{
	"id": "168d9b85-5cae-413a-8715-5fc3a9a3da29",
	"created_at": "2026-04-06T00:17:57.729134Z",
	"updated_at": "2026-04-10T13:11:40.94026Z",
	"deleted_at": null,
	"sha1_hash": "616e62419d2576eba3abb69f228d2258054649ec",
	"title": "Roaming Mantis implements new DNS changer in its malicious mobile app in 2022",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 552788,
	"plain_text": "Roaming Mantis implements new DNS changer in its malicious\r\nmobile app in 2022\r\nBy GReAT\r\nPublished: 2023-01-19 · Archived: 2026-04-02 10:53:56 UTC\r\nRoaming Mantis (a.k.a Shaoye) is well-known as a long-term cyberattack campaign that uses malicious Android\r\npackage (APK) files to control infected Android devices and steal device information; it also uses phishing pages\r\nto steal user credentials, with a strong financial motivation.\r\nKaspersky has been investigating the actor’s activity throughout 2022, and we observed a DNS changer function\r\nused for getting into Wi-Fi routers and undertaking DNS hijacking. This was newly implemented in the known\r\nAndroid malware Wroba.o/Agent.eq (a.k.a Moqhao, XLoader), which was the main malware used in this\r\ncampaign.\r\nDNS changer via malicious mobile app\r\nBack in 2018, Kaspersky first saw Roaming Mantis activities targeting the Asian region, including Japan, South\r\nKorea and Taiwan. At that time, the criminals compromised Wi-Fi routers for use in DNS hijacking, which is a\r\nvery effective technique. It was identified as a serious issue in both Japan and South Korea. Through rogue DNS\r\nservers, all users accessing a compromised router were redirected to a malicious landing page. From mid-2019\r\nuntil 2022, the criminals mainly used smishing instead of DNS hijacking to deliver a malicious URL as their\r\nlanding page. The landing page identified the user’s device platform to provide malicious APK files for Android\r\nor redirect to phishing pages for iOS.\r\nInfection flow with DNS hijacking\r\nhttps://securelist.com/roaming-mantis-dns-changer-in-malicious-mobile-app/108464/\r\nPage 1 of 10\n\nIn September 2022, we carried out a deep analysis of Wroba.o (MD5 f9e43cc73f040438243183e1faf46581) and\r\ndiscovered the DNS changer was implemented to target specific Wi-Fi routers. 
It obtains the default gateway IP\r\naddress as the connected Wi-Fi router IP, and checks the device model from the router’s admin web interface.\r\nCode for checking Wi-Fi router model\r\nThe following strings are hardcoded for checking the Wi-Fi router model:\r\nipTIME N3-i\r\nipTIME N604plus-i\r\nEFM Networks ipTIME N604plus-i\r\nEFM Networks – ipTIME Q104\r\nEFM Networks ipTIME Q104\r\nEFM Networks – ipTIME Q204\r\nEFM Networks ipTIME Q204\r\nEFM Networks ipTIME V108\r\nEFM Networks ipTIME Q604\r\nEFM Networks ipTIME Q604 PINKMOD\r\nEFM Networks ipTIME N104R\r\nEFM Networks ipTIME N604R\r\nEFM Networks ipTIME Q504\r\nEFM Networks ipTIME N5\r\nEFM Networks ipTIME N604V\r\nEFM Networks ipTIME N104T\r\nEFM Networks – ipTIME