A sophisticated Android remote access trojan (RAT) campaign leverages social engineering, Hugging Face’s infrastructure for payload staging, and heavy abuse of Android Accessibility Services to gain deep control over infected devices.
What stands out is how attackers exploit Hugging Face, a popular platform for machine learning models, datasets, and developer tools, to host and rapidly deploy malicious APKs.
The platform’s lack of robust upload filters, relying mainly on ClamAV scans, leaves it vulnerable to such misuse.
This campaign deploys fresh samples at scale, generating new payloads roughly every 15 minutes through server-side polymorphism.
Dropper apps trick users into sideloading malware disguised as security tools, leading to persistent surveillance, credential theft, and data exfiltration via a centralized command-and-control (C2) server.
Core Mechanics of the Campaign
The RAT follows a two-stage infection chain: a benign-looking dropper followed by a malicious payload. Attackers distribute the initial dropper, often called TrustBastion, through deceptive ads that claim to scan for scams, phishing, or malware.
The now-defunct site trustbastion[.]com pitched it as a free protector against fraudulent SMS and threats.
Once installed via manual sideloading, the dropper displays a fake update prompt mimicking Google Play or Android system dialogs. This social engineering ploy pushes users to approve the next step.
Payload Fetching via Legitimate Platforms
To evade domain blocklists, the dropper first queries an endpoint on trustbastion[.]com, such as /xiazz.html. That URL is hardcoded in the app’s config in scrambled form and decoded at runtime with a simple offset (a ‘z’ shift). The server responds not with an APK but with an HTML redirect to a Hugging Face dataset repo, such as huggingface[.]co/datasets/xcvqsccm/sfxyt851/resolve/main/b.apk.
Network captures reveal the flow:
- Dropper GET to trustbastion[.]com/xiazz.html (IP: 148.135.44.146).
- Response: HTML with Hugging Face link.
- Final download from Hugging Face CDN (e.g., cdn-lfs-us-1.hf[.]co/…/b.apk), hitting CloudFront edges.
This blends malicious traffic with legit Hugging Face requests, dodging basic filters. The payload APK (about 4.8 MB) lands with a package name like rgpp.lerlgl.vhrthg or net.falcon878.market.
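To show how a proxy log can still surface this chain, here is an added detection example (my code, not from the article or any vendor tool): it tags requests to the staging domains and C2 endpoints named in this write-up, flags .apk downloads served from Hugging Face dataset resolve URLs or the LFS CDN, and correlates a client's staging-domain hit with a Hugging Face APK fetch shortly afterwards. The log format, the client addresses and the CDN IP are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Indicators from the write-up, in plain form so they match hostnames in logs.
STAGING_DOMAINS = {"trustbastion.com", "au-club.top"}
C2_ENDPOINTS = {("154.198.48.57", 5000), ("108.187.7.133", 5000)}
# A Hugging Face dataset "resolve" path ending in .apk, and the LFS CDN hosts that serve it.
HF_DATASET_APK = re.compile(r"^/datasets/[^/]+/[^/]+/resolve/[^/]+/.+\.apk$", re.I)
HF_LFS_CDN = re.compile(r"^cdn-lfs[\w-]*\.hf\.co$", re.I)

def classify(url, dst_ip=None, dst_port=None):
    """Tag one proxied request; an empty list means nothing matched."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    tags = []
    if host in STAGING_DOMAINS or any(host.endswith("." + d) for d in STAGING_DOMAINS):
        tags.append("known-staging-domain")
    if (host == "huggingface.co" or host.endswith(".huggingface.co")) and HF_DATASET_APK.match(p.path):
        tags.append("apk-from-hf-dataset")
    if HF_LFS_CDN.match(host) and p.path.lower().endswith(".apk"):
        tags.append("apk-from-hf-lfs-cdn")
    if (dst_ip, dst_port) in C2_ENDPOINTS:
        tags.append("known-c2")
    return tags

# Assumed (constructed) log format: "<epoch> <client> <dst_ip>:<dst_port> <url-or-dash>"
LOG_RE = re.compile(r"^(\d+) (\S+) (\S+):(\d+) (\S+)$")

def find_infection_chains(lines, window=600):
    """Pair each client's Hugging Face APK download with a staging-domain hit made
    by the same client up to `window` seconds earlier: the dropper-to-payload chain."""
    last_staging, chains = {}, []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, client, ip, port, url = int(m[1]), m[2], m[3], int(m[4]), m[5]
        tags = classify(url, ip, port)
        if "known-staging-domain" in tags:
            last_staging[client] = ts
        if any(t.startswith("apk-from-hf") for t in tags):
            t0 = last_staging.get(client)
            if t0 is not None and 0 <= ts - t0 <= window:
                chains.append((client, url))
    return chains

# Constructed sample traffic, not a real capture; 3.160.0.1 is a made-up CDN address and
# the model download by 10.0.0.7 shows that ordinary Hugging Face use is left alone.
SAMPLE_LOG = """
1700000000 10.0.0.5 148.135.44.146:443 https://trustbastion.com/xiazz.html
1700000012 10.0.0.5 3.160.0.1:443 https://huggingface.co/datasets/xcvqsccm/sfxyt851/resolve/main/b.apk
1700000030 10.0.0.7 3.160.0.1:443 https://cdn-lfs-us-1.hf.co/repos/ab/cd/model.safetensors
1700000090 10.0.0.5 154.198.48.57:5000 -
""".strip().splitlines()
```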
Polymorphism at Scale
Repo analysis showed over 6,000 commits in 29 days, one every 15 minutes. Each commit uploads a rebuilt APK with tweaks: altered icons, strings, or minor code changes to shuffle hashes and evade signature-based detection.
When one repo went dark, attackers spun up a new one with cosmetic shifts, keeping core logic intact.
The malware’s behavior, however, stays consistent: the same permissions, API calls, and network patterns betray it regardless of the hash.
Behavioral analysis in mobile security suites therefore flags it despite the hash churn.
Post-Exploitation: Accessibility Abuse and Persistence
After installation, the payload poses as “Phone Security” to coax the user into granting it Accessibility Service access.
This Android permission lets it read screen content, simulate input, and monitor device-wide events, far beyond what a standard app can do.
It also requests screen recording, overlay, and screen casting permissions. With these, the RAT:
- Captures keystrokes, screenshots, and user flows in real time.
- Overlays fake login screens mimicking Alipay, WeChat, or banking apps to phish credentials.
- Snags lock screen PINs/patterns via injected overlays.
Exfiltrated data goes to the C2 over a keep-alive TCP connection on port 5000 (e.g., 154.198.48.57).
The same server handles commands, config updates, payload URLs, and even loads benign webviews to mask activity.
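A check defenders can run for the Accessibility abuse described above, added here as an example and not part of the article: it parses the output of two adb commands (the output formats are assumptions, noted in the comments) and reports every enabled accessibility service that belongs to a package from this write-up's IOC list or that was not installed through the Play Store. The sample device output and the service class names are constructed.

```python
import re

# Package names from the write-up's IOC table; Play Store as the only trusted installer.
KNOWN_BAD_PACKAGES = {"rgpp.lerlgl.vhrthg", "net.falcon878.market", "com.nrb.phayrucq"}
TRUSTED_INSTALLERS = {"com.android.vending"}

def parse_enabled_services(settings_value):
    """Parse `adb shell settings get secure enabled_accessibility_services` output,
    assumed to look like 'pkg/Class:pkg2/Class2' ('null' when nothing is enabled)."""
    value = settings_value.strip()
    if value in ("", "null"):
        return []
    return [tuple(entry.partition("/")[::2]) for entry in value.split(":") if entry]

def parse_installers(pm_output):
    """Parse `adb shell pm list packages -i` output, assumed to be lines of
    'package:<pkg>  installer=<installer|null>', into {pkg: installer or None}."""
    installers = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            installers[m[1]] = None if m[2] == "null" else m[2]
    return installers

def audit_accessibility(settings_value, pm_output):
    """Return (pkg, service, reason) for every enabled accessibility service that is a
    known RAT package or was not installed by a trusted store (i.e. was sideloaded)."""
    installers = parse_installers(pm_output)
    findings = []
    for pkg, service in parse_enabled_services(settings_value):
        installer = installers.get(pkg)
        if pkg in KNOWN_BAD_PACKAGES:
            findings.append((pkg, service, "known RAT package"))
        elif installer not in TRUSTED_INSTALLERS:
            findings.append((pkg, service, "sideloaded (installer=%s)" % installer))
    return findings

# Constructed device output; the service class names are made up for the example.
SAMPLE_SERVICES = ("com.google.android.marvin.talkback/.TalkBackService:"
                   "rgpp.lerlgl.vhrthg/.PhoneSecurityService:"
                   "com.example.autoclicker/.ClickService")
SAMPLE_PM = """package:com.google.android.marvin.talkback  installer=com.android.vending
package:rgpp.lerlgl.vhrthg  installer=null
package:com.example.autoclicker  installer=null
package:com.android.chrome  installer=com.android.vending"""
```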
Decompiled config snippets reveal hardcoded elements:

```java
public static final String B_ASSET_APK = "b.apk";
public static final String B_PACKAGE = "rgpp.lerlgl.vhrthg";
private static final String DATA_SOURCE_1 = "Eg4OCglAVVUNDQ1UDggPCQ4YGwkOExUUVBkVF1UCExsAAFQSDhcW"; // Scrambled URL piece
```
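As an added example (my code, not the malware's), the following decoder applies the ‘z’ shift to the config string above: base64-decoding DATA_SOURCE_1 and XORing every byte with 'z' yields the staging URL, hxxps://www[.]trustbastion[.]com/xiazz.html. It goes one step beyond the page's single case with a key-recovery helper that tries every single-byte key until the plaintext starts with "http", which is how an analyst would handle a variant that changes the key.

```python
import base64

# DATA_SOURCE_1 exactly as printed in the decompiled config above.
DATA_SOURCE_1 = "Eg4OCglAVVUNDQ1UDggPCQ4YGwkOExUUVBkVF1UCExsAAFQSDhcW"

def decode_config_string(encoded, key=b"z"):
    """base64-decode, then XOR every byte with the single-byte key."""
    raw = base64.b64decode(encoded)
    return bytes(b ^ key[0] for b in raw).decode("utf-8")

def encode_config_string(plain, key=b"z"):
    """Inverse of decode_config_string (XOR is its own inverse); useful to confirm
    that a recovered key reproduces the exact string found in the binary."""
    return base64.b64encode(bytes(b ^ key[0] for b in plain.encode("utf-8"))).decode("ascii")

def recover_single_byte_key(encoded, marker=b"http"):
    """Try all 256 single-byte XOR keys and return the one under which the
    plaintext starts with `marker`, or None if no key does."""
    raw = base64.b64decode(encoded)
    for k in range(256):
        if bytes(b ^ k for b in raw[:len(marker)]) == marker:
            return k
    return None

def defang(url):
    """Render a decoded URL in the defanged style the write-up uses (host dots only)."""
    scheme, _, rest = url.partition("://")
    host, slash, path = rest.partition("/")
    return scheme.replace("http", "hxxp") + "://" + host.replace(".", "[.]") + slash + path

if __name__ == "__main__":
    key = recover_single_byte_key(DATA_SOURCE_1)
    print("recovered key:", chr(key))                       # z
    print(defang(decode_config_string(DATA_SOURCE_1, bytes([key]))))  # hxxps://www[.]trustbastion[.]com/xiazz.html
```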
Evolution to Second Wave
The TrustBastion repo vanished in late December 2025 after a month online. Days later, “Premium Club” emerged with the same code behind a new facade.
The fake update screens persisted, now served from au-club[.]top, with the package name com.nrb.phayrucq.
| Type | Indicator | Details/Notes |
|---|---|---|
| Dropper SHA256 | d184d705189e42b54c6243a55d6c9502 | TrustBastion initial loader |
| Dropper SHA256 | d8b0fd515d860be2969cf441ea3b620d | Variant |
| Dropper SHA256 | b716a8a742fec3084b0f497abbfecfc0 | Variant |
| Dropper SHA256 | 15bdc66aca9fb7290165d460e6a993a9 | Variant |
| Payload Package | rgpp.lerlgl.vhrthg | Common in first wave |
| C2 IP | 154.198.48.57 | Port 5000, tied to trustbastion[.]com |
| Domain | trustbastion[.]com | Dropper staging, redirects |
| Second Wave | | |
| Dropper SHA256 | fc874c42ea76dd5f867649cbdf81e39b | Premium Club loader |
| Payload Package | com.nrb.phayrucq | Second iteration |
| Domain | au-club[.]top | New staging site |
| C2 IP | 108.187.7.133 | Updated server |
Hugging Face took down the flagged datasets after being notified by ifdefender, but the tactic persists: attackers cycle through repos, leaning on the platform’s open nature.
Block these IOCs in firewalls, EDR, and mobile threat defense. Scan for Accessibility abuse via behavioral rules.
This campaign highlights risks in open platforms like Hugging Face, where dev-friendly policies enable abuse.
Android users should shun sideloaded “security” apps pushed by ads, stick to the Play Store, and review their Accessibility grants. Defenders should prioritize runtime behavior over static hashes for Android threats.