{
	"id": "74f775a5-80b8-4bef-9a4c-6d62fce9774a",
	"created_at": "2026-04-06T00:13:49.414213Z",
	"updated_at": "2026-04-10T13:13:04.706918Z",
	"deleted_at": null,
	"sha1_hash": "732387f90c716b00b61864b7348da4a70c10438b",
	"title": "Moqhao masters new tricks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 63739,
	"plain_text": "Moqhao masters new tricks\r\nBy Deutsche Telekom AG\r\nPublished: 2023-03-31 · Archived: 2026-04-05 15:24:24 UTC\r\nEver received a text message alerting you to problems with the delivery of a package - even though you weren't waiting for\r\none? Then you've already met Moqhao in person, also known as Shaoye or XLoader. Moqhao is something like the\r\nbestseller from the Roaming Mantis malware family, ready to build a backdoor into your smartphone's Android operating\r\nsystem. \r\nThis group of Android malware is a proprietary brand of the Yanbian Gang, a Chinese threat actor also known for its DNS\r\nhijacking campaigns, in which it \"redirects\" visitors from websites. Deutsche Telekom Security has been tracking the\r\nYanbian Gang and consequently Moqhao infections since 2021. As a result of our tracking, we discovered a new major\r\nfeature introduced to Moqhao in order to bypass CAPTCHA security access mechanisms in wireless routers. Right, the one\r\nwith the combination of letters and numbers used as images. \r\nThis technique has not been attributed to the Yanbian Gang before. Instead, the security community has only speculated on\r\nhow vulnerable routers were previously compromised by the actor. Now, we have found new evidence on how they are able\r\nto hijack wireless routers via Moqhao. In this blog post, we describe how these attacks are executed by Moqhao and what\r\nmeasures can be taken to prevent them.\r\nMoqhao, a key malware player of the Yanbian Gang\r\nThe Yanbian Gang is a threat actor that has been active since 2013, operating from the Yanbian Prefecture in Jilin,\r\nChina. Over the years, the Yanbian Gang expanded their criminal operation to target countries all over the world with a\r\ncollection of Android malware known as the Roaming Mantis. 
This collection includes fake apps that impersonate banking\r\nservices, engage in cryptomining, multilingual phishing, and other fraudulent activities.\r\nAs part of the Roaming Mantis, Moqhao was first discovered in 2015. Deutsche Telekom Security started monitoring this\r\nmalware in February 2021 after multiple customers reported fake SMS messages. These messages indicated that a parcel had\r\nbeen sent and urged users to verify the delivery. An example of Moqhao’s SMS Smishing (SMiShing) messages is shown in\r\nfigure 1.\r\nFigure 1: An example of Moqhao's fake SMS messages indicating that a parcel has been sent and urging users\r\nfor verification. © Image credit: Deutsche Telekom/ GettyImages/AmnajKhetsamtip; Montage: Evelyn Ebert\r\nMeneses\r\nMessages sent as part of Moqhao’s campaign appear harmless and authentic at first, but they contain links from which the\r\nMoqhao malware is downloaded onto the victim’s device. The downloaded file containing Moqhao poses as an update of a\r\nlegitimate app such as Facebook or Chrome. Once installed, it can be used to steal sensitive information, install additional\r\napps, hijack the infected device to send SMiShing messages and, more recently, perform DNS hijacking on wireless routers. Once\r\nMoqhao obtains full control over the infected device, the device is used to engage in SMiShing campaigns to infect further\r\nvictims.\r\nMoqhao infects wireless routers to perform DNS hijacking attacks\r\nSince the beginning of our tracking, efforts have been focused on monitoring Moqhao’s activity in order to prevent\r\ninfections and/or notify our customers in the event of an infection. During July 2022, we published an alert about new\r\nSMiShing waves spreading an updated version of Moqhao in Germany. 
