{
	"id": "38bdc7d2-b45e-4d7f-9ef8-7437c0372701",
	"created_at": "2026-04-06T00:09:08.314158Z",
	"updated_at": "2026-04-10T03:34:59.330769Z",
	"deleted_at": null,
	"sha1_hash": "3cd82a5f4227db4f0e7edd838d36d2afe986f9e3",
	"title": "Over 120 Malicious Domains Discovered in Analysis on New Roaming Mantis Campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 490983,
	"plain_text": "Over 120 Malicious Domains Discovered in Analysis on New Roaming Mantis Campaign\r\nArchived: 2026-04-02 11:24:24 UTC\r\nNovember 19, 2018 • Ofir Ashman\r\nSince April of this year, a rapidly evolving Android malware campaign dubbed Roaming Mantis has been making cyber news headlines. Roaming Mantis debuted with a DNS hijacking attack vector: compromised routers redirected Android devices to a page that pushed a malicious APK spoofing a legitimate application. Later variants of the campaign added phishing pages for iOS users and a cryptocurrency-mining script served to PCs.\r\nRecently, Securelist researchers uncovered a new Roaming Mantis infection vector, again targeting Android devices. The attack starts with a phishing SMS carrying a malicious link which, when clicked, sends the user to a website that downloads the malicious Sagawa APK, named for the Sagawa Express delivery service it impersonates.\r\nDuring the ThreatSTOP Security Team’s analysis of the indicators of compromise for this campaign, we noticed a naming pattern that links one published domain to many other, presumably malicious, domains.\r\nThe Securelist publication listed two domains as malicious hosts for Roaming Mantis. One of them, sagawa-otqwt[.]com, was still active and hosted on the IP 1[.]175[.]177[.]66. Looking at that IP’s passive DNS resolution history, we found that it had recently hosted a similar-looking domain, sagawa-fssdf[.]com.\r\nhttps://blog.threatstop.com/over-120-malicious-domains-discovered-in-analysis-on-new-roaming-mantis-campaign\r\nFurther examination showed that this domain had previously been hosted on two other IPs, 61[.]230[.]47[.]54 and 61[.]228[.]216[.]44, both of which had hosted many other “sagawa” domains. All of these domains follow the same pattern: the string “sagawa-”, followed by 3-5 letters and the .com TLD.\r\nBy repeating the same domain-to-IP-to-domain pivot on the domains hosted on those two IPs, we were able to find many more “sagawa” domains:\r\nThis analysis has provided ThreatSTOP with over 120 new indicators related to the Sagawa APK, and possibly also to Roaming Mantis. We are continuing this analysis and will continue protecting our customers from the Sagawa APK and Roaming Mantis.\r\nWant to learn more, and actually see what's being blocked on your network? Try out ThreatSTOP for 14 days (for free) here.\r\nSource: https://blog.threatstop.com/over-120-malicious-domains-discovered-in-analysis-on-new-roaming-mantis-campaign",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://blog.threatstop.com/over-120-malicious-domains-discovered-in-analysis-on-new-roaming-mantis-campaign"
	],
	"report_names": [
		"over-120-malicious-domains-discovered-in-analysis-on-new-roaming-mantis-campaign"
	],
	"threat_actors": [
		{
			"id": "c94cb0e9-6fa9-47e9-a286-c9c9c9b23f4a",
			"created_at": "2023-01-06T13:46:38.823793Z",
			"updated_at": "2026-04-10T02:00:03.113045Z",
			"deleted_at": null,
			"main_name": "Roaming Mantis",
			"aliases": [
				"Roaming Mantis Group"
			],
			"source_name": "MISPGALAXY:Roaming Mantis",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f9bc28d0-ce98-4991-84ae-5036e5f9d4e3",
			"created_at": "2022-10-25T16:07:24.546437Z",
			"updated_at": "2026-04-10T02:00:05.029564Z",
			"deleted_at": null,
			"main_name": "Roaming Mantis",
			"aliases": [
				"Roaming Mantis Group",
				"Shaoye"
			],
			"source_name": "ETDA:Roaming Mantis",
			"tools": [
				"MoqHao",
				"Roaming Mantis",
				"SmsSpy",
				"Wroba",
				"XLoader"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434148,
	"ts_updated_at": 1775792099,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3cd82a5f4227db4f0e7edd838d36d2afe986f9e3.pdf",
		"text": "https://archive.orkl.eu/3cd82a5f4227db4f0e7edd838d36d2afe986f9e3.txt",
		"img": "https://archive.orkl.eu/3cd82a5f4227db4f0e7edd838d36d2afe986f9e3.jpg"
	}
}
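The domain-to-IP-to-domain pivot that the archived post describes, written out as an added Python example; this is not ThreatSTOP's code and the post names no tool. The passive-DNS records below are constructed for the walk-through: sagawa-otqwt.com, sagawa-fssdf.com and the IPs 1.175.177.66, 61.230.47.54 and 61.228.216.44 are the indicators the post itself names, while every other domain and the 203.0.113.10 address are placeholders invented for the example and are not indicators. The `pivot`, `build_index` and `defang` function names and the `max_depth` parameter are likewise the example's own.

```python
import re
from collections import defaultdict, deque

# Constructed passive-DNS observations (domain, ip) for the walk-through.
# sagawa-otqwt.com, sagawa-fssdf.com and the three IPs 1.175.177.66,
# 61.230.47.54 and 61.228.216.44 are the indicators named in the post.
# Every other entry is a made-up placeholder (not an IOC); 203.0.113.10 is a
# TEST-NET-3 address reserved for documentation.
PDNS_RECORDS = [
    ("sagawa-otqwt.com", "1.175.177.66"),      # published seed domain
    ("sagawa-fssdf.com", "1.175.177.66"),      # sibling seen on the same IP
    ("sagawa-fssdf.com", "61.230.47.54"),      # its earlier hosting IPs
    ("sagawa-fssdf.com", "61.228.216.44"),
    ("sagawa-abcde.com", "61.230.47.54"),      # placeholder sibling
    ("sagawa-qwe.com", "61.228.216.44"),       # placeholder sibling
    ("sagawa-qwe.com", "203.0.113.10"),        # placeholder: moved to a new IP
    ("sagawa-zxcvb.com", "203.0.113.10"),      # placeholder, two hops out
    ("example-cdn.net", "1.175.177.66"),       # unrelated co-hosted domain
    ("sagawa-express.com", "61.230.47.54"),    # wrong shape: seven letters
    ("sagawa-a.com", "203.0.113.10"),          # wrong shape: one letter
]

# The naming pattern from the post: "sagawa-", then 3-5 letters, then ".com".
SAGAWA_PATTERN = re.compile(r"^sagawa-[a-z]{3,5}\.com$")


def build_index(records):
    """Index the records both ways so each pivot is a dictionary lookup."""
    domain_to_ips = defaultdict(set)
    ip_to_domains = defaultdict(set)
    for domain, ip in records:
        domain_to_ips[domain.lower()].add(ip)
        ip_to_domains[ip].add(domain.lower())
    return domain_to_ips, ip_to_domains


def pivot(seed, records, pattern=SAGAWA_PATTERN, max_depth=3):
    """Breadth-first domain -> IP -> domain walk starting from a seed domain.

    Only candidates matching `pattern` are kept and expanded further. A
    non-matching co-hosted domain (a CDN, a shared host) is marked as seen
    but never used as a new pivot, which stops one shared IP from dragging
    in unrelated infrastructure. `max_depth` bounds how many hops from the
    seed the walk may go. Returns (sorted new domains, sorted IPs touched).
    """
    domain_to_ips, ip_to_domains = build_index(records)
    seen_domains = {seed.lower()}
    seen_ips = set()
    found = set()
    queue = deque([(seed.lower(), 0)])
    while queue:
        domain, depth = queue.popleft()
        if depth >= max_depth:
            continue
        for ip in domain_to_ips.get(domain, ()):
            if ip in seen_ips:
                continue
            seen_ips.add(ip)
            for candidate in ip_to_domains[ip]:
                if candidate in seen_domains:
                    continue
                seen_domains.add(candidate)
                if pattern.match(candidate):
                    found.add(candidate)
                    queue.append((candidate, depth + 1))
    return sorted(found), sorted(seen_ips)


def defang(indicator):
    """Render a domain or IP with [.] so it is not clickable or resolvable by accident."""
    return indicator.replace(".", "[.]")


if __name__ == "__main__":
    new_domains, ips = pivot("sagawa-otqwt.com", PDNS_RECORDS)
    print("IPs pivoted through:", ", ".join(defang(ip) for ip in ips))
    print("New pattern-matching domains:")
    for domain in new_domains:
        print("  " + defang(domain))
```

Two checks matter in practice. First, the pattern filter does real work: without it, a pivot through an IP that also serves a CDN or shared-hosting customer would return thousands of unrelated domains, so only pattern-matching candidates are expanded and `max_depth` caps the walk. Second, co-hosting plus a matching name makes a domain a candidate, not a confirmed indicator; the post itself calls the results "presumably malicious", and each candidate should be checked (registration date, active content, overlap with the published IOCs) before it goes on a blocklist.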