{
	"id": "77466c22-4217-45cc-bae2-074392e95dc3",
	"created_at": "2026-04-06T00:07:46.505941Z",
	"updated_at": "2026-04-10T13:12:51.386489Z",
	"deleted_at": null,
	"sha1_hash": "3b962d5f57dd62b826f0786a7157f6e78ad14757",
	"title": "The wolf is back...",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1595586,
	"plain_text": "The wolf is back...\r\nBy Warren Mercer\r\nPublished: 2020-05-19 · Archived: 2026-04-05 19:24:30 UTC\r\nTuesday, May 19, 2020 13:00\r\nBy Warren Mercer, Paul Rascagneres and Vitor Ventura.\r\nNews summary\r\nThai Android devices and users are being targeted by a modified version of DenDroid we are calling\r\n\"WolfRAT,\" now targeting messaging apps like WhatsApp, Facebook Messenger and Line.\r\nWe assess with high confidence that this modified version is operated by the infamous Wolf Research.\r\nThis actor has shown a surprising level of amateur actions, including code overlaps, open-source project\r\ncopy/paste, classes never being instantiated, unstable packages and unsecured panels.\r\nExecutive summary\r\nCisco Talos has discovered a new Android malware based on a leak of the DenDroid malware family. We named\r\nthis malware \"WolfRAT\" due to strong links between this malware (and the command and control (C2)\r\ninfrastructure) and Wolf Research, an infamous organization that developed interception and espionage-based\r\nmalware and was publicly described by CSIS during Virus Bulletin 2018. We identified infrastructure overlaps\r\nand string references to previous Wolf Research work. The organization appears to be shut down, but the threat\r\nactors are still very active.\r\nWe identified campaigns targeting Thai users and their devices. Some of the C2 servers are located in Thailand.\r\nThe panels also contain Thai JavaScript comments, and the domain names contain references to Thai food, a\r\ntactic commonly employed to entice users to click/visit these C2 panels without much disruption.\r\nhttps://blog.talosintelligence.com/2020/05/the-wolf-is-back.html\r\nPage 1 of 16\n\nWe identified a notable lack of sophistication in this investigation, such as copy/paste, unstable code, dead code\r\nand panels that are freely open.\r\nWhat's new?\r\nWolfRAT is based on a previously leaked malware named DenDroid. 
The new malware appears to be linked to the\r\ninfamous Wolf Research organization and targets Android devices located in Thailand.\r\nHow did it work?\r\nThe malware mimics legitimate services such as Google services, Google Play or a Flash update. The malware is not really\r\nadvanced and is based on a lot of copy/paste from public sources available on the Internet. The C2 infrastructure\r\nshows a similar lack of sophistication: open panels, reuse of old servers publicly tagged as malicious…\r\nSo what?\r\nAfter being publicly denounced by CSIS Group — a threat intelligence company in Denmark — Wolf Research\r\nwas closed and a new organization named LokD was created. This new organization seems to work on securing\r\nAndroid devices. However, thanks to the infrastructure sharing and forgotten panel names, we assess with high\r\nconfidence that this actor is still active, is still developing malware and has been using it from mid-June to\r\ntoday. On the C2 panel, we found a potential link between Wolf Research and another Cyprus organization named\r\nCoralco Tech. This organization is also working on interception technology.\r\nLinks to Wolf Intelligence\r\nDuring the Virus Bulletin conference in 2018, CSIS researchers Benoît Ancel and Aleksejs Kuprins gave a\r\npresentation on Wolf Research and the offensive arsenal developed by the organization. They mentioned an\r\nAndroid, iOS and Windows remote access tool (RAT). Their findings showed that Wolf is headquartered in\r\nGermany with offices in Cyprus, Bulgaria, Romania, India and (possibly) the U.S. The organization was closed\r\nafter the CSIS presentation. However, the director created a new organization in Cyprus named LokD. This new\r\norganization proposed the creation of a more secure Android phone. 
Based on the organization's website, it also\r\noffers services and has developed zero-day vulnerabilities to test its own products:\r\nZero-day research from lokd.com\r\nWe can see that the organization owner still has an interest in Android devices. Based on infrastructure overlaps\r\nand leaked information, we assess with high confidence that the malware we identified and present in this paper is\r\nlinked to Wolf Research.\r\nOne of the samples\r\n(e19823a1ba4a0e40cf459f4a0489fc257720cc0d71ecfb7ad94b3ca86fbd85d1) uses the C2 server\r\nsvcws[.]ponethus[.]com. Based on our research and Benoît Ancel's tracker, this C2 was used by Wolf Intelligence:\r\nAdditionally, we identified two empty panels on a C2 server: a new one with the title \"Coralco Archimedes,\"\r\nand an older version with the title \"Wolf Intelligence:\"\r\nNew panel\r\nOld panel\r\nThe new panel name contains \"Coralco.\" Coralco Tech is an organization located in Cyprus\r\nproviding interception tools. We cannot say for sure if Wolf Research and Coralco Tech are linked, but this panel\r\nname, their offerings and the panel layout suggest the two should be considered suspiciously linked.\r\nCoralco Tech's services description.\r\nVictimology on the identified campaigns\r\nThe campaigns we analyzed targeted Android devices in Thailand.\r\nThe C2 server domains are linked to Thai food:\r\nNampriknum[.]net: Nam Phrik Num\r\nSomtum[.]today: Som Tum\r\nWe also identified comments in Thai on the C2 infrastructure mentioned in the previous chapter:\r\nMalware\r\nDenDroid\r\nThe Android malware is based on the DenDroid Android malware. 
