
DualToy: New Windows Trojan Sideloads Risky Apps to Android and iOS Devices

<!doctype html> <html lang="en-US"> <head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="profile" href="https://gmpg.org/xfn/11"> <link rel="preconnect" href="https://www.paloaltonetworks.com"> <link rel="preconnect" href="https://cdn.cookielaw.org"> <link rel="preconnect" href="https://fonts.googleapis.com"> <!-- Start: Scripts Migrated From Unit42-v5 --> <script type="text/javascript"> var main_site_url = 'https://www.paloaltonetworks.com'; var maindomain_lang = 'https://www.paloaltonetworks.com'; function getParameterByName(name, url) { if(url == null){ url = window.location.href; } name = name.replace(/[\[\]]/g, '\\$&'); var regex = new RegExp('[?&]' + name + '(=([^&#]*)|&|#|$)'), results = regex.exec(url); if (!results) return null; if (!results[2]) return ''; return decodeURIComponent(results[2].replace(/\+/g, ' ')); } var container_q = getParameterByName('container'); var d_lang = 'en'; </script> <link rel="preload" href="https://www.paloaltonetworks.com/etc.clientlibs/panClean/components/mainNavigationComp/clientlibs/panClean/criticalTop.min.css" as="style" onload="this.onload=null;this.rel='stylesheet'"> <noscript><link rel="stylesheet" href="https://www.paloaltonetworks.com/etc.clientlibs/panClean/components/mainNavigationComp/clientlibs/panClean/criticalTop.min.css"></noscript> <link rel="preload" href="https://www.paloaltonetworks.com/etc.clientlibs/panClean/components/mainNavigationComp/clientlibs/panClean/criticalTopProductNav.min.css" as="style" onload="this.onload=null;this.rel='stylesheet'"> <noscript><link rel="stylesheet" href="https://www.paloaltonetworks.com/etc.clientlibs/panClean/components/mainNavigationComp/clientlibs/panClean/criticalTopProductNav.min.css"></noscript> <link rel="preload" href="https://www.paloaltonetworks.com/etc.clientlibs/panClean/components/mainNavigationComp/clientlibs/panClean/deferedProductNav.min.css" as="style" onload="this.onload=null;this.rel='stylesheet'"> 
<noscript><link rel="stylesheet" href="https://www.paloaltonetworks.com/etc.clientlibs/panClean/components/mainNavigationComp/clientlibs/panClean/deferedProductNav.min.css"></noscript> <meta name='robots' content='index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1' /> <style>img:is([sizes="auto" i], [sizes^="auto," i]) { contain-intrinsic-size: 3000px 1500px }</style> <link rel="alternate" hreflang="en" href="https://unit42.paloaltonetworks.com/dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices/" /> <link rel="alternate" hreflang="ja" href="https://unit42.paloaltonetworks.jp/dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices/" /> <link rel="alternate" hreflang="x-default" href="https://unit42.paloaltonetworks.com/dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices/" /> <!-- This site is optimized with the Yoast SEO Premium plugin v24.2 (Yoast SEO v24.2) - https://yoast.com/wordpress/plugins/seo/ --> <title>DualToy: New Windows Trojan Sideloads Risky Apps to Android and iOS Devices</title> <meta name="description" content="Over the past two years, we’ve observed many cases of Microsoft Windows and Apple iOS malware designed to attack mobile devices." /> <link rel="canonical" href="https://unit42.paloaltonetworks.com/dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices/" /> <meta property="og:locale" content="en_US" /> <meta property="og:type" content="article" /> <meta property="og:title" content="DualToy: New Windows Trojan Sideloads Risky Apps to Android and iOS Devices" /> <meta property="og:description" content="Over the past two years, we’ve observed many cases of Microsoft Windows and Apple iOS malware designed to attack mobile devices." 
/> <meta property="og:url" content="https://unit42.paloaltonetworks.com/dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices/" /> <meta property="og:site_name" content="Unit 42" /> <meta property="article:published_time" content="2016-09-13T12:00:55+00:00" /> <meta property="article:modified_time" content="2022-01-28T20:38:39+00:00" /> <meta property="og:image" content="http://blog.paloaltonetworks.com/wp-content/uploads/2016/09/Dualtoy_1-500x244.png" /> <meta name="author" content="Claud Xiao" /> <meta name="twitter:card" content="summary_large_image" /> <!-- / Yoast SEO Premium plugin. --> <link rel="alternate" type="application/rss+xml" title="Unit 42 &raquo; Feed" href="https://unit42.paloaltonetworks.com/feed/" /> <link rel="alternate" type="application/rss+xml" title="Unit 42 &raquo; Comments Feed" href="https://unit42.paloaltonetworks.com/comments/feed/" /> <link rel="alternate" type="application/rss+xml" title="Unit 42 &raquo; DualToy: New Windows Trojan Sideloads Risky Apps to Android and iOS Devices Comments Feed" href="https://unit42.paloaltonetworks.com/dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices/feed/" /> <script type="text/javascript"> var globalConfig = {}; var webData = {}; webData.channel = "unit42"; webData.property = "unit42.paloaltonetworks.com"; webData.language = "en_us"; webData.pageType = "blogs"; webData.pageName = "unit42:dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices"; webData.pageURL = "https://unit42.paloaltonetworks.com/dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices"; webData.article_title = "DualToy: New Windows Trojan Sideloads Risky Apps to Android and iOS Devices"; webData.author = "Claud Xiao"; webData.published_time = "2016-09-13T05:00:55-07:00"; webData.description = "Over the past two years, we’ve observed many cases of Microsoft Windows and Apple iOS malware designed to attack mobile devices."; webData.keywords = 
"Malware,Threat Research,AceDeceiver,adb drivers,Android,apps,DualToy,iappstore,iOS,iTunes,mobile,Trojan"; webData.resourceAssetID = "a4f0ef511ed673407520d1748fab6caf"; </script> <script type="text/javascript"> var globalConfig = {}; globalConfig.buildName = "UniqueResourceAssetsID_DEC022022"; </script> <meta property="og:likes" content="13"/> <meta property="og:readtime" content="9"/> <meta property="og:views" content="43,366"/> <meta property="og:date_created" content="September 13, 2016 at 5:00 AM"/> <meta property="og:post_length" content="2422"/> <meta property="og:category" content="Malware"/> <meta property="og:category" content="Threat Research"/> <meta property="og:category_link" content="https://unit42.paloaltonetworks.com/category/malware/"/> <meta property="og:category_link" content="https://unit42.paloaltonetworks.com/category/threat-research/"/> <meta property="og:author" content="Claud Xiao"/> <meta property="og:authorlink" content="https://unit42.paloaltonetworks.com/author/claud-xiao/"/> <meta property="og:author_image_link" content="https://unit42.paloaltonetworks.com/wp-content/uploads/2018/11/unit-news-meta.svg"/> <meta name="post_tags" content="AceDeceiver,adb drivers,Android,apps,DualToy,iappstore,iOS,iTunes,mobile,Trojan"/> <script type="application/ld+json">{"@context":"https:\/\/schema.org","@type":"BlogPosting","headline":"DualToy: New Windows Trojan Sideloads Risky Apps to Android and iOS Devices","name":"DualToy: New Windows Trojan Sideloads Risky Apps to Android and iOS Devices","description":"Over the past two years, we\u2019ve observed many cases of Microsoft Windows and Apple iOS malware designed to attack mobile devices. 
This attack vector is increasingly popular with malicious actors as almost everyone on the planet carries at least one mobile device they interact with throughout any given","url":"https:\/\/unit42.paloaltonetworks.com\/dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices\/","mainEntityOfPage":"https:\/\/unit42.paloaltonetworks.com\/dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices\/","datePublished":"September 13, 2016","articleBody":"Over the past two years, we\u2019ve observed many cases of Microsoft Windows and Apple iOS malware designed to attack mobile devices. This attack vector is increasingly popular with malicious actors as almost everyone on the planet carries at least one mobile device they interact with throughout any given day. Thanks to a relative lack of security controls applied to mobile devices, these devices have become very attractive targets for a broad range of malicious actors. For example:\n\n \tWireLurker installed malicious apps on non-jailbroken iPhones\n \tSix different Trojan, Adware and HackTool families launched \u201cBackStab\u201d attacks to steal backup archives of iOS and BlackBerry devices\n \tThe HackingTeam\u2019s RCS delivered its Spyware from infected PCs and Macs to jailbroken iOS devices and BlackBerry phones\n\nRecently, we discovered another Windows Trojan we named \u201cDualToy\u201d which side loads malicious or risky apps to both Android and iOS devices via a USB connection. \n\nWhen DualToy began to spread in January 2015, it was only capable of infecting Android devices. However, within six months the malicious actors added the capability to infect iOS devices. DualToy is still active and we have detected over 8,000 unique samples belonging to this Trojan family to date. 
It mainly targets Chinese users, but has also successfully affected people and organizations in the United States, United Kingdom, Thailand, Spain, and Ireland.\n\nIn addition to behaviors found in traditional Windows PC malware, such as process injection, modifying browser settings and displaying advertisements, DualToy also performs the following activities on Android and iOS devices:\n\n \tDownloads and installs Android Debug Bridge (ADB) and iTunes drivers for Windows\n \tUses existing pairing\/authorization records on infected PCs to interact with Android and\/or iOS devices via USB cable\n \tDownloads Android apps and installs them on any connected Android devices in the background, where the apps are mostly Riskware or Adware\n \tCopies native code to a connected Android device and directly executes it, and activates another custom app to obtain root privilege and to download and install more Android apps in the background\n \tSteals connected iOS device\u2019s information including IMEI, IMSI, ICCID, serial number and phone number\n \tDownloads an iOS app and installs it to connected iOS devices in the background; the app will ask for an Apple ID with password and send them to a server without user\u2019s knowledge (just like AceDeceiver)\n\nSeveral years ago, Android and iOS began requiring user interaction to authorize a device to pair to another device to prevent the kind of sideloading attack used by DualToy. However, DualToy assumes any physically connected mobile devices will belong to the same owner as the infected PC to which they are connected, which means the pairing is likely already authorized. DualToy tries to reuse existing pairing records to directly interact with mobile devices in the background. 
