{ "type": "URL", "indicator": "https://jsonapi.biz", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://jsonapi.biz", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4333937577, "indicator": "https://jsonapi.biz", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "69f1d2d45ec26fc5e1ca72f4", "name": "KYCShadow: An Android Banking Malware Exploiting Fake KYC Workflows for Credential and OTP Theft", "description": "An Android malware campaign masquerading as a bank KYC verification application targets users in India through WhatsApp distribution. The threat operates as a multi-stage dropper installing secondary payloads while establishing persistent command-and-control communication. It combines native code obfuscation, Firebase-based remote execution, VPN-based traffic manipulation, and WebView-based phishing to systematically harvest sensitive user data. The infection chain progresses through deceptive update screens, VPN activation, silent APK installation, and extensive permission abuse. The deployed payload enables SMS interception, call control, USSD execution, and structured credential theft through staged phishing interfaces mimicking legitimate banking workflows. Exfiltrated data is encrypted locally and transmitted to jsonapi.biz, while critical configuration values are hidden inside native libraries to hinder detection.", "modified": "2026-04-29T10:12:57.758000", "created": "2026-04-29T09:43:48.542000", "tags": [ "india targeting", "android banking trojan", "otp theft", "vpn manipulation", "kycshadow", "whatsapp distribution", "firebase c2", "credential theft", "sms interception" ], "references": [ "https://www.cyfirma.com/research/kycshadow-an-android-banking-malware-exploiting-fake-kyc-workflows-for-credential-and-otp-theft/" ], "public": 1, "adversary": "", "targeted_countries": [ "British Indian Ocean Territory", "India" ], "malware_families": [ { "id": "KYCShadow", "display_name": "KYCShadow", "target": null } ], "attack_ids": [], "industries": [ "Finance" ], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "URL": 1, "domain": 3 }, "indicator_count": 9, "is_author": false, "is_subscribing": null, "subscriber_count": 386456, "modified_text": "31 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69f32d843b6570c22f6059eb", "name": "EbeeApril2026 Pt8", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-30T10:03:42.474000", "created": "2026-04-30T10:23:00.416000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "yara", "filepath", "cve20221388 url", "cve20151770 cve", "client" ], "references": [ "IOCs.2026.csv" ], "public": 1, "adversary": "Trigona, SHub Stealer v2.0, Malicious Compiled HTML Help File, Vidar", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 95, "FileHash-MD5": 163, "FileHash-SHA1": 147, "FileHash-SHA256": 290, "CIDR": 1, "CVE": 12, "SSLCertFingerprint": 1, "domain": 90, "email": 2, "hostname": 116 }, "indicator_count": 917, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "12 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69f2df5361138cb4b7cd7f06", "name": "KYCShadow: An Android Banking Malware Exploiting Fake KYC Workflows for Credential and OTP Theft", "description": "", "modified": "2026-04-30T04:49:23.346000", "created": "2026-04-30T04:49:23.346000", "tags": [ "india targeting", "android banking trojan", "otp theft", "vpn manipulation", "kycshadow", "whatsapp distribution", "firebase c2", "credential theft", "sms interception" ], "references": [ "https://www.cyfirma.com/research/kycshadow-an-android-banking-malware-exploiting-fake-kyc-workflows-for-credential-and-otp-theft/" ], "public": 1, "adversary": "", "targeted_countries": [ "British Indian Ocean Territory", "India" ], "malware_families": [ { "id": "KYCShadow", "display_name": "KYCShadow", "target": null } ], "attack_ids": [], "industries": [ "Finance" ], "TLP": "white", "cloned_from": "69f1d2d45ec26fc5e1ca72f4", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "URL": 1, "domain": 3 }, "indicator_count": 9, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "30 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "IOCs.2026.csv", "https://www.cyfirma.com/research/kycshadow-an-android-banking-malware-exploiting-fake-kyc-workflows-for-credential-and-otp-theft/" ], "related": { "alienvault": { "adversary": [], "malware_families": [ "Kycshadow" ], "industries": [ "Finance" ], "unique_indicators": 