{
  "type": "Domain",
  "indicator": "google-app-get.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/google-app-get.com",
    "alexa": "http://www.alexa.com/siteinfo/google-app-get.com",
    "indicator": "google-app-get.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 4155541501,
      "indicator": "google-app-get.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 8,
      "pulses": [
        {
          "id": "69309b3dc9fb51eed9634ec3",
          "name": "Albiriox Exposed: A New RAT Mobile Malware Targeting Global Finance and Crypto Wallets",
          "description": "Albiriox is a newly identified Android malware offered as Malware-as-a-Service, likely managed by Russian-speaking threat actors. It employs a two-stage deployment chain using dropper applications and packing techniques to evade detection. The malware exhibits advanced On-Device Fraud capabilities, enabling remote control, screen manipulation, and real-time interaction with infected devices. Albiriox targets over 400 global financial and cryptocurrency applications, combining VNC-based remote access and overlay attack mechanisms. The malware's sophisticated features include device takeover, real-time interaction, and unauthorized operations while remaining undetected. Its MaaS model and ongoing development suggest potential for rapid adoption among threat actors seeking efficient mobile fraud tools.",
          "modified": "2025-12-04T11:17:30.257000",
          "created": "2025-12-03T20:19:09.663000",
          "tags": [
            "android",
            "vnc",
            "albiriox",
            "rat",
            "overlay attacks",
            "on-device fraud",
            "maas",
            "banking trojan",
            "cryptocurrency",
            "evasion techniques"
          ],
          "references": [
            "https://www.cleafy.com/cleafy-labs/albiriox-rat-mobile-malware-targeting-global-finance-and-crypto-wallets"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Albiriox",
              "display_name": "Albiriox",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1566.002",
              "name": "Spearphishing Link",
              "display_name": "T1566.002 - Spearphishing Link"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            },
            {
              "id": "T1547.001",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1059.004",
              "name": "Unix Shell",
              "display_name": "T1059.004 - Unix Shell"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1518.001",
              "name": "Security Software Discovery",
              "display_name": "T1518.001 - Security Software Discovery"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 28,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 4,
            "FileHash-SHA1": 4,
            "FileHash-SHA256": 4,
            "domain": 6,
            "hostname": 1
          },
          "indicator_count": 19,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386481,
          "modified_text": "177 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6932aabd16d44a2bfe8e412e",
          "name": "Albiriox Exposed: A New RAT Mobile Malware Targeting Global Finance and Crypto Wallets",
          "description": "Albiriox is a newly identified family of Android malware emerging as a Malware-as-a-Service (MaaS) that targets global financial and cryptocurrency sectors. Managed by Russian-speaking threat actors, Albiriox shows active development and a sophisticated two-stage deployment strategy designed to evade detection. The initial delivery mechanism involves dropper applications disguised as legitimate software, utilizing social engineering tactics, including the creation of fake Google Play pages.",
          "modified": "2026-01-04T09:02:32.925000",
          "created": "2025-12-05T09:49:49.971000",
          "tags": [
            "albiriox",
            "android banking",
            "overlay",
            "system update",
            "trojan",
            "golden crypt",
            "ac vnc",
            "accessibility",
            "install",
            "unknown apps",
            "android",
            "analyzing",
            "odf",
            "remote access"
          ],
          "references": [
            "https://www.cleafy.com/cleafy-labs/albiriox-rat-mobile-malware-targeting-global-finance-and-crypto-wallets#6"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Albiriox",
              "display_name": "Albiriox",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1104",
              "name": "Multi-Stage Channels",
              "display_name": "T1104 - Multi-Stage Channels"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1406",
              "name": "Obfuscated Files or Information",
              "display_name": "T1406 - Obfuscated Files or Information"
            },
            {
              "id": "T1410",
              "name": "Network Traffic Capture or Redirection",
              "display_name": "T1410 - Network Traffic Capture or Redirection"
            },
            {
              "id": "T1412",
              "name": "Capture SMS Messages",
              "display_name": "T1412 - Capture SMS Messages"
            },
            {
