{
	"id": "ff4bed56-b0b7-47cc-975b-08a1fb893ce2",
	"created_at": "2026-04-06T00:06:18.949996Z",
	"updated_at": "2026-04-10T13:12:04.640398Z",
	"deleted_at": null,
	"sha1_hash": "7ba09f8ce76f0e16973c12df7728c44903f7b3a8",
	"title": "Roaming Mantis dabbles in mining and phishing multilingually",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1101643,
	"plain_text": "Roaming Mantis dabbles in mining and phishing multilingually\r\nBy Suguru Ishimaru\r\nPublished: 2018-05-18 · Archived: 2026-04-05 23:47:11 UTC\r\nIn April 2018, Kaspersky Lab published a blogpost titled ‘Roaming Mantis uses DNS hijacking to infect Android\r\nsmartphones’. Roaming Mantis uses Android malware which is designed to spread via DNS hijacking and targets Android\r\ndevices. This activity is located mostly in Asia (South Korea, Bangladesh and Japan) based on our telemetry data. Potential\r\nvictims were redirected by DNS hijacking to a malicious web page that distributed a Trojanized application spoofing\r\nFacebook or Chrome, which is then installed manually by the user. The application actually contained an Android Trojan-Banker.\r\nSoon after our publication it was brought to our attention that other researchers were also focused on this malware family.\r\nThere was also another publication after we released our own blog. We’d like to acknowledge the good work of our\r\ncolleagues from other security companies, McAfee and TrendMicro, who covered this threat independently. If you are interested\r\nin this topic, you may find the following articles useful:\r\nAndroid Banking Trojan MoqHao Spreading via SMS Phishing in South Korea\r\nXLoader Android Spyware and Banking Trojan Distributed via DNS Spoofing\r\nIn May, while monitoring Roaming Mantis, aka MoqHao and XLoader, we observed significant changes in their M.O. The\r\ngroup’s activity expanded geographically and they broadened their attack/evasion methods. Their landing pages and\r\nmalicious apk files now support 27 languages covering Europe and the Middle East. 
In addition, the criminals added a\r\nphishing option for iOS devices, and crypto-mining capabilities for the PC.\r\n27 languages: targeting the world\r\nIn our previous blogpost we mentioned that a user attempting to connect to any website while using a hijacked DNS will\r\nbe redirected to malicious landing pages on the rogue server. The landing page displays a popup message that corresponds to\r\nthe language settings of the device and which urges the user to download a malicious apk file named ‘facebook.apk’ or\r\n‘chrome.apk’.\r\nKaspersky Lab confirmed that several languages are hardcoded in the HTML source of the landing page to display the popup\r\nmessage.\r\nhttps://securelist.com/roaming-mantis-dabbles-in-mining-and-phishing-multilingually/85607/\r\nPage 1 of 10\n\nThe attackers substantially extended their target languages from four to 27, including European and Middle Eastern\r\nlanguages. And yet, they keep adding comments in Simplified Chinese.\r\nBut, of course, this multilingualism is not limited to the landing page. The most recent malicious apk\r\n(MD5: fbe10ce5631305ca8bf8cd17ba1a0a35) was also expanded to support 27 languages.\r\nThe landing page and malicious apk now support the following languages:\r\nArabic\r\nBulgarian\r\nBengali\r\nCzech\r\nGerman\r\nEnglish\r\nSpanish\r\nHebrew\r\nHindi\r\nArmenian\r\nIndonesian\r\nItalian\r\nJapanese\r\nGeorgian\r\nKorean\r\nMalay\r\nPolish\r\nPortuguese\r\nRussian\r\nSerbo-Croatian\r\nThai\r\nTagalog\r\nTurkish\r\nUkrainian\r\nVietnamese\r\nTraditional Chinese\r\nSimplified Chinese\r\nWe believe the attacker made use of an easy method to potentially infect more users, by translating their initial set of\r\nlanguages with an automatic translator.\r\nApple phishing site for iOS devices\r\nPreviously, this criminal group focused on Android devices only. 
They have apparently changed their monetizing strategy\r\nsince then. The attackers now target iOS devices as well, using a phishing site to steal user credentials. When a user connects\r\nto the landing page from an iOS device, they are redirected to ‘http://security.apple.com/’:\r\nA legitimate DNS server wouldn’t be able to resolve a domain name like that, because it simply doesn’t exist. However, a\r\nuser connecting via a compromised router can access the landing page because the rogue DNS service resolves this domain\r\nto the IP address 172.247.116[.]155. The final page is a phishing page mimicking the Apple website with the very reassuring\r\ndomain name ‘security.apple.com’ in the address bar of the browser.\r\nThe phishing site steals user ID, password, card number, card expiration date and CVV. The HTML source of the phishing\r\nsite also supports 25 languages.\r\nThe supported languages are almost the same as on the landing pages and malicious apk files – only Bengali and Georgian\r\nare missing from the phishing site.\r\nWeb crypto mining for PC\r\nLooking at the HTML source code of the landing page, we also discovered a new feature: web mining via a special script\r\nexecuted in the browser. More details about web miners can be found in our blogpost ‘Mining is the new black’.\r\nCoinhive is the most popular web miner used by cybercriminals around the world. When a user connects to the landing page\r\nfrom a PC, the CPU usage will drastically increase because of the crypto mining activity in the browser.\r\nOlder malicious apk samples include a legitimate website, accounts and a regular expression for retrieving the real C2\r\naddress, which the malware connects to by using a web socket. 
