NFC Relay Malware Surge Targeting European Payment Cards
Summary
A surge of NFC relay malware targeting payment cards has been observed in Eastern Europe. Over 760 malicious Android apps have been identified, abusing Android's Host Card Emulation (HCE) to steal contactless credit card data. The malware captures EMV fields, manipulates APDU commands, and enables unauthorized payments. It has evolved into multiple variants, including data harvesters, relay toolkits, and ghost-tap payments, and has spread across Poland, the Czech Republic, Russia, and Slovakia. The apps impersonate Google Pay and various financial institutions, with over 70 command-and-control servers and Telegram bots facilitating the attacks. New research reveals that over 54 malicious APK samples, often disguised as legitimate financial apps, are being sold and promoted within Chinese-language cybercrime communities on Telegram. Victims are targeted through smishing and vishing campaigns, and card data is transmitted via C2 servers to complete fraudulent transactions. Prominent vendors like TX-NFC, X-NFC, and NFU Pay sell access to this malware, with TX-NFC alone having over 21,000 subscribers.
Timeline
- 07.01.2026 18:00 (1 article)
Ghost Tap Malware Fuels Remote NFC Payment Fraud
Over 54 malicious APK samples have been identified, many disguised as legitimate financial or payment apps. Victims are targeted through smishing and vishing campaigns to install the malicious app and tap their payment card against their phone. Card data is transmitted via a command-and-control (C2) server to a criminal-controlled device, which completes transactions using illicitly obtained point-of-sale (POS) terminals. Prominent vendors operating on Telegram, including TX-NFC, X-NFC, and NFU Pay, sell access to tap-to-pay malware for fees ranging from short-term trials to multi-month subscriptions. Between November 2024 and August 2025, at least $355,000 in illegitimate transactions were linked to one POS terminal vendor advertising openly on Telegram.
- Ghost Tap Malware Fuels Surge in Remote NFC Payment Fraud — www.infosecurity-magazine.com — 07.01.2026 18:00
- 30.10.2025 22:17 (2 articles)
NFC Relay Malware Surge in Eastern Europe
A massive surge of NFC relay malware has been observed in Eastern Europe, with over 760 malicious Android apps identified. The malware abuses Android's Host Card Emulation (HCE) to steal contactless payment data. It has evolved into multiple variants and has spread across Poland, the Czech Republic, Russia, and Slovakia. The apps impersonate Google Pay and various financial institutions, with over 70 command-and-control servers and Telegram bots facilitating the attacks. New research reveals that over 54 malicious APK samples, often disguised as legitimate financial apps, are being sold and promoted within Chinese-language cybercrime communities on Telegram. Victims are targeted through smishing and vishing campaigns, and card data is transmitted via C2 servers to complete fraudulent transactions. Prominent vendors like TX-NFC, X-NFC, and NFU Pay sell access to this malware, with TX-NFC alone having over 21,000 subscribers.
- Massive surge of NFC relay malware steals Europeans’ credit cards — www.bleepingcomputer.com — 30.10.2025 22:17
- Ghost Tap Malware Fuels Surge in Remote NFC Payment Fraud — www.infosecurity-magazine.com — 07.01.2026 18:00
Information Snippets
- Over 760 malicious Android apps using NFC relay techniques have been discovered in Eastern Europe.
  First reported: 30.10.2025 22:17 (2 sources, 2 articles)
- Massive surge of NFC relay malware steals Europeans’ credit cards — www.bleepingcomputer.com — 30.10.2025 22:17
- Ghost Tap Malware Fuels Surge in Remote NFC Payment Fraud — www.infosecurity-magazine.com — 07.01.2026 18:00
- The malware abuses Android's Host Card Emulation (HCE) to steal contactless payment data.
  First reported: 30.10.2025 22:17 (2 sources, 2 articles)
- Massive surge of NFC relay malware steals Europeans’ credit cards — www.bleepingcomputer.com — 30.10.2025 22:17
- Ghost Tap Malware Fuels Surge in Remote NFC Payment Fraud — www.infosecurity-magazine.com — 07.01.2026 18:00
- The malware captures EMV fields and manipulates APDU commands to enable unauthorized payments.