              "id": "T1414",
              "name": "Capture Clipboard Data",
              "display_name": "T1414 - Capture Clipboard Data"
            }
          ],
          "industries": [
            "Financial",
            "Banking",
            "Cryptocurrency",
            "Crypto"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 4,
            "FileHash-SHA1": 4,
            "FileHash-SHA256": 4,
            "domain": 6,
            "hostname": 1
          },
          "indicator_count": 19,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 540,
          "modified_text": "146 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69326c41d42decb549286c69",
          "name": "EbeeDec2025 Pt1",
          "description": "Multiple APT/threat actors, Malware and Campaigns",
          "modified": "2026-01-04T05:04:24.496000",
          "created": "2025-12-05T05:23:13.601000",
          "tags": [
            "filehashsha256",
            "filehashsha1",
            "filehashmd5",
            "cve20121823 cve",
            "cve20213156 cve",
            "cve20214034 cve",
            "cve20222588 cve"
          ],
          "references": [],
          "public": 1,
          "adversary": "APT-C-35 (DoNot), Morte Loader, FunkSec Ransomware, Albiriox, eBPF-based rootkits,  Arkanix Stealer",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 145,
            "FileHash-SHA1": 201,
            "FileHash-SHA256": 191,
            "CVE": 9,
            "URL": 35,
            "domain": 72,
            "email": 2,
            "hostname": 26
          },
          "indicator_count": 681,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 40,
          "modified_text": "147 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69304a52f2e2b424a8e64d26",
          "name": "Albiriox Exposed: A New RAT Mobile Malware Targeting Global Finance and Crypto Wallets | Cleafy Labs",
          "description": "A newly identified Android banking malware, Albiriox, is being developed and marketed as a Malware-as-a-Service (MaaS), according to the Cleafy Threat Intelligence team.",
          "modified": "2026-01-02T14:02:11.156000",
          "created": "2025-12-03T14:33:54.523000",
          "tags": [
            "albiriox",
            "android banking",
            "overlay",
            "system update",
            "trojan",
            "golden crypt",
            "ac vnc",
            "accessibility",
            "install",
            "unknown apps",
            "android",
            "analyzing",
            "odf",
            "remote access"
          ],
          "references": [
            "https://www.cleafy.com/cleafy-labs/albiriox-rat-mobile-malware-targeting-global-finance-and-crypto-wallets"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Analyzing",
              "display_name": "Analyzing",
              "target": null
            },
            {
              "id": "ODF",
              "display_name": "ODF",
              "target": null
            },
            {
              "id": "Remote Access",
              "display_name": "Remote Access",
              "target": null
            },
            {
              "id": "Albiriox",
              "display_name": "Albiriox",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1199",
              "name": "Trusted Relationship",
              "display_name": "T1199 - Trusted Relationship"
            },
            {
              "id": "T1104",
              "name": "Multi-Stage Channels",
              "display_name": "T1104 - Multi-Stage Channels"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1219",
              "name": "Remote Access Software",
              "display_name": "T1219 - Remote Access Software"
            }
          ],
          "industries": [
            "Financial",
            "Banking",
            "Cryptocurrency",
            "Crypto"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 4,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 1,
            "domain": 6,
            "hostname": 1
          },
          "indicator_count": 13,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 862,
          "modified_text": "148 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69304c3bb34b8f2558d05433",
          "name": "New Albiriox Malware Attacking Android Users to Take Complete Control of their Device",
          "description": "Researchers at Cleafy have identified a new type of Android banking Trojan malware, which they say is capable of remote access to victims\u2019 devices and hijacking them for financial gain.",
          "modified": "2026-01-02T14:02:11.156000",
          "created": "2025-12-03T14:42:03.926000",
          "tags": [
            "albiriox",
            "dropper",
            "maas",
            "cleafy",
            "austria",
            "golden crypt",
            "android malware",
            "ondevice fraud",
            "september",
            "october",
            "fraud",
            "android"
          ],
          "references": [
            "https://cybersecuritynews.com/albiriox-malware-attacking-android-users/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Austria"
          ],
          "malware_families": [
            {
