SuperCard Malware Turns Hacked Android Phones into Data Relays for Stolen Payment Card Information

A new wave of cyberattacks has reached Russia, as F6, a leading firm specializing in anti-cybercrime technologies, has confirmed the first detected attempts to compromise Russian bank clients using the recently uncovered SuperCard malware.

Initially identified in attacks against European banking customers earlier this spring, SuperCard represents a malicious evolution of the formerly legitimate NFCGate app, exploiting Android devices’ NFC capabilities to stealthily intercept and relay sensitive payment card data.

Rapid Global Proliferation

SuperCard first drew international attention in April 2025, following disclosures by the Italian cybersecurity company Cleafy.

Cleafy’s threat research team documented the emergence of ‘SuperCard X’, a Malware-as-a-Service (MaaS) offering distributed via darknet markets and, for the first time, openly advertised and supported in Telegram channels catering to both Chinese and English-speaking users.

This model allowed would-be cybercriminals to subscribe to the malware and leverage extensive documentation, bot-assisted support, and multilingual interfaces to target users across the United States, Australia, and Europe.

Notably, no geographic restrictions were embedded in the malware, accelerating its adoption globally, including its recent arrival in Russia.

F6 analysts report that within less than a month of SuperCard’s public debut, threat actors began actively testing the malware against Russian targets.

This mirrors previous waves of attacks with malicious builds of NFCGate, which, by the first quarter of 2025, had already inflicted estimated losses of 432 million rubles and compromised over 175,000 Android devices in Russia alone.

Technical Evolution

A technical analysis of several SuperCard samples reveals significant deviations from earlier NFCGate-based malware in both code structure and functionality, a sign that separate criminal groups are behind these modifications.

SuperCard’s core capability is capturing bank card details from NFC communication sessions on the infected phone and relaying them to the attacker.

Cybercriminals launch attacks by employing social engineering: victims are typically tricked into installing trojanized APK files, often disguised as useful utilities or fake banking apps, via persuasive links spread through instant messengers or phishing campaigns.

Unlike prior darknet-only distributions of malicious NFCGate versions, SuperCard’s developers broadened reach and accessibility by marketing the tool on public Telegram channels, offering subscription-based access and even customer support.

F6 threat intelligence has noted that Chinese-language Telegram channels were the earliest and most active in distributing SuperCard subscriptions, with some English-language commentary present to capture non-Chinese-speaking customers.

Given the sophistication and propagation speed of SuperCard and its variants, F6 emphasizes that protective measures for both individuals and banks remain critical.

Users are strongly advised only to install apps from trusted official stores such as RuStore and Google Play, avoid clicking unsolicited links, and never share sensitive credentials or card security details on unknown platforms or apps.

Device owners should routinely review which applications hold the NFC permission and which app is set as the default contactless (tap-to-pay) payment app, removing any suspicious or unfamiliar apps.

On the institutional level, F6 recommends that banks augment anti-fraud solutions with detection mechanisms for suspicious NFC ATM transactions, enforce geolocation checks, deploy device-based malware detection, and integrate behavioral analytics.

F6’s own Fraud Protection platform, for example, can correlate session data, device fingerprints, and real-time risk signals to help financial institutions identify compromised users and block fraudulent transactions.
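As an added illustration of the bank-side checks the two paragraphs above describe (it is not F6's platform code and not derived from the F6 or Cleafy reports), the following Python scores a contactless NFC ATM withdrawal against the cardholder's recent history using four signals: a relay signature (the cardholder's phone reported a bank-app session far from the ATM minutes before the withdrawal), impossible travel since the last card-present event, a never-seen terminal identifier, and an amount far above the behavioural baseline. All events, coordinates, device identifiers, thresholds and weights are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt


@dataclass
class Event:
    card: str
    ts: datetime
    lat: float
    lon: float
    device_id: str   # bank-app device fingerprint, or ATM/POS terminal id
    kind: str        # "app_session", "pos_purchase" or "nfc_atm_withdrawal"
    amount: float = 0.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two WGS84 points, in km."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


# Illustrative thresholds (assumptions, not tuned values from any vendor).
MAX_SPEED_KMH = 900.0       # faster than this between two events = impossible travel
RELAY_WINDOW = timedelta(minutes=10)
RELAY_DISTANCE_KM = 50.0    # phone and ATM further apart than this at the same time
BLOCK_THRESHOLD = 60


def score_nfc_withdrawal(history, tx):
    """Return (score, reasons) for a contactless ATM withdrawal `tx`,
    given the cardholder's earlier events in `history`."""
    assert tx.kind == "nfc_atm_withdrawal"
    prior = sorted((e for e in history if e.card == tx.card and e.ts < tx.ts),
                   key=lambda e: e.ts)
    score, reasons = 0, []

    # Signal 1: relay signature. In a relay attack the physical card is with the
    # victim (who was coaxed into tapping it to the trojanized phone), not at the
    # ATM, so a bank-app session far from the terminal minutes earlier is the
    # strongest indicator.
    for s in prior:
        if s.kind == "app_session" and tx.ts - s.ts <= RELAY_WINDOW:
            d = haversine_km(s.lat, s.lon, tx.lat, tx.lon)
            if d > RELAY_DISTANCE_KM:
                score += 50
                reasons.append(f"phone session {d:.0f} km from ATM {tx.ts - s.ts} earlier")
                break

    # Signal 2: impossible travel relative to the most recent card-present event.
    card_present = [e for e in prior if e.kind in ("pos_purchase", "nfc_atm_withdrawal")]
    if card_present:
        last = card_present[-1]
        hours = (tx.ts - last.ts).total_seconds() / 3600
        d = haversine_km(last.lat, last.lon, tx.lat, tx.lon)
        if hours > 0 and d / hours > MAX_SPEED_KMH:
            score += 30
            reasons.append(f"{d:.0f} km in {hours:.2f} h since last card-present event")

    # Signal 3: terminal never seen for this card.
    if tx.device_id not in {e.device_id for e in prior}:
        score += 10
        reasons.append(f"first use of terminal {tx.device_id}")

    # Signal 4: behavioural baseline on amount.
    amounts = [e.amount for e in card_present if e.amount > 0]
    if amounts and tx.amount > 3 * max(amounts):
        score += 20
        reasons.append(f"amount {tx.amount:.0f} exceeds 3x prior max {max(amounts):.0f}")

    return score, reasons


def decide(history, tx):
    score, reasons = score_nfc_withdrawal(history, tx)
    return ("block" if score >= BLOCK_THRESHOLD else "allow"), score, reasons


# Constructed sample data: cardholder in Kazan, relayed withdrawal at an ATM in
# Moscow (~720 km away). Coordinates are approximate city centres.
T0 = datetime(2025, 5, 12, 14, 0)
HISTORY = [
    Event("card-1", T0 - timedelta(days=2), 55.79, 49.12, "phone-A1", "app_session"),
    Event("card-1", T0 - timedelta(days=1), 55.80, 49.11, "atm-kzn-07", "nfc_atm_withdrawal", 5000),
    Event("card-1", T0 - timedelta(minutes=30), 55.78, 49.13, "pos-kzn-22", "pos_purchase", 1200),
    # The trojan coaxes the victim to tap the card to the phone: session at home.
    Event("card-1", T0 - timedelta(minutes=2), 55.79, 49.12, "phone-A1", "app_session"),
]
RELAYED = Event("card-1", T0, 55.75, 37.62, "atm-msk-91", "nfc_atm_withdrawal", 40000)
LEGIT = Event("card-1", T0 + timedelta(hours=1), 55.79, 49.12, "atm-kzn-07", "nfc_atm_withdrawal", 3000)

if __name__ == "__main__":
    for tx in (RELAYED, LEGIT):
        verdict, score, reasons = decide(HISTORY, tx)
        print(f"{tx.device_id}: {verdict} (score {score})", *reasons, sep="\n  ")
```

The relay signature carries the most weight because it is the one signal a relay attack cannot avoid producing: the victim's phone has to be online and near the card at the moment the attacker's device is at the ATM. The remaining signals are ordinary anti-fraud heuristics and exist so that a withdrawal with no recent app session can still be scored.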

As criminal groups continue to adapt and iterate on SuperCard and related NFC-based malware, ongoing vigilance and adherence to robust cybersecurity practices will be essential for both consumers and organizations to stem the tide of payment card data theft.


Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
