{
	"id": "c76980da-547b-4715-83bb-6ecb547e5a35",
	"created_at": "2026-04-06T00:06:26.572134Z",
	"updated_at": "2026-04-10T13:11:55.101129Z",
	"deleted_at": null,
	"sha1_hash": "592f7b0b2c6f3bb23152436306a4d6b5ee0ff7d5",
	"title": "MoqHao (Malware Family)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 59287,
	"plain_text": "MoqHao (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 17:52:07 UTC\r\nMoqHao\r\naka: Shaoye, Wroba, XLoader\r\nActor(s): Yanbian Gang\r\nMoqHao, also called Wroba and XLoader (not to be confused with the malware of the same name for Windows\r\nand macOS), is an Android-based mobile threat that is associated with a financially motivated Chinese group\r\ncalled Roaming Mantis. The malware claims to be the default SMS application and has dropper and banker\r\ncapabilities.\r\nReferences\r\n2023-03-31 ⋅ Telekom ⋅\r\nMoqhao masters new tricks\r\nMoqHao\r\n2023-03-16 ⋅ Team Cymru ⋅ S2 Research Team\r\nMoqHao Part 3: Recent Global Targeting Trends\r\nMoqHao\r\n2023-01-19 ⋅ Kaspersky Labs ⋅ GReAT\r\nRoaming Mantis implements new DNS changer in its malicious mobile app in 2022\r\nMoqHao\r\n2022-08-11 ⋅ xanhacks' infosec blog ⋅ xanhacks\r\nMoqHao Android malware analysis and phishing campaign\r\nMoqHao\r\n2022-07-18 ⋅ Sekoia ⋅ Quentin Bourgue, Threat \u0026 Detection Research Team\r\nOngoing Roaming Mantis smishing campaign targeting France\r\nMoqHao\r\n2022-04-12 ⋅ Broadcom ⋅ Broadcom\r\nMoqHao malware continues to target mobile users in Europe\r\nMoqHao\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/apk.moqhao\r\nPage 1 of 3\n\n2022-04-07 ⋅ Team Cymru ⋅ Josh Hopkins\r\nMoqHao Part 2: Continued European Expansion\r\nMoqHao\r\n2021-08-11 ⋅ Team Cymru ⋅ Josh Hopkins\r\nMoqHao Part 1.5: High-Level Trends of Recent Campaigns Targeting Japan\r\nMoqHao\r\n2021-05-18 ⋅ Medium (Cryptax) ⋅ Axelle Apvrille\r\nA native packer for Android/MoqHao\r\nMoqHao\r\n2021-05-05 ⋅ Kashif Ali Surfeit and Blasé Security ⋅ Kashif Ali\r\nRoaming Mantis Amplifies Smishing Campaign with OS-Specific Android Malware\r\nMoqHao Roaming Mantis\r\n2021-01-20 ⋅ Team Cymru ⋅ Andy Kraus\r\nMoqHao Part 1: Identifying Phishing Infrastructure\r\nMoqHao\r\n2020-06-25 ⋅ Medium CSIS Techblog ⋅ Aleksejs Kuprins\r\nThe RoamingMantis Group’s Expansion to European Apple Accounts and Android Devices\r\nFakeSpy FunkyBot MoqHao\r\n2020-02-27 ⋅ Kaspersky Labs ⋅ Suguru Ishimaru\r\nRoaming Mantis, part V: Distributed in 2019 using SMiShing and enhanced anti-researcher techniques\r\nFunkyBot MoqHao Roaming Mantis\r\n2020-01-17 ⋅ Hiroaki Ogawa, Manabu Niseki\r\n100 more behind cockroaches?\r\nMoqHao Emotet Predator The Thief\r\n2019-01-01 ⋅ Kaspersky Labs ⋅ Hiroaki Ogawa, Manabu Niseki, Suguru Ishimaru\r\nRoaming Mantis: an Anatomy of a DNS Hijacking Campaign\r\nMoqHao Roaming Mantis\r\n2018-11-26 ⋅ Trend Micro ⋅ Ecular Xu, Lorin Wu\r\nExamining XLoader, FakeSpy, and the Yanbian Gang\r\nFakeSpy MoqHao Yanbian Gang\r\n2018-11-26 ⋅ Trend Micro ⋅ Ecular Xu, Lorin Wu\r\nA Look into the Connection Between XLoader and FakeSpy, and Their Possible Ties With the Yanbian Gang\r\nFakeSpy MoqHao\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/apk.moqhao\r\nPage 2 of 3\n\n2018-04-20 ⋅ Trend Micro ⋅ Trend Micro\r\nXLoader Android Spyware and Banking Trojan Distributed via DNS Spoofing\r\nMoqHao Yanbian Gang\r\nThere is no Yara-Signature yet.\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/apk.moqhao\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/apk.moqhao\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://malpedia.caad.fkie.fraunhofer.de/details/apk.moqhao"
	],
	"report_names": [
		"apk.moqhao"
	],
	"threat_actors": [
		{
			"id": "4c5a35bf-f483-463e-aea0-89a795698cff",
			"created_at": "2023-01-06T13:46:39.198624Z",
			"updated_at": "2026-04-10T02:00:03.243996Z",
			"deleted_at": null,
			"main_name": "Yanbian Gang",
			"aliases": [],
			"source_name": "MISPGALAXY:Yanbian Gang",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c94cb0e9-6fa9-47e9-a286-c9c9c9b23f4a",
			"created_at": "2023-01-06T13:46:38.823793Z",
			"updated_at": "2026-04-10T02:00:03.113045Z",
			"deleted_at": null,
			"main_name": "Roaming Mantis",
			"aliases": [
				"Roaming Mantis Group"
			],
			"source_name": "MISPGALAXY:Roaming Mantis",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8f350ed9-134e-4160-b63d-701f562ba64a",
			"created_at": "2022-10-25T16:07:24.589322Z",
			"updated_at": "2026-04-10T02:00:05.045635Z",
			"deleted_at": null,
			"main_name": "Yanbian Gang",
			"aliases": [],
			"source_name": "ETDA:Yanbian Gang",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f9bc28d0-ce98-4991-84ae-5036e5f9d4e3",
			"created_at": "2022-10-25T16:07:24.546437Z",
			"updated_at": "2026-04-10T02:00:05.029564Z",
			"deleted_at": null,
			"main_name": "Roaming Mantis",
			"aliases": [
				"Roaming Mantis Group",
				"Shaoye"
			],
			"source_name": "ETDA:Roaming Mantis",
			"tools": [
				"MoqHao",
				"Roaming Mantis",
				"SmsSpy",
				"Wroba",
				"XLoader"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433986,
	"ts_updated_at": 1775826715,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/592f7b0b2c6f3bb23152436306a4d6b5ee0ff7d5.pdf",
		"text": "https://archive.orkl.eu/592f7b0b2c6f3bb23152436306a4d6b5ee0ff7d5.txt",
		"img": "https://archive.orkl.eu/592f7b0b2c6f3bb23152436306a4d6b5ee0ff7d5.jpg"
	}
}