              "id": "Albiriox",
              "display_name": "Albiriox",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 6,
            "hostname": 1
          },
          "indicator_count": 7,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 863,
          "modified_text": "148 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "692ea6a682dacd4b10c122d4",
          "name": "Albiriox Exposed: A New RAT Mobile Malware Targeting Global Finance and Crypto Wallets",
          "description": "Albiriox is a newly identified Android malware family that has emerged as a Malware-as-a-Service (MaaS), managed by Russian-speaking threat actors. This malware operates through a two-stage deployment chain, utilizing dropper applications distributed via social engineering tactics to evade detection and deliver its payload. Albiriox is notable for its on-device fraud capabilities, functioning as a remote access Trojan (RAT) with features such as real-time interactivity and screen manipulation. Its targeting of over 400 global banking and cryptocurrency applications underscores its potential impact on financial institutions.",
          "modified": "2026-01-01T08:04:36.902000",
          "created": "2025-12-02T08:43:18.201000",
          "tags": [
            "albiriox",
            "android banking",
            "overlay",
            "system update",
            "trojan",
            "golden crypt",
            "ac vnc",
            "accessibility",
            "install",
            "unknown apps",
            "android",
            "analyzing",
            "odf",
            "remote access"
          ],
          "references": [
            "https://www.cleafy.com/cleafy-labs/albiriox-rat-mobile-malware-targeting-global-finance-and-crypto-wallets"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Albiriox",
              "display_name": "Albiriox",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1199",
              "name": "Trusted Relationship",
              "display_name": "T1199 - Trusted Relationship"
            },
            {
              "id": "T1104",
              "name": "Multi-Stage Channels",
              "display_name": "T1104 - Multi-Stage Channels"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1219",
              "name": "Remote Access Software",
              "display_name": "T1219 - Remote Access Software"
            }
          ],
          "industries": [
            "Financial",
            "Banking",
            "Cryptocurrency",
            "Crypto"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 4,
            "domain": 6,
            "hostname": 1
          },
          "indicator_count": 11,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 540,
          "modified_text": "149 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "692d7519544b62e86aa47157",
          "name": "EbeeNov2025 Pt5",
          "description": "Multiple APT/threat actors, Malware and Campaigns",
          "modified": "2025-12-31T10:00:16.038000",
          "created": "2025-12-01T10:59:37.970000",
          "tags": [
            "filehashsha256",
            "filehashmd5",
            "filehashsha1",
            "filepath",
            "cve20243721 cve",
            "cve20131599 cve",
            "cve20143206 cve",
            "cve20179841 cve",
            "cve20199082 cve",
            "cve20208958 cve"
          ],
          "references": [
            "Book1.csv"
          ],
          "public": 1,
          "adversary": "APT24, Autumn Dragon, Operation DreamJob, Water Gamayun, Shai-Hulud Campaign Infecting Macs via Face",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 54,
            "CVE": 35,
            "FileHash-MD5": 221,
            "FileHash-SHA1": 188,
            "FileHash-SHA256": 232,
            "domain": 150,
            "email": 1,
            "hostname": 40
          },
          "indicator_count": 921,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 40,
          "modified_text": "150 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "692aecc818f6748f859381ef",
          "name": "Albiriox Malware Targets Android Users for Full Device Takeover",
          "description": "This is the full text of Google's search engine, following the results of the search for its most popular app, the Play Store, and a link to the site's website, which is also used by Google.",
          "modified": "2025-12-29T12:02:49.375000",
          "created": "2025-11-29T12:53:28.066000",
          "tags": [
            "google",
            "domain",
            "hostname",
            "play",
            "app get",
            "get app",
            "app install"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 6,
            "hostname": 1
          },
          "indicator_count": 7,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 500,
          "modified_text": "152 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://cybersecuritynews.com/albiriox-malware-attacking-android-users/",
        "Book1.csv",
        "https://www.cleafy.com/cleafy-labs/albiriox-rat-mobile-malware-targeting-global-finance-and-crypto-wallets",
        "https://www.cleafy.com/cleafy-labs/albiriox-rat-mobile-malware-targeting-global-finance-and-crypto-wallets#6"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [
