PULSE NAME
BadBazaar espionage tool targets Android users via trojanized Signal and Telegram apps
WHITE GREF AlienVault 2023-08-31 Modified: 2023-10-03
MEDIUM VOLUME
Research has identified two campaigns targeting Android users via trojanized Signal and Telegram apps and a malware family that has previously been used to target Uyghurs and other Turkic ethnic minorities.
MITRE ATT&CK & Malware Families
ATT&CK TECHNIQUES
MALWARE FAMILIES
FlyGram Uyghur Telegram OS X GREF Android BadBazaar
Indicators of Compromise (19)