{
	"id": "79d1cd3d-9b49-490c-b2e9-d8b415c02a2d",
	"created_at": "2026-04-06T00:09:32.763139Z",
	"updated_at": "2026-04-10T03:30:41.405722Z",
	"deleted_at": null,
	"sha1_hash": "15879bafe597979ff8fb78bba47d075c48f23381",
	"title": "ToxicPanda Malware in 2025 | Bitsight TRACE Threat Research",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1882986,
	"plain_text": "ToxicPanda Malware in 2025 | Bitsight TRACE Threat Research\r\nWritten by Pedro Falé, Threat Researcher\r\nArchived: 2026-04-05 16:16:36 UTC\r\nToxicPanda is an Android banking trojan designed to steal banking and digital wallet logins, overlay PIN \u0026 pattern codes and perform unauthorized transactions.\r\nThe malware campaign peaked at 4500 infected devices while touring Europe, and now targets Portugal and Spain.\r\nAndroid banking malware: ToxicPanda\r\nToxicPanda is a banking trojan designed to infiltrate your mobile device, stealing financial details by targeting banking \u0026 financial apps. The malware keeps evolving, with the developers behind it quick to add new features, such as overlaying PIN \u0026 pattern codes and overlaying credential inputs for specific banking apps, allowing cybercriminals to remotely take control of compromised bank accounts and initiate unauthorized money transfers.\r\nFirst identified in 2022 by Trend Micro, the malware then migrated from Southeast Asian targets to Europe in 2024. Since then, TRACE has identified a shift in the geolocation distribution of infections: Portugal \u0026 Spain are now the main targets in early 2025 and the botnet has doubled in size. 
We will take a look at these new developments, but before we dive in, we want to preface them with the following chapter, for greater context on this threat.\r\nHeadlines covering tens of thousands or even millions of devices tend to involve malware associated with proxies or DDoS botnets, using your device either to pass network traffic or to attack someone else: security concerns to be sure, but less likely to cause you direct financial harm. On the other hand, ransomware, banking and APT infections are generally smaller; campaigns are often industry- or region-specific, limited in time, and carry more severe consequences for the victim.\r\nTherefore, numbers can tell two different stories. Proxy malware may spread like wildfire, quickly and quietly turning countless devices into tools for cybercriminals, often unnoticed. But banking malware? Even a single infection can shatter someone’s financial security, drain their savings, and turn decades of work to dust. It’s not just about numbers; it’s about the real, personal losses that turn lives upside down.\r\nAccording to a report disclosed by Kaspersky, in 2024 cybercriminals intensified their focus on mobile banking data theft, leading to a 196% surge in Trojan banker attacks on smartphones compared to the previous year. This escalation resulted in over 1.24 million attacks on Android devices. In November 2024, discoveries made by Cleafy researchers highlighted a variant of TgToxic named ToxicPanda, spreading beyond its initial targets in Southeast Asia and actively infecting devices in Europe and Latin America, with 1,500 devices predominantly in Italy, followed by Portugal, Hong Kong, Spain and Peru, as shown in the following figure from Cleafy.\r\nhttps://www.bitsight.com/blog/toxicpanda-android-banking-malware-2025-study\r\nPage 1 of 22\n\nSource: Cleafy\r\nThe campaign focused on Italy in late 2024, capturing most of the attention. 
Even so, 300 infected devices in Portugal were enough to cause victims, even drawing national news coverage. This hint of a new target was confirmed by a demographic shift in 2025.\r\nThe team at TRACE has uncovered around 3000 devices infected in Portugal by ToxicPanda. Taking a look at Bitsight's current visibility of infections for ToxicPanda in 2025, we can clearly see the result of efforts targeting the Iberian Peninsula: both countries together represent over 85% of all global infections we observed.\r\nThe majority of infections are from Portugal, currently registering around 3000 compromised devices, with Spain at around 1000 devices. Less popular locations include Greece, Morocco and Peru.\r\nLooking at the phone models represented, it is clear that Samsung, Xiaomi and Oppo devices account for the majority of infections.\r\nThese devices also tend to be associated with the more accessible series from each brand, such as Samsung A, Xiaomi Redmi and Oppo A. However, it is important to note that we also see top-tier models being compromised, such as the Samsung S series. This includes mostly older models like the S8-S9 but also some recent phone models such as the S23.\r\nTRACE has identified an added technique used by the threat actors behind ToxicPanda: leveraging TAG-124 infrastructure to facilitate malware distribution with increased operational resilience. Once again, the actors behind ToxicPanda demonstrate their commitment to further develop not only the malware itself, but the surrounding infrastructure as well. We have seen the malicious apk hosted on several websites. 
