This campaign is part of a broader mobile threat landscape, with over 4 million mobile-focused social engineering attacks recorded in 2024 alone. According to Lookout, iOS users were targeted twice as often as Android users for the first time in 2024, though Android still suffers from more sophisticated malware. The advisory also brings attention to other Android threats like BadBazaar and MOONSHINE, which are used in state-level espionage. These malware families mimic messaging or religious apps to spread spyware capable of collecting sensitive data. Their targets include NGOs, journalists, and communities like the Uyghurs, Tibetans, and Taiwanese.

BadBazaar has ties to the Chinese APT group APT15 (aka Flea, Nylon Typhoon, Royal APT) and has been active since at least 2018. Meanwhile, MOONSHINE has been used by the Earth Minotaur in surveillance campaigns against ethnic minorities. Both malware families can exfiltrate photos, messages, and locations to attacker-controlled infrastructure. Specifically, MOONSHINE uses a SCOTCH ADMIN panel for device monitoring, with 635 compromised devices logged as of January 2024. The geopolitical implications of such operations were underscored by the arrest of Dilshat Reshit in Sweden, a Uyghur activist suspected of spying on the diaspora—showing how mobile malware campaigns tie directly into global surveillance and repression strategies.

Impact

• Sensitive Data Theft
• Unauthorized Access

Indicators of Compromise

Domain Name

• pknby.top
• jygst.top
• dacmj.top
• sakiw.top
• fdtya.top
• hgcks.top
• kyudfsaugsda.top

IP

• 156.244.19.63

MD5

• 0061e9b2ce995fdc2c004e9089c78ef8

• e1cada347451376ee3e9a2c1744406c3

• c9cdf3b21835998d485846f23785f37f

• fa7b1b56ab9b592fa965921ce229a6b1

SHA-256

• d36ef38009dab4be287978190f824245d40bd2b6b6b101ba5fe37bff80662cf6

• f42daefe546b9079bab9fac2f17311e96eb3f0d2ca3af01867311efac2b8e757

• 19cebeebdbd950ea24e4d3a52bfde6e570a9ac29d31e97cb8c01894c4fa9014b

• 482eb4aa6dc6f873063b7b6b5378bd052298cc6f8e60b6a5ddc9beba56d0b05f

SHA1

• 88b15d7bfa5293697d8dea9ada079056877f9d81

• 3602a70747d10210eb6139cf580f587f24fdc77f

• 666de216ef147f1a327a27ebabb3c9c14ddb4d7f

• ca3dcc518fc63892931845d67c2adb93e0d496ef

Remediation

• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Only install apps from official app stores like Google Play or Apple’s App Store.
• Do not download APK files from unknown websites or links, even if they resemble legitimate sources.
• Check app reviews, developer details, and download counts.
• Be cautious of apps requesting excessive permissions that are not relevant to their functionality.
• Deploy reputable mobile security software capable of detecting trojans like SpyNote, BadBazaar, and MOONSHINE.
• Regularly update security apps to ensure the latest threat definitions are active.
• Train users to recognize phishing and fake app install pages.
• Encourage users to verify URLs before clicking on download buttons or granting permissions.
• Use Mobile Device Management (MDM) solutions to restrict installations from unknown sources.
• Enforce app whitelisting and monitor for suspicious activity on enterprise devices.
• Keep Android and iOS operating systems up to date with the latest security patches.
• Enable automatic updates where possible.
• Detect and respond to signs of data exfiltration or unusual access patterns.
• Use threat intelligence feeds to stay informed about newly registered domains used for malware delivery.
• Report any fake apps or phishing pages to Google, Apple, or relevant authorities.
• Share indicators of compromise (IOCs) with industry partners and security communities.