{
	"id": "e079f0e7-0df8-4f78-ad69-1d2ef7e4ae96",
	"created_at": "2026-04-06T00:21:28.082942Z",
	"updated_at": "2026-04-10T13:12:04.691005Z",
	"deleted_at": null,
	"sha1_hash": "7d8a8e0afa24fc63f6a02605a639f01a3fac7dbe",
	"title": "MESSAGETAP: Who's Reading Your Text Messages? | Mandiant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 260146,
	"plain_text": "MESSAGETAP: Who's Reading Your Text Messages? | Mandiant\r\nBy Mandiant\r\nPublished: 2019-10-31 · Archived: 2026-04-05 17:48:53 UTC\r\nWritten by: Raymond Leong, Dan Perez, Tyler Dean\r\nFireEye Mandiant recently discovered a new malware family used by APT41 (a Chinese APT group) that is\r\ndesigned to monitor and save SMS traffic from specific phone numbers, IMSI numbers and keywords for\r\nsubsequent theft. Named MESSAGETAP, the tool was deployed by APT41 in a telecommunications network\r\nprovider in support of Chinese espionage efforts. APT41’s operations have included state-sponsored cyber\r\nespionage missions as well as financially-motivated intrusions. These operations have spanned from as early as\r\n2012 to the present day. For an overview of APT41, see our August 2019 blog post or our full published report.\r\nMESSAGETAP was first reported to FireEye Threat Intelligence subscribers in August 2019 and initially\r\ndiscussed publicly in an APT41 presentation at FireEye Cyber Defense Summit 2019.\r\nMESSAGETAP Overview\r\nAPT41's newest espionage tool, MESSAGETAP, was discovered during a 2019 investigation at a\r\ntelecommunications network provider within a cluster of Linux servers. Specifically, these Linux servers operated\r\nas Short Message Service Center (SMSC) servers. In mobile networks, SMSCs are responsible for routing Short\r\nMessage Service (SMS) messages to an intended recipient or storing them until the recipient has come online.\r\nWith this background, let's dig more into the malware itself.\r\nMESSAGETAP is a 64-bit ELF data miner initially loaded by an installation script. Once installed, the malware\r\nchecks for the existence of two files: keyword_parm.txt and parm.txt and attempts to read the configuration files\r\nevery 30 seconds. 
If either exists, the contents are read and XOR decoded with the string:\r\nhttp://www.etsi.org/deliver/etsi_ts/123000_123099/123040/04.02.00_60/ts_123040v040200p.pdf\r\nInterestingly, this XOR key leads to a URL owned by the European Telecommunications Standards\r\nInstitute (ETSI). The document explains the Short Message Service (SMS) for GSM and UMTS\r\nNetworks. It describes architecture as well as requirements and protocols for SMS.\r\nThese two files, keyword_parm.txt and parm.txt, contain instructions for MESSAGETAP to target and save\r\ncontents of SMS messages.\r\nThe first file (parm.txt) is a file containing two lists:\r\nimsiMap: This list contains International Mobile Subscriber Identity (IMSI) numbers. IMSI\r\nnumbers identify subscribers on a cellular network.\r\nphoneMap: The phoneMap list contains phone numbers.\r\nThe second file (keyword_parm.txt) is a list of keywords that is read into keywordVec.\r\nhttps://www.fireeye.com/blog/threat-research/2019/10/messagetap-who-is-reading-your-text-messages.html\r\nPage 1 of 5\n\nBoth files are deleted from disk once the configuration files are read and loaded into memory. After loading the\r\nkeyword and phone data files, MESSAGETAP begins monitoring all network connections to and from the server.\r\nIt uses the libpcap library to listen to all traffic and parses network protocols starting with the Ethernet and IP layers.\r\nIt continues parsing protocol layers including SCTP, SCCP, and TCAP. Finally, the malware parses and extracts\r\nSMS message data from the network traffic:\r\n1. SMS message contents\r\n2. The IMSI number\r\n3. 
The source and destination phone numbers\r\nThe malware searches the SMS message contents for keywords from the keywordVec list, compares the IMSI\r\nnumber with numbers from the imsiMap list, and checks the extracted phone numbers against the numbers in the\r\nphoneMap list.\r\nFigure 1: General Overview Diagram of MESSAGETAP\r\nIf the SMS message text contains one of the keywordVec values, the contents are XORed and saved to a path with\r\nthe following format:\r\n/etc//kw_.csv\r\nThe malware compares the IMSI number and phone numbers with the values from the imsiMap and phoneMap\r\nlists. If found, the malware XORs the contents and stores the data in a path with the following format:\r\n/etc//.csv\r\nIf the malware fails to parse a message correctly, it dumps it to the following location:\r\n/etc//_.dump\r\nSignificance of Input Files\r\nThe configuration files provide context into the targets of this information gathering and monitoring campaign.\r\nThe data in keyword_parm.txt contained terms of geopolitical interest to Chinese intelligence collection. The two\r\nlists phoneMap and imsiMap from parm.txt contained a high volume of phone numbers and IMSI numbers.\r\nFor a quick review, IMSI numbers are used in both GSM (Global System for Mobiles) and UMTS (Universal\r\nMobile Telecommunications System) mobile phone networks and consist of three parts:\r\n1. Mobile Country Code (MCC)\r\n2. Mobile Network Code (MNC)\r\n3. Mobile Station Identification Number (MSIN)\r\nThe Mobile Country Code corresponds to the subscriber’s country, the Mobile Network Code corresponds to the\r\nspecific provider and the Mobile Station Identification Number is uniquely tied to a specific subscriber.\r\nFigure 2: IMSI number description\r\nThe inclusion of both phone and IMSI numbers shows the highly targeted nature of this cyber intrusion. 
