{
	"id": "6483fdc0-b745-4133-b76b-49a77633ebfb",
	"created_at": "2026-04-06T00:15:31.531916Z",
	"updated_at": "2026-04-10T13:13:07.973238Z",
	"deleted_at": null,
	"sha1_hash": "3370dee193d961ae8dce311d2794c511960d1b03",
	"title": "More LodaRAT Infrastructure Targeting Bangladesh Uncovered",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 497286,
	"plain_text": "More LodaRAT Infrastructure Targeting Bangladesh Uncovered\r\nBy Silent Push Threat Team\r\nPublished: 2021-04-25 · Archived: 2026-04-05 19:33:08 UTC\r\nLast week, Cisco Talos published a blog post with new research on LodaRAT. Apart from updates to the Windows version of this malware, the researchers also found Android malware (‘Loda4Android’) written by the same group. They link both versions of the malware to an ongoing campaign targeting people or entities in Bangladesh.\r\nThis blog post reveals some further infrastructure used in this campaign.\r\nLodaRAT, or Loda, is information-gathering malware. It has the ability to take screenshots of infected machines, record keystrokes and sound, and allows its operators to send commands to the machine. It was first analysed by Proofpoint in May 2017.\r\nIn most of its campaigns, LodaRAT has been spreading through malicious documents that either contained malicious macros or exploited vulnerabilities in Office. Some earlier campaigns exploited CVE-2017-0199, while more recent ones exploited CVE-2017-11882. Though patched several years ago, the latter vulnerability remains popular among malware authors.\r\nAmong the indicators of compromise shared by Talos is the domain lap-top[.]xyz, from which a malicious APK file was served. This domain was registered in October and points to 134.122.120[.]22, an IP address belonging to the popular cloud infrastructure provider Digital Ocean.\r\nWhile looking in Silent Push’s database for other domains that have pointed to this IP address, Martijn Grooten noticed two that turned out to be actively serving LodaRAT: corona-bd[.]com and imei[.]today.\r\nUsing the COVID-19 vaccine as a lure\r\nAt first glance, corona-bd[.]com looks like an official Bangladeshi government website with information on the coronavirus. That’s not surprising, because it contains that very website, hosted at corona.gov.bd, in an iframe.\r\nBut right above the iframe, there is a grey bar with the Bengali text “প্রথম ধাপে অগ্রাধিকার ভিত্তিতে করোনা ভাইরাসের টিকা পাওয়ার আবেদন করতে এখানে ক্লিক করুন।” which Google helped me translate to “Click here to apply for the corona virus vaccine on a first-come, first-served basis.”\r\nhttps://www.silentpush.com/blog/more-lodarat-infrastructure-targeting-bangladesh-uncovered\r\nPage 1 of 6\r\nThe real Bangladeshi government website (left) and the fake one with an extra link on top (right)\r\nThis link goes to a form that asks for many personal details, some of which (such as “Freedom Fighter Status”) may appear unusual for non-Bangladeshis. Upon filling in the form, you are presented with a page telling you your application has been accepted. It is unclear whether the information filled in the form is used in some way, but JavaScript carefully checks you have filled everything in, after which it is submitted to the server in a POST request.\r\nOnce you have submitted the form, you are urged to download a copy of the application. Apart from a receipt number, which is different every time the page loads, you are given a password to open the application. The application turns out to be a zip file protected with this password, and inside is a variant of LodaRAT (SHA256: e78546bb33df88c6be3afce32f5d13084295a6e0599b26c3b380d54318170d86).\r\nIt is unknown how people end up on this website: whether it relies on natural traffic, or whether the campaign urges specific targets to visit it, but the context of the campaign and the apparent lack of public links to it make the latter more likely.\r\nInterestingly, the domain corona-bd[.]com had been active many years ago, when it hosted the website of a fashion company. Last spring, it was registered again to serve information related to the coronavirus pandemic.\r\nFrom the copy on the Wayback Machine, Martijn couldn’t determine any malicious purpose of this website, but it shared an IP address with a number of domains that Talos also linked to this campaign, so it is likely that the same actor was hosting it already. This would suggest this campaign, or at least preparations for it, started well before October.\r\nFake IMEI checker\r\nThe second domain, imei[.]today, hosts what appears to be a checker for IMEIs: numbers that uniquely identify mobile phones.\r\nThe page layout is largely copied from the legitimate site imei.info, but made to look as if it belongs to the BTRC, the Bangladesh Telecommunication Regulatory Commission. This site thus also targets Bangladesh, even though it is written in English, a language still widely understood in the country.\r\nLegitimate (left) and malicious (right) IMEI checker\r\nUpon entering a valid IMEI number (client-side JavaScript performs the ‘Luhn check’), the user is served a zip file. Inside this zip file, which this time is not protected with a password, is another variant of LodaRAT (SHA256: cf29981bfec0f0cf2abd54ae469c8795a3cf1e19c715ded329fdb2707f982407).\r\nOther domains\r\nWhile I found these domains because both have used the IP address 134.122.120[.]22, they have in fact shared several more IP addresses. And there are several more domains that have used some of these addresses in recent months.