{
	"id": "6a66790a-74e2-4305-b36b-0ed4242a9eec",
	"created_at": "2026-04-06T00:22:14.456573Z",
	"updated_at": "2026-04-10T03:34:59.374286Z",
	"deleted_at": null,
	"sha1_hash": "57881f46e5671935c508ba0849c24a824d35bfaa",
	"title": "Roaming Mantis, part IV",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 697701,
	"plain_text": "Roaming Mantis, part IV\r\nBy GReAT\r\nPublished: 2019-04-03 · Archived: 2026-04-02 12:09:39 UTC\r\nOne year has passed since we published the first blogpost about the Roaming Mantis campaign on securelist.com,\r\nand this February we detected new activities by the group. This blogpost is a follow-up to our earlier reporting about\r\nthe group, with updates on their tools and tactics.\r\nMobile config for Apple phishing\r\nOur key finding is that the actor continues to seek ways to compromise iOS devices and has even built a new landing\r\npage for iOS users. When an iPhone user visits this landing page, they see pop-up messages guiding them to the\r\nmalicious iOS mobile config installation:\r\nPop-up messages and mobile config installation\r\nAfter installation of this mobile config, the phishing site automatically opens in a web browser and collected\r\ninformation from the device is sent to the attacker’s server. This information includes DEVICE_PRODUCT,\r\nDEVICE_VERSION, UDID, ICCID, IMEI and MEID.\r\nhttps://securelist.com/roaming-mantis-part-iv/90332/\r\nPage 1 of 10\n\nXML and CA in mobile config\r\nThe CA contains the suspected developer’s email address, “zeeyf79797@yahoo.co[.]jp”, which could be malicious.\r\nWe created a test account for this research and used the account credentials at the phishing site. As soon as the threat\r\nactor received the ID and password, the criminals attempted to log in to the account from Hong Kong. 
After entering\r\nthe credentials, we were directed to the next page, which tried to steal the two-factor authentication code (PIN) sent\r\nto the device.\r\nPhishing page for stealing Apple ID and two-factor authentication\r\nRe-spreading the updated sagawa.apk Type A (MoqHao/XLoader)\r\nOn the Android front, our telemetry data shows a new wave of malicious APK files which we detect as “Trojan-Dropper.AndroidOS.Wroba.g”.\r\nsagawa.apk Type A has spread since Feb 26\r\nWe have analyzed the malicious APK file and confirmed that it is definitely a variant of sagawa.apk Type A malware,\r\nalso known as MoqHao (McAfee) and XLoader (TrendMicro). Type A malware was earlier distributed via SMS in\r\nJapan.\r\nWe also found out that the threat actors had compromised routers to overwrite DNS settings and discovered that the\r\nfollowing two features were updated as well:\r\nDecryption algorithm for encrypted payload in Trojan-Dropper module\r\nStored destination and accounts for getting real C2\r\nDecryption algorithm for encrypted payload in Trojan-Dropper module\r\nCompared to the previous version, the Trojan-Dropper’s decryption function has been altered slightly (change\r\nhighlighted in purple):\r\nAdded 4-byte skip from encrypted data in decompiled code\r\nWhy did the attackers change it? Well, the simplified Python script for extracting the encrypted payload was disclosed in\r\nour previous blog posts. 
We suspect that the actor took this into account and introduced some minor changes to their\r\ndecryption algorithm to evade detection by security products and researchers.\r\nHowever, we have updated the simplified Python script according to this change:\r\nsagawa.apk_typeA_payload_extractor_1.01.py\r\n#!/usr/bin/env python\r\nimport sys\r\nimport zlib\r\nimport base64\r\n# read the encrypted payload asset passed on the command line\r\ndata = open(sys.argv[1],\"rb\").read()\r\ndec_z = zlib.decompress(data[4:])            # open.skip(4); the new variant skips the first 4 bytes before inflating\r\ndec_b = base64.b64decode(dec_z)              # the inflated data is base64-encoded\r\nwith open(sys.argv[1]+\".dec\",\"wb\") as fp:\r\n    fp.write(dec_b)\r\nStored destination and accounts for getting real C2\r\nIn the previous campaign, the three accounts “haoxingfu11”, “haoxingfu22” and “haoxingfu33” on @outlook.com\r\nwere stored inside the samples for the purpose of retrieving the C2 server address. In order to fetch the C2 server\r\naddress, the email service was used: the real C2 destination was delivered to the victims in an encrypted form in\r\nthe email subject. In the new version the actor has switched their tactics for retrieving the C2 address from the email\r\nservice to fetching it from Twitter.\r\n“https://twitter.com/%s” is stored in the malware\r\nThe three suspected Twitter accounts were easily found as well, because the sample had the account IDs stored\r\ntogether, separated by the “|” character just like the old samples:\r\nThree account IDs separated by the “|” character\r\nThe decryption algorithm for the real C2 address remained untouched – the malware connects to the extracted real\r\nC2 via web socket. 
