{
	"id": "44e78ef9-8070-4458-8c70-23e334980370",
	"created_at": "2026-04-23T02:54:14.449844Z",
	"updated_at": "2026-04-25T02:18:16.413576Z",
	"deleted_at": null,
	"sha1_hash": "c5d6e42e94abf42afc32c9af10ebe808aceef889",
	"title": "Albiriox Exposed: A New RAT Mobile Malware Targeting Global Finance and Crypto Wallets",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5746989,
	"plain_text": "Albiriox Exposed: A New RAT Mobile Malware Targeting Global\r\nFinance and Crypto Wallets\r\nBy Gianluca Scotti, Simone Mattia\r\nArchived: 2026-04-23 02:51:37 UTC\r\nKey Points:\r\nEmergence of a new MaaS: Albiriox is a newly identified Android malware family offered as a Malware-as-a-Service (MaaS), showing signs of active development and rapid iteration. Evidence suggests the\r\noperation is managed by Russian-speaking Threat Actors (TAs).\r\nTwo-stage deployment chain: The malware leverages dropper applications distributed through social\r\nengineering lures, combined with packing techniques, to evade static detection and deliver its payload.\r\nOn-Device Fraud capabilities: Albiriox exhibits the core features of modern Android Banking Trojans,\r\nenabling TAs to perform On-Device Fraud through remote control, screen manipulation, and real-time\r\ninteraction with the infected device.\r\nGlobal targeting of financial and crypto institutions: Hardcoded targets indicate a broad target\r\nspectrum, encompassing major banking and cryptocurrency applications worldwide (over 400).\r\nOverlay and RAT combined: Beyond remote device takeover with screen streaming and UI manipulation,\r\nAlbiriox supports targeted overlay attacks for credential harvesting, covering the full spectrum of Android\r\nbanking fraud techniques.\r\nExecutive Summary\r\nOver the past few months, the Cleafy Threat Intelligence team has identified and analyzed Albiriox, a newly\r\nemerging Android malware family promoted as a Malware-as-a-Service (MaaS) within underground cybercrime\r\nforums. First observed in September 2025 during a limited recruitment phase targeting high-reputation forum\r\nmembers, the project transitioned to a publicly available MaaS offering in October 2025. 
Forum activity, linguistic\r\npatterns, and infrastructure analysis indicate that Russian-speaking Threat Actors (TAs) are behind the operation.\r\nDespite its recent emergence, Albiriox already demonstrates a well-structured architecture explicitly designed for\r\nOn-Device Fraud (ODF), a tactic in which attackers take control of a victim's mobile device and execute\r\nfraudulent actions directly within legitimate banking or cryptocurrency apps. The malware's design clearly reflects\r\nthis objective, prioritizing Full Device Takeover, Real-Time Interaction, and the ability to perform unauthorized\r\noperations while remaining undetected by the user.\r\nAlbiriox combines two core attack vectors: a VNC-based Remote Access module for real-time device control,\r\nand an Overlay Attack mechanism for credential harvesting. While the remote control functionality is fully\r\noperational, the overlay component is under active development, with generic templates currently in place rather\r\nthan application-specific phishing pages.\r\nhttps://www.cleafy.com/cleafy-labs/albiriox-rat-mobile-malware-targeting-global-finance-and-crypto-wallets\r\nPage 1 of 20\n\nEven in its early stage, Albiriox already exhibits the defining traits of the latest generation of ODF-oriented\r\nAndroid banking malware, including stealthy delivery, evasion techniques, dynamic device manipulation, and\r\nbroad targeting across the financial sector. Its MaaS business model and ongoing development suggest that\r\nAlbiriox may rapidly gain traction among TAs seeking efficient and scalable tools for high-impact mobile fraud.\r\nFrom private beta to public MaaS\r\nThe first traces of Albiriox emerged in late September 2025 within a specific Telegram channel, where the\r\nsuspected author was discussing the project with a small community of followers. 
