{
	"id": "e0bf22bd-1884-4afd-948d-2720dedbe1ec",
	"created_at": "2026-04-06T00:10:47.641037Z",
	"updated_at": "2026-04-10T13:12:58.474752Z",
	"deleted_at": null,
	"sha1_hash": "5fc8dcb8dd97f603478cf62bef4029d490ba27fc",
	"title": "Smishing campaign in NL spreading Cabassous and Anatsa",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 291293,
	"plain_text": "Smishing campaign in NL spreading Cabassous and Anatsa\r\nPublished: 2024-10-01 · Archived: 2026-04-05 17:12:54 UTC\r\nIntroduction\r\nIn early December 2020 ThreatFabric discovered Cabassous, which was later renamed by PRODAFT to FluBot.\r\nThis is a classic Android bot, equipped with credential-stealing capabilities such as the use of overlays (fake login\r\nscreens) for cryptocurrency wallet apps and Android banking apps. Besides harvesting credentials, the bot also\r\ngathers all contact information (phone numbers) from a victim’s device to spread itself using SMS messages\r\n(smishing).\r\nAnother banking trojan named Anatsa was discovered by ThreatFabric analysts in January 2021. It should be\r\nconsidered a stronger threat compared to Cabassous, due to its more extensive and advanced set of features.\r\nAnatsa’s functionalities include the classic credential-stealing overlay attacks, whose overlays are first downloaded and\r\nstored on the device, and then launched locally. Other features include keylogging, contact information and device\r\ninformation exfiltration, and accessibility logging. This last feature is very advanced and very dangerous for\r\nvictims. It gives the malicious actors information about everything displayed on the device’s screen, allowing\r\nthe bot to interact with the UI elements and record all the information that is displayed in them. 
We also covered\r\nthis threat in our latest blog.\r\nAnatsa has been relatively quiet in the first months of the year, but it has recently increased its activity, now\r\nincluding Dutch banks in its target list.\r\nWith this threat update we want to inform users about a new SMS phishing campaign we spotted in the\r\nNetherlands masquerading as UPS apps and distributing both Cabassous and Anatsa.\r\nPrevious campaigns\r\nOn April 18th, Cabassous began to use multiple DGA seeds in every sample, allowing it to be more scalable: the\r\nTrojan generates the corresponding C2 server address to receive the overlay target list specific to the victim’s\r\ncountry. This means that every botnet can have its own overlays specific to the country of the targeted banking and\r\nwallet apps.\r\nAs reported by ThreatFabric, enormous SMS phishing campaigns reported by major telecom operators have been\r\nobserved in multiple new targeted countries, including the UK, Norway, Sweden, Finland, Denmark, the Netherlands,\r\nand Japan. This also matches the current smishing campaign reported in the UK masquerading as UPS and\r\nDHL apps.\r\nhttps://www.threatfabric.com/blogs/smishing-campaign-in-nl-spreading-cabassous-and-anatsa.html\r\nPage 1 of 10\n\nUsually, the SMS contains a link that claims to provide information about your parcel from DHL or UPS.\r\nThe link leads to a page with localized text corresponding to the region determined by the victim’s IP location.\r\nThe text contains instructions to download and install an application, which is the Cabassous Trojan itself.\r\nLatest developments\r\nOn May 5th, ThreatFabric analysts spotted a new smishing campaign in the Netherlands masquerading as UPS\r\napps. 
That is a common MO for Cabassous, as described above.\r\nHowever, besides Cabassous, ThreatFabric analysts were able to obtain the Anatsa Trojan from the same links.\r\nThat means that at the moment of writing this blog, Anatsa and Cabassous are distributed side-by-side in the\r\nNetherlands, both masquerading as UPS apps. Nevertheless, there is no solid proof that the actor(s) behind these\r\nfamilies are the same.\r\nAt the moment of writing Cabassous does not target any application of Dutch banks: the C2 responsible for\r\nthe campaign targeting Norway, Sweden, Finland, Denmark, the Netherlands and Poland only serves the target list for\r\nbanking apps in Poland. Anatsa, however, does have banking apps from the Netherlands in its target list. The\r\nfollowing images are examples of overlays used for the Dutch banks:\r\nThe full lists of targeted applications used by Anatsa and Cabassous can be found in the Appendix.\r\nThe danger of Anatsa\r\nWhen comparing Cabassous with Anatsa, the more dangerous of the two appears to be Anatsa due to its RAT\r\ncapability. The Trojan can receive a command called “start_client” from the C2 and initiate a connection to a\r\nspecified IP and port. This connection is used to send and receive data that enables the actor(s) to do the following:\r\nObserve the screen of the victim’s device in real time\r\nPerform clicks and actions on behalf of the victim\r\nOpen applications (like a banking application or web browser)\r\nManipulate text input\r\nThis capability leads to another type of fraud, so-called on-device fraud, where the actor(s) perform the actual fraud\r\nfrom the device of the victim. 
