15 April 2026

Weekly Summary: Cyberattacks 09-15 April

Silent Crypto Wallet Takeover: Unlimited USDT Approval Exploitation via Trust Wallet QR Code Phishing

An active cryptocurrency phishing campaign is targeting Trust Wallet users through QR codes distributed on Telegram, enabling attackers to silently take over wallets by abusing unlimited USDT token approvals. The QR codes are embedded in manipulated screenshots and route victims through Trust Wallet's legitimate deep link infrastructure to attacker-controlled phishing domains hosted on Netlify. The takeover is "silent" because the victim is only asked to sign a token approve() call (ERC-20 and TRC-20 USDT use the same allowance model) that grants the attacker's spender address an unlimited USDT allowance: no funds move at that moment, but the attacker can later drain the balance with transferFrom() without any further interaction from the victim.
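The check a wallet (or a cautious user inspecting a signing prompt) needs here is to decode the approve() calldata and refuse, or at least warn on, an unlimited allowance to an unknown spender. The following is an added example written for this summary, not code from the campaign, from Trust Wallet or from the phishing kit; the spender addresses and the allowlist are constructed placeholders.

```python
# Added example for this summary: decode an ERC-20 approve(address,uint256)
# call and flag "unlimited" allowances before signing. Illustrative code,
# not from the campaign or Trust Wallet. Addresses and calldata below are
# constructed placeholders, not real contracts or attacker infrastructure.

APPROVE_SELECTOR = "095ea7b3"   # first 4 bytes of keccak256("approve(address,uint256)")
MAX_UINT256 = 2**256 - 1
USDT_DECIMALS = 6               # Tether (USDT) on Ethereum uses 6 decimals

# Hypothetical allowlist of spenders the user knowingly interacts with
# (placeholder address, not a real contract).
TRUSTED_SPENDERS = {"0x" + "11" * 20}


def encode_approve(spender: str, amount: int) -> str:
    """Build approve() calldata; used here only to construct sample inputs."""
    addr = spender.lower().removeprefix("0x")
    if len(addr) != 40:
        raise ValueError("spender must be a 20-byte hex address")
    return "0x" + APPROVE_SELECTOR + addr.rjust(64, "0") + format(amount, "064x")


def decode_approve(calldata: str) -> dict:
    """Parse approve(spender, amount) calldata into its fields."""
    data = calldata.lower().removeprefix("0x")
    if len(data) != 8 + 64 + 64 or data[:8] != APPROVE_SELECTOR:
        raise ValueError("not a well-formed approve(address,uint256) call")
    spender = "0x" + data[8 + 24:8 + 64]   # address sits in the low 20 bytes of word 1
    amount = int(data[8 + 64:], 16)
    return {"spender": spender, "amount": amount, "unlimited": amount == MAX_UINT256}


def assess_approval(calldata: str, wallet_balance: int) -> dict:
    """Classify the approval a wallet is being asked to sign.

    wallet_balance is the token balance in base units (USDT: 6 decimals).
    A spender outside the allowlist with an allowance covering the whole
    balance is exactly what lets an attacker drain the wallet later with
    transferFrom(), with no further user interaction.
    """
    fields = decode_approve(calldata)
    trusted = fields["spender"] in TRUSTED_SPENDERS
    if fields["unlimited"]:
        reason = "unlimited allowance"
    elif fields["amount"] >= wallet_balance:
        reason = "allowance covers the entire balance"
    else:
        reason = "bounded allowance"
    risky = (not trusted) and reason != "bounded allowance"
    return {**fields, "trusted_spender": trusted, "reason": reason, "risky": risky}


if __name__ == "__main__":
    unknown_spender = "0x" + "ab" * 20          # placeholder, not a real contract
    balance = 2_500 * 10**USDT_DECIMALS          # wallet holds 2,500 USDT
    for call in (encode_approve(unknown_spender, MAX_UINT256),
                 encode_approve(unknown_spender, 100 * 10**USDT_DECIMALS),
                 encode_approve("0x" + "11" * 20, MAX_UINT256)):
        print(assess_approval(call, balance))
```

A victim who has already signed such an approval revokes it by sending approve(spender, 0) from the same wallet. For Ethereum USDT this is the only way: Tether's contract rejects changing an allowance directly from one non-zero value to another, so the allowance must be zeroed first.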

JanelaRAT: A Financial Threat Targeting Users in Latin America  

Researchers reported ongoing campaigns involving JanelaRAT, a financially motivated remote access trojan targeting banking users across Latin America, particularly in Brazil and Mexico. The malware, derived from the earlier BX RAT and active since at least mid-2023, has evolved significantly, with recent variants introducing streamlined infection chains, enhanced evasion techniques, and more sophisticated mechanisms for financial fraud and real-time session hijacking. 

STX RAT: A new RAT with Infostealer Capabilities  

A report details the discovery of a newly identified malware family, STX RAT, a remote access trojan with integrated infostealer capabilities. First observed in late February 2026, the malware was used against a financial sector organization and delivered through opportunistic infection vectors such as malicious VBScript downloads and trojanized software installers, including fake FileZilla builds. STX RAT runs a multi-stage execution chain that decrypts (XXTEA) and decompresses (Zlib) each payload in memory, so the cleartext of the next stage is exposed only in process memory rather than on disk where static scanners would see it.
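An analyst who has pulled the key and the encrypted blob out of such a loader needs the same XXTEA-then-zlib routine to recover the next stage. The block below is an added example written for this summary as an analysis helper; it is not STX RAT's own code. The 16-byte key, little-endian 32-bit word order and the 4-byte length prefix are assumptions that a real sample's loader would have to be checked against, and the payload is constructed here for the demonstration.

```python
# Added example for this summary: XXTEA decryption followed by zlib
# decompression, the unpacking shape described for STX RAT. Not the
# malware's code. Assumptions: 16-byte key, little-endian uint32 words,
# 4-byte plaintext length prefix before the compressed data.
import struct
import zlib

DELTA = 0x9E3779B9
MASK = 0xFFFFFFFF


def _mx(s, y, z, p, e, k):
    # XXTEA ("Corrected Block TEA") mixing function, all arithmetic mod 2^32.
    a = (z >> 5) ^ ((y << 2) & MASK)
    b = (y >> 3) ^ ((z << 4) & MASK)
    return ((a + b) ^ ((s ^ y) + (k[(p & 3) ^ e] ^ z))) & MASK


def xxtea_encrypt_words(v, k):
    """Encrypt a list of >= 2 uint32 words in place with a 4-word key."""
    n = len(v)
    rounds = 6 + 52 // n
    s, z = 0, v[n - 1]
    for _ in range(rounds):
        s = (s + DELTA) & MASK
        e = (s >> 2) & 3
        for p in range(n - 1):
            v[p] = (v[p] + _mx(s, v[p + 1], z, p, e, k)) & MASK
            z = v[p]
        v[n - 1] = (v[n - 1] + _mx(s, v[0], z, n - 1, e, k)) & MASK
        z = v[n - 1]
    return v


def xxtea_decrypt_words(v, k):
    """Inverse of xxtea_encrypt_words (same round schedule, run backwards)."""
    n = len(v)
    rounds = 6 + 52 // n
    s, y = (rounds * DELTA) & MASK, v[0]
    for _ in range(rounds):
        e = (s >> 2) & 3
        for p in range(n - 1, 0, -1):
            v[p] = (v[p] - _mx(s, y, v[p - 1], p, e, k)) & MASK
            y = v[p]
        v[0] = (v[0] - _mx(s, y, v[n - 1], 0, e, k)) & MASK
        y = v[0]
        s = (s - DELTA) & MASK
    return v


def _to_words(b: bytes) -> list:
    return list(struct.unpack("<%dI" % (len(b) // 4), b))


def _to_bytes(w: list) -> bytes:
    return struct.pack("<%dI" % len(w), *w)


def pack_payload(plain: bytes, key: bytes) -> bytes:
    """zlib-compress, prefix the length, pad to whole words, XXTEA-encrypt.
    Used here only to build a sample blob of the assumed format."""
    compressed = zlib.compress(plain)
    body = struct.pack("<I", len(compressed)) + compressed
    body += b"\0" * (-len(body) % 4)
    body += b"\0" * max(0, 8 - len(body))          # XXTEA needs >= 2 words
    return _to_bytes(xxtea_encrypt_words(_to_words(body), _to_words(key)))


def unpack_payload(blob: bytes, key: bytes) -> bytes:
    """Recover the next stage from an encrypted blob; raises on a wrong key."""
    if len(key) != 16 or len(blob) % 4 or len(blob) < 8:
        raise ValueError("bad key or ciphertext length")
    body = _to_bytes(xxtea_decrypt_words(_to_words(blob), _to_words(key)))
    (length,) = struct.unpack("<I", body[:4])
    if length > len(body) - 4:
        raise ValueError("length prefix out of range: wrong key or corrupt blob")
    return zlib.decompress(body[4:4 + length])     # zlib.error on a wrong key too


def try_unpack(blob: bytes, key: bytes):
    """Convenience wrapper: return the stage, or None if the key is wrong."""
    try:
        return unpack_payload(blob, key)
    except (ValueError, zlib.error):
        return None


if __name__ == "__main__":
    key = b"K" * 16                                  # constructed key, not a real one
    stage = b"constructed stage-2 payload " * 16     # stand-in for a real next stage
    blob = pack_payload(stage, key)
    print(len(blob), try_unpack(blob, key) == stage, try_unpack(blob, b"J" * 16))
```

Because the stage is reconstructed in memory, the hunting artefacts on disk are the encrypted blob and the loader; a hook on zlib/inflate-style calls or a memory scan after the decrypt step is where the cleartext becomes visible.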

The long road to your crypto: ClipBanker and its marathon infection chain  

Cybersecurity researchers detailed a ClipBanker malware campaign distributed via trojanized versions of the legitimate Proxifier software, highlighting a complex, multi-stage infection chain leveraging search engine poisoning and GitHub repositories. Victims are typically lured while searching for “Proxifier,” where malicious repositories appear in top results and provide bundled installers combining legitimate software with a hidden Trojan payload. The infection chain is notably long and technically sophisticated, designed to evade detection at each stage. Once executed, the malicious installer performs defense evasion actions, including adding exclusions to Microsoft Defender for specific file types and directories. The attack then progresses through multiple stages involving external payload retrieval, scripting, and fileless execution techniques, making forensic analysis and signature-based detection significantly more difficult. 
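The Defender exclusion step is the most detectable part of that chain: every configuration change is logged as Event ID 5007 in the "Microsoft-Windows-Windows Defender/Operational" channel, and the message text names the registry value that changed, including the Exclusions\Paths and Exclusions\Extensions entries an installer adds for itself. The block below is an added example of detection logic over exported events, written for this summary; it is not the campaign's code or a vendor rule. The events are constructed samples, not real logs, and the list of "risky" locations and extensions is an assumption to tune per environment.

```python
# Added example for this summary: flag Microsoft Defender exclusion
# additions from Event ID 5007 records. Illustrative detection code, not
# the campaign's or a vendor's. SAMPLE_EVENTS are constructed, not real.
import re

# A 5007 message ends with the changed value, e.g.
#   New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Tools = 0x0
EXCLUSION_RE = re.compile(
    r"New value:\s*HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\"
    r"(?P<kind>Paths|Extensions|Processes)\\(?P<value>.+?)\s*=\s*0x0",
    re.IGNORECASE,
)

# Assumed tuning: exclusions on user-writable locations or executable
# types are the ones a trojanized installer adds for its own payload.
RISKY_PATH_MARKERS = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")
RISKY_EXTENSIONS = {"exe", "dll", "ps1", "vbs", "js", "bat", "cmd", "scr"}


def classify_exclusion(kind: str, value: str) -> str:
    v = value.strip().lower()
    if kind.lower() == "extensions":
        return "high" if v.lstrip(".") in RISKY_EXTENSIONS else "medium"
    if kind.lower() == "paths" and any(m in v for m in RISKY_PATH_MARKERS):
        return "high"
    return "medium"


def find_exclusion_additions(events: list) -> list:
    """Return one finding per 5007 event that added an exclusion."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 5007:
            continue
        m = EXCLUSION_RE.search(ev.get("Message", ""))
        if not m:
            continue                       # some other Defender setting changed
        findings.append({
            "time": ev.get("Time"),
            "kind": m["kind"],
            "value": m["value"].strip(),
            "severity": classify_exclusion(m["kind"], m["value"]),
        })
    return findings


# Constructed sample events in the shape of an exported Defender log.
SAMPLE_EVENTS = [
    {"Time": "2026-04-10T09:12:03Z", "EventID": 5007,
     "Message": "Microsoft Defender Antivirus Configuration has changed. "
                "Old value: New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender"
                "\\Exclusions\\Paths\\C:\\Users\\Public\\Proxifier = 0x0"},
    {"Time": "2026-04-10T09:12:04Z", "EventID": 5007,
     "Message": "Microsoft Defender Antivirus Configuration has changed. "
                "Old value: New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender"
                "\\Exclusions\\Extensions\\exe = 0x0"},
    {"Time": "2026-04-10T09:30:00Z", "EventID": 5007,
     "Message": "Microsoft Defender Antivirus Configuration has changed. "
                "Old value: New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender"
                "\\SpyNet\\SpyNetReporting = 0x2"},
    {"Time": "2026-04-10T09:31:00Z", "EventID": 1116,
     "Message": "Microsoft Defender Antivirus has detected malware or other potentially unwanted software."},
]

if __name__ == "__main__":
    for f in find_exclusion_additions(SAMPLE_EVENTS):
        print(f)
```

For a live host the same information is available without logs: Get-MpPreference in PowerShell returns the current ExclusionPath, ExclusionExtension and ExclusionProcess lists, which can be compared against a known baseline. The pairing here, a path under C:\Users plus a blanket extension exclusion added within seconds of each other right after a download, is the pattern to alert on.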

Masjesu Botnet Targets Routers in Commercial DDoS Attacks  

Researchers have identified the continued evolution of the Masjesu botnet, a commercially operated IoT-based threat active since 2023 and designed to provide Distributed Denial-of-Service (DDoS)-for-hire services. The botnet primarily targets routers, gateways, and embedded IoT devices across multiple architectures, maximizing its reach across fragmented device ecosystems. Operated and marketed via Telegram, Masjesu maintains a public-facing presence despite prior takedowns, with a new channel created in February 2025 and still active in 2026, advertising high-capacity DDoS services capable of generating attacks reaching hundreds of Gbps.