G301\r\ntitle.n704bcm\r\ntitle.a8004t\r\ntitle.a2004sr\r\ntitle.n804r\r\ntitle.n104e\r\ntitle.n704bcm\r\ntitle.n600\r\ntitle.n102e\r\ntitle.n702r\r\ntitle.a8004i\r\ntitle.a2004nm\r\ntitle.t16000m\r\ntitle.a8004t\r\ntitle.a604r\r\ntitle.a9004x2\r\ntitle.a3004t\r\ntitle.n804r\r\ntitle.n5i\r\ntitle.n704qc\r\ntitle.a8004nm\r\ntitle.a8004nb\r\ntitle.n604p\r\ntitle.a604gm\r\ntitle.a3004\r\ntitle.a3008\r\ntitle.n2v\r\ntitle.ax2004m\r\ntitle.n104pk\r\ntitle.a1004ns\r\ntitle.a604m\r\ntitle.n104pi\r\ntitle.a2008\r\ntitle.ax2004b\r\ntitle.n104q\r\ntitle.n604e\r\ntitle.n704e\r\ntitle.n704v3\r\ntitle.n704v5\r\ntitle.t5004\r\ntitle.t5008\r\ntitle.a1004\r\ntitle.a2003nm\r\ntitle.a2004sr\r\ntitle.a5004nm\r\ntitle.a604sky\r\ntitle.n2pi\r\ntitle.n604pi\r\ntitle.a2004m\r\ntitle.a3004nm\r\ntitle.a7ns\r\ntitle.a8txr\r\ntitle.ew302nr\r\ntitle.n602e\r\ntitle.t16000\r\ntitle.a3003ns\r\ntitle.a6004nm\r\ntitle.n1e\r\ntitle.n3i\r\ntitle.n6\r\ntitle.a2004ns\r\ntitle.n1pi\r\ntitle.a2004r\r\ntitle.v504\r\ntitle.n1p\r\ntitle.n704bcm\r\ntitle.ew302\r\ntitle.n104qi\r\ntitle.n104r\r\ntitle.n2p\r\ntitle.n608\r\ntitle.q604\r\ntitle.n104rsk\r\ntitle.n2e\r\ntitle.n604s\r\ntitle.n604t\r\ntitle.n702bcm\r\ntitle.n804\r\ntitle.n3\r\ntitle.q504\r\ntitle.a604\r\ntitle.v308\r\ntitle.a3004d\r\ntitle.n104p\r\ntitle.g104i\r\ntitle.n604r\r\ntitle.a2004\r\ntitle.a704nb\r\ntitle.a604v\r\ntitle.n6004r\r\ntitle.n604p\r\ntitle.t3004\r\ntitle.n5\r\ntitle.n904\r\ntitle.a5004ns\r\ntitle.n8004r\r\ntitle.n604vlg\r\nFrom these hardcoded strings, we saw that the DNS changer functionality was implemented to target Wi-Fi\r\nrouters located in South Korea: the targeted models have been used mainly in South Korea.\r\nNext, the DNS changer connects to the hardcoded vk.com account “id728588947” to get the next destination,\r\nwhich is “107.148.162[.]237:26333/sever.ini”. The “sever.ini” (note the misspelling of server) dynamically\r\nprovided the criminal’s current rogue DNS IP addresses.\r\nRogue DNS from a vk.com hardcoded account to compromise the DNS setting\r\nChecking the code of the DNS changer, it seems to be using a default admin ID and password such as\r\n“admin:admin”. 
Finally, the DNS changer generates a URL query with the rogue DNS IPs to compromise the\r\nDNS settings of the Wi-Fi router, depending on the model, as follows.\r\nHardcoded default ID and password to compromise DNS settings using the URL query\r\nWe believe that the discovery of this new DNS changer implementation is very important in terms of security. The\r\nattacker can use it to manage all communications from devices using a compromised Wi-Fi router with the rogue\r\nDNS settings. For instance, the attacker can redirect to malicious hosts and interfere with security product updates.\r\nIn 2016, details of another Android DNS changer were published, demonstrating why DNS hijacking is critical.\r\nUsers connect infected Android devices to free/public Wi-Fi in such places as cafes, bars, libraries, hotels,\r\nshopping malls and airports. When connected to a targeted Wi-Fi model with vulnerable settings, the Android\r\nmalware will compromise the router and affect other devices as well. As a result, it is capable of spreading widely\r\nin the targeted regions.\r\nInvestigation of landing page statistics\r\nAs we mentioned above, the main target region of the DNS changer was South Korea. However, the\r\nattackers not only targeted South Korea but also France, Japan, Germany, the United States, Taiwan, Turkey and\r\nother regions. Smishing has been observed to be the main initial infection method in these regions, except South\r\nKorea, though we should keep in mind that the criminals may update the DNS changer function to target Wi-Fi\r\nrouters in those regions in the near future.\r\nIn December 2022, we confirmed some landing pages and got an understanding of the number of downloaded\r\nAPK files. 
