Olivia
Online
Cleafy LABS
@cleafylabs
Technical threat intelligence, malware research, and security insights directly from Cleafy's analysts.
Joined April 2021
0 Following
432 Followers
135 Posts
[4/4] Our full technical analysis is available here π
https://t.co/ze0663NBYd
[1/4]π¨ DevilNFC & NFCMultiPay: two new Android NFC relay malware families actively hitting European and LATAM banking customers. Developed independently by Spanish-speaking and Portuguese (Brazilian) TAs. The Chinese monopoly on NFC relay tooling is over.
![cleafylabs's tweet photo. [1/4]π¨ DevilNFC & NFCMultiPay: two new Android NFC relay malware families actively hitting European and LATAM banking customers. Developed independently by Spanish-speaking and Portuguese (Brazilian) TAs. The Chinese monopoly on NFC relay tooling is over. https://t.co/35tknrj9xg](https://pbs.twimg.com/media/HIr-jR0WIAAuZDg.jpg)
[3/4] DevilNFC's standout: a single Dual-Role APK with a passive reader on the victim's device and a full system-level card emulator on the attacker's rooted hardware via Xposed Framework hooking into the Android NFC daemon.
![cleafylabs's tweet photo. [3/4] DevilNFC's standout: a single Dual-Role APK with a passive reader on the victim's device and a full system-level card emulator on the attacker's rooted hardware via Xposed Framework hooking into the Android NFC daemon. https://t.co/in4Ocbc1k3](https://pbs.twimg.com/media/HIsGC5HWsAAygeW.jpg)
[4/4] Our full technical analysis is available here π https://t.co/ZLfjXTD3cn
Malfixer open-source on GitHub π https://t.co/G4bSCZZQo2
![cleafylabs's tweet photo. [4/4] Our full technical analysis is available here π https://t.co/ZLfjXTD3cn
Malfixer open-source on GitHub π https://t.co/G4bSCZZQo2 https://t.co/WXoYu9Myyo](https://pbs.twimg.com/media/HF8ieD-bkAAG58m.jpg)
Who to follow
Tatyana Shishkova 
@sh1shk0va
Lead Security Researcher @Kaspersky GReAT, Member of "Women of #Suricata". Opinions are my own.
0x6rss
@0x6rss
OSINT & malware enthusiast, CTI analyst https://t.co/bktDzzYyfz
Reversense
@_reversense_
Open-source reverse engineering platform and company. We design offensive tools for experts. #Dexcalibur. @FrenchYeti, France.
[1/4]π¨ APK Malformation is no longer a niche evasion tactic; it is now a standard in the Android MaaS ecosystem. Observed in 3,000+ samples across families like TeaBot, TrickMo, and SpyNote, it keeps malware fully functional while blinding static analysis tools.
![cleafylabs's tweet photo. [1/4]π¨ APK Malformation is no longer a niche evasion tactic; it is now a standard in the Android MaaS ecosystem. Observed in 3,000+ samples across families like TeaBot, TrickMo, and SpyNote, it keeps malware fully functional while blinding static analysis tools. https://t.co/4mx5K2yJpv](https://pbs.twimg.com/media/HF8hbWRWUAAsdaZ.jpg)
[3/4] To counter this, we're open-sourcing Malfixer, presented today at @Botconf 2026. Built over 2 years, it detects and surgically repairs all three malformation categories, rebuilding clean APKs ready for standard pipelines, without altering the payload.
![cleafylabs's tweet photo. [3/4] To counter this, we're open-sourcing Malfixer, presented today at @Botconf 2026. Built over 2 years, it detects and surgically repairs all three malformation categories, rebuilding clean APKs ready for standard pipelines, without altering the payload. https://t.co/lN71rgAk2L](https://pbs.twimg.com/media/HF8isYibUAA18B_.jpg)
[4/4] Our full technical analysis is available here π
https://t.co/5LNJhQAAFe
[1/4] π¨ We tracked Mirax, a new Android RAT and banking malware operating as a private MaaS. First promoted on underground forums in December 2025, it's been actively targeting Spanish-speaking countries through Meta ad campaigns, reaching over 200,000 accounts.
![cleafylabs's tweet photo. [1/4] π¨ We tracked Mirax, a new Android RAT and banking malware operating as a private MaaS. First promoted on underground forums in December 2025, it's been actively targeting Spanish-speaking countries through Meta ad campaigns, reaching over 200,000 accounts. https://t.co/sIK9QI4lNt](https://pbs.twimg.com/media/HFjWA0lXsAADtsF.jpg)
[3/4] Beyond standard Android RAT capabilities, Mirax introduces an interesting feature: SOCKS5 proxy via Yamux multiplexing. Infected devices become proxy nodes, enabling attackers to mask malicious traffic behind legitimate IPs, even when full RAT infection fails.