If an SMS\r\nmessage contained either a phone number or an IMSI number that matched the predefined list, it was saved to a\r\nCSV file for later theft by the threat actor.\r\nSimilarly, the keyword list contained items of geopolitical interest for Chinese intelligence collection. Sanitized\r\nexamples include the names of political leaders, military and intelligence organizations and political movements at\r\nodds with the Chinese government. If any SMS messages contained these keywords, MESSAGETAP would save\r\nthe SMS message to a CSV file for later theft by the threat actor.\r\nIn addition to MESSAGETAP SMS theft, FireEye Mandiant also identified the threat actor interacting with call\r\ndetail record (CDR) databases to query, save and steal records during this same intrusion. The CDR records\r\ncorresponded to foreign high-ranking individuals of interest to the Chinese intelligence services. Targeting CDR\r\ninformation provides a high-level overview of phone calls between individuals, including time, duration, and\r\nphone numbers. In contrast, MESSAGETAP captures the contents of specific text messages.\r\nLooking Ahead\r\nThe use of MESSAGETAP and targeting of sensitive text messages and call detail records at scale is\r\nrepresentative of the evolving nature of Chinese cyber espionage campaigns observed by FireEye. APT41 and\r\nmultiple other threat groups attributed to Chinese state-sponsored actors have increased their targeting of upstream\r\ndata entities since 2017. These organizations, located multiple layers above end-users, occupy critical information\r\njunctures in which data from multitudes of sources converge into single or concentrated nodes. 
Strategic access\r\ninto these organizations, such as telecommunication providers, gives the Chinese intelligence services the ability\r\nto obtain sensitive data at scale for a wide range of priority intelligence requirements.\r\nIn 2019, FireEye observed four telecommunication organizations targeted by APT41 actors. Further, four\r\nadditional telecommunications entities were targeted in 2019 by separate threat groups with suspected Chinese\r\nstate-sponsored associations. Beyond telecommunication organizations, other client verticals that possess sensitive\r\nrecords related to specific individuals of interest, such as major travel services and healthcare providers, were also\r\ntargeted by APT41. This is reflective of an evolving Chinese targeting trend focused on both upstream data and\r\ntargeted surveillance. For deeper analysis regarding recent Chinese cyber espionage targeting trends, customers\r\nmay refer to the FireEye Threat Intelligence Portal. This topic was also briefed at FireEye Cyber Defense Summit\r\n2019.\r\nFireEye assesses this trend will continue in the future. Accordingly, both users and organizations must consider the\r\nrisk of unencrypted data being intercepted several layers upstream in their cellular communication chain. This is\r\nespecially critical for highly targeted individuals such as dissidents, journalists and officials who handle highly\r\nsensitive information. Appropriate safeguards such as utilizing a communication program that enforces end-to-end\r\nencryption can mitigate a degree of this risk. Additionally, user education must impart the risks of transmitting\r\nsensitive data over SMS. 
More broadly, the threat to organizations that operate at critical information junctures\r\nwill only increase as long as the incentives for determined nation-state actors to obtain data that directly supports key\r\ngeopolitical interests remain.\r\nFireEye Detections\r\nFE_APT_Controller_SH_MESSAGETAP_1\r\nFE_APT_Trojan_Linux64_MESSAGETAP_1\r\nFE_APT_Trojan_Linux_MESSAGETAP_1\r\nFE_APT_Trojan_Linux_MESSAGETAP_2\r\nFE_APT_Trojan_Linux_MESSAGETAP_3\r\nExample File\r\nFile name: mtlserver\r\nMD5 hash: 8D3B3D5B68A1D08485773D70C186D877\r\n*This sample was identified by FireEye on VirusTotal and provides an example for readers to reference. The file is\r\na less robust version than instances of MESSAGETAP identified in intrusions and may represent an earlier test of\r\nthe malware. The file and any of its embedded data were not observed in any Mandiant Consulting engagement.*\r\nReferences\r\nAPT41: A Dual Espionage and Cyber Crime Operation\r\nFireEye Threat Intelligence Portal, MESSAGETAP report\r\nFireEye 2019 Cyber Defense Summit – APT41: Technical TTPs and Malware Capabilities (recording to be\r\nreleased)\r\nFireEye 2019 Cyber Defense Summit – Achievement Unlocked: Chinese Cyber Espionage Evolves to\r\nSupport Higher Level Missions (recording to be released)\r\nAcknowledgements\r\nThank you to Adrian Pisarczyk, Matias Bevilacqua and Marcin Siedlarz for identification and analysis of\r\nMESSAGETAP at a FireEye Mandiant Consulting engagement.\r\nPosted in\r\nThreat Intelligence\r\nSecurity \u0026 Identity\r\nSource: https://www.fireeye.com/blog/threat-research/2019/10/messagetap-who-is-reading-your-text-messages.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.fireeye.com/blog/threat-research/2019/10/messagetap-who-is-reading-your-text-messages.html"
	],
	"report_names": [
		"messagetap-who-is-reading-your-text-messages.html"
	],
	"threat_actors": [
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434888,
	"ts_updated_at": 1775826724,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7d8a8e0afa24fc63f6a02605a639f01a3fac7dbe.pdf",
		"text": "https://archive.orkl.eu/7d8a8e0afa24fc63f6a02605a639f01a3fac7dbe.txt",
		"img": "https://archive.orkl.eu/7d8a8e0afa24fc63f6a02605a639f01a3fac7dbe.jpg"
	}
}