{
	"id": "647b0721-c9b8-48a4-a421-7e1ddaabb5a2",
	"created_at": "2026-04-06T00:11:11.918526Z",
	"updated_at": "2026-04-10T03:36:47.930505Z",
	"deleted_at": null,
	"sha1_hash": "48196639c95c8c8ba62ed37a8d607e8dac630230",
	"title": "Two tales and one Antidot(e) — a new mobile malware campaign in Poland",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1289623,
	"plain_text": "Two tales and one Antidot(e) — a new mobile malware campaign in Poland\r\nBy mvaks\r\nPublished: 2025-02-12 · Archived: 2026-04-05 22:47:23 UTC\r\nRecently, the Polish cyber threat landscape has seen a growing number of malicious mobile applications. In addition to the apps impersonating the shopping platforms OLX and Allegro and the Polish bank PKO, which were described in the previous article, a new mobile malware campaign involving the Antidot malware has been detected.\r\nAntidot was first described by researchers from Cyble in May 2024. At that time it was found masquerading as Google Play updates. The malware has overlay and keylogging capabilities and includes a VNC module that lets attackers remotely control infected devices.\r\nIn the recent Polish campaigns the criminals used a scenario built around a supposed update for the Google Chrome application. On compromised Polish websites they placed scripts that, when an unsuspecting victim visited the page, displayed a message urging them to update their software. If the page was opened from a computer running Safari, Google Chrome or Edge, a .dmg file belonging to the SocGholish malware family was downloaded, ultimately leading to an infection with the Lumma Stealer.\r\nIf the page was opened from a mobile device, a message stated that the site was using a new Chromium engine and prompted the download of an .apk file named Update_130.1.6723.108.apk. The file name, resembling a legitimate update, was meant to make the victim less suspicious.
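The conditional delivery described above (a .dmg for desktop Safari, Chrome or Edge, an .apk for mobile devices) can be reproduced from an analysis box by requesting the same page with several User-Agent strings and recording what each one is offered. The script below is an added example written for this page, not code from the original article or from the campaign: the probe_site and classify_response functions, the User-Agent strings and the .dmg file name are assumptions, and the loopback HTTP server is a constructed stand-in for a compromised site so that the example runs offline. The .apk name Update_130.1.6723.108.apk is the one reported in the article.

```python
# Added example, not code from the original article: fetch one suspect
# URL with several User-Agent strings and record what each platform is
# offered, to reproduce the desktop/mobile branching described in the
# article. The small HTTP server is a constructed stand-in for a
# compromised site so the script runs offline; its file names, content
# types and the User-Agent strings are assumptions, not campaign data.
import re
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed User-Agent strings, one per platform the lure tells apart.
PROBE_AGENTS = {
    'desktop-chrome': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36',
    'desktop-safari': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15',
    'android-chrome': 'Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Mobile Safari/537.36',
    'curl': 'curl/8.6.0',
}

class FakeLureHandler(BaseHTTPRequestHandler):
    # Constructed imitation of the injected script's server side: mobile
    # clients get an .apk, desktop Chrome/Safari/Edge get a .dmg, anything
    # else (crawlers, curl) gets a harmless page. Mobile is tested first
    # because Android Chrome also advertises Chrome and Safari in its UA.
    def do_GET(self):
        ua = self.headers.get('User-Agent', '')
        if 'Android' in ua or 'Mobile' in ua:
            self._send_file('Update_130.1.6723.108.apk', 'application/vnd.android.package-archive')
        elif any(token in ua for token in ('Chrome', 'Safari', 'Edg')):
            self._send_file('chrome_update.dmg', 'application/x-apple-diskimage')
        else:
            self._send(b'<html><body>nothing here</body></html>', 'text/html', None)

    def _send_file(self, name, ctype):
        self._send(b'not-a-real-payload', ctype, name)

    def _send(self, body, ctype, name):
        self.send_response(200)
        self.send_header('Content-Type', ctype)
        if name:
            self.send_header('Content-Disposition', 'attachment; filename=' + name)
        self.send_header('Content-Length', str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet

def classify_response(resp):
    # Decide what a response is from Content-Type and Content-Disposition,
    # returning (kind, filename) where kind is apk, dmg, html or other.
    ctype = resp.headers.get('Content-Type', '')
    disp = resp.headers.get('Content-Disposition', '')
    m = re.search('filename=([^;]+)', disp)
    name = m.group(1).strip() if m else ''
    if name.lower().endswith('.apk') or 'android.package-archive' in ctype:
        return 'apk', name
    if name.lower().endswith('.dmg') or 'diskimage' in ctype:
        return 'dmg', name
    if ctype.startswith('text/html'):
        return 'html', name
    return 'other', name

def probe_site(url, agents=PROBE_AGENTS, timeout=5):
    # Fetch the same URL once per User-Agent; map label -> (kind, filename).
    results = {}
    for label, ua in agents.items():
        req = urllib.request.Request(url, headers={'User-Agent': ua})
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            results[label] = classify_response(resp)
    return results

def start_fake_lure():
    # Serve the constructed lure on an ephemeral loopback port in a daemon thread.
    srv = HTTPServer(('127.0.0.1', 0), FakeLureHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, 'http://127.0.0.1:%d/' % srv.server_address[1]

if __name__ == '__main__':
    srv, url = start_fake_lure()
    for label, (kind, name) in probe_site(url).items():
        print(label, kind, name)
    srv.shutdown()
```

Point probe_site at the real URL (through a sandboxed egress) instead of the constructed server to see which branch each platform triggers. Gating of this kind in the wild frequently also depends on the Referer header, the client's geolocation or a once-per-visitor cookie, so a single probe that comes back clean does not prove the page is clean; vary those inputs as well, and treat anything the page returns as untrusted.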
The victim was then instructed to allow the installation of apps from third-party (unknown) sources.\r\nAfter installation, an icon impersonating Google Chrome appeared on the home screen. The icon of the fake application (on the right) differs slightly from that of the original application (on the left).\r\nThe application also requested permission to send notifications, and additionally asked for permission to install other applications: the downloaded app was a dropper, meaning it contained another malicious application.\r\nAfter the installation was approved, the difference between the app icons could be seen, with the original one on top and the fake one below.\r\nAfter the permission was granted, a request to install the Update application appeared. The hidden secondary application also requested Accessibility access in order to take control of the device.\r\nOnce the permissions were granted, the victim was shown a loading screen, which served as a cover for the malicious activity running in the background. The victim’s screen became locked and it was very difficult to get out of it.\r\nSo far, two compromised websites following this attack scenario have been identified in Poland. Both distributed applications connected to the same C2, but their checksums differed.\r\nThe malware is obfuscated with custom encryption code and packed with JSONPacker. Screenshots in the original post show the code connected with the accessibility service (obfuscated names consisting of long numbers), the encryption code, and the application’s C2 as found in the dex file.\r\nIOCs\r\nApplication | Package name | MD5\r\nChrome (dropper) | com.hilabilu.device | 36b70e1789115dc4edfef8b7379f018f\r\nAntidot | com.rocanoji.platform | f6961a4bbd916f1e85f6a954f1155fb4\r\nChrome (dropper) | com.zabogutajo.associative | 83cc7472eb4efc947f3d7c1ebd410e85\r\nUpdate (Antidot) | com.fagulave.data | 0772b1116df1586b419acfbff9f8d96c\r\nC2 https:\r\nSource: https://medium.com/@mvaks/two-tales-and-one-antidot-e-a-new-mobile-malware-campaign-in-poland-de704997096f",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/@mvaks/two-tales-and-one-antidot-e-a-new-mobile-malware-campaign-in-poland-de704997096f"
	],
	"report_names": [
		"two-tales-and-one-antidot-e-a-new-mobile-malware-campaign-in-poland-de704997096f"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434271,
	"ts_updated_at": 1775792207,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/48196639c95c8c8ba62ed37a8d607e8dac630230.pdf",
		"text": "https://archive.orkl.eu/48196639c95c8c8ba62ed37a8d607e8dac630230.txt",
		"img": "https://archive.orkl.eu/48196639c95c8c8ba62ed37a8d607e8dac630230.jpg"
	}
}