RelayNFC: The New NFC Relay Malware Targeting Brazil

    Date: 11/26/2025

    Severity: Medium

    Summary

    RelayNFC is a newly identified and increasingly sophisticated Android malware targeting users in Brazil through phishing campaigns. Designed specifically for NFC relay attacks, it captures victims’ contactless payment card data and relays it in real time to attacker-controlled servers, enabling fraudulent transactions as if the physical card were present. Built with React Native and Hermes bytecode, RelayNFC is lightweight, evasive, and difficult to analyze, with VirusTotal showing zero detections. The campaign uses convincing Portuguese-language phishing sites to trick victims into installing the malicious app, and related variants indicate the threat actors are experimenting with techniques such as Host Card Emulation. The operation mirrors a broader rise in NFC-abusing malware families like Ngate, SuperCardX, and PhantomCard, with multiple coordinated sites distributing the same RelayNFC payload.

    Indicators of Compromise (IOC) List


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection 

    Detection Query 1 :

    domainname like "http://72.60.255.182" or siteurl like "http://72.60.255.182" or url like "http://72.60.255.182"
    or domainname like "http://72.60.146.139" or siteurl like "http://72.60.146.139" or url like "http://72.60.146.139"
    or domainname like "http://82.25.70.65" or siteurl like "http://82.25.70.65" or url like "http://82.25.70.65"
    or domainname like "https://maisseguraca.site/" or siteurl like "https://maisseguraca.site/" or url like "https://maisseguraca.site/"
    or domainname like "http://proseguro.site/" or siteurl like "http://proseguro.site/" or url like "http://proseguro.site/"
    or domainname like "https://test.ikotech.online/" or siteurl like "https://test.ikotech.online/" or url like "https://test.ikotech.online/"
    or domainname like "https://maisseguro.site/" or siteurl like "https://maisseguro.site/" or url like "https://maisseguro.site/"
    or domainname like "http://maisprotecao.site/" or siteurl like "http://maisprotecao.site/" or url like "http://maisprotecao.site/"
    or domainname like "http://31.97.17.73" or siteurl like "http://31.97.17.73" or url like "http://31.97.17.73"
    or domainname like "http://72.61.55.178" or siteurl like "http://72.61.55.178" or url like "http://72.61.55.178"

    Detection Query 2 :

    sha256hash IN (
        "f474e7fdc1185351fd613c2bd9e683d13cc4fa143e28e50ced808bd1ad5ccd1a",
        "5905aa58853a05e860c87e9feeeea7c32b43859c8e703485e233429cec8d38dc",
        "76b6b2f0254a8a62eaeed02ab34828e9097f5cf2571ec3fd8230850efb709c68",
        "5df7ded7e5ba815f563193140e4f303fff50c78aac475b7c3409b0271131dbab",
        "4124d196a5c7706c7d03d0da6fc19df5833793e30716b04f2259f5faa9816b45"
    )
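    The two queries above compare the indicator strings literally, so a hit on an https variant, a host with a port, or a URL with a path after the host depends on how the platform's like operator is configured. The following is an added example, not Gurucul's query language or tooling, that applies the same indicators by host and by hash over constructed log records; the field names url, domainname, siteurl and sha256hash are taken from the queries above, but the record layout is an assumption.

```python
from urllib.parse import urlsplit

# Indicator hosts from the advisory's IOC list. Scheme and trailing slash are
# dropped so matching is done on the host rather than the literal URL string.
RELAYNFC_HOSTS = {
    "maisseguraca.site", "proseguro.site", "test.ikotech.online",
    "maisseguro.site", "maisprotecao.site",
    "31.97.17.73", "72.60.255.182", "82.25.70.65",
    "72.60.146.139", "72.61.55.178",
}

# SHA-256 hashes of the RelayNFC samples listed in the advisory.
RELAYNFC_SHA256 = {
    "5df7ded7e5ba815f563193140e4f303fff50c78aac475b7c3409b0271131dbab",
    "f474e7fdc1185351fd613c2bd9e683d13cc4fa143e28e50ced808bd1ad5ccd1a",
    "76b6b2f0254a8a62eaeed02ab34828e9097f5cf2571ec3fd8230850efb709c68",
    "5905aa58853a05e860c87e9feeeea7c32b43859c8e703485e233429cec8d38dc",
    "4124d196a5c7706c7d03d0da6fc19df5833793e30716b04f2259f5faa9816b45",
}


def host_of(value):
    """Return the lowercase host of a URL or of a bare domain/IP string."""
    if "://" not in value:
        value = "//" + value  # make urlsplit treat the string as a netloc
    return urlsplit(value).hostname or ""


def match_record(record):
    """Return the indicator a log record matches, or None.

    Field names are assumed to follow the queries above (url, domainname,
    siteurl, sha256hash); this is not a fixed Gurucul schema.
    """
    for field in ("url", "domainname", "siteurl"):
        host = host_of(record.get(field, ""))
        if host in RELAYNFC_HOSTS:
            return host
    digest = record.get("sha256hash", "").lower()
    return digest if digest in RELAYNFC_SHA256 else None


def scan(records):
    """Return (index, indicator) for every record that matches an IOC."""
    hits = []
    for i, rec in enumerate(records):
        m = match_record(rec)
        if m:
            hits.append((i, m))
    return hits


# Constructed sample records (not real telemetry); each varies a detail the
# literal query string does not cover: path, case, port, hash case, benign.
SAMPLE_RECORDS = [
    {"url": "https://maisseguro.site/app.apk"},
    {"domainname": "MAISPROTECAO.SITE"},
    {"siteurl": "http://72.60.255.182:8080/c2"},
    {"sha256hash": "5DF7DED7E5BA815F563193140E4F303FFF50C78AAC475B7C3409B0271131DBAB"},
    {"url": "https://example.com/"},
]
```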

    Reference: 

    https://cyble.com/blog/relaynfc-nfc-relay-malware-targeting-brazil/


    Tags

    Malware, RelayNFC, Android Malware, Brazil, Phishing, NFC relay, Financial Services, Ngate, SuperCardX, PhantomCard
