Canis C2

Canis C2 is a cross-platform surveillance framework targeting Japan through smishing campaigns impersonating Japanese payment services. Discovered in March 2026 by researcher @KesaGataMe0 on X and subsequently analyzed by Hunt.io, Canis stands out for its canvas-based device fingerprinting, a delivery validator that scores exploit feasibility per-device, and cross-platform agent support spanning Android, iOS, Windows, Linux, and macOS. Despite the breadth of its capabilities, the framework appears to be in early operational stages with only two device IDs observed in exposed logs.

Overview

Attribute | Details
First Seen | Late 2025 (estimated), publicly exposed March 2026
Status | Active, early operational stage
Type | Cross-platform surveillance framework
Attribution | Unknown Japanese-speaking threat actor, suspected Kanagawa prefecture (Japan) based on testing logs
Campaign ID | CANIS_2026_FEB
Platform | Android, iOS, Windows, Linux, macOS
Distribution | Smishing (SMS phishing)
Target Region | Japan

Distribution

Canis reaches victims through smishing campaigns impersonating Japanese payment services. Two lure types have been observed:

Lure | Method
Paidy impersonation | Fake billing statements for the buy-now-pay-later service, directing users to install an APK disguised as "Device Shield"
Pay-Easy impersonation | Fake payment service notifications via info-payeasy[.]com

The APK masquerades as a security/optimization tool. A secondary phishing page uses a fake dog photo competition to drive browser-based fingerprinting before payload delivery.

Capabilities

The framework supports 20+ operator commands covering surveillance, credential theft, and arbitrary code execution.

Capability | Implementation
GPS tracking | Continuous coordinate streaming to C2
Camera capture | Still and multi-frame video exfiltration
Audio recording | Microphone recording via operator command
Credential overlay injection | Dynamic overlays for credential theft (T1411)
Keylogging | Accessibility service GUI input capture
Screen capture | Screenshot exfiltration
Contact/SMS theft | Contact list and SMS message extraction
File inventory | File listing and directory enumeration
Active Directory enumeration | PowerShell-based AD reconnaissance (Windows)
Arbitrary code execution | ServiceWorker-based execution (web), subprocess execution (Linux/macOS)
Device fingerprinting | Canvas-based GPU fingerprinting with djb2 hashing
Persistent execution | Foreground service persistence (Android), sysupdate service masquerading (Linux)

Technical Details

C2 Architecture

Canis uses a lightweight Python-based C2 server with SQLite backend and no external dependencies beyond Python's standard library.

Component | Details
C2 server | Python HTTP server on port 8080, proxied via nginx
Operator dashboard | Port 5000
Credential storage | PostgreSQL on port 5432
Admin title | "CANIS C2 超高度端末識別" (Ultra-High Precision Device Identification)

RESTful API endpoints exposed on the C2:

Endpoint | Purpose
/api/agent/register | Agent registration
/api/agent/commands | Command delivery
/api/agent/heartbeat | Heartbeat polling
/api/c2/commands | Operator command interface
/api/module-deployments | Module deployment
/api/payloads | Payload management
/api/proxy/ | Proxy tunneling
/api/stats | Campaign statistics
/api/public/perm-status | Permission status
/aitm_capture | AitM credential capture
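One way to turn the endpoint list into a detection, as an added example that is not Hunt.io's or Canis's code: it matches constructed web-server access-log lines against the agent API paths above and flags clients whose /api/agent/heartbeat polling arrives at a fixed interval, the beaconing cadence a C2 agent produces. The log lines, client IPs and the 5-second jitter tolerance are this example's assumptions.

```javascript
// Added example (not Hunt.io's or Canis's code): match constructed access-log lines
// against the Canis agent API paths and flag fixed-interval heartbeat polling.
const CANIS_PATHS = new Set([
  '/api/agent/register', '/api/agent/commands', '/api/agent/heartbeat',
  '/api/c2/commands', '/api/module-deployments', '/api/payloads',
  '/api/stats', '/api/public/perm-status', '/aitm_capture',
]);
// Constructed sample in nginx combined format; client IPs are documentation ranges.
const SAMPLE_LOG = [
  '198.51.100.7 - - [21/Mar/2026:10:00:00 +0900] "POST /api/agent/register HTTP/1.1" 200 51',
  '198.51.100.7 - - [21/Mar/2026:10:00:30 +0900] "GET /api/agent/heartbeat HTTP/1.1" 200 2',
  '198.51.100.7 - - [21/Mar/2026:10:01:00 +0900] "GET /api/agent/heartbeat HTTP/1.1" 200 2',
  '198.51.100.7 - - [21/Mar/2026:10:01:30 +0900] "GET /api/agent/heartbeat HTTP/1.1" 200 2',
  '203.0.113.9 - - [21/Mar/2026:10:02:13 +0900] "GET /index.html HTTP/1.1" 200 3120',
];
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\w+) (\S+) [^"]*" (\d{3})/;
const MONTHS = { Jan: 0, Feb: 1, Mar: 2, Apr: 3, May: 4, Jun: 5,
                 Jul: 6, Aug: 7, Sep: 8, Oct: 9, Nov: 10, Dec: 11 };

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  // "21/Mar/2026:10:00:00 +0900" -> epoch seconds; all lines share one zone, so
  // the offset is ignored for interval arithmetic.
  const [day, mon, rest] = m[2].split('/');
  const [y, hh, mm, ss] = rest.split(/[: ]/);
  const ts = Date.UTC(+y, MONTHS[mon], +day, +hh, +mm, +ss) / 1000;
  return { ip: m[1], ts, method: m[3], path: m[4].split('?')[0], status: +m[5] };
}

function analyze(lines) {
  const byIp = new Map();
  for (const line of lines) {
    const r = parseLine(line);
    if (!r) continue;
    // Exact path match, or anything under the /api/proxy/ tunnelling prefix.
    if (!CANIS_PATHS.has(r.path) && !r.path.startsWith('/api/proxy/')) continue;
    const e = byIp.get(r.ip) || { paths: new Set(), heartbeats: [] };
    e.paths.add(r.path);
    if (r.path === '/api/agent/heartbeat') e.heartbeats.push(r.ts);
    byIp.set(r.ip, e);
  }
  return [...byIp].map(([ip, e]) => {
    const gaps = e.heartbeats.slice(1).map((t, i) => t - e.heartbeats[i]);
    // Regular cadence: at least three heartbeats whose gaps differ by <= 5 s.
    const regular = gaps.length >= 2 && Math.max(...gaps) - Math.min(...gaps) <= 5;
    return { ip, paths: [...e.paths], beaconIntervalSec: regular ? gaps[0] : null };
  });
}
```

Path matching alone is noisy on generic names such as /api/stats; the combination of a registration call followed by regular heartbeats from the same client is the stronger signal.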

Canvas Fingerprinting

Canis implements GPU-level device fingerprinting by rendering text across multiple fonts on an HTML5 canvas and hashing the result with the djb2 algorithm. The technique is borrowed from Operation Triangulation's validator modules but is applied as a pre-delivery profiling step rather than as post-exploitation validation.

// Off-screen canvas: never attached to the DOM, so nothing is visible to the user
const canvas = document.createElement('canvas');
canvas.width = 400; canvas.height = 100;
const ctx = canvas.getContext('2d');
// The same text rasterizes differently per GPU, driver and installed font set
ctx.font = 'bold 28px "Arial", sans-serif';
ctx.fillText('CANIS', 10, 10);

The rendered output differs per device due to GPU rendering differences, creating a hardware-level fingerprint that survives browser privacy measures like user-agent randomization.
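The djb2 fold the fingerprinting step applies to the canvas output, together with a static heuristic that flags page scripts combining canvas text rendering, pixel readback and a djb2-style hash, as an added example that is not Canis's or Hunt.io's code. The signal regexes, the three-signal threshold and both sample scripts are this example's assumptions.

```javascript
// Added example (not Canis's or Hunt.io's code): djb2 as used over canvas output,
// plus a static heuristic for spotting canvas-fingerprinting scripts in a page.
function djb2(str) {
  let h = 5381;                      // djb2 seed
  for (let i = 0; i < str.length; i++) {
    h = ((h << 5) + h + str.charCodeAt(i)) >>> 0;   // h = h * 33 + c, mod 2^32
  }
  return h;
}

// Signals are this example's assumptions, not rules from the Hunt.io report.
const FINGERPRINT_SIGNALS = [
  { name: 'canvas_create',  re: /createElement\(\s*['"]canvas['"]\s*\)|getContext\(\s*['"](2d|webgl)['"]\s*\)/ },
  { name: 'text_render',    re: /\.(fill|stroke)Text\s*\(/ },
  { name: 'pixel_readback', re: /\.(toDataURL|getImageData)\s*\(/ },
  { name: 'djb2_hash',      re: /\b5381\b|<<\s*5\s*\)\s*\+/ },
];

// A script hitting three or more signals is reported; drawing text alone is
// common in benign pages, so the readback and hash steps carry the weight.
function scoreCanvasFingerprint(scriptText) {
  const hits = FINGERPRINT_SIGNALS.filter(s => s.re.test(scriptText)).map(s => s.name);
  return { hits, suspicious: hits.length >= 3 };
}

// Constructed sample: the rendering snippet above completed with readback and hash.
const FINGERPRINT_SCRIPT = `
const canvas = document.createElement('canvas');
canvas.width = 400; canvas.height = 100;
const ctx = canvas.getContext('2d');
ctx.font = 'bold 28px "Arial", sans-serif';
ctx.fillText('CANIS', 10, 10);
let h = 5381; const d = canvas.toDataURL();
for (let i = 0; i < d.length; i++) h = ((h << 5) + h + d.charCodeAt(i)) >>> 0;`;
// Constructed benign sample: a chart label that is drawn but never read back.
const BENIGN_SCRIPT = `const c = document.createElement('canvas');
c.getContext('2d').fillText('Hello', 0, 20);`;
```

The hash is deterministic for a given rendering, so defenders who capture the landing page can recompute it to tie a fingerprint value seen in C2 traffic back to the script that produced it.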

Delivery Validator

After fingerprinting a device, Canis evaluates seven delivery methods through a scoring system that calculates feasibility, success probability, and detection risk for each method. This automated targeting replaces the manual operator decision-making seen in most malware frameworks.

For iOS targets, the validator scores against specific defenses:

  • BlastDoor sandboxing
  • Media pipeline isolation
  • ImageIO sandbox

The code references a variation of ForcedEntry (NSO Group's 2021 iMessage exploit) in its iOS evaluation logic, though no zero-click exploitation has been confirmed in the wild.

Platform-Specific Payloads

Payload | Target
Android専用アップデート (Android-only update) | Android-specific update
iOS専用 (iOS-only) | iOS-specific payload
PowerShell AD enumeration | Windows (Active Directory)
bash persistence scripts | Linux/Unix (sysupdate service masquerading)

Android Agent

The Android implant (PayEasy-Viewer.apk) registers an accessibility service under com.deviceshield.service for GUI input capture and uses android.app.IActivityManager.setServiceForeground for persistent foreground execution.

LLM-Assisted Development

Hunt.io notes the codebase shows "signs of LLM-assisted development." Japanese-language variable naming mixed with structured English comments and consistent formatting suggest generative AI involvement in code production. See AI-Assisted Malware for broader context on this trend.

Infrastructure

Primary C2

Indicator | Value
IP | 161.33.154[.]144
Hosting | Oracle Corporation (AS31898), Inzai, Chiba, Japan
Ports | 22 (SSH), 80 (HTTP), 443 (HTTPS), 5000 (Admin), 5432 (PostgreSQL), 8080 (C2)
Secondary IP | 34.111.179[.]208

Domains

Primary campaign domains:

Domain | Purpose
info-payeasy[.]com | Pay-Easy phishing lure (registered March 6, 2026)
americanexpress-site[.]com | Secondary phishing domain (appeared March 21, 2026)

Related infrastructure:

Domain | Purpose
android-protect[.]com | Android payload delivery
applesecurity[.]pro | Apple/iOS phishing
devicesecurity[.]pro | Device security lure
ios-deviceprotect[.]com | iOS payload delivery
ios-inc[.]app | iOS targeting
iosdevicepolicy[.]app | iOS device policy lure

Certificates

  • Let's Encrypt certificate issued March 6, 2026 (SHA-256: F8E9A720468C89F191D8CB12D46D81EF67B87A9EF95A307835C556A0885BD181)
  • Cloudflare certificate issued March 21, 2026

IOCs

File Hashes

File | SHA-256
PayEasy-Viewer.apk | 564b381dc3e6fc737fd9b46fb5ee1e06f4e333d2886f0805514af44947a4c271

Artifacts

Type | Value
Package name | com.deviceshield.service
Linux service | sysupdate
Campaign ID | CANIS_2026_FEB
Development path | C:\Users\cotti\Downloads\aitm-phishing-platform\android-complete-20260309-230759

MITRE ATT&CK Mapping

ID | Technique | Implementation
T1660 | Phishing | Smishing with Japanese payment service lures
T1541 | Foreground Persistence | IActivityManager.setServiceForeground
T1430 | Location Tracking | Continuous GPS streaming
T1512 | Video Capture | Still and multi-frame exfiltration
T1429 | Audio Capture | Microphone recording
T1411 | Input Prompt | Dynamic credential overlay injection
T1516 | Input Injection | Accessibility service input capture
T1623 | Command and Scripting Interpreter: Unix Shell | Subprocess execution on Linux/macOS
T1655.001 | Masquerading: Match Legitimate Name | sysupdate service spoofing

Timeline

Date | Event
Late 2025 | Campaign estimated to begin
Early January 2026 | Related domains registered
March 6, 2026 | info-payeasy[.]com registered, Let's Encrypt certificate issued
March 19, 2026 | Android APK discovered on X
March 21, 2026 | Operator conducts testing (media_inventory command), new Cloudflare certificate issued, API secured, americanexpress-site[.]com appears
April 8, 2026 | Hunt.io publishes analysis