Although this attack vector\u2019s capability can be further limited by additional mechanisms (e.g., ADB enabling, iOS sandbox) which make this threat not so severe, DualToy reminds us again how attackers can use USB sideloading against mobile devices and how malware can be spread between platforms.\nInfecting Android Devices\nAlmost all samples of DualToy are capable of infecting Android devices connected with the compromised Windows PC via USB cable. This functionality is usually implemented in a module named NewPhone.dll, DevApi.dll or app.dll.\n\nDualToy assumes ADB is enabled on the connected Android device. If ADB isn't enabled (which is the default option), the ADB-based infection described below will not work. However, some users, especially those who want to install Android apps from a PC or Mac, or who want to do advanced operations with their Android devices, do enable it. This is because ADB is both the only official interface for a Windows or Mac computer to operate an Android device via USB and a debugging interface.\nInstall ADB drivers\nOnce loaded, the module will first download universal Windows ADB drivers from its C2 server (e.g., from http[:]\/\/www.zaccl.com\/tool\/new_tool.zip) and install them.\n\n\nFigure 1 Windows ADB driver files downloaded from the \u00a0C2 server\nThen, some variants will directly drop a file named adb.exe which is the standard ADB Windows client. Other variants have compiled the ADB client\u2019s source code into the module so that they could also perform ADB operations. Instead of adb.exe, the newest variant will drop tadb.exe, a customized ADB client from Tencent\u2019s Android management software.\n\nNote that since version 4.2 (released in early 2013), Android requires a user\u2019s manual confirmation to authorize a PC before building an ADB session. This was designed to prevent attacks such as sideloading apps via USB. However, if a user has authorized his PC in the past, the related key files will be stored in the %HOME%\/.android directory on the PC. 
DualToy reuses these key files to bypass the intended security check.\nDownload and install apps\nAfter the ADB environment is set up, DualToy will wait for an Android device to connect via USB. Once connected, it will fetch a list of URLs from the C2 server, download the apps, and install them on Android device in the background via the \u201cadb.exe install\u201d command.\n\n\nFigure 2\u00a0 Android app downloading URLs on the C2 server\n\n\nFigure 3\u00a0 Apps installed on the \u00a0Android device \u00a0by DualToy\nFigure 3 shows the apps downloaded and installed by DualToy. They\u2019re all games which use Chinese as the default language, and none of them are available in the official Google Play store.\n\nInstall and execute binary code\nIn a recent variant, DualToy will download a PE executable named \u201cappdata.exe\u201d as well as an ELF executable file named \u201cguardmb\u201d from the C2 server. The appdata.exe file was compiled from ADB\u2019s source code with some customizations -- DualToy will execute it with the command line \u201cappdata.exe shell am start\u201d. When invoked by this command line, the appdata.exe copies the guardmb file to connected Android device\u2019s \/data\/local\/tmp directory, and executes it.\n\n\nFigure 4\u00a0 appdata.exe executes guardmb on the Android device\n\nFigure 5\u00a0 guardmb starts a specific service on the Android device\nThe guardmb file is an ELF executable for ARM architecture. Its functionality is simple \u2013 execute Android\u2019s system command \u201cam\u201d to start the service \u201ccom.home.micorsoft.service.BootWakeService\u201d. Guardmb also specified the same service was implemented in a third party app with package name of \u201ccom.home.micorsoft\u201d.\n\nDuring the analysis, we weren't able to find the \u201ccom.home.micorsoft\u201d app. However, we discovered another Android app with a similar package name \u201ccom.mgr.micorsoft\u201d. 
Due to the same typo (\u201cmicorsoft\u201d) and same binary code fingerprints, we believe these two apps have the same sources and likely have identical functionalities.\n\nThe app embedded a modified SU daemon program which was re-compiled from SuperSU project\u2019s source code. We named this specific Android Trojan \u201cRootAngel\u201d. After the service is started by guardmb, the app will try to obtain root privilege and install the SU daemon. It will also connect with its C2 server, download more Android apps and install them in the background through the \u201cpm install\u201d command.\n\n\nFigure 6\u00a0 RootAngel installs Android apps downloaded from the C2 server\n\nInfecting iOS Devices\nWe observed the first sample of DualToy capable of infecting iOS devices on June 7, 2015 (SHA-256: f2efc145d7d49b023d97a5857ad144dd03a491b85887312ef401a82b87fb1b84). Later in 2016, a new variant appeared. Our analysis below focuses primarily on the first variant.\n\nDuring execution, the sample will drop some PE and .ini files. Among them, insapp.dll is the module used to infect an iOS device. It was developed using Delphi and C++ and then packed with a standard UPX packer. There\u2019s another file, insapp.ini, which contains configurations including URLs to download iTunes drivers as well as iOS apps to install.\nDownload and install iTunes\nAfter being loaded, the insapp.dll will check whether iTunes is installed on the infected computer. If not, it will download two MSI format installers from its C2 server. For example, for a 64-bit Windows PC, \u201cAppleMobileDeviceSupport64.msi\u201d and \u201cAppleApplicationSupport64.msi\u201d will be downloaded. 
These two installers are part of Apple\u2019s official iTunes for Windows software that contains all necessary driver files that iTunes uses to interact with iOS devices.\n\nAfter that, DualToy will execute \u201cmsiexec.exe\u201d to install the installers shown in Figure 8 in background via the \u201c\/qn\u201d parameter.\n\n\nFigure 7\u00a0 The config file specifies URLs of the iTunes installer and iOS app(s)\n\nFigure 8\u00a0 DualToy install iTunes installers via msiexec.exe\n\nOperate iOS devices\nIn order to operate iOS devices through installed iTunes drivers, DualToy reused an open source project \u201ciphonetunnel-usbmuxconnectbyport\u201d. Using this, DualToy invokes APIs in iTunes\u2019 iTunesMobileDevice.dll file via reflection, so that it can interact with iOS devices just like iTunes does.\n\n\nFigure 9\u00a0 DualToy reflects symbols from iTunesMobileDevice.dll\nDualToy will watch for USB connections. Once there\u2019s a valid iOS device connected, it will try to connect to it using iTunes APIs. Like Android, Apple also introduced manual user authorization starting with iOS 7 to prevent sideloading. As it does with Android devices, DualToy will check whether the iOS device was previously paired so that it can reuse existing pairing record (Figure 10).\n\n\nFigure 10 \u00a0DualToy checks whether the device was paired by owner before\n\nSteal iOS device information\nAfter successfully connecting with an iOS device, DualToy will collect device and system information, encrypt them and send to its C2 server. 
The collected information includes:\n\n \tDevice name, type, version and model number\n \tDevice UUID and serial number\n \tDevice baseband version, system build version, and firmware version\n \tDevice IMEI\n \tSIM card\u2019s IMSI and ICCID\n \tPhone number\n\n\nFigure 11 \u00a0 DualToy collects iOS device information\n\nDownload and install app\nIn addition to collecting device information, DualToy also tries to download IPA file(s) from the C2 server and install them on the connected iOS device. The URL it used to fetch the downloading list is http:\/\/www.zaccl[.]com\/tool\/apple\/wj_app.xml. During our analysis in April and in August 2016, this URL always returned a single file, \u201ckuaiyong.ipa\u201d. After downloading it, DualToy will copy the IPA file via the AFC service to the iOS device\u2019s \/var\/mobile\/Media\/PublicStaging directory, and then install it via the installation_proxy service.\n\n\nFigure 12 \u00a0 DualToy fetch iOS app downloading URLs\n\nFigure 13 \u00a0Install iOS app via iTunes API\nThe downloaded kuaiyong.ipa has an obfuscated bundle ID of \u201cpWsbshWBn5XN9kk0twBUECAVt2E.dsE7UfuXZdinV60edM4u1Ul0d6hSf66akdZrmp\u201d. It was signed by an enterprise certificate issued to \u201cNingbo Pharmaceutical Co., Ltd.\u201d The certificate has expired, so the app won\u2019t be successfully installed on iOS devices anymore. However, the attacker could easily change the URL list returned by the C2 server to push other apps.\n\n\nFigure 14 \u00a0The iOS app was signed by enterprise certificate\n\nAceDeceiver-like behavior\nSince the kuaiyong.ipa has an expired certificate, we re-signed it with a personal development certificate and then installed it on our testing device.\n\nThe app is yet another third party iOS App Store just like \u201cZergHelper\u201d. It also has exactly the same behavior as AceDeceiver. When launched for the first time, the app will ask the user to input his or her Apple ID and password (Figure 15). 
The nearby disclaimer says the credentials won\u2019t be uploaded to any server. However, through our reverse engineering and debugging, we discovered the Apple ID and password will be encrypted with the DES algorithm using a fixed key of \u201cHBSMY4yF\u201d and an initialization vector (IV) of \u201c\\x12\\x34\\x56\\x78\\x90\\xab\\xcd\\xef\u201d, and sent to the server proxy.mysjzs[.]com after encoding the ciphertext with Base64. Figure 16 shows the output by hooking the CCCrypt function with Frida. And Figure 17 shows the credentials being uploaded to the server.\n\nNote that, since the C2 traffic was HTTP instead of HTTPS, and the credential payload was just encrypted by DES with a fixed key, an attacker could sniff network traffic to capture the payload and steal the Apple ID and password in the payload.\n\n\nFigure 15 \u00a0Kuaiyong.ipa asks user to input Apple ID and password\n\nFigure 16 \u00a0Apple ID username and password was encrypted with DES\n\nFigure 17 \u00a0Encrypted Apple ID and password was sent to a server\n\nMitigation\nPalo Alto Networks WildFire has successfully detected DualToy. URL Filtering has also blocked its C2 traffic so that it can\u2019t download drivers, malicious payloads or apps. We have also created an AutoFocus tag to identify known DualToy samples.\n\nTo prevent similar attacks, we suggest users and organizations deploy both endpoint and network-based malware prevention solutions. We also suggest users avoid connecting their mobile phones to untrusted devices via USB. 
