{
	"id": "c13c18e9-9546-42bb-a4b6-eacd1865704b",
	"created_at": "2026-04-06T00:08:26.099105Z",
	"updated_at": "2026-04-10T03:28:17.390606Z",
	"deleted_at": null,
	"sha1_hash": "7833cbdc05d3ff3c6e9642b739e246294a009f80",
	"title": "BladeHawk group: Android espionage against Kurdish ethnic group",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 914938,
	"plain_text": "BladeHawk group: Android espionage against Kurdish ethnic\r\ngroup\r\nBy Lukas Stefanko\r\nArchived: 2026-04-05 16:09:49 UTC\r\nESET researchers have investigated a targeted mobile espionage campaign against the Kurdish ethnic group. This\r\ncampaign has been active since at least March 2020, distributing (via dedicated Facebook profiles) two Android\r\nbackdoors known as 888 RAT and SpyNote, disguised as legitimate apps. These profiles appeared to be providing\r\nAndroid news in Kurdish, and news for the Kurds’ supporters. Some of the profiles deliberately spread additional\r\nspying apps to Facebook public groups with pro-Kurd content. Data from a download site indicates at least 1,481\r\ndownloads from URLs promoted in just a few Facebook posts.\r\nThe newly discovered Android 888 RAT has been used by the Kasablanka group and by BladeHawk. Both of\r\nthem used alternative names to refer to the same Android RAT - LodaRAT and Gaza007 respectively.\r\nBladeHawk Android espionage\r\nThe espionage activity reported here is directly connected to two publicly disclosed cases published in 2020.\r\nQiAnXin Threat Intelligence Center named the group behind these attacks BladeHawk, which we have adopted.\r\nBoth campaigns were distributed via Facebook, using malware that was built with commercial, automated tools\r\n(888 RAT and SpyNote), with all samples of the malware using the same C\u0026C servers.\r\nDistribution\r\nWe identified six Facebook profiles as part of this BladeHawk campaign, sharing these Android spying apps. We\r\nreported these profiles to Facebook and they have all been taken down. Two of the profiles were aimed at tech\r\nusers while the other four posed as Kurd supporters. All these profiles were created in 2020 and shortly after\r\ncreation they started posting these fake apps. 
These accounts, except for one, have not posted any other content\r\nbesides Android RATs masquerading as legitimate apps.\r\nThese profiles are also responsible for sharing espionage apps to Facebook public groups, most of which were\r\nsupporters of Masoud Barzani, former President of the Kurdistan Region; an example can be seen in Figure 1.\r\nAltogether, the targeted groups have over 11,000 followers.\r\nhttps://www.welivesecurity.com/2021/09/07/bladehawk-android-espionage-kurdish/\r\nPage 1 of 13\n\nFigure 1. One of the Facebook posts\r\nIn one case, we spotted an attempt (Figure 2) to capture Snapchat credentials via a phishing website (Figure 3).\r\nFigure 2. Facebook post leading to a Snapchat phishing site\r\nFigure 3. Snapchat phishing website\r\nWe identified 28 unique posts as part of this BladeHawk campaign. Each of these posts contained fake app\r\ndescriptions and links to download an app, and we were able to download 17 unique APKs from these links. Some\r\nof the APK web links pointed directly to the malicious app, whereas others pointed to the third-party upload\r\nservice top4top.io, which tracks the number of file downloads (see Figure 4). Because of that, we obtained the\r\ntotal number of downloads from top4top.io for those eight apps. These eight apps were downloaded altogether\r\n1,481 times, from July 20, 2020 until June 28, 2021.\r\nFigure 4. Information about one RAT sample hosted on a third-party service\r\nSamples\r\nTo our knowledge, this campaign targeted only Android users, with the threat actors focused on two commercial\r\nAndroid RAT tools – 888 RAT and SpyNote. We found only one sample of the latter during our research. 
