{
	"id": "691746ec-93d5-4faa-8989-85cafc708473",
	"created_at": "2026-04-06T00:17:44.922482Z",
	"updated_at": "2026-04-10T03:30:33.915766Z",
	"deleted_at": null,
	"sha1_hash": "5b04633a8f34219d4d352bb32655c22cefe056fd",
	"title": "EventBot: A New Mobile Banking Trojan is Born",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1646338,
	"plain_text": "EventBot: A New Mobile Banking Trojan is Born\r\nBy Cybereason Nocturnus\r\nArchived: 2026-04-05 17:19:52 UTC\r\nResearch by: Daniel Frank, Lior Rochberger, Yaron Rimmer and Assaf Dahan\r\nKey Findings \r\nThe Cybereason Nocturnus team is investigating EventBot, a new type of Android mobile malware that emerged\r\naround March 2020. EventBot is a mobile banking trojan and infostealer that abuses Android’s accessibility features\r\nto steal user data from financial applications, read user SMS messages, and steal SMS messages to allow the\r\nmalware to bypass two-factor authentication.\r\nEventBot targets users of over 200 different financial applications, including banking, money transfer services, and\r\ncrypto-currency wallets. Those targeted include applications like Paypal Business, Revolut, Barclays, UniCredit,\r\nCapitalOne UK, HSBC UK, Santander UK, TransferWise, Coinbase, paysafecard, and many more. \r\n It specifically targets financial banking applications across the United States and Europe, including Italy, the UK,\r\nSpain, Switzerland, France, and Germany. The full list of banking applications targeted is included in the appendix. \r\nEventBot is particularly interesting because it is in such early stages. This brand new malware has real potential to\r\nbecome the next big mobile malware, as it is under constant iterative improvements, abuses a critical operating\r\nsystem feature, and targets financial applications. \r\nThis research gives a rare look into the process improvements malware authors make when optimizing before\r\nlaunch. By going on the offensive and hunting the attackers, our team was able to unearth the early stages of what\r\nmay be a very dangerous mobile malware. 
\r\ntable of contents\r\nSecurity Recommendations\r\nIntroduction\r\nThreat Analysis\r\nCommon Features\r\nUnique Features by Version\r\nMalware Under Active Development\r\nSuspected Detection Tests by the Threat Actor\r\nEventBot Infrastructure\r\nCybereason Mobile\r\nConclusion\r\nIndicators of Compromise\r\nMITRE ATT\u0026CK for Mobile Breakdown\r\nSecurity Recommendations\r\nKeep your mobile device up-to-date with the latest software updates from legitimate sources.\r\nKeep Google Play Protect on.\r\nhttps://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born\r\nPage 1 of 20\n\nDo not download mobile apps from unofficial or unauthorized sources. Most legitimate Android apps are available\r\non the Google Play Store. \r\nAlways apply critical thinking and consider whether you should give a certain app the permissions it requests. \r\nWhen in doubt, check the APK signature and hash in sources like VirusTotal before installing it on your device. \r\nUse mobile threat detection solutions for enhanced security.\r\nIntroduction\r\nFor the past few weeks, the Cybereason Nocturnus team has been investigating a new type of Android malware dubbed\r\nEventBot, which was first identified in March 2020. This malware appears to be newly developed with code that differs\r\nsignificantly from previously known Android malware. EventBot is under active development and is evolving rapidly; new\r\nversions are released every few days with improvements and new capabilities. \r\nEventBot abuses Android’s accessibility feature to access valuable user information, system information, and data stored in\r\nother applications. 
