{
	"id": "6a9710b5-4324-4549-b018-f2b43e59b9ad",
	"created_at": "2026-04-06T00:21:55.233726Z",
	"updated_at": "2026-04-10T03:34:59.368239Z",
	"deleted_at": null,
	"sha1_hash": "2c77423758cd17b4a4471e66d04ab2e66baaa30b",
	"title": "Roaming Mantis, part III",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 578309,
	"plain_text": "Roaming Mantis, part III\r\nBy GReAT\r\nPublished: 2018-10-01 · Archived: 2026-04-05 20:33:26 UTC\r\nIn Q2 2018, Kaspersky Lab published two blogposts about Roaming Mantis sharing details of this new\r\ncybercriminal campaign. In the beginning, the criminals used DNS hijacking in vulnerable routers to spread\r\nmalicious Android applications of Roaming Mantis (aka MoqHao and XLoader), spoofing legitimate applications\r\nsuch as Facebook and Chrome. During our research, it became clear that Roaming Mantis has been rather active\r\nand has evolved quickly. The group’s malware now supports 27 languages, including multiple countries from Asia\r\nand beyond, Europe and the Middle East. In addition, they have started using web crypto-mining for PC, and an\r\nApple phishing page for iOS devices.\r\nYou can check previous chapters of this research here:\r\nRoaming Mantis uses DNS hijacking to infect Android smartphones (April 2018)\r\nRoaming Mantis dabbles in mining and phishing multilingually (May 2018)\r\nIn addition we would like to thank and credit security researchers from LAC Co. Ltd. for a very insightful article\r\ndescribing how vulnerable routers were compromised by the Roaming Mantis group, which was disclosed in their\r\nJapanese blogpost in June 2018. According to this research, the threat actor logged in to their router using default\r\nID and password, and changed legitimate DNS settings to rogue DNS settings, where the router’s control panel\r\nwas accessible over the Internet.\r\nThe Roaming Mantis group did not stop its activities after publication of our reports. We have confirmed several\r\nnew activities and changes to their illegal profit-gaining methods such as web crypto mining for iOS devices,\r\nspreading via malicious content delivery system and so on. 
This blogpost reveals some details of our new findings\r\nrelated to Roaming Mantis, based on our research.\r\nWeb crypto-mining for iOS devices\r\nThe criminals previously targeted iOS devices using an Apple phishing site to steal credentials. However, they\r\nchanged the HTML source code of the malicious landing page as follows:\r\nPart of HTML source code of the malicious landing page for iOS\r\nhttps://securelist.com/roaming-mantis-part-3/88071/\r\nPage 1 of 10\n\nThe code above shows that they disabled redirection to the fake Apple portal (with a phishing page) and added\r\ncode with a web mining script (previously used only for the PC platform) to run mining on iOS devices.\r\nIf the user visits this landing page from an iOS device, a blank page is displayed in the web browser. In the\r\nbackground, CPU usage increases to 90% immediately.\r\nScreen capture of the landing page and CPU monitoring tool\r\nInterestingly, the day after we confirmed this, the attacker switched back to Apple phishing again. We believe that\r\nthe criminals, at that time, were testing the possible revenue from web mining on iOS devices, looking for an\r\nefficient way to monetize their activities.\r\nFiltering Japanese devices\r\nOne thing we noticed is that the criminals responded to a number of articles and research activities coming from\r\nJapan. A new feature was added to the landing page to filter out Japanese environments:\r\nAdded confirmation of Japanese environment for filtering\r\nIt looks like they want to slow down infections of Japanese targets for the time being.\r\nSpreading via another malware delivery system\r\nIn the middle of July 2018, the live landing page we had been monitoring unfortunately went dark. 
However, the\r\nmalicious APK files of Roaming Mantis, detected as “Trojan-Banker.AndroidOS.Wroba.al”, were still being\r\ndetected by our customers, according to our KSN data.\r\nNumber of detected users from KSN data (Jun 10, 2018 – Sep 10, 2018)\r\nOur deeper investigation revealed that their new malware spreading method was the one used by other Android\r\nmalware, the “sagawa.apk” delivery system. We published a Japanese blogpost of this Android malware in\r\nJanuary 2018. Trend Micro named it FAKESPY and published a blogpost about it, “FakeSpy Android\r\nInformation-Stealing Malware Targets Japanese and Korean-Speaking Users”. According to our previous\r\nblogpost, the infection vector involved users receiving a phishing SMS message spoofing a notification from a\r\nJapanese delivery company. The message contained a malicious URL. If the user clicked it, the server displayed a\r\nfake web site that downloaded and installed the malicious application “sagawa.apk”. We discovered two types of\r\nsuch “sagawa.apk” samples:\r\nType A\r\n  File name: sagawa.apk\r\n  md5: 956f32a28d0057805c7234d6a13aa99b\r\n  File size: 427KB (437,556)\r\n  Loader module: \\classes.dex\r\n  Encrypted payload (enc_data): \\assets\\a\r\n  Decrypt algorithm: payload = base64_dec(zlib_dec(enc_data));\r\n  Alias: MoqHao (McAfee), XLoader (TrendMicro)\r\n  Old file name: facebook.apk, chrome.apk, ${random}.apk\r\nType B\r\n  File name: sagawa.apk\r\n  md5: a19f4cb93274c949e66efe13173c95e6\r\n  File size: 2.3MB (2,381,665)\r\n  Loader module: \\classes.dex + \\lib\\arm64-v8a\\libkao.so, \\lib\\armeabi-v7a\\libkao.so, \\lib\\x86\\libkao.so, \\lib\\x86_64\\libkao.so\r\n  Encrypted payload (enc_data): \\assets\\code.so\r\n  Decrypt algorithm: aes_key = base64_dec(hardcoded data); payload = AES_dec(enc_data, aes_key);\r\n  Alias: FAKESPY (TrendMicro)\r\n  Old file name: sagawa.apk\r\nBased on detailed static analysis, they belong to different Android malware families. 
