{
  "type": "Domain",
  "indicator": "uscelluliar.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/uscelluliar.com",
    "alexa": "http://www.alexa.com/siteinfo/uscelluliar.com",
    "indicator": "uscelluliar.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 4212566476,
      "indicator": "uscelluliar.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 10,
      "pulses": [
        {
          "id": "6994616c344268c9e9708b53",
          "name": "The tablet conqueror and the links between major Android botnets",
          "description": "A new Android backdoor called Keenadu has been discovered embedded in the firmware of several tablet brands. It infects the libandroid_runtime.so library during firmware building, injecting itself into every app launched on the device. Keenadu provides attackers unrestricted control over victims' devices, primarily for ad fraud purposes. The investigation revealed connections between Keenadu and other major Android botnets like Triada, BADBOX, and Vo1d. The malware was found in system apps, Google Play apps, and modified versions of popular apps. Over 13,000 users worldwide have been affected, with Russia, Japan, Germany, Brazil and the Netherlands seeing the highest number of infections.",
          "modified": "2026-02-17T15:58:38.735000",
          "created": "2026-02-17T12:39:08.238000",
          "tags": [
            "badbox",
            "firmware",
            "keenadu",
            "android",
            "nova",
            "vo1d",
            "botnets",
            "ad fraud",
            "supply chain attack",
            "backdoor",
            "triada"
          ],
          "references": [
            "https://securelist.com/keenadu-android-backdoor/118913/"
          ],
          "public": 1,
          "adversary": "Keenadu",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Keenadu",
              "display_name": "Keenadu",
              "target": null
            },
            {
              "id": "Triada",
              "display_name": "Triada",
              "target": null
            },
            {
              "id": "BADBOX",
              "display_name": "BADBOX",
              "target": null
            },
            {
              "id": "Vo1d",
              "display_name": "Vo1d",
              "target": null
            },
            {
              "id": "SUPERNOVA - S0578",
              "display_name": "SUPERNOVA - S0578",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "T1542.003",
              "name": "Bootkit",
              "display_name": "T1542.003 - Bootkit"
            },
            {
              "id": "T1059.004",
              "name": "Unix Shell",
              "display_name": "T1059.004 - Unix Shell"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 25,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 84,
            "FileHash-SHA1": 5,
            "FileHash-SHA256": 5,
            "URL": 1,
            "domain": 10,
            "hostname": 3
          },
          "indicator_count": 108,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386766,
          "modified_text": "104 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69cd48ce7b65f7a9350024cd",
          "name": "EbeeMar2026 Pt6",
          "description": "Multiple APT/threat actors, Malware and Campaigns",
          "modified": "2026-05-01T16:15:36.188000",
          "created": "2026-04-01T16:33:18.540000",
          "tags": [],
          "references": [
            "IOCs.2026.pdf"
          ],
          "public": 1,
          "adversary": "Keenadu, Poisoned Security Scanner led to Backdooring LiteLLM, HERALD SPIDER, Pay2Key",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 130,
            "FileHash-SHA1": 145,
            "FileHash-SHA256": 207,
            "CVE": 1,
            "URL": 25,
            "domain": 285,
            "email": 4,
            "hostname": 82
          },
          "indicator_count": 879,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 39,
          "modified_text": "31 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69c2bd69d7ddf6e60e5188ea",
          "name": "Android devices ship with firmware-level malware",
          "description": "Keenadu malware is a significant cyber threat targeting Android devices, identified by SophosLabs analysts in late February 2026. This malware operates as a firmware-level backdoor embedded within the libandroid_runtime.so library, enabling attackers to take full control of infected devices. By injecting itself into the Zygote process, which serves as the parent for all Android applications, Keenadu ensures its presence across all apps on the compromised device. The payload can function as a downloader for various malicious modules aimed at extracting data from applications or facilitating ad fraud.",
          "modified": "2026-04-23T16:19:26.926000",
          "created": "2026-03-24T16:35:53.192000",
          "tags": [
            "c2 server",
            "domain name",
            "armor",
            "keenadu",
            "ip address",
            "bold k50",
            "sha256 hash",
            "g84 firmware",
            "sha1",