            "Albiriox"
          ],
          "industries": []
        },
        "other": {
          "adversary": [
            "APT24, Autumn Dragon, Operation DreamJob, Water Gamayun, Shai-Hulud Campaign Infecting Macs via Face",
            "APT-C-35 (DoNot), Morte Loader, FunkSec Ransomware, Albiriox, eBPF-based rootkits,  Arkanix Stealer"
          ],
          "malware_families": [
            "Analyzing",
            "Odf",
            "Remote access",
            "Albiriox"
          ],
          "industries": [
            "Crypto",
            "Cryptocurrency",
            "Banking",
            "Financial"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 8,
  "pulses": [
    {
      "id": "69309b3dc9fb51eed9634ec3",
      "name": "Albiriox Exposed: A New RAT Mobile Malware Targeting Global Finance and Crypto Wallets",
      "description": "Albiriox is a newly identified Android malware offered as Malware-as-a-Service, likely managed by Russian-speaking threat actors. It employs a two-stage deployment chain using dropper applications and packing techniques to evade detection. The malware exhibits advanced On-Device Fraud capabilities, enabling remote control, screen manipulation, and real-time interaction with infected devices. Albiriox targets over 400 global financial and cryptocurrency applications, combining VNC-based remote access and overlay attack mechanisms. The malware's sophisticated features include device takeover, real-time interaction, and unauthorized operations while remaining undetected. Its MaaS model and ongoing development suggest potential for rapid adoption among threat actors seeking efficient mobile fraud tools.",
      "modified": "2025-12-04T11:17:30.257000",
      "created": "2025-12-03T20:19:09.663000",
      "tags": [
        "android",
        "vnc",
        "albiriox",
        "rat",
        "overlay attacks",
        "on-device fraud",
        "maas",
        "banking trojan",
        "cryptocurrency",
        "evasion techniques"
      ],
      "references": [
        "https://www.cleafy.com/cleafy-labs/albiriox-rat-mobile-malware-targeting-global-finance-and-crypto-wallets"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Albiriox",
          "display_name": "Albiriox",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1566.002",
          "name": "Spearphishing Link",
          "display_name": "T1566.002 - Spearphishing Link"
        },
        {
          "id": "T1566.001",
          "name": "Spearphishing Attachment",
          "display_name": "T1566.001 - Spearphishing Attachment"
        },
        {
          "id": "T1547.001",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1059.004",
          "name": "Unix Shell",
          "display_name": "T1059.004 - Unix Shell"
        },
        {
          "id": "T1078",
          "name": "Valid Accounts",
          "display_name": "T1078 - Valid Accounts"
        },
        {
          "id": "T1518.001",
          "name": "Security Software Discovery",
          "display_name": "T1518.001 - Security Software Discovery"
        },
        {
          "id": "T1204.001",
          "name": "Malicious Link",
          "display_name": "T1204.001 - Malicious Link"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 28,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 4,
        "FileHash-SHA1": 4,
        "FileHash-SHA256": 4,
        "domain": 6,
        "hostname": 1
      },
      "indicator_count": 19,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386481,
      "modified_text": "177 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6932aabd16d44a2bfe8e412e",
      "name": "Albiriox Exposed: A New RAT Mobile Malware Targeting Global Finance and Crypto Wallets",
      "description": "Albiriox is a newly identified family of Android malware emerging as a Malware-as-a-Service (MaaS) that targets global financial and cryptocurrency sectors. Managed by Russian-speaking threat actors, Albiriox shows active development and a sophisticated two-stage deployment strategy designed to evade detection. The initial delivery mechanism involves dropper applications disguised as legitimate software, utilizing social engineering tactics, including the creation of fake Google Play pages.",
      "modified": "2026-01-04T09:02:32.925000",
      "created": "2025-12-05T09:49:49.971000",
      "tags": [
        "albiriox",
        "android banking",
        "overlay",
        "system update",
        "trojan",
        "golden crypt",
        "ac vnc",
        "accessibility",
        "install",
        "unknown apps",
        "android",
        "analyzing",
        "odf",
        "remote access"
      ],
      "references": [
        "https://www.cleafy.com/cleafy-labs/albiriox-rat-mobile-malware-targeting-global-finance-and-crypto-wallets#6"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Albiriox",
          "display_name": "Albiriox",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1104",
          "name": "Multi-Stage Channels",
          "display_name": "T1104 - Multi-Stage Channels"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1406",
          "name": "Obfuscated Files or Information",