In these early conversations,\r\nTAs announced plans to release Albiriox as a MaaS offering, mentioning that a beta phase would be made\r\navailable exclusively to high-reputation members of the underground forums where the malware would be\r\npromoted.\r\nFigure 1 - Translated Messages from TG\r\nA few days later, the official beta announcement appeared on two well-known Russian-speaking cybercrime\r\nforums. The initial post provided the first technical details about the malware, revealing a fully-featured RAT with\r\nall the capabilities required to perform On-Device Fraud attacks. Among the advertised functionalities, one stands\r\nout: AcVNC (Accessibility VNC).\r\nFigure 2 - Albiriox Free Beta Post on the Forum\r\nThe terminology around this capability (AcVNC) is not standardized across the underground ecosystem. In a later\r\nexchange observed on the same Telegram channel, a potential affiliate expressed confusion about the different\r\nnames used to describe this technique. The Albiriox developer(s) clarified that terms like hVNC, screen reader,\r\nskeleton VNC, AcVNC, and accessibility view are essentially interchangeable, \"purely marketing, and\r\neveryone has different names.\" To address this confusion and demonstrate the malware's capabilities in action, the\r\nauthor subsequently released a series of promotional videos showcasing the core functionalities, providing\r\nprospective affiliates with a clearer understanding of how Albiriox operates.\r\nFigure 3 - Other Translated Messages from TG\r\nFollowing the beta period, the same TA published a more structured announcement promoting the first public\r\nrelease of the Albiriox MaaS. 
The announcement disclosed the MaaS pricing model: $650 per month until\r\nOctober 21st, 2025, increasing to $720 afterwards. \r\nFigure 4 - Official Albiriox Release Announcement\r\nIn parallel, our Threat Intelligence team identified multiple APK samples that, based on their internal structure\r\nand functionalities, appear to be directly tied to the initial development cycle of Albiriox. The following sections\r\ndetail the distribution campaigns and technical capabilities observed during this early phase. Given Albiriox's\r\nactive development, this analysis represents a snapshot of a rapidly evolving threat that we expect to mature\r\nsignificantly in the coming months.\r\nEarly campaigns\r\nDuring the early monitoring of Albiriox, Cleafy intercepted one of the first distribution campaigns tied to this\r\nmalware. Given the timing—aligned with the beta phase—and the limited scope of the operation, we assess that\r\nthis campaign is likely attributable to a single affiliate, potentially one of the high-reputation forum members\r\ngranted early access to the MaaS platform.\r\nThe campaign targets Austrian victims explicitly, leveraging German-language lures and social engineering\r\ntactics consistent with the broader mobile banking threat landscape. Distribution relies on SMS messages\r\ncontaining shortened links that redirect to fraudulent landing pages impersonating legitimate services.\r\nFake Google Play Page\r\nFigure 5 - First Delivery Method Detected\r\nThe initial delivery mechanism observed was straightforward: victims were directed to a fake Google Play page\r\noffering what appeared to be the official \"Penny Market\" application, a popular discount retail chain in the DACH\r\nregion. 
The page faithfully reproduced Google's visual identity, displaying German-language elements, including\r\napp descriptions, ratings, and installation prompts. Once the user clicked \"Install,\" the dropper APK was\r\ndownloaded directly from attacker-controlled infrastructure, bypassing the official Play Store entirely.\r\nEvolution: Phone Number Requirement\r\nShortly after the initial wave, we observed a notable shift in the distribution flow. The phishing infrastructure\r\nhas been updated: the landing page no longer exposes a direct APK download. Instead, users were prompted to\r\nenter their mobile phone number, with the page instructing that the download link would be delivered \"via\r\nWhatsApp\". \r\nFigure 6 - Second Delivery Method Detected\r\nThe updated flow unfolds in four stages: the victim selects a fuel provider, spins a promotional \"wheel of fortune,\"\r\nenters their phone number, and receives confirmation that a representative will contact them shortly. Analysis of\r\nthe underlying JavaScript reveals that only Austrian phone numbers are accepted (isValidAustrianNumber\r\nfunction), and submitted data is forwarded directly to a Telegram bot controlled by the TAs.\r\nFigure 7 - JavaScript Code Snippet into Phishing Kit\r\nTechnical Analysis\r\nThis section provides a concise technical overview of the key findings derived from the analysis of the Albiriox\r\nmalware. 
As with many well‑known Android banking Trojans, its core functionality aligns with established\r\npatterns commonly observed in the mobile threat landscape, including VNC‑based remote control and Overlay\r\nattacks.\r\nInstallation\r\nIn the campaign we examined, the initial attack stage leverages the fake Penny application (dropper), which has\r\nbeen used as a dedicated decoy for the main Albiriox payload. Our analysis revealed that this sample utilizes the\r\nJSONPacker technique, a form of code obfuscation and dynamic unpacking employed to deliver the payload.\r\nBelow are all the steps for installing the malware:\r\nUpon installation and launch, the initial dropper triggers a social engineering sequence immediately.\r\nInstead of behaving like a legitimate application, it displays a fraudulent System Update interface designed\r\nto pressure the victim into granting the requested permissions.\r\nThe dropper’s primary goal is to obtain the critical “Install Unknown Apps” permission, which enables\r\nout‑of‑store installations.\r\nOnce this permission is granted, the application installs the final payload Albiriox on the compromised\r\ndevice.\r\nFigure 8 - Malware Installation\r\nThis intricate, staged deployment highlights the TA's efforts to evade static signature detection by delivering the\r\nmalicious functionality dynamically after the initial dropper installation.\r\nMalware Targets\r\nAnalyzing the malware’s source code, we successfully identified all potential application targets used for overlay\r\nattacks and credential harvesting. 
