{
	"id": "da973995-a345-4633-8ee8-8de389109418",
	"created_at": "2026-04-06T00:18:06.857463Z",
	"updated_at": "2026-04-10T03:30:33.685837Z",
	"deleted_at": null,
	"sha1_hash": "7d388ae0851be9ef5b41ef60437f725f8bd2ac55",
	"title": "Xenomorph (Malware Family)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 38149,
	"plain_text": "Xenomorph (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-02 11:48:38 UTC\r\napk.xenomorph (Back to overview)\r\nXenomorph\r\nXenomorph is an Android Banking RAT developed by the Hadoken.Security actor.\r\nReferences\r\n2023-03-10 ⋅ ThreatFabric ⋅ ThreatFabric\r\nXenomorph v3: a new variant with ATS targeting more than 400 institutions\r\nXenomorph\r\n2022-12-08 ⋅ ThreatFabric ⋅ ThreatFabric\r\nZombinder: new obfuscation service used by Ermac, now distributed next to desktop stealers\r\nERMAC Xenomorph\r\n2022-11-10 ⋅ Zscaler ⋅ ThreatLabZ research team\r\nRise of Banking Trojan Dropper in Google Play\r\nXenomorph\r\n2022-08-16 ⋅ ThreatFabric ⋅ ThreatFabric\r\nBugDrop: the first malware trying to circumvent Google's security Controls\r\nXenomorph\r\n2022-06-27 ⋅ Medium (Cryptax) ⋅ Axelle Apvrille\r\nUnpacking a JsonPacker-packed sample\r\nXenomorph\r\n2022-02-01 ⋅ ThreatFabric\r\nXenomorph: A newly hatched Banking Trojan\r\nXenomorph\r\nThere is no Yara-Signature yet.\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/apk.xenomorph\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/apk.xenomorph\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://malpedia.caad.fkie.fraunhofer.de/details/apk.xenomorph"
	],
	"report_names": [
		"apk.xenomorph"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434686,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7d388ae0851be9ef5b41ef60437f725f8bd2ac55.pdf",
		"text": "https://archive.orkl.eu/7d388ae0851be9ef5b41ef60437f725f8bd2ac55.txt",
		"img": "https://archive.orkl.eu/7d388ae0851be9ef5b41ef60437f725f8bd2ac55.jpg"
	}
}