  First reported: 30.10.2025 22:17 (2 sources, 2 articles)
- Massive surge of NFC relay malware steals Europeans’ credit cards — www.bleepingcomputer.com — 30.10.2025 22:17
- Ghost Tap Malware Fuels Surge in Remote NFC Payment Fraud — www.infosecurity-magazine.com — 07.01.2026 18:00
- Multiple variants of the malware have been identified, including data harvesters, relay toolkits, and ghost-tap payments.
  First reported: 30.10.2025 22:17 (2 sources, 2 articles)
- Massive surge of NFC relay malware steals Europeans’ credit cards — www.bleepingcomputer.com — 30.10.2025 22:17
- Ghost Tap Malware Fuels Surge in Remote NFC Payment Fraud — www.infosecurity-magazine.com — 07.01.2026 18:00
- The malware has spread across Poland, the Czech Republic, Russia, and Slovakia.
  First reported: 30.10.2025 22:17 (2 sources, 2 articles)
- Massive surge of NFC relay malware steals Europeans’ credit cards — www.bleepingcomputer.com — 30.10.2025 22:17
- Ghost Tap Malware Fuels Surge in Remote NFC Payment Fraud — www.infosecurity-magazine.com — 07.01.2026 18:00
- The apps impersonate Google Pay and various financial institutions, including Santander Bank, VTB Bank, and ING Bank.
  First reported: 30.10.2025 22:17 (1 source, 1 article)
- Massive surge of NFC relay malware steals Europeans’ credit cards — www.bleepingcomputer.com — 30.10.2025 22:17
- Over 70 command-and-control servers and Telegram bots are supporting these campaigns.
  First reported: 30.10.2025 22:17 (2 sources, 2 articles)
- Massive surge of NFC relay malware steals Europeans’ credit cards — www.bleepingcomputer.com — 30.10.2025 22:17
- Ghost Tap Malware Fuels Surge in Remote NFC Payment Fraud — www.infosecurity-magazine.com — 07.01.2026 18:00
- Over 54 malicious APK samples have been identified, many disguised as legitimate financial or payment apps.
  First reported: 07.01.2026 18:00 (1 source, 1 article)
- Ghost Tap Malware Fuels Surge in Remote NFC Payment Fraud — www.infosecurity-magazine.com — 07.01.2026 18:00
- Victims are targeted through smishing and vishing campaigns to install the malicious app and tap their payment card against their phone.
  First reported: 07.01.2026 18:00 (1 source, 1 article)
- Ghost Tap Malware Fuels Surge in Remote NFC Payment Fraud — www.infosecurity-magazine.com — 07.01.2026 18:00
- Card data is transmitted via a command-and-control (C2) server to a criminal-controlled device, which completes transactions using illicitly obtained point-of-sale (POS) terminals.
  First reported: 07.01.2026 18:00 (1 source, 1 article)
- Ghost Tap Malware Fuels Surge in Remote NFC Payment Fraud — www.infosecurity-magazine.com — 07.01.2026 18:00
- Prominent vendors operating on Telegram, including TX-NFC, X-NFC, and NFU Pay, sell access to tap-to-pay malware for fees ranging from short-term trials to multi-month subscriptions.
  First reported: 07.01.2026 18:00 (1 source, 1 article)
- Ghost Tap Malware Fuels Surge in Remote NFC Payment Fraud — www.infosecurity-magazine.com — 07.01.2026 18:00
- Between November 2024 and August 2025, at least $355,000 in illegitimate transactions were linked to one POS terminal vendor advertising openly on Telegram.
  First reported: 07.01.2026 18:00 (1 source, 1 article)
- Ghost Tap Malware Fuels Surge in Remote NFC Payment Fraud — www.infosecurity-magazine.com — 07.01.2026 18:00
- Law enforcement advisories and arrests across Europe, Asia, and the US point to the expanding reach of these schemes.
