Android Trojan Campaign Uses Hugging Face Hosting for RAT Payload Delivery
ID: 5803f434-a932-5484-94de-7e7eba681117
STIX ID: report--5803f434-a932-5484-94de-7e7eba681117
Feed Name: Bitdefender Labs
Bitdefender researchers uncovered an active Android RAT campaign (TrustBastion, later rebranded) that uses a dropper to redirect victims to malicious APKs hosted on Hugging Face. The attackers generate new polymorphic payloads (~every 15 minutes) to evade detection, then use Accessibility Services, overlays, and screen capture to harvest credentials (targeting financial apps and lock-screen inputs) and exfiltrate data to a C2 (e.g., 154.198.48.57 / trustbastion.com). The report includes behavior analysis and multiple IOCs (dropper/payload hashes, package names, domains, IPs).