            "armor x13"
          ],
          "references": [
            "https://www.sophos.com/en-us/blog/android-devices-ship-with-firmware-level-malware"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1195.002",
              "name": "Compromise Software Supply Chain",
              "display_name": "T1195.002 - Compromise Software Supply Chain"
            },
            {
              "id": "T1195.001",
              "name": "Compromise Software Dependencies and Development Tools",
              "display_name": "T1195.001 - Compromise Software Dependencies and Development Tools"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 5,
            "FileHash-SHA1": 5,
            "FileHash-SHA256": 5,
            "domain": 19,
            "hostname": 1
          },
          "indicator_count": 35,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 543,
          "modified_text": "39 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "699c70c5de80512e1628bfaf",
          "name": "Keenadu Android Backdoor Embedded in Firmware Enables Full Device Compromise",
          "description": "Facebook, Twitter, Facebook, Instagram, Snapchat and other sites are all open to comment on the latest developments from the world's largest social media platforms, as well as those of their own..",
          "modified": "2026-03-25T15:04:14.473000",
          "created": "2026-02-23T15:22:45.963000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Cherryid",
            "id": "383941",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 41,
            "FileHash-SHA1": 41,
            "FileHash-SHA256": 41,
            "domain": 18
          },
          "indicator_count": 141,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 20,
          "modified_text": "68 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6997fce17ae6ac720fec14c5",
          "name": "Divide and conquer: how the new Keenadu backdoor exposed links between major Android botnets",
          "description": "Malicious software infected with the Keenadu operating system can be detected by analysing the code's code, as well as the software itself, in order to use it to run its own software.",
          "modified": "2026-03-22T06:07:27.526000",
          "created": "2026-02-20T06:19:13.198000",
          "tags": [
            "keenadu",
            "applications",
            "nova clicker",
            "payload cdn"
          ],
          "references": [
            "https://securelist.com/keenadu-android-backdoor/118913/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Keenadu",
              "display_name": "Keenadu",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 75,
            "FileHash-SHA1": 58,
            "FileHash-SHA256": 58,
            "domain": 19,
            "hostname": 5
          },
          "indicator_count": 215,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 277,
          "modified_text": "71 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69979ddcdbba1952fb51a3de",
          "name": "EbeeFeb2026 Pt4",
          "description": "Multiple APT/threat actors, Malware and Campaigns",
          "modified": "2026-03-21T23:07:14.518000",
          "created": "2026-02-19T23:33:48.858000",
          "tags": [
            "filehashsha256",
            "filehashmd5",
            "filehashsha1",
            "cve20261281 cve",
            "uxxxxxx"
          ],
          "references": [
            "IOCs2.csv"
          ],
          "public": 1,
          "adversary": "Cephalus Ransomware, Transparent Tribe, CRESCENTHARVEST, Keenadu, Cloudflare Pages \"Continue Read\" R",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 57,
            "CVE": 7,
            "FileHash-MD5": 193,
            "FileHash-SHA1": 148,
            "FileHash-SHA256": 205,
            "domain": 203,
            "hostname": 63
          },
          "indicator_count": 876,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 40,
          "modified_text": "72 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "699762e8ad3e3432e9666e98",
          "name": "Keenadu Android Malware Preinstalled on New Devices",
          "description": "Researchers have identified a new \"backdoor\" in the Android operating system, which can be installed on \"new\" devices on a \"thousands of devices\" on which they are currently operating.",
          "modified": "2026-03-21T19:09:28.611000",
          "created": "2026-02-19T19:22:15.999000",
          "tags": [
            "https",
            "ctia type",
            "date",
            "february",
            "time"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 15,
            "FileHash-MD5": 23,
            "FileHash-SHA1": 21,
            "FileHash-SHA256": 21
          },
          "indicator_count": 80,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 500,
          "modified_text": "72 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6996fad7174769b1329ac21b",
          "name": "Keenadu the tablet conqueror and the links between major Android botnets | Securelist",
          "description": "",
          "modified": "2026-03-21T11:34:25.575000",