Both Type A and Type B\r\nhave common features, such as monitoring SMS messages and stealing data from infected devices. However,\r\nthere are differences in their code structure, communication protocol and other features. One significant difference\r\nis that Type B targets Japan only, unlike Type A, which is multilingual. Type B contains hardcoded strings that are\r\ndisplayed to infected users. These strings are in Japanese only.\r\nJapanese messages displayed to infected users\r\nIn addition, this malware checks whether a domestic Japanese prepaid card application is installed on the\r\ninfected device.\r\nCheck for the domestic Japanese prepaid card application “Au Wallet”\r\nIf the application is installed on the device, the malware downloads and installs a fake application as its update.\r\nUnfortunately, the relationship between the Roaming Mantis group and the service owner of the “sagawa.apk”\r\ndelivery mechanism isn’t very clear at the moment. They might just use the same service as customers, or might\r\nnot. 
However, it is clear that these criminal groups use the same malware-spreading eco-system for spreading their\r\nAndroid malware.\r\nResearchers may use the following simplified Python scripts to extract the payload from “sagawa.apk”:\r\nsagawa.apk_typeA_payload_extractor.py\r\n#!/usr/bin/env python\r\n# Usage: sagawa.apk_typeA_payload_extractor.py <path to the encrypted \\assets\\a>\r\n# Type A: payload = base64_dec(zlib_dec(enc_data))\r\nimport sys\r\nimport zlib\r\nimport base64\r\ndata = open(sys.argv[1], \"rb\").read()\r\ndec_z = zlib.decompress(data)     # first layer: zlib\r\ndec_b = base64.b64decode(dec_z)   # second layer: base64, yields the payload dex file\r\nwith open(sys.argv[1] + \".dec\", \"wb\") as fp:\r\n    fp.write(dec_b)\r\nsagawa.apk_typeB_payload_extractor.py\r\n#!/usr/bin/env python\r\n# Usage: sagawa.apk_typeB_payload_extractor.py <path to the encrypted \\assets\\code.so> <base64 AES key>\r\n# Type B: aes_key = base64_dec(hardcoded data); payload = AES_dec(enc_data, aes_key)\r\nimport sys\r\nimport base64\r\nfrom Crypto.Cipher import AES\r\ndata = open(sys.argv[1], \"rb\").read()\r\nkey = sys.argv[2]\r\naes_key = base64.b64decode(key)  # key is H8chGVmHxKRdjVSO14Mvgg== in libkao.so\r\naes = AES.new(aes_key, AES.MODE_ECB)  # ECB mode (PyCrypto's default when no mode is given); no IV\r\ndec = aes.decrypt(data)\r\nwith open(sys.argv[1] + \".dec\", \"wb\") as fp:\r\n    fp.write(dec)\r\nWe also observed another malware distribution method of Roaming Mantis which is linked to prezi.com. Prezi is a\r\npopular computer application and online service to create dynamic presentations. The criminals used this service\r\nto spread their scam. When a user visits a page crafted by the attackers, a link is shown offering free content such\r\nas adult video, a game, a comic, music and so on, like pirate editions.\r\nRedirection to a scam page\r\nBased on our research, there were multiple messages leveraging different social engineering tricks to invite users\r\nto a scam website. 