Several analysis reports were published on this\r\nmalware in 2014 and, finally, the source code was leaked in 2015. The original leak is no longer available on\r\ngithub.com, but a copy can be found here. The table below shows the commands available to the operator for\r\ntasking on infected devices.\r\nThis malware is simplistic in comparison to some modern-day Android malware. The clearest example of that is that\r\nit does not use the accessibility framework to collect information on non-rooted devices. The\r\ncommands are self-explanatory and show the features included in the malware. Some of them, like takephoto,\r\ntakevideo, recordaudio, getsentsms and uploadpictures, are focused on espionage activities. Others, like transferbot,\r\npromptupdate and promptuninstall, are meant to help the operator manage the malware.\r\nVersion #1: June 2019 — Domain: databit[.]today\r\nDuring our investigation, we identified at least four major releases of the RAT. The permissions on the first\r\nversion of the malware lay out the foundations of a spying trojan.\r\nPermissions\r\nThe package name follows the original naming style used by DenDroid. The code is obfuscated but not packed. This\r\nmalware also contains a screen recorder.\r\nThis feature is implemented using another open-source software package that can be found here. The service is\r\nimplemented in the class com.serenegiant.service.ScreenRecorderService, which is declared in the package\r\nmanifest. During our analysis of this sample, we noticed that the class itself is never called or used by the\r\nmalware. It remains present in the code, but is never invoked.\r\nVersion #2: June - Aug. 
2019 — Domain: somtum[.]today\r\nThis is the first version that shows the code organization that all later versions of this malware\r\ncontinue to use.\r\nCode structure\r\nThis code is not obfuscated; when compared with the previous version, it becomes clear that this is the\r\nsame code base. One of the first changes that stands out is that the screen recording feature mentioned in the\r\nprevious sample has been removed. A new class was added called com.utils.RestClient. This class is based on\r\npublic code belonging to the package praeda.muzikmekan, which can be found here among other places. Just like\r\nin previous examples, the malware author does not use this package.\r\nMissing permissions\r\nThe lack of the READ_FRAME_BUFFER permission can be explained by the removal of the screen record feature.\r\nACCESS_SUPERUSER may have been removed because it was deprecated upon the release of Android 5.0\r\nLollipop in 2014. The reality is that the RAT's functionality can be implemented with just the\r\npermissions declared in the manifest, so there is no need for higher privileges.\r\nVersion #3: Sept. - Dec. 2019 — Domain: ponethus[.]com\r\nGiven that there is some overlap between the previous two versions, it came as no surprise to us that we finally\r\nidentified a sample which is an evolution of both previous versions. This sample is clearly a mix between\r\nthe two. This is also the first version where the package name changes into something that a less aware user may\r\nbe tricked by, com.android.playup.\r\nThis version brings back the ACCESS_SUPERUSER and READ_FRAME_BUFFER permissions. 
However, this\r\ntime, the permission is actually used.\r\nWhatsApp message capture\r\nThe service com.serenegiant.service.ScreenRecorderService is invoked by the ScreenRecorderActivity. Upon\r\ncreation, this activity launches a thread that loops on a 50-second interval. In the first iteration, the screen\r\nrecording is started and will only stop when the RAT determines that WhatsApp is not running. It is restarted in the\r\nnext cycle depending on whether WhatsApp is running.\r\nIn this version, the developer added more classes from the same package. Even though we could not find\r\nindications that they are in use, two stand out: Bluetooth, which allows interaction with the Bluetooth interface,\r\nand net/deacon, which implements a beaconing system based on UDP.\r\nAndroid shell\r\nA new package was added that allows the execution of commands in the Android shell. Again, this package's source\r\ncode is publicly available and can be found here. One of the uses the malware gives to this package is the\r\nexecution of the command \"dumpsys\" to determine if certain activities are running.\r\nCheck if chat apps are running\r\nIn the above example, the malware is searching for Line, Facebook Messenger and WhatsApp activities. This is\r\npart of a class called CaptureService, which already existed in the previous version but was not properly\r\nimplemented.\r\nPrevious version\r\nThe capture service class implements the chat application interception. Upon creation, the class starts taking\r\nscreenshots, which are stopped and uploaded to the C2 once the service can't find the targeted applications\r\nrunning. The core of this functionality is also based on an open-source project that can be found here.\r\nAnother novelty is a VPN-related package, which is based on OrbotVPN. 