  First reported: 07.01.2026 18:00 (1 source, 1 article)
- Ghost Tap Malware Fuels Surge in Remote NFC Payment Fraud — www.infosecurity-magazine.com — 07.01.2026 18:00
Similar Happenings
Albiriox MaaS Malware Targets 400+ Apps for On-Device Fraud
A new Android malware named Albiriox, operating under a malware-as-a-service (MaaS) model, targets over 400 applications for on-device fraud (ODF), screen manipulation, and real-time device interaction. The malware uses dropper applications distributed through social engineering lures and packing techniques to evade detection. It leverages a custom builder and a third-party crypting service to bypass antivirus and mobile security solutions. The primary goal is to seize control of mobile devices and conduct fraudulent actions while remaining undetected. The malware has been advertised on cybercrime forums, with evidence suggesting Russian-speaking threat actors. Initial campaigns have targeted Austrian victims using German-language lures and fake Google Play Store app listings. The malware's subscription access launched at $650 per month before rising to $720 after October 21.
FBI Warns of $262M Stolen in Account Takeover Fraud Schemes
Since January 2025, cybercriminals impersonating bank support teams have stolen over $262 million through account takeover (ATO) fraud schemes. The FBI's Internet Crime Complaint Center (IC3) has received over 5,100 complaints, affecting individuals and businesses across various sectors. Criminals gain unauthorized access to online financial accounts using social engineering techniques or fraudulent websites. Once in control, they wire funds to crypto wallets and often change account passwords, making recovery difficult. The FBI advises monitoring financial accounts, using strong passwords, enabling MFA, and not relying on search-engine results to reach banking websites. Victims are urged to contact their financial institutions immediately and file complaints with the IC3. Recent reports highlight the growing use of AI-powered phishing campaigns, SEO poisoning, and exploitation of e-commerce vulnerabilities, particularly ahead of the holiday season. Additionally, purchase scams and mobile phishing (mishing) sites have seen a significant increase, leveraging trusted brand names to deceive users. The U.S. Justice Department (DoJ) has seized the fraud domain web3adspanels[.]org, which was used to host and manipulate illegally harvested bank login credentials. The scheme targeted 19 victims across the U.S., including two companies in the Northern District of Georgia, with attempted losses of approximately $28 million and actual losses of approximately $14.6 million. The confiscated domain stored the stolen login credentials of thousands of victims and hosted a backend server to facilitate takeover fraud as recently as November 2025. The FBI and Estonian law enforcement collaborated in this seizure, and the domain now displays a law enforcement banner indicating it is under the control of authorities. No arrests have been made yet, but the investigation may reveal clues leading to the operators.
Malicious Android apps on Google Play downloaded 42 million times
Between June 2024 and May 2025, 239 malicious Android apps on Google Play were downloaded over 42 million times. These apps primarily targeted mobile payments and financial information using various social engineering techniques. The manufacturing and energy sectors saw significant increases in mobile attacks, with the energy sector recording a 387% annual increase. The geographic impact highlighted substantial increases in attacks targeting India, the United States, and Canada, with notable spikes in Italy and Israel. IoT devices, particularly routers, were also heavily targeted, with Mirai and Gafgyt malware variants accounting for 75% of all blocked IoT requests. The shift to social engineering attacks reflects improved security standards in traditional payment methods. Zscaler observed a 67% year-over-year growth in mobile malware, with banking malware reaching 4.89 million transactions in 2025. Three notable malware families—Anatsa, Android Void, and Xnotice—were highlighted for their impact on Android users.
