{
	"id": "7c8cafef-f26c-4330-aac9-fee657e90045",
	"created_at": "2026-04-06T01:30:24.488194Z",
	"updated_at": "2026-04-10T03:30:32.804682Z",
	"deleted_at": null,
	"sha1_hash": "8a2fc2541a87d303fd5e85ccf4843b58ad21e808",
	"title": "Vultur, with a V for VNC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 60856,
	"plain_text": "Vultur, with a V for VNC\r\nPublished: 2024-10-01 · Archived: 2026-04-06 00:17:39 UTC\r\nIntroduction\r\nIn late March 2021, ThreatFabric detected a new RAT malware that we dubbed Vultur due to its full visibility on victims'\r\ndevices via VNC. For the first time we are seeing an Android banking trojan that has screen recording and keylogging as\r\nits main strategy to harvest login credentials in an automated and scalable way. The actors chose to steer away from the\r\ncommon HTML overlay strategy we usually see in other Android banking Trojans: this approach usually requires more time\r\nand effort from the actors in order to steal relevant information from the user. Instead, they chose to simply record what is\r\nshown on the screen, effectively obtaining the same end result.\r\nBased on the intelligence gathered, ThreatFabric was able to obtain the list of apps targeted by Vultur. Italy, Australia and\r\nSpain were the countries with the most banking institutions targeted. In addition, many crypto-wallets are targeted, which is in\r\nline with the trend we observed in our previous blog “The Rage of Android Banking Trojans”.\r\nDuring the investigation ThreatFabric analysts discovered its connection with a well-known dropper framework called\r\nBrunhilda, which uses droppers located in Google Play to distribute malware (MITRE T1475).\r\nIn this blog post ThreatFabric will prove that this dropper and Vultur are both developed by the same threat actor group. The\r\nchoice of developing its own private trojan, instead of renting third-party malware, displays a strong motivation from this\r\ngroup, paired with the overall high level of structure and organization present in the bot as well as the server code.\r\nNOTE : ThreatFabric wants to make clear that both AlphaVNC and ngrok (the third-party software on which\r\nVultur relies to operate) are legitimate and legal products. 
The developers that created these projects have no\r\ncontrol over the misuse of their software.\r\nContext\r\nIn September 2020, Bitdefender published a report about malware droppers found on Google Play. The report\r\nstates that these droppers were used to distribute Cerberus banking malware. However, we believe that it was in\r\nfact Alien banking malware, the successor of Cerberus, first reported by ThreatFabric in September 2020.\r\nIf the user pays attention to the notification panel, they would also be able to see that Vultur, in this case masquerading as an\r\napp called “Protection Guard”, is projecting the screen.\r\nCommunication\r\nC2 Methods\r\nBelow is a complete list of the methods supported by the bot. These are the commands that the bot can send to the C2 to\r\nrequest, or to send back, information:\r\nMethod Description\r\nvnc.register Sends registration information\r\nvnc.status Sends device status (is DeviceAdmin, is AccessibilityService enabled, is display on) and VNC address\r\nhttps://www.threatfabric.com/blogs/vultur-v-for-vnc.html\r\nPage 1 of 7\n\nvnc.apps Sends the list of installed packages\r\nvnc.keylog Sends the log of pressed keys\r\nvnc.syslog Sends logs\r\ncrash.logs Sends crash logs (logs all the content on the screen via accessibility logging)\r\nFCM Commands\r\nBelow is a complete list of the commands that the bot can receive via Firebase Cloud Messaging:\r\nMethod Description\r\nregistered Received after successful registration\r\nstart Starts VNC connection using ngrok\r\nstop Stops VNC connection by deleting address, killing the ngrok process and stopping VNC service\r\nunlock Unlocks screen\r\ndelete Uninstalls bot package\r\npattern Provides a pattern of gesture/stroke to be executed on the device\r\nC2 paths\r\nThese are the endpoints reachable on the C2:\r\nPath Description\r\n/rpc/ Endpoint for C2 communication via JSON-RPC\r\n/upload/ Endpoint for uploading files via POST (e.g. 
screen record)\r\n/version/app/?filename=ngrok\u0026arch={arm|386} Endpoint for downloading the corresponding ngrok version\r\nTargets\r\nVultur contains two sets of targets: screen recording and keylogging. The first list reported in the appendix includes all the\r\napplications that will be victims of screen recording using AlphaVNC, while the second list includes all the applications\r\ntargeted by the keylogging feature. The following chart shows the number of targeted banking applications per country\r\n(applications of cryptocurrency wallets and social applications are shown separately):\r\nConclusion\r\nThe story of Vultur shows again how actors shift from using rented Trojans (MaaS) that are sold on underground markets\r\ntowards proprietary/private malware tailored to the needs of the actor. It enables us to observe a group that covers both\r\nprocesses of distribution and operation of malicious software.\r\nBanking threats on the mobile platform are no longer only based on well-known overlay attacks, but are evolving into RAT-like malware, inheriting useful tricks like detecting foreground applications to start screen recording. This brings the threat\r\nto another level, as such features open the door for on-device fraud, circumventing detection based on phishing MOs that\r\nrequire fraud to be performed from a new device: with Vultur, fraud can happen on the infected device of the victim. These\r\nattacks are scalable and automated since the actions to perform fraud can be scripted on the malware backend and sent in the\r\nform of sequenced commands.\r\nAs the mobile channels of financial institutions continue to grow, mobile banking malware will only become more popular.\r\nBesides a steep increase in mobile malware volumes targeting banking apps last and this year, we see mobile malware\r\nbecoming more and more sophisticated, enabling hard-to-detect large-scale attacks. 