          "created": "2026-02-19T11:58:15.315000",
          "tags": [
            "adware",
            "badbox",
            "botnets",
            "google android",
            "keenadu",
            "malware",
            "malware descriptions",
            "malware technologies",
            "mobile malware",
            "triada",
            "trojan",
            "trojan clicker",
            "vo1d",
            "c2 server",
            "keenadu loader",
            "google play",
            "android",
            "md5 hash",
            "heur",
            "nova",
            "phantom",
            "april",
            "august",
            "temu",
            "clicker",
            "wallpaper",
            "facebook",
            "telegram"
          ],
          "references": [
            "https://securelist.com/keenadu-android-backdoor/118913/?utm_source=cybersecuritynews"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 84,
            "FileHash-SHA1": 61,
            "FileHash-SHA256": 61,
            "URL": 1,
            "domain": 23,
            "hostname": 10,
            "email": 1
          },
          "indicator_count": 241,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 863,
          "modified_text": "72 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6995ae49ebd94603d440f024",
          "name": "Keenadu Botnet",
          "description": "Divide and conquer: how the new Keenadu backdoor exposed links between major Android botnets",
          "modified": "2026-03-20T12:02:30.782000",
          "created": "2026-02-18T12:19:19.747000",
          "tags": [
            "reverse dns",
            "forward dns",
            "http",
            "software",
            "openbsd openssh",
            "f5 nginx",
            "matched fields",
            "us technology",
            "frankfurt",
            "main",
            "hesse",
            "godaddycomllc",
            "phoenix",
            "keenadu"
          ],
          "references": [
            "https://www.virustotal.com/graph/g64c2194c54614365a0962f458e9fdfa7d36bc70a897941dbbd9d60c4319fcff8",
            "https://securelist.com/keenadu-android-backdoor/118913/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Keenadu",
              "display_name": "Keenadu",
              "target": null
            },
            {
              "id": "Triada",
              "display_name": "Triada",
              "target": null
            },
            {
              "id": "vo1d",
              "display_name": "vo1d",
              "target": null
            },
            {
              "id": "BADBOX",
              "display_name": "BADBOX",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Vulcanraven",
            "id": "167674",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 37,
            "hostname": 68,
            "URL": 1
          },
          "indicator_count": 106,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 22,
          "modified_text": "73 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69954274f6501c133fc69122",
          "name": "The tablet conqueror and the links between major Android botnets",
          "description": "",
          "modified": "2026-02-18T04:39:16.713000",
          "created": "2026-02-18T04:39:16.713000",
          "tags": [
            "badbox",
            "firmware",
            "keenadu",
            "android",
            "nova",
            "vo1d",
            "botnets",
            "ad fraud",
            "supply chain attack",
            "backdoor",
            "triada"
          ],
          "references": [
            "https://securelist.com/keenadu-android-backdoor/118913/"
          ],
          "public": 1,
          "adversary": "Keenadu",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Keenadu",
              "display_name": "Keenadu",
              "target": null
            },
            {
              "id": "Triada",
              "display_name": "Triada",
              "target": null
            },
            {
              "id": "BADBOX",
              "display_name": "BADBOX",
              "target": null
            },
            {
              "id": "Vo1d",
              "display_name": "Vo1d",
              "target": null
            },
            {
              "id": "SUPERNOVA - S0578",
              "display_name": "SUPERNOVA - S0578",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "T1542.003",
              "name": "Bootkit",
              "display_name": "T1542.003 - Bootkit"
            },
            {
              "id": "T1059.004",
              "name": "Unix Shell",
              "display_name": "T1059.004 - Unix Shell"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "6994616c344268c9e9708b53",
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 84,
            "FileHash-SHA1": 5,
            "FileHash-SHA256": 5,
            "URL": 1,
            "domain": 10,
            "hostname": 3
          },
          "indicator_count": 108,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 277,
          "modified_text": "103 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "IOCs.2026.pdf",