ClayRat Spyware Campaign Targets Android Users in Russia
A rapidly evolving Android spyware campaign known as ClayRat continues to target Russian users through Telegram channels and phishing websites. The spyware disguises itself as trusted apps such as WhatsApp, TikTok, Google Photos, and YouTube to trick users into downloading malicious software. Over the past three months, researchers identified more than 700 distinct ClayRat samples and 50 droppers, each version introducing new obfuscation layers to evade security tools. Once installed, the spyware can exfiltrate call logs, SMS messages, and notifications, take photos using the front camera, and send messages or place calls directly from the victim’s phone. The spyware’s operators employ a multifaceted strategy combining impersonation, deception, and automation. Distribution occurs mainly through phishing sites, Telegram channels, step-by-step installation guides, and session-based installers posing as Play Store updates. ClayRat’s most concerning feature is its abuse of Android's default SMS handler role, allowing it to read, store, and send text messages without alerting users. This access is exploited to spread itself further, sending messages to every saved contact. The latest version of ClayRat introduces far broader capabilities by combining Default SMS privileges with extensive abuse of Accessibility Services. Key functions include a keylogger that captures PINs, passwords, and patterns, full screen recording through the MediaProjection API, overlays that disguise malicious activity, and automated taps designed to block users from shutting down the device or deleting the app. These enhancements make the malware more persistent than earlier versions.

A new Android remote access trojan (RAT) called Fantasy Hub has been disclosed, sold as a Malware-as-a-Service (MaaS) product on Russian-speaking Telegram channels. Fantasy Hub enables device control and espionage, allowing threat actors to collect SMS messages, contacts, call logs, images, and videos. The malware abuses the default SMS privileges to obtain access to SMS messages, contacts, camera, and files, and uses fake overlays to obtain banking credentials associated with Russian financial institutions. Fantasy Hub is available for $200 per week, $500 per month, or $4,500 per year, and its C2 panel provides details about compromised devices and subscription status.

Zimperium's systems detected ClayRat variants as soon as they appeared, before public disclosures. The company shared its findings with Google, helping ensure protection through Google Play Protect. Security experts recommend a layered mobile security posture to reduce installation paths, detect compromise, and limit the blast radius. Users should only install applications from authorized Play/App stores.
SORVEPOTEL, Maverick, and Eternidade Stealer Malware Campaigns Target Brazilian Banks via WhatsApp
A self-spreading malware named SORVEPOTEL targets Brazilian users via WhatsApp. The malware spreads through phishing messages containing malicious ZIP files, primarily affecting Windows systems. The campaign is designed for rapid propagation rather than data theft or ransomware. The malware exploits the trust in WhatsApp to spread across contacts and groups, leading to account bans for excessive spam. The majority of infections are concentrated in Brazil, impacting various sectors including government, public service, and technology. The malware uses a Windows shortcut (LNK) file to execute a PowerShell script, which retrieves the main payload and establishes persistence on the infected system. It also communicates with a command-and-control (C2) server for further instructions. New findings reveal that SORVEPOTEL is linked to a banking malware called Maverick, which targets Brazilian banks and monitors active browser window tabs for URLs matching financial institutions. The malware uses IMAP connections to terra.com[.]br email accounts with hardcoded email credentials to retrieve commands, and implements a sophisticated remote control mechanism that allows the adversary to pause, resume, and monitor the WhatsApp propagation in real time.

A newly identified banking Trojan known as Eternidade Stealer has been observed pushing Brazil’s cybercrime ecosystem into a more aggressive phase, with attackers using WhatsApp as both an entry point and a propagation tool. The malware combines a WhatsApp-propagating worm, a Delphi-based stealer, and an MSI dropper to harvest financial data, system details, and contact lists. The campaign leverages a combination of social engineering and WhatsApp hijacking to distribute the trojan, using an obfuscated Visual Basic Script to drop a batch script that delivers two payloads: a Python script for WhatsApp Web-based dissemination and an MSI installer for Eternidade Stealer. The malware harvests a victim's entire contact list, filters out groups, business contacts, and broadcast lists, and sends a malicious attachment to all contacts. The MSI installer drops several payloads, including an AutoIt script that checks if the compromised system is based in Brazil by inspecting the operating system language. The script scans running processes and registry keys to ascertain the presence of installed security products and profiles the machine, sending details to a C2 server. The malware injects the Eternidade Stealer payload into 'svchost.exe' using process hollowing. Eternidade Stealer continuously scans active windows and running processes for strings related to banking portals, payment services, and cryptocurrency exchanges and wallets. The malware uses a terra.com[.]br email address to fetch C2 details, mirroring a tactic recently adopted by Water Saci. The campaign's backend was traced to two panels, one for managing the Redirector System and another login panel, used to monitor infected hosts.

