{
	"id": "3e1b9890-4692-446a-ab27-9e2c83bc17a7",
	"created_at": "2026-04-06T00:10:45.437797Z",
	"updated_at": "2026-04-10T13:12:09.3794Z",
	"deleted_at": null,
	"sha1_hash": "3ed534f630b9e7f7119bff79ab4585bf785b8834",
	"title": "BianLian - from rags to riches, the malware dropper that had a dream",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 28557,
	"plain_text": "BianLian - from rags to riches, the malware dropper that had a\r\ndream\r\nPublished: 2024-10-01 · Archived: 2026-04-02 10:39:05 UTC\r\nIntro\r\nRecently, while analyzing our daily portion of APK files, searching for new banking-related threats, we found\r\na sample that stood out among the others. While being seemingly benign, the sample was downloading and\r\ninstalling the infamous Anubis malware, which is responsible for financial losses of thousands of Android users\r\naround the globe, targeting more than 300 different apps.\r\nThe thorough investigation of this sample led us to uncover yet another malware dropper campaign on the Google\r\nPlay store - the main source of applications for the vast majority of Android users. The actors have\r\nmanaged to bypass the Play store protections on a regular basis: the first sample that we were able to attribute to\r\nthis campaign was built and uploaded to the store in July 2018 and the most recent one – on October 16th, so the\r\ncampaign has been active for at least 3 months now:\r\nAs visible in the following chart, several different droppers were built over time, on quite a regular basis:\r\nSource: https://www.threatfabric.com/blogs/bianlian_from_rags_to_riches_the_malware_dropper_that_had_a_dream.html\r\nhttps://www.threatfabric.com/blogs/bianlian_from_rags_to_riches_the_malware_dropper_that_had_a_dream.html\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.threatfabric.com/blogs/bianlian_from_rags_to_riches_the_malware_dropper_that_had_a_dream.html"
	],
	"report_names": [
		"bianlian_from_rags_to_riches_the_malware_dropper_that_had_a_dream.html"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434245,
	"ts_updated_at": 1775826729,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3ed534f630b9e7f7119bff79ab4585bf785b8834.pdf",
		"text": "https://archive.orkl.eu/3ed534f630b9e7f7119bff79ab4585bf785b8834.txt",
		"img": "https://archive.orkl.eu/3ed534f630b9e7f7119bff79ab4585bf785b8834.jpg"
	}
}