- Analysis of cifrat: could this be an evolution of a mobile RAT?
CERT Polska analyzed a Booking-themed Android malware chain delivered through phishing and a fake update website. The sample is a multi-stage dropper that installs a hidden, accessibility-controlled RAT with WebSocket C2.
- Analysis of FvncBot campaign
CERT Polska has analyzed an SGB-branded Android malware sample from the FvncBot campaign targeting Poland. The app installs a second-stage implant, coerces the victim into enabling accessibility, and registers the device to a backend that issues per-device credentials.
- ClickFix in action: how fake captcha can lead to a company-wide infection
We assisted a large organisation in the investigation and remediation of a live malware infection caused by a successful Fake Captcha attack. In this report, we summarize our observations and publish an in-depth malware analysis.
- Analysis of NGate malware campaign (NFC relay)
CERT Polska has observed new samples of mobile malware in recent months associated with an NFC relay (NGate) attack targeting users of Polish banks.
- UNC1151 exploiting Roundcube to steal user credentials in a spearphishing campaign
CERT Polska is observing a malicious email campaign conducted by the UNC1151 group against Polish entities, exploiting a vulnerability in the Roundcube software.
- Deobfuscation techniques: Peephole deobfuscation
In this article we describe a basic deobfuscation technique based on code-snippet substitution: short, fixed instruction patterns inserted by the obfuscator are matched through a sliding window and rewritten into their simpler equivalents.
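Peephole deobfuscation, illustrated with an added example that is not from the CERT Polska article or its tooling: a small Python pass that slides a two-instruction window over an x86-like listing and substitutes known junk patterns (push/pop pairs, xor-then-add, add-zero, a jump to the next label) until no rule fires. The input snippet, the instruction representation and the rule set are assumptions constructed for this illustration.

```python
import re
from typing import Callable, List, Optional, Tuple

# Constructed obfuscated snippet for this example (hypothetical, not a real sample).
OBFUSCATED = """
    push eax          ; push/pop pair == mov ebx, eax
    pop ebx
    push ecx          ; push/pop of the same register == no-op
    pop ecx
    xor edx, edx      ; xor-zero then add == mov edx, 0x10
    add edx, 0x10
    add ebx, 0        ; add 0 == no-op
    jmp next_0        ; jump to the very next label == no-op
next_0:
    mov eax, ebx
"""

# An instruction is (mnemonic, operands); labels are ("label", [name]).
Instr = Tuple[str, List[str]]
Rule = Callable[[List[Instr]], Optional[Tuple[int, List[Instr]]]]


def parse(asm: str) -> List[Instr]:
    """Parse a text listing into (mnemonic, operands) tuples; comments stripped."""
    out: List[Instr] = []
    for raw in asm.splitlines():
        line = raw.split(";")[0].strip()
        if not line:
            continue
        if line.endswith(":"):
            out.append(("label", [line[:-1]]))
            continue
        parts = line.split(None, 1)
        ops = [o.strip() for o in parts[1].split(",")] if len(parts) > 1 else []
        out.append((parts[0].lower(), ops))
    return out


def fmt(instrs: List[Instr]) -> List[str]:
    """Render instructions back to one text line each."""
    return [f"{ops[0]}:" if m == "label" else (m + (" " + ", ".join(ops) if ops else ""))
            for m, ops in instrs]


# Each rule inspects a window (1-2 instructions) and returns
# (number of instructions consumed, replacement list) or None if it does not match.
def push_pop(w: List[Instr]):
    if len(w) >= 2 and w[0][0] == "push" and w[1][0] == "pop":
        src, dst = w[0][1][0], w[1][1][0]
        return 2, ([] if src == dst else [("mov", [dst, src])])
    return None


def xor_add(w: List[Instr]):
    if (len(w) >= 2 and w[0][0] == "xor" and len(w[0][1]) == 2 and w[0][1][0] == w[0][1][1]
            and w[1][0] == "add" and len(w[1][1]) == 2 and w[1][1][0] == w[0][1][0]):
        return 2, [("mov", [w[1][1][0], w[1][1][1]])]
    return None


def add_zero(w: List[Instr]):
    if w and w[0][0] == "add" and len(w[0][1]) == 2 and re.fullmatch(r"0|0x0+", w[0][1][1]):
        return 1, []
    return None


def jmp_next(w: List[Instr]):
    if len(w) >= 2 and w[0][0] == "jmp" and w[1][0] == "label" and w[0][1][0] == w[1][1][0]:
        return 2, [w[1]]  # keep the label; something else may still reference it
    return None


RULES: List[Rule] = [push_pop, xor_add, add_zero, jmp_next]


def peephole(instrs: List[Instr], rules: List[Rule] = RULES, max_passes: int = 50) -> List[Instr]:
    """Apply rules over a sliding window until a full pass changes nothing (fixpoint)."""
    for _ in range(max_passes):
        out: List[Instr] = []
        changed, i = False, 0
        while i < len(instrs):
            window = instrs[i:i + 2]
            for rule in rules:
                hit = rule(window)
                if hit is not None:
                    consumed, repl = hit
                    out.extend(repl)
                    i += consumed
                    changed = True
                    break
            else:
                out.append(instrs[i])
                i += 1
        instrs = out
        if not changed:
            break
    return instrs


def deobfuscate(asm: str) -> List[str]:
    return fmt(peephole(parse(asm)))


if __name__ == "__main__":
    print("\n".join(deobfuscate(OBFUSCATED)))
```

Rules are applied repeatedly rather than in a single pass because one substitution can expose another (the `mov` produced by a push/pop pair may itself be the first half of a later pattern); the pass count cap guards against a rule set that oscillates.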
- The Dark Knight Returns: Joker malware analysis
CERT Polska has recently observed new samples of the "Joker" mobile malware. The applications are present in the Google Play Store and target Polish users, among others.
- Malware stories: Deworming the XWorm
XWorm is a multi-purpose malware family, commonly used as a RAT. This post contains a detailed analysis and a walk-through of the reverse-engineering process.
- Unpacking what's packed: DotRunPeX analysis
When, what and why: as a national CERT we analyse all kinds of incidents. Some of them involve widespread APT campaigns; other times we focus on everyday threats. Recently we were notified about a new malspam campaign targeting Polish users and decided to investigate. It all started with this phishing …
- Malspam campaign delivering PowerDash – a tiny PowerShell backdoor
In late April we observed a malspam campaign delivering a previously unseen PowerShell malware. We provide an overview of the campaign and some of the malware's capabilities. We are also dubbing this malware family "PowerDash", after the "/dash" path on the C2 server that is used as a gateway for bots.