TrustBastion Android RAT distributes malicious APKs through Hugging Face repositories
Malware Activity
Summary
The TrustBastion Android RAT now uses Hugging Face repositories to distribute malicious APKs, making the operation harder to flag while broadening risk for Android users. The infection starts with scareware popups and a fake Google Play or Android system update flow. After installation, the payload abuses Accessibility Services, screen recording, screen casting, and overlays to watch device activity and steal credentials. The repository also shows rapid payload churn and the operation appears to have infected thousands of victims.
Related Happenings
Open-OSS/privacy-filter Hugging Face infostealer activity
Malware Activity
First: 11.05.2026 10:05
Last: 11.05.2026 10:05
Sources 1
About this happening:
A malicious **Hugging Face repository** called **Open-OSS/privacy-filter** impersonated **OpenAI's Privacy Filter** and delivered a **Rust-based information stealer** to **Windows...
Sefirah infostealer delivered through a malicious Hugging Face repository
Malware Activity
First: 09.05.2026 17:26
Last: 09.05.2026 17:26
Sources 1
About this happening:
A malicious **Hugging Face** repository impersonated **OpenAI’s Privacy Filter** and delivered **sefirah**, a **Rust-based infostealer**, to **Windows** users, creating credential...
CloudZ RAT Pheno Microsoft Phone Link credential-theft activity
Malware Activity
First: 05.05.2026 13:03
Last: 05.05.2026 13:03
Sources 1
About this happening:
The **CloudZ RAT** is now using the **Pheno** plugin to hijack **Microsoft Phone Link** sessions and steal **SMS-based OTPs** and other sensitive codes, increasing the risk of acc...
NGate malware trojanized HandyPay NFC-stealing variant
Malware Activity
First: 21.04.2026 12:00
Last: 21.04.2026 12:00
Sources 1
About this happening:
A **new NGate variant** is stealing **NFC payment data** from **Android users in Brazil**, raising the risk of **unauthorized purchases** and **ATM cash withdrawals**. The malware...
EngageLab SDK version 5.2.1 patch release
Security Patch Release
First: 09.04.2026 20:26
Last: 09.04.2026 20:26
Sources 1
About this happening:
**EngageLab** released **version 5.2.1** to fix the **EngageLab SDK** flaw affecting Android apps that used vulnerable integrations. The update closed an **intent redirection** is...
Timeline
02.02.2026 12:30 2 articles · 3mo ago
Bitdefender discloses TrustBastion distribution via Hugging Face
Initial Disclosure
Bitdefender disclosed that the TrustBastion Android RAT used Hugging Face repositories to host and distribute malicious APKs, with victims first seeing scareware popups and fake Google Play and Android system update dialogs before a redirect from trustbastion[.]com delivered the payload. The malware then abused Accessibility Services, screen recording, screen casting, and overlay permissions to monitor device activity, steal credentials from apps such as Alipay and WeChat, and capture lockscreen verification information. Bitdefender also said the repository had more than 6000 commits, was generating new payloads roughly every 15 minutes, and that the campaign appears to have infected thousands of victims.
Sources
- Android RAT Uses Hugging Face to Host Malware — www.infosecurity-magazine.com — 02.02.2026 12:30