{
	"id": "1ec50bbd-c0e7-482f-8927-8135269e6fb9",
	"created_at": "2026-04-06T00:09:05.906784Z",
	"updated_at": "2026-04-10T03:30:57.7159Z",
	"deleted_at": null,
	"sha1_hash": "790fcb8bc0fd895b3b42ec0706e0e832c403f06b",
	"title": "Coper (Malware Family)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 86988,
	"plain_text": "Coper (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 14:56:59 UTC\r\napk.coper\r\nCoper\r\naka: ExobotCompact, Octo\r\nCoper is an Android banking trojan and RAT descended from ExobotCompact, itself a rewrite of Exobot. It uses a\r\nmodular architecture, a multi-stage infection chain and (in some variants) a DGA. First observed in Colombia, it\r\nhas since spread to Europe.\r\nReferences\r\n2026-01-13 ⋅ Spamhaus ⋅ Spamhaus Malware Labs\r\nSpamhaus Botnet Threat Update July to December 2025\r\nCoper FluBot Joker Aisuru Mirai AsyncRAT BianLian Cobalt Strike DCRat Havoc Latrodectus PureLogs\r\nStealer Quasar RAT Remcos Rhadamanthys Sliver ValleyRAT Venom RAT Vidar XWorm\r\n2025-07-14 ⋅ Spamhaus ⋅ Spamhaus Malware Labs\r\nSpamhaus Botnet Threat Update January to June 2025\r\nCoper FluBot Hook Joker Mirai AsyncRAT BianLian BumbleBee Chaos Cobalt Strike DanaBot DCRat\r\nHavoc Latrodectus NjRAT Quasar RAT RedLine Stealer Remcos Rhadamanthys Sliver ValleyRAT\r\nWarmCookie XWorm\r\n2025-03-14 ⋅ K7 Security ⋅ Baran S\r\nAndroid Banking Trojan – OctoV2, masquerading as Deepseek AI\r\nCoper\r\n2025-01-10 ⋅ Spamhaus ⋅ Spamhaus Malware Labs\r\nSpamhaus Botnet Threat Update July to December 2024\r\nCoper FluBot Hook Mirai FAKEUPDATES AsyncRAT BianLian Brute Ratel C4 Cobalt Strike DanaBot\r\nDCRat Havoc Latrodectus NjRAT Quasar RAT RedLine Stealer Remcos Rhadamanthys Sliver Stealc\r\n2024-11-21 ⋅ Intrinsec ⋅ CTI Intrinsec, Intrinsec\r\nPROSPERO \u0026 Proton66: Uncovering the links between bulletproof networks\r\nCoper SpyNote FAKEUPDATES GootLoader EugenLoader\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/apk.coper\r\nPage 1 of 3\n\n2024-11-20 ⋅ Intrinsec ⋅ Equipe CTI\r\nPROSPERO \u0026 Proton66: Tracing Uncovering the links between bulletproof networks\r\nCoper SpyNote FAKEUPDATES GootLoader EugenLoader IcedID Matanbuchus Nokoyawa Ransomware\r\nPikabot\r\n2024-10-10 ⋅ DomainTools ⋅ Steve Behm\r\nUncovering Domains Created 
by Octo2’s Domain Generation Algorithm\r\nCoper\r\n2024-10-04 ⋅ VirusBulletin ⋅ Thibault Seret\r\nOctopus Prime: it didn't turn into a truck, but a widely spread Android botnet\r\nCoper\r\n2024-09-24 ⋅ ThreatFabric ⋅ ThreatFabric\r\nOcto2: European Banks Already Under Attack by New Malware Variant\r\nCoper\r\n2024-09-09 ⋅ Cleafy ⋅ Cleafy\r\nTweet about malware version Octo 2\r\nCoper\r\n2024-07-09 ⋅ Spamhaus ⋅ Spamhaus Malware Labs\r\nSpamhaus Botnet Threat Update January to June 2024\r\nCoper FluBot Hook Bashlite Mirai FAKEUPDATES AsyncRAT BianLian Cobalt Strike DCRat Havoc NjRAT\r\nQakBot Quasar RAT RedLine Stealer Remcos Rhadamanthys RisePro Sliver\r\n2024-03-05 ⋅ Team Cymru ⋅ S2 Research Team\r\nCoper / Octo - A Conductor for Mobile Mayhem… With Eight Limbs?\r\nCoper\r\n2023-02-08 ⋅ K7 Security ⋅ Baran S\r\nPlay Store App Serves Coper Via GitHub\r\nCoper\r\n2022-11-25 ⋅ Resecurity ⋅ Resecurity\r\n\"In The Box\" - Mobile Malware Webinjects Marketplace\r\nAlien Cerberus Coper ERMAC Hydra\r\n2022-07-29 ⋅ Trend Micro ⋅ Trend Micro Mobile Team\r\nExamining New DawDropper Banking Dropper and DaaS on the Dark Web\r\nCoper DawDropper\r\n2022-07-19 ⋅ Cert-AgID ⋅ Cert-AgID\r\nAnalysis and technical insights on the Coper malware used to attack mobile devices\r\nCoper\r\n2022-06-28 ⋅ Twitter (@_icebre4ker_) ⋅ Fr4\r\nRevive and Coper are using similar phishing template and app\r\nCoper\r\n2022-04-09 ⋅ Bleeping Computer ⋅ Bill Toulas\r\nNew Android banking malware remotely takes control of your device\r\nCoper ExoBot\r\n2022-04-08 ⋅ ThreatFabric ⋅ ThreatFabric\r\nLook out for Octo's tentacles! 
A new on-device fraud Android Banking Trojan with a rich legacy\r\nCoper ExoBot\r\n2022-04-07 ⋅ The Hacker News ⋅ Ravie Lakshmanan\r\nNew Octo Banking Trojan Spreading via Fake Apps on Google Play Store\r\nCoper\r\n2022-03-24 ⋅ Cybleinc ⋅ Cyble\r\nCoper Banking Trojan: Android Malware Posing As Google Play Store App Installer\r\nCoper ExoBot\r\n2021-12-31 ⋅ CERT.PL ⋅ Marcin Dudek, Michał Praszmo\r\nIKO activation - Malware campaign\r\nCoper\r\n2021-07-21 ⋅ Doctor Web ⋅ @m0br3v\r\nThe Coper―a new Android banking trojan targeting Colombian users\r\nCoper\r\nThere is no Yara-Signature yet.\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/apk.coper",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://malpedia.caad.fkie.fraunhofer.de/details/apk.coper"
	],
	"report_names": [
		"apk.coper"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d9b39228-0d9d-4c1e-8e39-2de986120060",
			"created_at": "2023-01-06T13:46:39.293127Z",
			"updated_at": "2026-04-10T02:00:03.277123Z",
			"deleted_at": null,
			"main_name": "BelialDemon",
			"aliases": [
				"Matanbuchus"
			],
			"source_name": "MISPGALAXY:BelialDemon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434145,
	"ts_updated_at": 1775791857,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/790fcb8bc0fd895b3b42ec0706e0e832c403f06b.pdf",
		"text": "https://archive.orkl.eu/790fcb8bc0fd895b3b42ec0706e0e832c403f06b.txt",
		"img": "https://archive.orkl.eu/790fcb8bc0fd895b3b42ec0706e0e832c403f06b.jpg"
	}
}