TrickyWonders Wonderland distribution campaign targeting Uzbekistan users
Campaign
Summary
The TrickyWonders campaign is distributing Wonderland through fake Google Play pages, Facebook ads, dating-app lures, and Telegram, expanding risk to users in Uzbekistan and their contacts. The operation matters because the Android stealer captures SMS messages, intercepts OTPs, and can hijack Telegram accounts to keep the infection chain going. It also relies on stolen Telegram sessions and repeated delivery channels, making the distribution pattern resilient and hard to interrupt.
Related Happenings
FakeWallet crypto wallet phishing campaign targeting users in China
Campaign
First: 21.04.2026 00:52
Last: 21.04.2026 00:52
Sources 1
About this happening:
The **FakeWallet** campaign is actively distributing **26 malicious apps** that impersonate crypto wallets and steal **seed phrases**, putting **users in China** at immediate risk...
Latest development: 24.04.2026 14:48
Kaspersky said the FakeWallet campaign is gaining momentum with new tactics, including phishing apps published in the Apple App Store, cold wallet impersonation, and phishing notifications, and suspected it may be the work of threat actors linked to SparkKitty because some infected apps use OCR to steal wallet recovery phrases and the two campaigns share native Chinese-speaking operators and cryptocurrency targeting.
Perseus IPTV-lure distribution campaign targeting Europe and the Middle East
Campaign
First: 19.03.2026 14:43
Last: 19.03.2026 14:43
Sources 1
About this happening:
The **Perseus** distribution campaign is actively pushing **Android malware** through **phishing sites** and **IPTV-lure apps**, increasing the risk of **device takeover** and **f...
Perseus Android malware family actively distributed in the wild
Malware Activity
First: 19.03.2026 14:43
Last: 19.03.2026 14:43
Sources 1
About this happening:
The **Perseus** **Android malware** family is being actively distributed in the wild, putting infected devices at risk of **device takeover** and **financial fraud**. It spreads t...
IPTV app lure campaign distributing Massiv Android banking malware
Campaign
First: 19.03.2026 12:13
Last: 19.03.2026 12:13
Sources 1
About this happening:
A **recent IPTV app lure campaign** is distributing **Massiv Android banking malware**, putting users who seek **free or low-cost live sports broadcasts** at risk of device compro...
DarkSword operators phishing and watering-hole campaign
Campaign
First: 18.03.2026 23:15
Last: 18.03.2026 23:15
Sources 1
About this happening:
**DarkSword** operators ran a **cross-border phishing and watering-hole campaign** using an **iPhone exploit chain** against users in **Saudi Arabia** and **Ukraine**, with additi...
Timeline
- 22.12.2025 08:11 · 1 article · 5mo ago
  MidnightDat dropper first seen
  Technical Analysis Update: MidnightDat first appears as a dropper family designed to conceal a primary encrypted payload, with the malicious package deployed locally after installation even without an active internet connection.
  Sources:
  - Android Malware Operations Merge Droppers, SMS Theft, and RAT Capabilities at Scale — thehackernews.com — 22.12.2025 08:11
- 22.12.2025 08:11 · 1 article · 5mo ago
  RoundRift dropper first seen
  Technical Analysis Update: RoundRift first appears as a second dropper family designed to conceal a primary encrypted payload, reinforcing the use of layered Android droppers in the campaign infrastructure.
  Sources:
  - Android Malware Operations Merge Droppers, SMS Theft, and RAT Capabilities at Scale — thehackernews.com — 22.12.2025 08:11
- 22.12.2025 08:11 · 2 articles · 5mo ago
  TrickyWonders Wonderland distribution campaign disclosed
  Initial Disclosure: TrickyWonders distributes Wonderland to users in Uzbekistan through fake Google Play Store web pages, Facebook ad campaigns, bogus dating-app accounts, Telegram, and stolen Telegram sessions sold on dark web markets, while the malware steals SMS messages and one-time passwords, hijacks Telegram accounts, and can issue arbitrary USSD requests through bidirectional C2.
  Sources:
  - Android Malware Operations Merge Droppers, SMS Theft, and RAT Capabilities at Scale — thehackernews.com — 22.12.2025 08:11