On the other hand, the Roaming Mantis landing page was found to be linked to several such\r\naccounts carrying out redirections.\r\nCorrupted landing page code from Roaming Mantis posted on prezi.com\r\nHowever, fortunately this code does not work because of mistakes made during the code preparation stage.\r\nRecords of stolen data\r\nKaspersky Lab discovered fragments of data stolen from victims’ Android devices via Type A of the malware,\r\nwhich suggests thousands of compromised victims:\r\nSuspected stolen data from victims’ Android devices\r\nThis data contained phone number, date, IP, language, email/id, password, name, date of birth, address, credit card\r\ninformation including CVV, bank information, and secret question and answer in Simplified Chinese. Data headers\r\nin Chinese suggest that the attackers are fluent in Chinese – unless this is a false flag, of course. The first column\r\nseems to contain the record number, which in July was already over 4,800. The user device language setting may\r\nindicate victims’ geography. Below is a pie chart created from the language data:\r\nVictims’ language settings\r\nThe top language is “en-us” (39%), the second is “ko-kr”, the third is “ru”. Judging from this data, victims’\r\ngeographical distribution has changed significantly since our first report. This might be due to the update adding\r\nsupport for 27 languages and the new distribution strategies. The reason why “en-us” is the most popular could\r\nbe that English is used as a second language in several countries.\r\nConclusions\r\nIn previous reports, we claimed that the Roaming Mantis campaign had evolved significantly in a short period of\r\ntime, applying new attack methods and expanding its targets. It seems that the attack doesn’t stop developing. 
In\r\nour recent research, we found that they probed using a web miner for iOS, instead of redirecting to a fake Apple\r\nwebsite.\r\nAnother new method they applied is the use of a malware delivery eco-system that is probably operated by a third\r\nparty and was used to spread other (maybe even unrelated) malware in the past. The infection vector in that case\r\nwas an SMS message with a malicious link that led a user to a fake web site that offered a download of the\r\nmalicious apk file “sagawa.apk”. It is not clear how Roaming Mantis and the distributor of “sagawa.apk” are\r\nrelated, but it’s worth mentioning the fact that they are now using the same eco-system.\r\nRoaming Mantis is also trying to spread its malware via prezi.com, with a scam that offers a visitor free content\r\nsuch as videos and more.\r\nJudging from the list of stolen credentials, the attackers seem to have stolen a large amount of data from victims\r\nworldwide. This gives us a glimpse of the real scale of the attack, but we believe that this is just the tip of the\r\niceberg.\r\nWe strongly recommend that Android users turn off the option that allows installation of applications from third-party repositories, to keep their device safe. 
They should also be suspicious if their phones become unusually hot,\r\nwhich may be a side-effect of the hidden crypto-mining application in action.\r\nKaspersky Lab products detect this malware with the following verdict:\r\nHEUR:Trojan-Banker.AndroidOS.Wroba\r\nIoCs\r\nMalicious hosts:\r\n59.105.6[.]230\r\nsagawa-otqwt[.]com\r\nsagawa-polsw[.]com\r\nHashes of Type A:\r\n956f32a28d0057805c7234d6a13aa99b sagawa.apk\r\n3562f9de6dbe70c2e19a20d8683330ce \\classes.dex\r\n01fa0039b62c5db8d91dfc6b75b246f8 decrypted payload (dex file) from \\assets\\a\r\nHashes of Type B:\r\na19f4cb93274c949e66efe13173c95e6 sagawa.apk\r\n5e913208ecc69427efb6bbf9e6505624 \\classes.dex\r\n67bc2e8beb14b259a5c60fe7a31e6795 \\arm64-v8a/libkao.so\r\nf120f5f78c7ef762996314cf10f343af \\armeabi-v7a/libkao.so\r\nefe54c22e2b28a44f723d3479487620c \\x86_64/libkao.so\r\ne723c6aec4433f3c6e5d3d24fe810e05 \\x86/libkao.so\r\ndaeccda295de93cf767fd39a86a44355 decrypted payload (jar file) from \\assets\\code.so\r\n581b08b277a8504ed222a71c19cea5f9 classes.dex from decrypted payload\r\nSource: https://securelist.com/roaming-mantis-part-3/88071/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://securelist.com/roaming-mantis-part-3/88071/"
	],
	"report_names": [
		"88071"
	],
	"threat_actors": [
		{
			"id": "c94cb0e9-6fa9-47e9-a286-c9c9c9b23f4a",
			"created_at": "2023-01-06T13:46:38.823793Z",
			"updated_at": "2026-04-10T02:00:03.113045Z",
			"deleted_at": null,
			"main_name": "Roaming Mantis",
			"aliases": [
				"Roaming Mantis Group"
			],
			"source_name": "MISPGALAXY:Roaming Mantis",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f9bc28d0-ce98-4991-84ae-5036e5f9d4e3",
			"created_at": "2022-10-25T16:07:24.546437Z",
			"updated_at": "2026-04-10T02:00:05.029564Z",
			"deleted_at": null,
			"main_name": "Roaming Mantis",
			"aliases": [
				"Roaming Mantis Group",
				"Shaoye"
			],
			"source_name": "ETDA:Roaming Mantis",
			"tools": [
				"MoqHao",
				"Roaming Mantis",
				"SmsSpy",
				"Wroba",
				"XLoader"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434915,
	"ts_updated_at": 1775792099,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2c77423758cd17b4a4471e66d04ab2e66baaa30b.pdf",
		"text": "https://archive.orkl.eu/2c77423758cd17b4a4471e66d04ab2e66baaa30b.txt",
		"img": "https://archive.orkl.eu/2c77423758cd17b4a4471e66d04ab2e66baaa30b.jpg"
	}
}