{
	"id": "e5ed1d2d-bba4-4a56-b458-43963f8c98cc",
	"created_at": "2026-04-06T00:21:52.747773Z",
	"updated_at": "2026-04-10T13:11:23.958071Z",
	"deleted_at": null,
	"sha1_hash": "65f83a515449e805ee4fb278203ec5b66f5b6fdd",
	"title": "The RoamingMantis Group’s Expansion to European Apple Accounts and Android Devices",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1665226,
	"plain_text": "The RoamingMantis Group’s Expansion to European Apple\r\nAccounts and Android Devices\r\nBy Aleksejs Kuprins\r\nPublished: 2020-06-25 · Archived: 2026-04-05 17:11:28 UTC\r\nBackground\r\nThe RoamingMantis cybercrime group has been extensively blogged about, analyzed and discussed at different\r\ninformation security conferences and blogs since 2017. It is known to infect victims with the following range of\r\nmalware families for the Android OS: FakeCop, FakeSpy, MoqHao and FunkyBot. The malware is meant to\r\nprovide the criminals with access to the victims’ Android OS devices for further monetary fraud. Until now, the\r\ngroup has been known to focus mostly on Asian countries. It was attacking Europe back in 2018 as well; however,\r\nwe have found those campaigns to be not as organized as these new ones.\r\nThe image above is present on every FakeCop malware’s control panel\r\nThis trojan is usually delivered via SMS spam, containing links to a variety of different fake websites, which\r\nentice the victims to download and install a malicious component — in this case FakeCop.\r\nCases of infections via the official GooglePlay store have been identified in the past as well. Please see the\r\nreferences section to find the articles featuring technical analysis of each of the malware families used by this\r\nhttps://medium.com/csis-techblog/the-roamingmantis-groups-expansion-to-european-apple-accounts-and-android-devices-e6381723c681\r\nPage 1 of 8\n\ngroup, as well as a summary of the group’s operations and timelines.\r\nThe recent events have exposed the novel ambitions of this group, particularly in their desire to extend their fraud\r\nto European countries. Specifically, we have observed such campaigns in: Denmark, France, Germany, Italy,\r\nthe Netherlands, Sweden and Finland. 
Besides these EU countries, we have also seen this attack against the mobile\r\nusers in the United Kingdom, Switzerland, Brazil and Japan. With this campaign, RoamingMantis is not only\r\nattacking Android OS with malware, but also employs phishing against Apple ID accounts. Please note that,\r\nunlike the Android OS component, the iOS part of the fraud is unrelated to any malicious apps.\r\nThe Move on Europe\r\nBesides the previously used SMS spam, the chosen strategy for attacking mobile device users in these newly-added regions is the use of phishing website lures. All of these websites impersonate a locally-used postal/delivery\r\nservice.\r\nFor example, the campaign in Denmark involves a website which looks almost identical to PostNord — a\r\npostal/delivery service widely used in this country. The rest of the campaigns for the aforementioned new target\r\ncountries each feature that country’s own locally-popular postal/delivery service.\r\nExamples of the European adaptations of the FakeCop’s spreading websites\r\nOn such fake websites, the victim is usually asked to enter their phone number. Upon entry, the website\r\noffers to download and install an APK file (APK is the file extension of app packages for the Android OS). This\r\ntechnique has been successfully utilized by the group in other regions in the past.\r\nApple ID Phishing\r\nAlong with the extension to the new regions and the phishing page strategy, the RoamingMantis group has also\r\ndecided to incorporate a phishing attack on the victims’ Apple ID accounts.\r\nExamples of AppleID phishing pages — these are displayed to the users who run iOS\r\nUnfortunately, the phishing pages impersonate the original websites accurately enough. 
For that reason, we have\r\nfound these phishing pages to yield Apple ID account names and passwords to the criminals at an alarming rate.\r\nAt one point we observed traffic of between 10 and 15 credentials per hour, in Denmark alone. However,\r\nthis rate slowed down greatly on the second day of our observations.\r\nData Collection\r\nThe backend of RoamingMantis’ FakeCop malware and its European phishing campaign is split between different\r\nhosts, each responsible for providing the criminals with a web user interface for management of the stolen data, as\r\nwell as the database behind it. Each of the phishing websites runs its own panel, which stores the data acquired\r\nfrom the phishing.\r\nIn case anyone reading out there has looked at the screenshot above and instantly remembered an article on\r\nKrebsonsecurity about Trump’s Dumps — sorry, we are not aware of any connection of RoamingMantis to it\r\nbeyond the use of this design.\r\nNotably, all of the control panels that we have observed provide the user interface in the Chinese language. It is\r\nhighly uncommon for Chinese-speaking carders to attack European financial organizations.\r\nRoamingMantis has a wide variety of monetization schemes, which range from bitcoin mining and money\r\nlaundering to banking fraud. You can expect a group as large as this one to use every opportunity at their disposal\r\nto generate revenue.\r\nUsing these control panels, the criminals can change different settings to fine-tune the phishing activity. 