9 }, "other": { "adversary": [ "Trigona, SHub Stealer v2.0, Malicious Compiled HTML Help File, Vidar" ], "malware_families": [ "Kycshadow" ], "industries": [ "Finance" ], "unique_indicators": 1005 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/jsonapi.biz", "whois": "http://whois.domaintools.com/jsonapi.biz", "domain": "jsonapi.biz", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "69f1d2d45ec26fc5e1ca72f4", "name": "KYCShadow: An Android Banking Malware Exploiting Fake KYC Workflows for Credential and OTP Theft", "description": "An Android malware campaign masquerading as a bank KYC verification application targets users in India through WhatsApp distribution. The threat operates as a multi-stage dropper installing secondary payloads while establishing persistent command-and-control communication. It combines native code obfuscation, Firebase-based remote execution, VPN-based traffic manipulation, and WebView-based phishing to systematically harvest sensitive user data. The infection chain progresses through deceptive update screens, VPN activation, silent APK installation, and extensive permission abuse. The deployed payload enables SMS interception, call control, USSD execution, and structured credential theft through staged phishing interfaces mimicking legitimate banking workflows. Exfiltrated data is encrypted locally and transmitted to jsonapi.biz, while critical configuration values are hidden inside native libraries to hinder detection.", "modified": "2026-04-29T10:12:57.758000", "created": "2026-04-29T09:43:48.542000", "tags": [ "india targeting", "android banking trojan", "otp theft", "vpn manipulation", "kycshadow", "whatsapp distribution", "firebase c2", "credential theft", "sms interception" ], "references": [ "https://www.cyfirma.com/research/kycshadow-an-android-banking-malware-exploiting-fake-kyc-workflows-for-credential-and-otp-theft/" ], "public": 1, "adversary": "", "targeted_countries": [ "British Indian Ocean Territory", "India" ], "malware_families": [ { "id": "KYCShadow", "display_name": "KYCShadow", "target": null } ], "attack_ids": [], "industries": [ "Finance" ], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "URL": 1, "domain": 3 }, "indicator_count": 9, "is_author": false, "is_subscribing": null, "subscriber_count": 386456, "modified_text": "31 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69f32d843b6570c22f6059eb", "name": "EbeeApril2026 Pt8", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-30T10:03:42.474000", "created": "2026-04-30T10:23:00.416000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "yara", "filepath", "cve20221388 url", "cve20151770 cve", "client" ], "references": [ "IOCs.2026.csv" ], "public": 1, "adversary": "Trigona, SHub Stealer v2.0, Malicious Compiled HTML Help File, Vidar", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 95, "FileHash-MD5": 163, "FileHash-SHA1": 147, "FileHash-SHA256": 290, "CIDR": 1, "CVE": 12, "SSLCertFingerprint": 1, "domain": 90, "email": 2, "hostname": 116 }, "indicator_count": 917, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "12 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69f2df5361138cb4b7cd7f06", "name": "KYCShadow: An Android Banking Malware Exploiting Fake KYC Workflows for Credential and OTP Theft", "description": "", "modified": "2026-04-30T04:49:23.346000", "created": "2026-04-30T04:49:23.346000", "tags": [ "india targeting", "android banking trojan", "otp theft", "vpn manipulation", "kycshadow", "whatsapp distribution", "firebase c2", "credential theft", "sms interception" ], "references": [ "https://www.cyfirma.com/research/kycshadow-an-android-banking-malware-exploiting-fake-kyc-workflows-for-credential-and-otp-theft/" ], "public": 1, "adversary": "", "targeted_countries": [ "British Indian Ocean Territory", "India" ], "malware_families": [ { "id": "KYCShadow", "display_name": "KYCShadow", "target": null } ], "attack_ids": [], "industries": [ "Finance" ], "TLP": "white", "cloned_from": "69f1d2d45ec26fc5e1ca72f4", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "URL": 1, "domain": 3 }, "indicator_count": 9, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "30 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://jsonapi.biz", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://jsonapi.biz", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780180140.1353781 }