TRACE suspects these websites are not random, nor owned by the malware developers, but in fact by TAG-124, as we will describe next.\r\nThe malicious files appear as follows: ‘dropper.apk’ and ‘no_dropper.apk’\r\nIn January 2025, Insikt announced the existence of a multi-layered Traffic Distribution System (TDS) utilized by multiple threat actors to facilitate the delivery of malware to unsuspecting victims.\r\nTAG-124 is a type of Traffic Distribution System (TDS). In this context, \"multi-layered\" refers to the several interdependent components that work together to analyze, filter, and redirect web traffic for malicious purposes. Moreover, the multi-layered TDS infrastructure of TAG-124 is not exclusive to one group. The threat actors behind TAG-124 continually update the system by adding compromised domains, rotating URLs, adding new servers, and refining the TDS logic.\r\nToxicPanda is now utilizing this infrastructure to facilitate the distribution of the malware. Samples behind the early 2025 campaign of ToxicPanda are hosted on the open directory of websites, some of which have been previously linked with TAG-124.\r\nThere are two major distinctions between the websites: one group seems to be under direct registration by the threat actors behind TAG-124, based on their naming scheme (e.g. ‘update-chronne[.]com’). 
The second group are compromised websites.\r\nWe managed to link 52 domains with TAG-124, hosting ToxicPanda malware on an open directory associated with the early 2025 campaign.\r\nAt the time of writing some domains are even indexed in Google, such as:\r\nThese sites have previously been seen using two techniques to trick users into installing malware:\r\nReCaptcha (ClickFix)\r\nFake Google Chrome update pages\r\nThis carefully orchestrated redirection is part of the TDS’s design to ensure that only selected targets are funneled to these malicious endpoints.\r\nIn the case of ToxicPanda it seems very straightforward. The website directly hosts the malicious files, as shown previously, in a very crude way. This perhaps signals the ongoing development of the malware infrastructure, or an unknown infection vector that pulls the malware hosted on the open directory of these websites, such as fake Play Store droppers or fake Play Store websites, since some of these domains contained the “chromewebstore.google.com” subdomain. TRACE was not able to find evidence of the initial infection vectors.\r\nIn this chapter we will look into the underlying technicalities behind the malware, such as overlays, anti-emulation, encryption and other topics. The AndroidManifest.xml file present in the app file (with extension .apk) details a list of 58 permissions requested by the app.\r\nThe app abuses Accessibility services to hijack the user interface (UI) of the device and “elevate” the permissions it has on the device. Accessibility is becoming an increasingly abused system feature. 
In simple terms, this is like having a trusted assistant on your phone who can control almost everything on your behalf.\r\nAs you can guess, this feature was not meant to be taken advantage of by malware, but to aid people with disabilities. If enabled, ToxicPanda essentially leverages a feature meant to help users with disabilities. This abuse allows the malware to bypass security measures, intercept one-time passwords (OTPs), and even alter what’s displayed on the screen to trick users into authorizing fraudulent transfers or entering PIN/gesture locks.\r\nThis latest version of ToxicPanda no longer runs in popular sandbox environments made to dynamically analyse malware (such as Joe, VirusTotal and Triage). Therefore, in order to understand the app's behaviour we had to bypass the anti-emulation measures.\r\nUpon install, a fake “Google Chrome” appears. Below you can see evidence of this on a mobile phone.\r\nThe malicious application will try to bait you into enabling accessibility services. Once granted, the app will display the following loading screen while it finishes its setup, granting permissions and modifying settings. 
Funnily enough, during this phase, if you turn up the volume, you can hear the touch ‘clicks’ going on in the background; this is the malicious app navigating and altering settings.\r\nDuring initial communication with the C2, the app receives a JSON payload containing 39 entries, each corresponding to a banking app with its own custom phishing overlay, showcasing the growing sophistication of the malware.\r\nChanges to this payload could be used to track new campaigns/targets.\r\nThe malware abuses the Android WebView, modifying settings and allowing it to steal credentials from unsuspecting victims via overlays. Overlay attacks work by loading a WebView on top of the legitimate app that looks very similar to the original one.\r\nFor example, the phishing overlay for the banking app of ‘Bankinter for Portugal’ (com.bankinter.portugal.bmb) is exactly the same as the current app login, perhaps signalling an effort towards a Portuguese-targeted campaign.\r\nThe images below are some of these phishing overlays.\r\nSome overlays use a \"through\" flag that sends your input to the app behind them. Malware exploits overlays of TYPE_ACCESSIBILITY_OVERLAY to bypass native protections against this, capturing credentials via fake overlays and simulating interactions through accessibility services to access banking apps and perform unauthorized transfers. Only Android 14+ apps that explicitly use ACCESSIBILITY_DATA_PRIVATE_YES on a view can block other apps that are not on the Play Store from interacting via accessibility. 
