{
	"id": "2d6dadf7-f3bf-4ba1-a06c-78f9f9db231a",
	"created_at": "2026-04-06T00:06:14.954575Z",
	"updated_at": "2026-04-10T13:12:37.421735Z",
	"deleted_at": null,
	"sha1_hash": "24ec545b3086e36b80ea308ef87269268f79df5e",
	"title": "Roaming Mantis - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 69298,
	"plain_text": "Roaming Mantis - Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 17:53:39 UTC\nOther threat group: Roaming Mantis\nNames\nRoaming Mantis (Kaspersky)\nRoaming Mantis Group (Kaspersky)\nShaoye (?)\nCountry [Unknown]\nMotivation Financial crime\nFirst seen 2017\nDescription\n(Kaspersky) In March 2018, Japanese media reported the hijacking of DNS settings on routers located in Japan, redirecting users to malicious IP addresses. The redirection led to the installation of Trojanized applications named facebook.apk and chrome.apk that contained Android Trojan-Banker. According to our telemetry data, this malware was detected more than 6,000 times, though the reports came from just 150 unique users (from February 9 to April 9, 2018). Of course, this is down to the nature of the malware distribution, but it also suggests a very painful experience for some users, who saw the same malware appear again and again in their network. More than half of the detections were observed targeting the Asian region.\nDuring our research we received some invaluable information about the true scale of this attack. There were thousands of daily connections to the command and control (C2) infrastructure, with the device locale for the majority of victims set to Korean.\nSince we didn’t find a pre-existing name for this malware operation, we decided to assign a new one for future reference. Based on its propagation via smartphones roaming between Wi-Fi networks, potentially carrying and spreading the infection, we decided to call it ‘Roaming Mantis’.\nObserved\nCountries: Azerbaijan, Bangladesh, Brazil, Cambodia, Canada, China, Denmark, Finland, France, Germany, Hong Kong, India, Indonesia, Iran, Ireland, Italy, Japan, Kazakhstan, Netherlands, Russia, Saudi Arabia, South Korea, Sri Lanka, Sweden, Switzerland, Taiwan, Thailand, Turkey, UK, USA, Vietnam.\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=d8f07834-98d8-473b-a247-9b54aa4571a1\nPage 1 of 3\n\nTools used Roaming Mantis, SmsSpy.\nOperations performed\nFeb 2018\nRoaming Mantis malware is designed for distribution through a simple, but very efficient trick based on a technique known as DNS hijacking. When a user attempts to access any website via a compromised router, they will be redirected to a malicious website.\nMay 2018\nIn May, while monitoring Roaming Mantis, aka MoqHao and XLoader, we observed significant changes in their M.O. The group’s activity expanded geographically and they broadened their attack/evasion methods. Their landing pages and malicious apk files now support 27 languages covering Europe and the Middle East. In addition, the criminals added a phishing option for iOS devices, and crypto-mining capabilities for the PC.\nSep 2018\nIn addition, they have started using web crypto-mining for PC, and an Apple phishing page for iOS devices.\nFeb 2019\nAccording to our detection data, new variants of sagawa.apk Type A (Trojan-Dropper.AndroidOS.Wroba.g) have been detected in the wild, based on our KSN data from February 25, 2019 to March 20, 2019.\nJun 2019\nRoaming Mantis: a new phishing method targets a Japanese MNO\nAug 2019\nThe McAfee mobile research team has found a new type of Android malware for the MoqHao phishing campaign (a.k.a. XLoader and Roaming Mantis) targeting Korean and Japanese users. A series of attack campaigns are still active, mainly targeting Japanese users. The new spyware has very different payloads from the existing MoqHao samples.\nFeb 2020\nThe group’s attack methods have improved and new targets continuously added in order to steal more funds. The attackers’ focus has also shifted to techniques that avoid tracking and research: whitelist for distribution, analysis environment detection and so on.\nJun 2020\nThe RoamingMantis Group’s Expansion to European Apple Accounts and Android Devices\nJan 2021\nRoaming Mantis Amplifies Smishing Campaign with OS-Specific Android Malware\n2021\nRoaming Mantis reaches Europe\n2022\nRoaming Mantis implements new DNS changer in its malicious mobile app in 2022\nJul 2022\nOngoing Roaming Mantis smishing campaign targeting France\nInformation\nLast change to this card: 15 February 2023\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=d8f07834-98d8-473b-a247-9b54aa4571a1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=d8f07834-98d8-473b-a247-9b54aa4571a1"
	],
	"report_names": [
		"showcard.cgi?u=d8f07834-98d8-473b-a247-9b54aa4571a1"
	],
	"threat_actors": [
		{
			"id": "c94cb0e9-6fa9-47e9-a286-c9c9c9b23f4a",
			"created_at": "2023-01-06T13:46:38.823793Z",
			"updated_at": "2026-04-10T02:00:03.113045Z",
			"deleted_at": null,
			"main_name": "Roaming Mantis",
			"aliases": [
				"Roaming Mantis Group"
			],
			"source_name": "MISPGALAXY:Roaming Mantis",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f9bc28d0-ce98-4991-84ae-5036e5f9d4e3",
			"created_at": "2022-10-25T16:07:24.546437Z",
			"updated_at": "2026-04-10T02:00:05.029564Z",
			"deleted_at": null,
			"main_name": "Roaming Mantis",
			"aliases": [
				"Roaming Mantis Group",
				"Shaoye"
			],
			"source_name": "ETDA:Roaming Mantis",
			"tools": [
				"MoqHao",
				"Roaming Mantis",
				"SmsSpy",
				"Wroba",
				"XLoader"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433974,
	"ts_updated_at": 1775826757,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/24ec545b3086e36b80ea308ef87269268f79df5e.pdf",
		"text": "https://archive.orkl.eu/24ec545b3086e36b80ea308ef87269268f79df5e.txt",
		"img": "https://archive.orkl.eu/24ec545b3086e36b80ea308ef87269268f79df5e.jpg"
	}
}