{
  "type": "Domain",
  "indicator": "superflashlight.mobi",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/superflashlight.mobi",
    "alexa": "http://www.alexa.com/siteinfo/superflashlight.mobi",
    "indicator": "superflashlight.mobi",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 159265,
      "indicator": "superflashlight.mobi",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 3,
      "pulses": [
        {
          "id": "6a123f4adef80b0c4d8ccd35",
          "name": "Android Trojan Abuses Commercial Rooting Tool and Steals Private Information",
          "description": "Rootnik is an Android trojan that exploits vulnerabilities in Android 4.3 and earlier by weaponizing a Chinese commercial rooting tool called Root Assistant. The malicious operation spreads through repackaged legitimate applications distributed globally, affecting users primarily in the United States, Malaysia, Thailand, Lebanon and Taiwan. After installation, Rootnik gains root access using stolen exploits, installs four persistent APK files to the system partition, and performs aggressive app promotion campaigns. The trojan silently installs and uninstalls applications, downloads and executes code remotely, and harvests sensitive data including WiFi passwords, location information, device identifiers, and MAC addresses. The malware maintains command and control infrastructure through multiple domains and generates revenue through aggressive advertising that interrupts user activity regardless of the current application.",
          "modified": "2026-05-25T10:39:18.780000",
          "created": "2026-05-23T23:59:06.114000",
          "tags": [
            "rooting",
            "rootnik",
            "android",
            "app promotion",
            "wifi credentials",
            "information theft"
          ],
          "references": [
            "https://unit42.paloaltonetworks.com/rootnik-android-trojan-abuses-commercial-rooting-tool-and-steals-private-information/?pdf=print&lg=en&_wpnonce=3df28d88da"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Lebanon",
            "Malaysia",
            "Taiwan",
            "Thailand"
          ],
          "malware_families": [
            {
              "id": "Rootnik",
              "display_name": "Rootnik",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 14,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 4,
            "FileHash-SHA256": 8,
            "domain": 4,
            "hostname": 6
          },
          "indicator_count": 22,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386459,
          "modified_text": "5 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6a1814b55e1559397600e7f7",
          "name": "EbeeMay2026 Pt5",
          "description": "Multiple APT/threat actors, Malware and Campaigns",
          "modified": "2026-05-28T10:11:01.506000",
          "created": "2026-05-28T10:11:01.506000",
          "tags": [
            "filehashsha256",
            "filehashmd5",
            "filehashsha1",
            "redacted",
            "ipv62a12",
            "ipv62a03",
            "localappdata",
            "cve20234966 cve",
            "cve20136282 cve",
            "cve20132597 cve"
          ],
          "references": [
            "IOCs-MAY4.csv"
          ],
          "public": 1,
          "adversary": "RemotePE, ClayRat, Nimbus Manticore, SonicWall SSL VPN exploitation, ModeloRAT",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "IPv4": 79,
            "URL": 57,
            "CIDR": 3,
            "CVE": 15,
            "FileHash-MD5": 151,
            "FileHash-SHA1": 113,
            "FileHash-SHA256": 164,
            "domain": 137,
            "email": 4,
            "hostname": 47
          },
          "indicator_count": 770,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 39,
          "modified_text": "2 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "632ad3a5f64e3881b24787ca",
          "name": "Rootnik Android Trojan Abuses Commercial Rooting Tool and Steals Private Information",
          "description": "A Trojan that uses a commercial rooting tool (Root Assistant) to gain root access to Android devices is spreading around the world, according to analysis by Palo Alto Networks Unit 42 (the referenced report).",
          "modified": "2022-09-21T09:04:37.874000",
          "created": "2022-09-21T09:04:37.874000",
          "tags": [
            "rootnik android",
            "rootnik",
            "datadata",
            "android",
            "root assistant",
            "china",
            "download"
          ],
          "references": [
            "https://unit42.paloaltonetworks.com/rootnik-android-trojan-abuses-commercial-rooting-tool-and-steals-private-information/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Rootnik",
              "display_name": "Rootnik",
              "target": null
            },
            {
              "id": "Rootnik Android",
              "display_name": "Rootnik Android",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1049",
              "name": "System Network Connections Discovery",
              "display_name": "T1049 - System Network Connections Discovery"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "teaf1001",
            "id": "185941",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 4,
            "FileHash-MD5": 2,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 8,
            "domain": 4,
            "hostname": 6
          },
          "indicator_count": 26,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 33,
          "modified_text": "1347 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "IOCs-MAY4.csv",
        "https://unit42.paloaltonetworks.com/rootnik-android-trojan-abuses-commercial-rooting-tool-and-steals-private-information/?pdf=print&lg=en&_wpnonce=3df28d88da",
        "https://unit42.paloaltonetworks.com/rootnik-android-trojan-abuses-commercial-rooting-tool-and-steals-private-information/"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [
            "Rootnik"
          ],
          "industries": []
        },
        "other": {
          "adversary": [
            "RemotePE, ClayRat, Nimbus Manticore, SonicWall SSL VPN exploitation, ModeloRAT"
          ],
          "malware_families": [
            "Rootnik",
            "Rootnik android"
          ],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 3,
  "pulses": [
    {
      "id": "6a123f4adef80b0c4d8ccd35",
      "name": "Android Trojan Abuses Commercial Rooting Tool and Steals Private Information",
      "description": "Rootnik is an Android trojan that exploits vulnerabilities in Android 4.3 and earlier by weaponizing a Chinese commercial rooting tool called Root Assistant. The malicious operation spreads through repackaged legitimate applications distributed globally, affecting users primarily in the United States, Malaysia, Thailand, Lebanon and Taiwan. After installation, Rootnik gains root access using stolen exploits, installs four persistent APK files to the system partition, and performs aggressive app promotion campaigns. The trojan silently installs and uninstalls applications, downloads and executes code remotely, and harvests sensitive data including WiFi passwords, location information, device identifiers, and MAC addresses. The malware maintains command and control infrastructure through multiple domains and generates revenue through aggressive advertising that interrupts user activity regardless of the current application.",
      "modified": "2026-05-25T10:39:18.780000",
      "created": "2026-05-23T23:59:06.114000",
      "tags": [
        "rooting",
        "rootnik",
        "android",
        "app promotion",
        "wifi credentials",
        "information theft"
      ],
      "references": [
        "https://unit42.paloaltonetworks.com/rootnik-android-trojan-abuses-commercial-rooting-tool-and-steals-private-information/?pdf=print&lg=en&_wpnonce=3df28d88da"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America",
        "Lebanon",
        "Malaysia",
        "Taiwan",
        "Thailand"
      ],
      "malware_families": [
        {
          "id": "Rootnik",
          "display_name": "Rootnik",
          "target": null
        }
      ],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 14,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 4,
        "FileHash-SHA256": 8,
        "domain": 4,
        "hostname": 6
      },
      "indicator_count": 22,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386459,
      "modified_text": "5 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6a1814b55e1559397600e7f7",
      "name": "EbeeMay2026 Pt5",
      "description": "Multiple APT/threat actors, Malware and Campaigns",
      "modified": "2026-05-28T10:11:01.506000",
      "created": "2026-05-28T10:11:01.506000",
      "tags": [
        "filehashsha256",
        "filehashmd5",
        "filehashsha1",
        "redacted",
        "ipv62a12",
        "ipv62a03",
        "localappdata",
        "cve20234966 cve",
        "cve20136282 cve",
        "cve20132597 cve"
      ],
      "references": [
        "IOCs-MAY4.csv"
      ],
      "public": 1,
      "adversary": "RemotePE, ClayRat, Nimbus Manticore, SonicWall SSL VPN exploitation, ModeloRAT",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "IPv4": 79,
        "URL": 57,
        "CIDR": 3,
        "CVE": 15,
        "FileHash-MD5": 151,
        "FileHash-SHA1": 113,
        "FileHash-SHA256": 164,
        "domain": 137,
        "email": 4,
        "hostname": 47
      },
      "indicator_count": 770,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 39,
      "modified_text": "2 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "632ad3a5f64e3881b24787ca",
      "name": "Rootnik Android Trojan Abuses Commercial Rooting Tool and Steals Private Information",
      "description": "A Trojan that uses a commercial rooting tool (Root Assistant) to gain root access to Android devices is spreading around the world, according to analysis by Palo Alto Networks Unit 42 (the referenced report).",
      "modified": "2022-09-21T09:04:37.874000",
      "created": "2022-09-21T09:04:37.874000",
      "tags": [
        "rootnik android",
        "rootnik",
        "datadata",
        "android",
        "root assistant",
        "china",
        "download"
      ],
      "references": [
        "https://unit42.paloaltonetworks.com/rootnik-android-trojan-abuses-commercial-rooting-tool-and-steals-private-information/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Rootnik",
          "display_name": "Rootnik",
          "target": null
        },
        {
          "id": "Rootnik Android",
          "display_name": "Rootnik Android",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1049",
          "name": "System Network Connections Discovery",
          "display_name": "T1049 - System Network Connections Discovery"
        },
        {
          "id": "T1543",
          "name": "Create or Modify System Process",
          "display_name": "T1543 - Create or Modify System Process"
        },
        {
          "id": "T1176",
          "name": "Browser Extensions",
          "display_name": "T1176 - Browser Extensions"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 5,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "teaf1001",
        "id": "185941",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 4,
        "FileHash-MD5": 2,
        "FileHash-SHA1": 2,
        "FileHash-SHA256": 8,
        "domain": 4,
        "hostname": 6
      },
      "indicator_count": 26,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 33,
      "modified_text": "1347 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "superflashlight.mobi",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "superflashlight.mobi",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780180770.1976688
}