{
	"id": "0c2b9804-320d-4457-a57d-2900a22cb3c9",
	"created_at": "2026-04-06T00:18:48.290613Z",
	"updated_at": "2026-04-10T03:37:36.87262Z",
	"deleted_at": null,
	"sha1_hash": "394c09650b288d0354a4b2c1e55ed3af55078cfc",
	"title": "Newly Registered Domains Distributing SpyNote Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 609818,
	"plain_text": "Newly Registered Domains Distributing SpyNote Malware\r\nBy DomainTools\r\nPublished: 2026-01-06 · Archived: 2026-04-05 22:02:52 UTC\r\nDeceptive websites hosted on newly registered domains are being used to deliver AndroidOS SpyNote malware.\r\nThese sites mimic the Google Chrome install page on the Google Play Store to lure victims into downloading\r\nSpyNote, a potent Android remote access trojan (RAT) used for surveillance, data exfiltration, and remote\r\ncontrol.\r\nDomains Mimicking App Installation on Google Play Store\r\nNewly registered domains are hosting deceptive websites that mimic popular application installation pages on the\r\nGoogle Play Store to trick victims into downloading malware. Analysis revealed common patterns in domain\r\nregistration and website structure, with limited variations observed in malware configurations, command and\r\ncontrol (C2) infrastructure, and delivery websites. Notably, the threat actor utilized a mix of English and Chinese-language delivery sites and included Chinese-language comments within the delivery site code and the malware\r\nitself.\r\nThis report further details the malware delivery website configurations and the deceptive techniques employed to\r\ntrick users into installing the AndroidOS malware. It also provides an overview of the malware’s installation\r\nprocess and C2 configurations. Finally, the GitHub appendices contain indicators of compromise (IOCs), mapping\r\nto the MITRE Mobile ATT\u0026CK framework, and a snippet of the AndroidManifest file highlighting the\r\npermissions SpyNote seeks on compromised devices.\r\nDomain Registration and Website Patterns\r\nRegistrar:\r\nNameSilo, LLC\r\nhttps://dti.domaintools.com/newly-registered-domains-distributing-spynote-malware/\r\nPage 1 of 6\n\nXinNet Technology Corporation\r\nIP ISP:\r\nLightnode Limited\r\nVultr Holdings LLC\r\nSSL Issuer:\r\nR10\r\nR11\r\nNameServer:\r\ndnsowl[.]com\r\nxincache[.]com\r\nServer Type:\r\nnginx\r\nProminent IP Resolved:\r\n156.244.19[.]63\r\nFrequent Web Endpoint Path:\r\n/index/index/download.html\r\n/index/index/download.html?id=MTAwMDU%3D\r\nFrequent HTML Code Inclusions:\r\nhttps[:]//unpkg[.]com/current-device@0.10.2/umd/current-device.min.js\r\nhref=\"https[:]//play.google[.]com/store/apps/details?id=com.zhiliaoapp.musically\r\n\"uUDqyDbaLAZwfdPcR4uvjA\"\r\nMalware Delivery Website Review\r\nThe websites include an image carousel displaying screenshots of mimicked Google Play app pages. These images\r\nare loaded from “bafanglaicai888[.]top,” another suspicious domain suspected to be owned by the same actor. The\r\ncarousel provides a visual aspect to enhance the illusion of a legitimate app page.\r\nA `\u003cc-wiz\u003e` element acts as a container and a managed component within the web page, responsible for the\r\nfunctionality involving the display and handling of the “Install” button. As a side note, the presence of\r\n“com.zhiliaoapp.musically” hints at an interaction related to the TikTok (formerly Musical.ly) Android\r\napplication, which may be code remnants of prior versions.\r\nWhen the display images mimicking the Google Play store apps are clicked, it executes the JavaScript function\r\n“download()” (shown below) that initiates the download of the .apk file located at the hardcoded URL.