{
	"id": "08fd8944-c97f-4312-bcb6-3fd641f62e4c",
	"created_at": "2026-04-06T01:29:48.882713Z",
	"updated_at": "2026-04-10T03:30:33.378802Z",
	"deleted_at": null,
	"sha1_hash": "86c92b2fbb37bb8ec65fd31d87fe327f34db2603",
	"title": "Examining New DawDropper Banking Dropper and DaaS on the Dark Web",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 64950,
	"plain_text": "Examining New DawDropper Banking Dropper and DaaS on the Dark Web\r\nBy Trend Micro\r\nPublished: 2022-07-29 · Archived: 2026-04-06 01:09:02 UTC\r\nIn this entry we explore the technical details of the new DawDropper dropper, look at the brief history of banking trojans released in early 2022 that use malicious droppers, and discuss cybercriminal activities related to DaaS in the deep web.\r\nDawDropper technical analysis\r\nBased on our observation, DawDropper has variants that drop four types of banking trojans: Octo, Hydra, Ermac, and TeaBot. All DawDropper variants use a Firebase Realtime Database, a legitimate cloud-hosted NoSQL database for storing data, as their command-and-control (C\u0026C) server and host their malicious payloads on GitHub.\r\nA similarity between Clast82 and DawDropper\r\nInterestingly, we found that another dropper called Clast82, which was reported by Check Point Research in March 2021, also uses a Firebase Realtime Database as a C\u0026C server.\r\nThe DawDropper C\u0026C server returns data similar to Clast82 data:\r\nThe Octo payload\r\nDawDropper’s malicious payload belongs to the Octo malware family, a modular and multistage malware that is capable of stealing banking information, intercepting text messages, and hijacking infected devices. Octo is also known as Coper, and it has historically been used to target Colombian online banking users.\r\nBased on our analysis, DawDropper’s Octo malware payload is similar to previously reported variants. The package uses programming language keywords to obfuscate its malicious functionalities.\r\nOnce the Octo malware is successfully launched on the victim’s device and gains its primary permissions, it keeps the device awake and registers a scheduled service to collect and upload sensitive data to its C\u0026C server. It also uses virtual network computing (VNC) to record the user’s screen, including sensitive information such as banking credentials, email addresses and passwords, and PINs. The malware also causes the user’s screen to turn black by turning the device’s backlight off, and it turns off the device’s sound to hide its malicious behavior.\r\nThe malware can also disable Google Play Protect (which goes through a device’s apps and checks for malicious behavior) and collect user data, including the infected phone’s Android ID, contact list, installed apps, and even text messages.\r\nA brief history of banking droppers in early 2022\r\nTo better understand this trend of banking trojans being distributed via malicious droppers, we must look back at how droppers have been popping up on the Google Play Store since the beginning of 2022, analyze how each of these droppers varies from the others and evolves, and learn how cybercriminals are disseminating them.\r\nMain differences among banking droppers\r\nAlthough these banking droppers have the same main objective — to distribute and install malware on victims’ devices — we have observed marked differences in how they implement their malicious routines. For example, the banking droppers that were launched earlier this year have hard-coded payload download addresses. Meanwhile, the banking droppers that have been launched more recently tend to hide the actual payload download address, at times use third-party services as their C\u0026C servers, and use third-party services such as GitHub to host malicious payloads.