{
	"id": "2e5772c2-c8bc-4502-8743-a3150f16bea8",
	"created_at": "2026-04-06T00:07:11.971806Z",
	"updated_at": "2026-04-10T03:37:09.423768Z",
	"deleted_at": null,
	"sha1_hash": "2a822b7ca83e916a372c19558a87c61dc5255dc9",
	"title": "Malware wars: the attack of the droppers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2681484,
	"plain_text": "Malware wars: the attack of the droppers\r\nPublished: 2024-10-01 · Archived: 2026-04-05 21:17:43 UTC\r\nAnother 130.000+ installations of malicious droppers from official store\r\nA year ago, we highlighted a trend of malicious droppers in the Google Play store used to distribute banking Trojans. We also predicted further efforts by cybercriminals to reduce the malicious footprint of their malware in order to stay undetected. Distribution through droppers on official stores remains one of the most efficient ways for threat actors to reach a wide and unsuspecting audience. Although other distribution methods are also used depending on the cybercriminals' targets, resources, and motivation, droppers remain one of the best options in terms of price-effort-quality ratio, competing with SMiShing.\r\nThe history of competition between malware authors and security mechanisms has seen several twists whenever new measures are introduced. Droppers on Google Play went from using AccessibilityService to auto-allow installation from unknown sources to using legitimate sources to control them and store malicious payloads. Following the updates to the “Developer Program Policy” and system updates, actors immediately introduce new ways to sneak into the official store, overcoming limitations or adjusting droppers to follow the guidelines and not arouse suspicion. A brief history of that battle is presented on the graph below.\r\nhttps://www.threatfabric.com/blogs/the-attack-of-the-droppers.html\r\nPage 1 of 19\n\nIn this blog we uncover additional tactics cybercriminals use in new Google Play droppers discovered by ThreatFabric analysts. These droppers have a cumulative number of 130k+ installations and distribute the Sharkbot and Vultur banking Trojans.\r\nSharkbot: the less you see, the more they get\r\nIn the beginning of October 2022 ThreatFabric analysts spotted a new campaign of the banking Trojan Sharkbot, targeting Italian banking users. 
This campaign involved Sharkbot versions 2.29 – 2.32. Following the research path, our analysts were able to identify the dropper app located on Google Play with 10k+ installations, disguised as an app to calculate the tax code in Italy (“Codice Fiscale”) and targeting Italian users.\r\nThis is not the first time that a Sharkbot dropper sneaks into the official Google store, but this time the authors did their best to hide the malicious intent of the dropper. Previous versions of Sharkbot droppers, as well as other droppers (including those we highlight below in this blog), include the ability to download, install and launch the malicious payload. Obviously, such behaviour is quite suspicious and already made Google introduce changes to the Developer Program Policy, where usage of the REQUEST_INSTALL_PACKAGES permission was limited to apps that have it as core functionality.\r\nHowever, in this new iteration, the Sharkbot dropper authors tried their best not to include suspicious permissions at all, thus maintaining an extremely low profile. The new dropper has only 3 permissions, all of which are quite common.\r\nTo ensure that the dropper is launched on a real targeted device, the app obtains the SIM country and compares it to “it” (Italy): if it does not match, no malicious activity is performed. Besides, additional checks are made on the C2 side to ensure that the dropper is running on a targeted device: if the C2 is reached from a non-Italian IP address, it responds with a default “exit” message. Otherwise, the dropper receives configuration data with the URL of the payload.\r\nHere the interesting part starts: in order to avoid using the REQUEST_INSTALL_PACKAGES permission, the dropper opens a fake Google Play store page impersonating the Codice Fiscale app page. 
It contains fake information about the number of installations and reviews, and urges the victim to perform an update. Shortly after the page is opened, the automatic download starts. Thus, the dropper outsources the download and installation procedure to the browser, avoiding suspicious permissions.\r\nObviously, such an approach requires more actions from the victim, as the browser will show several messages about the downloaded file. However, since victims are sure about the origin of the application, they will highly likely install and run the downloaded Sharkbot payload.\r\nDuring our investigation, we also found another Sharkbot dropper available on Google Play. It had zero installations at the time of discovery and was quickly removed from the website. The interesting detail about this dropper was that it had the REQUEST_INSTALL_PACKAGES permission in place and operated more in line with the usual dropper behaviour. The actors were also following Google's updated policy, as this dropper was masqueraded as a file manager, a category that is allowed to have this permission because it is a core functionality.\r\nSimilarities in the code, C2 communication, and encryption used lead us to the same author behind the older versions of the Sharkbot dropper, trying to reduce footprints and stay undetected.\r\nTargets\r\nThe new “Codice Fiscale” dropper discovered by ThreatFabric is configured to distribute the Sharkbot payload to Italian users only, while the other “File Manager” dropper has Italy and the UK in its configuration. At the same time, the payload delivered still has banks from Italy, the UK, Germany, Spain, Poland, Austria, the US, and Australia in its target list. Please find the full target list in the Appendix.\r\nVultur: Brunhilda is back\r\nAnother malware family that has been very active in the last year is Vultur. 