These targets are hardcoded within a dedicated class named AppInfos, which\r\neffectively acts as the malware’s internal database for application monitoring and fraud execution.\r\nFigure 9 - Targets\r\nIn total, over 400 applications were identified. The targets span a wide range of financial services: traditional banking,\r\nfintech, payment processors, cryptocurrency exchanges, digital wallets, and trading platforms. This broad\r\nspectrum of targets provides strong evidence that Albiriox is designed to operate as a fully‑fledged banking\r\nTrojan, capable of supporting global ODF campaigns.\r\nTo better illustrate the breadth and intent of the TAs, we grouped all identified applications into several functional\r\nand geographic categories, as shown in the following graph. This classification helps highlight the malware's\r\nstrategic targeting approach, which prioritizes high-value, globally recognized financial brands.\r\nFigure 10 - Target Type\r\nC2 Communication Protocol\r\nThe malware establishes a persistent communication channel with its C2 infrastructure using an unencrypted TCP\r\nSocket connection.\r\nHandshake and Identification: Immediately upon successful execution, the malware initiates a detailed\r\nhandshake with the C2 server. This message contains device identifiers, including the Hardware ID\r\n(HWID), device model, and current Android OS version, effectively registering the victim device within\r\nthe botnet.\r\nFigure 11 - sendHandShake Method\r\nProtocol Management: Communication is managed via structured JSON objects transmitted over a TCP\r\ndata stream. 
This setup facilitates efficient command parsing and data exfiltration.\r\nHeartbeat Mechanism: A Ping/Pong heartbeat mechanism is implemented to ensure the persistence and\r\nstability of the TCP connection, allowing the TAs to maintain continuous control and readiness for remote\r\noperations.\r\nAlbiriox Functionalities\r\nUpon examining the source code, we identified a comprehensive set of commands (listed in the Appendix) that\r\noutline the operational capabilities of Albiriox. These commands provide a clear view of the malware’s design\r\nphilosophy and confirm that the TAs have implemented all the core components typically found in modern\r\nAndroid banking Trojans. Although the codebase exposes a wide range of device‑level functions, all capabilities\r\nultimately converge toward a single goal: achieving full remote control of the device to enable On‑Device\r\nFraud (ODF).\r\nAt the core of its operational model, Albiriox installs and activates a VNC‑based remote access module,\r\nenabling real‑time interaction with the compromised device. 
When combined with black-screen overlays, this\r\nallows attackers to execute fraudulent actions while remaining undetected by the victim.\r\nBeyond remote access, the command set enables a broad spectrum of device manipulation features, including:\r\nUI Interaction \u0026 Device Automation:\r\nCommands such as click, swipe, text, back, home, recent, and power allow the operator to fully interact\r\nwith the user interface and navigate across applications.\r\nFraud‑Driven Controls:\r\nFunctions like get_phone_password, clear_phone_password, live_key, live_key_stop, and set_vnc_mode\r\nprovide the attacker with mechanisms to extract sensitive information, maintain session control, and\r\nstreamline ODF activity.\r\nStealth \u0026 Environment Control:\r\nCommands including blank_screen, black_blank_screen, volume_up, volume_down, and control support\r\nconcealment and operational stealth during fraud execution.\r\nApplication Management:\r\nInstructions such as launch_app and uninstall_app enable Albiriox to manage the lifecycle of installed\r\napplications, allowing for further social engineering, evasion, or cleanup.\r\nC2 Synchronisation \u0026 Session Checks:\r\nThe presence of ping and pong commands highlights the constant communication flow with the\r\ncommand‑and‑control server to validate connectivity and operator presence.\r\nWhile Albiriox exposes numerous capabilities across its command set, these functions collectively support a\r\nunified operational workflow, enabling persistent, covert, and fully interactive control over the victim’s device.\r\nThis allows attackers to perform fraudulent transactions directly from the user’s legitimate session. 