        "https://www.virustotal.com/graph/g64c2194c54614365a0962f458e9fdfa7d36bc70a897941dbbd9d60c4319fcff8",
        "https://www.sophos.com/en-us/blog/android-devices-ship-with-firmware-level-malware",
        "https://securelist.com/keenadu-android-backdoor/118913/?utm_source=cybersecuritynews",
        "IOCs2.csv",
        "https://securelist.com/keenadu-android-backdoor/118913/"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "Keenadu"
          ],
          "malware_families": [
            "Vo1d",
            "Triada",
            "Keenadu",
            "Badbox",
            "Supernova - s0578"
          ],
          "industries": []
        },
        "other": {
          "adversary": [
            "Keenadu, Poisoned Security Scanner led to Backdooring LiteLLM, HERALD SPIDER, Pay2Key",
            "Cephalus Ransomware, Transparent Tribe, CRESCENTHARVEST, Keenadu, Cloudflare Pages \"Continue Read\" R",
            "Keenadu"
          ],
          "malware_families": [
            "Vo1d",
            "Triada",
            "Keenadu",
            "Badbox",
            "Supernova - s0578"
          ],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 10,
  "pulses": [
    {
      "id": "6994616c344268c9e9708b53",
      "name": "The tablet conqueror and the links between major Android botnets",
      "description": "A new Android backdoor called Keenadu has been discovered embedded in the firmware of several tablet brands. It infects the libandroid_runtime.so library during firmware building, injecting itself into every app launched on the device. Keenadu provides attackers unrestricted control over victims' devices, primarily for ad fraud purposes. The investigation revealed connections between Keenadu and other major Android botnets like Triada, BADBOX, and Vo1d. The malware was found in system apps, Google Play apps, and modified versions of popular apps. Over 13,000 users worldwide have been affected, with Russia, Japan, Germany, Brazil and the Netherlands seeing the highest number of infections.",
      "modified": "2026-02-17T15:58:38.735000",
      "created": "2026-02-17T12:39:08.238000",
      "tags": [
        "badbox",
        "firmware",
        "keenadu",
        "android",
        "nova",
        "vo1d",
        "botnets",
        "ad fraud",
        "supply chain attack",
        "backdoor",
        "triada"
      ],
      "references": [
        "https://securelist.com/keenadu-android-backdoor/118913/"
      ],
      "public": 1,
      "adversary": "Keenadu",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Keenadu",
          "display_name": "Keenadu",
          "target": null
        },
        {
          "id": "Triada",
          "display_name": "Triada",
          "target": null
        },
        {
          "id": "BADBOX",
          "display_name": "BADBOX",
          "target": null
        },
        {
          "id": "Vo1d",
          "display_name": "Vo1d",
          "target": null
        },
        {
          "id": "SUPERNOVA - S0578",
          "display_name": "SUPERNOVA - S0578",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1056.001",
          "name": "Keylogging",
          "display_name": "T1056.001 - Keylogging"
        },
        {
          "id": "T1542.003",
          "name": "Bootkit",
          "display_name": "T1542.003 - Bootkit"
        },
        {
          "id": "T1059.004",
          "name": "Unix Shell",
          "display_name": "T1059.004 - Unix Shell"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 25,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 84,
        "FileHash-SHA1": 5,
        "FileHash-SHA256": 5,
        "URL": 1,
        "domain": 10,
        "hostname": 3
      },
      "indicator_count": 108,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386766,
      "modified_text": "104 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69cd48ce7b65f7a9350024cd",
      "name": "EbeeMar2026 Pt6",
      "description": "Multiple APT/threat actors, Malware and Campaigns",
      "modified": "2026-05-01T16:15:36.188000",
      "created": "2026-04-01T16:33:18.540000",
      "tags": [],
      "references": [
        "IOCs.2026.pdf"
      ],
      "public": 1,
      "adversary": "Keenadu, Poisoned Security Scanner led to Backdooring LiteLLM, HERALD SPIDER, Pay2Key",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 130,
        "FileHash-SHA1": 145,
        "FileHash-SHA256": 207,
        "CVE": 1,
        "URL": 25,
        "domain": 285,
        "email": 4,
        "hostname": 82
      },
      "indicator_count": 879,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 39,
      "modified_text": "31 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69c2bd69d7ddf6e60e5188ea",
      "name": "Android devices ship with firmware-level malware",
      "description": "Keenadu malware is a significant cyber threat targeting Android devices, identified by SophosLabs analysts in late February 2026. This malware operates as a firmware-level backdoor embedded within the libandroid_runtime.so library, enabling attackers to take full control of infected devices. By injecting itself into the Zygote process, which serves as the parent for all Android applications, Keenadu ensures its presence across all apps on the compromised device. The payload can function as a downloader for various malicious modules aimed at extracting data from applications or facilitating ad fraud.",
