Unmasking State-Sponsored Mobile Surveillance Malware from Russia, China, and North Korea
2024-12-11 • Lookout
This Black Hat Europe presentation surveys mobile surveillance malware attributed to state-sponsored activity from Russia, China, and North Korea, including North Korea-linked families such as Hermit alongside references to Kimsuky and ScarCruft. The tradecraft described is Android-focused: dynamic code loading, system-utility-style icons and names, encrypted payload structures, and early-stage functionality that hides capabilities until later execution. For CTI teams, the presentation is most useful as a comparative reference for mobile APT behaviors, victimology, and detection considerations rather than as a single-incident write-up.
Indicators of Compromise