
SuperCard X

SuperCard X is an NFC relay MaaS (Malware-as-a-Service) platform operated by Chinese-speaking threat actors, designed to enable contactless payment fraud through real-time card data relay. Cleafy discovered the family in April 2025, identifying campaigns targeting Italian and European banking customers. The malware uses a two-component architecture (Reader on the victim's device, Tapper on the attacker's device) and requires only the NFC permission, making it nearly invisible to antivirus engines and distinguishing it from permission-heavy banking trojans.

Overview

Attribute | Details
First Seen | Early 2025
Last Seen | Active
Status | Active MaaS platform
Type | NFC relay fraud, MaaS
Attribution | Chinese-speaking threat actors
Distribution | TOAD (Telephone-Oriented Attack Delivery) social engineering

Vendor Names

Vendor | Name
Cleafy | SuperCard X
ThreatFabric | SuperCard

Origin and Lineage

SuperCard X builds on the NFC relay attack category pioneered by NGate in 2024, but operates as a structured MaaS offering rather than a single-operator campaign. The platform shares code similarities with NFCGate, the open-source NFC relay research tool from TU Darmstadt, but has been substantially modified and repackaged into a commercial fraud service.

Chinese-speaking operators run the MaaS infrastructure, providing affiliates with the malware builds, C2 panel access, and operational support. This mirrors the MaaS model seen in banking trojan ecosystems like Cerberus/Ermac, but applied specifically to NFC relay fraud.

Distribution

SuperCard X uses TOAD (Telephone-Oriented Attack Delivery), a multi-stage social engineering flow that combines digital messaging with live voice calls:

Stage | Method | Details
1 | SMS/WhatsApp | Victim receives a fraudulent message impersonating their bank about a suspicious transaction
2 | Phone call | Victim calls (or is called by) an attacker posing as bank support
3 | App install | Attacker guides victim through installing a "security" or "verification" app via a provided link
4 | Card tap | Attacker instructs victim to place their payment card against the phone to "verify" it

The phone call stage is critical. A live human operator builds trust with the victim, walks them through app installation, and coaches them through the card tap. An NFC relay only works if the victim physically taps their card, and that step is hard to obtain at scale without live guidance; the call supplies that guidance.

Capabilities

Two-Component Architecture

SuperCard X operates as a paired system:

Component | Name | Role
Victim app | Reader | Captures NFC data from the victim's physical payment card
Attacker app | Tapper | Emulates the captured card at a POS terminal or ATM using HCE

The Reader and Tapper communicate through a C2 server that relays NFC APDU data in real time. The Tapper uses Android's Host Card Emulation (HCE) API to present the relayed card data to a physical terminal.

Core Features

Capability | Implementation
NFC relay | Real-time APDU relay from Reader to Tapper through C2
Card emulation | HCE-based contactless card emulation on Tapper device
mTLS C2 | Mutual TLS for C2 communication, complicates interception and takedown
ATR emulation | Customized Answer To Reset messages to make emulated card indistinguishable from a physical card
Minimal permissions | Only NFC permission required, no accessibility or overlay abuse

mTLS C2 Communication

SuperCard X uses mutual TLS (mTLS) for all C2 communication. Both the client and server authenticate with certificates, which:

  • Prevents passive network monitoring from capturing relay traffic
  • Makes C2 takedown harder because the server rejects connections without valid client certificates
  • Complicates researcher analysis and sandbox detection

Technical Details

NFC Relay Mechanism

The relay follows the same APDU-level approach documented in the NFC Relay Attacks technique page. SuperCard X's implementation adds ATR (Answer To Reset) emulation on the Tapper side, which makes the emulated card's initial response to the terminal match the characteristics of the victim's physical card (card type, protocol parameters, historical bytes). This reduces the chance of the terminal rejecting the emulated card during initial negotiation.

Minimal Permission Footprint

Unlike traditional banking trojans that request accessibility, overlay, SMS, and storage permissions, SuperCard X requires only:

Permission | Purpose
NFC | Read victim's card and relay APDU data
INTERNET | C2 communication for relay and mTLS

This minimal footprint is a deliberate design choice. Fewer permissions mean fewer heuristic triggers for antivirus engines and Google Play Protect. Cleafy noted that SuperCard X had very low detection rates across major AV products at the time of discovery.
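The Reader/Tapper split and the two-permission footprint above translate directly into a static triage heuristic. The following is an added example (not code from Cleafy or from SuperCard X): it parses an AndroidManifest.xml, collects the declared permissions, checks for a Host Card Emulation service, and buckets the app as reader-like, tapper-like or permission-heavy. The manifests it builds are constructed fixtures, and the HCE identifiers are the standard Android framework ones, not page-specific values.

```python
"""Triage heuristic for the permission footprint discussed above.

Added example, not code from Cleafy or from SuperCard X: parses an
AndroidManifest.xml, collects declared permissions, checks for a Host Card
Emulation service, and classifies the footprint for analyst triage.
The manifests it builds are constructed fixtures, not real samples.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Android framework identifiers used by every HCE app (not page-specific).
HCE_META = "android.nfc.cardemulation.host_apdu_service"
BIND_NFC = "android.permission.BIND_NFC_SERVICE"
LEAN_SET = {"android.permission.NFC", "android.permission.INTERNET"}
HEAVY_SET = {"android.permission.SYSTEM_ALERT_WINDOW", "android.permission.READ_SMS",
             "android.permission.RECEIVE_SMS"}

def manifest_profile(xml_text: str) -> dict:
    """Return the declared permission set and whether an HCE service exists."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    hce = any(
        svc.get(ANDROID_NS + "permission") == BIND_NFC
        or any(m.get(ANDROID_NS + "name") == HCE_META for m in svc.iter("meta-data"))
        for svc in root.iter("service")
    )
    return {"permissions": perms, "hce_service": hce}

def classify_footprint(profile: dict) -> str:
    """Lean NFC+INTERNET apps map onto the Reader/Tapper split; this is a triage hint, not a verdict."""
    perms = profile["permissions"]
    if "android.permission.NFC" in perms and perms <= LEAN_SET:
        return "tapper-like" if profile["hce_service"] else "reader-like"
    if perms & HEAVY_SET:
        return "permission-heavy"
    return "other"

def sample_manifest(perms, hce: bool) -> str:
    """Build a constructed manifest fixture (not a real SuperCard X artifact)."""
    uses = "".join(f'<uses-permission android:name="{p}"/>' for p in perms)
    svc = ""
    if hce:
        svc = (f'<service android:name=".CardService" android:permission="{BIND_NFC}">'
               f'<meta-data android:name="{HCE_META}" android:resource="@xml/apdu"/>'
               '</service>')
    return (f'<manifest xmlns:android="{ANDROID_NS[1:-1]}" package="com.example.app">'
            f'{uses}<application>{svc}</application></manifest>')

if __name__ == "__main__":
    print(classify_footprint(manifest_profile(sample_manifest(sorted(LEAN_SET), True))))
```

A "reader-like" hit on a sideloaded app installed during a support call is the signal worth escalating; legitimate apps with exactly this footprint exist, so the heuristic ranks samples for analyst review rather than blocking them.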

Target Regions

Region | Details
Italy | Primary target, Italian bank customers targeted via TOAD campaigns
Europe | Broader European expansion, multiple bank brands targeted

Notable Campaigns

Early 2025: SuperCard X MaaS platform begins active operations. Chinese-speaking operators provide the malware and infrastructure to affiliates running TOAD campaigns against Italian banking customers.

April 2025: Cleafy publishes their analysis, documenting the Reader/Tapper architecture, TOAD distribution model, mTLS C2 communication, and the connection to Chinese-speaking actors. The report highlights the malware's near-zero AV detection rate due to its minimal permission requirements and focused functionality.

SuperCard X is part of the growing NFC relay malware category that NGate established in 2024. While NGate was a single-operator campaign targeting Czech banks, SuperCard X commercializes the approach as a MaaS platform. RatOn represents a different evolution path, combining NFC relay with ATS (Automated Transfer System) fraud and crypto wallet theft in a single trojan. GhostTap takes yet another approach, using Telegram-based data exfiltration with scanner/tapper pairs at scale.

The TOAD distribution model has parallels with Copybara and other Italian-targeting banking trojans that use vishing (voice phishing) to guide victims through malware installation. SuperCard X applies this proven delivery method to NFC relay rather than traditional overlay-based credential theft.
