{
  "Event": {
    "analysis": "1",
    "date": "2026-04-08",
    "extends_uuid": "",
    "info": "[Threat Intel] Canis C2 Exposed: Previously Undocumented Cross-Platform ...",
    "protected": false,
    "publish_timestamp": "1776175450",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1776175449",
    "uuid": "7e511bed-0526-41cf-bf9f-22fd16263207",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#cf6788",
        "local": false,
        "name": "misp-galaxy:producer=\"Hunt.io\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-original-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#1b95cd",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\"",
        "relationship_type": ""
      },
      {
        "colour": "#5887a6",
        "local": false,
        "name": "misp-galaxy:target-information=\"Japan\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Audio Capture - T1429\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Command and Scripting Interpreter - T1623\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Foreground Persistence - T1541\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Input Injection - T1516\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Input Prompt - T1411\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Location Tracking - T1430\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Match Legitimate Name or Location - T1655.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Phishing - T1660\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Video Capture - T1512\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#120046",
        "local": false,
        "name": "rectifyq:sub-category=\"infra-profile\"",
        "relationship_type": ""
      },
      {
        "colour": "#170059",
        "local": false,
        "name": "rectifyq:topic=\"mobile-attack\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#31373d",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"not-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775790012",
        "to_ids": false,
        "type": "link",
        "uuid": "d26460e7-360a-47cf-8ed0-8ea5a7493dbc",
        "value": "https://hunt.io/blog/canis-c2-exposed-cross-platform-surveillance-framework-japan"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775790012",
        "to_ids": false,
        "type": "text",
        "uuid": "17f24b42-4e1f-4331-b05d-83325a214157",
        "value": "On March 19, a researcher on X posted a suspicious Android APK tied to a phishing page impersonating Paidy, a Japanese buy-now-pay-later service. A quick look at the infrastructure behind it revealed an unauthenticated API sitting wide open, with endpoints exposing payloads, command logs, and the C2 source code itself. The server wasn't running a simple credential harvester. Agents for Android, iOS, Windows, Linux, and macOS were present, alongside a canvas-based device fingerprinting system and code that references iOS sandboxing mechanisms by name. The actor behind it is clearly comfortable with Japanese, and large portions of the codebase show signs of LLM-assisted development."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775790012",
        "to_ids": false,
        "type": "text",
        "uuid": "846f4c40-feef-4e57-bef1-8d5ac56d04db",
        "value": "Name: Canis C2 Exposed: Previously Undocumented Cross-Platform ...\nAuthor: AlienVault\nAdversary: \nTags: [\"phishing\", \"canis\", \"cross platform\", \"browser\", \"infostealer\"]\nTgtd countries: []\nMlwr families: []\nAttack_ids: [\"T1566\"]\nIndustries: []"
      },
      {
        "category": "Payload delivery",
        "comment": "Let's Encrypt certificate",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776022091",
        "to_ids": true,
        "type": "x509-fingerprint-sha256",
        "uuid": "790813b8-d476-4708-b509-484431b82101",
        "value": "f8e9a720468c89f191d8cb12d46d81ef67b87a9ef95a307835c556a0885bd181"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776167037",
        "to_ids": true,
        "type": "url",
        "uuid": "3866b379-315e-4647-8cab-5975de27f72f",
        "value": "http://info-payeasy.com/assets/index-DdmV8luQ.js",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776167058",
        "to_ids": true,
        "type": "url",
        "uuid": "3317f15b-d674-4bd5-94bc-1406e784518f",
        "value": "http://info-payeasy.com/pages/overview.html",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776167079",
        "to_ids": true,
        "type": "domain",
        "uuid": "a902f6a1-402e-42cf-a014-d9c821acd9ea",
        "value": "americanexpress-site.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776167100",
        "to_ids": true,
        "type": "domain",
        "uuid": "9c119d5b-b1b4-45b9-8420-840c03dd8ce7",
