{
	"id": "caf9f74f-cf2e-468a-ad9e-aed3f162c03e",
	"created_at": "2026-04-06T00:12:14.654621Z",
	"updated_at": "2026-04-10T13:11:46.89883Z",
	"deleted_at": null,
	"sha1_hash": "63374f419f6400508546c275112b0735b99a2eca",
	"title": "Octo2: European Banks Already Under Attack by New Malware Variant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1055749,
	"plain_text": "Octo2: European Banks Already Under Attack by New Malware Variant\r\nPublished: 2024-10-01 · Archived: 2026-04-05 19:00:48 UTC\r\nOcto (ExobotCompact) is a notable malware family on the current mobile threat landscape: it accounts for the largest number of unique samples observed by ThreatFabric in the current year.\r\nIn light of this, the discovery of a new version, named “Octo2” by its creator, could shift the threat landscape and the modus operandi of the actors behind it. This report describes the current state of the malware family, highlights the updates in the new version, and makes predictions for the future of the Octo (ExobotCompact) family.\r\nKey takeaways of the discovery:\r\nA new variant (named Octo2) of Octo, currently the most widespread mobile malware family, has been released by the original threat actor.\r\nThe malware developers took action to increase the stability of the remote-action capabilities needed for Device Takeover attacks.\r\nNew Octo2 campaigns have been spotted in European countries.\r\nOcto2 contains sophisticated obfuscation techniques meant to keep the Trojan undetected, including the introduction of a Domain Generation Algorithm (DGA).\r\nFrom Exobot to Octo2: A Brief History of the Family\r\nThe first samples of the Exobot malware family were seen in 2016. At that time, it was a banking trojan capable of performing overlay attacks and controlling calls, SMS, and push notifications.\r\nIn 2019, a new version of Exobot called “ExobotCompact” was promoted on underground forums as a lightweight version retaining most of the features of its predecessor.\r\nhttps://www.threatfabric.com/blogs/octo2-european-banks-already-under-attack-by-new-malware-variant\r\nPage 1 of 5\n\nAfter a break, in 2021 a new variant of ExobotCompact was discovered. Some AV vendors dubbed it “Coper”; however, ThreatFabric analysts were able to track and prove the connection with the original ExobotCompact. 
Furthermore, in 2022 the first mentions of a mysterious mobile malware family “Octo” appeared on underground forums. An actor with the nickname “Architect” claimed to be the owner of Octo, but showed little activity on the forums, providing only a few details about the malware itself. ThreatFabric was able to “connect the dots” and, based on the limited information shared by the owner, proved that Octo is a new name for ExobotCompact.\r\nSince 2022, our Mobile Threat Intelligence team has observed increasing activity from Octo and its operators. More campaigns have been spotted in the wild, and more actors have gained access to this malware family, attracted by its extensive capabilities, including continuously updated remote access features.\r\nIn 2024, several notable events affected the mobile threat landscape, some of them related to Octo. First, the source code of Octo was leaked, resulting in multiple forks launched by other threat actors. The leak of the source code was likely one of the main reasons behind the second notable event in the story of Octo: a new version, Octo2, was released by the original threat actor.\r\nTargeting European Countries - and More in the Future\r\nOver the years of monitoring the activity of Octo, ThreatFabric has observed campaigns of previous variants in multiple regions all over the world. The \"customers\" of the Octo Malware-as-a-Service were seen running campaigns targeting Europe, the USA, Canada, the Middle East, Singapore, and Australia.\r\nWhen promoting the update, the owner of Octo announced that Octo2 would be available to users of Octo1 at the same price, with early access. 
We can expect that the actors that were operating Octo1 will switch to Octo2, thus bringing it to the global threat landscape.\r\nOur research showed that Octo2’s settings reveal which applications are already on the radar of the actors. This conclusion is based on the list of package names received from the C2 as a part of the initial setup, in the “block_push_apps” setting. Once Octo2 detects a push notification from one of the apps on the list, it intercepts the notification and does not show it to the victim. The presence of an app on the list means that it is of interest to the cybercriminals and that they are already preparing to attack its users. This is likely a default setting prepared by the developers.\r\nOur Threat Intelligence shows that the first samples of Octo2 discovered in the wild were seen in Italy, Poland, Moldova, and Hungary. The samples from these first campaigns were masquerading as Google Chrome, NordVPN, and “Enterprise Europe Network” applications. 
However, as said above, we can expect the threat actors behind Octo2 not to limit their activity to these countries and to continue targeting users of mobile banking all over the world.\r\nIn the Octo2 campaigns spotted by ThreatFabric, we observed Zombinder serving as the first stage of the installation: upon launch, Zombinder requests the installation of an additional “plugin” which is, in fact, Octo2, thus bypassing the Android 13+ restrictions on sideloaded apps.\r\nFigure: Zombinder lured the victim into allowing the installation of Octo2\r\nNew Features and Improvements\r\nMalware developers and actors who sell their malware as a service face the same challenge as legitimate software businesses: how to differentiate their \"product\" from their competitors' offerings? In the case of Octo, after the source code leak, the competition is even harder: the previous version has involuntarily become a competitor with a price point of zero, so the developers have to improve their own \"product\" to keep it more attractive than the free one.\r\nIt is therefore no surprise that Octo2 received several significant updates compared to previous variants. Most of the changes are focused on increasing the stability of remote control sessions while performing Device Takeover attacks, and on improving anti-detection and anti-analysis techniques. Improvements include:\r\nIncreased RAT stability\r\nThe developers of Octo2 updated the RAT capabilities of the malware to increase the stability and decrease the connection latency of remote sessions. 
They introduced a remote session setting, “SHIT_QUALITY” (sic), that an operator can set to reduce the amount of data transmitted to the C2 and thus improve the stability of the session even over poor networks. When set, Octo2 lowers the quality of the screenshots sent to the C2 by encoding each pixel with half the usual number of bytes, capturing the image in gray tones, and using a lower quality setting when converting to JPEG.\r\nImproved anti-analysis and anti-detection techniques\r\nOcto has always been known for its sophisticated anti-analysis and anti-detection techniques. As reported in our previous blog on Octo, the main payload was decrypted by native code, which complicates manual and automated analysis and, consequently, makes detection harder. In Octo2, the developers implemented an even more elaborate obfuscation of the malicious code than in previous variants. Execution now consists of several steps, including decrypting and dynamically loading an additional native library, which is responsible for decrypting the malicious payload, generating encryption keys, and generating C2 domain names.\r\nCommunication with C2 and Domain Generation Algorithm (DGA)\r\nIn the latest versions, Octo2 uses a Domain Generation Algorithm (DGA) to generate the actual C2 server name. This lets the operators rotate C2 domains without regenerating the samples, and quickly stand up new servers under new names after the known ones are taken down. A known limitation of DGAs is that, once the algorithm (and any seed it depends on) is recovered from a sample, researchers and AV vendors can compute every domain it will generate and block or sinkhole them in advance. 
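A worked illustration of that limitation, added to this page and not taken from ThreatFabric or from any Octo2 sample: a hypothetical date-seeded DGA (SHA-256 over a constant seed and the calendar day, an assumed construction that is not the proprietary algorithm the post refers to), followed by the defender-side step of precomputing the rotation window and matching constructed resolver log lines against it.

```python
import hashlib
from datetime import date, timedelta

# Hypothetical date-seeded DGA written for this article. It is NOT Octo2 code and
# the post does not publish the real algorithm; it only shows the property the
# text describes: once seed and algorithm are known, every future domain is
# predictable. SEED stands in for a constant an analyst would recover from a sample.
SEED = b'example-family-seed'
TLDS = ('.com', '.net', '.org')
ALPHABET = 'abcdefghijklmnopqrstuvwxyz'

def dga_domain(day_iso: str, seed: bytes = SEED, length: int = 12) -> str:
    # Hash the seed together with the calendar day (YYYY-MM-DD) so that every
    # infected device computes the same name for a given day.
    digest = hashlib.sha256(seed + day_iso.encode()).digest()
    label = ''.join(ALPHABET[b % len(ALPHABET)] for b in digest[:length])
    tld = TLDS[digest[length] % len(TLDS)]
    return label + tld

def predict_domains(start_iso: str, days: int, seed: bytes = SEED) -> list:
    # Defender side: precompute the whole rotation window for blocking or sinkholing.
    start = date.fromisoformat(start_iso)
    return [dga_domain((start + timedelta(days=i)).isoformat(), seed) for i in range(days)]

def flag_dns_queries(queries, blocklist) -> list:
    # Match resolver log entries (client, qname) against the predicted list;
    # normalise case and a trailing dot so FQDN-style log lines still match.
    wanted = set(blocklist)
    return [(client, qname) for client, qname in queries
            if qname.lower().rstrip('.') in wanted]

if __name__ == '__main__':
    blocklist = predict_domains('2024-10-01', 30)
    # Constructed resolver log: one client resolves the domain for 4 October.
    log = [
        ('10.0.0.5', 'www.threatfabric.com'),
        ('10.0.0.9', dga_domain('2024-10-04').upper() + '.'),
        ('10.0.0.12', 'example.org'),
    ]
    for client, qname in flag_dns_queries(log, blocklist):
        print(client, 'resolved predicted C2 domain', qname)
```

The defender only needs the seed and the day format to run the same function forward; the same script, fed the real algorithm once it is extracted from the native library, produces a blocklist that covers the whole window instead of the single domain seen in a sandbox run.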
Nevertheless, the Octo2 authors decided to use this approach and came up with a proprietary date-based algorithm.\r\nThe key derivation for encrypting the data sent to the C2 was also updated: instead of a static hardcoded key, the malware generates a new key for every request to the C2. The cryptographic \"salt\" is sent as a part of the request so that the C2 server can derive the same key on its side and decrypt the data. Because the salt travels with the request, the confidentiality of the traffic rests on whatever fixed material is combined with it; if that material is embedded in the sample, recovering it together with the derivation routine is enough to decrypt captured traffic.\r\nThe emergence of the Octo2 variant signals future challenges for mobile banking security, as its enhanced capabilities and wider usage pose significant risks. With the original Octo source code already leaked and easily accessible to various threat actors, Octo2 builds on this foundation with more robust remote access capabilities and more sophisticated obfuscation techniques. This makes it harder for security systems to detect and remove, increasing the malware's longevity and potential impact.\r\nConclusion\r\nThe emergence of this Octo2 variant represents a significant evolution in mobile malware, particularly in the context of banking security. With enhanced remote access functionality, sophisticated obfuscation methods, and the wide availability of its predecessor’s source code, Octo2 is poised to remain a dominant force in the mobile malware landscape, together with the older variants based on the leaked source code. This variant's ability to invisibly perform on-device fraud and intercept sensitive data, coupled with the ease with which it can be customised by different threat actors, raises the stakes for mobile banking users globally. 
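The per-request key scheme described above, shown as code added to this page (not ThreatFabric's code and not Octo2's constants or primitives; the HMAC-SHA256 derivation, the 16-byte salt and the HMAC counter-mode keystream standing in for a block cipher are all assumptions made so the example runs on the Python standard library). Both sides of the exchange are included, plus the analyst's view: whoever holds the fixed secret can open any captured request just as the C2 does.

```python
import hashlib
import hmac
import os

# Illustration written for this article of a per-request key scheme of the kind the
# post describes. It is NOT Octo2 code: the HMAC-SHA256 derivation, the 16-byte salt
# and the HMAC counter-mode keystream (used instead of a real block cipher so the
# example needs only the standard library) are all assumptions.
STATIC_SECRET = b'material-baked-into-the-sample'  # what an analyst would recover from the APK
SALT_LEN = 16

def derive_key(secret: bytes, salt: bytes, context: bytes = b'c2-request') -> bytes:
    # One HMAC-SHA256 over (salt, context): a fresh salt yields a fresh 32-byte key while
    # the secret stays fixed, which is the situation the text describes.
    return hmac.new(secret, salt + context, hashlib.sha256).digest()

def keystream_xor(key: bytes, data: bytes) -> bytes:
    # Toy stream cipher: XOR data with HMAC-SHA256(key, counter) blocks.
    # Symmetric, so one function both encrypts and decrypts.
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, offset.to_bytes(4, 'big'), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)

def build_request(secret: bytes, plaintext: bytes) -> bytes:
    # Client side: draw a random salt, derive the request key, prepend the salt in the clear.
    salt = os.urandom(SALT_LEN)
    return salt + keystream_xor(derive_key(secret, salt), plaintext)

def open_request(secret: bytes, request: bytes) -> bytes:
    # Server side, and equally an analyst holding the recovered secret: read the salt,
    # re-derive the key and decrypt. Nothing here assumes the salt is secret, only the secret.
    salt, body = request[:SALT_LEN], request[SALT_LEN:]
    return keystream_xor(derive_key(secret, salt), body)

def keys_differ_per_request(secret: bytes, n: int = 5) -> bool:
    # Property check: n random salts give n distinct keys.
    return len({derive_key(secret, os.urandom(SALT_LEN)) for _ in range(n)}) == n

if __name__ == '__main__':
    beacon = b'bot=1234&cmd=ping'          # constructed beacon body
    wire = build_request(STATIC_SECRET, beacon)
    print('salt on the wire:', wire[:SALT_LEN].hex())
    print('decrypted with recovered secret:', open_request(STATIC_SECRET, wire))
    print('decrypted with wrong secret:', open_request(b'wrong-secret', wire))
```

The per-request key defeats static signatures on the ciphertext and any decryptor that hardcodes a single key, but it is not a key agreement: a traffic decoder for a sandbox or IDS needs the fixed secret and the derivation function, both of which live in the sample, not the salt.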
As this threat continues to evolve, both users and financial institutions must remain proactive, adopting stringent security measures and continuously updating defenses to mitigate the increased risk.\r\nAppendix\r\nIndicators of compromise\r\nSHA256 | App name | Package name\r\n83eea636c3f04ff1b46963680eb4bac7177e77bbc40b0d3426f5cf66a0c647ae | NordVPN | com.handedfastee5\r\n6cd0fbfb088a95b239e42d139e27354abeb08c6788b6083962943522a870cb98 | Europe Enterprise | com.xsusb_restore3\r\n117aa133d19ea84a4de87128f16384ae0477f3ee9dd3e43037e102d7039c79d9 | Google Chrome | com.havirtual06numberresources\r\nSource: https://www.threatfabric.com/blogs/octo2-european-banks-already-under-attack-by-new-malware-variant",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.threatfabric.com/blogs/octo2-european-banks-already-under-attack-by-new-malware-variant"
	],
	"report_names": [
		"octo2-european-banks-already-under-attack-by-new-malware-variant"
	],
	"threat_actors": [],
	"ts_created_at": 1775434334,
	"ts_updated_at": 1775826706,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/63374f419f6400508546c275112b0735b99a2eca.pdf",
		"text": "https://archive.orkl.eu/63374f419f6400508546c275112b0735b99a2eca.txt",
		"img": "https://archive.orkl.eu/63374f419f6400508546c275112b0735b99a2eca.jpg"
	}
}