The popularity and ubiquitous nature of mobile devices ensures malicious attackers will only continue to refine and develop new mobile malware, which means users and organizations will need to employ similar levels of protection and user awareness historically provided to desktops, laptops, and networks.\nAcknowledgements\nWe would like to thanks Zhi Xu and Josh Grunzweig from Palo Alto Networks for their assistance during the analysis.\nAppendix\nSHA-256 of selected samples\nb028137e54b46092c5349e0d253144e2ca437eaa2e4d827b045182ca8974ed33\u00a0 jkting.zip\nbbe5fcd2f748bb69c3a186c1515800c23a5822567c276af37585dab901bf550c\u00a0 new5.zip\n26ff76206d151ce66097df58ae93e78b035b3818c24910a08067896e92d382de\u00a0 NewPhone.dll\n24c79edc650247022878ddec74b13cf1dc59a6e26316b25054d015bdc2b7efc7\u00a0 new_tool.zip\ncd432a8a0938902ea3016dae1e60c0a55016fd3c7741536cc9f57e0166d2b1b8\u00a0 appdata.exe\n42290cefc312b5f1e4b09d1658232838b72d2dab5ece20ebf29f4d0d66a7879a\u00a0 guardmb\n7f7a3ed87c63bd46eb8b91a5bb36b399b4eebaf7d01342c13ef695340b9964a6\u00a0 Mgr_700003.apk\n9f84665a891e8d9d3af76b44c1965eba605f84768841dfb748cb05ec119ffd9d\u00a0 phonedata.exe\nc8695fe9decbeedfe1f898464b6aa9da511045721c399486d00b889d888c8121\u00a0 zWDLzv.dll\nf2efc145d7d49b023d97a5857ad144dd03a491b85887312ef401a82b87fb1b84\nc32c64196bb4e038657c3003586563407b5a36db74afb837a5b72f71cf1fadf1\u00a0 DevApi.dll\ndee13984156d1b59395126fcac09f407ef7c7d7308643019ccee6e22683ea108\u00a0 insapp.dll\neae9fda5ca026d2cc0fbdd6f6300d77867dae95a5c1ab45efdb4959684f188d2\u00a0 insapp.ini\n899e3c72e2edf720e5d0f3b0dfbf1e2dcc616277c11cf592ab267a9fa0bfbac9\u00a0 kuaiyong.ipa\nc8695fe9decbeedfe1f898464b6aa9da511045721c399486d00b889d888c8121\nC2 
Domains\nwww.zaccl[.]com\npack.1e5[.]com\nrsys.topfreeweb[.]net\nabc.yuedea[.]com\nreport.boxlist[.]info\ntt.51wanyx[.]net\nhk.pk2012.info\ncenter.oldlist[.]info\nup.top258[.]cn\ndl.dswzd[.]com\n\n&nbsp;","publisher":{"@type":"Organization","@id":"#panworg"},"image":{"@type":"ImageObject","url":"","width":"","height":""},"speakable":{"@type":"SpeakableSpecification","xPath":["\/html\/head\/title","\/html\/head\/meta[@name='description']\/@content"]},"author":[{"@type":"Person","name":"Claud Xiao"}]}</script><link rel='stylesheet' id='crayon-css' href='https://unit42.paloaltonetworks.com/wp-content/plugins/crayon-syntax-highlighter/css/min/crayon.min.css?ver=_2.7.2_beta' media='all' /> <style id='co-authors-plus-coauthors-style-inline-css'> .wp-block-co-authors-plus-coauthors.is-layout-flow [class*=wp-block-co-authors-plus]{display:inline} </style> <style id='co-authors-plus-avatar-style-inline-css'> .wp-block-co-authors-plus-avatar :where(img){height:auto;max-width:100%;vertical-align:bottom}.wp-block-co-authors-plus-coauthors.is-layout-flow .wp-block-co-authors-plus-avatar :where(img){vertical-align:middle}.wp-block-co-authors-plus-avatar:is(.alignleft,.alignright){display:table}.wp-block-co-authors-plus-avatar.aligncenter{display:table;margin-inline:auto} </style> <style id='co-authors-plus-image-style-inline-css'> .wp-block-co-authors-plus-image{margin-bottom:0}.wp-block-co-authors-plus-image :where(img){height:auto;max-width:100%;vertical-align:bottom}.wp-block-co-authors-plus-coauthors.is-layout-flow .wp-block-co-authors-plus-image :where(img){vertical-align:middle}.wp-block-co-authors-plus-image:is(.alignfull,.alignwide) :where(img){width:100%}.wp-block-co-authors-plus-image:is(.alignleft,.alignright){display:table}.wp-block-co-authors-plus-image.aligncenter{display:table;margin-inline:auto} </style> <style id='safe-svg-svg-icon-style-inline-css'> .safe-svg-cover{text-align:center}.safe-svg-cover 
.safe-svg-inside{display:inline-block;max-width:100%}.safe-svg-cover svg{height:100%;max-height:100%;max-width:100%;width:100%} </style> <style id='classic-theme-styles-inline-css'> /*! This file is auto-generated */ .wp-block-button__link{color:#fff;background-color:#32373c;border-radius:9999px;box-shadow:none;text-decoration:none;padding:calc(.667em + 2px) calc(1.333em + 2px);font-size:1.125em}.wp-block-file__button{background:#32373c;color:#fff;text-decoration:none} </style> <style id='global-styles-inline-css'> :root{--wp--preset--aspect-ratio--square: 1;--wp--preset--aspect-ratio--4-3: 4/3;--wp--preset--aspect-ratio--3-4: 3/4;--wp--preset--aspect-ratio--3-2: 3/2;--wp--preset--aspect-ratio--2-3: 2/3;--wp--preset--aspect-ratio--16-9: 16/9;--wp--preset--aspect-ratio--9-16: 9/16;--wp--preset--color--black: #000000;--wp--preset--color--cyan-bluish-gray: #abb8c3;--wp--preset--color--white: #ffffff;--wp--preset--color--pale-pink: #f78da7;--wp--preset--color--vivid-red: #cf2e2e;--wp--preset--color--luminous-vivid-orange: #ff6900;--wp--preset--color--luminous-vivid-amber: #fcb900;--wp--preset--color--light-green-cyan: #7bdcb5;--wp--preset--color--vivid-green-cyan: #00d084;--wp--preset--color--pale-cyan-blue: #8ed1fc;--wp--preset--color--vivid-cyan-blue: #0693e3;--wp--preset--color--vivid-purple: #9b51e0;--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple: linear-gradient(135deg,rgba(6,147,227,1) 0%,rgb(155,81,224) 100%);--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan: linear-gradient(135deg,rgb(122,220,180) 0%,rgb(0,208,130) 100%);--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange: linear-gradient(135deg,rgba(252,185,0,1) 0%,rgba(255,105,0,1) 100%);--wp--preset--gradient--luminous-vivid-orange-to-vivid-red: linear-gradient(135deg,rgba(255,105,0,1) 0%,rgb(207,46,46) 100%);--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray: linear-gradient(135deg,rgb(238,238,238) 0%,rgb(169,184,195) 
100%);--wp--preset--gradient--cool-to-warm-spectrum: linear-gradient(135deg,rgb(74,234,220) 0%,rgb(151,120,209) 20%,rgb(207,42,186) 40%,rgb(238,44,130) 60%,rgb(251,105,98) 80%,rgb(254,248,76) 100%);--wp--preset--gradient--blush-light-purple: linear-gradient(135deg,rgb(255,206,236) 0%,rgb(152,150,240) 100%);--wp--preset--gradient--blush-bordeaux: linear-gradient(135deg,rgb(254,205,165) 0%,rgb(254,45,45) 50%,rgb(107,0,62) 100%);--wp--preset--gradient--luminous-dusk: linear-gradient(135deg,rgb(255,203,112) 0%,rgb(199,81,192) 50%,rgb(65,88,208) 100%);--wp--preset--gradient--pale-ocean: linear-gradient(135deg,rgb(255,245,203) 0%,rgb(182,227,212) 50%,rgb(51,167,181) 100%);--wp--preset--gradient--electric-grass: linear-gradient(135deg,rgb(202,248,128) 0%,rgb(113,206,126) 100%);--wp--preset--gradient--midnight: linear-gradient(135deg,rgb(2,3,129) 0%,rgb(40,116,252) 100%);--wp--preset--font-size--small: 13px;--wp--preset--font-size--medium: 20px;--wp--preset--font-size--large: 36px;--wp--preset--font-size--x-large: 42px;--wp--preset--spacing--20: 0.44rem;--wp--preset--spacing--30: 0.67rem;--wp--preset--spacing--40: 1rem;--wp--preset--spacing--50: 1.5rem;--wp--preset--spacing--60: 2.25rem;--wp--preset--spacing--70: 3.38rem;--wp--preset--spacing--80: 5.06rem;--wp--preset--shadow--natural: 6px 6px 9px rgba(0, 0, 0, 0.2);--wp--preset--shadow--deep: 12px 12px 50px rgba(0, 0, 0, 0.4);--wp--preset--shadow--sharp: 6px 6px 0px rgba(0, 0, 0, 0.2);--wp--preset--shadow--outlined: 6px 6px 0px -3px rgba(255, 255, 255, 1), 6px 6px rgba(0, 0, 0, 1);--wp--preset--shadow--crisp: 6px 6px 0px rgba(0, 0, 0, 1);}:where(.is-layout-flex){gap: 0.5em;}:where(.is-layout-grid){gap: 0.5em;}body .is-layout-flex{display: flex;}.is-layout-flex{flex-wrap: wrap;align-items: center;}.is-layout-flex > :is(*, div){margin: 0;}body .is-layout-grid{display: grid;}.is-layout-grid > :is(*, div){margin: 0;}:where(.wp-block-columns.is-layout-flex){gap: 2em;}:where(.wp-block-columns.is-layout-grid){gap: 
2em;} </style>
</head>
<body class="post-template-default single single-post postid-18856 single-format-standard no-sidebar">
<main class="main">
<section class="section section--article">
<div class="ab__title">
<h1>DualToy: New Windows Trojan Sideloads Risky Apps to Android and iOS Devices</h1>
</div>
<ul class="ab__features">
<li><div class="ab__text"><span>By:</span> <a href="https://unit42.paloaltonetworks.com/author/claud-xiao/">Claud Xiao</a></div></li>
<li><div class="ab__text"><span>Published:</span> September 13, 2016</div></li>
<li><div class="ab__text"><span>Categories:</span> <a href="https://unit42.paloaltonetworks.com/category/malware/">Malware</a>, <a href="https://unit42.paloaltonetworks.com/category/threat-research/">Threat Research</a></div></li>
<li><div class="ab__text"><span>Tags:</span> <a href="https://unit42.paloaltonetworks.com/tag/acedeceiver/">AceDeceiver</a>, <a href="https://unit42.paloaltonetworks.com/tag/adb-drivers/">adb drivers</a>, <a href="https://unit42.paloaltonetworks.com/tag/android/">Android</a>, <a href="https://unit42.paloaltonetworks.com/tag/apps/">apps</a>, <a href="https://unit42.paloaltonetworks.com/tag/dualtoy/">DualToy</a>, <a href="https://unit42.paloaltonetworks.com/tag/iappstore/">iappstore</a>, <a href="https://unit42.paloaltonetworks.com/tag/ios/">iOS</a>, <a href="https://unit42.paloaltonetworks.com/tag/itunes/">iTunes</a>, <a href="https://unit42.paloaltonetworks.com/tag/mobile/">mobile</a>, <a href="https://unit42.paloaltonetworks.com/tag/trojan/">Trojan</a></div></li>
</ul>
</section>
<section class="section blog-contents"> <div class="pa blog-editor"> <div class="l-container"> <div class="be__wrapper"> <div class="be__contents"> <div class="be__contents-wrapper">
<p>Over the past two years, we’ve observed many cases of Microsoft Windows and Apple iOS malware designed to attack mobile devices. This attack vector is increasingly popular with malicious actors as almost everyone on the planet carries at least one mobile device they interact with throughout any given day.