\r\nBanking dropper name and release date | Dynamic address | Third-party storage | Encrypted payload\r\nVultur dropper, Jan 12, 2022 (com.privacy.account.safetyapp) |  |  | ✓\r\nSharkbot dropper, Jan 14, 2022 (com.pagnotto28.sellsourcecode.supercleaner) | ✓ |  | \r\nOcto dropper (Gymdrop dropper), Feb 17, 2022 (com.moh.screen) and Feb 6, 2022 (Vizeeva.fast.cleaner) | ✓ |  | \r\nErmac dropper (DawDropper), Mar 25, 2022 (com.qaz.universalsaver) | ✓ (Firebase Realtime Database) | ✓ (GitHub) | \r\nTeaBot dropper, Apr 3, 2022 (com.zynksoftware.docuscanapp) and Feb 11, 2022 (com.scanner.buratoscanner) | ✓ (GitHub) | ✓ (GitHub) | \r\nHydra dropper (DawDropper), Apr 23, 2022 (com.casualplay.leadbro) | ✓ (Firebase Realtime Database) | ✓ (GitHub) | \r\nHydra dropper (Gymdrop dropper), May 30, 2022 (com.anatolijserba.docscanner) | ✓ |  | \r\nOcto dropper (DawDropper), Jun 28, 2022 (com.scando.qukscanner) | ✓ (Firebase Realtime Database) | ✓ (GitHub) | \r\nhttps://www.trendmicro.com/en_us/research/22/g/examining-new-dawdropper-banking-dropper-and-daas-on-the-dark-we.html\r\nPage 1 of 8\r\nThe Vultur dropper (SHA-256: 00a733c78f1b4d4f54cf06a0ea8cc33604512d6032ef4ef9114c89c700bfafcf), also known as Brunhilda, was first reported as a DaaS at the end of 2020. In January 2022, we observed that it directly downloads the malicious payload onto the infected device and has its own method to decrypt the malicious payload.\r\nThe Sharkbot dropper (SHA-256: 7f55dddcfad05403f71580ec2e5acafdc8c9555e72f724eb1f9e37bf09b8cc0c), which was also released in January 2022, has a unique behavior: it not only acts as a dropper but also requests accessibility permissions and responds with all of the user interface (UI) events of the infected device.\r\nMeanwhile, the TeaBot dropper, released in April 2022, uses GitHub to host its malware payload. However, TeaBot uses another GitHub repository to get the download address, in contrast to DawDropper, which uses a Firebase Realtime Database.\r\nDaaS dark web activities\r\nIn our investigation of banking trojans using droppers, we observed that one of the droppers first reported in 2021, Gymdrop, is connected to a management panel (trackerpdfconnect[.]com and smartscreencaster[.]online) that cybercriminals can use to manage both the dropper and the payload. We also found Gymdrop being advertised in a dark web forum as a typical DaaS.\r\nConclusion and security recommendations\r\nCybercriminals are constantly finding ways to evade detection and infect as many devices as possible. In a half-year span, we have seen how banking trojans have evolved their technical routines to avoid being detected, such as hiding malicious payloads in droppers. As more banking trojans are made available via DaaS, malicious actors will have an easier and more cost-effective way of distributing malware disguised as legitimate apps. We foresee that this trend will continue and that more banking trojans will be distributed on digital distribution services in the future.\r\nTo avoid falling prey to malicious apps, users should adopt the following security best practices:\r\nAlways check app reviews to see if users voice unusual concerns or negative experiences.\r\nApply due diligence when looking into app developers and publishers. Avoid downloading apps from suspicious-looking websites.\r\nAvoid installing apps from unknown sources.