\r\nThis function works by dynamically creating a hidden iframe and setting its src attribute to a JavaScript snippet.\r\nThis snippet then uses location.href = src to redirect the iframe to the provided “url” value. Since iframes can\r\ninitiate downloads, this effectively triggers a download of the file at the given URL. In the case of the above code\r\nsamples, it would download the 002.apk file from the URL “https[:]//www.kmyjh[.]top/002.apk.”\r\nAnalysis of the downloaded .apk files revealed them to be SpyNote dropper malware. SpyNote and its variant,\r\nSpyMax, represent a family of potent Android RATs enabling extensive surveillance, data exfiltration, and remote\r\ncontrol. Notably, SpyNote has been associated with sophisticated APT groups such as OilRig (APT34), APT-C-37 (Pat-Bear), and OilAlpha, and has been deployed against Indian Defence Personnel. The malware’s appeal to a\r\nwide range of threat actors, including advanced groups, underscores its versatility and efficacy for both targeted\r\nespionage and broader cybercriminal activities. The availability of a builder tool on underground forums has\r\nsignificantly facilitated its adoption among cybercriminals.\r\nThe dropper installs a second .apk file contained within the first via a class function InstallDropSessionActivity().\r\nThe class implements the DialogInterface.OnClickListener interface, meaning it’s executed when the user clicks a\r\nbutton (likely the “Confirm” button in the “User Data Info” dialog from InstallDropSessionActivity).\r\nThe second .apk file contains the majority of the SpyNote malware functionality. Finally, a base.dex file within the\r\nSpyNote’s assets folder contains the connection parameters with the DomainManager.class used for testing and\r\nestablishing remote connections to the Command and Control (C2) server.\r\nOne variation in this configuration was identified in which an IP is hardcoded for the C2, also over port 8282.\r\nNotably, the hardcoded IP is the same IP resolved for both C2 domains observed in the other variations.\r\nSpyNote Malware Ramifications\r\nNewly registered domains were identified hosting deceptive websites that mimic popular app installation pages on\r\nthe Google Play Store. These sites are designed to trick users into downloading malware. Analysis of these\r\ncampaigns reveals common patterns in domain registration, website structure, and largely consistent malware\r\nconfigurations, command and control (C2) infrastructure, and delivery methods. These websites often include an\r\nimage carousel displaying screenshots of mimicked Google Play app pages to enhance the illusion of legitimacy.\r\nWhile no definitive attribution is currently available, a China nexus is suspected. This deceptive infrastructure is\r\nbeing leveraged to distribute SpyNote AndroidOS malware.\r\nAnalysis of the SpyNote malware reveals a two-stage installation process initiated by an APK dropper, ultimately\r\ndeploying the core SpyNote RAT from a second embedded APK. Command and control server details are hidden\r\nwithin a DEX file. SpyNote is notorious for its persistence, often requiring a factory reset for complete removal.