Find notable cyber news and cases, enriched with sources, timelines, and signals.

BTMOB phishing campaign targeting Android users in Brazil and beyond

Campaign
First reported
Last updated
Happening score
H score 34
1 unique sources, 1 articles

Summary

Hide ▲

The BTMOB phishing distribution campaign is pushing malicious APKs through fake app stores, expanding Android compromise risk across Brazil and beyond. Operators lure users with phishing sites posing as streaming services, crypto-mining platforms, and other recognizable brands. The operation matters because the same kit can be retooled quickly for different countries and local impersonations, making the delivery chain easy to adapt and hard to contain.

Related Happenings

Sniper Dz free PhaaS ecosystem rebranded to scale phishing operations

Threat Actor Meta
H score43 First: 12.06.2026 11:52 Last: 12.06.2026 11:52 Sources 1

About this happening: A long-running **Sniper Dz** ecosystem operated as a **free phishing-as-a-service (PhaaS)** platform that repeatedly rebranded, lowering the barrier for large-scale credential the...

Latest development: 15.06.2026 09:30

Fraudulent Facebook accounts impersonating politicians, public figures, and trusted organizations targeted users across the Middle East and North Africa with fake offers for free mobile internet packages, financial compensation, and government subsidy programs, then routed victims through Linkbio and Linktree decoy pages into Sniper Dz phishing and traffic monetization infrastructure that abuses browser notification permissions, back-button hijacking, tab-under redirections, premium SMS subscriptions, premium-rate calls, and investment scams.

BTMOB phishing campaign targeting Brazil and Latin America

Campaign
H score39 First: 29.05.2026 00:10 Last: 29.05.2026 00:10 Sources 1

About this happening: **BTMOB** phishing activity is using localized fake-app lures to target users in **Brazil** and **Latin America**, increasing the risk of malicious installs and account compromise...

BTMOB Android RAT no-code builder malware activity

Malware Activity
H score28 First: 26.05.2026 17:00 Last: 26.05.2026 17:00 Sources 1

How related: An Android remote access trojan (RAT) that lets buyers build their own custom payloads without writing a line of code has been observed spreading through phishing campaigns across Brazil and beyond.

About this happening: **BTMOB** is an **Android RAT** sold as **malware-as-a-service** on the **clearweb** and in private **Telegram** channels, with a **no-code APK builder** that generates customized...

Latest development: 29.05.2026 00:10

BTMOB is openly advertised on the clearweb and in private Telegram channels as a malware-as-a-service (MaaS) platform with an APK builder that customizes phishing payloads without coding. The Android RAT targets users mainly in Brazil and Latin America, uses phishing sites masquerading as streaming services, cryptocurrency mining platforms, and Google Play portals, and custom lures have included an Argentinian government agency theme.

Meta rolls out anti-scam protections and AI scam detection across WhatsApp, Facebook, and Messenger

Security Tool/Service
H score43 First: 11.03.2026 15:29 Last: 11.03.2026 15:29 Sources 1

About this happening: Meta is rolling out **anti-scam protections** across **WhatsApp, Facebook, and Messenger**, using warnings and AI detection to block scams before users engage. The updates target...

Kimsuky QR-phishing campaign distributing DocSwap Android malware

Campaign
H score33 First: 18.12.2025 09:43 Last: 18.12.2025 09:43 Sources 1

About this happening: The **Kimsuky** operation now uses **QR-code phishing** to push **DocSwap Android malware**, raising the risk of mobile compromise for users drawn in by delivery-themed lures. The...

Timeline

  1. 26.05.2026 03:00 2 articles · 1mo ago

    BTMOB spreads through phishing campaigns across Brazil and beyond

    Initial Disclosure

    BTMOB is an Android RAT sold as malware-as-a-service with a no-code APK builder that lets buyers create custom payloads without writing code; ESET says it is being spread through phishing sites that pose as streaming services, crypto-mining platforms, or other recognizable brands and redirect victims to fake app stores, while the malware can exfiltrate data, capture screenshots, record on-device activity, and abuse Android's Accessibility Services for deeper access.

    Show sources