{
	"id": "2fb07cbe-0f7b-460a-8e8b-13cef13b2e5a",
	"created_at": "2026-04-06T00:10:46.496829Z",
	"updated_at": "2026-04-10T13:12:03.570174Z",
	"deleted_at": null,
	"sha1_hash": "011d63d51b59f8b98fb7ec39be28e6f1b81fc2a0",
	"title": "Roaming Mantis Swarms Globally, Spawning iOS Phishing, Cryptomining",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 42224,
	"plain_text": "Roaming Mantis Swarms Globally, Spawning iOS Phishing,\r\nCryptomining\r\nBy Tara Seals\r\nPublished: 2018-05-21 · Archived: 2026-04-05 18:48:21 UTC\r\nAnalysis shows that the malware, previously a banking trojan focused on Android devices, has rapidly evolved\r\njust in the past month.\r\nThe Roaming Mantis mobile banking trojan is roaming further afield than it ever has before. Recent analysis\r\nshows that the malware has rapidly evolved just in the past month. It’s now targeting Europe and the Middle East\r\nin addition to Asian countries. According to researchers, it’s following the cyber-zeitgeist by expanding its\r\ncapabilities to include cryptomining (and iOS phishing).\r\nRoaming Mantis is a mostly-mobile malware which this year has been spreading via DNS hijacking. Potential\r\nvictims are typically redirected to a malicious webpage that distributes a trojanized application that pretends to be\r\neither Facebook or Chrome. Once installed manually by users, a trojan banker will execute.\r\nIts sights have become much wider, however.\r\n“Roaming Mantis has evolved quickly,” said Kaspersky Lab researcher Suguru Ishimaru, in an analysis posted on\r\nFriday. “The actors behind it have been quite active in improving their tools. The rapid growth of the campaign\r\nimplies that those behind it have a strong financial motivation and are probably well-funded.”\r\nGlobal Infections\r\nOn the multilingual front, Roaming Mantis (a.k.a. MoqHao or XLoader) was seen this month to have significantly\r\ntweaked its landing pages and malicious APK files to support 27 languages – a serious expansion from the four\r\nlanguages it used in campaigns just a month ago.\r\nIn campaigns observed in April, its activity was located mostly in Bangladesh, Japan and South Korea, according\r\nto Ishimaru. 
Kaspersky Lab has now confirmed that several more languages have been hardcoded in the HTML\r\nsource of the landing page.\r\nThese include: Arabic, Armenian, Bulgarian, Bengali, both traditional and simplified Chinese, Czech, English,\r\nGeorgian, German, Hebrew, Hindi, Indonesian, Italian, Japanese, Korean, Malay, Polish, Portuguese, Russian,\r\nSerbo-Croatian, Spanish, Tagalog, Thai, Turkish, Ukrainian and Vietnamese.\r\nThe expansion is succeeding in terms of garnering more victims: “We believe the attacker made use of an easy\r\nmethod to potentially infect more users, by translating their initial set of languages with an automatic translator,”\r\nIshimaru said. “It’s clear from [our data] that South Korea, Bangladesh and Japan are no longer the worst affected\r\ncountries; instead, Russia, Ukraine and India [bear] the brunt.”\r\nhttps://threatpost.com/roaming-mantis-swarms-globally-spawning-ios-phishing-cryptomining/132149/\r\nPage 1 of 3\n\nNew Targets and Tactics\r\nIn addition to broadening its target range, an analysis of the Roaming Mantis code reveals the criminals behind the\r\nmalware have added a phishing option that targets iOS device users and a cryptomining option targeting PCs. This\r\nis a departure from the group’s primary focus on the Android platform, researchers said.\r\n“When a user connects to the landing page via iOS devices, the user is redirected to\r\n‘http://security.apple[dot]com/’,” Ishimaru explained. “A legitimate DNS server wouldn’t be able to resolve a\r\ndomain name like that, because it simply doesn’t exist. However, a user connecting via a compromised router can\r\naccess the landing page because the rogue DNS service resolves this domain to the IP address\r\n172[.]247[.]116[.]155. 