This means that financial institutions\r\nshould consider preparing themselves by better understanding the risk posed to their mobile-first strategy based on the\r\ncurrent mobile threat landscape.\r\nCSD \u0026 MTI\r\nThreatFabric makes it easier than it has ever been to run a secure mobile payments business. With the most advanced threat\r\nintelligence for mobile banking, financial institutions are able to build a threat-driven mobile security strategy and use this\r\nunique knowledge to detect financial fraud on the mobile devices of their customers in real-time.\r\nTogether with our customers and partners, we are building an easy-to-access information system where financial institutions\r\nhave more visibility on their mobile banking threats in order to protect their end customers.\r\nYou can request our free trial for our MTI feed for the following TIPs:\r\nAnomali\r\nThreatConnect\r\nThreatQuotient\r\nIf you want more information on how our MTI and CSD solutions can help your organization, feel free to contact us\r\nat: sales@threatfabric.com\r\nAppendix\r\nBrunhilda Dropper\r\nApp name Package name SHA-256\r\nProtection Guard com.protectionguard.app d3dc4e22611ed20d700b6dd292ffddbc595c42453f18879f2ae4693a4d4d925a\r\nVultur\r\nApp name Package name SHA-256\r\nProtection Guard com.appsmastersafey f4d7e9ec4eda034c29b8d73d479084658858f56e67909c2ffedf9223d7ca9bd\r\nAuthenticator 2FA com.datasafeaccountsanddata.club 7ca6989ccfb0ad0571aef7b263125410a5037976f41e17ee7c022097f827bd7\r\nScreen recording targets\r\nPackage Name Application Label\r\ncom.commbank.netbank CommBank\r\nau.com.nab.mobile NAB Mobile Banking\r\norg.westpac.bank Westpac Mobile Banking\r\nau.com.macquarie.banking Macquarie Mobile Banking\r\ncom.bendigobank.mobile Bendigo Bank\r\nau.com.suncorp.SuncorpBank Suncorp Bank\r\nau.com.ingdirect.android ING Australia Banking\r\ncom.anz.android.gomoney ANZ 
Australia\r\ncom.abnamro.nl.mobile.payment ABN AMRO Wallet App\r\ncom.ing.mobile ING Bankieren\r\nit.ingdirect.app ING Italia\r\nposteitaliane.posteapp.appposteid PosteID\r\nposteitaliane.posteapp.apppostepay Postepay\r\ncom.bankofqueensland.boq BOQ Mobile\r\nau.com.amp.myportfolio.android My AMP\r\nau.com.bankwest.mobile Bankwest\r\nau.com.mebank.banking ME Bank\r\ncom.fusion.banking Bank Australia app\r\norg.bom.bank Bank of Melbourne Mobile Banking\r\norg.stgeorge.bank St.George Mobile Banking\r\nau.com.cua.mb CUA Mobile Banking\r\nau.com.hsbc.hsbcaustralia HSBC Australia\r\ncom.virginmoney.cards Virgin Money Credit Card\r\norg.banksa.bank BankSA Mobile Banking\r\ncedacri.mobile.bank.crbolzano isi-mobile Cassa di Risparmio\r\ncom.latuabancaperandroid.pg Intesa Sanpaolo Business\r\ncedacri.mobile.bank.esperia Mediobanca Private Banking\r\ncom.ria.moneytransfer Ria Money Transfer – Send Money Online Anywhere\r\nit.bnl.apps.banking.privatebnl My Private Banking\r\nit.bcc.iccrea.mycartabcc myCartaBCC\r\nit.cedacri.hb3.desio.brianza D-Mobile\r\nit.cedacri.hb2.bpbari Mi@\r\nit.relaxbanking RelaxBanking Mobile\r\ncom.sella.BancaSella Banca Sella\r\nit.caitalia.apphub Crédit Agricole Italia\r\ncom.unicredit Mobile Banking UniCredit\r\ncom.latuabancaperandroid Intesa Sanpaolo Mobile\r\nposteitaliane.posteapp.appbpol BancoPosta\r\nit.copergmps.rt.pf.android.sp.bmps Banca MPS\r\ncom.lynxspa.bancopopolare YouApp\r\nit.nogood.container UBI Banca\r\nit.gruppobper.ams.android.bper Smart Mobile Banking\r\nit.gruppobper.smartbpercard Smart BPER Card\r\nit.bper.mobile.mymoney Smart Mobile My Money\r\ncom.vipera.chebanca CheBanca!\r\ncom.CredemMobile Credem\r\ncom.opentecheng.android.webank Webank\r\ncom.mediolanum.android.fullbanca Mediolanum\r\nit.popso.SCRIGNOapp SCRIGNOapp\r\nit.icbpi.mobile Nexi Pay\r\ncom.scrignosa SCRIGNOIdentiTel\r\ncom.VBSmartPhoneApp BankUp 