\r\nUpon installation, it aggressively requests numerous intrusive permissions, gaining extensive control over the\r\ncompromised device. This control allows for the theft of sensitive data such as SMS messages, contacts, call logs,\r\nlocation information, and files. SpyNote also boasts significant remote access capabilities, including camera and\r\nmicrophone activation, call manipulation, and arbitrary command execution. Its robust keylogging functionality,\r\ntargeting application credentials and utilizing Accessibility Services for two-factor authentication codes, is\r\nparticularly concerning. Furthermore, SpyNote can remotely wipe data, lock the device, or install further\r\napplications. The extensive capabilities of SpyNote underscore its effectiveness as a potent tool for espionage and\r\ncybercrime, posing a significant threat to individuals and organizations targeted by these deceptive campaigns.\r\nSource: https://dti.domaintools.com/newly-registered-domains-distributing-spynote-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://dti.domaintools.com/newly-registered-domains-distributing-spynote-malware/"
	],
	"report_names": [
		"newly-registered-domains-distributing-spynote-malware"
	],
	"threat_actors": [
		{
			"id": "ce10c1bd-4467-45f9-af83-28fc88e35ca4",
			"created_at": "2022-10-25T15:50:23.458833Z",
			"updated_at": "2026-04-10T02:00:05.419537Z",
			"deleted_at": null,
			"main_name": "APT34",
			"aliases": null,
			"source_name": "MITRE:APT34",
			"tools": [
				"netstat",
				"Systeminfo",
				"PsExec",
				"SEASHARPEE",
				"Tasklist",
				"Mimikatz",
				"POWRUNER",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ca3acede-fb02-418a-8f2b-a73d8c89eda7",
			"created_at": "2023-06-23T02:04:34.425347Z",
			"updated_at": "2026-04-10T02:00:04.787571Z",
			"deleted_at": null,
			"main_name": "OilAlpha",
			"aliases": [
				"TAG-41",
				"TAG-62"
			],
			"source_name": "ETDA:OilAlpha",
			"tools": [
				"Bladabindi",
				"CypherRat",
				"Jorik",
				"SpyMax",
				"SpyNote",
				"SpyNote RAT",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "cffb3c01-038f-4527-9cfd-57ad5a035c22",
			"created_at": "2022-10-25T15:50:23.38055Z",
			"updated_at": "2026-04-10T02:00:05.258283Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"COBALT GYPSY",
				"IRN2",
				"APT34",
				"Helix Kitten",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"EUROPIUM",
				"ITG13",
				"Earth Simnavaz",
				"Crambus",
				"TA452"
			],
			"source_name": "MITRE:OilRig",
			"tools": [
				"ISMInjector",
				"ODAgent",
				"RDAT",
				"Systeminfo",
				"QUADAGENT",
				"OopsIE",
				"ngrok",
				"Tasklist",
				"certutil",
				"ZeroCleare",
				"POWRUNER",
				"netstat",
				"Solar",
				"ipconfig",
				"LaZagne",
				"BONDUPDATER",
				"SideTwist",
				"OilBooster",
				"SampleCheck5000",
				"PsExec",
				"SEASHARPEE",
				"Mimikatz",
				"PowerExchange",
				"OilCheck",
				"RGDoor",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "0769c188-62ce-44ee-8e9d-1067f3d3c083",
			"created_at": "2022-10-25T16:07:24.259063Z",
			"updated_at": "2026-04-10T02:00:04.913621Z",
			"deleted_at": null,
			"main_name": "Pat Bear",
			"aliases": [
				"APT-C-37",
				"Pat Bear",
				"Racquet Bear"
			],
			"source_name": "ETDA:Pat Bear",
			"tools": [
				"Bladabindi",
				"CypherRat",
				"DroidJack",
				"H-Worm",
				"H-Worm RAT",
				"Houdini",
				"Houdini RAT",
				"Hworm",
				"Iniduoh",
				"Jenxcus",
				"Jorik",
				"Kognito",
				"Njw0rm",
				"SSLove RAT",
				"SpyNote",
				"SpyNote RAT",
				"WSHRAT",
				"dinihou",
				"dunihi",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "67b2c161-5a04-4e3d-8ce7-cce457a4a17b",
			"created_at": "2025-08-07T02:03:24.722093Z",
			"updated_at": "2026-04-10T02:00:03.681914Z",
			"deleted_at": null,
			"main_name": "COBALT EDGEWATER",
			"aliases": [
				"APT34 ",
				"Cold River ",
				"DNSpionage "
			],
			"source_name": "Secureworks:COBALT EDGEWATER",
			"tools": [
				"AgentDrable",
				"DNSpionage",
				"Karkoff",