First discovered by ThreatFabric in July 2021, Vultur is an Android banking trojan which specializes in stealing PII from infected devices using its screen-streaming capabilities. It is also able to create a remote session on the device using VNC technology to perform actions on the victim’s device, effectively leading to On-Device Fraud (ODF).\r\nUpon discovery, ThreatFabric first reported the strong connection between this malware family and the “Brunhilda Project” crew. This Threat Actor was known for its central role in the distribution sector of the Android banking malware landscape thanks to its dropper applications, which often managed to pass Google security checks and be approved on the Google Play Store. Initially, the Brunhilda droppers were deploying a variety of Android malware applications, for example samples of the malware family Alien. However, after the first discovery of Vultur, every dropper found on the Google Play Store only installed samples belonging to the Vultur malware family.\r\nRecently, ThreatFabric discovered 3 new droppers on the Google Play store, ranging from 1.000 to 100.000 installations reported by Google. As in previous campaigns observed throughout 2022, these droppers pose as applications like security authenticators or file recovery tools.\r\nThe Dropper\r\nThe dropper applications are consistent with the droppers that we reported in our first blog about Vultur, and the modus operandi has not changed much with respect to older variants. As usual, the dropper is made of a trojanized application, which provides the advertised functionality as well as the hidden dropper functionality. As previously reported, the dropper initially sends a registration message to its C2 server. As a response, the server sends back an appToken, which is then used in the following requests to identify the device. 
At this point, the dropper prompts the victim with a screen asking to download an update for the current application. If the user accepts the displayed request, the dropper proceeds to install Vultur.\r\nIn terms of execution of the installation, there are no real updates from previous versions of Brunhilda. However, the dropper currently implements a few obfuscation techniques which were not present in initial versions of the dropper. Firstly, in this new version, the installation logic is not contained in the main DEX file, but in an additional DEX file which is loaded dynamically. This additional step can complicate the life of researchers, making it harder to identify the code responsible for malicious activity.\r\nThe latest version of Brunhilda also implemented a new layer of obfuscation, which encrypts strings using AES with a varying key; the key is included in the byte array that is given as input to the decryption method, as explained in the picture below:\r\nOnce the payload is installed, the Brunhilda dropper launches the malware, and then continues existing on the device, acting as the application it is posing as.\r\nVultur\r\nThese Brunhilda droppers all deploy samples belonging to a novel variant of the Vultur Android banking malware family. This new variant maintains the modus operandi that characterized the original samples from 2021: once installed, the malware initiates a connection with its C2, and after registering it obtains its configuration containing its targets. Vultur features two separate target lists: one for screen-streaming targets and one for keylogging targets. 
Similarly to its older variant, the keylogging targets are social and messaging applications, while the screen-streaming targets are applications for online banking and cryptocurrency exchange. However, in this new variant, this second set of targets is also the list of applications for which extensive accessibility logging is performed.\r\nBy accessibility logging we mean the extensive logging of all UI elements and all the events associated with them (for example clicks, gestures, etc.). This is not a novel technique, but it is the first time we see it implemented in Vultur. This might be a solution to the issue created by a security flag often used in these banking applications: Android offers a way to tag the content of the window as secure, by using “FLAG_SECURE”, which prevents it “from appearing in screenshots or from being viewed on non-secure displays”. ThreatFabric tested this and is able to confirm that windows with this flag enabled only show a black screen during screen-streaming. However, if the keyboard is opened during interaction with the secured app, it will be visible on the recording, as well as all the keys pressed by the victim, leading to potential theft of input data. In this case, it is possible to obtain enough information to steal credentials even with a black screen, when all the UI events are logged and sent to the C2.\r\nIn our previous blog we documented through our research why we believe that Vultur, the malware downloaded by these droppers, is a malware family that is not only distributed, but also created by the criminals behind the Brunhilda Project. 