As it\r\nwas built using an old, already analyzed SpyNote builder, here we include only the analysis of the 888 RAT\r\nsamples.\r\nAndroid 888 RAT\r\nThis commercial, multiplatform RAT was originally only published for the Windows ecosystem for $80. In June\r\n2018, it was extended in the Pro version with the additional capability to build Android RATs ($150). Later, the\r\nExtreme version could create Linux payloads as well ($200).\r\nIt was sold via the developer’s website at 888-tools[.]com (see Figure 5).\r\nFigure 5. Price for 888 RAT\r\nIn 2019 the Pro version (Windows and Android) was found cracked (see Figure 6) and available on a few websites\r\nfor free.\r\nFigure 6. Cracked version of 888 RAT builder\r\n888 RAT has not been directly identified with any organized campaigns before; this is the first time this RAT has\r\nbeen assigned as an indicator of a cyberespionage group.\r\nFollowing this discovery, we were able to connect the Android 888 RAT to two more organized campaigns: Spy\r\nTikTok Pro described here and a campaign by Kasablanka Group.\r\nFunctionality\r\nAndroid 888 RAT is capable of executing 42 commands received from its C\u0026C server, as seen in Table 1.\r\nIn short, it can steal and delete files from a device, take screenshots, get device location, phish Facebook\r\ncredentials, get a list of installed apps, steal user photos, take photos, record surrounding audio and phone calls,\r\nmake calls, steal SMS messages, steal the device’s contact list, send text messages, etc.\r\nThe builder is also used as the C\u0026C to control all the compromised devices since it uses dynamic DNS to be\r\nreached by them.\r\nTable 1. 
List of supported commands\r\nCommand Functionality\r\nUnistxcr Display app details of specified app\r\ndowsizetr Upload file to server from /sdcard/DCIM/.dat/\r\nDOWdeletx Delete file from /sdcard/DCIM/.dat/\r\nXr7aou Upload binary file to server from /sdcard/DCIM/.dat/\r\nCaspylistx List files from /sdcard/DCIM/.dat/\r\nspxcheck Check whether call recording service is running\r\nS8p8y0 Stop call recording service\r\nSxpxy1 Enable call recording service\r\nscreXmex Take screenshot and upload to server\r\nBatrxiops Get battery level\r\nL4oclOCMAWS Get device location\r\nFdelSRRT Delete file /sdcard/DCIM/.fdat (phished Facebook credentials)\r\nchkstzeaw Check whether Facebook app is installed\r\nIODBSSUEEZ Upload Facebook credentials to C\u0026C from /sdcard/DCIM/.fdat\r\nGUIFXB Launch Facebook phishing activity\r\nosEEs Get requested permissions of the specified application\r\nLUNAPXER Launch specific application\r\nGapxplister Get list of applications installed on the device\r\nDOTRall8xxe Compress files in /sdcard/DCIM/.dat/ directory and upload them to C\u0026C\r\nAcouxacour Get all device accounts\r\nFimxmiisx Take photo from camera and upload it to C\u0026C\r\nScxreexcv4 Get information about device cameras\r\nmicmokmi8x Record surrounding audio for the specified time\r\nDTXXTEGE3 Delete specific file from /sdcard directory\r\nODDSEe Open specific URL in default browser\r\nYufsssp Get Exif information from specific media file\r\ngetsssspo Get info about whether a specific file exists on device\r\nDXCXIXM Get names of all photos stored in /sdcard/DCIM/\r\nf5iledowqqww Upload specific file from /sdcard/ directory\r\nGExCaalsss7 Get call logs from device\r\nSDgex8se List files from specific directory from /sdcard\r\nPHOCAs7 Make call to specified number\r\nGxextsxms Get SMS inbox\r\nMsppossag Send SMS message to specified 
number\r\nGetconstactx Get contacts\r\nRinxgosa Play ringtone for six seconds\r\nShetermix Execute shell command\r\nbithsssp64 Execute shell script\r\nDeldatall8 Cleanup, remove all /sdcard/DCIM/.dat files\r\npvvvoze Get IP address\r\npaltexw Get TTL from PING command\r\nM0xSSw9 Display specific Toast message to user\r\nAn important factor when identifying 888 RAT is the package name of the payload. The package name of every\r\nbuild of an Android payload is not custom or random; it always uses the com.example.dat.a8andoserverx package\r\nID. Because of this, it is easy to identify such samples as 888 RAT.\r\nIn later versions of the 888 RAT (not the cracked RAT builder), we noticed that the builder was capable of\r\nobfuscating strings (command strings, C\u0026C, and other plain text strings) by encrypting them using AES with a\r\nhardcoded key; however, the package name still remained the same.\r\nC\u0026C\r\n888 RAT uses a custom IP protocol and port (it doesn’t have to be standard ports). Compromised devices are\r\ncontrolled directly from the builder GUI.\r\nFacebook phishing\r\nWhen this functionality is triggered, 888 RAT will deploy phishing activity that appears to be coming from the\r\nlegitimate Facebook app. When the user taps on the recent apps button, this activity will seem legitimate, as seen\r\nin Figure 7. However, after a long press on this app’s icon, as in Figure 8, the true app name responsible for the\r\nFacebook login request is disclosed.\r\nFigure 7. Phishing request visible from the recent app menu\r\nFigure 8. Real application name responsible for phishing\r\nDetection\r\nSince 2018, ESET products have identified hundreds of instances of Android devices where the 888 RAT was\r\ndeployed. 