Below are some examples of the download URLs from the landing page statistics.\r\nTarget region | Landing page IPs | # of downloaded APKs | Examples of download URLs\r\nJapan | 103.80.134[.]40, 103.80.134[.]41, 103.80.134[.]42, 103.80.134[.]48, 103.80.134[.]49, 103.80.134[.]50, 103.80.134[.]51, 103.80.134[.]52, 103.80.134[.]53, 103.80.134[.]54 | 24645 | http://3.wubmh[.]com/chrome.apk, http://5.hmrgt[.]com/chrome.apk, http://9v.tbeew[.]com/chrome.apk\r\nAustria | 199.167.138[.]36, 199.167.138[.]38, 199.167.138[.]39, 199.167.138[.]40 | 7354 | http://8.ondqp[.]com/chrome.apk, http://5c2d.zgngu[.]com/chrome.apk, http://d.vbmtu[.]com/chrome.apk\r\nFrance | 199.167.138[.]48, 199.167.138[.]49, 199.167.138[.]51, 199.167.138[.]52 | 7246 | http://j.vbrui[.]com/chrome.apk, http://vj.nrgsd[.]com/chrome.apk, http://k.uvqyo[.]com/chrome.apk\r\nGermany | 91.204.227[.]144, 91.204.227[.]145, 91.204.227[.]146 | 5827 | https://mh.mgtnv[.]com/chrome.apk, http://g.dguit[.]com/chrome.apk, http://xtc9.rvnbg[.]com/chrome.apk\r\nSouth Korea | 27.124.36[.]32, 27.124.36[.]34, 27.124.36[.]52, 27.124.39[.]241, 27.124.39[.]242, 27.124.39[.]243 | 508 | http://m.naver.com/chrome.apk, https://m.daum.net/chrome.apk (legitimate domains because of DNS hijacking)\r\nTurkey | 91.204.227[.]131, 91.204.227[.]132 | 381 | http://y.vpyhc[.]com/chrome.apk, http://r48.bgxbm[.]com/chrome.apk, http://t9o.qcupn[.]com/chrome.apk\r\nMalaysia | 134.122.137[.]14, 134.122.137[.]15, 134.122.137[.]16 | 154 | http://3y.tmztp[.]com/chrome.apk, http://1hy5.cwdqh[.]com/chrome.apk, http://53th.xgunq[.]com/chrome.apk\r\nIndia | 199.167.138[.]41, 199.167.138[.]43, 199.167.138[.]44, 199.167.138[.]45 | 28 | http://w3.puvmw[.]com/chrome.apk, http://o.wgvpd[.]com/chrome.apk, http://kwdd.cehsg[.]com/chrome.apk\r\nThe number of downloaded APK files was reset at the beginning of December 2022. After a few days, we got the\r\nabove numbers from the landing pages, and it showed us that Android malware was still being actively\r\ndownloaded for some targeted regions. It also showed us that the most affected region was Japan, followed by\r\nAustria and France. From this investigation, we noted that the criminals have now also added Austria and\r\nMalaysia to their main target regions.\r\nAccording to the download URLs for each region above, with the exception of South Korea, it seems that the\r\ncriminals randomly generated and registered these domains to resolve the IP addresses of the landing page. It\r\nseems pretty obvious these domains were used as a link in the smishing for the initial infection. Regarding South\r\nKorea, the URLs have a legitimate domain because of DNS hijacking. 
Resolving the legitimate domain for\r\n“m.xxx.zzz” (for mobile) and “www.xxx.zzz” with rogue DNS and legitimate DNS yields the following results,\r\nrespectively:\r\n“m.xxx.zzz” + rogue DNS\r\n$ dig m.daum.net @ 193.239.154.15\r\n; \u003c\u003c\u003e\u003e DiG 9.18.1-1ubuntu1.2-Ubuntu \u003c\u003c\u003e\u003e m.daum.net @193.239.154.15\r\n;; global options: +cmd\r\n;; Got answer:\r\n;; -\u003e\u003eHEADER\u003c\u003c- opcode: QUERY, status: NOERROR, id: 15464\r\n;; flags: qr rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0\r\n;; WARNING: recursion requested but not available\r\n;;QUESTION SECTION:\r\n;m.daum.net.                    IN      A\r\n;; ANSWER SECTION:\r\nm.daum.net.             600     IN      A       27.124.39.243\r\n;;Query time: 104 msec\r\n;; SERVER: 193.239.154.15#53(193.239.154.15) (UDP)\r\n;; WHEN: Wed Dec 07 02:09:51 GMT 2022\r\n;; MSG SIZE  rcvd: 54\r\n“www.xxx.zzz” + rogue DNS\r\n$ dig www.daum.net @193.239.154.15\r\n; \u003c\u003c\u003e\u003e DiG 9.18.1-1ubuntu1.2-Ubuntu \u003c\u003c\u003e\u003e www.daum.net @193.239.154.15\r\n;; global options: +cmd\r\n;; Got answer:\r\n;; -\u003e\u003eHEADER\u003c\u003c- opcode: QUERY, status: NOERROR, id: 40935\r\n;; flags: qr rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0\r\n;; WARNING: recursion requested but not available\r\n;; QUESTION SECTION:\r\n;www.daum.net.                  IN      A\r\n;; ANSWER SECTION:\r\nwww.daum.net.           600     IN      A       121.53.105.193\r\n;; Query time: 48 msec\r\n;; SERVER: 193.239.154.15#53(193.239.154.15) (UDP)\r\n;; WHEN: Wed Dec 07 02:09:57 GMT 2022\r\n;; MSG SIZE  rcvd: 58\r\nAs you can see, their rogue DNS only works in the mobile domain, which is “m.xxx.zzz”. 
