TAXISPY RAT: Analysis of TaxiSpy RAT Russian Banking-Focused Android Malware with Full Remote Control
TLP: WHITE | PetrP.73 | 2026-03-08 | Modified: 2026-04-07
TaxiSpy RAT is an advanced Android banking Trojan with integrated Remote Access Trojan (RAT) functionality, aimed primarily at Russian financial institutions. The malware uses sophisticated evasion techniques, including native library encryption and rolling XOR string obfuscation, which enable it to operate stealthily. Its architecture supports comprehensive device surveillance, targeting SMS, call logs, contacts, and notifications, which indicates a financially motivated intent to steal sensitive information and remotely control devices.
Indicators of Compromise (8)