The campaign exhibited geofencing and operating\r\nsystem checks, which proves that the Yanbian Gang tailors their attacks to their victims (e.g., German-speaking users) and\r\navoids detection while trying to keep a low profile.\r\nAs part of our monitoring, we periodically conduct analysis of Moqhao samples obtained during these SMiShing campaigns.\r\nAs a result of such analyses, we discovered a previously unknown feature in Moqhao to bypass text-based CAPTCHAs. This\r\nfeature is used in combination with brute-force attacks on wireless routers’ web interfaces to compromise routers and\r\nperform DNS hijacking attacks.\r\nDNS hijacking is a technique used to redirect network traffic, for instance to malicious websites, by altering the DNS\r\nresolution. In other words, Moqhao’s intention is to seize the translation process of human-readable domain names (such as\r\nwww.telekom.com) into IP addresses. This allows Moqhao to redirect the victims’ web traffic to malicious websites that\r\nmimic legitimate sites to steal sensitive information or deliver copies of Moqhao.\r\nWireless routers are critical in DNS hijacking because they contain information needed to perform this resolution process.\r\nThis means that even if victims type in a legitimate website, their traffic is redirected to a fake one owned by an attacker.\r\nhttps://www.telekom.com/en/blog/group/article/moqhao-masters-new-tricks-1031484\r\nPage 1 of 5\n\nWhat are CAPTCHAs and why are they important to Moqhao?\r\nIn terms of home network security, one of the most important devices we should try to protect is our router. Routers allow\r\ndevices within a local network to reach resources on the Internet by relaying traffic between local network devices and\r\nremote servers. If routers are infected, threat actors may be able to capture or manipulate network traffic that the router\r\nrelays. 
Threat actors like the Yanbian Gang have identified the criticality of routers and have begun targeting them for malicious\r\npurposes.\r\nA router’s settings and network configuration can often be accessed through a web-based login page that devices on the local\r\nnetwork can reach. By gaining access to the router’s web page, all kinds of sensitive information such as login credentials,\r\nnetwork configurations, and other personal data can be accessed and/or manipulated.\r\nTo prevent unauthorized access through brute-force attacks on the router’s login panel, many manufacturers use\r\nCAPTCHAs to block automated authentication attempts. CAPTCHAs are verification challenges used to confirm that a\r\nuser is a human as opposed to a computer program. They consist of one or more morphed pictures that contain random objects,\r\nnumbers and/or characters. To pass the verification step, the system asks the user to enter the content of the image into an\r\ninput box or to perform an action based on such content. By requiring a human to complete the challenge, the system can\r\nverify that the user is legitimate and prevent automated attacks. Therefore, users need to confirm that they are human when\r\nlogging in.\r\nThis procedure relies on the fact that automated attacks should not be able to complete the task of solving the challenges on\r\nthe image. Unfortunately, not all CAPTCHAs are secure against machine learning mechanisms. Poorly designed\r\nCAPTCHAs that rely on fixed patterns of letters are vulnerable to Optical Character Recognition (OCR) engines. This is\r\nespecially true for the CAPTCHA mechanism targeted by Moqhao’s latest version.\r\nIn short, Optical Character Recognition is a mechanism designed to recognize and extract text from images. 
OCR engines\r\nwork by analyzing a CAPTCHA image using pattern recognition algorithms to identify the characters on the image.\r\nMoqhao can therefore profit from OCR to trick a system and bypass CAPTCHA challenges that rely on text-based verification.\r\nFigure 2: Example of a CAPTCHA challenge from ipTIME routers. © Image credit: Deutsche Telekom/\r\nGettyImages/milindri; Montage: Evelyn Ebert Meneses\r\nMoqhao’s new ability to PWNtcha your wireless router\r\nOver the years, the Yanbian Gang has invested a lot of resources to maintain and improve Moqhao’s features. A recent\r\nexample of the Yanbian Gang’s dedication to Moqhao’s development is the adoption of OCR techniques. This represents a\r\nkey addition in order to take over routers to perform DNS hijacking.\r\nWhen trying to “PWNtcha” (defeat via CAPTCHA challenge) a vulnerable router, Moqhao first determines the IP address of\r\nthe router to request its web-based administration pages. By accessing these default pages, Moqhao can determine the router’s\r\nmodel. Next, Moqhao compares the router model against a hardcoded list of vulnerable routers to decide whether it proceeds\r\nwith the attack.\r\nWhen Moqhao identifies a vulnerable model, it crawls the router’s web-admin pages searching for specific patterns. These\r\npatterns are based on hardcoded strings embedded in Moqhao’s configuration to extract login forms and images from the\r\nCAPTCHA challenges. If such predefined patterns are matched, Moqhao uses a list of default usernames and passwords\r\nsuch as “admin:admin”. Although the number of hardcoded credentials in Moqhao is limited, default login combinations\r\ncan be easily extended by the actor. 
