{
	"id": "848dc40f-e1e5-45c5-a73e-4afd3cdadcfe",
	"created_at": "2026-04-10T03:21:12.485883Z",
	"updated_at": "2026-04-10T03:22:16.839182Z",
	"deleted_at": null,
	"sha1_hash": "338f9bc080b3a25af40d167f0243f384faa82b54",
	"title": "Uncovering Octo2 Domains: New Malware Targets Android Devices",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 140714,
	"plain_text": "Uncovering Octo2 Domains: New Malware Targets Android\r\nDevices\r\nBy Steve Behm\r\nPublished: 2024-10-10 · Archived: 2026-04-10 03:02:31 UTC\r\nUncovering Domains Created by Octo2’s Domain Generation Algorithm\r\nIntroduction: What is Octo2?\r\nOcto2 is a new version of one of the most prolific malware families, Octo (ExobotCompact). The banking trojan\r\ntargets Android mobile devices and the newest version is likely to be seen globally in the coming year. The\r\n“Architect” of Octo released Octo2 after the original’s source code was leaked earlier this year. The new version\r\noffers differentiating features including increased Remote Access Trojan (RAT) stability, improved anti-analysis\r\nand anti-detection techniques, and the use of a domain generation algorithm (DGA) to generate the actual C2\r\nserver name.\r\nResearchers at DomainTools are particularly intrigued by the obfuscation technique involving the use of a DGA to\r\ngenerate the Command and Control (C2) server name considering our unique dataset of domains. Thanks to initial\r\nefforts by Infoblox’s threat intelligence team, we were able to leverage our database and tools to quickly uncover\r\nadditional domains matching Octo2’s DGA pattern, which are shared in this blog.\r\nSummary of Research Findings\r\nhttps://www.domaintools.com/resources/blog/uncovering-octo2-domains/\r\nPage 1 of 4\n\nBased on this article by Threat Fabric, the initial samples of Octo2 discovered in the wild were seen in Italy,\r\nPoland, Moldova, and Hungary. 
Researchers believe its use may quickly spread considering the global adoption of\r\nthe original Octo, improvements made in Octo2, and the creator listing the new version at the same price as the\r\noriginal.\r\nIn the first samples, the banking trojan has been seen to disguise itself as apps including Google Chrome,\r\nNordVPN, and “Enterprise Europe Network.” Discovered attacks utilized a malware dropper called Zombinder,\r\nwhich activates upon downloading the fake app and prompts the user to install a plugin, which is actually Octo2.\r\nOnce infected, Octo2 allows for remote access of the mobile device to intercept push notifications, harvest\r\ncredentials with fake login pages, and perform unauthorized actions.\r\nOcto2’s use of a DGA to dynamically change its C2 server address makes it harder for security systems to detect\r\nand block. Using a DGA for the C2 server address is like being able to change the address of your evil\r\nheadquarters on the fly. However, once researchers and other experts identify the pattern used to generate the\r\ndomains for the address, it becomes easier to monitor any changes.\r\nLooking for Domains Created by Octo2\r\nThe post from Infoblox’s threat intelligence researchers lists several domains thought to be connected to Octo2.\r\nThe original domains exhibited a DGA pattern, where the apex-level domains generated consist of a random string\r\nof 32 alphanumeric characters, paired with a top-level domain (TLD) selected from a specific set of options.\r\nUsing Iris Investigate, we were able to pivot off of the original domains’ IPs to find additional domains matching\r\nthe pattern. We were eventually able to expand the original 9 domains and 7 TLDs to 269 domains and 12 TLDs\r\nfirst seen from August 22nd, 2024 to October 4th, 2024.\r\nIt was encouraging to find that some domains in this group were already being sinkholed by other researchers and\r\nsecurity groups. 
Sinkholing domains enables researchers to disrupt the malware’s communication with its C2\r\nserver and gather valuable data on its behavior, infection rates, and geographic distribution.\r\nIdentifying DGA domains in the wild can also be achieved by analyzing traffic in a SIEM. Once discovered,\r\nobtaining additional context is crucial for risk-based decision-making. Iris Enrich (another subtle plug incoming)\r\nis an API designed to provide this contextual data, offering key registration and infrastructure information along\r\nwith a predictive domain risk score to enhance decision-making.\r\nImplications of Using Domain Generation Algorithms\r\nWith the rise of Malware-as-a-Service (MaaS), malware creators understand the importance of differentiating\r\nthemselves from competitors. Utilizing a DGA as an additional layer of obfuscation has become a key evasion\r\ntactic employed by many groups.\r\nOne of the earliest and most notable examples of utilizing a DGA is the Conficker worm, which emerged in 2008\r\nand was covered by our very own Joe St Sauver. In an effort to gauge current adoption levels, I stumbled across an\r\narticle by Sigmund Brandstaetter who notes: “the threat landscape is extensive with well over 50 malware families\r\nknown to utilize DGA domains.” Zeus and Dyre are malware families targeting financial information and banking\r\ndetails, to name a few.\r\nIn the SolarWinds attack, SUNBURST malware used a DGA to generate domains encoding compromised\r\ncomputers. These domains resolved to IP addresses to assess value, then either connected to a C2 server,\r\ncontinued beaconing, activated a kill-switch, or switched to passive mode based on the subnet. Once the DGA was\r\nidentified, Farsight used its real-time DNS resolution observability to detect beaconing activity from likely\r\ncompromised environments. 
