Overview
- Bitdefender reported an active campaign using a fake security app called TrustBastion to trigger a forced update that fetches a malicious payload from a Hugging Face dataset.
- The dropper reaches an endpoint at trustbastion[.]com that redirects to Hugging Face, where the final APK is served via the platform’s CDN.
- Once installed, the payload, an Android remote access trojan (RAT), requests Accessibility permissions, captures screen content, presents phishing overlays for services such as Alipay and WeChat, and attempts to harvest lock-screen PINs.
- Operators use server-side polymorphism to generate new payload variants roughly every 15 minutes, with the month-old repository recording more than 6,000 commits.
- After the initial repository was removed, the campaign reappeared under the Premium Club name with the same code, as Hugging Face took down datasets and Bitdefender published indicators of compromise.
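A defender-side detection heuristic for the delivery pattern described above, added here as an example and not code from Bitdefender's report: it scans constructed proxy log lines for APK downloads that land on a Hugging Face dataset URL after a redirect from a host outside Hugging Face. Because the operators rotate payload variants roughly every 15 minutes, file hashes age quickly, so this keys on the redirect chain and content type instead; the log format, hostnames and URLs are assumptions.

```python
from urllib.parse import urlparse

# Constructed sample proxy log (not real traffic). One line per transaction:
# client_ip | initial_url -> final_url_after_redirects | final content-type
SAMPLE_LOG = """\
10.0.0.5 | https://trustbastion.example/update -> https://huggingface.co/datasets/acct/data/resolve/main/update.apk | application/vnd.android.package-archive
10.0.0.7 | https://huggingface.co/datasets/acct/data/resolve/main/train.parquet -> https://huggingface.co/datasets/acct/data/resolve/main/train.parquet | application/octet-stream
10.0.0.9 | https://example.org/app.apk -> https://example.org/app.apk | application/vnd.android.package-archive
"""

# Assumed hosts from which Hugging Face dataset files are served.
HF_HOSTS = {"huggingface.co", "cdn-lfs.huggingface.co"}
APK_MIME = "application/vnd.android.package-archive"

def parse_line(line):
    """Split one constructed log line into its client, first URL, final URL and MIME type."""
    client, chain, ctype = [part.strip() for part in line.split("|")]
    first, final = [url.strip() for url in chain.split("->")]
    return {"client": client, "first": first, "final": final, "ctype": ctype}

def is_suspicious(rec):
    """True when an APK is served from a Hugging Face dataset path but the
    client got there via a redirect that started on a non-Hugging-Face host.
    Direct dataset fetches and APKs from ordinary hosts are not flagged."""
    first_host = urlparse(rec["first"]).hostname or ""
    final_url = urlparse(rec["final"])
    final_host = final_url.hostname or ""
    return (rec["ctype"] == APK_MIME
            and final_host in HF_HOSTS
            and "/datasets/" in final_url.path
            and first_host not in HF_HOSTS)

def find_suspicious(log_text):
    """Return (client, final_url) pairs for every flagged transaction."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if is_suspicious(rec):
            hits.append((rec["client"], rec["final"]))
    return hits

if __name__ == "__main__":
    for client, url in find_suspicious(SAMPLE_LOG):
        print(f"ALERT {client}: APK delivered via Hugging Face dataset after redirect: {url}")
```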