New Canis C2 surveillance

Security researchers disclosed 'Canis C2', an undocumented, cross‑platform surveillance framework with agents for iOS, macOS, Android, Windows and Linux that specifically checks for Apple sandboxing features before deploying iOS payloads. The framework includes advanced reconnaissance such as canvas fingerprinting, and the researchers published detailed IOCs for defenders to use when auditing apps and infrastructure. (x.com)

A surveillance system is the digital version of planting the same bug in every room of a house. Hunt.io says this one came with separate implants for Android, iPhone, Mac, Windows, Linux, and browser sessions, all controlled from one command server. (hunt.io)

The trail started on March 19, 2026, when a researcher spotted an Android app tied to a Japanese phishing page. Hunt.io says the backend was left so exposed that its application programming interface showed payloads, command logs, and even source code for the control panel. (hunt.io)

The fake page posed as a bill from Paidy, a Japanese buy-now-pay-later company, and pushed victims to install an app to see invoice details due by March 31, 2026. Hunt.io says the download was hosted at info-payeasy[.]com, which also borrowed the name of Pay-easy, a separate Japanese payment service. (hunt.io)

Once installed, the Android app was not just a password thief. Hunt.io says the operator could pull location, activate camera and audio capture, inject fake login screens to steal credentials, and run code through a registered Service Worker inside the browser. (hunt.io)

Command-and-control is the attacker’s remote control panel, like a cockpit that shows every infected device on one screen. Hunt.io says the Canis dashboard listed victim identifiers, operating system versions, device models, internet addresses, heartbeat counts, and devices active in the last hour. (hunt.io)

Fingerprinting is the trick of recognizing a device from tiny quirks, the way a cashier might recognize a regular customer by voice and gait instead of name. Hunt.io says Canis included a browser payload branded in Japanese as “super advanced terminal identification” and used canvas fingerprinting to tell machines apart. (hunt.io)

The strangest decoy was a page called “International Dog Photo Awards 2026.” Hunt.io says victims saw a harmless photo-upload page, while embedded JavaScript quietly ran browser fingerprinting code in the background. (hunt.io)

A zero-click attack is the nightmare version of a trapdoor: the message arrives, and the victim does nothing at all. Apple says BlastDoor was built to isolate and inspect untrusted data in Messages specifically to block these no-click chains before they reach the rest of iPhone software. (support.apple.com)

Hunt.io says one Canis payload included a validator that checked seven possible delivery methods before trying to infect an iPhone. The code specifically looked for BlastDoor, media pipeline isolation, and the ImageIO sandbox, which are Apple defenses meant to box dangerous image and message processing into separate compartments. (hunt.io) (support.apple.com)

That detail matters because earlier iPhone spyware campaigns had to break through those same walls. Citizen Lab says the 2021 ForcedEntry exploit used by Pegasus targeted Apple’s image rendering library, and Kaspersky later documented Operation Triangulation as another highly sophisticated iPhone chain. (citizenlab.ca) (securelist.com)

Hunt.io stops short of saying Canis definitely had a working iPhone zero-click exploit in hand. Hunt.io does say the code shows an operator who understood modern iPhone defenses well enough to test for them before deployment, and it published indicators of compromise so defenders can check apps, domains, and infrastructure for matches. (hunt.io)

The other clue is geography. Hunt.io says large parts of the codebase and dashboard were written in Japanese, the phishing lures targeted Japanese payment users, and the campaign identifier it found was CANIS_2026_FEB, which points to an operation that was active well before the report landed on April 8, 2026. (hunt.io)