Once again, it doesn't seem to actually\r\nbe in use. The same happens with the package squareup.otto, which is an open-source event bus implementation focused\r\non Android. Both sources can be found here and here.\r\nVersion #4: April 2020 — Domain: nampriknum.net\r\nFollowing the same pattern, this version has some added features, while others which were not in use were removed.\r\nFirst of all, the new package name is com.google.services, which can easily be confused with a legitimate Google\r\nservice. The VPN package is no longer present, further reinforcing our conclusion that it was not in use.\r\nWolfRAT application screen\r\nThe Google GMS and Firebase services have been added; however, no configuration has been found, even though the\r\nservices seem to be referenced by a new class. The new class is called NotificationListener and extends the\r\nNotificationListenerService class. This would allow the RAT to receive system notifications.\r\nNotification handling method\r\nThe class is only implemented in debug mode, pushing all captured information into the log. The usage of the\r\nPlusShare API in 2020 denotes some unprofessional development, since this is the API to access Google+. This\r\nservice, along with the API, was fully decommissioned in March 2019.\r\nThis version adds one significant class — it requests DEVICE_ADMIN privileges.\r\nDevice admin policies\r\nLooking at the policy definition, we can see that it lists all the available policies, even though most of them are\r\ndeprecated on Android 10.0 and their usage results in a security exception. 
The implementation again seems\r\nto have been added for testing purposes only.\r\nVersions overview\r\nThe DenDroid code base was kept to such an extent that even the original base64-encoded password was kept.\r\nOriginal password\r\nThe main service follows the same structure as the first version; the anti-analysis features are primitive, only\r\nchecking for an emulator environment, without any kind of packing or obfuscation.\r\nThe malware will start the main service if all the requested permissions and the device admin privileges are\r\ngranted. Otherwise, it launches an ACTION_APPLICATION_SETTINGS intent, trying to trick the user into granting\r\nthe permissions.\r\nEach sample contains a hardcoded userId, meaning that each sample can only be used against one victim. It seems,\r\nhowever, that if the same victim has more than one device the same sample can be reused, since the IMEI is sent along with\r\neach data exfiltration.\r\nIt is clear that this RAT is under intense development; however, the addition and removal of packages, along with\r\nthe huge quantity of unused code and the usage of deprecated and old techniques, denotes an amateur development\r\nmethodology.\r\nConclusion\r\nWe witness actors continually using open-source platforms, code and packages to create their own software. Some\r\nare carried out well; others, like WolfRAT, are designed with an overload of functionality in mind rather than\r\nany sensible approach to the development process. After all, a working product is often more important\r\nthan a stable product. We watched WolfRAT evolve through various iterations, which shows that the actor wanted\r\nto ensure functional improvements — perhaps they had deadlines to meet for their customers, but with no thought\r\ngiven to removing old code blocks, classes, etc. 
throughout the Android package.\r\nWolfRAT is a specifically targeted RAT which we assess to be aimed at Thai individuals and, based on previous\r\nwork from Wolf Research, most likely used as an intelligence-gathering or interception tool. This can be\r\npackaged and \"sold\" in many different ways to customers. A \"Tracking tool\" or an \"Admin tool\" are often cited for\r\nthese kinds of tools for \"commercial\" or \"enterprise\" usage. Wolf Research claimed to shut down their operations,\r\nbut we clearly see that their previous work continues under another guise.\r\nThe ability to carry out these types of intelligence-gathering activities on phones represents a huge score for the\r\noperator. The chat details, WhatsApp records, messengers and SMSs of the world carry sensitive\r\ninformation which people often forget about when communicating with their devices. We see WolfRAT specifically\r\ntargeting a highly popular encrypted chat app in Asia, Line, which suggests that even a careful user with some\r\nawareness of end-to-end encrypted chats would still be at the mercy of WolfRAT and its prying eyes.\r\nCoverage\r\nWays our customers can detect and block this threat are listed below.\r\nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these\r\nthreat actors. 
Exploit Prevention present within AMP is designed to protect customers from unknown attacks such\r\nas this automatically.\r\nCisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious\r\nwebsites and detects malware used in these attacks.\r\nEmail Security can block malicious emails sent by threat actors as part of their campaign.\r\nNetwork Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention\r\nSystem (NGIPS), Cisco ISR, and Meraki MX can detect malicious activity associated with this threat.\r\nAMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.\r\nUmbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs,\r\nwhether users are on or off the corporate network.\r\nOpen Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack\r\navailable for purchase on Snort.org.\r\nIOCs\r\nSource: https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html"
	],
	"report_names": [
		"the-wolf-is-back.html"
	],
	"threat_actors": [
		{
			"id": "08c8f238-1df5-4e75-b4d8-276ebead502d",
			"created_at": "2023-01-06T13:46:39.344081Z",
			"updated_at": "2026-04-10T02:00:03.294222Z",
			"deleted_at": null,
			"main_name": "Copy-Paste",
			"aliases": [],
			"source_name": "MISPGALAXY:Copy-Paste",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434066,
	"ts_updated_at": 1775826771,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3b962d5f57dd62b826f0786a7157f6e78ad14757.pdf",
		"text": "https://archive.orkl.eu/3b962d5f57dd62b826f0786a7157f6e78ad14757.txt",
		"img": "https://archive.orkl.eu/3b962d5f57dd62b826f0786a7157f6e78ad14757.jpg"
	}
}