Articoli di approfondimento sulla diffusione di Malware principalmente legati al nostro territorio Italiano ma non solo.

In June 2026, we analysed a malware campaign distributed through Italian-language phishing emails. The message pretended to deliver an invoice and used the subject Fattura #2818999851.

The victim was shown what looked like a PDF document. The downloaded file was instead an obfuscated Windows JavaScript file named Fattura-2819889242.pfd.js. The unusual pfd.js ending was likely intended to look similar to .pdf at a quick glance.

The most interesting part of this infection was not the initial JavaScript. The malware installed a malicious Google Chrome extension and paired it with a Native Messaging Host. This combination allowed code running inside Chrome to request PowerShell commands on the Windows system.

An extension normally cannot start local programs. Native Messaging changed that security boundary.

Continua a leggere

Since February 2026, we have been tracking an invoice-themed malware campaign targeting Italian users and organizations. The messages are written in Italian and abuse a familiar business pretext: a short invoice notification that asks the recipient to open an attached HTML document. The lure is minimal, credible enough for a busy inbox, and designed to move the victim from email to browser to script execution.

One of the analyzed emails used the subject Nostra fattura nr. 91B. The body asked the recipient to review the attached document to view invoice details. The attachment was named Fattura_00121.html.

Continua a leggere

In January 2026, we analyzed NFCShare, an Android banking trojan distributed as a malicious APK through a phishing flow impersonating Deutsche Bank. The malware presented a fake card-verification interface, asked the victim to place a payment card near the phone, collected the card PIN, and exfiltrated NFC-derived payment-card data to a WebSocket endpoint.

Since 14 May 2026, we have observed a newer wave of NFCShare APKs impersonating Italian and European banking brands. The campaign we investigated started from an ad hoc phishing website, areaclienti-intesa.com, which mimicked the look and feel of Intesa Sanpaolo. After the victim entered home-banking credentials, the phishing flow prompted the user to update the banking application. At that point, the website visually directed the victim to a shortened URL, such as https://tinyurl[.]com/Intesa-Carte, which then redirected toward APKs hosted in the GitHub repository antoniocastaldo1998/app-scuola.

The newer samples are still NFCShare. The core NFC and exfiltration logic remains largely unchanged. The relevant evolution is operational and anti-analysis oriented: more frequent APK rebuilds, brand rotation, a new C2 endpoint, a 10-DEX layout, and malformed ZIP paths designed to break naive APK extractors.

Continua a leggere

Executive Summary

The D3Lab team analyzed an Android application distributed through a Deutsche Bank phishing campaign. Victims are prompted to enter their phone number, then instructed to “update” their banking app by downloading a malicious APK named deutsche.apk. The APK presents itself as “Support Nexi” and guides the user through a fake “card verification” flow: bring the card near the phone, keep it close while “authenticating,” and enter the card PIN. Under the hood, the app reads NFC card data (ISO‑DEP) and exfiltrates it to a remote WebSocket endpoint.

Based on consistent internal artifacts (package naming, classes, messages, and UI flow), we assign this new cluster the family name NFCShare.

Distribution: Deutsche Bank phishing flow

The infection chain starts with a bank‑themed phishing site mimicking Italian Deutsche Bank. The victim is asked for a mobile number and then told to update the bank app. The “update” is delivered as an APK (deutsche.apk). After installation, the app claims to be “Support Nexi” and drives the user through a fake security verification designed to harvest NFC card data and the card PIN.

Continua a leggere

During a recent investigation, we obtained access to a multi-package archive containing the complete development toolkit behind the Android malware known as BTMOB RAT. The archive includes the Android payload source code, its dropper, a builder environment, the operator panel for Windows, the command-and-control backend, and all the software dependencies required to deploy the full platform.

Every component is stored inside password-protected ZIP files. While ZIP file headers remain readable without a password, allowing us to inspect the file tree, their binary contents cannot be extracted. We intentionally chose not to acquire or circumvent the passwords, avoiding any action that may financially support or operationally benefit a criminal actor.

Continua a leggere

During D3Lab’s continuous monitoring of newly registered domains through our Brand Monitor service, we identified a domain crafted to impersonate the Google Play Store.

