{
	"id": "80dabde5-9ecf-46f0-b0f1-1f61fbd6fe4f",
	"created_at": "2026-04-06T00:21:02.284758Z",
	"updated_at": "2026-04-10T03:37:50.26341Z",
	"deleted_at": null,
	"sha1_hash": "2a11ca0479de2f463f620e9a698554bed2dac1b0",
	"title": "Pawn Storm Update: iOS Espionage App Found",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 70024,
	"plain_text": "Pawn Storm Update: iOS Espionage App Found\r\nBy: Feike Hacquebord, Fernando Merces Feb 04, 2015 Read time: 4 min (962 words)\r\nPublished: 2015-02-04 · Archived: 2026-04-05 15:23:41 UTC\r\nUpdated February 6, 2015, 10:30 AM PST: Trend Micro™ Mobile Security protects users' iOS devices and stops threats before they reach them. Trend Micro Mobile Security offers protection and detects this malware using the cloud-based Smart Protection Network™ and Mobile App Reputation technology.\r\nUpdated February 11, 2015, 7:52 PM PST: In a previous version of this blog posting, we stated that the iOS device doesn’t have to be jailbroken per se for the malware to be installed. We revisited this finding and found that the iOS device indeed needs to be jailbroken. Exactly how the actors install the espionage malware on iOS devices is currently unknown to us. It is very likely that social engineering is an important part.\r\nIn our continued research on Operation Pawn Storm, we found one interesting poisoned pawn—spyware specifically designed for espionage on iOS devices. While spyware targeting Apple users is highly notable by itself, this particular spyware is also involved in a targeted attack.\r\nBackground of Operation Pawn Storm\r\nOperation Pawn Storm is an active economic and political cyber-espionage operation that targets a wide range of entities, like the military, governments, defense industries, and the media. The actors of Pawn Storm tend to first move a lot of pawns in the hopes they come close to their actual, high-profile targets. When they finally successfully infect a high-profile target, they might decide to move their next pawn forward: advanced espionage malware.\r\nThe iOS malware we found is among those advanced malware. We believe the iOS malware gets installed on already compromised systems, and it is very similar to next-stage SEDNIT malware we have found for Microsoft Windows systems. We found two malicious iOS applications in Operation Pawn Storm. One is called XAgent (detected as IOS_XAGENT.A) and the other one uses the name of a legitimate iOS game, MadCap (detected as IOS_XAGENT.B). After analysis, we concluded that both are applications related to SEDNIT. The obvious goal of the SEDNIT-related spyware is to steal personal data, record audio, make screenshots, and send them to a remote command-and-control (C\u0026C) server. As of this publishing, the C\u0026C server contacted by the iOS malware is live.\r\nAnalysis of XAgent\r\nThe XAgent app is fully functional malware. After being installed on iOS 7, the app’s icon is hidden and it runs in the background immediately. When we try to terminate it by killing the process, it restarts almost immediately. Installing the malware on an iOS 8 device yields different results: the icon is not hidden and it also cannot restart automatically. This suggests that the malware was designed prior to the release of iOS 8 in September 2014.\r\nhttps://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/\r\nPage 1 of 4\r\nData Theft Capabilities\r\nThe app is designed to collect all kinds of information on an iOS device. It is able to perform the following routines:\r\nCollect text messages\r\nGet contact lists\r\nGet pictures\r\nCollect geo-location data\r\nStart voice recording\r\nGet a list of installed apps\r\nGet a list of processes\r\nGet the Wi-Fi status\r\nFigure 1. XAgent code structure\r\nC\u0026C Communication\r\nBesides collecting information from the iOS device, the app sends the information out via HTTP. It uses POST requests to send messages and GET requests to receive commands.\r\nFormatted Log Messages\r\nThe malware’s log messages are written in HTML and color-coded, making it easier for human operators to read. Error messages tend to be in red, while others are in green, as shown in the figure below.\r\nFigure 2. Color-coded HTML log messages\r\nA Well-Designed Code Structure\r\nWe can see that the code structure of the malware is very organized. The malware looks carefully maintained and consistently updated.\r\nFigure 3. XAgent code structure\r\nThe app uses the commands watch, search, find, results, open, and close.\r\nFigure 4. List of base URIs\r\nRandomly Generated URI\r\nThe full uniform resource identifier (URI) for C\u0026C HTTP requests is randomly generated, according to a template agreed upon with the C\u0026C server. The base URI can be seen in Figure 4, and parameters are chosen from the list below and appended to the base URI.\r\nFigure 5. List of parameters used with URIs\r\nHere are the corresponding implementations we recovered during our reversing:\r\nFigures 6 and 7. Code for URI generation\r\nToken Format and Encoding\r\nThe malware uses a token to identify which module is communicating. The token is Base64-encoded data, but padded with a 5-byte random prefix so that it looks like valid Base64 data. See the “ai=” part in the first line of the figure below.\r\nFigure 8. Client (XAgent) request\r\nReverse engineering also revealed additional communication functions.\r\nFigure 9. HTTP communication functions\r\nFigure 10. C2 server\r\nFTP Communication\r\nThe app is also able to upload files via the FTP protocol.\r\nFigure 11. FTP communication functions\r\nAnalysis of \"MadCap\"\r\n\"MadCap\" is similar to the XAgent malware, but the former is focused on recording audio. \"MadCap\" can only be installed on jailbroken devices.\r\nFigure 12. Code structure of MadCap\r\nPossible Infection Methods\r\nThe exact methods of installing this malware are unknown. As far as we can tell, the iOS device has to be jailbroken to install the XAgent malware. However, we have seen one instance wherein a lure involving XAgent simply says “Tap Here to Install the Application.\"\r\nFigure 13. Site used in downloading XAgent\r\nIt is good to note that it is still possible to install the malicious app on non-jailbroken devices if the app is signed using Apple's enterprise certificate. Another possible scenario is infecting an iPhone after connecting it to a compromised or infected Windows laptop via a USB cable.\r\nTo learn more about this campaign, you may refer to our report, Operation Pawn Storm Using Decoys to Evade Detection. The hashes of the related files are:\r\n05298a48e4ca6d9778b32259c8ae74527be33815\r\n176e92e7cfc0e57be83e901c36ba17b255ba0b1b\r\n30e4decd68808cb607c2aba4aa69fb5fdb598c64\r\nSource: https://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/"
	],
	"report_names": [
		"pawn-storm-update-ios-espionage-app-found"
	],
	"threat_actors": [
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434862,
	"ts_updated_at": 1775792270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2a11ca0479de2f463f620e9a698554bed2dac1b0.pdf",
		"text": "https://archive.orkl.eu/2a11ca0479de2f463f620e9a698554bed2dac1b0.txt",
		"img": "https://archive.orkl.eu/2a11ca0479de2f463f620e9a698554bed2dac1b0.jpg"
	}
}