Thanks to a relative lack of security controls applied to mobile devices, these devices have become very attractive targets for a broad range of malicious actors. For example:</p> <ul> <li><a href="https://blog.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware/" target="_blank" rel="noopener">WireLurker</a> installed malicious apps on non-jailbroken iPhones</li> <li>Six different Trojan, Adware and HackTool families launched “<a href="https://blog.paloaltonetworks.com/2015/12/backstab-mobile-backup-data-under-attack-from-malware/" target="_blank" rel="noopener">BackStab</a>” attacks to steal backup archives of iOS and BlackBerry devices</li> <li>The <a href="https://securelist.com/blog/mobile/63693/hackingteam-2-0-the-story-goes-mobile/" target="_blank" rel="noopener">HackingTeam’s RCS</a> delivered its Spyware from infected PCs and Macs to jailbroken iOS devices and BlackBerry phones</li> </ul> <p>Recently, we discovered another Windows Trojan we named “DualToy” which side loads malicious or risky apps to both Android and iOS devices via a USB connection. <span id="more-18856"></span></p> <p>When DualToy began to spread in January 2015, it was only capable of infecting Android devices. However, within six months the malicious actors added the capability to infect iOS devices. DualToy is still active and we have detected over 8,000 unique samples belonging to this Trojan family to date. 
It mainly targets Chinese users, but has also successfully affected people and organizations in the United States, United Kingdom, Thailand, Spain, and Ireland.</p> <p>In addition to behaviors found in traditional Windows PC malware such as process injection, modifying browser settings, displaying advertisements et al, DualToy also performs the following activities on Android and iOS devices:</p> <ul> <li>Downloads and installs Android Debug Bridge (ADB) and iTunes drivers for Windows</li> <li>Uses existing pairing/authorization records on infected PCs to interact with Android and/or iOS devices via USB cable</li> <li>Downloads Android apps and installs them on any connected Android devices in the background, where the apps are mostly Riskware or Adware</li> <li>Copies native code to a connected Android device and directly executes it, and activates another custom app to obtain root privilege and to download and install more Android apps in the background</li> <li>Steals connected iOS device’s information including IMEI, IMSI, ICCID, serial number and phone number</li> <li>Downloads an iOS app and installs it to connected iOS devices in the background; the app will ask for an Apple ID with password and send them to a server without user’s knowledge (just like <a href="https://blog.paloaltonetworks.com/2016/03/acedeceiver-first-ios-trojan-exploiting-apple-drm-design-flaws-to-infect-any-ios-device/" target="_blank" rel="noopener">AceDeceiver</a>)</li> </ul> <p>Several years ago, Android and iOS began requiring user interaction to authorize a device to pair to another device to prevent the kind of sideloading attack used by DualToy. However, DualToy assumes any physically connected mobile devices will belong to the same owner as the infected PC to which they are connected, which means the pairing is likely already authorized. DualToy tries to reuse existing pairing records to directly interact with mobile devices in the background. 
Although this attack vector’s capability can be further limited by additional mechanisms (e.g., ADB enabling, iOS sandbox) which make this threat not so severe, DualToy reminds us again how attackers can use USB sideloading against mobile devices and how malware can be spread between platforms.</p> <h3>Infecting Android Devices</h3> <p>Almost all samples of DualToy are capable of infecting Android devices connected with the compromised Windows PC via USB cable. This functionality is usually implemented in a module named NewPhone.dll, DevApi.dll or app.dll.</p> <p>DualToy assumes ADB is enabled on the connected Android device. If ADB isn't enabled (which is the default option), the module cannot operate the device. However, some users, especially those who want to install Android apps from a PC or Mac, or who want to do advanced operations with their Android devices, will have enabled it. This is because ADB is both the only official interface for a Windows or Mac computer to operate an Android device via USB and it is a debugging interface.</p> <h4>Install ADB drivers</h4> <p>Once loaded, the module will first download universal Windows ADB drivers from its C2 server (e.g., from http[:]//www.zaccl.com/tool/new_tool.zip) and install them.</p> <p><a href="https://unit42.paloaltonetworks.com/wp-content/uploads/2016/09/Dualtoy_1.png" rel="wpdevart_lightbox"><img class="size-large wp-image-18907 aligncenter lozad" data-src="http://blog.paloaltonetworks.com/wp-content/uploads/2016/09/Dualtoy_1-500x244.png" alt="dualtoy_1" width="500" height="244" /></a></p> <p style="text-align: center;"><em>Figure 1 Windows ADB driver files downloaded from the  C2 server</em></p> <p>Then, some variants will directly drop a file named adb.exe which is the standard ADB Windows client. Other variants have compiled the ADB client’s source code into the module so that they could also perform ADB operations. 
Instead of adb.exe, the newest variant will drop tadb.exe, a customized ADB client from Tencent’s Android management software.</p> <p>Note that since version 4.2 (released in early 2013), Android requires a user’s manual confirmation to authorize a PC before building an ADB session. This was designed to prevent attacks such as sideloading apps via USB. However, if a user has authorized his PC in the past, the related key files will be stored in the %HOME%/.android directory on the PC. DualToy reuses these key files to bypass the intended security check.</p> <h4>Download and install apps</h4> <p>After the ADB environment is set up, DualToy will wait for an Android device to connect via USB. Once connected, it will fetch a list of URLs from the C2 server, download the apps, and install them on Android device in the background via the “adb.exe install” command.</p> <p><center><a href="https://unit42.paloaltonetworks.com/wp-content/uploads/2016/09/Dualtoy_2.png" rel="wpdevart_lightbox"><img class="size-large wp-image-18904 aligncenter lozad" data-src="http://blog.paloaltonetworks.com/wp-content/uploads/2016/09/Dualtoy_2-500x90.png" alt="dualtoy_2" width="500" height="90" /></a></center></p> <p style="text-align: center;"><em>Figure 2  Android app downloading URLs on the C2 server</em></p> <p><center><a href="https://unit42.paloaltonetworks.com/wp-content/uploads/2016/09/Dualtoy_3.png" rel="wpdevart_lightbox"><img class="size-full wp-image-18901 aligncenter lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2016/09/Dualtoy_3.png" alt="dualtoy_3" width="357" height="288" data-srcset="https://unit42.paloaltonetworks.com/wp-content/uploads/2016/09/Dualtoy_3.png 357w, https://unit42.paloaltonetworks.com/wp-content/uploads/2016/09/Dualtoy_3-300x242.png 300w" sizes="(max-width: 357px) 100vw, 357px" /></a></center></p> <p style="text-align: center;"><em>Figure 3  Apps installed on the  Android device  by DualToy</em></p> <p style="text-align: left;">Figure 
3 shows the apps downloaded and installed by DualToy. They’re all games which use Chinese as the default language, and none of them are available in the official Google Play store.</p> <h4>Install and execute binary code</h4> <p>In a recent variant, DualToy will download a PE executable named “appdata.exe” as well as an ELF executable file named “guardmb” from the C2 server. The appdata.exe file was compiled from ADB’s source code with some customizations -- DualToy will execute it with the command line “appdata.exe shell am start”. When invoked by this command line, the appdata.exe copies the guardmb file to connected Android device’s /data/local/tmp directory, and executes it.</p> <p><a href="https://unit42.paloaltonetworks.com/wp-content/uploads/2016/09/Dualtoy_4.png" rel="wpdevart_lightbox"><img class="size-large wp-image-18898 aligncenter lozad" data-src="http://blog.paloaltonetworks.com/wp-content/uploads/2016/09/Dualtoy_4-500x193.png" alt="dualtoy_4" width="500" height="193" /></a></p> <p style="text-align: center;"><em>Figure 4  appdata.exe executes guardmb on the Android device</em></p> <p style="text-align: center;"><a href="https://unit42.paloaltonetworks.com/wp-content/uploads/2016/09/Dualtoy_5.png" rel="wpdevart_lightbox"><img class="alignnone size-large wp-image-18895 lozad" data-src="http://blog.paloaltonetworks.com/wp-content/uploads/2016/09/Dualtoy_5-500x197.png" alt="dualtoy_5" width="500" height="197" /></a></p> <p style="text-align: center;"><em>Figure 5  guardmb starts a specific service on the Android device</em></p> <p>The guardmb file is an ELF executable for ARM architecture. Its functionality is simple – execute Android’s system command “am” to start the service “com.home.micorsoft.service.BootWakeService”. Guardmb also specified the same service was implemented in a third party app with package name of “com.home.micorsoft”.</p> <p>During the analysis, we weren't able to find the “com.home.micorsoft” app. 
However, we discovered another Android app with a similar package name “com.mgr.micorsoft”. Due to the same typo (“micorsoft”) and same binary code fingerprints, we believe these two apps have the same sources and likely have identical functionalities.</p> <p>The app embedded a modified SU daemon program which was re-compiled from SuperSU project’s source code. We named this specific Android Trojan “RootAngel”. After the service is started by guardmb, the app will try to obtain root privilege and install the SU daemon. It will also connect with its C2 server, download more Android apps and install them in background through “pm install” command.</p> <p><a href="https://unit42.paloaltonetworks.com/wp-content/uploads/2016/09/Dualtoy_6.png" rel="wpdevart_lightbox"><img class="size-large wp-image-18892 aligncenter lozad" data-src="http://blog.paloaltonetworks.com/wp-content/uploads/2016/09/Dualtoy_6-500x148.png" alt="dualtoy_6" width="500" height="148" /></a></p> <p style="text-align: center;"><em>Figure 6  RootAngel installs Android apps downloaded from the C2 server</em></p> <h3>Infecting iOS Devices</h3> <p>We observed the first sample of DualToy capable of infecting iOS devices on June 7, 2015 (SHA-256: f2efc145d7d49b023d97a5857ad144dd03a491b85887312ef401a82b87fb1b84). Later in 2016, a new variant appeared. Our analysis below focuses primarily on the first variant.</p> <p>During execution, the sample will drop some PE and .ini files. Among them, insapp.dll is the module used to infect an iOS device. It was developed using Delphi and C++ and then packed with a standard UPX packer. There’s another file, insapp.ini, which contains configurations including URLs to download iTunes drivers as well as iOS apps to install.</p> <h4>Download and install iTunes</h4> <p>After being loaded, the insapp.dll will check whether iTunes is installed on the infected computer. If not, it will download two MSI format installers from its C2 server. 
