Canis C2 Surveillance Framework Targets Japan with Phishing Campaign

Severity: High (Score: 71.5)

Sources: projectzero.google, hunt.io, Technadu

Summary

A previously undocumented surveillance framework, Canis C2, has been identified targeting Japan. The investigation began when researchers discovered a phishing Android application masquerading as Paidy, a buy-now-pay-later service. This app led to an exposed backend API, revealing extensive capabilities including location tracking, media access, credential overlay injection, and arbitrary code execution. The malware is designed for multiple platforms, including Android, iOS, Windows, Linux, and macOS. Attackers used deceptive phishing tactics, presenting victims with fake electric billing statements to get them to install the malicious application. The framework demonstrates advanced technical sophistication, with signs of LLM-assisted development in its codebase. A campaign identifier, CANIS_2026_FEB, has been linked to this activity. Users are advised to avoid unofficial applications and be cautious of suspicious emails.

Key Points:

  • Canis C2 framework targets multiple platforms including Android, iOS, and Windows.
  • Initial access was gained through a phishing app impersonating a legitimate service.
  • The malware allows extensive permissions, including GPS tracking and media capture.

Key Entities

  • BlueNoroff (apt_group)
  • TA444 (apt_group)
  • Malware (attack_type)
  • Phishing (attack_type)
  • Zero-day Exploit (attack_type)
  • CANIS_2026_FEB (campaign)
  • Bahrain (country)
  • Italy (country)
  • Japan (country)
  • Morocco (country)
  • South Korea (country)
  • CVE-2021-30860 (cve)
  • android.app (domain)
  • hunt.io (domain)
  • Canis (malware)
  • Pegasus (malware)
  • T1059.001 - PowerShell (mitre_attack)
  • T1071 - Application Layer Protocol (mitre_attack)
  • T1566.001 - Spearphishing Attachment (mitre_attack)
  • T1566.002 - Spearphishing Link (mitre_attack)
  • Android (platform)
  • iMessage (platform)
  • iOS (platform)
  • Linux (platform)
  • macOS (platform)
  • F8E9A720468C89F191D8CB12D46D81EF67B87A9EF95A307835C556A0885BD181 (sha256)
  • Canvas (tool)
  • CoreGraphics (tool)
  • HuntSQL (tool)
  • JBIG2 (tool)
  • Xpdf (tool)
  • ImageIO (vulnerability)
  • BlastDoor (vulnerability)
  • FORCEDENTRY (vulnerability)