For example, dictionary-based passwords or stolen credentials could be added to\r\nMoqhao’s configuration to target further router models or tailor attacks to other devices in the future.\r\nAs described before, the malware needs to circumvent the router’s CAPTCHA challenges to gain access to the router’s\r\nsettings. To achieve this, Moqhao forwards CAPTCHA images to an API-based OCR translation service that converts\r\nCAPTCHA images to text. If the OCR service returns the correct text, the malware can brute-force the login\r\ncredentials and take over the router.\r\nMoqhao’s OCR Translation Service\r\nAs part of its configuration, Moqhao depends on a list of profile account IDs hosted on different social media platforms.\r\nThese profiles are created using false information such as name, location, age and gender to deceive others into believing\r\nthat the profile belongs to a real person. The main purpose of these fake profiles is to publish information regarding the\r\nmalware’s infrastructure while avoiding detection. This information includes, for example, the location of the C\u0026C server, a\r\nrogue DNS service used for DNS hijacking and its new OCR translation service. During Moqhao’s execution, these profile\r\naccounts are accessed to dynamically retrieve network configuration updates made periodically by the threat actor.\r\nDeutsche Telekom Security conducted analysis of the malware in order to extract the malicious profile IDs directly from\r\nthe malware. 
By extracting these IDs, it is possible to track where Moqhao’s endpoints are published and obtain the malware\r\nconfiguration as soon as it gets updated.\r\nOur collected data regarding profile accounts overlaps with Kaspersky’s latest report on Moqhao's latest campaign.\r\nHowever, in addition to the DNS changer accounts reported by Kaspersky, we were able to obtain the OCR accounts and\r\nverify the use of this translation service. For example, samples that we analyzed connected to a social media profile hosted\r\non vk.com whose ID is id729071494. vk.com is a Russian social network analogous to Facebook. From this profile,\r\nMoqhao was able to retrieve the URL of a file called gif.txt hosted at 107.148.162[.]237:28810/gif.txt.\r\nFigure 3: OCR service information posted on hxxps://m[.]vk[.]com/id729071494?act=info. © Image credit:\r\nDeutsche Telekom/ GettyImages/simonkr; Montage: Evelyn Ebert Meneses\r\nWhen Moqhao requests the content of the gif.txt file shown in figure 2, i.e., 107.148.162.237:28810/gif.txt, it obtains\r\nanother IP, port and path that belong to the OCR service, i.e., 27.124.38[.]58:10052/ocr.html. Although it is unknown\r\nwhat type of OCR backend system the threat actor uses or whether they rely on a proprietary solution, there are numerous\r\nservices that can solve CAPTCHAs automatically.\r\nMoqhao’s OCR service is currently exposed to anyone on the Internet and is not protected by any form of authentication. As\r\nof February 2023, this service could be further employed by other criminals as a free CAPTCHA-bypass mechanism. At the\r\ntime of our analysis, access to one of the vulnerable router models was not available. 