For example, for a 64-bit Windows PC, “AppleMobileDeviceSupport64.msi” and “AppleApplicationSupport64.msi” will be downloaded. These two installers are part of Apple’s official iTunes for Windows software that contains all necessary driver files that iTunes uses to interact with iOS devices.</p> <p>After that, DualToy will execute “msiexec.exe” to install the installers shown in Figure 8 in background via the “/qn” parameter.</p> <p><a href="https://unit42.paloaltonetworks.com/wp-content/uploads/2016/09/Dualtoy_7.png" rel="wpdevart_lightbox"><img class="size-large wp-image-18889 aligncenter lozad" data-src="http://blog.paloaltonetworks.com/wp-content/uploads/2016/09/Dualtoy_7-500x252.png" alt="dualtoy_7" width="500" height="252" /></a></p> <p style="text-align: center;"><em>Figure 7  The config file specifies URLs of the iTunes installer and iOS app(s)</em></p> <p style="text-align: left;"><a href="https://unit42.paloaltonetworks.com/wp-content/uploads/2016/09/Dualtoy_8.png" rel="wpdevart_lightbox"><img class="size-large wp-image-18886 aligncenter lozad" data-src="http://blog.paloaltonetworks.com/wp-content/uploads/2016/09/Dualtoy_8-500x214.png" alt="dualtoy_8" width="500" height="214" /></a></p> <p style="text-align: center;"><em>Figure 8  DualToy install iTunes installers via msiexec.exe</em></p> <h4>Operate iOS devices</h4> <p>In order to operate iOS devices through installed iTunes drivers, DualToy reused an open source project “<a href="https://code.google.com/archive/p/iphonetunnel-usbmuxconnectbyport/" target="_blank" rel="noopener">iphonetunnel-usbmuxconnectbyport</a>”. 
Using this, DualToy invokes APIs in iTunes’ iTunesMobileDevice.dll file via reflection, so that it can interact with iOS devices just like iTunes does.</p> <p><a href="https://unit42.paloaltonetworks.com/wp-content/uploads/2016/09/Dualtoy_9.png" rel="wpdevart_lightbox"><img class="size-large wp-image-18883 aligncenter lozad" data-src="http://blog.paloaltonetworks.com/wp-content/uploads/2016/09/Dualtoy_9-500x287.png" alt="dualtoy_9" width="500" height="287" /></a></p> <p style="text-align: center;"><em>Figure 9  DualToy reflects symbols from iTunesMobileDevice.dll</em></p> <p>DualToy will watch for USB connections. Once there’s a valid iOS device connected, it will try to connect to it using iTunes APIs. Like Android, Apple also introduced manual user authorization starting with iOS 7 to prevent sideloading. As it does with Android devices, DualToy will check whether the iOS device was previously paired so that it can reuse existing pairing record (Figure 10).</p> <p><a href="https://unit42.paloaltonetworks.com/wp-content/uploads/2016/09/Dualtoy_10.png" rel="wpdevart_lightbox"><img class="size-large wp-image-18880 aligncenter lozad" data-src="http://blog.paloaltonetworks.com/wp-content/uploads/2016/09/Dualtoy_10-500x260.png" alt="dualtoy_10" width="500" height="260" /></a></p> <p style="text-align: center;"><em>Figure 10  DualToy checks whether the device was paired by owner before</em></p> <h4>Steal iOS device information</h4> <p>After successfully connecting with an iOS device, DualToy will collect device and system information, encrypt them and send to its C2 server. 
The collected information includes:</p> <ul> <li>Device name, type, version and model number</li> <li>Device UUID and serial number</li> <li>Device baseband version, system build version, and firmware version</li> <li>Device IMEI</li> <li>SIM card’s IMSI and ICCID</li> <li>Phone number</li> </ul> <p style="text-align: center;"><a href="https://unit42.paloaltonetworks.com/wp-content/uploads/2016/09/Dualtoy_11.png" rel="wpdevart_lightbox"><img class="alignnone size-large wp-image-18877 lozad" data-src="http://blog.paloaltonetworks.com/wp-content/uploads/2016/09/Dualtoy_11-500x209.png" alt="dualtoy_11" width="500" height="209" /></a></p> <p style="text-align: center;"><em>Figure 11   DualToy collects iOS device information</em></p> <h4>Download and install app</h4> <p>In addition to collecting device information, DualToy also tries to download IPA file(s) from the C2 server and install them on the connected iOS device. The URL it used to fetch the downloading list is http://www.zaccl[.]com/tool/apple/wj_app.xml. During our analysis in April and in August 2016, this URL always returned a single file, “kuaiyong.ipa”. 
After downloading it, DualToy will copy the IPA file via the AFC service to the iOS device’s /var/mobile/Media/PublicStaging directory, and then install it via the installation_proxy service.</p> <p><a href="https://unit42.paloaltonetworks.com/wp-content/uploads/2016/09/Dualtoy_12.png" rel="wpdevart_lightbox"><img class="size-large wp-image-18874 aligncenter lozad" data-src="http://blog.paloaltonetworks.com/wp-content/uploads/2016/09/Dualtoy_12-500x65.png" alt="dualtoy_12" width="500" height="65" /></a></p> <p style="text-align: center;"><em>Figure 12   DualToy fetch iOS app downloading URLs</em></p> <p style="text-align: center;"><a href="https://unit42.paloaltonetworks.com/wp-content/uploads/2016/09/Dualtoy_13.png" rel="wpdevart_lightbox"><img class="alignnone size-large wp-image-18871 lozad" data-src="http://blog.paloaltonetworks.com/wp-content/uploads/2016/09/Dualtoy_13-500x288.png" alt="dualtoy_13" width="500" height="288" /></a></p> <p style="text-align: center;"><em>Figure 13  Install iOS app via iTunes API</em></p> <p>The downloaded kuaiyong.ipa has an obfuscated bundle ID of “pWsbshWBn5XN9kk0twBUECAVt2E.dsE7UfuXZdinV60edM4u1Ul0d6hSf66akdZrmp”. It was signed by an enterprise certificate issued to “Ningbo Pharmaceutical Co., Ltd.” The certificate has expired, so the app won’t be successfully installed on iOS devices anymore. 
However, the attacker could easily change the URL list replied by C2 server to push other apps.</p> <p><a href="https://unit42.paloaltonetworks.com/wp-content/uploads/2016/09/Dualtoy_14.png" rel="wpdevart_lightbox"><img class="size-full wp-image-18868 aligncenter lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2016/09/Dualtoy_14.png" alt="dualtoy_14" width="490" height="346" data-srcset="https://unit42.paloaltonetworks.com/wp-content/uploads/2016/09/Dualtoy_14.png 490w, https://unit42.paloaltonetworks.com/wp-content/uploads/2016/09/Dualtoy_14-300x212.png 300w, https://unit42.paloaltonetworks.com/wp-content/uploads/2016/09/Dualtoy_14-370x261.png 370w" sizes="(max-width: 490px) 100vw, 490px" /></a></p> <p style="text-align: center;"><em>Figure 14  The iOS app was signed by enterprise certificate</em></p> <h4>AceDeceiver-like behavior</h4> <p>Since the kuaiyong.ipa has an expired certificate, we re-signed it with a personal development certificate and then installed it on our testing device.</p> <p>The app is yet another third party iOS App Store just like “<a href="https://blog.paloaltonetworks.com/2016/02/pirated-ios-app-stores-client-successfully-evaded-apple-ios-code-review/" target="_blank" rel="noopener">ZergHelper</a>”. It also has exactly the same behavior as <a href="https://blog.paloaltonetworks.com/2016/03/acedeceiver-first-ios-trojan-exploiting-apple-drm-design-flaws-to-infect-any-ios-device/" target="_blank" rel="noopener">AceDeceiver</a>. When launched for the first time, the app will ask the user to input his or her Apple ID and password (Figure 15). The nearby disclaimer says the credentials won’t be uploaded to any server. However, through our reverse engineering and debugging, we discovered the Apple ID and password will be encrypted with the DES algorithm using a fixed key of “HBSMY4yF” and an IV of “\x12\x34\x56\x78\x90\xab\xcd\xef”, and sent to the server proxy.mysjzs[.]com after encoding the ciphertext with Base64. 
Figure 16 shows the output by hooking the CCCrypt function with Frida. And Figure 17 shows the credentials being uploaded to the server.</p> <p>Note that, since the C2 traffic was HTTP instead of HTTPS, and the credential payload was just encrypted by DES with a fixed key, an attacker could sniff network traffic to capture the payload and steal the Apple ID and password in the payload.</p> <p><a href="https://unit42.paloaltonetworks.com/wp-content/uploads/2016/09/Dualtoy_15.png" rel="wpdevart_lightbox"><img class="size-large wp-image-18865 aligncenter lozad" data-src="http://blog.paloaltonetworks.com/wp-content/uploads/2016/09/Dualtoy_15-500x428.png" alt="dualtoy_15" width="500" height="428" /></a></p> <p style="text-align: center;"><em>Figure 15  Kuaiyong.ipa asks user to input Apple ID and password</em></p> <p style="text-align: center;"><a href="https://unit42.paloaltonetworks.com/wp-content/uploads/2016/09/Dualtoy_16.png" rel="wpdevart_lightbox"><img class="alignnone size-large wp-image-18862 lozad" data-src="http://blog.paloaltonetworks.com/wp-content/uploads/2016/09/Dualtoy_16-500x388.png" alt="dualtoy_16" width="500" height="388" /></a></p> <p style="text-align: center;"><em>Figure 16  Apple ID username and password was encrypted with DES</em></p> <p style="text-align: center;"><a href="https://unit42.paloaltonetworks.com/wp-content/uploads/2016/09/Dualtoy_17.png" rel="wpdevart_lightbox"><img class="alignnone size-large wp-image-18859 lozad" data-src="http://blog.paloaltonetworks.com/wp-content/uploads/2016/09/Dualtoy_17-500x147.png" alt="dualtoy_17" width="500" height="147" /></a></p> <p style="text-align: center;"><em>Figure 17  Encrypted Apple ID and password was sent to a server</em></p> <h3>Mitigation</h3> <p>Palo Alto Networks WildFire has successfully detected DualToy. URL Filtering has also blocked its C2 traffic so that it can’t download drivers, malicious payloads or apps. 
