{
	"id": "2dafba3d-f9c8-4335-b9d8-19f5f0873475",
	"created_at": "2026-04-06T00:17:48.657141Z",
	"updated_at": "2026-04-10T03:21:38.835657Z",
	"deleted_at": null,
	"sha1_hash": "97da489cbcbe28e53703d37a56f475cd6da13da8",
	"title": "Despite arrests in Spain, FluBot operations explode across Europe and Japan",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 162122,
	"plain_text": "Despite arrests in Spain, FluBot operations explode across Europe\r\nand Japan\r\nBy Catalin Cimpanu\r\nPublished: 2022-12-05 · Archived: 2026-04-05 21:39:51 UTC\r\nCyber-security agencies in Germany and the UK warned the general public this month about a spike in SMS spam\r\nmessages spreading the FluBot Android malware.\r\nIn security alerts published by Germany's Federal Office for Information Security (BSI) and the UK National\r\nCyber Security Centre (NCSC), the two agencies said that malware gangs are sending malicious links to users via\r\nSMS posing as legitimate package delivery services.\r\nIf users click the links, they are taken to a website posing as DHL or FedEx, where they are told to install an app\r\nto track a parcel meant to be delivered at their location.\r\nBut BSI and NCSC officials say the apps are loaded with a new form of Android malware known\r\nas FluBot, Cabassous, or the FedEx Banker.\r\nFirst seen at the end of last year, this malware has slowly become one of the most active operations in the Android\r\ncybercrime ecosystem.\r\nCategorized as a classic Android banking trojan, the malware operates by relying on users downloading\r\nboobytrapped apps from the internet and then side-loading them on their devices, despite repeated security\r\nwarnings from the Android OS.\r\nhttps://therecord.media/despite-arrests-in-spain-flubot-operations-explode-across-europe-and-japan/\r\nPage 1 of 3\n\nOnce a device is infected, the app uses the Android Accessibility service to overlay fake login screens on top of\r\nofficial apps and collect users' credentials, which it then sends to a remote command and control server.\r\nThe FluBot operators then use the collected credentials to access banking apps and empty accounts. 
Since the\r\nFluBot operators have full control over an infected device, they can also easily bypass any SMS-based two-step\r\nverification process.\r\nOne FluBot distributor gang arrested in Spain\r\nCurrently, the malware is advertised on underground cybercrime forums, where miscreants rent it and then\r\ndistribute it to users across the world.\r\nIn fact, the first time we heard about this malware was after one of these FluBot distributor groups launched a\r\nmassive SMS spam campaign that targeted Spanish users and infected more than 60,000 devices.\r\nBut while Spanish authorities reacted promptly and arrested four suspects believed to have been involved with this\r\ncampaign, other groups renting the FluBot malware are still at large and appear to have launched their own\r\noperations targeting German and UK users as well.\r\nNow, in an attempt to avoid incidents like the one in Spain, where the malware claimed tens of thousands of\r\nvictims in the span of a few weeks, German and UK cybersecurity officials are trying to raise awareness of this\r\nnew threat before it is too late.\r\nExpansion beyond Spain, Germany, and the UK in the works\r\nHowever, more cybersecurity agencies might soon need to warn their own users as well.\r\nNew intelligence shared this week suggests that FluBot distributors have already expanded operations and have\r\nlaunched SMS spam campaigns targeting users in other countries, including Japan, Italy, Norway, Sweden,\r\nFinland, Denmark, Poland, and the Netherlands.\r\n#Cabassous (#FluBot) actors are heavily developing new overlay targets and also performing\r\nenvironmental checks (av) before executing the banker payload. 
Interesting new countries and\r\ndevelopments coming from this private group in such a short period of time.\r\npic.twitter.com/0pWXHaMa1j\r\n— ThreatFabric (@ThreatFabric) April 26, 2021\r\nCatalin Cimpanu\r\nis a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement\r\nactions against hackers.\r\nSource: https://therecord.media/despite-arrests-in-spain-flubot-operations-explode-across-europe-and-japan/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://therecord.media/despite-arrests-in-spain-flubot-operations-explode-across-europe-and-japan/"
	],
	"report_names": [
		"despite-arrests-in-spain-flubot-operations-explode-across-europe-and-japan"
	],
	"threat_actors": [],
	"ts_created_at": 1775434668,
	"ts_updated_at": 1775791298,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/97da489cbcbe28e53703d37a56f475cd6da13da8.pdf",
		"text": "https://archive.orkl.eu/97da489cbcbe28e53703d37a56f475cd6da13da8.txt",
		"img": "https://archive.orkl.eu/97da489cbcbe28e53703d37a56f475cd6da13da8.jpg"
	}
}