In addition to the three accounts mentioned earlier, we found several other accounts:\r\nlucky88755\r\nlucky98745\r\nlucky876543\r\ngyugyu87418490\r\nluckyone1232\r\nsadwqewqeqw\r\nThe decryption algorithm for extracting the real C2 from Chinese characters is the same as in the previous sample, so\r\nour scripts from the old blogpost will still work. All the accounts are related to the same IP, although the port\r\nnumbers are different. The table below shows these changes as derived from the account “@luckyone1232”.\r\nDatetime (UTC) | Encrypted data | Decrypted real C2\r\nFebruary 25 2019 11:30 | 傘傠傘偠傈傠偠傠傐傸偘储傀傐僨傀僨僸傸傀 | 114.43.155[.]227:28855\r\nFebruary 26 2019 08:00 | 傀傸傸偠傠傠傠偘傘储偘傰傠僠僨傀僨僸傸傀 | 220.136.47[.]169:28855\r\nMarch 02 2019 01:00 | 傀傸傸偠傠傠傠偘傘僘偘傰傈傐僨傀僨僸傸傀 | 220.136.49[.]137:28855\r\nMarch 05 2019 06:00 | 傀傸傸偠傠傠傠偘傠僘偘傰僀傸僸僐傀傐 | 220.136.39[.]1:28855\r\nMarch 07 2019 03:00 | 傘傠僸偠傠傈僐偘傰傈储偈傀傰傈僀傸僸僐傀傐 | 118.168.130[.]236:28855\r\nMarch 09 2019 10:00 | 傠傠偈傀傰傸偠傸傰傐偘储傀僨僨傀僨僸傸傀 | 61.230.210[.]228:28855\r\nMarch 13 2019 01:00 | 傘傸傐偠傸储储偘傰储傈偈傈傀僨傀僨僸傸傀 | 125.227.174[.]35:28855\r\nMarch 21 2019 01:00 | 傘偘傰傠僠偈傀储傠偠傈僸僀傸僸僐傀傐 | 1.169.203[.]48:28855\r\nWe also noticed that the threat actor has introduced a new backdoor command “getPhoneState”. 
The following table\r\nshows the comparison of the older and newer versions of the malware (each row gives the old value, then the new value):\r\nDate: August 08 2018 → March 03 2019\r\nMD5: 956f32a28d0057805c7234d6a13aa99b → 651b6888b3f419fc1aac535921535324\r\nFile size: 427.3 KB (437556 bytes) → 396.0 KB (405504 bytes)\r\nMalware type: sagawa.apk Type A, MoqHao (McAfee), XLoader (TrendMicro) → unchanged\r\nEncrypted payload (enc_data): \\assets\\a → \\assets\\bin\r\nDecryption algorithm for payload: payload = base64.b64decode(zlib.decompress(enc_data)); → payload = base64.b64decode(zlib.decompress(enc_data[4:]));\r\nBackdoor commands: sendSms, setWifi, gcont, lock, bc, setForward, getForward, hasPkg, setRingerMode, setRecEnable, reqState, showHome, getnpki, http, onRecordAction, call, get_apps, show_fs_float_window, ping → the same commands plus getPhoneState\r\nStored destination: @outlook.com (email) → https://twitter.com/%s (SNS)\r\nAccounts: haoxingfu11, haoxingfu22, haoxingfu33 → luckyone1232, sadwqewqeqw, gyugyu87418490\r\nRegExp: abcd → \u003ctitle\u003eabcd([\\\\u4e00-\\\\u9fa5]+?) “;\r\nDecryption algorithm for real C2 (identical in both versions):\r\nfor i in range(len(ext)):\r\n    dec = dec + chr((ord(ext[i]) - 0x4e00) \u003e\u003e 3 ^ ord('beg'[j]))\r\n    j = (j+1) % 3\r\nRogue DNS settings in compromised routers again\r\nIn late February 2019, we detected a URL query of a malicious DNS changer. 