      "modified": "2026-04-23T16:19:26.926000",
      "created": "2026-03-24T16:35:53.192000",
      "tags": [
        "c2 server",
        "domain name",
        "armor",
        "keenadu",
        "ip address",
        "bold k50",
        "sha256 hash",
        "g84 firmware",
        "sha1",
        "armor x13"
      ],
      "references": [
        "https://www.sophos.com/en-us/blog/android-devices-ship-with-firmware-level-malware"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1195.002",
          "name": "Compromise Software Supply Chain",
          "display_name": "T1195.002 - Compromise Software Supply Chain"
        },
        {
          "id": "T1195.001",
          "name": "Compromise Software Dependencies and Development Tools",
          "display_name": "T1195.001 - Compromise Software Dependencies and Development Tools"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 5,
        "FileHash-SHA1": 5,
        "FileHash-SHA256": 5,
        "domain": 19,
        "hostname": 1
      },
      "indicator_count": 35,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 543,
      "modified_text": "39 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "699c70c5de80512e1628bfaf",
      "name": "Keenadu Android Backdoor Embedded in Firmware Enables Full Device Compromise",
      "description": "Facebook, Twitter, Instagram, Snapchat and other sites are all open to comment on the latest developments from the world's largest social media platforms, as well as those of their own.",
      "modified": "2026-03-25T15:04:14.473000",
      "created": "2026-02-23T15:22:45.963000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Cherryid",
        "id": "383941",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 41,
        "FileHash-SHA1": 41,
        "FileHash-SHA256": 41,
        "domain": 18
      },
      "indicator_count": 141,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 20,
      "modified_text": "68 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6997fce17ae6ac720fec14c5",
      "name": "Divide and conquer: how the new Keenadu backdoor exposed links between major Android botnets",
      "description": "Software infected with the Keenadu backdoor can be detected by analysing the code, as well as the software itself, in order to use it to run its own software.",
      "modified": "2026-03-22T06:07:27.526000",
      "created": "2026-02-20T06:19:13.198000",
      "tags": [
        "keenadu",
        "applications",
        "nova clicker",
        "payload cdn"
      ],
      "references": [
        "https://securelist.com/keenadu-android-backdoor/118913/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Keenadu",
          "display_name": "Keenadu",
          "target": null
        }
      ],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 75,
        "FileHash-SHA1": 58,
        "FileHash-SHA256": 58,
        "domain": 19,
        "hostname": 5
      },
      "indicator_count": 215,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 277,
      "modified_text": "71 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69979ddcdbba1952fb51a3de",
      "name": "EbeeFeb2026 Pt4",
      "description": "Multiple APT/threat actors, Malware and Campaigns",
      "modified": "2026-03-21T23:07:14.518000",
      "created": "2026-02-19T23:33:48.858000",
      "tags": [
        "filehashsha256",
        "filehashmd5",
        "filehashsha1",
        "cve20261281 cve",
        "uxxxxxx"
      ],
      "references": [
        "IOCs2.csv"
      ],
      "public": 1,
      "adversary": "Cephalus Ransomware, Transparent Tribe, CRESCENTHARVEST, Keenadu, Cloudflare Pages \"Continue Read\" R",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 57,
        "CVE": 7,
        "FileHash-MD5": 193,
        "FileHash-SHA1": 148,
        "FileHash-SHA256": 205,
        "domain": 203,
        "hostname": 63
      },
      "indicator_count": 876,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 40,
      "modified_text": "72 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "699762e8ad3e3432e9666e98",
      "name": "Keenadu Android Malware Preinstalled on New Devices",
      "description": "Researchers have identified a new \"backdoor\" in the Android operating system, which can be installed on \"new\" devices and is currently operating on \"thousands of devices\".",
      "modified": "2026-03-21T19:09:28.611000",
      "created": "2026-02-19T19:22:15.999000",
      "tags": [
        "https",
        "ctia type",
        "date",
        "february",
        "time"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "cryptocti",
        "id": "110256",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 15,
        "FileHash-MD5": 23,
        "FileHash-SHA1": 21,
        "FileHash-SHA256": 21
      },
      "indicator_count": 80,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 500,