In addition to the reasons discussed in our previous blog, which focus on the networking protocol used, new variants of Vultur also adopted the very same string obfuscation algorithm discussed in the previous section about the Brunhilda dropper, further confirming our beliefs about the connection between these two malware families.\r\nTargets\r\nThese new Brunhilda-Vultur campaigns have been very active and successful in the last few months, reaching more than 100.000 potential fraud victims. Based on our research and investigation, in addition to cryptowallets, which have always been in the target list, the largest campaign we observed focused on the UK and the Netherlands, while the two smaller and more recent ones switched to Germany, France, and Italy. The full target list of Vultur is provided in the Appendix.\r\nConclusion\r\nAnother trend predicted by ThreatFabric’s experts comes true and looks like it is here to stay. Malicious dropper applications still find their way to sneak into the official store despite the changes made to the policy and security mechanisms. Distribution through droppers on Google Play still remains the most “affordable” and scalable way of reaching victims for most actors, whatever their level. While sophisticated tactics like telephone-oriented attack delivery require more resources and are hard to scale, droppers on official and third-party stores allow threat actors to reach a wide unsuspecting audience with reasonable effort. Such a way of distributing Android banking Trojans is very dangerous, as victims may stay unsuspecting for a long time and may not alert their bank about suspicious transactions made without their knowledge. 
Thus it is very important to take action on the organisation side to detect such malicious apps and their payloads, as well as suspicious behaviour happening on the customer’s device.\r\nWe at ThreatFabric always report the malicious droppers we identify in order to remove them from official stores and limit their further distribution. Financial organisations are welcome to contact us: if you suspect an app of being involved in malicious activity, feel free to reach our Mobile Threat Intelligence team, which will provide additional details and help with reporting the malicious app if identified: mti@threatfabric.com.\r\nFraud Risk Suite\r\nThreatFabric’s Fraud Risk Suite enables safe \u0026 frictionless online customer journeys by integrating industry-leading mobile threat intel, behavioural analytics, advanced device fingerprinting and over 10.000 adaptive fraud indicators. This will give you and your customers peace of mind in an age of ever-changing fraud.\r\nAppendix\r\nSharkbot Droppers\r\nApp name Package name SHA-256\r\nCodice Fiscale 2022 com.iatalytaxcode.app 5649fb11661e059a6fa276127be2ea688471fec7cd3b1f4b2745a7d2b048cc26\r\nFile Manager Small, Lite com.paskevicss752.usurf 84cad5780bb72075a9904040811e82fae39243d0a28c51f6095bc8b841c55356\r\nSharkbot Samples\r\nApp name Package name SHA-256\r\n_Codice Fiscale com.hzpwksdljgeibc.gmzjwdule 0cbd727b7fa8d9938746475e91fb22a46b75cdcca2778db78073e3c3da70ad31\r\n_Codice Fiscale com.gxulzkj.atuqczml 008338b39c0abf3aa75e92e845c34ac60e049a480eb1e0ab8d3147085a7bb745\r\nBrunhilda Droppers\r\nApp name Package name SHA-256\r\nMy Finances Tracker com.all.finance.plus 0626e98f9988c63684e575d7a0df839240f7963aed38f82010e63b1b85a9ef61\r\nRecoverFiles com.umac.recoverallfilepro e94a6f7dcdddd4b8c18110993f118f86d3cbfe1faf330f9968aaa7095dd189a4\r\nZetter Authenticator com.zetter.fastchecking 
54139e2e008ed2ebcb4fc71d8aa2470727a724c8607464d9c3688e9506952529\r\nVultur Samples\r\nApp name Package name SHA-256\r\nRecoverFiles com.accessible.recoverypro cae3a48013fcea931f6b84e196f625e27017a1cdc97c1d86c8077db431abd508\r\nZetter Authenticator com.zforce.setupex 8584d43067535dc97d12c4565e1636e3a1963421fe811ff6e58b4dbd7e5b947d\r\nSharkbot Targets\r\nPackage name App name\r\nau.com.nab.mobile NAB Mobile Banking\r\nat.erstebank.george George Österreich\r\ncom.grppl.android.shell.BOS Bank of Scotland Mobile Banking: secure on the go\r\nde.number26.android N26 — The Mobile Bank\r\nco.bitx.android.wallet Luno: Buy Bitcoin, Ethereum and Cryptocurrency\r\ncom.fineco.it Fineco\r\ncom.paypal.android.p2pmobile PayPal Mobile Cash: Send and Request Money Fast\r\nes.lacaixa.mobile.android.newwapicon CaixaBank\r\ncom.targo_prod.bad TARGOBANK Mobile Banking\r\ncom.grppl.android.shell.halifax Halifax: the banking app that gives you extra\r\npl.pkobp.iko IKO\r\norg.stgeorge.bank St.George Mobile Banking\r\nit.bnl.apps.banking BNL\r\ncom.vipera.chebanca CheBanca!\r\nuk.co.santander.santanderUK Santander Mobile Banking\r\ncom.wf.wellsfargomobile Wells Fargo Mobile\r\ncom.starfinanz.smob.android.* Sparkasse\r\npiuk.blockchain.android Blockchain Wallet. 
