Canis C2 Exposed: Previously Undocumented Cross-Platform ...

· Published 08/04/2026 21:09 · Modified 09/04/2026 18:05

Essential information

Published: 08/04/2026 21:09
Modified: 09/04/2026 18:05
Source / Author: AlienVault
Confidence: 100/100
Report type(s): threat-report
Labels / Tags: browser canis cross platform infostealer phishing
Tags: 2026-04-08 browser canis cross-platform infostealer phishing
Related entities: 10 indicators, 10 observables, 1 techniques (mitre), 6 others

Description

On March 19, a researcher on X posted a suspicious Android APK tied to a page impersonating Paidy, a Japanese buy-now-pay-later service. A quick look at the infrastructure behind it revealed an unauthenticated API sitting wide open, with endpoints exposing payloads, command logs, and the C2 source code itself. The server wasn't running a simple credential harvester. Agents for Android, iOS, Windows, Linux, and macOS were present, alongside a canvas-based device fingerprinting system and code that references iOS sandboxing mechanisms by name. The actor behind it is clearly comfortable with Japanese, and large portions of the codebase show signs of LLM-assisted development.

External references