APT: Android, Phishing, microsoft

Summary: A South Asian APT has been persistently targeting Sri Lanka, Bangladesh, Pakistan, and Turkey. This post walks through infrastructure and malware pivots to expose novel tooling that compromised the phones of military-adjacent folks.

Recently a zip was detected named Coordination of the Chief of Army Staff's Visit to China.zip. An archive with this theme sticks out like a sore thumb to threat analysts.

Indeed, upon examining the compressed PDF, it was an obviously targeted phish.

Phish lure	Phish decoy
Figure 1: Top level PDF phish	Figure 2: Decoy shown post cred theft

The first pivot an analyst makes is to look for similarly named documents, or that have similar embedded urls, which yielded the results below:

Doc	md5	First stage	Second stage
`Coordination of the Chief of Army Staff's Visit to China.pdf`	`cf9914eca9f8ae90ddd54875506459d6`	`mail-mod-gov-bd-account-conf-files.netlify.app`	`mailbox3-inbox1-bd.com`
`Coordination of the Chief of Army Staff's Visit to China.pdf`	`94e6911b0a99b54391735dfc70b4187d`	`coordination-cas-visit.netlify.app`	`mails.navy.mll.bd.account.file.centralized-email-system-np.com`
`Coordination of the Chief of Army Staff's Visit to China.pdf`	`3c47053adffd39b467592d13398060b5`	`mail-dgfi-gov-bd-accounts-file-data-d.netlify.app`	`mailbox3-inbox1-bd.com`
`Updated TOSAM 120 MM MORTAR ALKAR 110, 120, TURKIYE.pdf`	`33fe3e792a0e98fb890b6393f31ae5cb`	`drive-rokectsaans-com-tr-account-file.netlify.app`	`mailbox3-inbox1-bd.com`
`MAIN KEY POINTS OF CAS VISIT TO BOF (1).pdf`	`73f142ae7c6c10fbb18f439b6410af4f`	`goc-visit-program-details-pdf.netlify.app`	`mailbox-inbox-bd.com`
`079 24 CE Combined Training and Administrative Conference signed.pdf`	`c2ee24fb4aa103b4c1a8e8169d3a9f47`	`combined-training-and-administrative.netlify.app`	`discord`
`Review .pdf`	`e573a2cd2b6a24255c400055d06342b9`	`sdkfjsh23-sdfgdklhg4-efglhdfg4-dfgjkl.netlify.app`	`discord`
`MOU ON DEFENCE COOPERATION BETWEEN BANGLADESH AND KINGDOM OF SAUDI ARABIA KSA.pdf`	`6e930ad2ab7e97da818f54bfbb45b759`	`mail.gov.bd.account.file.updatemind52.com`	`mailbox-inbox-bd.com`
`SECRETARY OF DEFENCE INDUSTRIS OF THE PRESIDENCY OF THE REPUBLIC OF TURKIYE'S DELEGATION VISIT TO BD.pdf`	`abbb7063e3a6d03cf180f73b6ac15ee2`	`mail.drive.gov.bd.files.updatemind52.com`
`AMDT EXAM CEN AND ALLOT INDEX NUMBER FOR PE (CAPT TO MAJ)-APR 2025.pdf`	`aef81736c6dcaf8b67775602cbf9ccbd`	`ebmail.police.gov.bd.updatemind52.com`	`mailbox-inbox-bd.com`

Figure 3: IDEF-themed phishing page, targeting Turks

The javascript that attempted to block “source viewing”, as seen in the image above, appeared unique. Looking at other phishing pages that contained the same blocker yielded quick results. The folks at Hunt IO regularly blog about an adjacent set of activity, as well as OSINT analysts Demon and Nouman.