          "display_name": "T1406 - Obfuscated Files or Information"
        },
        {
          "id": "T1410",
          "name": "Network Traffic Capture or Redirection",
          "display_name": "T1410 - Network Traffic Capture or Redirection"
        },
        {
          "id": "T1412",
          "name": "Capture SMS Messages",
          "display_name": "T1412 - Capture SMS Messages"
        },
        {
          "id": "T1414",
          "name": "Capture Clipboard Data",
          "display_name": "T1414 - Capture Clipboard Data"
        }
      ],
      "industries": [
        "Financial",
        "Banking",
        "Cryptocurrency",
        "Crypto"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 4,
        "FileHash-SHA1": 4,
        "FileHash-SHA256": 4,
        "domain": 6,
        "hostname": 1
      },
      "indicator_count": 19,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 540,
      "modified_text": "146 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69326c41d42decb549286c69",
      "name": "EbeeDec2025 Pt1",
      "description": "Multiple APT/threat actors, Malware and Campaigns",
      "modified": "2026-01-04T05:04:24.496000",
      "created": "2025-12-05T05:23:13.601000",
      "tags": [
        "filehashsha256",
        "filehashsha1",
        "filehashmd5",
        "cve20121823 cve",
        "cve20213156 cve",
        "cve20214034 cve",
        "cve20222588 cve"
      ],
      "references": [],
      "public": 1,
      "adversary": "APT-C-35 (DoNot), Morte Loader, FunkSec Ransomware, Albiriox, eBPF-based rootkits, Arkanix Stealer",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 145,
        "FileHash-SHA1": 201,
        "FileHash-SHA256": 191,
        "CVE": 9,
        "URL": 35,
        "domain": 72,
        "email": 2,
        "hostname": 26
      },
      "indicator_count": 681,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 40,
      "modified_text": "147 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69304a52f2e2b424a8e64d26",
      "name": "Albiriox Exposed: A New RAT Mobile Malware Targeting Global Finance and Crypto Wallets | Cleafy Labs",
      "description": "A newly identified Android banking malware, Albiriox, is being developed and marketed as a Malware-as-a-Service (MaaS), according to the Cleafy Threat Intelligence team.",
      "modified": "2026-01-02T14:02:11.156000",
      "created": "2025-12-03T14:33:54.523000",
      "tags": [
        "albiriox",
        "android banking",
        "overlay",
        "system update",
        "trojan",
        "golden crypt",
        "ac vnc",
        "accessibility",
        "install",
        "unknown apps",
        "android",
        "analyzing",
        "odf",
        "remote access"
      ],
      "references": [
        "https://www.cleafy.com/cleafy-labs/albiriox-rat-mobile-malware-targeting-global-finance-and-crypto-wallets"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Analyzing",
          "display_name": "Analyzing",
          "target": null
        },
        {
          "id": "ODF",
          "display_name": "ODF",
          "target": null
        },
        {
          "id": "Remote Access",
          "display_name": "Remote Access",
          "target": null
        },
        {
          "id": "Albiriox",
          "display_name": "Albiriox",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1189",
          "name": "Drive-by Compromise",
          "display_name": "T1189 - Drive-by Compromise"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1199",
          "name": "Trusted Relationship",
          "display_name": "T1199 - Trusted Relationship"
        },
        {
          "id": "T1104",
          "name": "Multi-Stage Channels",
          "display_name": "T1104 - Multi-Stage Channels"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1219",
          "name": "Remote Access Software",
          "display_name": "T1219 - Remote Access Software"
        }
      ],
      "industries": [
        "Financial",
        "Banking",
        "Cryptocurrency",
        "Crypto"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 5,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 4,
        "FileHash-SHA1": 1,
        "FileHash-SHA256": 1,
        "domain": 6,
        "hostname": 1
      },
      "indicator_count": 13,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 862,
      "modified_text": "148 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69304c3bb34b8f2558d05433",
      "name": "New Albiriox Malware Attacking Android Users to Take Complete Control of their Device",
      "description": "Researchers at Cleafy have identified a new type of Android banking Trojan malware, which they say is capable of remote access to victims\u2019 devices and hijacking them for financial gain.",
      "modified": "2026-01-02T14:02:11.156000",
      "created": "2025-12-03T14:42:03.926000",
      "tags": [
        "albiriox",
        "dropper",
        "maas",
        "cleafy",
        "austria",
        "golden crypt",
        "android malware",
        "ondevice fraud",
        "september",
        "october",
        "fraud",
        "android"
      ],
      "references": [