To overcome this limitation, we tested\r\nMoqhao’s OCR service by emulating Moqhao’s network communication.\r\nTo verify if Moqhao’s OCR service is able to defeat the CAPTCHA challenges, we used the public CAPTCHA generator\r\nfrom one of the vulnerable router brands, i.e., ipTIME, which is available here. These challenges are examples of the\r\nCAPTCHAs presented to the users during login and targeted by Moqhao.\r\nWe sent multiple requests to Moqhao's OCR service with these CAPTCHAs, i.e., the gif image files. For all of our test\r\nimages using ipTIME’s generator, we were able to successfully retrieve the correct codes as text. However, when using\r\nCAPTCHAs of other router brands and models, its success rate dropped. Therefore, we conclude that the threat actor’s OCR\r\ntranslation service was designed to target Moqhao’s list of router models specifically.\r\n\"ipTIME N3-i\\nipTIME N604plus-i\\nEFM Networks ipTIME N604plus-i\"\r\n\"EFM Networks - ipTIME Q104\\nEFM Networks ipTIME Q104\"\r\n\"EFM Networks - ipTIME Q204\\nEFM Networks ipTIME Q204\\nEFM Networks ipTIME V108\"\r\n\"EFM Networks ipTIME Q604\\nEFM Networks ipTIME Q604 PINKMOD\\nEFM Networks ipTIME N104R\\nEFM\r\nNetworks ipTIME N604R\\nEFM Networks ipTIME Q504\\nEFM Networks ipTIME N5\\nEFM Networks ipTIME N604V\"\r\n\"EFM Networks ipTIME N104T\"\r\n\"EFM Networks - ipTIME G301\"\r\n\"title.n704bcm\\ntitle.a8004t\\ntitle.a2004sr\\ntitle.n804r\"\r\n\"title.n104e\\ntitle.n104pk\\ntitle.a1004ns\\ntitle.a604m\\ntitle.n104pi\\ntitle.a2008\\ntitle.ax2004b\\ntitle.n104q\\ntitle.n604e\\ntitle.n704e\\ntitle.n704v3\\ntitle.n\r\n\"title.v504\\ntitle.n1p\\ntitle.n704bcm\\ntitle.ew302\\ntitle.n104qi\\ntitle.n104r\\ntitle.n2p\\ntitle.n608\\ntitle.q604\\ntitle.n104rsk\\ntitle.n2e\\ntitle.n604s\\ntitle.n6\r\n\"title.a604v\\ntitle.n6004r\\ntitle.n604p\\ntitle.t3004\\ntitle.n5\\ntitle.n904\\ntitle.a5004ns\\ntitle.n8004r\\ntitle.n604vlg\"\r\nStrings of wireless router models hardcoded in Moqhao’s configuration.\r\nOnce 
Moqhao has gained access to the router’s web admin, it continues to hijack the router’s DNS settings as described\r\nhere. Moqhao’s final goal is to deliver copies of the malware to devices connecting to the compromised network via DNS\r\nhijacking.\r\nVictims\r\nBased on our telemetry, infections with Moqhao continue to happen via SMiShing campaigns in Germany. However, we\r\nhave no indicators of victims of Moqhao’s PWNtcha attacks at the time of writing.\r\nBy extracting the list of router models from the malware, we conclude that the current campaign targets users of wireless\r\nrouters located in Asia, mainly in South Korea, as reported by Kaspersky.\r\nDeutsche Telekom Security is constantly monitoring Roaming Mantis related infrastructure and implementing protection\r\nmechanisms. As part of Moqhao’s infrastructure, we have identified well-known Roaming Mantis IPs and monitor the\r\nregistration of domain names on these IPs that are potentially used as landing pages. These landing pages serve as the\r\ndestination to which the victims are lured during the Yanbian Gang’s phishing scams. In other cases, they are also used\r\nto host Moqhao payloads.\r\nOur focus remains primarily on preventing customers from contacting the aforementioned malicious Moqhao endpoints.\r\nOur efforts also include detecting new Moqhao infections in order to notify customers and provide assistance during the\r\ncleanup process.\r\nConclusion\r\nAs more and more people rely on wireless routers to connect to the Internet, the risk of attacks similar to the one\r\nimplemented by Moqhao is likely to increase. CAPTCHA attacks on routers can be challenging to detect and can\r\ncompromise the security of an entire network. 
Once a router is compromised, attackers can use it as a launching pad for\r\nfurther attacks.\r\nNeglected routers with poor CAPTCHA implementations and weak passwords additionally make such attacks effortless,\r\nallowing attackers to gain unauthorized access or even take control of an entire network. In this regard,\r\nMoqhao and its OCR translation service are a successful duet for a chain of exploits that starts with gaining unauthorized\r\naccess to the router’s web-admin and ends with hijacking the DNS settings of the compromised routers. In this\r\nscenario, the potential for havoc from Moqhao is not limited to spreading itself; it is limited only by the\r\nthreat actor’s interests.\r\nDespite the Yanbian Gang actively using this attack only in South Korea as of March 2023, Deutsche Telekom Security\r\nconsiders it possible that this group will extend the scope of these attacks to target victims in other countries. Although\r\nrouter models targeted by Moqhao are currently not used in Germany, Moqhao’s PWNtcha serves as a successful proof of\r\nconcept to mimic and further extend. For instance, attackers can easily modify the list of default passwords and router\r\nmodels to include more popular brands such as FRITZ!Box, TP-Link, D-Link, etc. As a result, it is important for users to\r\ntake steps to protect themselves from these attacks.\r\nRecommendations\r\nTo protect against Moqhao's router PWNtcha attacks, we recommend the following practices:\r\nChange the default username and password combination for the web admin interface of your router and use a strong password\r\nwhen applying this change.\r\nThere are several CAPTCHA systems available, each with varying levels of security. Choose a router model with a\r\nstrong CAPTCHA system.\r\nIf your router model allows it, implement two-factor authentication to provide an extra layer of security. 
