Katana: a Mirai variant that compiles its own rootkit on Android TV set-top boxes
WHITE PetrP.73 2026-03-20 Modified: 2026-04-19
34 IOCs, MEDIUM VOLUME
The Katana botnet, identified as a variant of the Mirai malware, specifically targets Android TV set-top boxes that are typically low-cost and lack robust security measures like Google Play Protect. Katana exploits ADB (Android Debug Bridge) vulnerabilities, facilitating unauthorized access through residential proxy services. This technique has enabled mass exploitation of Android-based devices without needing sophisticated exploits—operators merely require a subscription for these proxies to gain access to millions of vulnerable devices.
Indicators of Compromise (4 / 34 total)
TYPE INDICATOR DESCRIPTION CREATED
FileHash-MD5 01e909a65bc736be3c5fa49ca16c4cf8 MD5 of aaaa89488caf328bea8e56fa95cae69124a561ec97594b686c93cfdd24f13e96 2026-03-20
FileHash-MD5 474a5445862638e0dfdf6543a11803f7 MD5 of 6cc3fc0284dfe57881f5ea01dcd3cecb6c667dc8d1147b049c3d6bd661d9c906 2026-03-20
FileHash-MD5 b37b8e308f0d49c7b5f34e87e18a67ef MD5 of 87ec57bd8e639d5f96a17dfb73af5cc63cc528f45d4a3231e70f287e9ad38601 2026-03-20
FileHash-MD5 4a7e92b3c5d8e1f42c5f81a4b7caddee 2026-03-20