This is not yet widely adopted by many wallets, and even in the best-case scenario where it is, the malware can still capture your credentials through the fake overlay and exfiltrate them.\r\nYou can find the list of the latest 39 phishing overlays for banking apps here\r\nThese custom overlays loaded from the C2 are not the only ones. There are some default PIN/seed and gesture lock overlays as well, associated with a list of hundreds of banking and digital wallet apps. But these tend to be generic: a greyed-out gesture overlay with the same app icon. Think of the way you would gesture-unlock your phone; you get that overlay in PIN/gesture-locked apps that are known to use this, often wallet/crypto apps.\r\nNetwork and infrastructure\r\nWe will now further detail the network and infrastructure used by this malware, such as the DGA logic, anti-emulation, new encryption keys, routines, payloads exchanged upon infection, added C2 commands and persistence. The malware relies on anti-emulation, code obfuscation, and encryption to thwart detection and reversing efforts. Due to the code being obfuscated in some areas, some functions in the code snippets shown might be renamed for easier understanding.\r\nWe noticed that the latest samples of ToxicPanda (no_dropper.apk - com.example.mysoul) no longer fully detonate on sandboxes, making it harder to get C2 communication. We will not dive into each specific anti-analysis topic, as this has been detailed recently by Intel 471 and remains mostly unchanged in recent samples, with only minor tweaks to previously covered behavior. Most of the anti-emulation checks come from: CPU info, common emulator paths and emulator strings such as “vbox”, “qemu”, “genymotion”, etc. 
The anti-emulation function is detailed in the code snippet below.\r\nNew additions include: further Bluetooth checks, checks on sensors of type 5 (which measures ambient light, commonly used to auto-regulate screen brightness), and a telephony dial check where the apk sends an intent to dial 12345.\r\nEmulators often lack certain default applications or the variable sensor data that would be present on physical devices. Checking this availability and the variance in collected metrics may suggest that the code is running on an emulator, triggering the anti-emulation method to return “TRUE” and sending the malware into a long sleep or uninstalling it completely.\r\n1. Hijacking the DGA\r\nThe newer version of ToxicPanda implements a Domain Generation Algorithm (DGA), which generates a large number of C2 domain names. This strategy complicates efforts to block its communications, enhancing malware resilience in case some domains are disabled or taken down, thereby maintaining continuous contact with its operators.\r\nIn the case of ToxicPanda the DGA is quite simple. It generates one second-level domain per month, then appends a TLD by cycling through a list, to find a domain that is responding.\r\nThe DGA logic, represented in the function dga_domain_hash_substring(), is as follows:\r\nYou can see the Python code to replicate this DGA here, and the domains for 2025 here\r\nThe TLD is then appended from a list, cycled through when attempting the HTTP request. This cycle is sequential, meaning it always starts at: “com”, “net”, “org” … etc. 
This sequential pattern of the TLD list presents a vulnerability in the threat actor's infrastructure: its predictability makes the botnet vulnerable to C2 takeover.\r\nHaving the full domain, the malware will attempt the following HTTP request:\r\nhttps://ctrl.\u003cgenerated_domain+.TLD\u003e/adv.php?apk=XXXXXX\u0026cmode=test\u0026device=XXXXXXXXXX\r\nWhen the request is successful, the malware obtains the following 200 response with a “resOk” field equal to ‘true’:\r\nJSON\r\nResponse Code: 200\r\nResponse Body:\r\n{\r\n \"resOk\": true,\r\n \"token\": \"COYDNtCufeEXPnQR2J5F4fHcAFd1+MkpNntyI/kwPzIWE4Qi4cORonjIhcmokQ4H\"\r\n}\r\nIf it fails to establish communication with the C2 after exceeding the entire TLD list 10 times, it falls back to the “dom.txt” file for a valid domain. The token we see in the response is a JSON document, base64 encoded and AES/ECB encrypted.\r\n2. Encryption \u0026 Payloads\r\nWe found 2 uses of encryption in the apk:\r\nAES/ECB/PKCS5Padding\r\nDES/CBC/PKCS5Padding\r\nAES/ECB\r\nGenerally the one being used, it encrypts every communication/payload sent to the C2 with collected data, and the commands received from the C2 server, as shown in the following code snippet.\r\nThe encryption key used for all of this remains hardcoded and obfuscated in a byte array within the code.\r\nAES Secret Key: \"0623U25KTT3YO8P9\"\r\nLooking back at the previous C2 response, the ‘token’ value then decrypts to:\r\nThis information is appended to the domain previously generated via the DGA, in order to establish a websocket connection for C2 communication.\r\nThe host value, in this case “eu”, will change based on the device IP geolocation, and receives a corresponding prefix for the domain. The port will be used in the URI. 