In particular, EventBot can intercept SMS messages and bypass two-factor authentication mechanisms.\r\nThe Cybereason Nocturnus team has concluded that EventBot is designed to target over 200 different banking and finance\r\napplications, the majority of which are European bank and crypto-currency exchange applications.\r\nBy accessing and stealing this data, EventBot has the potential to access key business data, including financial data. 60% of\r\ndevices containing or accessing enterprise data are mobile, and mobile devices tend to include a significant amount of\r\npersonal and business data, assuming the organization has a bring-your-own-device policy in place. Mobile malware is a\r\nsignificant risk for organizations and consumers alike, and must be considered when protecting personal and business data. \r\nApplications targeted by EventBot.\r\nCybereason Mobile detecting EventBot.\r\nThreat Analysis\r\nInitial Access\r\nThough EventBot is not currently on the Google Play Store, we were able to find several icons EventBot is using to\r\nmasquerade as a legitimate application. We believe that, when it is officially released, it will most likely be uploaded to\r\nrogue APK stores and other shady websites, while masquerading as real applications. \r\nIcons EventBot uses to masquerade as a legitimate application.\r\nMalware Capabilities\r\nThe Cybereason Nocturnus team has been following EventBot since the beginning of March 2020. The team has\r\nencountered different versions of the malware over time as it has rapidly evolved. At the time of writing this research, four\r\nversions of the EventBot malware were observed: Versions 0.0.0.1, 0.0.0.2, 0.3.0.1 and 0.4.0.1. Each version expands\r\nthe bot’s functionality and works to obfuscate the malware against analysis. 
In this research, we review common features of\r\nthe malware and examine the improvements the threat actor made in each version.\r\nCommon Features\r\nPermissions\r\nWhen installed, EventBot requests the following permissions on the device:\r\nSYSTEM_ALERT_WINDOW - allow the app to create windows that are shown on top of other apps.\r\nREAD_EXTERNAL_STORAGE - read from external storage.\r\nREQUEST_INSTALL_PACKAGES - make a request to install packages.\r\nINTERNET - open network sockets.\r\nREQUEST_IGNORE_BATTERY_OPTIMIZATIONS - whitelist the app to allow it to ignore battery\r\noptimizations.\r\nWAKE_LOCK - prevent the processor from sleeping and dimming the screen.\r\nACCESS_NETWORK_STATE - allow the app to access information about networks.\r\nREQUEST_COMPANION_RUN_IN_BACKGROUND - let the app run in the background.\r\nREQUEST_COMPANION_USE_DATA_IN_BACKGROUND - let the app use data in the background.\r\nRECEIVE_BOOT_COMPLETED - allow the application to launch itself after system boot. 
EventBot uses this\r\npermission in order to achieve persistence and run in the background as a service.\r\nRECEIVE_SMS - allow the application to receive text messages.\r\nREAD_SMS - allow the application to read text messages.\r\nEventBot’s permissions as seen in the manifest file.\r\nThe Initial Installation Process\r\nOnce installed, EventBot prompts the user to give it access to accessibility services.\r\nInitial request by EventBot to run as a service.\r\nOnce the malware can use accessibility services, it has the ability to operate as a keylogger and can retrieve notifications\r\nabout other installed applications and content of open windows.\r\nEventBot’s request to use accessibility services.\r\nIn more up-to-date versions of Android, EventBot will ask for permissions to run in the background before deleting itself\r\nfrom the launcher.\r\nEventBot requests permissions to always run in the background.\r\nDownload and Update the Target Configuration File\r\nBy analyzing and decoding the HTTP packets in EventBot Version 0.0.0.1, we can see that EventBot downloads and\r\nupdates a configuration file with almost 200 different financial application targets. Following is the HTTP response from\r\nthe C2 server, containing the encrypted configuration: \r\nEncrypted HTTP response returned from the C2.\r\nIn Version 0.0.0.1, the communication with the C2 is protected using Base64 encoding and RC4 encryption. The RC4 key is hardcoded in\r\nEventBot. Upon decryption, we can see that the response from the server is a JSON object of EventBot’s configuration,\r\nwhich contains C2 URLs and a targeted applications list.\r\nDecrypted EventBot configuration returned from the C2.\r\nThe configuration file contains a list of financial applications that can be targeted by EventBot. 