We believe the\r\ncriminals only filtered a limited number of domains that can be resolved to their landing page to hide their activity\r\nfrom security researchers.\r\nGeography based on KSN\r\nOur telemetry showed the detection rate of Wroba.o (Trojan-Dropper.AndroidOS.Wroba.o) for each region such\r\nas France (54.4%), Japan (12.1%) and the United States (10.1%). When compared with the landing page statistics\r\nabove, the results are similar in that many detections have been observed in France, Japan, Austria and Germany.\r\nOn the other hand, while we had previously monitored landing pages for the United States, this time we haven’t\r\nseen those landing pages.\r\nConclusions\r\nFrom 2019 to 2022, Kaspersky observed that the Roaming Mantis campaign mainly used smishing to deliver a\r\nmalicious URL to their landing page. In September 2022, we analyzed the new Wroba.o Android malware and\r\ndiscovered a DNS changer function that was implemented to target specific Wi-Fi routers used mainly in South\r\nKorea. Users with infected Android devices that connect to free or public Wi-Fi networks may spread the malware\r\nto other devices on the network if the Wi-Fi network they are connected to is vulnerable. 
Kaspersky experts are\r\nconcerned about the potential for the DNS changer to be used to target other regions and cause significant issues.\r\nKaspersky products detect this Android malware as HEUR:Trojan-Dropper.AndroidOS.Wroba.o or HEUR:Trojan-Dropper.AndroidOS.Agent.eq, providing protection from this cyberthreat to Kaspersky’s customers and users.\r\nIoCs\r\nMD5 of Wroba.o\r\nDomains of landing pages:\r\nIPs of landing pages:\r\nRogue DNS:\r\nHardcoded malicious accounts of vk.com to obtain live rogue DNS servers:\r\nid728588947\r\nProviding live rogue DNS servers:\r\n107.148.162[.]237:26333/sever.ini\r\nSuspicious accounts/pages of some legitimate services for obtaining C2s\r\nC\u0026C\r\nSource: https://securelist.com/roaming-mantis-dns-changer-in-malicious-mobile-app/108464/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/roaming-mantis-dns-changer-in-malicious-mobile-app/108464/"
	],
	"report_names": [
		"108464"
	],
	"threat_actors": [
		{
			"id": "c94cb0e9-6fa9-47e9-a286-c9c9c9b23f4a",
			"created_at": "2023-01-06T13:46:38.823793Z",
			"updated_at": "2026-04-10T02:00:03.113045Z",
			"deleted_at": null,
			"main_name": "Roaming Mantis",
			"aliases": [
				"Roaming Mantis Group"
			],
			"source_name": "MISPGALAXY:Roaming Mantis",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f9bc28d0-ce98-4991-84ae-5036e5f9d4e3",
			"created_at": "2022-10-25T16:07:24.546437Z",
			"updated_at": "2026-04-10T02:00:05.029564Z",
			"deleted_at": null,
			"main_name": "Roaming Mantis",
			"aliases": [
				"Roaming Mantis Group",
				"Shaoye"
			],
			"source_name": "ETDA:Roaming Mantis",
			"tools": [
				"MoqHao",
				"Roaming Mantis",
				"SmsSpy",
				"Wroba",
				"XLoader"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434677,
	"ts_updated_at": 1775826700,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/616e62419d2576eba3abb69f228d2258054649ec.pdf",
		"text": "https://archive.orkl.eu/616e62419d2576eba3abb69f228d2258054649ec.txt",
		"img": "https://archive.orkl.eu/616e62419d2576eba3abb69f228d2258054649ec.jpg"
	}
}