This data was publicly released and used by defenders and investigators, such as\r\nBambenek Consulting’s indicator repository. For a deeper dive, check out this post-attack analysis on how passive\r\nDNS data pairs well with Maltego.\r\nAs DGAs become increasingly common among malware families, there is a heightened emphasis on the\r\nimportance of domain-related data. Once researchers and security practitioners are able to detect malware using\r\nDGAs, being able to pivot and expand on associated domains allows for a better understanding of the pattern\r\nutilized. Rapidly identifying the DGA pattern significantly shortens the time from detection to mitigation, thereby\r\nreducing the success rate of malicious activities and enhancing overall internet security.\r\nPractical Advice to Avoid Octo2 Infections\r\nIf you are a security practitioner looking to avoid Octo2 infections, here is some practical advice.\r\n1. Leverage Threat Intelligence and Domain-Related Data:\r\n1. Utilize threat intelligence feeds such as known malicious DGA lists to stay updated on the latest\r\nIndicators of Compromise (IOCs) related to Octo2.\r\n2. Perform contextual data analysis and expand on known associated domains to detect patterns\r\nquickly and mitigate accordingly.\r\n2. Implement Advanced Detection Tools:\r\n1. Use advanced malware detection tools that can identify unusual patterns in network traffic. Tools\r\nlike sandboxing and machine learning-based anomaly detection can be particularly effective.\r\n2. At DomainTools we offer a suite of data feeds such as those deemed to be the riskiest, newly active,\r\nor youngest to help with malicious domain detection.\r\n3. Monitor DNS Traffic:\r\n1. Regularly monitor DNS traffic for suspicious domain queries. DGA domains often have unusual\r\ncharacteristics, such as random-looking strings or frequent changes.\r\n2. 
Consider using protective DNS tools to perform content filtering and block malicious domains at\r\nthe DNS security layer.\r\n3. Investigating suspicious domains within DomainTools’ passive DNS database can help establish\r\ntimelines and find connected infrastructure.\r\n4. Deploy Endpoint Detection and Response (EDR):\r\n1. Implement EDR solutions to monitor and analyze endpoint activities. These tools can help detect\r\nmalicious behaviors associated with Octo2, such as unauthorized remote access or unusual\r\napplication behavior.\r\n5. Collaborate with the Community:\r\n1. Through active engagement with the cybersecurity community to exchange insights and strategies\r\nfor threat detection and mitigation, we discovered Octo2 and its new features. People helping people\r\nis powerful stuff.\r\n2. You can connect with us on X, Mastodon, or on CTI Grapevine.\r\nConclusion\r\nThe emergence of Octo2 underscores the evolving sophistication of malware and the critical need for advanced\r\ndetection and mitigation strategies. By leveraging domain-related data and collaborating with the cybersecurity\r\ncommunity, we can stay ahead of threats like Octo2. The use of DGAs by malware authors presents a significant\r\nchallenge, but with the right tools and intelligence, we can better disrupt these malicious activities.\r\nThe collective effort of the cybersecurity community is essential in this fight. Sharing insights, strategies, and data\r\nnot only helps in identifying and mitigating threats more efficiently but also strengthens the overall security\r\nposture of the internet. Together, we can create a safer digital environment for everyone.\r\nA special thank you to Michael Klatt and Sean McNee for digging into this one as well. 
Most investigations are a\r\ngroup effort and we have a great group here at DomainTools.\r\nFind domains and IOCs on our GitHub\r\nSource: https://www.domaintools.com/resources/blog/uncovering-octo2-domains/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.domaintools.com/resources/blog/uncovering-octo2-domains/"
	],
	"report_names": [
		"uncovering-octo2-domains"
	],
	"threat_actors": [],
	"ts_created_at": 1775791272,
	"ts_updated_at": 1775791336,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/338f9bc080b3a25af40d167f0243f384faa82b54.pdf",
		"text": "https://archive.orkl.eu/338f9bc080b3a25af40d167f0243f384faa82b54.txt",
		"img": "https://archive.orkl.eu/338f9bc080b3a25af40d167f0243f384faa82b54.jpg"
	}
}