We have also created an AutoFocus tag to identify known DualToy samples.</p> <p>To prevent similar attacks, we suggest users and organizations deploy both endpoint and network-based malware prevention solutions. We also suggest users avoid connecting their mobile phones to untrusted devices via USB. The popularity and ubiquitous nature of mobile devices ensures malicious attackers will only continue to refine and develop new mobile malware, which means users and organizations will need to employ similar levels of protection and user awareness historically provided to desktops, laptops, and networks.</p> <h3>Acknowledgements</h3> <p>We would like to thank Zhi Xu and Josh Grunzweig from Palo Alto Networks for their assistance during the analysis.</p> <h3>Appendix</h3> <h4>SHA-256 of selected samples</h4> <p>b028137e54b46092c5349e0d253144e2ca437eaa2e4d827b045182ca8974ed33  jkting.zip<br /> bbe5fcd2f748bb69c3a186c1515800c23a5822567c276af37585dab901bf550c  new5.zip<br /> 26ff76206d151ce66097df58ae93e78b035b3818c24910a08067896e92d382de  NewPhone.dll<br /> 24c79edc650247022878ddec74b13cf1dc59a6e26316b25054d015bdc2b7efc7  new_tool.zip<br /> cd432a8a0938902ea3016dae1e60c0a55016fd3c7741536cc9f57e0166d2b1b8  appdata.exe<br /> 42290cefc312b5f1e4b09d1658232838b72d2dab5ece20ebf29f4d0d66a7879a  guardmb<br /> 7f7a3ed87c63bd46eb8b91a5bb36b399b4eebaf7d01342c13ef695340b9964a6  Mgr_700003.apk<br /> 9f84665a891e8d9d3af76b44c1965eba605f84768841dfb748cb05ec119ffd9d  phonedata.exe<br /> c8695fe9decbeedfe1f898464b6aa9da511045721c399486d00b889d888c8121  zWDLzv.dll<br /> f2efc145d7d49b023d97a5857ad144dd03a491b85887312ef401a82b87fb1b84<br /> c32c64196bb4e038657c3003586563407b5a36db74afb837a5b72f71cf1fadf1  DevApi.dll<br /> dee13984156d1b59395126fcac09f407ef7c7d7308643019ccee6e22683ea108  insapp.dll<br /> eae9fda5ca026d2cc0fbdd6f6300d77867dae95a5c1ab45efdb4959684f188d2  insapp.ini<br /> 899e3c72e2edf720e5d0f3b0dfbf1e2dcc616277c11cf592ab267a9fa0bfbac9  kuaiyong.ipa<br /> 
c8695fe9decbeedfe1f898464b6aa9da511045721c399486d00b889d888c8121</p> <h4>C2 Domains</h4> <p>www.zaccl[.]com<br /> pack.1e5[.]com<br /> rsys.topfreeweb[.]net<br /> abc.yuedea[.]com<br /> report.boxlist[.]info<br /> tt.51wanyx[.]net<br /> hk.pk2012[.]info<br /> center.oldlist[.]info<br /> up.top258[.]cn<br /> dl.dswzd[.]com</p> <p>&nbsp;</p> </div> <!--<span class="post__date">Updated 28 January, 2022 at 12:38 PM PST</span>--> <button class="l-btn back-to-top" id="backToTop" data-page-track="true" data-page-track-value="dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices:back to top">Back to top</button> <div class="be__tags-wrapper"> <h3>Tags</h3><ul role="list"><li role="listitem"><a href="https://unit42.paloaltonetworks.com/tag/acedeceiver/" role="link" title="AceDeceiver" data-page-track="true" data-page-track-value="dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices:tags:AceDeceiver">AceDeceiver</a></li><li role="listitem"><a href="https://unit42.paloaltonetworks.com/tag/adb-drivers/" role="link" title="adb drivers" data-page-track="true" data-page-track-value="dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices:tags:adb drivers">Adb drivers</a></li><li role="listitem"><a href="https://unit42.paloaltonetworks.com/tag/android/" role="link" title="Android" data-page-track="true" data-page-track-value="dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices:tags:Android">Android</a></li><li role="listitem"><a href="https://unit42.paloaltonetworks.com/tag/apps/" role="link" title="apps" data-page-track="true" data-page-track-value="dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices:tags:apps">Apps</a></li><li role="listitem"><a href="https://unit42.paloaltonetworks.com/tag/dualtoy/" role="link" title="DualToy" data-page-track="true" 
role="listitem"> <a href="https://unit42.paloaltonetworks.com/tag/jailbroken/" title="jailbroken" role="link" data-page-track="true" data-page-track-value="dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices:related-resources:Recent Jailbreaks Demonstrate Emerging Threat to DeepSeek:jailbroken">Jailbroken</a> </li> <li role="listitem"> <a href="https://unit42.paloaltonetworks.com/tag/genai/" title="GenAI" role="link" data-page-track="true" data-page-track-value="dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices:related-resources:Recent Jailbreaks Demonstrate Emerging Threat to DeepSeek:GenAI">GenAI</a> </li></ul> </div> <div class="card-content__link"> <a class="hyperlink" href="https://unit42.paloaltonetworks.com/jailbreaking-deepseek-three-techniques/" title="Recent Jailbreaks Demonstrate Emerging Threat to DeepSeek" role="link" data-page-track="true" data-page-track-value="dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices:related-resources:Recent Jailbreaks Demonstrate Emerging Threat to DeepSeek:read now"> Read now <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-right-arrow-withtail.svg" alt="Right arrow"> </a> </div> </div> </div> <div class="pa l-card l-card--slider" > <div class="card-media " > <figure> <img width="786" height="368" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2025/01/01_Hactivism_Overview_1920x900-786x368.jpg" class="lozad" alt="A pictorial representation of an espionage operation against high-value targets in South Asia. Digital artwork featuring an abstract blend of vibrant blue, pink, and black colors with fragments of HTML code visible, creating a dynamic and modern visual effect against a glitch effect photo of someone typing on a keyboard." 
decoding="async" data-srcset="https://unit42.paloaltonetworks.com/wp-content/uploads/2025/01/01_Hactivism_Overview_1920x900-786x368.jpg 786w, https://unit42.paloaltonetworks.com/wp-content/uploads/2025/01/01_Hactivism_Overview_1920x900-1493x700.jpg 1493w, https://unit42.paloaltonetworks.com/wp-content/uploads/2025/01/01_Hactivism_Overview_1920x900-768x360.jpg 768w, https://unit42.paloaltonetworks.com/wp-content/uploads/2025/01/01_Hactivism_Overview_1920x900-1536x720.jpg 1536w, https://unit42.paloaltonetworks.com/wp-content/uploads/2025/01/01_Hactivism_Overview_1920x900.jpg 1920w" sizes="(max-width: 786px) 100vw, 786px" /> </figure> </div> <div class="card-content"> <div class="card-content__wrapper"> <a class="card-category" href="https://unit42.paloaltonetworks.com/category/threat-research/" role="link" data-page-track="true" data-page-track-value="dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices:related-resources:CL-STA-0048: An Espionage Operation Against High-Value Targets in South Asia:Threat Research"><span class=""><img class="lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/icon-threat-research.svg" alt=" category icon">Threat Research</span></a> <span class="post-pub-date"><time datetime="2025-01-29T23:00:17+00:00">January 29, 2025</time></span> <a href="https://unit42.paloaltonetworks.com/espionage-campaign-targets-south-asian-entities/" data-page-track="true" data-page-track-value="dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices:related-resources:CL-STA-0048: An Espionage Operation Against High-Value Targets in South Asia"> <h4 class="post-title">CL-STA-0048: An Espionage Operation Against High-Value Targets in South Asia</h4> </a> <ul class="card-tags" role="list"> <li role="listitem"> <a href="https://unit42.paloaltonetworks.com/tag/china/" title="China" role="link" data-page-track="true" 
data-page-track-value="dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices:related-resources:CL-STA-0048: An Espionage Operation Against High-Value Targets in South Asia:China">China</a> </li> <li role="listitem"> <a href="https://unit42.paloaltonetworks.com/tag/cobalt-strike/" title="Cobalt Strike" role="link" data-page-track="true" data-page-track-value="dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices:related-resources:CL-STA-0048: An Espionage Operation Against High-Value Targets in South Asia:Cobalt Strike">Cobalt Strike</a> </li> <li role="listitem"> <a href="https://unit42.paloaltonetworks.com/tag/mimikatz/" title="Mimikatz" role="link" data-page-track="true" data-page-track-value="dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices:related-resources:CL-STA-0048: An Espionage Operation Against High-Value Targets in South Asia:Mimikatz">Mimikatz</a> </li></ul> </div> <div class="card-content__link"> <a class="hyperlink" href="https://unit42.paloaltonetworks.com/espionage-campaign-targets-south-asian-entities/" title="CL-STA-0048: An Espionage Operation Against High-Value Targets in South Asia" role="link" data-page-track="true" data-page-track-value="dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices:related-resources:CL-STA-0048: An Espionage Operation Against High-Value Targets in South Asia:read now"> Read now <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-right-arrow-withtail.svg" alt="Right arrow"> </a> </div> </div> </div> <div class="pa l-card l-card--slider" > <div class="card-media " > <figure> <img width="786" height="368" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/12/13_Security-Technology_Category_1920x900-786x368.jpg" class="lozad" alt="A pictorial representation of a jailbreaking technique. 