We have\r\nused Google Translate on some of the screenshots for ease of reading.\r\nThe settings of the phishing website designed to attack Denmark\r\nThis user interface provides the criminals with access to the stolen data from the campaign in\r\nDenmark\r\nMeanwhile, the IDs of the stolen data records on the main panel are much larger, indicating its magnitude (nearly\r\n7,000 records). This panel includes data from various campaigns.\r\nFinally, the user interface for monitoring specifically the FakeCop malware data in the EU has a different design,\r\nbut also shows the number of devices affected in the EU (nearly 300).\r\nSummary\r\nRoaming Mantis campaigns usually come in huge volumes of spam, but now also have a wide regional coverage.\r\nThe analysis above covers only a minor part of such campaigns during just two days of observation.\r\nThe technique of impersonation of postal/delivery services is nothing new and has been used rather successfully\r\naround the world by cybercriminals for years. Nearly everyone expects a package delivery from time to time and\r\nis often impatient to receive it. The criminals will always exploit such impatience, because the phishing\r\npage can seem more credible when the victim is actually expecting a delivery.\r\nPlease remember to always verify the source of notifications for your mail or other delivery. 
Is it the same\r\nincoming phone number in that SMS notification as it was previously, when you received a different\r\ndelivery? Did you receive an email notification at the same time as well? Can you remember or check the official\r\nwebsite name of your postal/delivery service? If so, maybe you could navigate to that page manually instead of\r\nclicking the provided link in the notification.\r\nExercise caution and avoid installing any unknown apps or entering your AppleID credentials when the context\r\nshould not call for that. Your real postal/delivery service is most likely to provide their official app only through\r\nthe official app store which is relevant for your device: Apple’s App Store in the case of iOS devices and Google’s\r\nGoogle Play, if your device runs Android OS.\r\nReferences and Further Reading\r\n1. https://www.botconf.eu/wp-content/uploads/2019/12/B2019-Ishimaru-Niseki-Ogawa-Mantis.pdf\r\n2. https://www.mcafee.com/blogs/other-blogs/mcafee-labs/moqhao-related-android-spyware-targeting-japan-and-korea-found-on-google-play/\r\n3. https://securelist.com/roaming-mantis-uses-dns-hijacking-to-infect-android-smartphones/85178/\r\n4. https://securelist.com/roaming-mantis-dabbles-in-mining-and-phishing-multilingually/85607/\r\n5. https://securelist.com/roaming-mantis-part-3/88071/\r\n6. https://securelist.com/roaming-mantis-part-iv/90332/\r\n7. https://securelist.com/roaming-mantis-part-v/96250/\r\n8. https://blog.trendmicro.com/trendlabs-security-intelligence/fakespy-android-information-stealing-malware-targets-japanese-and-korean-speaking-users/\r\n9. https://blog.trendmicro.com/trendlabs-security-intelligence/a-look-into-the-connection-between-xloader-and-fakespy-and-their-possible-ties-with-the-yanbian-gang/\r\n10. https://www.fortinet.com/blog/threat-research/funkybot-malware-targets-japan\r\n11. 
https://krebsonsecurity.com/2017/05/trumps-dumps-making-dumps-great-again/\r\n12. https://twitter.com/ninoseki/status/1273057220586950656\r\n13. https://twitter.com/ninoseki/status/1249623587574517761\r\n14. https://twitter.com/papa_anniekey/status/1275759555830407168\r\nIOCs\r\nFakeCop APK SHA256\r\nPhishing domains:\r\nHost/C2 IPs:\r\n103.126.100 .18\r\n103.145.106 .131\r\n45.137.183 .33",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://medium.com/csis-techblog/the-roamingmantis-groups-expansion-to-european-apple-accounts-and-android-devices-e6381723c681"
	],
	"report_names": [
		"the-roamingmantis-groups-expansion-to-european-apple-accounts-and-android-devices-e6381723c681"
	],
	"threat_actors": [
		{
			"id": "4c5a35bf-f483-463e-aea0-89a795698cff",
			"created_at": "2023-01-06T13:46:39.198624Z",
			"updated_at": "2026-04-10T02:00:03.243996Z",
			"deleted_at": null,
			"main_name": "Yanbian Gang",
			"aliases": [],
			"source_name": "MISPGALAXY:Yanbian Gang",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c94cb0e9-6fa9-47e9-a286-c9c9c9b23f4a",
			"created_at": "2023-01-06T13:46:38.823793Z",
			"updated_at": "2026-04-10T02:00:03.113045Z",
			"deleted_at": null,
			"main_name": "Roaming Mantis",
			"aliases": [
				"Roaming Mantis Group"
			],
			"source_name": "MISPGALAXY:Roaming Mantis",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8f350ed9-134e-4160-b63d-701f562ba64a",
			"created_at": "2022-10-25T16:07:24.589322Z",
			"updated_at": "2026-04-10T02:00:05.045635Z",
			"deleted_at": null,
			"main_name": "Yanbian Gang",
			"aliases": [],
			"source_name": "ETDA:Yanbian Gang",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f9bc28d0-ce98-4991-84ae-5036e5f9d4e3",
			"created_at": "2022-10-25T16:07:24.546437Z",
			"updated_at": "2026-04-10T02:00:05.029564Z",
			"deleted_at": null,
			"main_name": "Roaming Mantis",
			"aliases": [
				"Roaming Mantis Group",
				"Shaoye"
			],
			"source_name": "ETDA:Roaming Mantis",
			"tools": [
				"MoqHao",
				"Roaming Mantis",
				"SmsSpy",
				"Wroba",
				"XLoader"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434912,
	"ts_updated_at": 1775826683,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/65f83a515449e805ee4fb278203ec5b66f5b6fdd.pdf",
		"text": "https://archive.orkl.eu/65f83a515449e805ee4fb278203ec5b66f5b6fdd.txt",
		"img": "https://archive.orkl.eu/65f83a515449e805ee4fb278203ec5b66f5b6fdd.jpg"
	}
}