This version includes 185\r\ndifferent applications, including official applications of worldwide banks. 26 of the targeted applications are from Italy, 25\r\nare from the UK, 6 are from Germany, 5 are from France, and 3 are from Spain. However, it also targets applications from\r\nRomania, Ireland, India, Austria, Switzerland, Australia, Poland and the USA. In addition to official banking applications,\r\nthe target list includes 111 other global financial applications for banking and credit card management, money transfers, and\r\ncryptocurrency wallets and exchanges. Those targeted include Paypal Business, Revolut, Barclays, UniCredit, CapitalOne\r\nUK, HSBC UK, Santander UK, TransferWise, Coinbase, paysafecard, and many more. The full list of banking applications\r\ntargeted is included in the appendix. \r\nAbuse of Accessibility Services\r\nEventBot abuses the accessibility services of Android devices for the majority of its activity. Accessibility features are\r\ntypically used to help users with disabilities by giving the device the ability to write into input fields, auto-generate\r\npermissions, perform gestures for the user, etc. However, when used maliciously, accessibility features can be used to\r\nexploit legitimate services for malicious purposes, like with EventBot. EventBot uses multiple methods to exploit\r\naccessibility events for webinjects and other information stealing purposes. \r\nData Gathering\r\nGetting a list of all installed applications: Once EventBot is installed on the target machine, it lists\r\nall the applications on the target machine and sends them to the C2. 
\r\nDevice information: EventBot queries for device information like OS, model, etc., and also sends that to the C2.\r\nInformation gathered about the infected device to be sent to the C2.\r\nData encryption: In the initial version of EventBot, the data being exfiltrated is protected using Base64 encoding and\r\nRC4 encryption. In later versions, another encryption layer is added using Curve25519 encryption. All of the most recent\r\nversions of EventBot contain a ChaCha20 library that can improve performance when compared to other\r\nalgorithms like RC4 and AES. This implies that the authors are actively working to optimize EventBot over\r\ntime.\r\nSMS grabbing: EventBot has the ability to parse SMS messages by using the targeted device’s SDK version\r\nto parse them correctly.\r\nParsing of grabbed SMS messages.\r\nWebinjects: According to the bot’s configuration, if a webinject is set for a given application, it will be\r\nexecuted.\r\nWeb injects execution method by a pre-established configuration.\r\nBot Updates\r\nEventBot has a long method called parseCommand that can update EventBot’s configuration XML files, located in the\r\nshared preferences folder on the device.\r\nDropped XML configuration files on the device.\r\nEventBot uses this function to update its C2s, the configuration of webinjects, etc. 
The following code shows EventBot\r\nparsing instructions sent from the C2.\r\nParsing of instructions by the bot from the C2.\r\nUnique Features by Version\r\nEventBot Version 0.0.0.1\r\nRC4 and Base64 Packet Encryption\r\nRC4 and Base64 data decryption from the C2.\r\nAs mentioned above, EventBot Version 0.0.0.1 sends a JSON object containing the Android package names of all the apps\r\ninstalled on the victim’s device alongside additional metadata, including the bot version, botnetID, and the reason this\r\npackage is sent. For this particular packet, the reason is registration of the bot. If the connection to the C2 fails, it will\r\ncontinue to retry until it is successful. \r\nLogcat from the infected device.\r\nEventBot Version 0.0.0.2\r\nDynamic Library Loading\r\nAs of Version 0.0.0.2, EventBot attempts to hide its main functionality from static analysis. With Version 0.0.0.1, there is a\r\ndedicated functions class where all main malicious activity happens and can be observed. Instead, in Version 0.0.0.2,\r\nEventBot dynamically loads its main module. \r\nLoaded library as seen in Logcat.\r\nBy browsing EventBot’s installation path on the device, we can see the library dropped in the app_dex folder.\r\nThe loaded library dropped on the device.\r\nThe code to load the main module dynamically can also be seen statically. The malicious library is loaded from EventBot’s\r\nassets, which contain a font file called default.ttf that is actually the hidden library, and is then decoded using RC4.\r\nThe method responsible for the library loading.\r\nEventBot has the ability to update its library or potentially even download a second library when given a command from the\r\nC2. 
