayRat campaign is an active Android spyware operation that now includes a newer iteration with expanded surveillance and device-control features. Researchers reported keylogging, full screen recording, deceptive overlays, and automated actions that can block shutdown or app removal, while the malware continues to spread through phishing sites and Dropbox-hosted APKs. The campaign has also been observed using 25 active phishing domains impersonating services such as YouTube, and the report says it targets BYOD environments where an infected device could enable data theft, fraud, and unauthorized access.

Related Happenings

LLMShare ChatGPT share-link malware lure campaign

Campaign
First: 29.05.2026 21:21 Last: 29.05.2026 21:21 Sources 1

About this happening: The **LLMShare** campaign is using **Google ads** and a legitimate **chatgpt.com** shared page to route people searching for **ChatGPT** into a fake **OpenAI outage** lure that pu...

GreyVibe custom malware activity with LegionRelay, PhantomRelay, and FallSpy

Malware Activity
First: 29.05.2026 01:24 Last: 29.05.2026 01:24 Sources 1

About this happening: **GREYVIBE** is a **Russian-speaking** malware activity targeting **Ukraine and Ukraine-related entities** since at least **August 2025**. The group uses **spear-phishing e-mails*...

JINX-0164 cryptocurrency recruitment-lure campaign

Campaign
First: 28.05.2026 10:54 Last: 28.05.2026 10:54 Sources 1

About this happening: A **JINX-0164** campaign is targeting **cryptocurrency firms** and developers with **LinkedIn recruiter lures**, a fake meeting-and-fix workflow, and **macOS malware** to steal cr...

Grandoreiro and BTMOB banking trojan activity targeting Windows and Android

Malware Activity
First: 27.05.2026 19:10 Last: 27.05.2026 19:10 Sources 1

About this happening: **BTMOB** is an **Android remote access trojan** sold as **malware-as-a-service** on the **clearweb** and in private **Telegram** channels, with a builder that generates customize...

BTMOB Android RAT no-code builder malware activity

Malware Activity
First: 26.05.2026 17:00 Last: 26.05.2026 17:00 Sources 1

About this happening: **BTMOB** is an **Android RAT** sold as **malware-as-a-service** on the **clearweb** and in private **Telegram** channels, with a **no-code APK builder** that generates customized...

Latest development: 29.05.2026 00:10

BTMOB is openly advertised on the clearweb and in private Telegram channels as a malware-as-a-service (MaaS) platform with an APK builder that customizes phishing payloads without coding. The Android RAT targets users mainly in Brazil and Latin America, uses phishing sites masquerading as streaming services, cryptocurrency mining platforms, and Google Play portals, and custom lures have included an Argentinian government agency theme.

Timeline

  1. 09.10.2025 18:30 4 articles · 7mo ago

    ClayRat Android spyware campaign uses Telegram and phishing sites

    Technical Analysis Update

    ClayRat is a rapidly evolving Android spyware campaign targeting users in Russia through Telegram channels and lookalike phishing websites that impersonate WhatsApp, Google Photos, TikTok, and YouTube. Some samples act as droppers with a fake Play Store update screen and an encrypted payload hidden in app assets, then use standard HTTP to reach C2 infrastructure, request the default SMS app, and enable collection of SMS messages, call logs, notifications, device information, photos, phone calls, and installed-app lists; the malware can also self-propagate by sending malicious links to contacts. Zimperium identified at least 600 samples and 50 droppers over the last 90 days.
