{
	"id": "ff6f183b-9fa9-42c4-b762-d9251ebda7fe",
	"created_at": "2026-04-06T00:10:56.365721Z",
	"updated_at": "2026-04-10T03:21:33.457715Z",
	"deleted_at": null,
	"sha1_hash": "01f4ce997038484c4a39f6a8559d7da0fba26111",
	"title": "Lookout Uncovers Hermit Spyware Deployed in Kazakhstan",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3114198,
	"plain_text": "Lookout Uncovers Hermit Spyware Deployed in Kazakhstan\r\nBy Lookout\r\nPublished: 2022-06-16 · Archived: 2026-04-05 22:35:17 UTC\r\nLookout researchers have uncovered enterprise-grade Android surveillanceware used by the government of\r\nKazakhstan within its borders. While we’ve been following this threat for a while using Lookout Endpoint\r\nDetection and Response (EDR), these latest samples were detected in April 2022, four months after nationwide\r\nprotests against government policies were violently suppressed.\r\nBased on our analysis, the spyware, which we named “Hermit,” was likely developed by Italian spyware vendor\r\nRCS Lab S.p.A and Tykelab Srl, a telecommunications solutions company we suspect to be operating as a front\r\ncompany.\r\nThis isn't the first time Hermit has been deployed. We know that the Italian authorities used it in an anti-corruption\r\noperation in 2019. We also found evidence suggesting that an unknown actor used it in northeastern Syria, a\r\npredominantly Kurdish region that has been the setting of numerous regional conflicts.\r\nWhile some Hermit samples have been detected before and are broadly recognized as generic spyware, the\r\nconnections we make in this blog to developers, campaigns, and operators are new.\r\nRCS Lab, a known developer that has been active for over three decades, operates in the same market as Pegasus\r\ndeveloper NSO Group Technologies and Gamma Group, which created FinFisher. Collectively branded as “lawful\r\nintercept” companies, they claim to only sell to customers with legitimate use for surveillanceware, such as\r\nintelligence and law enforcement agencies. 
In reality, such tools have often been abused under the guise of\r\nnational security to spy on business executives, human rights activists, journalists, academics, and government\r\nofficials.\r\nWhat is Hermit spyware?\r\nNamed after a distinct server path used by the attacker’s command and control (C2), Hermit is a modular\r\nsurveillanceware that hides its malicious capabilities in packages downloaded after it’s deployed.\r\nWe obtained and analyzed 16 of the 25 known modules, each with unique capabilities. These modules, along with\r\nthe permissions the core apps have, enable Hermit to exploit a rooted device, record audio and make and redirect\r\nphone calls, as well as collect data such as call logs, contacts, photos, device location and SMS messages.\r\nWe theorize that the spyware is distributed via SMS messages pretending to come from a legitimate source. The\r\nmalware samples analyzed impersonated the applications of telecommunications companies or smartphone\r\nmanufacturers. Hermit tricks users by serving up the legitimate webpages of the brands it impersonates as it\r\nkickstarts malicious activities in the background.\r\nWe’re aware of an iOS version of Hermit but were unable to obtain a sample for analysis.\r\nhttps://de.lookout.com/blog/hermit-spyware-discovery\r\nPage 1 of 14\n\nKazakhstan deployment\r\nOur analysis suggests that Hermit has not only been deployed to Kazakhstan, but that an entity of the national\r\ngovernment is likely behind the campaign. To our knowledge, this marks the first time that a current customer of\r\nRCS Lab’s mobile malware has been identified.\r\nWe first detected samples from this campaign in April 2022. They were titled “oppo.service” and impersonated\r\nChinese electronic manufacturer Oppo. The website the malware used to mask its malicious activity is an official\r\nOppo support page (http://oppo-kz.custhelp[.]com) in the Kazakh language that has since gone offline. 
We also\r\nfound samples that impersonate Samsung and Vivo.\r\nThe now-defunct Kazakh-language Oppo support page is loaded and displayed to users as\r\nmalicious activities happen in the background.\r\nThe samples used in the targeted campaign in Kazakhstan connected to the C2 address at 45.148.30[.]122:58442.\r\nHowever, further analysis of the spyware’s C2 server revealed that this IP address is used as a proxy for the real\r\nC2 server at 85.159.27[.]61:8442. The real C2 IP address is administered by STS Telecom, a small internet service\r\nprovider (ISP) operating out of Nur-Sultan, Kazakhstan’s capital. Based on sparse online records, STS specializes\r\nin “other wired telecommunications” and cable services.\r\nOur interaction with a poorly configured C2 server revealed the true C2 IP address.\r\nSyria, Italy and other targets\r\nPrior to detecting the Kazakhstan samples, we found a reference to “Rojava,” a Kurdish-speaking region in\r\nnortheastern Syria, in the passive DNS records of Hermit. This is significant because the region has been the site\r\nof ongoing crises, such as the Syrian civil war and conflicts between the Islamic State (IS) and U.S.-led coalition\r\nsupport of the Kurdish-led Syrian Democratic Forces (SDF). 
Most recently, Turkey conducted a series of military\r\noperations against the SDF that resulted in partial occupation of the region.\r\nThe domain we found (rojavanetwork[.]info) specifically imitates “Rojava Network,” a social media brand on\r\nFacebook and Twitter that provides news coverage and political analysis of the region, often in support of SDF\r\noperations.\r\nOutside Syria, Hermit has been deployed in Italy. According to a document released by the Italian lower house in\r\n2021, Italian authorities potentially misused it in an anti-corruption operation. The document mentioned an iOS\r\nversion of Hermit and linked RCS Lab and Tykelab to the malware, which corroborates our analysis.\r\nRCS Lab and its controversial connections\r\nAs with many spyware vendors, not much is known about RCS Lab and its clientele. But based on the information\r\nwe do have, it has a considerable international presence.\r\nAccording to leaked documents published by WikiLeaks in 2015, RCS Lab was a reseller for another Italian\r\nspyware vendor, HackingTeam, now known as Memento Labs, as early as 2012. Correspondence between the two\r\ncompanies revealed that RCS Lab engaged with military and intelligence agencies in Pakistan, Chile, Mongolia,\r\nBangladesh, Vietnam, Myanmar, and Turkmenistan — the latter three ranked as authoritarian regimes by the\r\nDemocracy Index. 
\r\nRCS Lab also has past dealings with Syria, another authoritarian regime, as part of its collaboration with Berlin-based Advanced German Technology (AGT) to sell surveillance solutions.\r\nCountries that had ties to RCS Lab’s past business connections. Top row: Chile, Pakistan, Mongolia\r\nand Bangladesh; bottom row: Myanmar, Vietnam, Turkmenistan and Syria.\r\nTykelab and its connection to RCS Lab\r\nAccording to its own website, Tykelab provides innocuous technology solutions. However, we found various\r\npublicly available clues that suggest otherwise. In addition to the Italian parliamentary document, we found\r\nseveral pieces of evidence tying Tykelab to RCS Lab.\r\nFor example, a current Tykelab employee’s LinkedIn profile indicates that they also work at RCS Lab. In addition,\r\nthe company offers services that require skills that may be useful in the development and delivery of\r\nsurveillanceware, such as knowledge of or interaction with telecommunications networks, social media analysis,\r\nSMS services, and mobile app development. One of the Tykelab job postings for a security engineer we found\r\nspells out desired skills that would have direct application to surveillance of mobile networks and devices.\r\nThis Tykelab job listing highlights interest in mobile network vulnerabilities, penetration testing,\r\nand reverse engineering: skills that can serve both defensive and offensive purposes.\r\nIn our own analysis of Hermit, we were able to tie Tykelab to Hermit and RCS Lab. One of the IP addresses\r\nHermit used for C2 communications revealed an SSL certificate shared with another IP, 93.51.226[.]53. 
Notably,\r\nthe shared certificate has Milan, Italy in the locality field, which is where RCS Lab is headquartered.\r\nThis second IP used another SSL certificate that directly named RCS as the organization and Tykelab as the\r\norganizational unit. Its locality field references Rome, which is where Tykelab is headquartered.\r\nAn SSL certificate tied to Hermit infrastructure shows that Tykelab and RCS Lab are both connected\r\nto the spyware.\r\nTechnical analysis: Hermit’s advanced capabilities\r\nHermit is a highly configurable surveillanceware with enterprise-grade capabilities to collect and transmit data.\r\nFor example, it uses 20-plus parameters, which enables any operator to tailor it to their campaign. The spyware\r\nalso attempts to maintain the integrity of collected ‘evidence’ by sending a hash-based message authentication\r\ncode (HMAC) with the data. Because the HMAC is computed with a pre-shared key (the psk parameter in the\r\nconfiguration listed in the appendix), the receiving server can verify both that the data came from a holder of that\r\nkey and that it was not altered in transit. Using this method for data transmission may support the admissibility of\r\ncollected evidence.\r\nTo cover up its true intentions, Hermit is built to be modular. This means malicious functionality is hidden inside\r\nadditional payloads that the malware downloads as needed.\r\nHow it tricks victims and avoids detection\r\nAs we mentioned earlier, Hermit pretends to come from legitimate entities, namely telecommunications\r\ncompanies or smartphone manufacturers. To keep up this facade, the malware loads and displays the website of\r\nthe impersonated company while malicious activities kick off in the background.\r\nThe first malicious step is to decrypt an embedded configuration file with properties that are used to communicate\r\nwith the C2 server. But before communication happens, Hermit performs a series of checks to ensure that it isn’t\r\nbeing analyzed. 
This includes looking for the presence of an emulator and signs that the app itself has been\r\nmodified to make analysis easier: the configuration carries a certificateSignature value, the expected signature of\r\nthe app, and if the installed app’s signature does not match, the app will not run. A deleteApk flag determines\r\nwhether the APK files are deleted when the anti-emulation checks fail (both parameters are listed in the appendix).\r\nModules and data collection\r\nOnce the malware connects with the C2, it takes instructions on what modules to download, each with distinct\r\ncapabilities. In addition to the modules, the permissions that the malware requests indicate the various ways it\r\ncould collect data.\r\nHermit can be asked by the C2 to download modules from any URL and then load them\r\ndynamically.\r\nIn total we acquired 16 modules by interacting with the C2 address (45.148.30[.]122:58442) used by the\r\n“oppo.service” sample. Based on identification numbers assigned to the modules in Hermit’s code, there are at\r\nleast 25 modules.\r\nWithin the core app, we found an abstract class called “module” that provided additional hints as to what the rest\r\nof the modules are capable of. The code contained references to exploit usage, which was further confirmed by\r\nclues found in obtained modules. While we weren’t served exploits during testing, we can tell that an exploited\r\ndevice will have a local root service listening on 127.0.0.1:500 that the malware will “ping” for.\r\nSome variables hint that Hermit has modules that can use exploits.\r\nIf the device is confirmed to be exploitable, it will communicate with the C2 to acquire the files necessary to\r\nexploit the device and start its root service. 
This service will then be used to enable elevated device privileges such\r\nas access to accessibility services, notification content, package usage stats, and the ability to ignore battery\r\noptimization.\r\nBeyond the root service, some of the modules expect or attempt to use root access directly through a su binary.\r\nThese modules will attempt to modify the shared preferences of the SuperSU app in order to enable the execution\r\nof root commands without user interaction.\r\nWhile this may be a generic attempt at using root without user awareness, SuperSU may also be a part of the\r\nunknown exploitation process. If root is not available, the modules may prompt the user to take actions which will\r\naccomplish the same goals.\r\nThese are the modules we were able to acquire (refer to the appendix for a complete breakdown of each module):\r\nAccessibility Event, Account, Address Book, Audio, Browser, Calendar, Camera, Clipboard, Device Info,\r\nFile Download, File Upload, Log, Notification Listener, Screen Capture, Telegram, WhatsApp.\r\nLike other weaponry, spyware can easily be abused\r\nVendors of so-called “lawful intercept” spyware, such as RCS Lab, the NSO Group, and Gamma Group, usually\r\nclaim to only sell to entities that have a legitimate use for surveillanceware, such as police forces fighting\r\norganized crime or terrorism. However, there have been many reports, especially in recent years, of spyware being\r\nmisused.\r\nWe found evidence of Hermit being deployed in Kazakhstan and Syria, countries with poor human rights records.\r\nEven in the case of the anti-corruption operations in Italy, there was alleged mishandling of personal and private\r\ndata.\r\nIn a sense, electronic surveillance tools are not that different from any other type of weaponry. 
Just this month,\r\nfaced with financial pressure, NSO Group CEO Shalev Hulio opened up the possibility of selling to “risky”\r\nclients. Spyware makers operate in secrecy and with limited oversight, and the legitimacy of the use of their\r\nproducts is rarely as clear-cut as they project.\r\nHow to protect yourself from spyware like Hermit\r\nMobile devices have sophisticated data collection capabilities and we carry them all the time, which makes them\r\nthe perfect target for surveillance. While not all of us will be targeted by sophisticated spyware, here are some tips\r\nto keep yourself and your organization safe:\r\nUpdate your phone and apps: Operating systems and apps will often have vulnerabilities that need to\r\nbe patched. Update them so that known exploits no longer work.\r\nDon’t click on unknown links: One of the most common ways for an attacker to deliver malware is\r\nby sending you a message pretending to be from a legitimate source. Don’t click on links, especially when\r\nyou don’t know the source.\r\nDon’t install unknown apps: Exercise caution when installing apps from outside the official app store,\r\neven if the source of the app seems like a legitimate authority; the Hermit samples impersonated carriers\r\nand phone manufacturers and, we believe, arrived via SMS links rather than through Google Play.\r\nPeriodically review your apps: Sometimes malware can change settings or install additional content on\r\nyour phone. Check your phone periodically to ensure nothing unknown has been added.\r\nIn addition to following the security best practices outlined above, we strongly recommend having a dedicated\r\nmobile security solution to ensure that your device is not compromised by malware or phishing attacks.\r\nTo the best of our knowledge the apps described in this article were never distributed through Google Play. 
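As an added example (not Lookout’s code and not part of the original post), the following Python script turns the indicators listed in the Indicators of Compromise section below into a small matcher: it refangs the bracketed dots, checks proxy log lines for the listed C2 IP:port pairs, checks DNS log lines for the listed domains or any subdomain of them, and compares a file’s SHA1 against the core app hashes. The log line layout (dst=ip:port for proxy records, q=hostname for DNS records) and the five sample lines are constructed for the example; the legitimate Oppo support page that Hermit loads as cover is deliberately included so the matcher shows it does not fire on the decoy.

```python
import hashlib
import re

# Indicators transcribed from the report's IoC section. Bracketed dots are the
# report's defanging convention and are undone by refang() before matching.
C2_SOCKETS = {
    '2.229.68[.]182:8442', '2.228.150[.]86:8443', '93.57.84[.]78:8443',
    '93.39.197[.]234:8443', '45.148.30[.]122:58442', '85.159.27[.]61:8442',
}
DOMAINS = {
    '119-tim[.]info', '133-tre[.]info', '146-fastweb[.]info', '155-wind[.]info',
    '159-windtre[.]info', 'iliad[.]info', 'amex-co[.]info', 'cloud-apple[.]info',
    'fb-techsupport[.]com', 'milf[.]house', 'mobdemo[.]info', 'mobilepays[.]info',
    'kena-mobile[.]info', 'poste-it[.]info', 'rojavanetwork[.]info',
    'store-apple[.]info', 'wind-h3g[.]info',
}
CORE_APP_SHA1 = {
    'ca101ddfcf6746ffa171dc3a0545ebd017bf689a', 'b1dfb2be760d209846f2147ce32560954d2f71b5',
    'cf610aae906ffcfd52c08d6ba03d9ce2c9996ac8', '22f49fa7fe1506d2639f08e9ae198e262396c052',
    '97ead8dec0bf601ba452b9e45bb33cb4a3bf830f', '527141e1ee5d76b55b7c7640f7dcf222cb93e010',
    '4f8145805eec0c4d8fc32b020744d4f3f1e39ccb', '9f949b095c2ab4b305b2ea168ae376adbba72ffb',
}


def refang(ioc):
    # Undo the [.] defanging so the indicator can be compared with live data.
    return ioc.replace('[.]', '.')


C2_SET = {refang(s) for s in C2_SOCKETS}
DOMAIN_SET = {refang(d) for d in DOMAINS}

# ip:port pairs anywhere in a line, and the hostname of a constructed q= DNS field
SOCKET_RE = re.compile(r'([0-9]{1,3}(?:[.][0-9]{1,3}){3}):([0-9]{1,5})')
QUERY_RE = re.compile(r'q=([a-z0-9.-]+)', re.IGNORECASE)


def match_line(line):
    # Return a list of (kind, indicator) hits for one proxy or DNS log line.
    hits = []
    for ip, port in SOCKET_RE.findall(line):
        sock = f'{ip}:{port}'
        if sock in C2_SET:
            hits.append(('c2', sock))
    query = QUERY_RE.search(line)
    if query:
        host = query.group(1).lower().rstrip('.')
        for domain in sorted(DOMAIN_SET):
            # exact match or any subdomain of a listed domain
            if host == domain or host.endswith('.' + domain):
                hits.append(('domain', domain))
    return hits


def scan_logs(lines):
    # (line index, hit) for every indicator found across a batch of lines
    return [(i, hit) for i, line in enumerate(lines) for hit in match_line(line)]


def is_known_core_app(apk_bytes):
    # SHA1 only catches the exact samples Lookout hashed; a repacked APK will not match.
    return hashlib.sha1(apk_bytes).hexdigest() in CORE_APP_SHA1


# Constructed sample log lines (assumed format, not from the report): a proxy
# hit on the Kazakh front-end C2, a DNS query under the Rojava lure domain, the
# legitimate Oppo decoy page that must NOT fire, a benign connection, and the
# real C2 behind the proxy.
SAMPLE_LOGS = [
    '2022-04-11T08:13:02Z proxy dst=45.148.30.122:58442 bytes=1832 app=oppo.service',
    '2022-04-11T08:13:05Z dns q=oppo-kz.custhelp.com a=203.0.113.9',
    '2022-04-11T08:14:40Z dns q=update.rojavanetwork.info a=198.51.100.7',
    '2022-04-11T08:15:01Z proxy dst=93.184.216.34:443 bytes=512 app=com.android.chrome',
    '2022-04-11T08:16:22Z proxy dst=85.159.27.61:8442 bytes=220 app=oppo.service',
]

if __name__ == '__main__':
    for index, (kind, indicator) in scan_logs(SAMPLE_LOGS):
        print(f'line {index}: {kind} indicator {indicator}')
```

Run it as a script to print the three hits on the sample lines, or import it and pass your own proxy or DNS records to scan_logs(). The subdomain rule matters because the report lists registered lure domains while real queries will usually be for hosts beneath them. The hash check is confirmation rather than primary detection: a repackaged APK with identical code has a different SHA1, and the 45.148.30[.]122 front end is a proxy that the operator can rotate, so the domain and hash matches should be treated as weaker evidence than a connection to the 85.159.27[.]61 back-end address.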
Users\r\nof Lookout security apps are protected from these threats.\r\nIndicators of Compromise\r\nCore app indicators (SHA1 hash values)\r\nca101ddfcf6746ffa171dc3a0545ebd017bf689a\r\nb1dfb2be760d209846f2147ce32560954d2f71b5\r\ncf610aae906ffcfd52c08d6ba03d9ce2c9996ac8\r\n22f49fa7fe1506d2639f08e9ae198e262396c052\r\n97ead8dec0bf601ba452b9e45bb33cb4a3bf830f\r\n527141e1ee5d76b55b7c7640f7dcf222cb93e010\r\n4f8145805eec0c4d8fc32b020744d4f3f1e39ccb\r\n9f949b095c2ab4b305b2ea168ae376adbba72ffb\r\nNetwork indicators (IP address:port)\r\n2.229.68[.]182:8442\r\n2.228.150[.]86:8443\r\n93.57.84[.]78:8443\r\n93.39.197[.]234:8443\r\n45.148.30[.]122:58442 (proxy in front of the Kazakhstan C2)\r\n85.159.27[.]61:8442 (real Kazakhstan C2, STS Telecom)\r\nSample of domains used in Hermit’s targeting operations\r\n119-tim[.]info\r\n133-tre[.]info\r\n146-fastweb[.]info\r\n155-wind[.]info\r\n159-windtre[.]info\r\niliad[.]info\r\namex-co[.]info\r\ncloud-apple[.]info\r\nfb-techsupport[.]com\r\nmilf[.]house\r\nmobdemo[.]info\r\nmobilepays[.]info\r\nkena-mobile[.]info\r\nposte-it[.]info\r\nrojavanetwork[.]info\r\nstore-apple[.]info\r\nwind-h3g[.]info\r\nParameter configurations Hermit uses\r\nvps: certificate fingerprint, IP address and port for C2 communication\r\np1, p3, p4, p5, p6: server endpoints for the various C2 communications\r\nredirectUrl: the benign URL opened when the application is launched\r\nhidden: determines whether the icon of the application is hidden\r\nvpsseed: string used together with android_id as a unique device identifier\r\ncertificateSignature: expected signature of the app; if the signature does not match, the app will not run\r\nwdpn: package name of another app interacted with on the device\r\nwdcn: component name of a service contained in the wdpn app\r\nxAuthToken: HTTP header added to every request for authentication\r\npsk: pre-shared key used for message authentication\r\ndeleteApk: boolean indicating whether APK files should be deleted if anti-emulation checks fail\r\nfp: fingerprint for protobuf encryption setup\r\npk: public key for protobuf encryption setup\r\napplicationId, gcmSenderId, projectId, storageBucket, apiKey: Firebase Messaging Service setup parameters\r\nModules downloaded by Hermit\r\nAccessibility Event: track the foreground app.\r\nAccount: steal stored account emails.\r\nAddress Book: steal contacts.\r\nAudio: record audio.\r\nBrowser: steal browser bookmarks and searches.\r\nCalendar: steal calendar events and attendees.\r\nCamera: take pictures.\r\nClipboard: steal current and future clipboard content.\r\nDevice Info: exfiltrate device information, including applications, kernel information, model, manufacturer,\r\nOS version, phone number, security patch level, and root/exploitation status.\r\nFile Download: download and install APK files on the device. Note: uses root to silently install apps.\r\nFile Upload: upload files from the device. Note: uses root to copy files the app does not have access to.\r\nLog: enable or disable verbose logging.\r\nNotification Listener: exfiltrate notification content. Note: dismisses or snoozes notifications that reference,\r\nbut do not originate from, the Hermit app.\r\nScreen Capture: take pictures of the screen. Note: uses root to run ‘screencap’.\r\nTelegram: prompt the user to reinstall Telegram on the device with a downloaded APK. Note: uses root to\r\nsilently uninstall and reinstall Telegram, and copies the old app’s data to the new app’s folder, changing the\r\nfiles’ SELinux contexts and owners.\r\nWhatsApp: prompt the user to reinstall WhatsApp via the Play Store.\r\nAuthors\r\nJustin Albrecht\r\nGlobal Director, Mobile Threat Intelligence\r\nJustin Albrecht is the Global Director of Mobile Threat Intelligence. He works with his team to uncover new\r\nmobile threats, track actors and targets, and provide accurate research and reporting on these issues. Justin has\r\nover 20 years of experience tracking cyber threat actors, terrorists, and intelligence activities in both the\r\nintelligence community, and more recently as a member of Lookout’s Threat Intelligence Team.\r\nPaul Shunk\r\nStaff Security Intelligence Researcher\r\nPaul is a security researcher with a primary focus on reverse engineering mobile malware. Prior to Lookout, he\r\nworked in a security operations centre, first as a cyber threat intelligence analyst and later in security\r\ninvestigations. Paul graduated with a Bachelor of Applied Information Sciences (Information Systems Security)\r\nfrom Sheridan College in 2015.\r\nSource: https://de.lookout.com/blog/hermit-spyware-discovery",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://de.lookout.com/blog/hermit-spyware-discovery"
	],
	"report_names": [
		"hermit-spyware-discovery"
	],
	"threat_actors": [],
	"ts_created_at": 1775434256,
	"ts_updated_at": 1775791293,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/01f4ce997038484c4a39f6a8559d7da0fba26111.pdf",
		"text": "https://archive.orkl.eu/01f4ce997038484c4a39f6a8559d7da0fba26111.txt",
		"img": "https://archive.orkl.eu/01f4ce997038484c4a39f6a8559d7da0fba26111.jpg"
	}
}