The tap-estry of threats targeting Hamster Kombat players

Hamster Kombat’s rising popularity has drawn cybercriminals targeting Android and Windows users with Android spyware (Ratel), fake app stores, and Lumma Stealer cryptors on Windows. The report covers threat details, MITRE mappings, and IoCs, warning that the game could attract more abuse as its earnings model evolves. #Ratel #LummaStealer #HamsterKombat #Telegram #TON #Notcoin #NOTToken #Sberbank

Key points

  • Hamster Kombat’s popularity is being exploited by criminals aiming to monetize through threats and scams.
  • Android spyware named Ratel impersonates Hamster Kombat and is distributed via an unofficial Telegram channel.
  • Ratel targets Android users with fake app stores that deliver ads and can harvest notifications and perform SMS actions.
  • Windows attackers push GitHub repositories offering farm bots and autoclickers that actually deploy Lumma Stealer cryptors.
  • Lumma Stealer cryptors come in C++, Go, and Python variants and employ RC4 or AES-GCM, often using process hollowing.
  • Threat actors use various C2 methods (HTTP, FTP) and attempt to hide activity (obfuscated payloads, notification suppression).
  • The IoCs section lists hashes, filenames, domains, and certificate details associated with these threats.

MITRE Techniques

  • [T1660] Initial Access – Phishing – “Android spyware Ratel has been distributed using an unofficial Telegram channel.”
  • [T1624.001] Persistence – Event Triggered Execution: Broadcast Receivers – “Android spyware Ratel registers to receive the SMS_RECEIVED, SMS_DELIVER, PACKAGE_REMOVED, PACKAGE_REPLACED, PACKAGE_ADDED, and PACKAGE_CHANGE broadcast intents to activate itself.”
  • [T1517] Collection – Access Notifications – “Android spyware Ratel can collect messages from various apps.”
  • [T1644] Command and Control – Out of Band Data – “Android spyware Ratel can use SMS to receive commands to execute.”
  • [T1646] Exfiltration – Exfiltration Over C2 Channel – “Exfiltrates data using HTTP.”
  • [T1616] Impact – Call Control – “Android spyware Ratel can make phone calls.”
  • [T1582] Impact – SMS Control – “Android spyware Ratel can send and receive SMS messages.”
  • [T1027.009] Defense Evasion – Obfuscated Files or Information: Embedded Payloads – “Lumma Stealer uses C++ and Go binaries to embed its payload.”
  • [T1055.012] Defense Evasion – Process Hollowing – “Lumma Stealer uses process hollowing.”
  • [T1071.001] Command and Control – Web Protocols – “Lumma Stealer communicates with the C&C server via HTTP.”
  • [T1071.002] Command and Control – File Transfer Protocols – “Lumma Stealer downloader uses FTP to download the payload.”
  • [T1041] Exfiltration – Exfiltration Over C2 Channel – “Lumma Stealer exfiltrates the victim’s data to the C&C server.”
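The T1624.001 entry above describes Ratel's persistence trigger: a broadcast receiver registered for SMS and package-lifecycle intents. The following is an added example (not code from the report or from ESET) of a triage check that walks a decoded AndroidManifest.xml and flags receivers wired to that combination; the manifest text is constructed, and the page's "PACKAGE_CHANGE" is matched as the Android constant PACKAGE_CHANGED.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ATTR_NAME = f"{{{ANDROID_NS}}}name"

# Broadcast actions the report's T1624.001 entry says Ratel subscribes to.
# Matched on the short name: the report writes PACKAGE_CHANGE, the Android
# constant is android.intent.action.PACKAGE_CHANGED.
RATEL_ACTIONS = {
    "SMS_RECEIVED", "SMS_DELIVER",
    "PACKAGE_REMOVED", "PACKAGE_REPLACED", "PACKAGE_ADDED", "PACKAGE_CHANGED",
}

def receivers_matching(manifest_xml: str, watch=RATEL_ACTIONS) -> dict:
    """Map each <receiver> class to the watched broadcast actions it registers.

    Expects the decoded (text) manifest, e.g. apktool output, not the binary
    XML packed inside the APK.
    """
    root = ET.fromstring(manifest_xml)
    hits = {}
    for receiver in root.iter("receiver"):
        name = receiver.get(ATTR_NAME, "<unnamed>")
        actions = {a.get(ATTR_NAME, "") for a in receiver.iter("action")
                   if a.get(ATTR_NAME, "").rsplit(".", 1)[-1] in watch}
        if actions:
            hits[name] = actions
    return hits

def looks_like_ratel_pattern(hits: dict) -> bool:
    """True when one receiver combines SMS and package-lifecycle triggers,
    the self-activation pattern the report attributes to Ratel."""
    for actions in hits.values():
        short = {a.rsplit(".", 1)[-1] for a in actions}
        if short & {"SMS_RECEIVED", "SMS_DELIVER"} and any(
                s.startswith("PACKAGE_") for s in short):
            return True
    return False

# Constructed sample manifest (hypothetical package name), not from any real APK.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakegame">
  <application>
    <receiver android:name=".Wakeup" android:exported="true">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
        <action android:name="android.intent.action.PACKAGE_ADDED"/>
        <action android:name="android.intent.action.PACKAGE_REMOVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".Boot">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""
```

Run it against `apktool d` output of a suspect build; a hit is a triage lead, not proof, since legitimate SMS apps also register SMS_RECEIVED.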

Indicators of Compromise

  • [IP] Android C2 server – 77.91.124.14:260, 77.91.124[.]14
  • [IP] Lumma Stealer C2 servers – 104.21.86.106, 104.21.86[.]106
  • [Domain] Fake Hamster Kombat sites – hamsterkombat-ua.pro, hamsterkombat-win.pro
  • [Domain] Additional fake storefronts – www.hamsterkombat-ua.pro, www.hamster-kombat-ua.pro
  • [File hash] Android Hamster Ratel APK – ACD260356E3337F775E1, AA6259B55E2D3BB11F80
  • [File name] Hamster.apk – Android/Spy.Ratel.A
  • [File name] Setup.exe – Win32/Kryptik.HWZI (example)
  • [File name] Hamster-Kombat.exe – Win32/Kryptik.HXDB
  • [Certificate] NVIDIA Corporation – Serial 0997C56CAA59055394D9A9CDB8BEEB56; Subject CN NVIDIA Corporation; Valid from 2023-01-13 to 2026-01-16

Read more: https://www.welivesecurity.com/en/eset-research/tap-estry-threats-targeting-hamster-kombat-players/