Abstract digital tunnel with glowing blue lights and intricate patterns, representing data or technology." decoding="async" data-srcset="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/12/13_Security-Technology_Category_1920x900-786x368.jpg 786w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/12/13_Security-Technology_Category_1920x900-1493x700.jpg 1493w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/12/13_Security-Technology_Category_1920x900-768x360.jpg 768w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/12/13_Security-Technology_Category_1920x900-1536x720.jpg 1536w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/12/13_Security-Technology_Category_1920x900.jpg 1920w" sizes="(max-width: 786px) 100vw, 786px" /> </figure> </div> <div class="card-content"> <div class="card-content__wrapper"> <a class="card-category" href="https://unit42.paloaltonetworks.com/category/threat-research/" role="link" data-page-track="true" data-page-track-value="dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices:related-resources:Bad Likert Judge: A Novel Multi-Turn Technique to Jailbreak LLMs by Misusing Their Evaluation Capability:Threat Research"><span class=""><img class="lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/icon-threat-research.svg" alt=" category icon">Threat Research</span></a> <span class="post-pub-date"><time datetime="2024-12-31T23:00:16+00:00">December 31, 2024</time></span> <a href="https://unit42.paloaltonetworks.com/multi-turn-technique-jailbreaks-llms/" data-page-track="true" data-page-track-value="dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices:related-resources:Bad Likert Judge: A Novel Multi-Turn Technique to Jailbreak LLMs by Misusing Their Evaluation Capability"> <h4 class="post-title">Bad Likert Judge: A Novel Multi-Turn Technique to Jailbreak LLMs by Misusing Their Evaluation Capability</h4> </a> <ul 
class="card-tags" role="list"> <li role="listitem"> <a href="https://unit42.paloaltonetworks.com/tag/genai/" title="GenAI" role="link" data-page-track="true" data-page-track-value="dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices:related-resources:Bad Likert Judge: A Novel Multi-Turn Technique to Jailbreak LLMs by Misusing Their Evaluation Capability:GenAI">GenAI</a> </li> <li role="listitem"> <a href="https://unit42.paloaltonetworks.com/tag/prompt-injection/" title="prompt injection" role="link" data-page-track="true" data-page-track-value="dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices:related-resources:Bad Likert Judge: A Novel Multi-Turn Technique to Jailbreak LLMs by Misusing Their Evaluation Capability:prompt injection">Prompt injection</a> </li> <li role="listitem"> <a href="https://unit42.paloaltonetworks.com/tag/jailbroken/" title="jailbroken" role="link" data-page-track="true" data-page-track-value="dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices:related-resources:Bad Likert Judge: A Novel Multi-Turn Technique to Jailbreak LLMs by Misusing Their Evaluation Capability:jailbroken">Jailbroken</a> </li></ul> </div> <div class="card-content__link"> <a class="hyperlink" href="https://unit42.paloaltonetworks.com/multi-turn-technique-jailbreaks-llms/" title="Bad Likert Judge: A Novel Multi-Turn Technique to Jailbreak LLMs by Misusing Their Evaluation Capability" role="link" data-page-track="true" data-page-track-value="dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices:related-resources:Bad Likert Judge: A Novel Multi-Turn Technique to Jailbreak LLMs by Misusing Their Evaluation Capability:read now"> Read now <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-right-arrow-withtail.svg" alt="Right arrow"> </a> </div> </div> </div> <div class="pa l-card l-card--slider" > <div class="card-media " > <figure> <img 
width="786" height="368" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/12/04_Tutorial_Category_1920x900-786x368.jpg" class="lozad" alt="Pictorial representation of using LLMs to obfuscate malicious JavaScript detection. A man wearing glasses, looking intently at a screen with reflections visible in the glasses of computer code." decoding="async" data-srcset="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/12/04_Tutorial_Category_1920x900-786x368.jpg 786w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/12/04_Tutorial_Category_1920x900-1493x700.jpg 1493w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/12/04_Tutorial_Category_1920x900-768x360.jpg 768w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/12/04_Tutorial_Category_1920x900-1536x720.jpg 1536w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/12/04_Tutorial_Category_1920x900.jpg 1920w" sizes="(max-width: 786px) 100vw, 786px" /> </figure> </div> <div class="card-content"> <div class="card-content__wrapper"> <a class="card-category" href="https://unit42.paloaltonetworks.com/category/threat-research/" role="link" data-page-track="true" data-page-track-value="dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices:related-resources:Now You See Me, Now You Don’t: Using LLMs to Obfuscate Malicious JavaScript:Threat Research"><span class=""><img class="lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/icon-threat-research.svg" alt=" category icon">Threat Research</span></a> <span class="post-pub-date"><time datetime="2024-12-20T11:00:39+00:00">December 20, 2024</time></span> <a href="https://unit42.paloaltonetworks.com/using-llms-obfuscate-malicious-javascript/" data-page-track="true" data-page-track-value="dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices:related-resources:Now You See Me, Now You Don’t: Using LLMs to Obfuscate Malicious JavaScript"> <h4 
class="post-title">Now You See Me, Now You Don’t: Using LLMs to Obfuscate Malicious JavaScript</h4> </a> <ul class="card-tags" role="list"> <li role="listitem"> <a href="https://unit42.paloaltonetworks.com/tag/credential-stealer/" title="credential stealer" role="link" data-page-track="true" data-page-track-value="dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices:related-resources:Now You See Me, Now You Don’t: Using LLMs to Obfuscate Malicious JavaScript:credential stealer">Credential stealer</a> </li> <li role="listitem"> <a href="https://unit42.paloaltonetworks.com/tag/data-augmentation/" title="Data Augmentation" role="link" data-page-track="true" data-page-track-value="dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices:related-resources:Now You See Me, Now You Don’t: Using LLMs to Obfuscate Malicious JavaScript:Data Augmentation">Data Augmentation</a> </li> <li role="listitem"> <a href="https://unit42.paloaltonetworks.com/tag/fraudgpt/" title="FraudGPT" role="link" data-page-track="true" data-page-track-value="dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices:related-resources:Now You See Me, Now You Don’t: Using LLMs to Obfuscate Malicious JavaScript:FraudGPT">FraudGPT</a> </li></ul> </div> <div class="card-content__link"> <a class="hyperlink" href="https://unit42.paloaltonetworks.com/using-llms-obfuscate-malicious-javascript/" title="Now You See Me, Now You Don’t: Using LLMs to Obfuscate Malicious JavaScript" role="link" data-page-track="true" data-page-track-value="dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices:related-resources:Now You See Me, Now You Don’t: Using LLMs to Obfuscate Malicious JavaScript:read now"> Read now <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-right-arrow-withtail.svg" alt="Right arrow"> </a> </div> </div> </div> <div class="pa l-card l-card--slider" > <div class="card-media " > 
<figure> <img width="786" height="368" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/12/02_Vulnerabilities_1920x900-786x368.jpg" class="lozad" alt="Pictorial representation of attackers leveraging Active Directory or LDAP. Close-up view of a server rack panel with illuminated lights and a digital display reading &#039;SYSTEM HACKED&#039;." decoding="async" data-srcset="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/12/02_Vulnerabilities_1920x900-786x368.jpg 786w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/12/02_Vulnerabilities_1920x900-1493x700.jpg 1493w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/12/02_Vulnerabilities_1920x900-768x360.jpg 768w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/12/02_Vulnerabilities_1920x900-1536x720.jpg 1536w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/12/02_Vulnerabilities_1920x900.jpg 1920w" sizes="(max-width: 786px) 100vw, 786px" /> </figure> </div> <div class="card-content"> <div class="card-content__wrapper"> <a class="card-category" href="https://unit42.paloaltonetworks.com/category/threat-research/" role="link" data-page-track="true" data-page-track-value="dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices:related-resources:LDAP Enumeration: Unveiling the Double-Edged Sword of Active Directory:Threat Research"><span class=""><img class="lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/icon-threat-research.svg" alt=" category icon">Threat Research</span></a> <span class="post-pub-date"><time datetime="2024-12-17T23:00:43+00:00">December 17, 2024</time></span> <a href="https://unit42.paloaltonetworks.com/lightweight-directory-access-protocol-based-attacks/" data-page-track="true" data-page-track-value="dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices:related-resources:LDAP Enumeration: Unveiling the Double-Edged Sword of Active Directory"> <h4 
class="post-title">LDAP Enumeration: Unveiling the Double-Edged Sword of Active Directory</h4> </a> <ul class="card-tags" role="list"> <li role="listitem"> <a href="https://unit42.paloaltonetworks.com/tag/stately-taurus/" title="Stately Taurus" role="link" data-page-track="true" data-page-track-value="dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices:related-resources:LDAP Enumeration: Unveiling the Double-Edged Sword of Active Directory:Stately Taurus">Stately Taurus</a> </li> <li role="listitem"> <a href="https://unit42.paloaltonetworks.com/tag/alphv/" title="ALPHV" role="link" data-page-track="true" data-page-track-value="dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices:related-resources:LDAP Enumeration: Unveiling the Double-Edged Sword of Active Directory:ALPHV">ALPHV</a> </li></ul> </div> <div class="card-content__link"> <a class="hyperlink" href="https://unit42.paloaltonetworks.com/lightweight-directory-access-protocol-based-attacks/" title="LDAP Enumeration: Unveiling the Double-Edged Sword of Active Directory" role="link" data-page-track="true" data-page-track-value="dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices:related-resources:LDAP Enumeration: Unveiling the Double-Edged Sword of Active Directory:read now"> Read now <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-right-arrow-withtail.svg" alt="Right arrow"> </a> </div> </div> </div> <div class="pa l-card l-card--slider" > <div class="card-media " > <figure> <img width="786" height="368" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/12/03_Malware_Category_1920x900-786x368.jpg" class="lozad" alt="Pictorial representation of HeartCrypt. A laptop on a desk displaying a vivid graphical interface with cyber security and data analytics themes, illuminated by red ambient lighting." 
decoding="async" data-srcset="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/12/03_Malware_Category_1920x900-786x368.jpg 786w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/12/03_Malware_Category_1920x900-1493x700.jpg 1493w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/12/03_Malware_Category_1920x900-768x360.jpg 768w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/12/03_Malware_Category_1920x900-1536x720.jpg 1536w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/12/03_Malware_Category_1920x900.jpg 1920w" sizes="(max-width: 786px) 100vw, 786px" /> </figure> </div> <div class="card-content"> <div class="card-content__wrapper"> <a class="card-category" href="https://unit42.paloaltonetworks.com/category/threat-research/" role="link" data-page-track="true" data-page-track-value="dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices:related-resources:Crypted Hearts: Exposing the HeartCrypt Packer-as-a-Service Operation:Threat Research"><span class=""><img class="lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/icon-threat-research.svg" alt=" category icon">Threat Research</span></a> <span class="post-pub-date"><time datetime="2024-12-13T23:00:21+00:00">December 13, 2024</time></span> <a href="https://unit42.paloaltonetworks.com/packer-as-a-service-heartcrypt-malware/" data-page-track="true" data-page-track-value="dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices:related-resources:Crypted Hearts: Exposing the HeartCrypt Packer-as-a-Service Operation"> <h4 class="post-title">Crypted Hearts: Exposing the HeartCrypt Packer-as-a-Service Operation</h4> </a> <ul class="card-tags" role="list"> <li role="listitem"> <a href="https://unit42.paloaltonetworks.com/tag/redline-infostealer/" title="Redline infostealer" role="link" data-page-track="true" 
data-page-track-value="dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices:related-resources:Crypted Hearts: Exposing the HeartCrypt Packer-as-a-Service Operation:Redline infostealer">Redline infostealer</a> </li> <li role="listitem"> <a href="https://unit42.paloaltonetworks.com/tag/lumma-stealer/" title="Lumma Stealer" role="link" data-page-track="true" data-page-track-value="dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices:related-resources:Crypted Hearts: Exposing the HeartCrypt Packer-as-a-Service Operation:Lumma Stealer">Lumma Stealer</a> </li> <li role="listitem"> <a href="https://unit42.paloaltonetworks.com/tag/remcos/" title="Remcos" role="link" data-page-track="true" data-page-track-value="dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices:related-resources:Crypted Hearts: Exposing the HeartCrypt Packer-as-a-Service Operation:Remcos">Remcos</a> </li></ul> </div> <div class="card-content__link"> <a class="hyperlink" href="https://unit42.paloaltonetworks.com/packer-as-a-service-heartcrypt-malware/" title="Crypted Hearts: Exposing the HeartCrypt Packer-as-a-Service Operation" role="link" data-page-track="true" data-page-track-value="dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices:related-resources:Crypted Hearts: Exposing the HeartCrypt Packer-as-a-Service Operation:read now"> Read now <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-right-arrow-withtail.svg" alt="Right arrow"> </a> </div> </div> </div> <div class="pa l-card l-card--slider" > <div class="card-media " > <figure> <img width="786" height="368" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/11/04_Vulnerabilities_1920x900-786x368.jpg" class="lozad" alt="Pictorial representation of suspicious registration scam campaigns. 