\r\nOne is mybnp[.]club. This site looks near identical to bnpbd.org, the website of the Bangladesh Nationalist Party (a Bangladeshi political party), from which it includes most content. The only difference is a line on top that says (in Bengali) “Click here to register to become a member of the BNP” that links to a signup page. This signup page contains an iframe that loads content from http://educationboardresults[.]net/php/application/.\r\nHowever, there is no content there: educationboardresults[.]net is a parked domain. Moreover, mybnp[.]club does not render well in most modern browsers, due to mixed content errors. It may be that this site was intended to be used in the campaign but then abandoned.\r\nOther domains that have used IP addresses in the same set include av24[.]co and bracbank[.]info, both of which were mentioned by Talos, but also bkash[.]club, bkashagent[.]com, aktel[.]org and zepode[.]online. All of these are relevant to Bangladeshis: bKash is a mobile financial service in Bangladesh, AKTEL is the former name of a mobile phone provider in Bangladesh, and Zepode is an ecommerce platform popular in the region.\r\nInformation on aktel[.]org on Silent Push’s dashboard.\r\nApart from using some of the same IP addresses, all of these domains use two nameservers, ns1.domain and ns2.domain, where domain is the domain itself, with both name servers pointing to the same IP address as the domain’s A record, a somewhat peculiar set-up.\r\nMartijn had not been able to find any content hosted on these latter four domains, but that does not mean URLs with malware don’t exist. It is also possible that these have been registered for future use in this campaign.\r\nA hacker-for-hire campaign?\r\nWriting about the discovery of LodaRAT activity in Bangladesh, Cyberscoop suggests it might belong to a hacker-for-hire group.\r\nLast year, several hacker-for-hire operations (sometimes referred to as ‘cyber mercenaries’) were uncovered. Such groups make cyber-espionage capabilities available to companies and political organisations, as well as to nation states without their own offensive cyber capabilities.\r\nLodaRAT’s activity has all the hallmarks of such an operation. First, the geographic spread of the activities: Talos believes the group is based in Morocco (which is why it is referred to as ‘Kasablanka’) and previous activity by this group was linked to Latin America, while this campaign targets Bangladesh. The Android malware used by this group has been linked to campaigns in the Middle East.\r\nSecondly, the malware focuses on gathering information rather than on direct financial gain, which would be common for malware used by a more traditional cybercrime group.\r\nAnd thirdly, this particular campaign appears fairly targeted. While the real size can’t be determined without global telemetry, a more widespread campaign would likely have left public traces through search engines and public threat feeds.\r\nOf course, none of this is conclusive proof of the kind of operation this is. Nor does it mean that the authors of the malware are the same as the ones conducting this campaign.\r\nConclusion\r\nMalware and phishing campaigns make a serious effort to stay under the radar. However, limited resources force threat actors to reuse infrastructure.\r\nIn this case, with the Silent Push API, Martijn was able to use this weakness to uncover more infrastructure used by the ‘Kasablanka’ actor in its targeting of Bangladesh, based on a few publicly posted indicators.\r\nWith contributions from Ken Bagnall and Nick Kostopoulos.\r\nIndicators of Compromise (IOCs)\r\nDomain names:\r\naktel[.]org\r\nbkashagent[.]com\r\nbkash[.]club\r\ncorona-bd[.]com\r\nimei[.]today\r\nmybnp[.]club\r\nzepode[.]online\r\nAlso likely linked to this campaign because of shared infrastructure and similar set-up, but with no apparent Bangladesh link:\r\nc0mputer[.]xyz\r\npiramidewebs[.]com\r\nIP addresses:\r\n94.130.110[.]78\r\n107.180.72[.]97\r\n107.180.73[.]34\r\n107.180.73[.]135\r\n116.203.37[.]39\r\n134.122.120[.]22\r\nOf these, 94.130.110[.]78 had a PTR record set to vps.corona-bd[.]com, while 134.122.120[.]22 used vps.lap-top[.]xyz as a PTR record. This confirms that at least these two IP addresses are or were attacker owned rather than shared hosting space.\r\nSome other IP addresses that the domains have pointed to were shared with too many unrelated domains to consider them reliable indicators for these domains, or for malicious activity in general; hence they have not been listed.\r\nSHA256 hashes of LodaRAT variants:\r\ncf29981bfec0f0cf2abd54ae469c8795a3cf1e19c715ded329fdb2707f982407\r\ne78546bb33df88c6be3afce32f5d13084295a6e0599b26c3b380d54318170d86\r\nSource: https://www.silentpush.com/blog/more-lodarat-infrastructure-targeting-bangladesh-uncovered",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.silentpush.com/blog/more-lodarat-infrastructure-targeting-bangladesh-uncovered"
	],
	"report_names": [
		"more-lodarat-infrastructure-targeting-bangladesh-uncovered"
	],
	"threat_actors": [
		{
			"id": "d4135989-e577-4133-bdae-a24243c832a4",
			"created_at": "2023-11-05T02:00:08.068657Z",
			"updated_at": "2026-04-10T02:00:03.396218Z",
			"deleted_at": null,
			"main_name": "Kasablanka",
			"aliases": [],
			"source_name": "MISPGALAXY:Kasablanka",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434531,
	"ts_updated_at": 1775826787,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3370dee193d961ae8dce311d2794c511960d1b03.pdf",
		"text": "https://archive.orkl.eu/3370dee193d961ae8dce311d2794c511960d1b03.txt",
		"img": "https://archive.orkl.eu/3370dee193d961ae8dce311d2794c511960d1b03.jpg"
	}
}