Leaked firmware reveals Xiaomi is testing HyperOS 3.3 based on Android 17, with no mention of HyperOS 4 in the build.
Kaspersky says the attacks use phishing, GitHub-hosted payloads, CVE-2025-9491 LNK abuse, and Go2Tunnel-based tunneling.