Geopolitical events are often used as lures for targeted threats, and this case is another example. This week we saw a group we recently published on change tactics to target users interested in the ongoing protests in Nepal. The protests started after the banning of social media, together with accusations of government corruption, and have led to the deaths of dozens of protesters as well as the ousting of the country's leadership.
As is typical of this group, they leveraged a triple threat of mobile malware, Windows malware, and phishing to accomplish their end goal of data theft. In the first example, we can see the attack spoofing the Nepalese Emergency Service to perform straightforward credential phishing.

Figure 1: spoofing the emergency service for cred phishing
In the next example, we can see them leveraging the persona of General Ashok Sigdel, the Army Chief of Staff. General Sigdel is the current acting head of Nepal [as of September 2025].

Figure 2: Acting head of Nepal
If one were to try to hear directly from General Sigdel, they would instead install the malware Gen_Ashok_Sigdel_Live.apk onto their mobile device.

Figure 3: IDA-esque view of the Android malware
After the victim grants the malware the permissions it requests, they are shown this content:

Figure 4: APK decoy content
In the background, however, the malware begins to exfiltrate the content the threat actor requested. As the image below shows, the malware collects document and image files and uploads them to playservicess.com.

Figure 5: Examination of data theft filters as well as infra
In another instance, the attacker leverages Windows malware, EmergencyApp.exe, to perform similar data theft, and we also see another Android sample, Emergency_Help.apk, that is functionally similar to the backdoor above.

Figure 6: A fake site purporting to be the “Emergency Helpline”

Figure 7: pcap showing the ‘qwerty’ multipart boundary, which is distinctive enough to write a signature on
| Hunting leads you may find useful |
|---|
| C:\Users\asdf\Desktop\9\x64\Release\ConsoleApplication1.pdb |
| boundary=----qwerty |
| /ghijkl/ghijkl/index.php |

Figure 8: Hunting leads
| IOCs |
|---|
| Emergency_Help.apk f9b828cc11a032dbb50bd0d85de007d1 |
| Gen_Ashok_Sigdel_Live.apk 437b9fbd82500ee88b8b65e1722e99c5 |
| EmergencyApp.exe f535874179a64f1dc5e289be872026fc |
| playservicess.com |
| playsevices.com |
| 194.233.77.73 |

Figure 9: Indicators mentioned
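The hunting leads and IOCs above are most useful once they are wired into something that can be run over proxy logs or carved samples. The following is an added example, not code from StrikeReady or from the blog: the indicator values (PDB path, multipart boundary, upload URI, domains, IP, MD5s) are copied from the two tables above, while the HTTP requests and file bytes it is run against are constructed here so that the matcher can be exercised offline. The list of "document and image" extensions is an assumption based on the description of Figure 5, not something the post enumerates.

```python
"""Match the post's hunting leads and IOCs against constructed sample data.

Added example, not the blog's or StrikeReady's own tooling. Indicator values
are taken from the post's Figure 8 / Figure 9 tables; the sample requests and
file bytes below are constructed for this example.
"""
from __future__ import annotations

import re

# Hunting leads from the post (Figure 8).
PDB_PATH = rb"C:\Users\asdf\Desktop\9\x64\Release\ConsoleApplication1.pdb"
MULTIPART_BOUNDARY = "----qwerty"
UPLOAD_PATH = "/ghijkl/ghijkl/index.php"

# Network and file IOCs from the post (Figure 9).
IOC_DOMAINS = {"playservicess.com", "playsevices.com"}
IOC_IPS = {"194.233.77.73"}
IOC_MD5 = {
    "f9b828cc11a032dbb50bd0d85de007d1",  # Emergency_Help.apk
    "437b9fbd82500ee88b8b65e1722e99c5",  # Gen_Ashok_Sigdel_Live.apk
    "f535874179a64f1dc5e289be872026fc",  # EmergencyApp.exe
}

_BOUNDARY_RE = re.compile(r"boundary=([^\s;]+)", re.IGNORECASE)
# Assumed set of "document and image" extensions (the post does not list them).
_EXFIL_EXT_RE = re.compile(r"\.(docx?|pdf|xlsx?|pptx?|txt|jpe?g|png)$", re.IGNORECASE)


def hunt_http_request(raw: str) -> list[str]:
    """Return the hunting leads / IOCs that one raw HTTP request matches."""
    hits: list[str] = []
    request_line, _, rest = raw.partition("\r\n")
    parts = request_line.split()
    path = parts[1] if len(parts) >= 2 else ""
    headers_blob, _, body = rest.partition("\r\n\r\n")
    headers: dict[str, str] = {}
    for line in headers_blob.split("\r\n"):
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()

    host = headers.get("host", "").split(":")[0]
    if host in IOC_DOMAINS:
        hits.append(f"ioc-domain:{host}")
    if host in IOC_IPS:
        hits.append(f"ioc-ip:{host}")
    if path == UPLOAD_PATH:
        hits.append("lead-upload-path")
    match = _BOUNDARY_RE.search(headers.get("content-type", ""))
    if match and match.group(1) == MULTIPART_BOUNDARY:
        hits.append("lead-qwerty-boundary")
    # Figure 5 shows document/image files being uploaded; note multipart parts
    # whose filename carries such an extension (weak on its own, see below).
    for fname in re.findall(r'filename="([^"]+)"', body):
        if _EXFIL_EXT_RE.search(fname):
            hits.append(f"exfil-filename:{fname}")
    return hits


def is_suspicious(raw: str) -> bool:
    """Flag only on a hunting lead or IOC; a document upload alone is normal traffic."""
    return any(h.startswith(("lead-", "ioc-")) for h in hunt_http_request(raw))


def hunt_pe_bytes(blob: bytes) -> bool:
    """True if raw file bytes embed the PDB path from the hunting leads."""
    return PDB_PATH in blob


def hunt_file_hash(md5_hex: str) -> bool:
    """True if an MD5 (any case) is one of the post's file IOCs."""
    return md5_hex.lower() in IOC_MD5


# Constructed request modelled on the upload the post describes (Figures 5 and 7).
SAMPLE_UPLOAD = (
    "POST /ghijkl/ghijkl/index.php HTTP/1.1\r\n"
    "Host: playservicess.com\r\n"
    "Content-Type: multipart/form-data; boundary=----qwerty\r\n"
    "\r\n"
    "------qwerty\r\n"
    'Content-Disposition: form-data; name="file"; filename="notes.docx"\r\n'
    "\r\n"
    "<constructed bytes>\r\n"
    "------qwerty--\r\n"
)

# Constructed benign upload: same shape, none of the leads or IOCs.
SAMPLE_BENIGN = (
    "POST /upload HTTP/1.1\r\n"
    "Host: example.org\r\n"
    "Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk\r\n"
    "\r\n"
    "------WebKitFormBoundary7MA4YWxk\r\n"
    'Content-Disposition: form-data; name="avatar"; filename="me.png"\r\n'
    "\r\n"
    "<constructed bytes>\r\n"
    "------WebKitFormBoundary7MA4YWxk--\r\n"
)

if __name__ == "__main__":
    for label, req in (("upload", SAMPLE_UPLOAD), ("benign", SAMPLE_BENIGN)):
        print(label, is_suspicious(req), hunt_http_request(req))
```

The benign request still produces an `exfil-filename` observation, which is why `is_suspicious` ignores that class on its own: file uploads with document extensions are everyday traffic, and it is the fixed `----qwerty` boundary, the `/ghijkl/ghijkl/index.php` path and the listed hosts that separate this backdoor's beaconing from a normal browser form post.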
Our GitHub provides a download of the relevant files mentioned in this blog.
Acknowledgements
The authors would like to thank the reviewers, as well as peer vendors, for their comments and corrections. Please get in touch at research@strikeready.com if you have corrections, would like us to use your group name, or would like to collaborate on research.