Overview
- ThreatFabric reports the trojan was advertised on September 7, 2025 as a malware‑as‑a‑service by a developer known as K1R0, and that its components overlap with those of the Brokewell trojan.
- Operators are delivering it via smishing links to droppers that sideload the payload and prompt users to grant Accessibility permissions.
- Once installed, the malware enables device takeover by driving the UI, presenting opaque overlays, stealing credentials, intercepting SMS one‑time codes, and capturing screen content.
- A built‑in “humanizer” inserts random 0.3–3 second delays between text input events to imitate human typing and evade timing‑based behavioral checks.
- Researchers mapped infrastructure on the google-firebase.digital domain with seven subdomains and an admin panel, and collected overlays for apps used in the US, UK, Turkey, and Poland.
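The "humanizer" bullet above describes an evasion aimed at timing-based behavioral checks: delays drawn from a 0.3–3 second range so that keystrokes no longer arrive at machine speed. The following Python is an added defensive example, not code from ThreatFabric or from the malware, showing how a banking app's server-side telemetry could look at the same signal from the other direction. It assumes the app already records a timestamp per text-input event (a hypothetical `session` list of seconds), and the thresholds and the two sample sessions are constructed for illustration rather than taken from the report.

```python
"""Heuristic flag for input sessions whose inter-event gaps look like
uniformly drawn delays rather than human typing.

Assumption: the client records a timestamp (seconds) for each text-input
event and ships them as a list. The constants below mirror the 0.3-3 s
range described in the report; the decision rule itself is an assumption.
"""
from statistics import median

WINDOW_MIN = 0.3  # lower bound of the humanizer's delay range (from report)
WINDOW_MAX = 3.0  # upper bound of the humanizer's delay range (from report)


def timestamps_from_gaps(start, gaps):
    """Build an event timestamp list from a starting time and the gaps between events."""
    out = [start]
    for g in gaps:
        out.append(out[-1] + g)
    return out


def intervals(timestamps):
    """Inter-event gaps in seconds, in chronological order."""
    ts = sorted(timestamps)
    return [b - a for a, b in zip(ts, ts[1:])]


def session_features(timestamps):
    """Summarise one session's gap distribution; None if fewer than two events."""
    gaps = intervals(timestamps)
    if not gaps:
        return None
    n = len(gaps)
    return {
        "count": n,
        "min": min(gaps),
        "max": max(gaps),
        "median": median(gaps),
        # Share of gaps inside the humanizer range.
        "fraction_in_window": sum(WINDOW_MIN <= g <= WINDOW_MAX for g in gaps) / n,
        # Share of gaps faster than the range's lower bound (human bursts).
        "fraction_sub_window": sum(g < WINDOW_MIN for g in gaps) / n,
    }


def looks_humanized(timestamps, min_events=8):
    """Return True when every gap sits inside the 0.3-3 s window and the
    session has no fast bursts at all.

    Real typing is bursty: a sizeable share of gaps fall well under 0.3 s,
    with occasional long pauses. A session where not a single gap is below
    the window and none exceed it is consistent with delays drawn uniformly
    from that window. Slow, deliberate typists can trip this rule, so treat
    it as one risk signal to combine with others, not a verdict on its own.
    """
    f = session_features(timestamps)
    if f is None or f["count"] < min_events:
        return False  # too little data to say anything
    return (
        f["fraction_in_window"] == 1.0
        and f["fraction_sub_window"] == 0.0
        and f["median"] > 2 * WINDOW_MIN
    )


# Constructed sample sessions (not captured data).
# A person typing a 12-character field: short bursts plus two pauses.
HUMAN_SESSION = timestamps_from_gaps(
    100.0, [0.12, 0.09, 0.15, 0.11, 0.42, 0.10, 0.08, 0.13, 1.20, 0.11, 0.09]
)
# An automated session with every gap pulled from the 0.3-3 s range.
HUMANIZED_SESSION = timestamps_from_gaps(
    200.0, [1.7, 0.4, 2.6, 0.9, 2.1, 1.3, 0.5, 2.9, 1.1, 1.8]
)

if __name__ == "__main__":
    for name, session in (("human", HUMAN_SESSION), ("humanized", HUMANIZED_SESSION)):
        print(name, session_features(session), "flag:", looks_humanized(session))
```

The rule deliberately keys on the absence of sub-300 ms gaps rather than on average speed, because the evasion's stated goal is to add delay; a check that only asks "is this too fast?" is exactly what the humanizer is built to pass.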