      "modified_text": "72 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6996fad7174769b1329ac21b",
      "name": "Keenadu the tablet conqueror and the links between major Android botnets | Securelist",
      "description": "",
      "modified": "2026-03-21T11:34:25.575000",
      "created": "2026-02-19T11:58:15.315000",
      "tags": [
        "adware",
        "badbox",
        "botnets",
        "google android",
        "keenadu",
        "malware",
        "malware descriptions",
        "malware technologies",
        "mobile malware",
        "triada",
        "trojan",
        "trojan clicker",
        "vo1d",
        "c2 server",
        "keenadu loader",
        "google play",
        "android",
        "md5 hash",
        "heur",
        "nova",
        "phantom",
        "april",
        "august",
        "temu",
        "clicker",
        "wallpaper",
        "facebook",
        "telegram"
      ],
      "references": [
        "https://securelist.com/keenadu-android-backdoor/118913/?utm_source=cybersecuritynews"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 84,
        "FileHash-SHA1": 61,
        "FileHash-SHA256": 61,
        "URL": 1,
        "domain": 23,
        "hostname": 10,
        "email": 1
      },
      "indicator_count": 241,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 863,
      "modified_text": "72 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6995ae49ebd94603d440f024",
      "name": "Keenadu Botnet",
      "description": "Divide and conquer: how the new Keenadu backdoor exposed links between major Android botnets",
      "modified": "2026-03-20T12:02:30.782000",
      "created": "2026-02-18T12:19:19.747000",
      "tags": [
        "reverse dns",
        "forward dns",
        "http",
        "software",
        "openbsd openssh",
        "f5 nginx",
        "matched fields",
        "us technology",
        "frankfurt",
        "main",
        "hesse",
        "godaddycomllc",
        "phoenix",
        "keenadu"
      ],
      "references": [
        "https://www.virustotal.com/graph/g64c2194c54614365a0962f458e9fdfa7d36bc70a897941dbbd9d60c4319fcff8",
        "https://securelist.com/keenadu-android-backdoor/118913/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Keenadu",
          "display_name": "Keenadu",
          "target": null
        },
        {
          "id": "Triada",
          "display_name": "Triada",
          "target": null
        },
        {
          "id": "vo1d",
          "display_name": "vo1d",
          "target": null
        },
        {
          "id": "BADBOX",
          "display_name": "BADBOX",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Vulcanraven",
        "id": "167674",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 37,
        "hostname": 68,
        "URL": 1
      },
      "indicator_count": 106,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 22,
      "modified_text": "73 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69954274f6501c133fc69122",
      "name": "The tablet conqueror and the links between major Android botnets",
      "description": "",
      "modified": "2026-02-18T04:39:16.713000",
      "created": "2026-02-18T04:39:16.713000",
      "tags": [
        "badbox",
        "firmware",
        "keenadu",
        "android",
        "nova",
        "vo1d",
        "botnets",
        "ad fraud",
        "supply chain attack",
        "backdoor",
        "triada"
      ],
      "references": [
        "https://securelist.com/keenadu-android-backdoor/118913/"
      ],
      "public": 1,
      "adversary": "Keenadu",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Keenadu",
          "display_name": "Keenadu",
          "target": null
        },
        {
          "id": "Triada",
          "display_name": "Triada",
          "target": null
        },
        {
          "id": "BADBOX",
          "display_name": "BADBOX",
          "target": null
        },
        {
          "id": "Vo1d",
          "display_name": "Vo1d",
          "target": null
        },
        {
          "id": "SUPERNOVA - S0578",
          "display_name": "SUPERNOVA - S0578",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1056.001",
          "name": "Keylogging",
          "display_name": "T1056.001 - Keylogging"
        },
        {
          "id": "T1542.003",
          "name": "Bootkit",
          "display_name": "T1542.003 - Bootkit"
        },
        {
          "id": "T1059.004",
          "name": "Unix Shell",
          "display_name": "T1059.004 - Unix Shell"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "6994616c344268c9e9708b53",
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 84,
        "FileHash-SHA1": 5,
        "FileHash-SHA256": 5,
        "URL": 1,
        "domain": 10,
        "hostname": 3
      },
      "indicator_count": 108,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 277,
      "modified_text": "103 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "uscelluliar.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "uscelluliar.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780355259.3387432
}