        "value": "android-protect.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776167121",
        "to_ids": true,
        "type": "domain",
        "uuid": "4f30c786-073a-4296-899e-e4d91ea9a3b6",
        "value": "applesecurity.pro",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776167143",
        "to_ids": true,
        "type": "domain",
        "uuid": "999fa845-f120-401a-82b1-40d9e44c4280",
        "value": "devicesecurity.pro",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776167164",
        "to_ids": true,
        "type": "domain",
        "uuid": "ae1a51ee-08a1-4e41-910c-dfbced2656af",
        "value": "info-payeasy.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776167186",
        "to_ids": true,
        "type": "domain",
        "uuid": "8527bec6-c38d-44aa-9965-e69f65c9052f",
        "value": "ios-deviceprotect.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Initial and follow-on domains presenting phishing lures",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776167207",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "f9089184-519c-4795-a680-a61fd13dbc13",
        "value": "161.33.154.144",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776167228",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "1c2c0d39-ceeb-4b69-b384-68948fe192c6",
        "value": "34.111.179.208",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Domains using the same registrar, nameservers, and similar webpages are engaging in credential harvesting/compromise.",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776167250",
        "to_ids": true,
        "type": "domain",
        "uuid": "e449f83f-2864-488b-bc2f-023494cf5b4a",
        "value": "ios-inc.app",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Domains using the same registrar, nameservers, and similar webpages are engaging in credential harvesting/compromise.",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776167271",
        "to_ids": true,
        "type": "domain",
        "uuid": "449601da-9dec-44c4-b8fd-17ff190556bc",
        "value": "iosdevicepolicy.app",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1776167292",
        "uuid": "7d84aacb-2679-4337-b141-90b773523af3",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Android APK discovered and posted on X.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1776167292",
            "to_ids": true,
            "type": "md5",
            "uuid": "2325624b-433b-4751-9950-0939619cb435",
            "value": "01813833afbe76f6968b7982528ce783",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Android APK discovered and posted on X.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1776166987",
            "to_ids": true,
            "type": "sha1",
            "uuid": "d6800f1c-27e0-402f-962d-f874b7c82afb",
            "value": "c860bf65930b4bb956c3f7bee999f7a5dcfdb3b3",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Android APK discovered and posted on X.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1776166987",
            "to_ids": true,
            "type": "sha256",
            "uuid": "24bddd1b-b5f2-4c1a-bc57-81a444af7118",
            "value": "564b381dc3e6fc737fd9b46fb5ee1e06f4e333d2886f0805514af44947a4c271",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1776072120",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "387737e0-ea2b-4eda-9d1a-17d6f9ca4906",
            "value": "24576:t2p780zOU0xMN7+mMcksQXAWSzfeBzh4E4fg7TUu:wThNXMcNxegEWgEu"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1776072120",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "7c4a531e-5ea9-4596-85b9-df68a497e869",
            "value": "944616"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1776072120",
            "to_ids": true,
            "type": "vhash",
            "uuid": "d68ce8d2-3f7f-4192-8484-f2d7a372bc91",
            "value": "7d0793a4d1be92765e087ccc3d45a807"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1776072120",
            "to_ids": true,
            "type": "filename",
            "uuid": "cf866f09-afbc-4c65-a1c5-4d93acf93007",
            "value": "PayEasy-Viewer.apk"
          },
          {
            "category": "Other",
            "comment": "Checked: 13/04/2026\nLast-scan: 13/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1776072120",
            "to_ids": false,
            "type": "text",
            "uuid": "0c2e0d36-c5bd-400e-9836-9cf8ce333c1a",
            "value": "Android APK discovered and posted on X.\r\nType Description: Android\nMicrosoft: Trojan:Win32/Ravartar!rfn\nVT Total Detection:13/67\nFirst Submission:2026-03-19T07:28:48.000000+00:00\nLast Submission:2026-04-10T04:37:21.000000+00:00"
          }
        ]
      }
    ]
  }
}