The Shadow of GGBond: Suspected Supply Chain Attack on Official Installer of a Virtual Mobile Service Provider
TLP: WHITE | Author: PetrP.73 | Created: 2026-04-26 | Modified: 2026-04-26
The RedDrip Team of the QiAnXin Threat Intelligence Center has identified a supply chain attack on the official installer of a virtual mobile service provider, active between February and late March 2026. During that period the officially distributed installer was trojanized, leading to widespread compromise of government and enterprise endpoints. The malicious installer acts as a multi-layer Trojan loader, dubbed GGBond Rat, which abuses the compromised installer framework to deliver its payload. The associated command and control (C2) domain was hosted behind the Cloudflare CDN and ranked among the top 1 million domains on OpenDNS.
Indicators of Compromise (9)
TYPE              INDICATOR                                                                          DESCRIPTION                                  CREATED
----------------  ---------------------------------------------------------------------------------  -------------------------------------------  ----------
FileHash-MD5      5627c24dd7661df4d4c8617a9a68c8bf                                                                                                2026-04-26
URL               https://cos-clXXX-fXXe-data.phone.XXXXXX.com/Packages/PC/XXXXXXXXXRelease.exe                                                   2026-04-26
URL               https://www.andrXXXXXX.com/                                                                                                     2026-04-26
hostname          cos-clxxx-fxxe-data.phone.xxxxxx.com                                                                                            2026-04-26
hostname          whapp.linkgt.cc                                                                                                                 2026-04-26
hostname          www.andrxxxxxx.com                                                                                                              2026-04-26
FileHash-MD5      7eb1a6495269e8faf6b0faecd5dfcf58                                                                                                2026-04-26
FileHash-SHA1     8367920fc34144d57b385276a8b3ecbcc0696475                                           SHA1 of 7eb1a6495269e8faf6b0faecd5dfcf58     2026-04-26
FileHash-SHA256   a6c802b8d2b7351ddcd3dd50b17d5aaa36bc7937a41445cd4797363c0efe95ff                   SHA256 of 7eb1a6495269e8faf6b0faecd5dfcf58   2026-04-26