This approach\r\nis strongly aligned with the most advanced ODF‑oriented mobile malware currently observed in the threat\r\nlandscape.\r\nThe Remote Control and Real-Time Device Streaming\r\nThe most prominent feature confirmed is Albiriox’s ability to operate as a full Remote Controller. This\r\ncapability enables TAs to have real-time, unauthorized access and visual monitoring of the victim’s device. It\r\nmirrors legitimate remote access technologies (such as VNC or similar services), enabling a live stream of the\r\ndevice display and allowing the operator to interact with the device remotely. Such behavior is strongly indicative\r\nof a mobile Remote Access Trojan (RAT) or a highly sophisticated banking Trojan that relies on session hijacking\r\nand on-device fraud.\r\nAs shown in the following figure, we recovered an example of an active device infected with Albiriox, alongside\r\nthe corresponding VNC session. The malware exposes two distinct VNC streaming modes within the panel:\r\nAC VNC: a stream sourced from Accessibility Services, displaying all UI nodes and accessibility\r\nelements present on the device screen.\r\nVNC: a standard real-time visual stream of the device’s display, similar to traditional VNC\r\nimplementations.\r\nIn the screenshot, the highlighted “AC VNC” tab (visible in the lower-right corner) confirms that the operator can\r\nswitch between the two modes depending on the phase of the fraud operation and the level of interaction required.\r\nFigure 12 - Accessibility AC VNC Connection\r\nThis accessibility-based streaming mechanism is intentionally designed to bypass the limitations imposed by\r\nAndroid’s FLAG_SECURE protection. 
Since many banking and cryptocurrency applications now block screen\r\nrecording, screenshots, and display capture when this flag is enabled, leveraging Accessibility Services allows the\r\nmalware to obtain a complete, node-level view of the interface without triggering any of the protections\r\ncommonly associated with direct screen-capture techniques.\r\nOverlay Attack Mechanism\r\nA secondary, yet critical, functionality implemented by Albiriox is the use of the Overlay Attack technique, a\r\nstaple of modern Android banking malware.\r\nDuring the analysis, we successfully retrieved data indicating the deployment of at least three distinct types of\r\noverlay screens:\r\nSystem Update Overlay: An overlay designed to impersonate a legitimate System Update screen. Once the\r\nVNC connection is established, the attackers can choose to display this\r\n“Update” screen.\r\nFigure 13 - System Update Overlay\r\nBlack Screen Overlay: A full-screen black overlay is used, likely to obscure the victim's view while the\r\nattacker executes unauthorized transactions or operations in the background using the\r\nremote control capability.\r\nFigure 14 - Blank Screen Overlay\r\nTargeted Application Overlay: This third overlay is specifically deployed upon intercepting the execution\r\nof one of the hardcoded target applications monitored by the malware. 
This screen is not a typical fake\r\nlogin or data-entry form that mimics the real application to harvest user credentials (e.g., banking passwords or crypto wallet seed\r\nphrases).\r\nFigure 15 - Generic Target Overlay\r\nEvading Detection\r\nBeyond the recruitment messages and the initial beta-stage announcements presented in the “From private beta\r\nto public MaaS” chapter, Cleafy’s monitoring activities uncovered an additional discussion thread tied to the\r\nAlbiriox developers. In this conversation, a forum user explicitly asked whether the malware was FUD (Fully\r\nUndetectable), a common indicator of interest among TAs seeking tools capable of bypassing antivirus and mobile\r\nsecurity solutions.\r\nIn response, the Albiriox developers clarified that they provide a custom Builder as part of their MaaS offering. \r\nFigure 16 - User asking for FUD Capability of Albiriox\r\nThis builder reportedly integrates a third-party crypting service known as Golden Crypt, a well-established tool\r\nwithin cybercriminal markets and frequently advertised on the same forum. 
Notably, the developer of Golden\r\nCrypt is also an active member, reinforcing the tight ecosystem of TAs and service providers collaborating to\r\nenhance stealth and evasive capabilities.\r\nFigure 17 - Albiriox APK Builder\r\nThe inclusion of Golden Crypt within the builder pipeline suggests that the Albiriox operators are deliberately\r\npositioning the malware as a stealth-optimized product, aiming to evade static detection mechanisms and\r\nimprove the likelihood of successful deployment during the early infection stages, especially relevant given the\r\nmalware’s reliance on the two-stage delivery and accessibility-based device takeover.\r\nConclusions\r\nThe analysis of the Albiriox malware, together with its dedicated Penny decoy, highlights the ongoing evolution\r\nand increasing sophistication of mobile banking threats. The evidence suggests that the TAs have adopted a two-stage, obfuscated delivery chain, specifically designed to evade detection while maintaining full control of\r\ncompromised devices, particularly those running high-value financial or cryptocurrency applications.\r\nAlbiriox exhibits all core characteristics of modern On-Device Fraud (ODF) malware, including VNC-based\r\nremote control, accessibility-driven automation, targeted overlays, and dynamic credential harvesting. These\r\ncapabilities enable attackers to bypass traditional authentication and fraud-detection mechanisms by operating\r\ndirectly within the victim’s legitimate session.\r\nIn conclusion, Albiriox represents a rapidly evolving threat that exemplifies the broader shift toward ODF-focused\r\nmobile malware. Effectively countering such threats requires a layered defense approach that correlates client-side\r\nsignals, behavioral patterns, and transactional anomalies in real-time. 