![cleafylabs's tweet photo. [3/4] Beyond standard Android RAT capabilities, Mirax introduces an interesting feature: SOCKS5 proxy via Yamux multiplexing. Infected devices become proxy nodes, enabling attackers to mask malicious traffic behind legitimate IPs, even when full RAT infection fails. https://t.co/NCzCmegDgB](https://pbs.twimg.com/media/HFjW1lAWYAAhPnl.jpg)
(7/7) IOCs:
πΉ Dropper MD5: 612e1e4cef13c5c1f5f155d5b1a73016 πΉ Payload MD5 (TeaBot): 574742ad9a1eb519fce8b7c2b8795677
πΉ Play Store: hxxps://play.google[.]com/store/apps/details?id=com.backforge.olimpic.axiomdrivecenter
π¨ (1/7) Guess who's back? We identified a new dropper associated with the TeaBot banking trojan within the Google Play Store, with over 100K downloads. The malicious app masquerades as a PDF reader/file manager and has been active from 12th to 19th February 2026.
(6/7) Following our analysis, the Cleafy Labs team responsibly disclosed all findings to Google. The application was removed from the Play Store on February 19, 2026. We thank Google for the prompt action taken following our report.
[4/4] Our technical analysis is available here π
https://t.co/XYH4dhVWx5
[1/4] π¨ We tracked Albiriox, a newly identified Android malware family offered as a Malware-as-a-Service (MaaS). Hardcoded targets indicate a broad target spectrum, encompassing major banking and cryptocurrency applications worldwide.
![cleafylabs's tweet photo. [1/4] π¨ We tracked Albiriox, a newly identified Android malware family offered as a Malware-as-a-Service (MaaS). Hardcoded targets indicate a broad target spectrum, encompassing major banking and cryptocurrency applications worldwide. https://t.co/djuKezZQS3](https://pbs.twimg.com/media/G61JdblXUAAnEm5.jpg)
[3/4] Albiriox exhibits the core features of modern Android Banking Trojans, enabling TAs to perform On-Device Fraud (ODF) through remote control, screen manipulation, and real-time interaction with the infected device.
![cleafylabs's tweet photo. [3/4] Albiriox exhibits the core features of modern Android Banking Trojans, enabling TAs to perform On-Device Fraud (ODF) through remote control, screen manipulation, and real-time interaction with the infected device. https://t.co/qoBzNtiJ7x](https://pbs.twimg.com/media/G61KAUmXwAA19hK.jpg)
Last Seen Users on Sotwe
BestTokk Official
Seen from Malaysia
emmuachh
Seen from Indonesia
Chromo
Seen from India
ΰΈΰΈ§ΰΈΰΉΰΈ‘ΰΈ΅ΰΈ’(ΰΈ£ΰΈ±ΰΈΰΉΰΈ‘ΰΈ΅ΰΈ’ΰΈΰΈ΅ΰΉΰΈͺΰΈΈΰΈΰΉΰΈ‘ΰΈ΅ΰΈ’ΰΈΰΈ²ΰΈ‘ΰΉΰΈ)β
Seen from Thailand
vck tn some swing
Seen from Vietnam
Yaseminnβ¨
Seen from Turkey
TrαΊ§n
Seen from Vietnam
21muda
Seen from Indonesia
meow
Seen from Malaysia
Mustafa
Seen from Turkey
Trends for you
Most Popular Users
Elon Musk
@elonmusk
240.1M followers
Barack Obama
@barackobama
119.3M followers
Donald J. Trump
@realdonaldtrump
111.6M followers
Cristiano Ronaldo
@cristiano
108.8M followers
Narendra Modi
@narendramodi
107M followers
Rihanna
@rihanna
97.2M followers
NASA
@nasa
92.1M followers
Justin Bieber
@justinbieber
90.5M followers
KATY PERRY
@katyperry
86.7M followers
Taylor Swift
@taylorswift13
80.5M followers
Lady Gaga
@ladygaga
72.1M followers
Kim Kardashian
@kimkardashian
69.4M followers
YouTube
@youtube
68.6M followers
Virat Kohli
@imvkohli
68.5M followers
Bill Gates
@billgates
63.4M followers
The Ellen Show
@theellenshow
62.5M followers
CNN
@cnn
61.9M followers
Neymar Jr
@neymarjr
61M followers
X
@x
60.9M followers
CNN Breaking News
@cnnbrk
59.9M followers