The threat actor Water Saci is using a sophisticated, highly layered infection chain that uses HTML Application (HTA) files and PDFs to propagate a worm that deploys a banking trojan via WhatsApp in attacks targeting users in Brazil. The latest wave is characterized by the attackers shifting from PowerShell to a Python-based variant that spreads the malware in a worm-like manner over WhatsApp Web. The PDF lure instructs victims to update Adobe Reader by clicking on an embedded link. Users who receive HTA files are deceived into executing a Visual Basic Script immediately upon opening, which then runs PowerShell commands to fetch next-stage payloads from a remote server: an MSI installer for the trojan and a Python script that is responsible for spreading the malware via WhatsApp Web. The MSI installer serves as a conduit for delivering the banking trojan using an AutoIt script. The script also runs checks to ensure that only one instance of the trojan is running at any given time. The script verifies the presence of a marker file named "executed.dat." If it does not exist, the script creates the file and notifies an attacker-controlled server ("manoelimoveiscaioba[.]com"). The script analyzes the user's Google Chrome browsing history to search for visits to banking websites, specifically a hard-coded list comprising Santander, Banco do Brasil, Caixa Econômica Federal, Sicredi, and Bradesco. The script then proceeds to another critical reconnaissance step that involves checking for installed antivirus and security software, as well as harvesting detailed system metadata. The main functionality of the malware is to monitor open windows and extract their window titles to compare them against a list of banks, payment platforms, exchanges, and cryptocurrency wallets. If any of these windows contain keywords related to targeted entities, the script looks for a TDA file dropped by the installer and decrypts and injects it into a hollowed "svchost.exe" process, following which the loader searches for an additional DMP file containing the banking trojan. The banking trojan deployed is not Maverick, but rather a malware that exhibits structural and behavioral continuity with Casbaneiro. The trojan carries out "aggressive" anti-virtualization checks to sidestep analysis and detection, and gathers host information through Windows Management Instrumentation (WMI) queries. The trojan makes Registry modifications to set up persistence and establishes contact with a C2 server ("serverseistemasatu[.]com") to send the collected details and receive backdoor commands that grant remote control over the infected system. The trojan forcibly terminates several browsers to force victims to reopen banking sites under "attacker-controlled conditions."

The second aspect of the campaign is the use of a Python script, an enhanced version of its PowerShell predecessor, to enable malware delivery to every contact via WhatsApp Web sessions using the Selenium browser automation tool. There is "compelling" evidence to suggest that Water Saci may have used a large language model (LLM) or code-translation tool to port their propagation script from PowerShell to Python, given the functional similarities between the two versions and the inclusion of emojis in console outputs.

The development comes as Brazilian banking users are also being targeted by a previously undocumented Android malware dubbed RelayNFC that's designed to carry out Near-Field Communication (NFC) relay attacks and siphon contactless payment data. RelayNFC implements a full real-time APDU relay channel, allowing attackers to complete transactions as though the victim's card were physically present. The malware is built using React Native and Hermes bytecode, which complicates static analysis and helps evade detection. Primarily spread via phishing, the attack makes use of decoy Portuguese-language sites (e.g., "maisseguraca[.]site") to trick users into installing the malware under the pretext of securing their payment cards. The end goal of the campaign is to capture the victim's card details and relay them to attackers, who can then perform fraudulent transactions using the stolen data. The cybersecurity company said its investigation also uncovered a separate phishing site ("test.ikotech[.]online") that distributes an APK file with a partial implementation of Host Card Emulation (HCE), indicating that the threat actors are experimenting with different NFC relay techniques.