Figure 9 presents the country distribution of this detection data.\r\nFigure 9. Detection of Android 888 RAT by country\r\nConclusion\r\nThis espionage campaign has been active since March 2020 aiming only at Android devices. It targeted the\r\nKurdish ethnic group through at least 28 malicious Facebook posts that would lead potential victims to download\r\nAndroid 888 RAT or SpyNote. Most of the malicious Facebook posts led to downloads of the commercial,\r\nmultiplatform 888 RAT, which has been available on the black market since 2018. In 2019, a cracked copy of the\r\nPro version of the 888 RAT builder was made available from a few websites, and since then, we detected hundreds\r\nof cases all around the world using the Android 888 RAT.\r\nIoCs\r\nFiles and ESET detection names\r\nFacebook profiles\r\nFacebook groups\r\nDistribution links\r\nPhishing links\r\nhttps://apkup[.]xyz/snapchat/login.html\r\nMITRE ATT\u0026CK techniques\r\nThis table only covers TTPs for 888 RAT, and was built using version 9 of the ATT\u0026CK 
framework.\r\nTactic ID Name Description\r\nInitial Access T1444 Masquerade as Legitimate Application The 888 RAT impersonates legitimate applications.\r\nPersistence T1402 Broadcast Receivers The 888 RAT listens for the BOOT_COMPLETED broadcast, ensuring that the app's functionality will be activated every time the device starts.\r\nDefense Evasion T1508 Suppress Application Icon The 888 RAT hides its icon.\r\nDefense Evasion T1447 Delete Device Data The 888 RAT can delete gathered and temporary stored files and any other specific file.\r\nCredential Access T1411 Input Prompt The 888 RAT tries to phish Facebook credentials.\r\nDiscovery T1418 Application Discovery The 888 RAT obtains a list of installed apps.\r\nDiscovery T1420 File and Directory Discovery The 888 RAT identifies content of specific directories.\r\nCollection T1433 Access Call Log The 888 RAT exfiltrates call log history.\r\nCollection T1430 Location Tracking The 888 RAT retrieves device location.\r\nCollection T1432 Access Contact List The 888 RAT exfiltrates the victim’s contact list.\r\nCollection T1429 Capture Audio The 888 RAT can record audio from surroundings and calls.\r\nCollection T1512 Capture Camera The 888 RAT can take pictures from the front or rear cameras.\r\nCollection T1412 Capture SMS Messages The 888 RAT can exfiltrate sent and received SMS messages.\r\nCollection T1533 Data from Local System The 888 RAT exfiltrates files with particular extensions from external media.\r\nCollection T1513 Screen Capture The 888 RAT can take screenshots.\r\nCommand And Control T1509 Uncommonly Used Port The 888 RAT communicates with its C\u0026C over port 4000.\r\nImpact T1582 SMS Control The 888 RAT adversary can send SMS messages.\r\nImpact T1447 Delete Device Data The 888 RAT can delete attacker-specified files from the device.\r\nSource: https://www.welivesecurity.com/2021/09/07/bladehawk-android-espionage-kurdish/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.welivesecurity.com/2021/09/07/bladehawk-android-espionage-kurdish/"
	],
	"report_names": [
		"bladehawk-android-espionage-kurdish"
	],
	"threat_actors": [
		{
			"id": "d4135989-e577-4133-bdae-a24243c832a4",
			"created_at": "2023-11-05T02:00:08.068657Z",
			"updated_at": "2026-04-10T02:00:03.396218Z",
			"deleted_at": null,
			"main_name": "Kasablanka",
			"aliases": [],
			"source_name": "MISPGALAXY:Kasablanka",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5886dd90-47de-4191-8b49-b56562251f26",
			"created_at": "2023-01-06T13:46:39.341062Z",
			"updated_at": "2026-04-10T02:00:03.292998Z",
			"deleted_at": null,
			"main_name": "BladeHawk",
			"aliases": [],
			"source_name": "MISPGALAXY:BladeHawk",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434106,
	"ts_updated_at": 1775791697,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7833cbdc05d3ff3c6e9642b739e246294a009f80.pdf",
		"text": "https://archive.orkl.eu/7833cbdc05d3ff3c6e9642b739e246294a009f80.txt",
		"img": "https://archive.orkl.eu/7833cbdc05d3ff3c6e9642b739e246294a009f80.jpg"
	}
}