An updated library name is generated by calculating the md5sum of several device properties, while concatenating the\r\nbuild model twice in case of an update to the library.\r\nUpdated library naming convention\r\nNew library naming convention.\r\nData Encryption\r\nThe Curve25519 encryption algorithm was implemented as of EventBot Version 0.0.0.2. This encryption algorithm is an\r\nextra security layer for communicating with the C2, an improvement over the plain RC4 encryption of the previous version.\r\nWhen reviewing the decrypted packet, it’s clear it has the same content as previous versions.\r\nDecryption of packets from the C2 using Curve25519.\r\nEventBot Version 0.3.0.1\r\nAdditional Assets Based on Country / Region\r\nImages in Spanish and Italian added in version 0.3.0.1.\r\nVersion 0.3.0.1 includes Italian and Spanish language compatibility within the resources section. Presumably, this was done\r\nto make the app seem more credible to targeted users in different countries. \r\nGrabbing the Screen PIN with Support for Samsung Devices\r\nVersion 0.3.0.1 added an ~800 line long method called grabScreenPin, which uses accessibility features to track pin code\r\nchanges in the device’s settings. It listens to events like TYPE_VIEW_TEXT_CHANGED. We suspect the updated PIN is\r\nsent to the C2, most likely to give the malware the option to perform privileged activities on the infected device related to\r\npayments, system configuration options, etc.\r\nListening to TYPE_VIEW_TEXT_CHANGED accessibility event.\r\nAfter collecting the changed PIN code, it is sent back to the C2.\r\nSending the pin code back to the C2.\r\nEventually, the screen PIN preferences will be saved to an additional XML file in the shared preferences folder. 
\r\nThe content of screenPinPrefs.xml.\r\nThe grabScreenPin method has separate conditioning to handle screen lock events in Samsung devices.\r\nA new method to handle screen lock with support for Samsung devices.\r\nEventBot Version 0.4.0.1\r\nPackage Name Randomization\r\nIn this version, the package name is no longer named ‘com.example.eventbot’, which makes it more difficult to track down.\r\nRandomized package name instead of com.example.eventbot.\r\nProGuard Obfuscation\r\nAs with many other Android applications, EventBot is now using obfuscation. Both the loader and dropped class are\r\nobfuscated using ProGuard, which obfuscates names using alphabet letters. The code itself is not modified by this type of\r\nobfuscation though, making the analysis easier.\r\nObfuscated class names using letters of the alphabet.\r\nHidden Configuration Data\r\nAs mentioned above, EventBot begins using obfuscation. 
Due to this obfuscation, a part of the previously mentioned cfg\r\nclass is now mapped to c/b/a/a/a or c/a/a/a/a.\r\nC2 URLs and other settings in a nested class.\r\nOther configuration data is located elsewhere, and some of it can be seen here:\r\nThe encrypted library path\r\nThe output folder on the device for the dropped library\r\nThe name of the library after it is loaded\r\neventBot name string\r\nVersion number\r\nA string used as an RC4 key, both for decrypting the library and as a part of the network data encryption\r\n(hasn’t changed from the previous version)\r\nThe C2 URLs\r\nA randomized class name using the device’s accessibility services\r\nPart of the extracted configuration of the new version.\r\nMalware Under Active Development\r\nEventBot “cfg” class.\r\nEventBot is in constant development, as seen with the botnetID string above, which shows consecutive numbering across\r\nversions. This example is from a later version of EventBot, and in other versions the naming convention is very similar,\r\nwith bot IDs such as word100, word101, word102, and test2005, test2006 etc. In the latest version, a layer of obfuscation\r\nwas added, perhaps taking the malware one step closer to being fully operational.\r\nSuspected Detection Tests by the Threat Actor \r\nIn searching for EventBot, we’ve identified multiple submissions from the same submitter hash, 22b3c7b0:\r\nThe 22b3c7b0 submitter hash that submitted most of the EventBot samples to VirusTotal.\r\nThis submitter has thousands of other submissions in VirusTotal, however, it is the only one that continues to submit\r\nEventBot samples via the VirusTotal API. Also, the botnet IDs increment over time as they are submitted. 