As such:\r\nWebsocket URL: { https://host.domain.tld/ioport/…. }\r\nThe malware sends its first payload to the C2 with device information, letting the C2 know the device is online and ready to receive its first set of routine commands:\r\nThe malware establishes a websocket with the C2 to send data and receive its first commands.\r\nIn the following image, we can see the first routine payloads that are always exchanged post-infection with the C2 server. The image shows intercepted traffic from the client to the server after establishing a secure websocket with the C2 domain.\r\nClient-to-server:\r\nThe client sends the following encrypted payload:\r\nSome highlights here are: “deviceOnline” and “appName” (as we confirmed previously, it’s hidden under a fake “Google Chrome” application), and script version 1.4.7.\r\nServer-to-Client:\r\nThe C2 server, upon receiving this payload with {“action”:deviceOnline…}, will always send the following initial commands for setup:\r\nDES/CBC\r\nDES is only used once, when encrypting a particular string into a .txt file. During C2 comms, specifically in the payload {\"action\":\"catAllViewSwitch\"}, there is a domain field at the end. This domain is appended to the ‘dom.txt’ file using DES encryption.\r\n‘dom.txt’ is used as a fallback in case the malware fully loops the DGA 10 times and is still unable to contact the C2 server. This way the malware saves the previously active C2 domains in case future domains fail.\r\nDES Secret key: \"jp202411\" and IV: \"jp202411\"\r\nNew infrastructure:\r\nThe domain that is encrypted and stored in ‘dom.txt’ is usually the DGA domain that successfully responded. 
But lately, as of June, and perhaps because of us snooping around, the domain being sent by the C2 to store in ‘dom.txt’ is now ksicngtw[.]org, which is not a DGA domain.\r\nLooking at the passive DNS of this domain, we can see two additional findings:\r\nThe Cloudflare IPs that point to this domain, 104.21.52.214 and 172.67.204.27, also host the current DGA domain as of May.\r\nThe domain d7472ad157[.]lol actively responds to all ToxicPanda malware requests, yet it’s not a domain produced by the current DGA...\r\nThere are also files within the apk: a ZIP file containing mp3 files and a folder for each language the apk supports. This is password protected. The password is “BySoulkey\u0026TryEncoderUnit2024114”\r\nLastly, in both of these last passwords/keys we see the presence of ‘202411’. This is common across samples and we believe it can be used to track campaigns, as this one seems to have started around November 2024.\r\n3. New commands\r\nFor the sake of brevity, we won’t be delving extensively into the full list of commands; you can consult our full list here.\r\nNevertheless, we will disclose the new commands we have seen added in this sample, showcasing once again that the malware developers are still very much active and engaged in propelling this malware.\r\nsetDisConnect – Not implemented;\r\ncloseNewWin – Likely shuts down, resets, or removes UI-related elements, such as overlays;\r\nsetDomain – Sets a domain in the ‘dom.txt’ file using DES encryption; this file is used as a fallback when the DGA fails;\r\nopenLayer – Loads a fake URL sent via payload on the specified apk, overlaying it above the real app;\r\nupdatePageRule – Phishing WebView overlays (C2 URI path) to load and overlay logins on the specified banking apps, to steal credentials;\r\n4. 
