Exposed API endpoints connected to the C2 framework
In the world of cyber espionage, discovering a new Command and Control (C2) framework is often a game of cat and mouse played through encrypted tunnels and hidden servers. However, a recent investigation by Hunt.io has revealed an exception: a sophisticated, cross-platform surveillance system that was left completely exposed to the public internet.
The infrastructure, dubbed Canis C2, was uncovered on March 19 following the discovery of a suspicious Android APK impersonating Paidy, a Japanese buy-now-pay-later service. What researchers found behind that single file was an unauthenticated API.
The scale of the exposure was significant. According to the Hunt.io report, the researchers found “an unauthenticated API sitting wide open, with endpoints exposing payloads, command logs, and the C2 source code itself”.
This visibility allowed for a rare, detailed look into a modern surveillance operation. The system was not just a simple credential harvester but a comprehensive platform designed for total device takeover.
Canis C2 is a “previously undocumented cross-platform surveillance system with agents targeting Android, iOS, Windows, Linux, and macOS”. This “all-of-the-above” approach is increasingly common among advanced actors who want to ensure they can track a target regardless of the hardware they use.
The capabilities of these agents are extensive. Once a victim is lured into installing the software—often through phishing pages displaying fake electric bills or service invoices—the operators gain access to:
- Real-time Tracking: Precise GPS location data.
- Media Capture: Remote activation of the device’s camera and audio recording.
- Credential Theft: The use of “credential overlay injection” to trick users into typing passwords into fake login screens.
- Persistent Control: Arbitrary code execution via a registered Service Worker in the browser.
The report highlights a growing trend in malware development: the use of Artificial Intelligence. Analysts noted that “large portions of the codebase show signs of LLM-assisted development”, suggesting that the actors behind Canis C2 are using AI to accelerate their coding process and increase the complexity of their tools.
The exposure did not last long. Hours after researchers began pulling data from the open API, the actor noticed the activity. In a quick attempt to pivot and keep the operation running, they registered a new phishing domain, americanexpress-site[.]com, targeting Japanese speakers with a more conventional login-theft page.
Unlike the initial APK-based attack, this new iteration focused on “AitM (Adversary-in-the-Middle) capture” techniques, aiming to intercept login credentials and session tokens in real-time.