The following code snippet represents the actor(s)’ ability to manipulate text input:\r\nwhile (counter \u003c numberOfActions) {\r\n // each action carries the screen bounds of the target field plus the text to inject\r\n int leftBound = byteBuffer.getShort();\r\n int bottomBound = byteBuffer.getShort();\r\n byteBuffer.getShort(); // two further bounds are read but not used\r\n byteBuffer.getShort();\r\n int length = byteBuffer.getShort();\r\n byte[] textBytes = new byte[length];\r\n byteBuffer.get(textBytes, 0, length);\r\n String setText = new String(textBytes, StandardCharsets.UTF_8);\r\n AccessibilityNodeInfo rootNodeInfo = MainAccessibilityService.service.getRootInActiveWindow();\r\n if (rootNodeInfo != null) {\r\n for (Object editTextNode: Utils.getAllNodes(rootNodeInfo, \"EditText\")) {\r\n AccessibilityNodeInfo accNodeInfo = (AccessibilityNodeInfo) editTextNode;\r\n Rect v9_1 = new Rect();\r\n accNodeInfo.getBoundsInScreen(v9_1);\r\n if (v9_1.left != leftBound || v9_1.bottom != bottomBound) {\r\n // check position: skip fields whose bounds do not match those sent by the C2\r\n continue;\r\n }\r\n Bundle bundle = new Bundle();\r\n bundle.putString(\"ACTION_ARGUMENT_SET_TEXT_CHARSEQUENCE\", setText);\r\n accNodeInfo.performAction(0x200000, bundle); // 0x200000 == AccessibilityNodeInfo.ACTION_SET_TEXT\r\n }\r\n }\r\n ++counter;\r\n}\r\nBot commands\r\nThe Anatsa bot supports the following commands:\r\nCommand Description\r\nactivate_screen Enables the screen\r\napp_delete Uninstalls an application\r\nask_syspass Shows the request for the device password/PIN/gesture\r\nask_perms Triggers the bot to request permissions\r\nstop_pers Stops persistence mechanisms for 40 seconds\r\nget_accounts Triggers stealing of the list of accounts on the device\r\nkill_bot Removes the bot from the infected device\r\nmute_phone Mutes the device\r\nswipe_down Performs a swipe down gesture\r\nopen_inject Triggers the overlay attack for the specified application\r\nopen_activity Opens the specified application\r\nchange_pass Prompts the user to change the password\r\nreset_pass Clears the cached device password (in the bot’s 
runtime)\r\nstart_client Starts the RAT client\r\ngrab_google_auth Triggers stealing of Google Authenticator codes\r\nGetting rid of the malware\r\nIn general, we recommend doing a factory reset when your device is infected with malware. This will put the\r\ndevice back to the state it was in when it was first turned on. For Anatsa and Cabassous it is also enough to\r\nuninstall the malware apps from the device (through the Android Settings menu), assuming you know which app\r\nis the malware (in this campaign the app name “UPS” is used).\r\nBecause both malware variants prevent removing the app through the Android Settings menu, you will have to\r\nboot the phone into safe mode (preventing the malware from running) to be able to uninstall the app. Another\r\noption, for tech-savvy users, is to use ADB (Android Debug Bridge) to connect to the device via USB and run the\r\ncommand adb uninstall \u003cmalware_package_name\u003e .\r\nAnatsa makes it even more difficult to remove, because in addition to preventing the app from being uninstalled\r\nthrough the Android Settings, it also prevents rebooting or shutting down the device (required for safe mode). 
If\r\nyou can’t use ADB, the easiest option is to simply wait until the device turns off because it runs out of power\r\n(optionally in the meantime turning off Wi-Fi and data connections to stop the RAT from communicating with its\r\nC2) and then boot into safe mode and perform the actions described above.\r\nClient Side Detection\r\nThreatFabric CSD can be used to detect customers infected with such threats in real time, therefore avoiding fraud\r\nand keeping the risk under control.\r\nAppendix\r\nCabassous\r\nOne of the latest Cabassous samples found in the wild:\r\nApp name Package name SHA-256 hash\r\nUPS Mobile kit.stem.iron 83ac4c915546ff9c7bda78cf9cbbc23c7f6f5b1d33967d2040ce8f0f22031a2b\r\nThe list of targeted applications contains 30 applications:\r\nApp name Package name\r\nPibank es.pibank.customers\r\nBanca Móvil Laboral Kutxa com.tecnocom.cajalaboral\r\nEVO Banco móvil es.evobanco.bancamovil\r\nIbercaja es.ibercaja.ibercajaapp\r\nBBVA Spain com.bbva.bbvacontigo\r\nPeoPay softax.pekao.powerpay\r\nBankinter Móvil com.bankinter.launcher\r\nCajasur com.cajasur.android\r\nBank Millennium wit.android.bcpBankingApp.millenniumPL\r\nruralvía com.rsi\r\nimaginBank - Your mobile bank com.imaginbank.app\r\nBinance - Buy \u0026 Sell Bitcoin Securely com.binance.dev\r\nSantander es.bancosantander.apps\r\nBlockchain Wallet. Bitcoin, Bitcoin Cash, Ethereum piuk.blockchain.android\r\nIKO pl.pkobp.iko\r\nOpenbank – banca móvil es.openbank.mobile\r\nBNP Paribas GOMobile com.finanteq.finance.bgz\r\nSantander mobile pl.bzwbk.bzwbk24\r\nBankia es.cm.android\r\nGmail com.google.android.gm\r\nBanca Digital Liberbank es.liberbank.cajasturapp\r\nMoje ING mobile pl.ing.mojeing\r\nGrupo Cajamar com.grupocajamar.wefferent\r\nUnicajaMovil es.univia.unicajamovil\r\nIdea Bank PL pl.ideabank.mobilebanking\r\nCoinbase – Buy \u0026 Sell Bitcoin. 