The site advertises a supposed application called “GPT Trade”, presented as an AI-powered trading assistant and visually styled to resemble official ChatGPT / OpenAI branding. Unsuspecting users are encouraged to download an APK directly from the page: https://playgoogle-gpttrade[.]com/GPT%20Trade.apk

Our investigation revealed that GPT Trade is not a legitimate application, but a sophisticated Android dropper engineered to generate, prepare, and install multiple secondary malware payloads, including:

  • BTMob – a powerful spyware family
  • UASecurity Miner – a persistence-oriented component tied to a suspicious Android packing service

The overall structure of the attack shows a modern, modular approach where threat actors rely on packer-as-a-service platforms, Telegram bots, and impersonation techniques to distribute malware effectively.

Continua a leggere

Recentemente una banca italiana è stata oggetto di una sofisticata campagna di phishing che ha portato alla diffusione del malware EagleSpy sui dispositivi Android. Questa minaccia ha lo scopo di rubare informazioni sensibili degli utenti attraverso una falsa richiesta di aggiornamento dell’app ufficiale della banca.

Modalità di Diffusione
La campagna di phishing invia e-mail e messaggi apparentemente provenienti dalla banca, invitando gli utenti a fornire il loro nominativo, e-mail, codice utente e PIN. Una volta ottenute queste informazioni, la vittima viene indirizzata a scaricare un aggiornamento dell’app bancaria che, in realtà, installa il malware.

Android Malware
EagleSpy è un Remote Access Trojan (RAT) progettato per ottenere accesso remoto non autorizzato ai dispositivi infetti, con funzionalità che includono la registrazione delle credenziali, la manipolazione dello schermo, il furto di PIN e codici di autenticazione a due fattori (2FA).

Continua a leggere

Il Threat Intelligence Team di D3Lab nelle quotidiane attività di analisi e contrasto alle frodi online ha rilevato la diffusione di un malware Android attraverso il servizio di allarme pubblico IT-Alert.

IT-alert è un nuovo sistema di allarme pubblico per l’informazione diretta alla popolazione, che dirama ai telefoni cellulari presenti in una determinata area geografica messaggi utili in caso di gravi emergenze o catastrofi imminenti o in corso.

Continua a leggere

D3Lab’s Threat Intelligence Team in its daily activities of analyzing and countering online fraud has detected a phishing campaign sent via SMS to the Italian company Nexi customers (specialises in payment systems) that invited the user to install a malicious application via the official Google Play Store.

Users initially received a text message (smishing) prompting them to check their own Nexi profile to prevent a disabling of the account. If the user clicked on the phishing link, he would see a fake Nexi web page requesting him:

  • Email associated with Nexi account;
  • Password;
  • Codice Fiscale (Italian fiscal code);
  • Credit Card Number, CVV and Expiration Date.

After completing the data entry the victim would saw a pop-up inviting him to download a new security application. The phishing website contained links to the Google Play Store, Huawei App Gallery, and Apple Store. But only the link to the Google Play Store was valid.

Continua a leggere

Since the end of 2019 there has been a change in bank phishing campaigns against Italian users who have introduced the combined use in a massive manner of methods until then used exclusively for targeted attacks, such as:

  • Vishing (telephone phishing);
  • Smishing (SMS with malicious content);
  • Malware (malicious APK);
  • Spoofing (Spoofing of the callerid or sender of the SMS);
  • Ad Hoc Domains (Creating new domains similar in name to the original);
  • Toll Free Numbers (Used to make communications more reliable).

It also changes the criminal figure that is no longer foreign but Italian. A fundamental figure for a social engineering attack that is no longer only spread through digital technology but also by phone, the knowledge of the mother tongue becomes useful to best trick the victim and lead it step by step to perform unwanted actions.

As a result, phishing campaigns have also grown rapidly, reaching more than 800 separate campaigns per week to Italian banks or financial services.

Phishing campaigns against Nexi

Since May 2022 we have identified a new criminal actor which target customers of Nexi SpA, the PayTech of digital payments in Italy, distinguishable from the creation of domains created Ad Hoc very faithful to the original (usually uses different TLDs but the domain uniquely contains the word “Nexi”, ex Nexi[.]shop, Nexi[.]club, etc) and a Phishing SMS full of information and details.

Continua a leggere
D3Lab Srl unipersonale – P.IVA IT01865450496 – Italy – Phone: +3905861946434