The PolySwarm Blog

Analyze suspicious files and URLs, at scale, millions of times per day. Get real-time threat intel from a crowdsourced network of security experts and antivirus companies competing to protect you.

Beyond Banking Trojans: Rokarolla Expands the Android Fraud Playbook

Jun 26, 2026 2:32:36 PM / by The Hivemind posted in Threat Bulletin, Android Malware, Android banking trojan, mobile banking fraud, cryptocurrency malware, Rokarolla, banking malware, Android phishing overlays

0 Comments

Verticals Targeted: Financial, Cryptocurrency
Regions Targeted: Global
Related Families:
Rokarolla

Executive Summary

Researchers have identified Rokarolla, a newly discovered Android banking trojan distributed through malicious websites impersonating trusted applications such as TikTok, Google Chrome, and Google Play Protect. The malware targets at least 217 banking and cryptocurrency applications and leverages Android Accessibility Services, phishing overlays, SMS interception, keylogging, screen monitoring, and call blocking to facilitate financial fraud. Rokarolla exposes at least 137 operator commands and employs multiple persistence and evasion mechanisms, allowing attackers to maintain extensive control over infected devices while minimizing user awareness and intervention.

Read More

Lazarus Expands Financial Espionage Operations With Memory-Resident RemotePE RAT

May 29, 2026 3:21:34 PM / by The Hivemind posted in Threat Bulletin, Lazarus Group, RemotePE, RemotePELoader, North Korea cyber threat, cryptocurrency malware, DPAPILoader

0 Comments

Verticals Targeted: Financial, Cryptocurrency
Related Threat Actors: Lazarus
Related Families: DPAPILoader, RemotePELoader, RemotePE

Executive Summary

Researchers identified a sophisticated Lazarus-linked malware ecosystem composed of DPAPILoader, RemotePELoader, and RemotePE, a chained toolset designed for stealth, persistence, and long-term access in high-value financial and cryptocurrency environments. The malware leverages DPAPI-based environmental keying, direct syscall techniques, ETW suppression, and memory-only payload execution to minimize forensic visibility and evade modern endpoint defenses.

Read More

Subscribe to Email Updates

Lists by Topic

see all

Posts by Topic

See all

Recent Posts