PULSE NAME
Katana: a Mirai variant that compiles its own rootkit on Android TV set-top boxes
WHITE PetrP.73 2026-03-20 Modified: 2026-04-19
34 IOCs, MEDIUM VOLUME
The Katana botnet, identified as a variant of the Mirai malware, targets Android TV set-top boxes, which are typically low-cost and lack robust security measures like Google Play Protect. Katana exploits ADB (Android Debug Bridge) vulnerabilities, with unauthorized access facilitated through residential proxy services. This technique has enabled mass exploitation of Android-based devices without sophisticated exploits: operators need only a subscription to these proxies to gain access to millions of vulnerable devices.
Indicators of Compromise (3 / 34 total)
TYPE | INDICATOR | DESCRIPTION | CREATED
FileHash-SHA1 | 143c7fd6a2297d8b0d91d7a12a5db901988ea2b3 | SHA1 of 6cc3fc0284dfe57881f5ea01dcd3cecb6c667dc8d1147b049c3d6bd661d9c906 | 2026-03-20
FileHash-SHA1 | 6af4ef79c4f733167f67d7d8e6dd77b174feb2fa | SHA1 of aaaa89488caf328bea8e56fa95cae69124a561ec97594b686c93cfdd24f13e96 | 2026-03-20
FileHash-SHA1 | fcab81d4763064c1aa561048e67cd9a452db6f41 | SHA1 of 87ec57bd8e639d5f96a17dfb73af5cc63cc528f45d4a3231e70f287e9ad38601 | 2026-03-20