Bitcoin, Bitcoin Cash, Ethereum\r\ncom.commbank.netbank CommBank\r\nes.unicajabanco.app Unicaja Banco\r\nuk.co.mbna.cardservices.android MBNA - Card Services App\r\nde.postbank.finanzassistent Postbank Finanzassistent\r\ncom.barclays.android.barclaysmobilebanking Barclays\r\ncom.konylabs.capitalone Capital One® Mobile\r\ncom.advanzia.mobile Advanzia\r\nuk.co.tsb.newmobilebank TSB Mobile Banking\r\ncom.latuabancaperandroid Intesa Sanpaolo Mobile\r\ncom.citi.citimobile Citi Mobile®\r\ncom.virginmoney.uk.mobile.android Virgin Money Mobile Banking\r\ncom.grppl.android.shell.CMBlloydsTSB73 Lloyds Bank Mobile Banking: by your side\r\nposteitaliane.posteapp.appbpol BancoPosta\r\ncom.lynxspa.bancopopolare YouApp\r\nde.commerzbanking.mobil Commerzbank Banking - The app at your side\r\nuk.co.hsbc.hsbcukmobilebanking HSBC UK Mobile Banking\r\ncom.CredemMobile Credem\r\ncom.starlingbank.android Starling Bank - Better Mobile Banking\r\ncom.binance.dev Binance - Buy \u0026 Sell Bitcoin Securely\r\ncom.cooperativebank.bank The Co-operative Bank\r\ncom.transferwise.android TransferWise Money Transfer\r\ncom.usbank.mobilebanking U.S. Bank - Inspired by customers\r\nVultur Targets\r\nPackage name Application name\r\nasia.coins.mobile Coins.ph Wallet\r\nbe.aion.android.app Aion Bank\r\nbtc.org.freewallet.app Bitcoin Wallet. 
Buy \u0026 Exchange BTC coin－Freewallet\r\nbvm.bvmapp Knab Bankieren\r\ncash.klever.blockchain.wallet Klever Wallet: Buy Bitcoin, Ethereum, Tron, Crypto\r\ncedacri.mobile.bank.crbolzano isi-mobile Cassa di Risparmio\r\ncedacri.mobile.bank.esperia Mediobanca Private Banking\r\nco.bitx.android.wallet Luno: Buy Bitcoin, Ethereum and Cryptocurrency\r\nco.clabs.valora Valora - Crypto Wallet\r\nco.edgesecure.app Edge - Bitcoin, Ethereum, Monero, Ripple Wallet\r\nco.mona.android Crypto.com - Buy Bitcoin Now\r\nco.uk.Nationwide.Mobile Nationwide Banking App\r\ncom.CredemMobile Credem\r\ncom.IngDirectAndroid ING France\r\ncom.VBSmartPhoneApp BankUp Mobile\r\ncom.abnamro.nl.mobile.payments ABN AMRO Mobiel Bankieren\r\ncom.americanexpress.android.acctsvcs.it Amex Italia\r\ncom.americanexpress.android.acctsvcs.uk Amex United Kingdom\r\ncom.arkea.android.application.cmb Crédit Mutuel de Bretagne\r\ncom.bankid.bus BankID säkerhetsapp\r\ncom.banknorwegian Bank Norwegian\r\ncom.barclays.android.barclaysmobilebanking Barclays\r\ncom.barclays.bca Barclaycard\r\ncom.bbva.italy BBVA Italia Banca Online\r\ncom.binance.dev Binance - Buy \u0026 Sell Bitcoin Securely\r\ncom.bitcoin.mwallet Bitcoin Wallet\r\ncom.bitfinex.mobileapp Bitfinex\r\ncom.bitpanda.bitpanda Bitpanda - Buy Bitcoin in minutes\r\ncom.bittrex.trade Bittrex Global\r\ncom.bituniverse.portfolio BitUniverse:Crypto Trading Bot\r\ncom.boursorama.android.clients Boursorama Banque\r\ncom.breadwallet BRD Bitcoin Wallet. Buy BTC Bitcoin Cash, Ethereum\r\ncom.bunq.android bunq - bank of The Free\r\ncom.bybit.app Bybit: Crypto Trading Exchange\r\ncom.caisseepargne.android.mobilebanking Banque\r\ncom.cic_prod.bad CIC\r\ncom.cm_prod.bad Crédit Mutuel\r\ncom.coinbase.android Coinbase – Buy \u0026 Sell Bitcoin. 