Mobile\r\nit.carige Carige Mobile\r\nit.creval.bancaperta Bancaperta\r\nit.bnl.apps.banking BNL\r\nit.volksbank.android Volksbank · Banca Popolare\r\nes.bancosantander.apps Santander\r\nnet.inverline.bancosabadell.officelocator.android Banco Sabadell App. Your mobile bank\r\nes.liberbank.cajasturapp Banca Digital Liberbank\r\nes.lacaixa.mobile.android.newwapicon CaixaBank\r\ncom.bankinter.launcher Bankinter Móvil\r\ncom.bbva.bbvacontigo BBVA Spain\r\nes.cecabank.ealia2103appstore UniPay Unicaja\r\ncom.db.pbc.mibanco Mi Banco db\r\ncom.grupocajamar.wefferent Grupo Cajamar\r\nes.univia.unicajamovil UnicajaMovil\r\nes.bancosantander.empresas Santander Empresas\r\ncom.rsi ruralvía\r\napp.wizink.es WiZink, tu banco senZillo\r\nes.cm.android Bankia\r\ncom.imaginbank.apps Imagin. Much more than an app to manage your money\r\nes.ibercaja.ibercajaapp Ibercaja\r\ncom.bendigobank.mobile Bendigo Bank\r\ncom.mfoundry.mb.android.mb Multiple minor US financial institution\r\ncom.popular.android.mibanco Mi Banco Mobile\r\ncom.grupocajamar.wefferent Grupo Cajamar\r\nes.unicajabanco.app Unicaja Banco\r\nes.univia.unicajamovil UnicajaMovil\r\ncom.binance.dev Binance - Buy \u0026 Sell Bitcoin Securely\r\ncom.coinbase.android Coinbase – Buy \u0026 Sell Bitcoin. Crypto Wallet\r\ncom.coinbase.pro Coinbase Pro – Bitcoin \u0026 Crypto Trading\r\ncom.coinbase.wallite Coinbase Wallet Lite\r\norg.toshi Coinbase Wallet — Crypto Wallet \u0026 DApp Browser\r\ncom.defi.wallet Crypto.com l DeFi Wallet\r\nco.mona.android Crypto.com - Buy Bitcoin Now\r\npiuk.blockchain.android Blockchain Wallet. 
Bitcoin, Bitcoin Cash, Ethereum\r\ncom.wallet.crypto.trustapp Trust: Crypto \u0026 Bitcoin Wallet\r\nexodusmovement.exodus Exodus: Crypto Bitcoin Wallet\r\nio.atomicwallet Bitcoin Wallet \u0026 Ethereum Ripple ZIL DOT\r\ncom.coinomi.wallet Coinomi Wallet :: Bitcoin Ethereum Altcoins Tokens\r\ncom.krakenfutures Kraken Futures: Bitcoin \u0026 Crypto Futures Trading\r\ncom.kraken.trade Pro: Advanced Bitcoin \u0026 Crypto Trading\r\ncom.kraken.invest.app Kraken - Buy Bitcoin \u0026 Crypto\r\nio.cex.app.prod CEX.IO Cryptocurrency Exchange\r\nnet.bitstamp.app Bitstamp – Buy \u0026 Sell Bitcoin at Crypto Exchange\r\ncom.etoro.wallet eToro Money\r\ncom.kubi.kucoin KuCoin: Bitcoin Exchange \u0026 Crypto Wallet\r\ncom.bittrex.trade Bittrex Global\r\ncom.bitfinex.mobileapp Bitfinex\r\ncom.plunien.poloniex Poloniex Crypto Exchange\r\ncom.hittechsexpertlimited.hitbtc HitBTC – Bitcoin Trading and Crypto Exchange\r\ncom.paxful.wallet Paxful Bitcoin Wallet\r\ncom.cryptonator.android Cryptonator cryptocurrency wallet\r\nKeylogging targets\r\nPackage Name Application Label\r\ncom.whatsapp WhatsApp Messenger\r\ncom.viber.voip Viber Messenger - Messages, Group Chats \u0026 Calls\r\ncom.zhiliaoapp.musically TikTok - Make Your Day\r\ncom.facebook.katana Facebook\r\ncom.facebook.orca Messenger – Text and Video Chat for Free\r\ncom.facebook.lite Facebook Lite\r\nSource: https://www.threatfabric.com/blogs/vultur-v-for-vnc.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.threatfabric.com/blogs/vultur-v-for-vnc.html"
	],
	"report_names": [
		"vultur-v-for-vnc.html"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775439024,
	"ts_updated_at": 1775791832,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8a2fc2541a87d303fd5e85ccf4843b58ad21e808.pdf",
		"text": "https://archive.orkl.eu/8a2fc2541a87d303fd5e85ccf4843b58ad21e808.txt",
		"img": "https://archive.orkl.eu/8a2fc2541a87d303fd5e85ccf4843b58ad21e808.jpg"
	}
}