This multi-dimensional visibility enables\r\nfinancial institutions to detect compromise at the earliest stages of the attack chain and enforce precise, context-aware response policies before fraud is executed. As mobile banking threats continue to mature, the ability to\r\norchestrate these indicators into actionable defenses will prove essential for staying ahead of this emerging class\r\nof Android malware.\r\nAppendix - IOCs:\r\nMalware Target Apps\r\nDisclaimer: In our standard TLP:WHITE reports, we typically refrain from publishing detailed lists of targeted\r\napplications. Such information is often shared separately with financial CERTs through TLP:AMBER reports to\r\nfacilitate timely distribution to associated financial institutions. If you are interested in the list of targets,\r\nplease contact labs[at]cleafy.com to obtain it.\r\nAPKs:\r\npackage name App name MD5\r\ncom.example.myapplication PENNY (dropper) b6bae028ce6b0eff784de1c5e766ee33\r\ncom.example.myapplication PENNY (dropper) 61b59eb41c0ae7fc94f800812860b22a\r\ncom.example.myapplication PENNY (dropper) f09b82182a5935a27566cdb570ce668f\r\ncom.nmz.nmz nmz.nmz f5b501e3d766f3024eb532893acc8c6c\r\nC2 Server:\r\nIP address Port Sample Related (MD5)\r\n194.32.79.94 5555 f5b501e3d766f3024eb532893acc8c6c\r\nDelivery:\r\nDomains\r\ngoogle-app-download[.]download\r\ngoogle-get[.]download\r\ngoogle-aplication[.]download\r\nplay.google-get[.]store\r\ngoogle-app-get[.]com\r\ngoogle-get-app[.]com\r\ngoogle-app-install[.]com\r\nC2 Command List\r\nCommand Usage\r\nclear_phone_password Removes or resets the phone’s lockscreen password/PIN/pattern.\r\nping Heartbeat request sent by the C2 to check if the device is online.\r\npong Response sent by the malware to confirm it is connected and active.\r\nget_phone_password Retrieves and sends the device’s lockscreen 
password/PIN/pattern to the C2.\r\ncontrol Enables remote control mode via Accessibility (attacker takes over UI).\r\nclick Performs a tap gesture at a specified screen coordinate.\r\nswipe Performs a swipe gesture on the screen (scroll, navigation, etc.).\r\nvolume_up Increases the device volume remotely.\r\nrecent Opens the “Recent Apps” / Task Manager screen.\r\nvolume_down Decreases the device volume remotely.\r\nuninstall_app Uninstalls a specified app from the device.\r\nblank_screen Displays a blank overlay screen to hide malicious activity.\r\nlive_key_stop Stops the “live control” or key/screen streaming session.\r\nback Simulates the Android “Back” button press.\r\nhome Simulates the Android “Home” button press.\r\ntext Inputs text into the currently focused text field.\r\npower Simulates the phone’s power button (screen on/off).\r\nlaunch_app Launches a specified application on the device.\r\nset_vnc_mode Enables or configures VNC-like remote viewing/streaming mode.\r\nblack_blank_screen Displays a fully black overlay to hide all activity.\r\nlive_key Starts live control mode (e.g., real-time screen/key streaming).\r\nget_apps Retrieves and sends the list of installed applications.\r\nSource: https://www.cleafy.com/cleafy-labs/albiriox-rat-mobile-malware-targeting-global-finance-and-crypto-wallets",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cleafy.com/cleafy-labs/albiriox-rat-mobile-malware-targeting-global-finance-and-crypto-wallets"
	],
	"report_names": [
		"albiriox-rat-mobile-malware-targeting-global-finance-and-crypto-wallets"
	],
	"threat_actors": [],
	"ts_created_at": 1776912854,
	"ts_updated_at": 1777083496,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c5d6e42e94abf42afc32c9af10ebe808aceef889.pdf",
		"text": "https://archive.orkl.eu/c5d6e42e94abf42afc32c9af10ebe808aceef889.txt",
		"img": "https://archive.orkl.eu/c5d6e42e94abf42afc32c9af10ebe808aceef889.jpg"
	}
}