Crypto Wallet\r\ncom.coinbase.pro Coinbase Pro – Bitcoin \u0026 Crypto Trading\r\ncom.coinbase.wallite Coinbase Wallet Lite\r\ncom.coinomi.wallet Coinomi Wallet :: Bitcoin Ethereum Altcoins Tokens\r\ncom.coinspot.app CoinSpot - Buy \u0026 Sell Bitcoin\r\ncom.comeco.teo TEO - Das neue Multibanking\r\ncom.cooperativebank.bank The Co-operative Bank\r\ncom.crypterium Crypterium Bitcoin Wallet\r\ncom.crypto.multiwallet Guarda Crypto Bitcoin Wallet\r\ncom.cryptonator.android Cryptonator cryptocurrency wallet\r\ncom.db.pbc.miabanca La Mia Banca\r\ncom.db.pwcc.dbmobile Deutsche Bank Mobile\r\ncom.defi.wallet Crypto.com l DeFi Wallet\r\ncom.digifinex.app DigiFinex - Buy \u0026 Sell Bitcoin, Crypto Trading\r\ncom.enjin.mobile.wallet Enjin: Bitcoin, Ethereum, Blockchain Crypto Wallet\r\ncom.etoro.openbook eToro - Smart Crypto Trading Made Easy\r\ncom.etoro.wallet eToro Money\r\ncom.fideuram.alfabetobanking Alfabeto Banking\r\ncom.fidor.fsw Fidor Smart Banking\r\ncom.fineco.it Fineco\r\ncom.firstdirect.bankingonthego first direct\r\ncom.gemini.android.app Gemini: Buy Bitcoin Instantly\r\ncom.getpenta.app Penta – Business Banking App\r\ncom.grppl.android.shell.BOS Bank of Scotland Mobile Banking: secure on the go\r\ncom.grppl.android.shell.CMBlloydsTSB73 Lloyds Bank Mobile Banking: by your side\r\ncom.grppl.android.shell.halifax Halifax: the banking app that gives you extra\r\ncom.hanseaticbank.banking Hanseatic Bank Mobile\r\ncom.hittechsexpertlimited.hitbtc HitBTC – Bitcoin Trading and Crypto Exchange\r\ncom.ie.capitalone.uk Capital One UK\r\ncom.ing.mobile ING Bankieren\r\ncom.kontist Kontist Tax Service\r\ncom.kraken.invest.app Kraken - Buy Bitcoin \u0026 Crypto\r\ncom.kraken.trade Pro: Advanced Bitcoin \u0026 Crypto 
Trading\r\ncom.krakenfutures Kraken Futures: Bitcoin \u0026 Crypto Futures Trading\r\ncom.kubi.kucoin KuCoin: Bitcoin Exchange \u0026 Crypto Wallet\r\ncom.latuabancaperandroid Intesa Sanpaolo Mobile\r\ncom.latuabancaperandroid.pg Intesa Sanpaolo Business\r\ncom.liberty.jaxx Jaxx Liberty: Blockchain Wallet\r\ncom.lumiwallet.android Lumi Crypto and Bitcoin Wallet\r\ncom.lynxspa.bancopopolare YouApp\r\ncom.mediolanum.android.fullbanca Mediolanum\r\ncom.mercuryo.app Mercuryo Bitcoin Cryptowallet\r\ncom.mycelium.wallet Mycelium Bitcoin Wallet\r\ncom.ocito.cdn.activity.banquesmc SMC pour Mobile\r\ncom.ocito.cdn.activity.creditdunord Crédit du Nord pour Mobile\r\ncom.okinc.okex.gp OKEx - Bitcoin/Crypto Trading Platform\r\ncom.opentecheng.android.webank Webank\r\ncom.orangebank.android Orange Bank\r\ncom.paxful.wallet Paxful Bitcoin Wallet\r\ncom.paysend.app Money Transfer App Paysend\r\ncom.phemex.app