{
	"id": "e96c42f3-e7bf-4026-ad18-7df9bf43e7d5",
	"created_at": "2026-04-06T00:08:39.117529Z",
	"updated_at": "2026-04-10T03:21:09.229388Z",
	"deleted_at": null,
	"sha1_hash": "626f850b357f480c4bcddc8aba1a3fd7be4e9111",
	"title": "Android Trojan Targeting Korean Demographic using GitHub for C2",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 929514,
	"plain_text": "Android Trojan Targeting Korean Demographic using GitHub for C2\r\nBy ThreatMiner\r\nPublished: 2021-11-16 · Archived: 2026-04-05 17:27:54 UTC\r\nKey Summary\r\nThreat actor(s) of possible Chinese-speaking origin have created malicious Android APKs to target customers of South Korean financial institutions with the goal of credential theft, but also of spying on other phone activities, including SMS interception. The primary C2 communication protocol utilized Base64 + AES encrypted strings hosted on two GitHub repos under the profiles maxw201653 and minida1004. Research on the repositories shows that Git commit activity goes back as early as August 6, 2021 (based on encryption key utilization).\r\nThe findings in this blog are an extension of the research previously reported by researchers at Cyble.\r\nRelated Blog:\r\nhttps://blog.cyble.com/2021/09/17/sophisticated-spyware-posing-as-a-banking-application-to-target-korean-users/\r\nRelated Tweet(s):\r\nhttps://twitter.com/malwrhunterteam/status/1458754114645602304\r\nMalware Analysis\r\nSample 1 — KakaoBank\r\nApplication Name: KakaoBank\r\nIcon Hash [SHA-1]: ffe160557de09f247d2ec4335122e5072b689dbf\r\nMD5: f0bb17d31ba943a48ea41d9d1bc163ab\r\nSHA-1: 422c9667a20f0e1f8e9c502a94e2ca15e76c7a2f\r\nSHA-256: 578c2f159d3a68ce9b7d9500eeaac99c71ce18d6e78524b30b505c80f57a945b\r\nhttps://medium.com/@ThreatMiner/android-trojan-targeting-korean-demographic-using-github-for-c2-8219fc39f749\r\nPage 1 of 13\r\nFilename: kakaoBank.apk\r\nITW: hxxp://114.43.207[.]242/kakaoBank.apk\r\nPackage Name: com.avnctb.anove10\r\nMain Activity: com.avnctb.anove10.MainActivity\r\nInternal Version: 44\r\nDisplayed Version: 4.4\r\nMinimum SDK Version: 19\r\nTarget SDK Version: 22\r\nDEX:\r\n[SHA-1] b10ee766cf222eefebdf23f61f1dba552d25e4c5,classes.dex\r\n[SHA-1] e817fbec9dd025e8f383168cd7f569d03018f980,secret-classes2.dex\r\n[SHA-1] 60b4e2df1192c299896b13fddad8de7daea17284,secret-classes.dex\r\nContained HTML/JS (used for webview):\r\nwebview — com.avnctb.anove10\r\n[SHA-1] 378581a8679acdf6aa4d9e3802346c45261da5e0,app1.html\r\n[SHA-1] 8db9cedee5ff51fe9d9a37a9d2de544b616265a1,app2.html\r\n[SHA-1] c6159b6f5b1e0e32720eba3f875b185bc6ae61ea,app3.html\r\n[SHA-1] aaef0e3d21cb5a15af1f8bd86716d8dda11b79c7,app.html\r\n[SHA-1] d7e522bbfc7d14f3db7eb661dad850c1bb4d9cd1,ok.html\r\nTitle: 카카오뱅크 -- Translated: Kakao Bank\r\n[SHA-1] ea3f25e9613c6fabf12a9183a421f422897505ab,subutils.js\r\n//最后跳转的页面 -- Translated: \"Last page jumped\" [Chinese]\r\nvar okurl = \"./ok.html\";\r\nActivities:\r\ncom.avnctb.anove10.MainActivity\r\ncom.avnctb.anove10.CallActivity\r\ncom.avnctb.anove10.CPMActivity\r\ncom.avnctb.anove10.CommandActivity\r\nReceivers:\r\ncom.avnctb.anove10.receiver.LOutReceiver\r\ncom.avnctb.anove10.receiver.LPReceiver\r\ncom.avnctb.anove10.receiver.LBootReceiver\r\ncom.avnctb.anove10.receiver.LSMReceiver\r\ncom.avnctb.anove10.receiver.LMSReceiver\r\nC2 Encryption Routine:\r\ncom.avnctb.anove10.kits.MCrypt\r\nEarliest sample [DEX] seen with this encryption key:\r\nMD5: 