        "https://cybersecuritynews.com/albiriox-malware-attacking-android-users/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Austria"
      ],
      "malware_families": [
        {
          "id": "Albiriox",
          "display_name": "Albiriox",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 5,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 6,
        "hostname": 1
      },
      "indicator_count": 7,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 863,
      "modified_text": "148 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "692ea6a682dacd4b10c122d4",
      "name": "Albiriox Exposed: A New RAT Mobile Malware Targeting Global Finance and Crypto Wallets",
      "description": "Albiriox is a newly identified Android malware family that has emerged as a Malware-as-a-Service (MaaS), managed by Russian-speaking threat actors. This malware operates through a two-stage deployment chain, utilizing dropper applications distributed via social engineering tactics to evade detection and deliver its payload. Albiriox is notable for its on-device fraud capabilities, functioning as a remote access Trojan (RAT) with features such as real-time interactivity and screen manipulation. Its targeting of over 400 global banking and cryptocurrency applications underscores its potential impact on financial institutions.",
      "modified": "2026-01-01T08:04:36.902000",
      "created": "2025-12-02T08:43:18.201000",
      "tags": [
        "albiriox",
        "android banking",
        "overlay",
        "system update",
        "trojan",
        "golden crypt",
        "ac vnc",
        "accessibility",
        "install",
        "unknown apps",
        "android",
        "analyzing",
        "odf",
        "remote access"
      ],
      "references": [
        "https://www.cleafy.com/cleafy-labs/albiriox-rat-mobile-malware-targeting-global-finance-and-crypto-wallets"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Albiriox",
          "display_name": "Albiriox",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1189",
          "name": "Drive-by Compromise",
          "display_name": "T1189 - Drive-by Compromise"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1199",
          "name": "Trusted Relationship",
          "display_name": "T1199 - Trusted Relationship"
        },
        {
          "id": "T1104",
          "name": "Multi-Stage Channels",
          "display_name": "T1104 - Multi-Stage Channels"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1219",
          "name": "Remote Access Software",
          "display_name": "T1219 - Remote Access Software"
        }
      ],
      "industries": [
        "Financial",
        "Banking",
        "Cryptocurrency",
        "Crypto"
      ],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 5,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 4,
        "domain": 6,
        "hostname": 1
      },
      "indicator_count": 11,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 540,
      "modified_text": "149 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "692d7519544b62e86aa47157",
      "name": "EbeeNov2025 Pt5",
      "description": "Multiple APT/threat actors, Malware and Campaigns",
      "modified": "2025-12-31T10:00:16.038000",
      "created": "2025-12-01T10:59:37.970000",
      "tags": [
        "filehashsha256",
        "filehashmd5",
        "filehashsha1",
        "filepath",
        "cve20243721 cve",
        "cve20131599 cve",
        "cve20143206 cve",
        "cve20179841 cve",
        "cve20199082 cve",
        "cve20208958 cve"
      ],
      "references": [
        "Book1.csv"
      ],
      "public": 1,
      "adversary": "APT24, Autumn Dragon, Operation DreamJob, Water Gamayun, Shai-Hulud Campaign Infecting Macs via Face",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 54,
        "CVE": 35,
        "FileHash-MD5": 221,
        "FileHash-SHA1": 188,
        "FileHash-SHA256": 232,
        "domain": 150,
        "email": 1,
        "hostname": 40
      },
      "indicator_count": 921,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 40,
      "modified_text": "150 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "692aecc818f6748f859381ef",
      "name": "Albiriox Malware Targets Android Users for Full Device Takeover",
      "description": "This is the full text of Google's search engine, following the results of the search for its most popular app, the Play Store, and a link to the site's website, which is also used by Google.",
      "modified": "2025-12-29T12:02:49.375000",
      "created": "2025-11-29T12:53:28.066000",
      "tags": [
        "google",
        "domain",
        "hostname",
        "play",
        "app get",
        "get app",
        "app install"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 6,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "cryptocti",
        "id": "110256",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 6,
        "hostname": 1
      },
      "indicator_count": 7,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 500,
      "modified_text": "152 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "google-app-get.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "google-app-get.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780205689.097363
}