Phishing domain	Spoof/Theme
`dgdp-account-file-data-doc-procuremen.netlify.app`	Directorate General of Defence Purchase (DGDP)
`dgdp.cloud.secured.file.updatemind52.com`	Directorate General of Defence Purchase (DGDP)
`drive-afd-gov-bd-account-file.netlify.app`	Government of Bangladesh
`drive-army-mil-bd-account-data-file.netlify.app`	Bangladesh Army
`drive-baf-mil-bd-share-file.netlify.app`	Bangladesh Air Force
`drive-bcc-registraion-cloud-storage.netlify.app`	Bangladesh Computer Council (BCC)
`drive-newmail-arm-mil-bd-account-data.netlify.app`	Bangladesh Army
`drive-rokectsaans-com-tr-account-file.netlify.app`	Roketsans (Turkey)
`drive-roketsans-com-tr-account-files.netlify.app`	Roketsans (Turkey)
`embassy-of-italy-visit-to-cxb.netlify.app`	Embassy of Italy
`goc-visit-program-details-pdf.netlify.app`	Gulf Countries
`idef-2025-conf-data-file-tr-account-d.netlify.app`	IDEF (International Defence Industry Fair)
`idef2025-com-tr-files-drive-account.netlify.app`	IDEF (International Defence Industry Fair)
`mail-afd-gov-bd-account-error-issues.netlify.app`	AFD Government of Bangladesh
`mail-aselsans-com-tr-account-files-da.netlify.app`	Aselsan (Turkish company)
`mail-baf-mil-bd-account-data-files-document.pages.dev`	Bangladesh Air Force
`mail-baf-mil-bd-fils-cas-visit-to-chi.netlify.app`	Bangladesh Air Force
`mail-bof-gov-bd-cas-visit.netlify.app`	BOF Government of Bangladesh
`mail-dgfi-gov-bd-accounts-file-data-d.netlify.app`	Directorate General of Forces Intelligence (DGFI)
`mail-mod-gov-bd-account-conf-files.netlify.app`	Ministry of Defence (MOD)
`mail-mod-gov-bd-account-data-file.netlify.app`	Ministry of Defence (MOD)
`mail-mod-gov-np-account-file-data.netlify.app`	Ministry of Defence (MOD)
`mail.baf.mil.bd.pdf.quickhelpsolve.com`	Bangladesh Air Force
`mail.bcc.gov.bd.pdf.quickhelpsolve.com`	Bangladesh Computer Council (BCC)
`newmail-army-mil-bd-owa-apth-mail-dat.netlify.app`	Bangladesh Army
`newmail-army-mil-bd-pso-meeting-file.netlify.app`	Bangladesh Army
`webmail.police.gov.bd.updatemind52.com`	Bangladesh Police
`coordination-cas-visit.netlify.app`

Reexamining our previous set of c2s, there was another error message that we could key off. The landing page on the domain was reused, which hard coded a particular unix timestamp, corresponding to March 28th, 2025.

Figure 4: Landing page with hard coded timestamp

This landing page was similarly seen on many other similar looking domains:

Phishing domain	Spoof/Theme
`mail.afd.gov.bd.file.quickhelpsolve.com`	AFD Government of Bangladesh
`webmil.assangroup.com.tr.asd.updatemind52.com`	Assan Group (Turkish company)
`mail.bcc.gov.bd.pdf.quickhelpsolve.com`	Bangladesh Computer Council (BCC)
`mails.navy.mll.bd.account.file.centralized-email-system-np.com`	Bangladesh Navy
`webmail.police.gov.bd.updatemind52.com`	Bangladesh Police
`dgdp.gov.bd.file.pdf.updatemind52.com`	Directorate General of Defence Purchase (DGDP)
`dgdp.gov.bd.cloud.file.updatemind52.com`	Directorate General of Defence Purchase (DGDP)
`dgdp.cloud.secured.file.updatemind52.com`	Directorate General of Defence Purchase (DGDP)
`cloud.dgdp.gov.bd.file.updatemind52.com`	Directorate General of Defence Purchase (DGDP)
`mail.dgfi.gov.bd.pdf.updatemind52.com`	Directorate General of Forces Intelligence (DGFI)
`mail.gov.bd.account.file.updatemind52.com`	Government of Bangladesh
`mail.drive.gov.bd.files.updatemind52.com`	Government of Bangladesh
`mail.mofa.gov.pk.pdf.updatemind52.com`	Ministry of Foreign Affairs (MOFA) Pakistan
`mail.mofa.gov.pk.file.updatemind52.com`	Ministry of Foreign Affairs (MOFA) Pakistan
`cloud.national.email.pdf.updatemind52.com`
`webmail.paragonms.com.pk.pdf.updatemind52.com`	Paragon (Pakistan-based company)
`webmail.profen.com.pdf.updatemind52.com`	Profen
`webmail.timgosavunma.com.tr.file.updatemind52.com`	Timgos Savunma (Turkish company)
`mail.163.com.files.updatemind52.com`
`mail.awany.org.file.updatemind52.com`
`mailairforce.quickhelpsolve.com`	Bangladesh Air Force mail
`mail.bangladesh.air.quickhelpsolve.com`	Bangladesh Air Force
`dgdp.cloud.files.pdf.updatemind52.com`	Bangladesh DGDP
`dgdp.cloud.file.pdf.updatemind52.com`	Bangladesh DGDP
`dgdp.cloud.secured.file.updatemind52.com`	Bangladesh DGDP
`dgdp.gov.bd.secured.updatemind52.com`	Bangladesh DGDP
`drive.egovcloud.gov.bd.quickhelpsolve.com`	Bangladesh government
`inboxofficial-bd.com`	Bangladesh government
`webmail.police.gov.bd.updatemind52.com`	Bangladesh police
`mail.bhclondon.org.uk.quickhelpsolve.com`	Bangladesh High Commission
`webmail.bmsdefence.com.pdf.updatemind52.com`	BMS Defence
`bsgrouponline.com.webmail.pdf.updatemind52.com`
`live.login.account.out.quickhelpsolve.com`
`cloud.national.email.file.updatemind52.com`
`www.centralized-email-system-np.com`	Nepal government
`profen.com.fil.login.updatemind52.com`	Profen login
`apm.vpce.gdw55e.quickhelpsolve.com`
`updatemind52.com`
`quickhelpsolve.com`
`play-googyle.com` More analysis here by Aaron Samala as well as Checkpoint