This process for obtaining its C2 changes in more recent\r\nsamples, as described below:\r\nField | Sample 1 | Sample 2 | Sample 3\nMD5 | f3ca571b2d1f0ecff371fb82119d1afe | 4d9a7e425f8c8b02d598ef0a0a776a58 | fbe10ce5631305ca8bf8cd17ba1a0a35\nDate | March 29 2018 | April 7 2018 | May 14 2018\nFile name | chrome.apk | facebook.apk | $random_num{8}.apk\nLegitimate web | http://my.tv.sohu[.]com/user/%s | https://www.baidu[.]com/p/%s/detail | n/a\nEmail | n/a | n/a | @outlook.com\nAccounts | 329505231, 329505325, 329505338 | haoxingfu88, haoxingfu12389, wokaixin158998 | haoxingfu11, haoxingfu22, haoxingfu33\nRegExp | \"\\n\\n([\\u4e00-\\u9fa5]+?)\\n\\n\\s+\" | \"公司([\\\\u4e00-\\\\u9fa5]+?)<\" | \"abcd\"\nEncrypted dex | \\assets\\db | \\assets\\data.sql | \\assets\\data.sql\nEncoding | Base64 | Base64 + zlib compression | Base64 + zlib compression\nOlder samples retrieved the next C2 by accessing the legitimate website, extracting a Chinese string from a specific part of\nthe HTML code, and decoding it. This scheme has been changed in the recent sample. Instead of fetching the C2 over HTTP, it\nnow uses an email protocol to retrieve it.\nThe malware connects to an email inbox using hardcoded outlook.com credentials via POP3. 
It then obtains the email\nsubject (in Chinese) and extracts the real C2 address using the string “abcd” as an anchor.\nThe old and new decoding functions are exactly the same.\nWe decoded the following next stage C2 servers:\n220.136.78[.]40\n220.136.73[.]107\nBackdoor command “ping”\r\nKaspersky Lab observed that the previous malicious apk (MD5:f3ca571b2d1f0ecff371fb82119d1afe) had 18 backdoor\r\ncommands to confirm victims’ environments and to control devices.\r\nAccording to our analysis, the recent malicious apk (MD5:fbe10ce5631305ca8bf8cd17ba1a0a35) now implements 19\r\nbackdoor commands: “ping” was added.\r\nThe backdoor commands in the recent sample are as follows:\r\nsendSms\r\nsetWifi\r\ngcont\r\nlock\r\nbc\r\nsetForward\r\ngetForward\r\nhasPkg\r\nsetRingerMode\r\nsetRecEnable\r\nreqState\r\nshowHome\r\ngetnpki\r\nhttp\r\nonRecordAction\r\ncall\r\nget_apps\r\nshow_fs_float_window\r\nping (new)\r\nThis additional command calls the OS ping command with the IP address of the C2 server. By running this, the attackers\r\nvalidate the availability of the server, measure packet round-trip time, or detect network filtering in the target network. This feature can\r\nalso be used to detect semi-isolated research environments.\r\nAuto-generating apk file and filename\r\nRoaming Mantis uses a very simple detection evasion trick on the malicious server. It entails the landing page generating a\r\nfilename for the malicious apk file using eight random digits.\r\nAside from the filename, we also observed that all the downloaded malicious apk files are unique due to package generation\r\nin real time as of May 16, 2018. It seems the actor added automatic generation of an apk per download to avoid denylisting by\r\nfile hashes. This is a new feature. 