Crypto Wallet com.coinbase.android\r\nCA24 Mobile com.finanteq.finance.ca\r\nAlior Mobile pl.aliorbank.aib\r\nKutxabank com.kutxabank.android\r\nING España. Banca Móvil www.ingdirect.nativeframe\r\nAnatsa\r\nOne of the latest Anatsa samples found in the wild:\r\nApp name Package name SHA-256 hash\r\nUPS brave.crowd.home c8dbba4ff6c71e7cdb6637f59694d96398b5da4aed50b5d650b0b532f1b07682\r\nThe list of targeted applications contains 39 applications:\r\nApp name Package name\r\nDeutsche Bank Mobile com.db.pwcc.dbmobile\r\nLa Mia Banca com.db.pbc.miabanca\r\nKnab Bankieren bvm.bvmapp\r\nVR Banking Classic de.fiducia.smartphone.android.banking.vr\r\nING Bankieren com.ing.mobile\r\nIbercaja es.ibercaja.ibercajaapp\r\nABN AMRO Mobiel Bankieren com.abnamro.nl.mobile.payments\r\nBBVA Spain com.bbva.bbvacontigo\r\nmyAlpha Mobile com.mobileloft.alpha.droid\r\nCommerzbank Banking - The app at your side de.commerzbanking.mobil\r\nRabo Bankieren nl.rabomobiel\r\nCajasur com.cajasur.android\r\nBanco Sabadell App. Your mobile bank net.inverline.bancosabadell.officelocator.android\r\nTriodos Bankieren NL com.triodos.bankingnl\r\nruralvía com.rsi\r\nHVB Mobile Banking eu.unicreditgroup.hvbapptan\r\nBinance - Buy \u0026 Sell Bitcoin Securely com.binance.dev\r\nSantander es.bancosantander.apps\r\nSpardaSecureApp de.sdvrz.ihb.mobile.secureapp.sparda.produktion\r\nBlockchain Wallet. 
Bitcoin, Bitcoin Cash, Ethereum piuk.blockchain.android\r\nPostbank Finanzassistent de.postbank.finanzassistent\r\nOpenbank – banca móvil es.openbank.mobile\r\nBankia es.cm.android\r\nBanca Digital Liberbank es.liberbank.cajasturapp\r\nING Banking to go de.ingdiba.bankingapp\r\nASN Mobiel Bankieren nl.asnbank.asnbankieren\r\nUnicajaMovil es.univia.unicajamovil\r\nGrupo Cajamar com.grupocajamar.wefferent\r\nSantander Banking de.santander.presentation\r\ncomdirect mobile App de.comdirect.android\r\nWiZink, tu banco senZillo app.wizink.es\r\nCoinbase – Buy \u0026 Sell Bitcoin. Crypto Wallet com.coinbase.android\r\nSparkasse Ihre mobile Filiale com.starfinanz.smob.android.sfinanzstatus\r\nRegioBank - Mobiel Bankieren nl.regiobank.regiobankieren\r\nKutxabank com.kutxabank.android\r\nCaixaBank es.lacaixa.mobile.android.newwapicon\r\ntractorpool de.traktorpool\r\nVivid: Investments \u0026 Banking \u0026 Crypto vivid.money\r\nING España. Banca Móvil www.ingdirect.nativeframe\r\nSource: https://www.threatfabric.com/blogs/smishing-campaign-in-nl-spreading-cabassous-and-anatsa.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.threatfabric.com/blogs/smishing-campaign-in-nl-spreading-cabassous-and-anatsa.html"
	],
	"report_names": [
		"smishing-campaign-in-nl-spreading-cabassous-and-anatsa.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434247,
	"ts_updated_at": 1775826778,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5fc8dcb8dd97f603478cf62bef4029d490ba27fc.pdf",
		"text": "https://archive.orkl.eu/5fc8dcb8dd97f603478cf62bef4029d490ba27fc.txt",
		"img": "https://archive.orkl.eu/5fc8dcb8dd97f603478cf62bef4029d490ba27fc.jpg"
	}
}