Phemex: Buy Crypto \u0026 Bitcoin\r\ncom.pionex.client Pionex - Crypto Trading Bot\r\ncom.plunien.poloniex Poloniex Crypto Exchange\r\ncom.plutus.wallet Abra: Bitcoin, XRP, LTC\r\ncom.rbs.mobile.android.natwest NatWest Mobile Banking\r\ncom.rbs.mobile.android.rbs Royal Bank of Scotland Mobile Banking\r\ncom.rbs.mobile.android.ubn Ulster Bank NI Mobile Banking\r\ncom.revolut.revolut Revolut - Get more from your money\r\ncom.robinhood.android Robinhood - Investment \u0026 Trading, Commission-free\r\ncom.satispay.customer Satispay\r\ncom.scrignosa SCRIGNOIdentiTel\r\ncom.sella.BancaSella Banca Sella\r\ncom.sisal.sisalpay Mooney App: pagamenti digitali\r\ncom.squareup.cash Cash App\r\ncom.starfinanz.smob.android.bwmobilbanking BW-Mobilbanking mit Smartphone und Tablet\r\ncom.starfinanz.smob.android.sfinanzstatus Sparkasse Ihre mobile Filiale\r\ncom.starlingbank.android Starling Bank - Better Mobile Banking\r\ncom.stoegerit.outbank.android Outbank - 360° 
Banking\r\ncom.stormgain.mobile StormGain: Bitcoin Wallet \u0026 Crypto Exchange App\r\ncom.superchain.lbankgoogle LBank - Buy Bitcoin \u0026 Crypto\r\ncom.tabtrader.android TabTrader Buy Bitcoin and Ethereum on exchanges\r\ncom.targo_prod.bad TARGOBANK Mobile Banking\r\ncom.tescobank.mobile Tesco Bank Mobile Banking\r\ncom.transferwise.android TransferWise Money Transfer\r\ncom.triodos.bankingnl Triodos Bankieren NL\r\ncom.unicredit Mobile Banking UniCredit\r\ncom.uphold.wallet Uphold - Trade, Invest, Send Money For Zero Fees\r\ncom.vipera.chebanca CheBanca!\r\ncom.virginmoney.uk.mobile.android Virgin Money Mobile Banking\r\ncom.wallet.crypto.trustapp Trust: Crypto \u0026 Bitcoin Wallet\r\ncom.youhodler.youhodler YouHodler - Crypto and Bitcoin Wallet\r\ncom.zengo.wallet ZenGo Crypto \u0026 Bitcoin Wallet: Buy, Earn \u0026 Trade\r\nde.bbbank.banking.privat BBBank-Banking classic\r\nde.bs.ibanking OLB Banking\r\nde.comdirect.app comdirect\r\nde.commerzbanking.mobil Commerzbank Banking - The app at your side\r\nde.fiducia.smartphone.android.banking.vr VR Banking Classic\r\nde.fiduciagad.banking.vr VR Banking - einfach sicher\r\nde.ingdiba.bankingapp ING Banking to go\r\nde.number26.android N26 — The Mobile Bank\r\nde.postbank.bestsign Postbank BestSign\r\nde.postbank.finanzassistent Postbank Finanzassistent\r\nde.psd.banking.app PSD Banking\r\nde.psd.banking.privat PSD Banking Classic\r\nde.santander.presentation Santander Banking\r\nde.schildbach.wallet Bitcoin Wallet\r\nde.sdvrz.ihb.mobile.secureapp.sparda.produktion SpardaSecureApp\r\nde.sparda.banking.privat SpardaBanking+\r\nde.spardab.banking.privat Sparda Berlin\r\neth.org.freewallet.app Ethereum Wallet. 