According to our monitoring, the apk samples downloaded on May 8, 2018 were all the\r\nsame.\r\nHowever, the malicious apk still contains a loader inside ‘classes.dex’ and an encrypted payload inside ‘\\assets\\data.sql’ that\r\nare identical to those in the previous variants. For security researchers, we have included in the IoCs of this report MD5 hashes of the decrypted\r\npayloads rather than of the whole apk files, as well as a few full apk hashes that were uploaded\r\nto VirusTotal.\r\nRapidly improving malicious apk and landing pages\r\nSince our first report, Roaming Mantis has evolved quickly. The update history shows how rapidly the threat has been\r\ngrowing:\r\nThe actors behind it have been quite active in improving their tools. As seen in the graph below, which shows the unique\r\ndetected user counts per day according to KSN data, the count increased on May 5. That date is very close to the update date\r\nof the new features on the landing pages.\r\nGeographical expansion\r\nKaspersky Lab products detect Roaming Mantis’s malicious apk files as ‘Trojan-Banker.AndroidOS.Wroba’. Below is the\r\ndata from Kaspersky Security Network (KSN) based on the verdict ‘Trojan-Banker.AndroidOS.Wroba.al’ from May 1 to\r\nMay 10, 2018.\r\nIt’s clear from this that South Korea, Bangladesh and Japan are no longer the worst affected countries; instead, Russia,\r\nUkraine and India bore the brunt. According to data gathered between February 9 and April 9, the unique user count was\r\n150. It’s worth mentioning that the most recent data shows more than 120 users of Kaspersky Lab products were affected in\r\njust 10 days.\r\nAlso, it’s important to note that what we see in the KSN data is probably a tiny fraction of the overall picture. 
There are two\r\nreasons for that:\r\n1. Some users may be using other AV products or no products at all.\r\n2. Roaming Mantis, after all, uses DNS hijacking, which prevents even our customers from reporting a detection.\r\nHowever, some detection reports did make it through – probably because the device switched to cellular data or connected to another Wi-Fi\r\nnetwork.\r\nConclusions\r\nThe Roaming Mantis campaign evolved significantly in a short period of time. The earliest report of this attack was made\r\npublic by researchers from McAfee in August 2017. At that time, the Roaming Mantis distribution method was SMS and\r\nthere was one target: South Korea. When we first reported this attack in April 2018, it had already implemented DNS\r\nhijacking and expanded its targets to the wider Asian region.\r\nIn our report of April this year, we called it an active and rapidly changing threat. New evidence shows a dramatic expansion\r\nin the target geography to include countries from Europe, the Middle East and beyond by supporting 27 languages in total.\r\nThe attackers have also gone beyond Android devices by adding iOS as a new target, and recently started targeting PC\r\nplatforms – the landing page PC users are redirected to is now equipped with the Coinhive web miner.\r\nThe evasion techniques used by Roaming Mantis have also become more sophisticated. 
Recent additions described in this post include a new method of retrieving the C2 via the POP3 email protocol, server-side\r\ndynamic generation of apk files and filenames per download, and an additional command that can potentially assist in\r\nidentifying research environments.\r\nThe rapid growth of the campaign implies that those behind it have a strong financial motivation and are probably well-funded.\r\nFor our previous findings, please refer to the Securelist post Roaming Mantis uses DNS hijacking to infect Android\r\nsmartphones.\r\nKaspersky products detect this malware as:\r\nHEUR:Trojan-Banker.AndroidOS.Wroba\r\nKaspersky Lab products block the Coinhive web miner for PC.\r\nIoCs\r\nMalicious hosts:\r\nMalicious apks:\r\nclasses.dex:\r\nDecrypted payload (dex file) from \\assets\\data.sql:\r\nSource: https://securelist.com/roaming-mantis-dabbles-in-mining-and-phishing-multilingually/85607/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/roaming-mantis-dabbles-in-mining-and-phishing-multilingually/85607/"
	],
	"report_names": [
		"85607"
	],
	"threat_actors": [
		{
			"id": "c94cb0e9-6fa9-47e9-a286-c9c9c9b23f4a",
			"created_at": "2023-01-06T13:46:38.823793Z",
			"updated_at": "2026-04-10T02:00:03.113045Z",
			"deleted_at": null,
			"main_name": "Roaming Mantis",
			"aliases": [
				"Roaming Mantis Group"
			],
			"source_name": "MISPGALAXY:Roaming Mantis",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f9bc28d0-ce98-4991-84ae-5036e5f9d4e3",
			"created_at": "2022-10-25T16:07:24.546437Z",
			"updated_at": "2026-04-10T02:00:05.029564Z",
			"deleted_at": null,
			"main_name": "Roaming Mantis",
			"aliases": [
				"Roaming Mantis Group",
				"Shaoye"
			],
			"source_name": "ETDA:Roaming Mantis",
			"tools": [
				"MoqHao",
				"Roaming Mantis",
				"SmsSpy",
				"Wroba",
				"XLoader"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433978,
	"ts_updated_at": 1775826724,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7ba09f8ce76f0e16973c12df7728c44903f7b3a8.pdf",
		"text": "https://archive.orkl.eu/7ba09f8ce76f0e16973c12df7728c44903f7b3a8.txt",
		"img": "https://archive.orkl.eu/7ba09f8ce76f0e16973c12df7728c44903f7b3a8.jpg"
	}
}