Here is an example:\r\nURL query of malicious DNS changer\r\nThe router’s DNS settings are potentially compromised if a device reads the URL query of the DNS changer from\r\nthe local network behind a router with the following conditions:\r\n1. No authentication for the router panel from the local network\r\n2. The device has an admin session for the router panel\r\n3. Simple (or default) ID and password for the router panel, like admin:admin\r\nAs we have observed, several hundred routers have been compromised and all pointed to the rogue DNS IPs.\r\nThis code overwrites the DNS settings of routers with the rogue DNS IPs below:\r\n171.244.33[.]114\r\n171.244.33[.]116\r\nGeographical expansion\r\nAccording to our detection data, new variants of sagawa.apk Type A (Trojan-Dropper.AndroidOS.Wroba.g) have\r\nbeen detected in the wild, based on our KSN data from February 25, 2019 to March 20, 2019.\r\nGeographical expansion from KSN data\r\nThe worst affected countries are Russia, Japan, India, Bangladesh, Kazakhstan, Azerbaijan, Iran and Vietnam. Our\r\nproducts detected this malware over 6,800 times for over 950 unique users during this period. We believe this attack\r\nwave has a much bigger scale and these numbers reflect only a small part of this campaign.\r\nConclusion\r\nWe have seen increased distribution of sagawa.apk Type A since late February 2019. This wave is characterized by a\r\nnew attack method of phishing with a malicious mobile config, although the previously observed DNS manipulation is\r\nalso still actively used. We find the use of a malicious mobile config especially alarming as it may cause serious\r\nproblems for users. 
As explained in an earlier blog post, “the profile could configure the device to use a malicious\r\nproxy or VPN, effectively allowing the attacker to monitor everything.”\r\nWe recommend users take the following steps:\r\nChange the default ID and password, and apply the relevant security patches to counter these threats;\r\nFor Android users: do not download APKs from third-party sources;\r\nFor iOS users: do not install a non-trusted third-party mobile config.\r\nFor further information about this threat actor, please refer to our previous blog posts about Roaming Mantis:\r\nRoaming Mantis uses DNS hijacking to infect Android smartphones\r\nRoaming Mantis dabbles in mining and phishing multilingually\r\nRoaming Mantis, part III: iOS crypto-mining and spreading via malicious content delivery system\r\nKaspersky Lab products detect this malware for Android as:\r\nHEUR:Trojan-Banker.AndroidOS.Wroba\r\nHEUR:Trojan-Dropper.AndroidOS.Wroba\r\nFinally, we would like to show our appreciation to the Japanese researchers @ninoseki and @papa_anniekey, who\r\nhave shared and discussed with us their results of Roaming Mantis campaign research. The criminals are still rapidly\r\nimproving their methods: we discovered an updated sagawa.apk Type A this April; the fresh sample has a DES algorithm\r\nembedded in place of some of its decryption routines. 
We’re going to track Roaming Mantis activity and publish any\r\nnew activities in the future.\r\nIndicators of compromise (IoCs) examples\r\nMalicious hosts:\r\nSuspicious Twitter accounts:\r\nluckyone1232\r\nsadwqewqeqw\r\ngyugyu87418490\r\nlucky88755\r\nlucky98745\r\nlucky876543\r\nsagawa.apk Type A and its modules:\r\nSource: https://securelist.com/roaming-mantis-part-iv/90332/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://securelist.com/roaming-mantis-part-iv/90332/"
	],
	"report_names": [
		"90332"
	],
	"threat_actors": [
		{
			"id": "c94cb0e9-6fa9-47e9-a286-c9c9c9b23f4a",
			"created_at": "2023-01-06T13:46:38.823793Z",
			"updated_at": "2026-04-10T02:00:03.113045Z",
			"deleted_at": null,
			"main_name": "Roaming Mantis",
			"aliases": [
				"Roaming Mantis Group"
			],
			"source_name": "MISPGALAXY:Roaming Mantis",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f9bc28d0-ce98-4991-84ae-5036e5f9d4e3",
			"created_at": "2022-10-25T16:07:24.546437Z",
			"updated_at": "2026-04-10T02:00:05.029564Z",
			"deleted_at": null,
			"main_name": "Roaming Mantis",
			"aliases": [
				"Roaming Mantis Group",
				"Shaoye"
			],
			"source_name": "ETDA:Roaming Mantis",
			"tools": [
				"MoqHao",
				"Roaming Mantis",
				"SmsSpy",
				"Wroba",
				"XLoader"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434934,
	"ts_updated_at": 1775792099,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/57881f46e5671935c508ba0849c24a824d35bfaa.pdf",
		"text": "https://archive.orkl.eu/57881f46e5671935c508ba0849c24a824d35bfaa.txt",
		"img": "https://archive.orkl.eu/57881f46e5671935c508ba0849c24a824d35bfaa.jpg"
	}
}