Pivoting on updatemind52.com, which was also mentioned by Twitter user AiTM, we can see an APK file hosted at updatemind52.com/Love_Chat.apk. This is a mod of an open source Android RAT, Rafel Rat, the source of which can be reviewed here.

updatemind52.com/Love_Chat.apk

9a7510e780ef40d63ca5ab826b1e9dab

Below, we can see the decompiled APK file uploading various document types from the device to the c2.

Figure 5: h/t to dex2jar

aHR0cHM6Ly9xdWlja2hlbHBzb2x2ZS5jb20vcHVibGljL2NvbW1hbmRzLnBocA== decodes to the c2, https://quickhelpsolve.com/public/commands.php, which we saw used by this actor for credential phishing. That same domain was used in the malicious APK b8eda465ffbc197d80a9ce7ab785f07a, and with other simple pivots, we can find a cluster of other APK.

App name	MD5	C2	Decoy
`Love_Chat.apk`	`9a7510e780ef40d63ca5ab826b1e9dab`	`quickhelpsolve.com`
`TestMe.apk`	`78bc9707f298552b7087ef385f098912`	`kutcat-rat.com`	`lovehabibi.com`
`PvtChat1.apk`	`dfa353ac65b29df7d14f72aca7d52f12`	`kutcat-rat.com`	`lovehabibi.com`
	`b8eda465ffbc197d80a9ce7ab785f07a`	`quickhelpsolve.com`	`lovehabibi.com`
`PvtChat.apk`	`ce417487ac9ccfbb31fa28fde9365fd7`	`kutcat-rat.com`	`isexychat.com`
`TestMe.apk`	`67e7cf00aa82d9b4cf0db2b55b7fb0b9`	`kutcat-rat.com`
	`0d106fd047d6a744b1dbecddbe9c2e99`	`kutcat-rat.com`
`Social Chat.apk`	`01011bd3c58141165f2a4551f4c40609`	`kutcat-rat.com`	`playservicess.com [down - was nsfw]`
`Securechat.apk`	`65a08e14ca41bfedf483d1ada74844a9`	`kutcat-rat.com`	`lovehabibi.com`
`Securechat.apk`	`c8d2bf204349853b6d7d810ed2698924`	`kutcat-rat.com`	`lovehabibi.com`
`voting.apk`	`12b6483d4843e99b57b86379197208cd`	`kutcat-rat.com`	`UN voting page`
`BSM.apk`	`3b26fcd7c6994598dc53bb3f69725d68`	`play-googyle.com`	`whatsapp download`

Figure 6: obligatory non-ida ida screenshot showing how the decoy was launched

The apps themselves are standard infostealers, as well as a remote shell to execute arbitrary commands. Sample permissions and actions include, but are not limited to, ADD_DEVICE_ADMIN, READ_EXTERNAL_STORAGE, MANAGE_APP_ALL_FILES_ACCESS_PERMISSION, READ_CONTACTS, READ_MEDIA_VIDEO etc.