The final page is a phishing page mimicking the Apple website with the very reassuring\r\ndomain name ‘security.apple[dot]com’ in the address bar of the browser.”\r\nThe phishing site steals user IDs, passwords, card numbers, card expiration dates and CVVs. Researchers said\r\nthe HTML source of the phishing site supported 25 languages. Notably, the languages Bengali\r\nand Georgian are missing from the phishing site.\r\nMeanwhile, the perpetrators have added a new feature: web mining via the CoinHive script executed in\r\nthe browser. “When a user connects to the landing page from a PC, the CPU usage will drastically increase\r\nbecause of the cryptomining activity in the browser,” Ishimaru said.\r\nBetter Evasion Techniques\r\n“The evasion techniques used by Roaming Mantis have also become more sophisticated. Several examples of\r\nrecent additions described in [the Kaspersky Lab post] include a new method of retrieving the C2 by using the\r\nemail POP protocol, server-side dynamic auto-generation of changing APK file names, and the inclusion of an\r\nadditional command to potentially assist in identifying research environments,” researchers wrote.\r\nThe dynamic auto-generation helps avoid blacklisting, they said.\r\n“Aside from the filename, we also observed that all the downloaded malicious APK files are unique due to\r\npackage generation in real time as of May 16, 2018,” explained Ishimaru. “It seems the actor added automatic\r\ngeneration of APK per download to avoid blacklisting by file hashes. This is a new feature.”\r\nMeanwhile, older Roaming Mantis samples connected to the C2 by accessing a “legitimate website, extracting a\r\nChinese string from a specific part of the HTML code, and decoding it,” said the researcher. 
In the most recent\r\nsample, instead of using HTML protocol, Roaming Mantis uses email protocol to retrieve the C2.\r\n“The malware connects to an email inbox using hardcoded outlook.com credentials via POP3,” Ishimaru said. “It\r\nthen obtains the email subject (in Chinese) and extracts the real C2 address using the string ‘abcd’ as an anchor.”\r\nAlso, the previous malicious APK from April “had 18 backdoor commands to confirm victims’ environments and\r\nto control devices.” It’s now added a feature that calls the OS ping command with the IP address of the C2 server.\r\n“By running this, the attackers validate the availability of the server, packet travel time or detect network filtering\r\nin the target network,” he said. “This feature can also be used to detect semi-isolated research environments.”\n\nIn August 2017, McAfee first identified and reported the existence of Roaming Mantis. At that time, the\r\ndistribution method was SMS and South Korea was its only target. “[By] April 2018, it had already implemented\r\nDNS hijacking and expanded its targets to the wider Asian region,” Ishimaru said.\r\nThis latest expansion indicates that the actors behind the malware have no intention of slowing down their attack\r\nrate.\r\nSource: https://threatpost.com/roaming-mantis-swarms-globally-spawning-ios-phishing-cryptomining/132149/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://threatpost.com/roaming-mantis-swarms-globally-spawning-ios-phishing-cryptomining/132149/"
	],
	"report_names": [
		"132149"
	],
	"threat_actors": [
		{
			"id": "c94cb0e9-6fa9-47e9-a286-c9c9c9b23f4a",
			"created_at": "2023-01-06T13:46:38.823793Z",
			"updated_at": "2026-04-10T02:00:03.113045Z",
			"deleted_at": null,
			"main_name": "Roaming Mantis",
			"aliases": [
				"Roaming Mantis Group"
			],
			"source_name": "MISPGALAXY:Roaming Mantis",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f9bc28d0-ce98-4991-84ae-5036e5f9d4e3",
			"created_at": "2022-10-25T16:07:24.546437Z",
			"updated_at": "2026-04-10T02:00:05.029564Z",
			"deleted_at": null,
			"main_name": "Roaming Mantis",
			"aliases": [
				"Roaming Mantis Group",
				"Shaoye"
			],
			"source_name": "ETDA:Roaming Mantis",
			"tools": [
				"MoqHao",
				"Roaming Mantis",
				"SmsSpy",
				"Wroba",
				"XLoader"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434246,
	"ts_updated_at": 1775826723,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/011d63d51b59f8b98fb7ec39be28e6f1b81fc2a0.pdf",
		"text": "https://archive.orkl.eu/011d63d51b59f8b98fb7ec39be28e6f1b81fc2a0.txt",
		"img": "https://archive.orkl.eu/011d63d51b59f8b98fb7ec39be28e6f1b81fc2a0.jpg"
	}
}