Given this, and\r\nthe naming convention of the submissions (\u003chash\u003e.virus), the submitter hash most likely belongs to an AV vendor or\r\nsandboxing environment that automatically submits samples to online malware databases. It may be that these submissions\r\nare made from the author’s machine, or that they submit it to a detection service that in turn submits to online malware\r\ndatabases.\r\nEventBot Threat Actors\r\nAs a part of this investigation, the Cybereason Nocturnus team has attempted to identify the threat actors behind the\r\ndevelopment of EventBot. The evidence above suggests that EventBot is still in the development stage, and as such, is not\r\nlikely to have been used for large attack campaigns thus far. \r\nThe Cybereason Nocturnus team is monitoring multiple underground platforms in an attempt to identify chatter relating to\r\nEventBot. New malware is often introduced to underground communities by being promoted and sold or offered as a\r\ngiveaway. However, at the time of writing, we were unable to identify relevant conversations about the EventBot malware.\r\nThis strengthens our suspicion that this malware is still undergoing development and has not been officially marketed or\r\nreleased yet. \r\nEventBot Infrastructure\r\nBy mapping the C2 servers, a clear, repeated pattern emerges based on the specific URL gate_cb8a5aea1ab302f0_c. 
As of\r\nthis writing, all the domains were registered recently and some are already offline.\r\nURL Status IP Domain registration date\r\nhttp://ora.studiolegalebasili[.]com/gate_cb8a5aea1ab302f0_c offline 31.214.157[.]6 2020-02-29\r\nhttp://themoil[.]site/gate_cb8a5aea1ab302f0_c online 208.91.197[.]91 2020-03-04\r\nhttp://ora.carlaarrabitoarchitetto[.]com/gate_cb8a5aea1ab302f0_c offline 31.214.157[.]6 2020-03-26\r\nhttp://rxc.rxcoordinator[.]com/gate_cb8a5aea1ab302f0_c online 185.158.248[.]102 2020-03-29\r\nhttp://ora.blindsidefantasy[.]com/gate_cb8a5aea1ab302f0_c online 185.158.248[.]102 2020-04-02\r\nhttp://marta.martatovaglieri[.]it/gate_cb8a5aea1ab302f0_c online 185.158.248[.]102 2020-04-14\r\nhttp://pub.douglasshome[.]com/gate_cb8a5aea1ab302f0_c online 185.158.249[.]141 2020-04-26\r\nIn the course of the investigation, the team discovered a potential link to an additional Android infostealer. The IP address\r\nof both ora.carlaarrabitoarchitetto[.]com and ora.studiolegalebasili[.]com, 31.214.157[.]6, was previously hosting the\r\ndomain next.nextuptravel[.]com. This was the C2 for an Android infostealer responsible for several attacks in Italy back in\r\nlate 2019.\r\nVirusTotal search for the malicious IP address.\r\nImpact\r\nEventBot is a mobile banking trojan that steals financial information and is able to hijack transactions. Once this\r\nmalware has been successfully installed, it will collect personal data, passwords, keystrokes, banking information, and more.\r\nThis information can give the attacker access to personal and business bank accounts, personal and business data, and\r\nmore. \r\nLetting an attacker get access to this kind of data can have severe consequences. 60% of devices containing or accessing\r\nenterprise data are mobile. 