The landing pages and decoys are similar to what one would expect. A notable Pakistani dating service was a key pivot point to find other related samples.

Figure 7: “ChatMe” decoy

Figure 8: “Love Chat” decoy

Figure 9: voting.apk decoy

From the above play-googyle.com and playservicess.com, we can see a crossover in the email registrant from the whois scanner in the free community version of SilentPush. This registrant noraramly30121982@yahoo.com was seen on another similar domain in '24 mailservicess.com. Additionally, this email address, except on gmail (noraramly30121982@gmail.com) was used to register
mailserver-lk.com which has been used prolifically to phish, and has been catalogued by ThreatBook, as well as our own Labs account. As always, Maltrail is a great resource for aggregating indicators from the OSINT community.

Figure 10: SilentPush free WHOIS scanner

The kutcat c2 is a modded version of Rafel-rat, notably with the credits from the original author removed from the panel. The c2 has the ability to send down arbitrary commands to compromised phones. If one has good dns telem, gj3nyrs9jqrslv5hbej92406cxin6c.burpcollaborator.net may be a useful indicator. kutcat-rat.com was also mentioned by Twitter user MHT.

Figure 11: Commands sent to selected compromised phones

Below one can see the c2 panel, which was publicly available and indexed by google, with device information, and was disabled prior to this blog post. On the server was a plethora of stolen content, including documents, raw SMS, and contact lists. In the content, it was abundantly clear that many of the victims were members of the military of multiple South Asian countries, as well as close contacts, based on phone address books that only included ranks and duty stations.

Figure 12: C2 panel	Figure 13: C2 panel
Figure 14: Sample of stolen SMS	Figure 15: Stolen address books

Figure 16: Victims by country

Figure 17: Contacts by country

The first phone UUID in the list ffffffff-e76f-903a-ffff-ffffef05ac4a reports to be in India, and has installed an apk SetupIndiaServicesTnC.apk.The first phone on an operational server often is a test/developer account, and in this case, contained data that was part of a test rig. A consecutive UUID ffffffff-e76f-903a-ffff-ffffef05ac4b also appears in the device list. The uuid is constructed using >nisrulz's easydeviceinfo.

Figure 18: construction of UUID

Lastly, the threat actor also leverages windows malware, leveraging the same C2 infrastructure. These samples are available in the index.

Top level file	intermediary	c2
`EX AMAN-2025.zip`	`updatemind52.com/asdf.6786708906`	`play-googyle.com`
`4e13a48db966b3ebffb1fd49b3d2af8e`	`quickhelpsolve.com/asdf.6786708906`	`play-googyle.com`
`outgoing Farewell - Invitation.zip`		`play-googyle.com`

Vendor	Name
Proofpoint	UNK_ArmyDrive
You?	Get in touch for blog pre-releases!

Figure 19: Vendor validated names

Our github provides a download of the relevant mentioned in the blog, except those that contain victim identifying information

Hunting leads you may find useful
C:\Users\Android\Desktop\full working with all and url encrypt\x64\Release\ConsoleApplication1.pdb
C:\Users\Android\Desktop\lsass - Copy\x64\Release\ConsoleApplication1.pdb
C:\Users\Android\Desktop\work\d\x64\Release\ConsoleApplication1.pdb
C:\Users\user\Desktop\c\d\x64\Release\ConsoleApplication1.pdb
C:\Users\user\Desktop\cache\apk\c\i\x64\Debug\ConsoleApplication1.pdb
C:\Users\user\Desktop\ppp\app\c\d\x64\Debug\ConsoleApplication1.pdb
Network strings containing "ghijkl"
emails addresses containing `noraramly30121982` or `qesy.35fysel` (`securedownloadfiles.com` → `downloadattachment.com`)
`midtearmy@gmail.com`, `itdtearmy@gmail.com`

Acknowledgements

The authors would like to thank the reviewers, as well as peer vendors, for their comments and corrections. Please get in touch at research@strikeready.com if you have corrections, would like us to use your group name, or would like to collaborate on research.

APT: Android, Phishing, microsofT

Acknowledgements

Related posts