{
	"id": "3f08347c-7c95-434b-99c8-ddfff117495b",
	"created_at": "2026-04-06T00:18:35.089457Z",
	"updated_at": "2026-04-10T03:32:04.883858Z",
	"deleted_at": null,
	"sha1_hash": "842b5f840ce9983955afc34bc842e9f926dcde13",
	"title": "Grab your own copy of Phenakite iOS malware today",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1278473,
	"plain_text": "Grab your own copy of Phenakite iOS malware today\r\nArchived: 2026-04-05 15:33:38 UTC\r\nFacebook has recently published a technical paper regarding a threat actor named APT-C-23.\r\nAlmost half of their report is about a new iOS malware that is in use by the threat actor.\r\nFacebook called this malware Phenakite and provided 2 hashes of malware samples; however, those samples are\r\nnot publicly available (yet).\r\nSince I am an Android type of person, naturally the Android malware interested me more than the iOS malware.\r\nAfter playing a little with the Android malware, I decided to see what I can learn about the iOS malware, but how?\r\nI don't have any sample and I am quite clueless with Apple devices at every possible level. Well:\r\nWe don’t need bombs we got fire kites\r\nFortunately, the distribution site of the malware was still alive:\r\nWell, not much to do other than download the app. Well, the link is not directly the app apparently:\r\nhttps://malware4all.blogspot.com/2021/05/grab-your-own-copy-phenakite-ios.html\r\nPage 1 of 8\n\nThe file is binary, but also contains strings that might be interesting. There are several tools that parse\r\nmobileconfig files; a curious reader might try to parse the file for additional information, as this probably should\r\ntrigger the download of the app after the policy is accepted.\r\nBut now what?\r\nFeeling stuck? No worries, I felt the same as well. 
Since I don't have an iOS device to try it out, I decided to inspect\r\nthe code of the website:\r\nOh look at that, commented code, that must be good :P\r\nWhoOpSec!\r\nThere was also a reference to a file named app.plist, let's try to grab it, shall we?\r\nOk, this is plain text and simple, the software package is app.ipa, let's grab that as well:\r\nAh, close, but no cigar, this hash doesn't match the two samples in the Facebook report.\r\nCould it be a new sample? Doubt it, look at the date. So what is this file? ipa obviously! Not to be confused with\r\nIPA.\r\nEssentially it is a Zip file, so let's unzip that payload:\r\nI moved all the images to a folder to keep only the potentially interesting files from the archive, namely \"app\"\r\nstands out, what is it?\r\nAnd that, kids, is how I met your malware, e567efd5c800c5b0c6eb5aa0bccc10e9, I met her on Facebook, report.\r\nCongratulations, this is the first time the blog actually does what it stands for, sharing malware for everyone with a\r\nhint of analysis. (If you are reading this too late and the distribution site of the malware is down, no worries, it is\r\nalso available at VirusTotal as a standalone and as an archive.)\r\nNow you can enjoy your own copy of Phenakite and start reversing the Mach-O if you know how to :)\r\nBonus lol's:\r\nThe terms of service of the malware are.... 