Buy \u0026 Exchange ETH — Freewallet\r\neu.qonto.qonto Qonto • Easy Business Banking\r\neu.unicreditgroup.hvbapptan HVB Mobile Banking\r\nexodusmovement.exodus Exodus: Crypto Bitcoin Wallet\r\nfr.bnpp.digitalbanking Hello bank! par BNP Paribas\r\nfr.creditagricole.androidapp Ma Banque\r\nfr.hsbc.hsbcfrance HSBC France\r\nfr.lcl.android.customerarea Mes Comptes - LCL\r\nfr.mafrenchbank Ma French Bank\r\nio.atomicwallet Bitcoin Wallet \u0026 Ethereum Ripple ZIL DOT\r\nio.bluewallet.bluewallet BlueWallet Bitcoin Wallet\r\nio.cex.app.prod CEX.IO Cryptocurrency Exchange\r\nio.metamask MetaMask - Buy, Send and Swap Crypto\r\nio.safepal.wallet SafePal-Crypto wallet BTC NFTs\r\nit.bcc.iccrea.mycartabcc myCartaBCC\r\nit.bnl.apps.banking BNL\r\nit.bnl.apps.banking.privatebnl My Private Banking\r\nit.bper.mobile.mymoney Smart My Money\r\nit.caitalia.apphub Crédit Agricole Italia\r\nit.carige Carige Mobile\r\nit.cedacri.hb2.bpbari Mi@\r\nit.cedacri.hb3.desio.brianza D-Mobile\r\nit.copergmps.rt.pf.android.sp.bmps Banca MPS\r\nit.creval.bancaperta Bancaperta\r\nit.gruppobper.ams.android.bper Smart Mobile Banking\r\nit.gruppobper.smartbpercard Smart BPER Card\r\nit.gruppocariparma.nowbanking Nowbanking\r\nit.hype.app Hype\r\nit.icbpi.mobile Nexi Pay\r\nit.ingdirect.app ING Italia\r\nit.nogood.container UBI Banca\r\nit.phoenixspa.inbank Inbank\r\nit.popso.SCRIGNOapp SCRIGNOapp\r\nit.relaxbanking RelaxBanking Mobile\r\nmobi.societegenerale.mobile.lappli L’Appli Société Générale\r\nmobi.societegenerale.mobile.lapplipro L’Appli Pro Société Générale\r\nmw.org.freewallet.app Bitcoin \u0026 Crypto Blockchain Wallet: Freewallet\r\nnet.bitstamp.app Bitstamp – Buy \u0026 Sell Bitcoin at Crypto Exchange\r\nnet.bnpparibas.mescomptes Mes Comptes BNP Paribas\r\nnet.safemoon.androidwallet SafeMoon\r\nnl.asnbank.asnbankieren ASN Mobiel Bankieren\r\nnl.rabomobiel Rabo 
Bankieren\r\nnl.regiobank.regiobankieren RegioBank - Mobiel Bankieren\r\nnl.snsbank.snsbankieren SNS Mobiel Bankieren\r\none.tomorrow.app Tomorrow: Mobile Banking\r\norg.electrum.electrum Electrum Bitcoin Wallet\r\norg.toshi Coinbase Wallet — Crypto Wallet \u0026 DApp Browser\r\npiuk.blockchain.android Blockchain Wallet. Bitcoin, Bitcoin Cash, Ethereum\r\nposteitaliane.posteapp.appbpol BancoPosta\r\nse.bankgirot.swish Swish payments\r\nuk.co.hsbc.hsbcukmobilebanking HSBC UK Mobile Banking\r\nuk.co.mbna.cardservices.android MBNA - Card Services App\r\nuk.co.metrobankonline.mobile.android.production Metro Bank\r\nuk.co.santander.santanderUK Santander Mobile Banking\r\nuk.co.tsb.newmobilebank TSB Mobile Banking\r\nSource: https://www.threatfabric.com/blogs/the-attack-of-the-droppers.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.threatfabric.com/blogs/the-attack-of-the-droppers.html"
	],
	"report_names": [
		"the-attack-of-the-droppers.html"
	],
	"threat_actors": [
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434031,
	"ts_updated_at": 1775792229,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2a822b7ca83e916a372c19558a87c61dc5255dc9.pdf",
		"text": "https://archive.orkl.eu/2a822b7ca83e916a372c19558a87c61dc5255dc9.txt",
		"img": "https://archive.orkl.eu/2a822b7ca83e916a372c19558a87c61dc5255dc9.jpg"
	}
}