Close-up image of a glowing red WiFi connectivity symbol on a textured black surface, symbolizing digital security technology." decoding="async" data-srcset="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/11/04_Vulnerabilities_1920x900-786x368.jpg 786w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/11/04_Vulnerabilities_1920x900-1493x700.jpg 1493w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/11/04_Vulnerabilities_1920x900-768x360.jpg 768w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/11/04_Vulnerabilities_1920x900-1536x720.jpg 1536w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/11/04_Vulnerabilities_1920x900.jpg 1920w" sizes="(max-width: 786px) 100vw, 786px" /> </figure> </div> <div class="card-content"> <div class="card-content__wrapper"> <a class="card-category" href="https://unit42.paloaltonetworks.com/category/threat-research/" role="link" data-page-track="true" data-page-track-value="dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices:related-resources:Network Abuses Leveraging High-Profile Events: Suspicious Domain Registrations and Other Scams:Threat Research"><span class=""><img class="lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/icon-threat-research.svg" alt=" category icon">Threat Research</span></a> <span class="post-pub-date"><time datetime="2024-12-06T23:00:40+00:00">December 6, 2024</time></span> <a href="https://unit42.paloaltonetworks.com/suspicious-domain-registration-campaigns/" data-page-track="true" data-page-track-value="dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices:related-resources:Network Abuses Leveraging High-Profile Events: Suspicious Domain Registrations and Other Scams"> <h4 class="post-title">Network Abuses Leveraging High-Profile Events: Suspicious Domain Registrations and Other Scams</h4> </a> <ul class="card-tags" role="list"> <li role="listitem"> <a 
href="https://unit42.paloaltonetworks.com/tag/network-scanning/" title="network scanning" role="link" data-page-track="true" data-page-track-value="dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices:related-resources:Network Abuses Leveraging High-Profile Events: Suspicious Domain Registrations and Other Scams:network scanning">Network scanning</a> </li> <li role="listitem"> <a href="https://unit42.paloaltonetworks.com/tag/cybersquatting/" title="cybersquatting" role="link" data-page-track="true" data-page-track-value="dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices:related-resources:Network Abuses Leveraging High-Profile Events: Suspicious Domain Registrations and Other Scams:cybersquatting">Cybersquatting</a> </li> <li role="listitem"> <a href="https://unit42.paloaltonetworks.com/tag/chatgpt/" title="ChatGPT" role="link" data-page-track="true" data-page-track-value="dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices:related-resources:Network Abuses Leveraging High-Profile Events: Suspicious Domain Registrations and Other Scams:ChatGPT">ChatGPT</a> </li></ul> </div> <div class="card-content__link"> <a class="hyperlink" href="https://unit42.paloaltonetworks.com/suspicious-domain-registration-campaigns/" title="Network Abuses Leveraging High-Profile Events: Suspicious Domain Registrations and Other Scams" role="link" data-page-track="true" data-page-track-value="dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices:related-resources:Network Abuses Leveraging High-Profile Events: Suspicious Domain Registrations and Other Scams:read now"> Read now <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-right-arrow-withtail.svg" alt="Right arrow"> </a> </div> </div> </div> <div class="pa l-card l-card--slider" > <div class="card-media " > <figure> <img width="786" height="368" 
</video> <div class="modal__post-details" tabindex="-1"> <h3>Default Heading</h3> <a class="l-btn" href="#" title="Right Arrow Icon" role="link" data-page-track="true" data-page-track-value="overview:explore reports:View all reports">Read the article <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/right-arrow.svg" alt="Right Arrow"> </a> </div> <div class="modal__video-controls"> <div class="modal__video-seekbar input__wrapper"><span></span> <label class="is-hidden" for="modalSeekBar">Seekbar</label> <input class="custom-range" id="modalSeekBar" type="range" min="0" max="100" value="1"> <p class="modal__remaining-time"></p> </div> <button class="modal__play-btn is-paused" id="playPauseBtn"> <img class="play" src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/player-play-icon.svg" alt="Play"> <img class="pause" src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/player-pause-icon1.svg" alt="Pause"> </button> <div class="modal__volume-controls"> <div class="modal__volume__wrapper"> <button tabindex="0"> <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-volume.svg" alt="Volume"> </button> <div class="modal__volume-seekbar"><span></span> <label class="is-hidden" for="volumeBar">Volume</label> <input class="volume__bar" id="volumeBar" type="range" min="0" max="1" step="0.1" value="0.7"> </div> </div> <button class="modal__minimize-btn" id="minimizeBtn"> <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-minimize.svg" alt="Minimize"> </button> </div> </div> </div> </div><!-- End: video modal --> <script type="text/javascript"> var isProcessing = false; function alter_ul_post_values(obj,post_id,ul_type){ if (isProcessing) return; isProcessing = true; var like_nonce = jQuery('#_wpnonce').val(); jQuery(obj).find("span").html(".."); jQuery.ajax({ type: "POST", url: 
"https://unit42.paloaltonetworks.com/wp-content/plugins/like-dislike-counter-for-posts-pages-and-comments/ajax_counter.php", data: "post_id="+post_id+"&up_type="+ul_type+"&ul_nonce="+like_nonce, success: function(msg){ jQuery(obj).find("span").html(msg); isProcessing = false; jQuery(obj).find('svg').children('path').attr('stroke','#0050FF'); jQuery(obj).removeClass('idc_ul_cont_not_liked idc_ul_cont_not_liked_inner'); } }); } </script> <link rel='stylesheet' id='wpdevart_lightbox_front_end_css-css' href='https://unit42.paloaltonetworks.com/wp-content/plugins/lightbox-popup/includes/style/wpdevart_lightbox_front.css?ver=6.7.1' media='all' /> <script src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/js/script.js?ver=1.0.0" id="unit42-v6-navigation-js"></script> <!-- Start: Scripts Migrated From Unit42-v5 --> <script type="text/javascript"> const observer_lozad = lozad('.lozad, .lozad-background'); // lazy loads elements with default selector as '.lozad' observer_lozad.observe(); function noSell(event) { event.preventDefault(); if (( typeof OneTrust != 'undefined') && (!!OneTrust)) { OneTrust.ToggleInfoDisplay(); }else{ var href = event.target.getAttribute('href'); window.open(href, '_blank'); } } window.PAN_Clean_Util = { isIE: false }; (function () { // INP Util Fix function yieldToMain(ms) { return new Promise(resolve => setTimeout(resolve, ms)); } window.PAN_Clean_Util.yieldToMain = yieldToMain })(); if(referer == "CloudCortex" || referer == "Prisma" || referer == "Cortex" || referer == "Sase" || referer == "Unit" || referer == "Ngfw"){ var Coveo_organizationId = "paloaltonetworksintranet"; var techDocsPagePath = "https://docs.paloaltonetworks.com/search.html#hd=All%20Prisma%20Cloud%20Documentation&hq=%40panproductcategory%3D%3D(%22Prisma%20Cloud%22)&sort=relevancy&layout=card&numberOfResults=25"; var languageFromPath="en_US"; window.Granite = window.Granite || {}; Granite.I18n = (function() { var self = {}; self.setLocale = 
function(locale) { }; self.get = function(text, snippets, note) { var out = ""; if(text){ if(text ==="coveo.clear"){ out = "Clear"; }else if(text ==="coveo.noresultsfound"){ out = "No results found for this search term."; } } return out; }; return self }()); } var main_site_critical_top = maindomain_lang+'/etc.clientlibs/panClean/components/mainNavigationComp/clientlibs/panClean/criticalTop.min.js'; var main_site_defered = maindomain_lang+'/etc.clientlibs/panClean/components/mainNavigationComp/clientlibs/panClean/defered.min.js'; var main_site_criticalTopBase = maindomain_lang+'/etc.clientlibs/panClean/components/mainNavigationComp/clientlibs/panClean/criticalTopBase.min.js'; var main_site_criticalTopProductNav = maindomain_lang+'/etc.clientlibs/panClean/components/mainNavigationComp/clientlibs/panClean/criticalTopProductNav.min.js'; window.PAN_MainNavAsyncUrl = maindomain_lang+"/_jcr_content/globals/cleanHeaderPrisma.prismaRenderer.html"; function loadScript(url, defer){ var script1 = document.createElement('script'); script1.setAttribute('type', 'text/javascript'); script1.setAttribute('src',url); if(defer == true){ script1.setAttribute('defer','defer'); } document.head.appendChild(script1); } function loadScript1(url, callback){ var script = document.createElement("script") script.type = "text/javascript"; if (script.readyState){ //IE script.onreadystatechange = function(){ if (script.readyState == "loaded" || script.readyState == "complete"){ script.onreadystatechange = null; callback(); } }; } else { //Others script.onload = function(){ callback(); }; } script.src = url; document.getElementsByTagName("head")[0].appendChild(script); } if(referer == "CloudCortex" || referer == "Prisma" || referer == "Cortex" || referer == "Sase" || referer == "Unit" || referer == "Ngfw"){ if(referer == "Unit"){ setTimeout(function(){ loadScript(main_site_criticalTopBase, false); loadScript1(main_site_criticalTopProductNav, function(){ window.PAN_initializeProduct2021Nav(); }); 
loadScript(main_site_defered, false); }, 3000); } else{ setTimeout(function(){ loadScript1(main_site_critical_top, function(){ window.PAN_initializeProduct2021Nav(); }); loadScript(main_site_defered, false); }, 3000); } } $(document).ready(function () { setTimeout(function(){ $('.article-banner .ab__options ul li a').each(function(){ $(this).attr('target', "_blank"); }); }, 4000); $( ".do-not-sell-link a" ).on( "click", function( event ) { noSell(event); }); }); </script> <!-- End: Scripts Migrated From Unit42-v5 --> </body> </html>