Persistence\r\nDuring the analysis of the malware, we identified multiple persistence techniques, ensuring it remains active even after attempted removal.\r\nThe malware first registers a unique broadcast receiver (this exists outside of the app function), which will re-trigger the malware if it receives the “RestartSensor” broadcast.\r\nThis “RestartSensor” broadcast is emitted by the app according to specific events. In onStart() the malware dynamically registers several Receivers, one of which will listen for any of the following intents for removing or replacing the app:\r\nPACKAGE_REMOVED\r\nPACKAGE_REPLACED\r\nPACKAGE_RESTARTED\r\nPACKAGE_DATA_CLEARED\r\nPACKAGE_FULLY_REMOVED\r\nPACKAGE_CHANGE\r\nThe registered receivers allow the malware to perceive intents to remove the apk, allowing it to trigger actions such as running the function onDestroy(). Below is an image breakdown of these mechanisms for a better understanding.\r\nTo put it simply, you won’t be able to uninstall this as you would other apps. Why? Even if you attempt to open the app settings to uninstall it, the malware will just close this window for you, due to accessibility services. Likewise, if you attempt to access the accessibility settings to deactivate it, the malware will also close this window.\r\nSo how do you remove it? You will need to connect to your device via ‘adb’:\r\nadb shell am force-stop com.example.mysoul\r\nadb uninstall com.example.mysoul\r\nToxicPanda, a persistent Android banking malware, continues to evolve and expand its footprint across Europe. After initially focusing on Italy in 2024, it has since pivoted its campaigns toward Portugal and Spain in 2025, signaling a deliberate geographic shift by the threat actors.\r\nOur analysis reveals that ToxicPanda is under active development. 
This is evidenced by several key enhancements: the integration of a Domain Generation Algorithm (DGA) to bolster infrastructure resilience, the adoption of TAG-124’s delivery framework to reduce detection risk, improved sandbox evasion techniques, expanded command sets, refined persistence mechanisms, updated encryption routines, and other incremental changes, all covered in detail throughout this report.\r\nWe also identified placeholders for future C2 commands and commented-out code fragments, the registration of new domains on Cloudflare infrastructure, and a change of C2 panel software, indicating ongoing feature development and experimentation. Curiously, remnants of Mandarin remain deep within the codebase, suggesting links to prior Chinese infrastructure, consistent with earlier findings by Cleafy, which identified Mandarin as the language of the previously used C2 panel.\r\nCyber threats targeting mobile users have become increasingly popular and sophisticated. TRACE recommends that users install apps solely from the official Play Store, beware of accessibility services, and review app permission requests. Although not foolproof, these best practices significantly reduce the risk of falling victim to Android banking malware.\r\nToxicPanda remains active, currently leveraging overlay attacks to compromise credentials from banking and financial applications. 
Existing infrastructure and development suggest this malware family is far from dormant: it campaigns, regroups, refines and delivers.\r\nPublic github with IOCs\r\nMalicious package:\r\ncom.example.mysoul\r\nC2\r\n38.54.119.95\r\nbusketmonmaster\r\nDGA domains 2025\r\nNEW Cloudflare infrastructure\r\n104.21.52.214\r\n172.67.204.27\r\nTwo new IOCs - Cloudflare\r\nd7472ad157[.]lol → this could be a new DGA?\r\nksicngtw[.]org → domain now being sent as the fallback stored in ‘dom.txt’\r\nWebsites seen hosting ToxicPanda malware on an open directory\r\nPossibly under direct registration by TAG-124:\r\ncheck-googlle[.]com\r\nupdate-chronne[.]com\r\nmktgads[.]com\r\nReference:\r\nKeeling, Megan. 
The Massive, Hidden Infrastructure Enabling Big Game Hunting at Scale. Recorded Future, 22 Apr. 2025\r\nSource: https://www.bitsight.com/blog/toxicpanda-android-banking-malware-2025-study",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bitsight.com/blog/toxicpanda-android-banking-malware-2025-study"
	],
	"report_names": [
		"toxicpanda-android-banking-malware-2025-study"
	],
	"threat_actors": [
		{
			"id": "4390d8ec-605d-493a-81ee-d5ef80c07046",
			"created_at": "2025-05-29T02:00:03.223467Z",
			"updated_at": "2026-04-10T02:00:03.873701Z",
			"deleted_at": null,
			"main_name": "TAG-124",
			"aliases": [
				"LandUpdate808"
			],
			"source_name": "MISPGALAXY:TAG-124",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434172,
	"ts_updated_at": 1775791841,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/15879bafe597979ff8fb78bba47d075c48f23381.pdf",
		"text": "https://archive.orkl.eu/15879bafe597979ff8fb78bba47d075c48f23381.txt",
		"img": "https://archive.orkl.eu/15879bafe597979ff8fb78bba47d075c48f23381.jpg"
	}
}