8c6c60359fefa7c021499eddfeeba712\r\nSHA-1: 49e02ac9cb035bbecb9b3c22fb7412c44f882c1e\r\nSHA-256: 4ed5aa4c7746f505751c4f3ce6d151af9d821efb2f62d9490f980b93a6a4e8d5\r\nFirst Submission: 2021-09-11 10:38:41\r\n—\r\nSample 2\r\nEarliest sample [APK] seen with this encryption key (unrelated to DEX above)\r\nApp Display Name: KB국민은행 (KB Kookmin Bank)\r\nIcon Hash [SHA-1]: 5cc79f5b97f6d2f209233c01f37533c578df0e78\r\nMD5: 281cc06d971447e785e7ea1ba818d268\r\nSHA-1: 080638f91b31a51751cfe464012f945443630ce2\r\nSHA-256: 864a8845a9a8b4014a1d90037ea5aa17cdec85979e32efe4da670064e6c866ff\r\nPackage Name: com.gua.t04\r\nMain Activity: com.gua.t04.MainActivity\r\nInternal Version: 38\r\nDisplayed Version: 3.8\r\nMinimum SDK Version: 19\r\nTarget SDK Version: 22\r\nDEX:\r\n[SHA-1] c37c3b47d0ea4a484f20b78b2370df81a9fdffb0,classes.dex\r\n[SHA-1] 8eb1cca27447ff0d1714fc7faeed7c2f69253bdd,secret-classes2.dex\r\n[SHA-1] 0401d633d04bd3dcd58a228e8c76b7b6db199067,secret-classes3.dex\r\n[SHA-1] e3ef215c5a9283b672adf10f15b7a57df84278b5,secret-classes.dex\r\nFirst Submission: 2021-08-06 04:17:36\r\n—\r\nEarliest sample [DEX] with function for obtaining C2 commands from GitHub repository (maxw201653):\r\nMD5: 1e529d263370be5e078d8af7448b8397\r\nSHA-1: 0cdfe9ccc740f9d8eda48b41765b023ab399c5d5\r\nSHA-256: 3d503d3c0dfbb9abb1c422db671404741147f495dba4628a64e6695e2994f37d\r\npackage com.fomta.c002.service\r\nGitHub Information (minida1004):\r\nName: minida1004\r\nProfile URL: hxxps://github[.]com/minida1004\r\nRepository Count: 1 (comprised of 4 files)\r\nJoin Date: September 13, 2021\r\nFirst Commit: September 13, 2021 (first file: “slal18ek”)\r\nForks? hxxps://github[.]com/maxw201653/minida1004\r\nContribution Mapping:\r\nhxxps://github[.]com/minida1004/minida1004\r\npwdroot:\r\nhxxps://github[.]com/minida1004/minida1004/commits/main/pwdroot\r\npsetewgd:\r\nhxxps://github[.]com/minida1004/minida1004/commits/main/psetewgd\r\na_w_xx1:\r\nhxxps://github[.]com/minida1004/minida1004/commits/main/a_w_xx1\r\nGitHub Information (maxw201653):\r\nName: maxw201653\r\nProfile URL: hxxps://github[.]com/maxw201653\r\nRepository Count: 3 (vod, dest, minida1004)\r\nJoin Date: May 27, 2021\r\nFirst Commit: May 27, 2021 (First Repo: vod | File(s): gaobai[0-9]{1,3}\\.png) — these files ended up being a pirated movie, broken up into individual ffmpeg extracts\r\nForks? None\r\nContribution Mapping:\r\nhxxps://github[.]com/maxw201653/vod/commits?author=maxw201653\u0026since=2021-05-01\u0026until=2021-06-01\r\nIPs Associated with Historical Commits\r\nWe took a look at the historical commits in the relevant GitHub repos, and extracted the following IPs (timeline at bottom):\r\n—\r\nIP: 202.79.165[.]35 — most recent C2!\r\nASN: AS64050 (BCPL-SG | South Korea)\r\nhttps://urlscan.io/result/3520c926-9ae7-4b6f-af93-80e2b58c111d/\r\n—\r\nIP: 180.215.11[.]94\r\nASN: AS64050 (BCPL-SG | Singapore)\r\n—\r\nIP: 180.215.193[.]251\r\nASN: AS64050 (BCPL-SG | Singapore)\r\n—\r\nIP: 45.115.127[.]106\r\nASN: AS132839 (POWERLINE-AS-AP | Hong Kong)\r\n—\r\nIP: 180.215.11[.]91\r\nASN: AS64050 (BCPL-SG | Singapore)\r\n—\r\nIP: 122.146.93[.]88\r\nASN: AS9919 (NCIC-TW | Taiwan)\r\n—\r\nIP: 180.215.11[.]92\r\nASN: AS64050 (BCPL-SG | Singapore)\r\n—\r\nIP: 180.215.11[.]90\r\nASN: AS64050 (BCPL-SG | Singapore)\r\n—\r\nIP: 103.55.129[.]139\r\nASN: AS132839 (POWERLINE-AS-AP | Hong Kong)\r\n—\r\nIP: 180.215.11[.]93\r\nASN: AS64050 (BCPL-SG | Singapore)\r\n—\r\nIP: 45.80.115[.]250\r\nASN: AS132839 (POWERLINE-AS-AP | Hong Kong)\r\n—\r\nIP: 180.215.193[.]162\r\nASN: AS64050 (BCPL-SG | Singapore)\r\n—\r\nIP: 202.95.18[.]82\r\nASN: AS64050 (BCPL-SG | Hong Kong)\r\n—\r\nIP: 125.227.0[.]22\r\nASN: AS3462 (HINET | Taiwan)\r\n—\r\nIP: 103.55.129[.]140\r\nASN: AS132839 (POWERLINE-AS-AP | Hong Kong)\r\n—\r\nIP: 202.79.165[.]9\r\nASN: AS64050 (BCPL-SG | Hong Kong)\r\n—\r\nIP: 23.225.128[.]202\r\nASN: AS132839 (POWERLINE-AS-AP | United States)\r\nIndicators…\r\nHashes [SHA-1] — DEX with encryption string:\r\nURL(s):\r\nhxxps://github[.]com/maxw201653\r\nhxxps://github[.]com/minida1004\r\nhxxp://114.43.207[.]242/kakaoBank.apk\r\nIP(s):\r\nGitHub Timeline (/maxw201653/dest/):\r\n[create pwdText] | maxw201653 committed on Sep 12\r\n[Update pwdText] | maxw201653 committed on Sep 13 (hxxp://25.227.0[.]22/) — believed to be a typo by the dev\r\n[Update pwdText] | maxw201653 committed on Sep 13 (hxxp://125.227.0[.]22/)\r\n[Update pwdText] | maxw201653 committed on Sep 13 (hxxp://23.225.128[.]202/)\r\n[Update pwdText] | maxw201653 committed on Sep 13 (hxxp://125.227.0[.]22/)\r\n[Update pwdText] | maxw201653 committed on Sep 15 (hxxp://45.115.127[.]106/)\r\n[Update pwdText] | maxw201653 committed on Sep 17 (hxxp://122.146.93[.]88/)\r\n[Update pwdText] | maxw201653 committed on Sep 27 (hxxp://23.235.156[.]130/)\r\n—\r\n[Create a_a_xx1] | maxw201653 committed on Sep 29\r\n[Update a_a_xx1] | maxw201653 committed on Oct 6 (hxxp://180.215.193[.]162/)\r\n[Update a_a_xx1] | maxw201653 committed on Oct 12 (hxxp://45.80.115[.]250/)\r\n[Update a_a_xx1] | maxw201653 committed on Oct 12 (hxxp://180.215.193[.]251/)\r\n[Update a_a_xx1] | maxw201653 committed on Oct 18 (hxxp://103.55.129[.]139/)\r\n[Update a_a_xx1] | maxw201653 committed on Oct 19 (hxxp://202.95.18[.]82/)\r\n[Update a_a_xx1] | maxw201653 committed on Oct 25 (hxxp://103.55.129[.]140/)\r\n[Update a_a_xx1] | maxw201653 committed on Oct 25 (hxxp://180.215.11[.]90/)\r\n[Update a_a_xx1] | maxw201653 committed on Nov 2 (hxxp://202.79.165[.]9/)\r\n[Update a_a_xx1] | maxw201653 committed on Nov 3 (hxxp://180.215.11[.]94/)\r\n[Update a_a_xx1] | maxw201653 committed on Nov 8 (hxxp://180.215.11[.]93/)\r\n[Update a_a_xx1] | maxw201653 committed on Nov 9 (hxxp://180.215.11[.]92/)\r\n[Update a_a_xx1] | maxw201653 committed on Nov 12 (hxxp://180.215.11[.]91/)\r\n[Update a_a_xx1] | maxw201653 committed on Nov 15 (hxxp://202.79.165[.]35/)\r\nGitHub Profiles:\r\nmaxw201653\r\nminida1004\r\nDecryption Parameters:\r\nAES - KEY: rb!nBwXv4C%Gr^84 | IV: 1234567812345678\r\nGitHub Info [C2]\r\ngit clone --bare hxxps://github[.]com/maxw201653/dest.git\r\nSource: https://medium.com/@ThreatMiner/android-trojan-targeting-korean-demographic-using-github-for-c2-8219fc39f749",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/@ThreatMiner/android-trojan-targeting-korean-demographic-using-github-for-c2-8219fc39f749"
	],
	"report_names": [
		"android-trojan-targeting-korean-demographic-using-github-for-c2-8219fc39f749"
	],
	"threat_actors": [],
	"ts_created_at": 1775434119,
	"ts_updated_at": 1775791269,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/626f850b357f480c4bcddc8aba1a3fd7be4e9111.pdf",
		"text": "https://archive.orkl.eu/626f850b357f480c4bcddc8aba1a3fd7be4e9111.txt",
		"img": "https://archive.orkl.eu/626f850b357f480c4bcddc8aba1a3fd7be4e9111.jpg"
	}
}