\r\nMobile users can help minimize the threats posed by these fraudulent apps by using Trend Micro Mobile Security Solutions to scan mobile devices in real time and on demand to detect malicious apps or malware and block or delete them. These apps are available for both Android and iOS.\r\nIndicators of compromise (IOCs)\r\nDawDropper\r\nSHA-256 | Package name | Release date | Detection name\r\n022a01566d6033f6d90ab182c4e69f80a3851565aaaa386c8fa1a9435cb55c91 | com.caduta.aisevsk | 05/01/2021 | AndroidOS_DawD\r\ne1598249d86925b6648284fda00e02eb41fdcc75559f10c80acd182fd1f0e23a | com.vpntool.androidweb | 11/07/2021 | AndroidOS_DawD\r\n8fef8831cbc864ffe16e281b0e4af8e3999518c15677866ac80ffb9495959637 | com.j2ca.callrecorder | 11/11/2021 | AndroidOS_DawD\r\n05b3e4071f62763b3925fca9db383aeaad6183c690eecbbf532b080dfa6a5a08 | com.codeword.docscann | 11/21/2021 | AndroidOS_DawD\r\nf4611b75113d31e344a7d37c011db37edaa436b7d84ca4dfd77a468bdeff0271 | com.virtualapps.universalsaver | 12/09/2021 | AndroidOS_DawD\r\na1298cc00605c79679f72b22d5c9c8e5c8557218458d6a6bd152b2c2514810eb | com.techmediapro.photoediting | 01/04/2022 | AndroidOS_DawD\r\neb8299c16a311ac2412c55af16d1d3821ce7386c86ae6d431268a3285c8e81fb | com.chestudio.callrecorder | 01/2022 | AndroidOS_DawD\r\nd5ac8e081298e3b14b41f2134dae68535bcf740841e75f91754d3d0c0814ed42 | com.casualplay.leadbro | 04/23/2022 | AndroidOS_DawD\r\nb4bd13770c3514596dd36854850a9507e5734374083a0e4299c697b6c9b9ec58 | com.utilsmycrypto.mainer | 05/04/2022 | AndroidOS_DawD\r\n77f226769eb1a886606823d5b7832d92f678f0c2e1133f3bbee939b256c398aa | com.cleaner.fixgate | 05/14/2022 | AndroidOS_DawD\r\n5ee98b1051ccd0fa937f681889e52c59f33372ffa27afff024bb76d9b0446b8a | com.olivia.openpuremind | 05/23/2022 | AndroidOS_DawD\r\n0ebcf3bce940daf4017c85700ffc72f6b3277caf7f144a69fbfd437d1343b4ab | com.myunique.sequencestore | 05/31/2022 | AndroidOS_DawD\r\n2113451a983916b8c7918c880191f7d264f242b815b044a6351c527f8aeac3c8 | com.flowmysequto.yamer | 05/2022 | AndroidOS_DawD\r\n71c44a78cd77a8f5767096f268c3193108ac06ff3779c65e78bc879d3b0ff11d | com.qaz.universalsaver | 05/2022 | AndroidOS_DawD\r\n9b2064f8808d3aaa2d3dc9f5c7ee0775b29e29df3a958466a8953f148b702461 | com.luckyg.cleaner | 06/02/2022 | AndroidOS_DawD\r\nff8110883628f8d926588c0b7aedae8841df989d50f32c140d88f1105d1d3e02 | com.scando.qukscanner | 06/28/2022 | AndroidOS_DawD\r\n02499a198a8be5e203b7929287115cc84d286fc6afdb1bc84f902e433a7961e4 | com.qrdscannerratedx | 07/01/2022 | AndroidOS_DawD\r\nGitHub repository\r\nRepository | Description\r\nhxxps://github.com/butcher65/test | GitHub repository hosting the Octo and Hydra banking trojans\r\nhxxps://github.com/lotterevich/lott | GitHub repository hosting the TeaBot banking trojan\r\nhxxps://github.com/asFirstYouSaid/test | GitHub repository hosting the Ermac banking trojan\r\nhxxps://github.com/asFirstYouSaid/awdaw | GitHub repository hosting the Ermac banking trojan\r\nhxxps://github.com/gohhas/gate | GitHub repository hosting the Octo banking trojan\r\nhxxps://raw.github.com/k6062019/qq | GitHub repository hosting the Octo banking trojan\r\nhxxps://github.com/briangreen7667/2705 | GitHub repository hosting the Hydra banking trojan\r\nhxxps://github.com/uliaknazeva888/main | GitHub repository hosting the Octo banking trojan\r\nhxxps://github.com/kazakovadana44/1.apk | GitHub repository hosting the Octo banking trojan\r\nhxxps://github.com/sherrytho/test | GitHub repository hosting the Hydra banking trojan\r\nOcto payload\r\nSHA-256 | Package name | Download address\r\n3834eb0ff1a955dab719f2ae6a51114995a7e3bd0ea201fb4f044218fe72ba4e | com.fpkbdpwasnfa | hxxps://github.com/uliaknazeva888/qs/raw/ma\r\n8e9fa712f490b50d13940cc3ab1509566f31627fce8848071a0547bda58ceac8 | com.piecesimplevb | hxxps://github.com/butcher65/test/raw/main/ga\r\n95182e759373f78c421b47dc92d15f1f37c1acea1cd76980058c6ad177491823 | com.holdremember0 | hxxps://raw.githubusercontent.com/k6062019/\r\n95182e759373f78c421b47dc92d15f1f37c1acea1cd76980058c6ad177491823 | com.holdremember0 | hxxps://raw.githubusercontent.com/k6062019/\r\nf0ee3582856f3f406970530138c06ba3c1c175e9d2dae95e6d3ef3c5ed6dc13a | com.turncani | hxxps://raw.githubusercontent.com/k6062019/\r\nb16769c154fbb8023ada13cf58a9b289b9643f6cb932afb4dde0189a147d5e11 | com.thinkfinddau | hxxps://github.com/gohhas/gate/raw/main/live\r\nNetwork indicator | Description\r\nvntososupplsos.live | Octo C\u0026C server\r\nolopokogulya.site | Backup Octo C\u0026C server\r\nnbvb3954.fun | Backup Octo C\u0026C server\r\nnbvvvb.hair | Backup Octo C\u0026C server\r\nnbvbbn.lol | Backup Octo C\u0026C server\r\nnbvber.makeup | Backup Octo C\u0026C server\r\nnbvbsd.mom | Backup Octo C\u0026C server\r\nnbvbwe.monster | Backup Octo C\u0026C server\r\nnbvb.one | Backup Octo C\u0026C server\r\nvbnbvb.online | Backup Octo C\u0026C server\r\nccnbvb.pics | Backup Octo C\u0026C server\r\nxxnbvb.quest | Backup Octo C\u0026C server\r\neenbvb.sbs | Backup Octo C\u0026C server\r\nasqwnbvb.shop | Backup Octo C\u0026C server\r\nqwnbvb.skin | Backup Octo C\u0026C server\r\nqqnbvb.space | Backup Octo C\u0026C server\r\nwwerenbvb.store | Backup Octo C\u0026C server\r\nErmac payload\r\nSHA-256 | Package name | Download address\r\ncdf66b98f90a9e83b204bf2bb28915784f9e9ad4d2fb86648d1d1f7d3152dadd | com.ceveluriseze.xuca | hxxps://raw.githubusercontent.com/asFirstYo ; hxxps://raw.githubusercontent.com/asFirstYo\r\n71927786fc16e90fe05e1eb032c3591d878c7cfd197d02113d7d006e2d7b171f | com.ceveluriseze.xuca | hxxps://github.com/asFirstYouSaid/test/raw/m ; hxxps://github.com/asFirstYouSaid/test/raw/m\r\nNetwork indicator | Description\r\n193.106.191.121:3435 | Ermac C\u0026C server\r\nHydra payload\r\nSHA-256 | Package name | Download address\r\n3194e25f89540e98698bcd221c8a5dbfe4658ac14fd7e7cf7c29299f3675fcdd | com.bulb.crush | hxxps://github.com/briangreen7667/2705/raw/m\r\n93c5e98c06963c8a320f5876148ad45fb6cce1a40a7aaee195cfa5027e19426b | com.alley.work | hxxps://github.com/butcher65/test/raw/main/latt\r\n9c9bc75ce675754c655b0757a8655ff50186b1626862bcb5b8200c4047f3ab3c | com.risk.better | hxxps://github.com/butcher65/test/raw/main/loli\r\nad84c798e3c30ad941b37aababeb8edfaf52f13c0c7d32bfa96c4b989b135a8b | com.plug.follow | hxxps://github.com/butcher65/test/raw/main/gol\r\n7e95e9a306886dadbae68c586bf19eec6903bac15290fd60c47d29a2e3cbf047 | com.tunnel.voyage | hxxps://github.com/sherrytho/test/raw/main/golgo\r\nTeaBot payload\r\nSHA-256 | Package name | Download address\r\naea39ddf59ae764c40211a4d0e9c10514b37a9bbabf5b528de4cb7d2574b732b | com.bthlu.xnbhp | hxxps://github.com/lotterevich/lott/raw/main/main\r\nSource: https://www.trendmicro.com/en_us/research/22/g/examining-new-dawdropper-banking-dropper-and-daas-on-the-dark-we.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/22/g/examining-new-dawdropper-banking-dropper-and-daas-on-the-dark-we.html"
	],
	"report_names": [
		"examining-new-dawdropper-banking-dropper-and-daas-on-the-dark-we.html"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775438988,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/86c92b2fbb37bb8ec65fd31d87fe327f34db2603.pdf",
		"text": "https://archive.orkl.eu/86c92b2fbb37bb8ec65fd31d87fe327f34db2603.txt",
		"img": "https://archive.orkl.eu/86c92b2fbb37bb8ec65fd31d87fe327f34db2603.jpg"
	}
}