This can\r\nhelp prevent unauthorized access even if the CAPTCHA is bypassed.\r\nMake sure your router’s firmware is up to date and that security patches have been applied. This can help prevent\r\nvulnerabilities from being exploited.\r\nNever install firmware from third-party/unknown sources.\r\nOverall, a combination of these measures can help protect against CAPTCHA attacks and maintain the security of your\r\nwireless router.\r\nIoCs\r\nHashes\r\nC\u0026C server accounts\r\nOCR Translation Service\r\nhxxps://m[.]vk[.]com/id729071494?act=info\r\n107.148.162[.]237:28810/gif.txt\r\nConfiguration included in gif.txt:\r\n27.124.38[.]58:10052/ocr.html\r\nRogue DNS\r\nhxxps://m[.]vk[.]com/id728588947?act=info\r\n107.148.162[.]237:26333/sever.ini\r\nConfiguration included in sever.ini:\r\n[Severkt]----sever=193.239.154.16----sever1=193.239.154.17----\r\n[Seversk]----sever=193.239.154.16----sever1=193.239.154.17----\r\n[Severother]----sever=193.239.154.16----sever1=193.239.154.\r\nSource: 
https://www.telekom.com/en/blog/group/article/moqhao-masters-new-tricks-1031484",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.telekom.com/en/blog/group/article/moqhao-masters-new-tricks-1031484"
	],
	"report_names": [
		"moqhao-masters-new-tricks-1031484"
	],
	"threat_actors": [
		{
			"id": "4c5a35bf-f483-463e-aea0-89a795698cff",
			"created_at": "2023-01-06T13:46:39.198624Z",
			"updated_at": "2026-04-10T02:00:03.243996Z",
			"deleted_at": null,
			"main_name": "Yanbian Gang",
			"aliases": [],
			"source_name": "MISPGALAXY:Yanbian Gang",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c94cb0e9-6fa9-47e9-a286-c9c9c9b23f4a",
			"created_at": "2023-01-06T13:46:38.823793Z",
			"updated_at": "2026-04-10T02:00:03.113045Z",
			"deleted_at": null,
			"main_name": "Roaming Mantis",
			"aliases": [
				"Roaming Mantis Group"
			],
			"source_name": "MISPGALAXY:Roaming Mantis",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8f350ed9-134e-4160-b63d-701f562ba64a",
			"created_at": "2022-10-25T16:07:24.589322Z",
			"updated_at": "2026-04-10T02:00:05.045635Z",
			"deleted_at": null,
			"main_name": "Yanbian Gang",
			"aliases": [],
			"source_name": "ETDA:Yanbian Gang",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f9bc28d0-ce98-4991-84ae-5036e5f9d4e3",
			"created_at": "2022-10-25T16:07:24.546437Z",
			"updated_at": "2026-04-10T02:00:05.029564Z",
			"deleted_at": null,
			"main_name": "Roaming Mantis",
			"aliases": [
				"Roaming Mantis Group",
				"Shaoye"
			],
			"source_name": "ETDA:Roaming Mantis",
			"tools": [
				"MoqHao",
				"Roaming Mantis",
				"SmsSpy",
				"Wroba",
				"XLoader"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434429,
	"ts_updated_at": 1775826784,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/732387f90c716b00b61864b7348da4a70c10438b.pdf",
		"text": "https://archive.orkl.eu/732387f90c716b00b61864b7348da4a70c10438b.txt",
		"img": "https://archive.orkl.eu/732387f90c716b00b61864b7348da4a70c10438b.jpg"
	}
}