CYFIRMA reports a year-long Android malware campaign attributed to a Pakistan-based APT targeting Indian defense personnel, with links to Spynote or Craxs Rat and heavy obfuscation. The operation uses WhatsApp-based social engineering to deliver disguised APKs (MNS NH Contact.apk and Posted out off.apk) that exfiltrate contacts, call logs, and SMS while employing evasion techniques. #Spynote #CraxsRat #IndianDefenseForces
Keypoints
- CYFIRMA intercepted Android malware tied to a Pakistan-based APT group targeting Indian defense personnel, active for over a year.
- The threat actor likely used Spynote or a Craxs Rat variant, with high obfuscation to hinder analysis.
- Delivery occurred via WhatsApp social engineering, impersonating a senior officer to push the app onto victims.
- Disguised apps named “MNS NH Contact.apk” and “Posted out off.apk” aim to access contacts, call logs, and SMS messages; a screen-monitoring capability becomes available once the victim grants the Accessibility Service permission.
- The campaign includes anti-emulator checks, a disguised “Contacts” app name, and a one-time-permission flow leading to a bogus page.
- Code review shows heavy obfuscation, a module to fetch location, and explicit permissions (READ_SMS, READ_CONTACTS, READ_EXTERNAL_STORAGE) to collect data.
- Artifacts include a base64-encoded C2 server address (an encoding, not encryption, so it is trivially recoverable), a dex file split into 600 parts (converted to .jar for analysis), and a text file logging device activity.
MITRE Techniques
- [T1406] Obfuscated Files or Information – The APK is heavily modified and obfuscated to hinder analysis and evade Android security controls. “The app was highly modified and obfuscated to evade Android security measures.”
- [T1636.003] Contact List – The threat actor fetches the contact list when compromised. “gaining access to victims’ contact lists.”
- [T1636.002] Call Log – The threat actor gets access to the victims’ call list. “call logs.”
- [T1636.004] SMS Messages – The malware can fetch both sent and received SMS messages once the device is compromised. “SMSs.”
- [T1420] File and Directory Discovery – The malware reads device storage (READ_EXTERNAL_STORAGE). “access the storage.”
Indicators of Compromise
- [SHA256] 78625E72074EEE611866AB04AE1935F2152ED695D3ADCD68061D10386170668B – MNS NH Contact.apk
- [SHA256] 6C9A7E15D666FD61F62F1802D79782753BA25AAA76ECC86401658807F5D41503 – Posted out off.apk
- [IP] 38.92.47.116 – Command and control (C2) server
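The keypoints above mention two artifacts an analyst would want to handle directly: a C2 address stored as a base64-encoded string, and a payload dex split into 600 parts. The following Python is an added triage example written for this summary, not CYFIRMA's tooling or code from the malware. It assumes the chunks are identified by a sequence number (the report does not give the naming scheme), and every input it processes is constructed inline; only the two SHA256 values and the IP are taken from the IOC list.

```python
import base64
import hashlib
import re
import struct
from typing import Dict, List, Optional, Tuple

# Published IOCs from the report (hashes lowercased for comparison).
IOC_SHA256 = {
    "78625e72074eee611866ab04ae1935f2152ed695d3adcd68061d10386170668b": "MNS NH Contact.apk",
    "6c9a7e15d666fd61f62f1802d79782753ba25aaa76ecc86401658807f5d41503": "Posted out off.apk",
}
IOC_IPS = {"38.92.47.116"}

DEX_MAGIC = b"dex\n035\0"       # 8-byte magic of a classes.dex, format 035
DEX_HEADER_LEN = 0x70           # fixed dex header size
DEX_FILE_SIZE_OFF = 0x20        # u4 file_size field inside the header
B64_TOKEN = re.compile(rb"[A-Za-z0-9+/]{8,}={0,2}")
IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def match_hash(data: bytes) -> Optional[str]:
    """Return the IOC file name if data's SHA256 is one of the published hashes."""
    return IOC_SHA256.get(hashlib.sha256(data).hexdigest())


def find_encoded_c2(blob: bytes) -> List[Tuple[str, bool]]:
    """Decode base64-looking tokens and keep those that decode to an IPv4 or URL.

    Each hit is (decoded_value, is_known_ioc). Base64 needs no key, so the C2
    address is recovered directly from strings in the APK or its config.
    """
    hits = []
    for tok in B64_TOKEN.findall(blob):
        try:
            dec = base64.b64decode(tok, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64, or decodes to binary: skip
        host = dec.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0]
        if IPV4.match(host) or dec.startswith(("http://", "https://")):
            hits.append((dec, host in IOC_IPS))
    return hits


def reassemble_dex(parts: Dict[int, bytes]) -> bytes:
    """Join numbered chunks in order, then verify dex magic and header file_size.

    Assumption: the caller maps sequence_number -> chunk bytes. A gap, a
    misordered first chunk or a missing tail all raise ValueError.
    """
    if not parts:
        raise ValueError("no chunks supplied")
    order = sorted(parts)
    if order != list(range(order[0], order[0] + len(order))):
        raise ValueError("chunk sequence has gaps")
    data = b"".join(parts[i] for i in order)
    if len(data) < DEX_HEADER_LEN or not data.startswith(DEX_MAGIC):
        raise ValueError("no dex header at offset 0: wrong order or wrong first chunk")
    (declared,) = struct.unpack_from("<I", data, DEX_FILE_SIZE_OFF)
    if declared != len(data):
        raise ValueError(f"header file_size {declared} != {len(data)} bytes joined")
    return data


def demo() -> dict:
    """Exercise the helpers on constructed sample data (not real artifacts)."""
    # Constructed config blob: the C2 IP stored base64-encoded, as the report describes.
    blob = b"\x00app=Contacts;c2=" + base64.b64encode(b"38.92.47.116") + b";mode=1\x00"
    c2 = find_encoded_c2(blob)

    # Constructed dex: 0x70-byte header with magic and file_size set, plus a body.
    body = bytes(range(256)) * 2
    header = bytearray(DEX_HEADER_LEN)
    header[:8] = DEX_MAGIC
    struct.pack_into("<I", header, DEX_FILE_SIZE_OFF, DEX_HEADER_LEN + len(body))
    dex = bytes(header) + body

    # Split into 7 uneven chunks, as a splitter might, then rebuild.
    bounds = [0, 13, 99, 150, 300, 301, 450, len(dex)]
    chunks = {i: dex[bounds[i]:bounds[i + 1]] for i in range(len(bounds) - 1)}
    rebuilt = reassemble_dex(chunks)

    # Failure modes: first two chunks swapped, and one chunk missing.
    swapped = dict(chunks)
    swapped[0], swapped[1] = chunks[1], chunks[0]
    gapped = {k: v for k, v in chunks.items() if k != 3}
    errors = 0
    for bad in (swapped, gapped):
        try:
            reassemble_dex(bad)
        except ValueError:
            errors += 1

    return {"c2": c2, "dex_ok": rebuilt == dex, "errors": errors,
            "hash_hit": match_hash(dex)}


if __name__ == "__main__":
    print(demo())
```

The hash lookup returns None for the constructed dex because only the two published APK hashes are indicators; run `match_hash` over the bytes of a suspect APK to get a hit. The file_size check catches a truncated or over-concatenated reassembly that the magic check alone would miss.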