Lorem Ipsum:\r\nThe privacy policy seems to be borrowed from \"relatedcode.com\", which has an open source chat for iOS repository,\r\nthis is most likely the chat app that Facebook was referring to:\r\nAll your base is on fire:\r\nMore interesting strings:\r\nphenakite.zip\r\nMD5: 54e5e93c00c963cb66fd2d248c4c6ce7\r\nSHA-1: 05527dddb79329d844f1954e3d36601926410bca\r\nSHA-256: c2d66369c974558adbcd801b409492b73ad1cb5f9f412ef3a8820f1cae526903\r\napp\r\nMD5: e567efd5c800c5b0c6eb5aa0bccc10e9\r\nSHA-1: da99195ff43093fb8237201e2ce412a925580a53\r\nSHA-256: e1494164865acb719c1e32c86adf810ce52fcc48c46e777b9f98a99648de62c2\r\nSource: https://malware4all.blogspot.com/2021/05/grab-your-own-copy-phenakite-ios.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://malware4all.blogspot.com/2021/05/grab-your-own-copy-phenakite-ios.html"
	],
	"report_names": [
		"grab-your-own-copy-phenakite-ios.html"
	],
	"threat_actors": [
		{
			"id": "9ff60d4d-153b-4ed5-a2f7-18a21d2fa05d",
			"created_at": "2022-10-25T16:07:23.539852Z",
			"updated_at": "2026-04-10T02:00:04.647734Z",
			"deleted_at": null,
			"main_name": "Desert Falcons",
			"aliases": [
				"APT-C-23",
				"ATK 66",
				"Arid Viper",
				"Niobium",
				"Operation Arid Viper",
				"Operation Bearded Barbie",
				"Operation Rebound",
				"Pinstripe Lightning",
				"Renegade Jackal",
				"TAG-63",
				"TAG-CT1",
				"Two-tailed Scorpion"
			],
			"source_name": "ETDA:Desert Falcons",
			"tools": [
				"AridSpy",
				"Barb(ie) Downloader",
				"BarbWire",
				"Desert Scorpion",
				"FrozenCell",
				"GlanceLove",
				"GnatSpy",
				"KasperAgent",
				"Micropsia",
				"PyMICROPSIA",
				"SpyC23",
				"Viper RAT",
				"ViperRAT",
				"VolatileVenom",
				"WinkChat",
				"android.micropsia"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b1979c55-037a-415f-b0a3-cab7933f5cd4",
			"created_at": "2024-04-24T02:00:49.561432Z",
			"updated_at": "2026-04-10T02:00:05.416794Z",
			"deleted_at": null,
			"main_name": "APT-C-23",
			"aliases": [
				"APT-C-23",
				"Arid Viper",
				"Desert Falcon",
				"TAG-63",
				"Grey Karkadann",
				"Big Bang APT",
				"Two-tailed Scorpion"
			],
			"source_name": "MITRE:APT-C-23",
			"tools": [
				"Micropsia"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "929d794b-0e1d-4d10-93a6-29408a527cc2",
			"created_at": "2023-01-06T13:46:38.70844Z",
			"updated_at": "2026-04-10T02:00:03.075002Z",
			"deleted_at": null,
			"main_name": "AridViper",
			"aliases": [
				"Desert Falcon",
				"Arid Viper",
				"APT-C-23",
				"Bearded Barbie",
				"Two-tailed Scorpion"
			],
			"source_name": "MISPGALAXY:AridViper",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e5cad6bf-fa91-4128-ba0d-2bf3ff3c6c6b",
			"created_at": "2025-08-07T02:03:24.53077Z",
			"updated_at": "2026-04-10T02:00:03.680525Z",
			"deleted_at": null,
			"main_name": "ALUMINUM SARATOGA",
			"aliases": [
				"APT-C-23",
				"Arid Viper",
				"Desert Falcon",
				"Extreme Jackal ",
				"Gaza Cybergang",
				"Molerats ",
				"Operation DustySky ",
				"TA402"
			],
			"source_name": "Secureworks:ALUMINUM SARATOGA",
			"tools": [
				"BlackShades",
				"BrittleBush",
				"DarkComet",
				"LastConn",
				"Micropsia",
				"NimbleMamba",
				"PoisonIvy",
				"QuasarRAT",
				"XtremeRat"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "35b3e533-7483-4f07-894e-2bb3ac855207",
			"created_at": "2025-08-07T02:03:24.540035Z",
			"updated_at": "2026-04-10T02:00:03.69627Z",
			"deleted_at": null,
			"main_name": "ALUMINUM SHADYSIDE",
			"aliases": [
				"APT-C-23 ",
				"Arid Viper ",
				"Desert Falcon "
			],
			"source_name": "Secureworks:ALUMINUM SHADYSIDE",
			"tools": [
				"Micropsia",
				"SpyC23"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434715,
	"ts_updated_at": 1775791924,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/842b5f840ce9983955afc34bc842e9f926dcde13.pdf",
		"text": "https://archive.orkl.eu/842b5f840ce9983955afc34bc842e9f926dcde13.txt",
		"img": "https://archive.orkl.eu/842b5f840ce9983955afc34bc842e9f926dcde13.jpg"
	}
}