				"MailDropper",
				"SideTwist",
				"TWOTONE"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c786e025-c267-40bd-9491-328da70811a5",
			"created_at": "2025-08-07T02:03:24.736817Z",
			"updated_at": "2026-04-10T02:00:03.752071Z",
			"deleted_at": null,
			"main_name": "COBALT GYPSY",
			"aliases": [
				"APT34 ",
				"CHRYSENE ",
				"Crambus ",
				"EUROPIUM ",
				"Hazel Sandstorm ",
				"Helix Kitten ",
				"ITG13 ",
				"OilRig ",
				"Yellow Maero "
			],
			"source_name": "Secureworks:COBALT GYPSY",
			"tools": [
				"Glimpse",
				"Helminth",
				"Jason",
				"MacDownloader",
				"PoisonFrog",
				"RGDoor",
				"ThreeDollars",
				"TinyZbot",
				"Toxocara",
				"Trichuris",
				"TwoFace"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "67709937-2186-4a32-b64c-a5693d40ac77",
			"created_at": "2023-01-06T13:46:38.495593Z",
			"updated_at": "2026-04-10T02:00:02.999196Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"Crambus",
				"Helix Kitten",
				"APT34",
				"IRN2",
				"ATK40",
				"G0049",
				"EUROPIUM",
				"TA452",
				"Twisted Kitten",
				"Cobalt Gypsy",
				"APT 34",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"Earth Simnavaz"
			],
			"source_name": "MISPGALAXY:OilRig",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9802c44a-36d9-4e1e-9f37-76b89b3b61b0",
			"created_at": "2023-11-07T02:00:07.10244Z",
			"updated_at": "2026-04-10T02:00:03.408827Z",
			"deleted_at": null,
			"main_name": "OilAlpha",
			"aliases": [],
			"source_name": "MISPGALAXY:OilAlpha",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b6436f7b-6012-4969-aed1-d440e2e8b238",
			"created_at": "2022-10-25T16:07:23.91517Z",
			"updated_at": "2026-04-10T02:00:04.788408Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"APT 34",
				"ATK 40",
				"Chrysene",
				"Cobalt Gypsy",
				"Crambus",
				"DEV-0861",
				"EUROPIUM",
				"Earth Simnavaz",
				"Evasive Serpens",
				"G0049",
				"Hazel Sandstorm",
				"Helix Kitten",
				"IRN2",
				"ITG13",
				"Scarred Manticore",
				"Storm-0861",
				"TA452",
				"Twisted Kitten",
				"UNC1860",
				"Yellow Maero"
			],
			"source_name": "ETDA:OilRig",
			"tools": [
				"AMATIAS",
				"Agent Drable",
				"Agent Injector",
				"AgentDrable",
				"Alma Communicator",
				"BONDUPDATER",
				"CACTUSPIPE",
				"Clayslide",
				"CypherRat",
				"DNSExfitrator",
				"DNSpionage",
				"DROPSHOT",
				"DistTrack",
				"DropperBackdoor",
				"Fox Panel",
				"GREYSTUFF",
				"GoogleDrive RAT",
				"HighShell",
				"HyperShell",
				"ISMAgent",
				"ISMDoor",
				"ISMInjector",
				"Jason",
				"Karkoff",
				"LIONTAIL",
				"LOLBAS",
				"LOLBins",
				"LONGWATCH",
				"LaZagne",
				"Living off the Land",
				"MailDropper",
				"Mimikatz",
				"MrPerfectInstaller",
				"OILYFACE",
				"OopsIE",
				"POWBAT",
				"POWRUNER",
				"Plink",
				"Poison Frog",
				"PowerExchange",
				"PsList",
				"PuTTY Link",
				"QUADAGENT",
				"RDAT",
				"RGDoor",
				"SEASHARPEE",
				"Saitama",
				"Saitama Backdoor",
				"Shamoon",
				"SideTwist",
				"SpyNote",
				"SpyNote RAT",
				"StoneDrill",
				"TONEDEAF",
				"TONEDEAF 2.0",
				"ThreeDollars",
				"TwoFace",
				"VALUEVAULT",
				"Webmask",
				"WinRAR",
				"ZEROCLEAR",
				"ZeroCleare",
				"certutil",
				"certutil.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434728,
	"ts_updated_at": 1775792256,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/394c09650b288d0354a4b2c1e55ed3af55078cfc.pdf",
		"text": "https://archive.orkl.eu/394c09650b288d0354a4b2c1e55ed3af55078cfc.txt",
		"img": "https://archive.orkl.eu/394c09650b288d0354a4b2c1e55ed3af55078cfc.jpg"
	}
}