Giving an attacker access to a mobile device can have severe business consequences, especially\r\nif the end user is using their mobile device to discuss sensitive business topics or access enterprise financial information.\r\nThis can result in brand degradation, loss of individual reputation, or loss of consumer trust. \r\nMuch like we have seen in recent months, anyone can be impacted by a mobile device attack. These attacks are only\r\nbecoming more common, with one third of all malware now targeting mobile endpoints. Care and concern both for using a\r\nmobile device and for securing a mobile device is critical, especially for those organizations that allow bring-your-own-devices. \r\nCybereason Mobile\r\nCybereason Mobile detects EventBot and immediately takes remediation actions to protect the end user. With Cybereason\r\nMobile, analysts can address mobile threats in the same platform as traditional endpoint threats, all as part of one incident.\r\nWithout mobile threat detection, this attack would not be detected, leaving end users and organizations at risk. \r\nCybereason Mobile detects EventBot and provides the user with immediate actions.\r\nConclusion\r\nIn this research, the Nocturnus team has dissected a rapidly evolving Android malware in the making. This malware abuses\r\nthe Android accessibility feature to steal user information and is able to update its code and release new features every few\r\ndays. With each new version, the malware adds new features like dynamic library loading, encryption, and adjustments to\r\ndifferent locales and manufacturers. EventBot appears to be a completely new malware in the early stages of development,\r\ngiving us an interesting view into how attackers create and test their malware.\r\nCybereason classifies EventBot as a mobile banking trojan and infostealer based on the stealing features discussed in this\r\nresearch. 
It leverages webinjects and SMS reading capabilities to bypass two-factor authentication, and is clearly targeting\r\nfinancial applications.\r\nAlthough the threat actor responsible for the development of EventBot is still unknown and the malware does not appear to\r\nbe involved in major attacks, it is interesting to follow the early stages of mobile malware development. The Cybereason\r\nNocturnus team will continue to monitor EventBot’s development. \r\nIn recent years, online activity has gradually been shifting from personal computers to mobile devices. Naturally, this\r\nresulted in the introduction of malware for mobile platforms, especially Android devices, including Cerberus, Xhelper and\r\nthe Anubis Banking Trojan. As many people use their mobile devices for online shopping and even to manage their bank\r\naccounts, the mobile arena became increasingly profitable for cyber criminals.\r\nThis is why we recently released Cybereason Mobile, a new offering that strengthens the Cybereason Defense Platform by\r\nbringing prevention, detection, and response capabilities to mobile devices. With Cybereason Mobile, our customers can\r\nprotect against modern threats across traditional and mobile endpoints, all within a single console. 
\r\nIndicators of Compromise\r\nClick here to download this campaign's IOCs (PDF)\r\nClick here to download the EventBot Targeted Applications (PDF)\r\nMITRE ATT\u0026CK for Mobile Breakdown\r\n| Initial Access | Persistence | Defense Evasion | Credential Access | Discovery | Collection | Exfiltration | C2 |\r\n| Deliver Malicious App via Other Means | App Auto-Start at Device Boot | Masquerade as Legitimate Application | Capture SMS Messages | Application Discovery | Input capture | Data Encrypted | Standard Cryptographic Protocol |\r\n| Lockscreen Bypass | | Suppress Application Icon | Input Capture | System Information Discovery | Access Sensitive Data in Device Logs | Standard Application Layer Protocol | |\r\n| | | Download New Code at Runtime | | | Access Stored Application Data | | |\r\n| | | Input Injection | | | | | |\r\nClick here to view the EventBot Threat Alert PDF.\r\nAbout the Author\r\nCybereason Nocturnus\r\nThe Cybereason Nocturnus Team has brought the world’s brightest minds from the military, government intelligence, and\r\nenterprise security to uncover emerging threats across the globe. They specialize in analyzing new attack methodologies,\r\nreverse-engineering malware, and exposing unknown system vulnerabilities. The Cybereason Nocturnus Team was the first\r\nto release a vaccination for the 2017 NotPetya and Bad Rabbit cyberattacks.\r\nSource: https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born"
	],
	"report_names": [
		"eventbot-a-new-mobile-banking-trojan-is-born"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434664,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5b04633a8f34219d4d352bb32655c22cefe056fd.pdf",
		"text": "https://archive.orkl.eu/5b04633a8f34219d4d352bb32655c22cefe056fd.txt",
		"img": "https://archive.orkl.eu/5b04633a8f34219d4d352bb32655c22cefe056fd.jpg"
	}
}