{
	"id": "8da8b836-3c68-4f65-8c65-9735e8ead8f3",
	"created_at": "2026-04-06T00:15:06.257182Z",
	"updated_at": "2026-04-10T13:12:34.181562Z",
	"deleted_at": null,
	"sha1_hash": "91c627d038934a8753df63c29ad6ad2c12d2702e",
	"title": "Gustuff banking botnet targets Australia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1838798,
	"plain_text": "Gustuff banking botnet targets Australia\r\nBy Vitor Ventura\r\nPublished: 2019-04-09 · Archived: 2026-04-05 13:42:11 UTC\r\nTuesday, April 9, 2019 13:45\r\nEXECUTIVE SUMMARY\r\nCisco Talos has uncovered a new Android-based campaign targeting Australian financial institutions. As the\r\ninvestigation progressed, Talos came to understand that this campaign was associated with the \"ChristinaMorrow\"\r\ntext message spam scam previously spotted in Australia.\r\nAlthough this malware's credential-harvest mechanism is not particularly sophisticated, it does have an advanced\r\nself-preservation mechanism. Even though this is not a traditional remote access tool (RAT), this campaign seems\r\nto target mainly private users. Aside from the credential stealing, this malware also includes features like the theft\r\nof the users' contact list (phone numbers and the names associated with them) and of files and photos on the device. But that\r\ndoesn't mean companies and organizations are out of the woods. They should still be on the lookout for these\r\nkinds of trojans, as the attackers could target corporate accounts that contain large amounts of money.\r\nThe information collected by the malware and the control over the victim's mobile device allow its operators to\r\nperform more complex social engineering attacks. A motivated attacker can use this trojan to harvest usernames\r\nand passwords and then reuse them to log into the systems of the organization where the victim works. This is a good\r\nexample of where two-factor authentication based on SMS fails, since the attacker can read the SMS.\r\nCorporations can protect themselves from this kind of attack by deploying client-based two-factor\r\nauthentication, such as Duo Security.\r\nOne of the most impressive features of this malware is its resilience. 
If the command and control (C2) server is\r\ntaken down, the malicious operator can still recover control of the malware by sending SMS messages directly to the\r\ninfected devices. This makes the takedown and recovery of the network much harder and poses a considerable\r\nchallenge for defenders.\r\nTHE CAMPAIGN\r\nThe malware's primary infection vector is SMS. Just like the old-school mail worms that used the victim's address\r\nbook to select the next victims, this banking trojan's activation cycle includes the exfiltration of the victim's\r\naddress book. The trojan will then receive instructions from the C2 to spread.\r\nhttps://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html\r\nPage 1 of 22\n\nSpread command from C2\r\nThe victim's device receives the command sendSMSMass. Usually, this message targets four or five people at a time. The\r\nbody contains a message and a URL. Again, the idea is that new victims are more likely to install the malware if\r\nthe SMS comes from someone they know. When a victim tries to access the URL in the SMS body, the C2 will\r\ncheck if the mobile device meets the criteria to receive the malware (see the infrastructure section). If the device does\r\nnot meet the criteria, it won't receive any data; otherwise, it will be redirected to a second server to receive a copy\r\nof the malware to install on the device.\r\nThe domain used in this campaign was registered on Jan. 19, 2019. However, Talos has identified that it was in use at least\r\nsince November 2018. During the investigation, Talos was also able to determine that the same infrastructure has\r\nbeen used to deploy similar campaigns using different versions of the malware.\r\nDistribution of victims\r\nTalos assesses with high confidence that this campaign is targeting Australian financial institutions based on several\r\nfactors. 
Our Umbrella telemetry shows that the majority of the requests come from Australia and the majority of\r\nthe infected phone numbers carry the Australian international dialing code. Finally, the specific overlays are\r\ndesigned for Australian financial institutions, and Australia is one of the geographic regions that is accepted by the\r\nC2.\r\nDNS queries distribution over time\r\nThe campaign doesn't seem to be growing at a fast pace. Our data shows, on average, about three requests per\r\nhour to the drop host. This request is only made at installation time, and there is no guarantee that the installation completes.\r\nThis data, when analyzed together with the number of commands to send SMSs that Talos received during the\r\ninvestigation, leads us to conclude that the malicious operator is aggressively spreading the malware, but that this\r\ndoesn't seem to result in the same number of new infections.\r\nExamples of the overlays available to the malware\r\nAbove, you can see examples of the injections that were distributed to the malware as part of this specific campaign.\r\nWhile doing our investigation we were able to identify other malware packages with different names. Some of\r\nthese might have been used in old campaigns or were already prepared for new campaigns.\r\nMALWARE TECHNICAL DETAILS\r\nDuring our investigation, researchers uncovered a malware known as \"Gustuff.\" Given the lack of indicators of\r\ncompromise, we decided to check whether this was the same malware we had been researching. Our Threat\r\nIntelligence and Interdiction team found the Gustuff malware being advertised in the Exploit.in forum as a botnet\r\nfor rent. The seller, known as \"bestoffer,\" was, at some point, expelled from the forum.\r\nGustuff advertising screenshot\r\nThe companies advertised in the image above were from Australia, which matches up with the campaign we\r\nresearched. 
The screenshots provided by the author align with the advertised features and the features that we\r\ndiscovered while doing our analysis.\r\nAdmin panel\r\nThe administration panel shows the application configuration, which matches the commands from the C2.\r\nCountry selection\r\nThe administration console screenshots also show the ability to filter the results by country. In this case, \"AU\" is\r\nthe code shown, which is Australia.\r\nBased on this information, Talos assesses with high confidence that the malware is the same and this is, in fact, the\r\nGustuff malware.\r\nDesign\r\nIn the manifest, the malware requests a large number of permissions. However, it doesn't request device-administrator permissions like\r\nBIND_DEVICE_ADMIN. To perform some of its activities, the malware does not need high privileges inside the device, as\r\nwe will explain ahead.\r\nPermissions in the manifest\r\nThis malware is designed to avoid detection and analysis. It has several protections in place, both in the C2 and\r\nin the malware's code. The code is not only obfuscated but also packed. The packer, besides making static\r\nanalysis more complex, breaks the standard debugger.\r\nManifest activity declaration\r\nClass list inside the dex file\r\nThe main malware classes are packed, to the point where the class declared in the manifest as the handler for the\r\nMAIN category does not exist in the DEX file.\r\nError when trying to debug the malware using the Android Studio IDE.\r\nOne of the side effects of this packer is the inability of the Android Studio IDE to debug the code. This happens\r\nbecause the IDE executes the code through the Android debug bridge (ADB) by calling the activity declared in the\r\nmanifest by name. 
Since the class does not exist at startup, the application does not run in the debugger. Although\r\nTalos analyzed the unpacked version of the code, the packer analysis is beyond the scope of this post.\r\nCheck code for emulators\r\nAs part of its defense, the malware payload first checks for emulators to prevent analysis in sandboxes. It checks\r\nfor different kinds of emulators, including QEMU, Genymotion, BlueStacks and Bignox. If the malware\r\ndetermines that it is not running on an emulator, it then performs additional checks to ensure that it won't be\r\ndetected.\r\nCode to check the existence of SafetyNet Google API\r\nIt also checks whether Android SafetyNet is active and reports the result back to the C2. This helps the C2 decide what\r\nactions it can take before being detected on the mobile device.\r\nList of anti-virus packages that are checked\r\nThe payload goes a long way to protect itself and checks for anti-virus software installed on the mobile device.\r\nThe trojan uses the Android Accessibility API to intercept all interactions between the user and the mobile device.\r\nThe Android developer documentation describes the accessibility event class as a class that \"represents\r\naccessibility events that are seen by the system when something notable happens in the user interface. For\r\nexample, when a button is clicked, a view is focused, etc.\"\r\nFor each interaction, the malware checks whether the package that generated the event is on the anti-virus list. If it is, the\r\nmalware abuses another feature of the Accessibility API, a function called \"performGlobalAction,\"\r\ndescribed below.\r\nAndroid documentation describes that function as \"a global action. Such an action can be performed at any\r\nmoment, regardless of the current application or user location in that application. 
For example, going back, going\r\nhome, opening recents, etc.\"\r\nThe trojan calls this function with the action GLOBAL_ACTION_BACK, which equals pressing the back\r\nbutton on the device, thus canceling the opening of the anti-virus application.\r\nThe same event interception is used to place the webview overlay when the user tries to access the targeted\r\napplications, allowing it to display its overlay and thus intercept the credentials.\r\nThe beaconing only starts after the application is installed and removed from the running tasks.\r\nBeaconing information\r\nThe ID is generated for each installation of the malware, while the token remains unique. Some of the checks\r\nperformed previously are immediately sent to the C2, like safetyNet, admin and defaultSMSApp. The\r\nbeacon is sent to the URL http://\u003cSERVER\u003e/api/v2/get.php at an interval of 60 seconds.\r\nAnswer from the C2\r\nThe C2 checks the country field; if it is empty or if the country is not targeted, it replies with an\r\n\"Unauthorized\" answer. Otherwise, it returns a JSON-encoded \"OK\" and, if there is one, the command to be\r\nexecuted.\r\nList of available commands\r\nThe command names are self-explanatory. The command is issued as the answer to the beacon, and the\r\nresult is returned to the URL http://\u003cSERVER\u003e/api/v2/set_state.php\r\nExample of the command \"changeServer\"\r\nThe commands are issued in JSON format, and the obfuscation is part of the malware code, not added by the\r\npacker. It is a custom obfuscation partly based on base85 encoding, which is in itself unusual in malware. 
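A practitioner checking a device for the behaviour described above would start from two adb commands, settings get secure enabled_accessibility_services and dumpsys package, whose output lists the enabled accessibility services and a package's requested permissions. The Python below is an added example (not code from the Talos post or from Gustuff) that parses constructed samples of that output and flags an accessibility service outside an allowlist together with the SMS, contacts and overlay permission combination; the package name com.example.dropper, the sample output and the allowlist are assumptions.

```python
# Added example (not from the Talos post): triage of an Android device's
# enabled accessibility services and of one package's requested permissions,
# from text that the real commands
#   adb shell settings get secure enabled_accessibility_services
#   adb shell dumpsys package <pkg>
# print. The sample outputs below are constructed for the example; the
# package name com.example.dropper and the allowlist are assumptions.

# Constructed: what the settings command returns, colon-separated
# ComponentName strings (package/service class).
ENABLED_SERVICES = (
    'com.google.android.marvin.talkback/.TalkBackService:'
    'com.example.dropper/com.example.dropper.svc.AccService'
)

# Constructed excerpt of dumpsys package com.example.dropper.
DUMPSYS_EXCERPT = [
    'Packages:',
    '  Package [com.example.dropper] (a1b2c3):',
    '    userId=10245',
    '    requested permissions:',
    '      android.permission.READ_SMS',
    '      android.permission.RECEIVE_SMS',
    '      android.permission.SEND_SMS',
    '      android.permission.READ_CONTACTS',
    '      android.permission.SYSTEM_ALERT_WINDOW',
    '      android.permission.INTERNET',
    '    install permissions:',
    '      android.permission.INTERNET: granted=true',
]

# Assumed allowlist of accessibility-service packages expected on the fleet.
ALLOWED_A11Y_PACKAGES = {'com.google.android.marvin.talkback'}

# Permission set matching the behaviour the post describes: SMS read/send
# (infection vector and out-of-band control), contacts (address book
# exfiltration) and overlay windows, on top of an accessibility service.
SUSPICIOUS_PERMS = {
    'android.permission.READ_SMS',
    'android.permission.RECEIVE_SMS',
    'android.permission.SEND_SMS',
    'android.permission.READ_CONTACTS',
    'android.permission.SYSTEM_ALERT_WINDOW',
}


def parse_enabled_services(setting):
    '''Return {package: [service component, ...]} from the colon-joined setting.'''
    result = {}
    for entry in filter(None, setting.strip().split(':')):
        pkg, _, cls = entry.partition('/')
        result.setdefault(pkg, []).append(cls)
    return result


def requested_permissions(dumpsys_lines):
    '''Collect permission names listed under the requested permissions header.'''
    perms, inside = set(), False
    for line in dumpsys_lines:
        stripped = line.strip()
        if stripped.endswith('permissions:'):
            inside = stripped == 'requested permissions:'
            continue
        if inside and stripped.startswith('android.permission.'):
            perms.add(stripped.split(':')[0])
    return perms


def triage(setting, dumpsys_lines, allowlist):
    '''Flag unknown accessibility services and the SMS+contacts+overlay combo.'''
    findings = []
    services = parse_enabled_services(setting)
    for pkg in services:
        if pkg not in allowlist:
            findings.append(f'unexpected accessibility service from {pkg}')
    hits = requested_permissions(dumpsys_lines) & SUSPICIOUS_PERMS
    # the combination, not any single permission, is the signal
    if len(hits) >= 4 and any(p.endswith('SMS') for p in hits):
        findings.append('SMS+contacts+overlay permission set requested')
    return findings


if __name__ == '__main__':
    for f in triage(ENABLED_SERVICES, DUMPSYS_EXCERPT, ALLOWED_A11Y_PACKAGES):
        print(f)
```

An accessibility service alone is not malicious (screen readers and password managers use the same API), which is why the check keys on the package being outside the allowlist and on the permission combination rather than on either signal by itself.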
Base85\r\nencoding is usually used in PDF and PostScript documents. The configuration of the malware is stored in custom\r\npreferences files, using the same obfuscation scheme.\r\nActivation cycle\r\nAs we have explained above, the malware has several defence mechanisms. Besides the obfuscation and the\r\nenvironment checks, the malware also has some interesting anti-sandbox mechanisms.\r\nAfter installation, the user needs to run the application. The user needs to press the \"close\" button to finish the\r\ninstallation. However, this won't close the application; it will send it to the background instead. While the\r\napplication is in the background, although the service is already running, the beaconing will not start. The\r\nbeaconing only starts after the application is removed from the background (the running tasks list), which ultimately stops it. This is\r\nthe trigger for the service to start beaconing.\r\nAs mentioned previously, the beaconing is done every 60 seconds. However, no command is received from the C2\r\nuntil the inactiveTime field (see the beaconing information image above) has a value of at least 2000000. This time\r\nresets every time the user performs some activity.\r\nAfter the checks, the malware becomes active, but first it goes through seven steps, each one calling a different\r\ncommand:\r\n1. uploadPhoneNumbers: Exfiltrates all phone numbers that are in the contact list. Aside from the natural\r\nvalue of phone numbers associated with the names of their owners, one of the purposes of exfiltrating the contact list is\r\nto use it to attack other victims using SMS as the initial infection vector.\r\n2. checkApps: Asks the malware to check whether the packages sent as parameters are installed. The malware contains\r\na list of 209 packages hardcoded in its source code. 
However, the C2 can send an updated list.\r\nList of packages received from the C2\r\n3. adminNumber: Sets up the admin phone number. In our case, the administrator phone number belongs to\r\na mobile network in Australia.\r\nPhone number for administration\r\n4. changeServer: At this point, the malware changes the C2 to a new host, even though the API and\r\ncommunication protocol remain the same.\r\nChange server request\r\nThe URLs for the new server are obfuscated, preventing easy network identification.\r\n5. changeActivity: This command sets up the webview to overlay any of the target activities.\r\nchangeActivity command\r\nThe webview injects are not hosted on the C2; they are hosted on a completely different server.\r\n6. params: This command allows the malicious operator to change configuration parameters in the malware.\r\nDuring this stage of the activation cycle, the malware increases the beaconing interval to avoid detection.\r\nCommand to change the beaconing\r\n7. changeArchive: The final command of the activation cycle is the download of an archive. This archive is\r\nstored on the same host as the webviews. The archive is a password-protected ZIP containing several files.\r\nChange archive command\r\nAfter this activation cycle, the malware starts its information collection and dissemination activities.\r\nMalicious activity\r\nOnce the activation cycle ends, the trojan starts its malicious activities. These activities depend on the device\r\nconfiguration. 
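To drive a sample through the activation cycle above in a lab, an analyst needs a fake C2 that reproduces the gating the post describes: reject beacons whose country is empty or untargeted, answer OK without a command until inactiveTime reaches 2000000, then hand out the seven commands in order and accept results on set_state.php. The Python below is an added example of such a stand-in (not Talos code and not the real Gustuff server); the beacon field names, reply strings, threshold and command order come from the post, while the JSON layout, the targeted-country set, the placeholder hosts and numbers and the command parameters are assumptions, and the custom base85-based obfuscation is left out.

```python
# Added example (not Talos code, not the real Gustuff server): a stand-in for
# the C2 decision logic the post describes, for driving a sample in a sandbox.
# From the post: field names id, token, country, inactiveTime, safetyNet,
# admin, defaultSMSApp; the Unauthorized / OK replies; the 2000000
# inactiveTime threshold; the seven-step activation order.
# Assumptions: exact JSON layout, targeted-country set, placeholder hosts,
# numbers and command parameters. The real obfuscation is not reproduced.
import json

TARGETED_COUNTRIES = {'AU'}          # assumption: the post only confirms AU
INACTIVE_THRESHOLD = 2000000         # no command below this inactiveTime

# Activation cycle in the order the post lists it; parameters are placeholders.
ACTIVATION_CYCLE = [
    ('uploadPhoneNumbers', {}),
    ('checkApps', {'packages': ['com.commbank.netbank', 'org.westpac.bank']}),
    ('adminNumber', {'number': '+61000000000'}),     # placeholder number
    ('changeServer', {'url': 'http://c2-two.invalid/api/v2/'}),
    ('changeActivity', {'package': 'com.commbank.netbank',
                        'inject': 'http://inj.invalid/overlay.html'}),
    ('params', {'beaconInterval': 600}),             # lengthen the beacon
    ('changeArchive', {'url': 'http://inj.invalid/arc.zip', 'password': 'x'}),
]


class FakeC2:
    '''Per-bot state: how far each bot id has progressed through the cycle.'''

    def __init__(self):
        self.progress = {}
        self.results = {}

    def get(self, beacon_json):
        '''Handle a beacon to /api/v2/get.php and return the reply body.'''
        b = json.loads(beacon_json)
        if b.get('country', '') not in TARGETED_COUNTRIES:
            return 'Unauthorized'              # empty or untargeted country
        # No command until inactiveTime reaches the threshold. A sandbox that
        # keeps interacting with the sample resets it and never gets past here.
        if b.get('inactiveTime', 0) < INACTIVE_THRESHOLD:
            return json.dumps({'status': 'OK'})
        step = self.progress.get(b['id'], 0)
        if step >= len(ACTIVATION_CYCLE):
            return json.dumps({'status': 'OK'})  # idle: cycle complete
        name, params = ACTIVATION_CYCLE[step]
        return json.dumps({'status': 'OK', 'command': name, 'params': params})

    def set_state(self, result_json):
        '''Handle a result posted to /api/v2/set_state.php; advance the bot.'''
        r = json.loads(result_json)
        self.results.setdefault(r['id'], []).append((r['command'], r['result']))
        self.progress[r['id']] = self.progress.get(r['id'], 0) + 1
        return json.dumps({'status': 'OK'})


def run_bot(c2, bot_id, country, inactive_time, max_beacons=20):
    '''Simulate the infected side: beacon, execute, report, until idle.'''
    executed = []
    for _ in range(max_beacons):
        beacon = json.dumps({'id': bot_id, 'token': 'tok-' + bot_id,
                             'country': country, 'inactiveTime': inactive_time,
                             'safetyNet': False, 'admin': False,
                             'defaultSMSApp': False})
        reply = c2.get(beacon)
        if reply == 'Unauthorized':
            return 'Unauthorized', executed
        cmd = json.loads(reply).get('command')
        if cmd is None:
            return 'idle', executed
        executed.append(cmd)
        c2.set_state(json.dumps({'id': bot_id, 'command': cmd, 'result': 'done'}))
    return 'running', executed


if __name__ == '__main__':
    print(run_bot(FakeC2(), 'bot-1', 'AU', INACTIVE_THRESHOLD))
```

The three branches in get are what a sandbox must satisfy to see any command: a spoofed country that the operator targets, and an idle period long enough for inactiveTime to reach the threshold. run_bot makes the effect visible: with an untargeted country it returns Unauthorized, with a busy device it returns idle with nothing executed, and only the patient, AU-geolocated bot walks through all seven steps.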
Depending on whether the victim has any of the targeted applications or an anti-virus installed, and on the geographic\r\nlocation, the malware can harvest credentials from the targeted applications, exfiltrate all personal information or\r\nsimply use the victim's device to send SMS messages that spread the trojan.\r\nThe malware deploys overlaying webviews to trick the user and eventually steal their login credentials. These are\r\nadapted to the information the malicious operator wants to retrieve. The first webview overlay is created on step 6\r\nof the activation cycle.\r\nPin request overlay\r\nThis overlay asks the user to provide their PIN to unlock the mobile device, which is immediately exfiltrated to\r\nthe C2. The last step of the activation cycle is the download of a password-protected ZIP file. This file contains all\r\nthe HTML, CSS and PNG files necessary to create overlays. Talos found 189 logos, from banks to cryptocurrency\r\nexchanges, inside the archive, all of which could be targeted. The archive also contained all the code necessary to\r\ntarget Australian financial institutions. The overlays are activated by the malicious operator using the command\r\nchangeActivity, as seen on step 5 of the activation cycle. In this case, we can see that the HTML code of the\r\noverlay is stored in the C2 infrastructure. However, since the archive that is downloaded onto the device has all the\r\nnecessary information and the malicious actor has access to the device via SMS, the malicious operator can keep\r\noperating even without the C2 infrastructure.\r\nInfrastructure\r\nThe infrastructure supporting this malware is rather complex: at every stage there are at least two\r\nlayers. Although it is not very dynamic, each layer provides\r\nsome level of protection. 
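Before the indicator list, a network-side check for the beaconing described earlier: the bot posts to /api/v2/get.php every 60 seconds and reports to /api/v2/set_state.php, so a proxy log shows one client hitting one path at a near-constant interval. The Python below is an added example (not from the Talos post) that finds such series in constructed log lines and raises the severity when the path matches one the post names; the log format, addresses, host names, timestamps and the jitter threshold are assumptions.

```python
# Added example (not from the Talos post): a network-side check for the
# beaconing the post describes, run over proxy log lines. It groups requests
# by client, host and path, looks for a near-constant inter-request interval
# (the 60 s cadence) and scores the paths the post names. The log format and
# every address, host and timestamp are constructed for the example; the
# thresholds are assumptions to tune on real data.
from collections import defaultdict
from statistics import mean, pstdev

C2_PATHS = {'/api/v2/get.php', '/api/v2/set_state.php'}

# Constructed log lines: epoch seconds, client, method, host, path.
SAMPLE_LOG = [
    '1554813600 10.0.0.7 POST c2.invalid /api/v2/get.php',
    '1554813660 10.0.0.7 POST c2.invalid /api/v2/get.php',
    '1554813720 10.0.0.7 POST c2.invalid /api/v2/get.php',
    '1554813780 10.0.0.7 POST c2.invalid /api/v2/get.php',
    '1554813781 10.0.0.7 POST c2.invalid /api/v2/set_state.php',
    '1554813840 10.0.0.7 POST c2.invalid /api/v2/get.php',
    '1554813605 10.0.0.9 GET  news.invalid /index.html',
    '1554813999 10.0.0.9 GET  news.invalid /sport.html',
    '1554814102 10.0.0.9 GET  cdn.invalid /a.js',
]


def parse(line):
    '''Split one constructed log line into (timestamp, client, host, path).'''
    ts, client, _method, host, path = line.split()
    return int(ts), client, host, path


def beacon_candidates(lines, min_requests=4, max_jitter=0.1):
    '''Return (client, host, path, interval) for periodic request series.'''
    series = defaultdict(list)
    for line in lines:
        ts, client, host, path = parse(line)
        series[(client, host, path)].append(ts)
    found = []
    for (client, host, path), stamps in series.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # near-constant gaps: relative standard deviation under max_jitter
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            found.append((client, host, path, round(avg)))
    return found


def score(candidates):
    '''Raise severity when the periodic path is one the post names.'''
    return [(c, h, p, iv, 'high' if p in C2_PATHS else 'medium')
            for c, h, p, iv in candidates]


if __name__ == '__main__':
    for row in score(beacon_candidates(SAMPLE_LOG)):
        print(row)
```

The params command in the activation cycle lengthens the beacon interval, so a 60-second series only covers the period before that step; on real data, run the check over a window long enough to hold at least min_requests requests at the lengthened interval, and expect the changeServer step to move the series to a new host.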
All the IP addresses belong to the same company, Hetzner, a hosting provider in\r\nGermany.\r\nCOVERAGE\r\nCisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious\r\nwebsites and detects malware used in these attacks.\r\nEmail Security can block malicious emails sent by threat actors as part of their campaign.\r\nNetwork Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention\r\nSystem (NGIPS), and Meraki MX can detect malicious activity associated with this threat.\r\nAMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.\r\nUmbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs,\r\nwhether users are on or off the corporate network.\r\nOpen Source SNORTⓇ Subscriber Rule Set customers can stay up to date by downloading the latest rule pack\r\navailable for purchase on Snort.org.\r\nINDICATORS OF COMPROMISE (IOCS)\r\nDomains\r\nfacebook-photos-au.su\r\nhomevideo2-12l.ml\r\nvideohosting1-5j.gq\r\nURLs\r\nhxxp://88.99.227[.]26/html2/2018/GrafKey/new-inj-135-3-dark.html\r\nhxxp://88.99.227[.]26/html2/arc92/au483x.zip\r\nhxxp://94.130.106[.]117:8080/api/v1/report/records.php\r\nhxxp://88.99.227[.]26/html2/new-inj-135-3-white.html\r\nhxxp://facebook-photos-au[.]su/ChristinaMorrow\r\nhxxp://homevideo2-12l[.]ml/mms3/download_3.php\r\nIP addresses\r\n78.46.201.36\r\n88.99.170.84\r\n88.99.227.26\r\n94.130.106.117\r\n88.99.174.200\r\n88.99.189.31\r\nSHA256 hashes\r\n369fcf48c1eb982088c22f86672add10cae967af82613bee6fb8a3669603dc48\r\nb2d4fcf03c7a8bf135fbd3073bea450e2e6661ad8ef2ab2058a3c04f81fc3f3e\r\n8f5d5d8419a4832d175a6028c9e7d445f1e99fdc12170db257df79831c69ae4e\r\na5ebcdaf5fd10ec9de85d62e48cc97a4e08c699a7ebdeab0351b86ab1370557d\r\n84578b9b2c3cc1c7bbfcf4038a6c76ae91dfc82eef5e4c6815627eaf6b4ae6f6\r\n89eecd91dff4bf42bebbf3aa85aa512ddf661d3e9de4c91196c98f4fc325a018\r\n9edee3f3d539e3ade61ac2956a6900d93ba3b535b6a76b3a9ee81e2251e25c61\r\n0e48e5dbc3a60910c1460b382d28e087a580f38f57d3f82d4564309346069bd1\r\nc113cdd2a5e164dcba157fc4e6026495a1cfbcb0b1a8bf3e38e7eddbb316e01f\r\n1819d2546d9c9580193827c0d2f5aad7e7f2856f7d5e6d40fd739b6cecdb1e9e\r\nb213c1de737b72f8dd7185186a246277951b651c64812692da0b9fdf1be5bf15\r\n453e7827e943cdda9121948f3f4a68d6289d09777538f92389ca56f6e6de03f0\r\n0246dd4acd9f64ff1508131c57a7b29e995e102c74477d5624e1271700ecb0e2\r\n88034e0eddfdb6297670d28ed810aef87679e9492e9b3e782cc14d9d1a55db84\r\ne08f08f4fa75609731c6dd597dc55c8f95dbdd5725a6a90a9f80134832a07f2e\r\n01c5b637f283697350ca361f241416303ab6123da4c6726a6555ac36cb654b5c\r\n1fb06666befd581019af509951320c7e8535e5b38ad058069f4979e9a21c7e1c\r\n6bdfb79f813448b7f1b4f4dbe6a45d1938f3039c93ecf80318cedd1090f7e341\r\nADDITIONAL INFORMATION\r\nPackages 
monitored\r\npin.secret.access\r\ncom.chase.sig.android\r\ncom.morganstanley.clientmobile.prod\r\ncom.wf.wellsfargomobile\r\ncom.citi.citimobile\r\ncom.konylabs.capitalone\r\ncom.infonow.bofa\r\ncom.htsu.hsbcpersonalbanking\r\ncom.usaa.mobile.android.usaa\r\ncom.schwab.mobile\r\ncom.americanexpress.android.acctsvcs.us\r\ncom.pnc.ecommerce.mobile\r\ncom.regions.mobbanking\r\ncom.clairmail.fth\r\ncom.grppl.android.shell.BOS\r\ncom.tdbank\r\ncom.huntington.m\r\ncom.citizensbank.androidapp\r\ncom.usbank.mobilebanking\r\ncom.ally.MobileBanking\r\ncom.key.android\r\ncom.unionbank.ecommerce.mobile.android\r\ncom.mfoundry.mb.android.mb_BMOH071025661\r\ncom.bbt.cmol\r\ncom.sovereign.santander\r\ncom.mtb.mbanking.sc.retail.prod\r\ncom.fi9293.godough\r\ncom.commbank.netbank\r\norg.westpac.bank\r\norg.stgeorge.bank\r\nau.com.nab.mobile\r\nau.com.bankwest.mobile\r\nau.com.ingdirect.android\r\norg.banksa.bank\r\ncom.anz.android\r\ncom.anz.android.gomoney\r\ncom.citibank.mobile.au\r\norg.bom.bank\r\ncom.latuabancaperandroid\r\ncom.comarch.mobile\r\ncom.jpm.sig.android\r\ncom.konylabs.cbplpat\r\nby.belinvestbank\r\nno.apps.dnbnor\r\ncom.arkea.phonegap\r\ncom.alseda.bpssberbank\r\ncom.belveb.belvebmobile\r\ncom.finanteq.finance.ca\r\npl.eurobank\r\npl.eurobank2\r\npl.noblebank.mobile\r\ncom.getingroup.mobilebanking\r\nhr.asseco.android.mtoken.getin\r\npl.getinleasing.mobile\r\ncom.icp.ikasa.getinon\r\neu.eleader.mobilebanking.pekao\r\nsoftax.pekao.powerpay\r\nsoftax.pekao.mpos\r\ndk.jyskebank.mobilbank\r\ncom.starfinanz.smob.android.bwmobilbanking\r\neu.newfrontier.iBanking.mobile.SOG.Retail\r\ncom.accessbank.accessbankapp\r\ncom.sbi.SBIFreedomPlus\r\ncom.zenithBank.eazymoney\r\nnet.cts.android.centralbank\r\ncom.f1soft.nmbmobilebanking.activities.main\r\ncom.lb.smartpay\r\ncom.mbmobile\r\ncom.db.mobilebanking\r\ncom.botw.mobilebanking\r\ncom.fg.wallet\r\ncom.sbi.SBISecure\r\ncom.icsfs.safwa\r\ncom.interswitchng.www\r\ncom.dhanlaxmi.dhansmart.mtc\r\ncom.icomvision.bsc.tbc\r\nhr.asseco.android.jimba.cecro\r\ncom.vanso.gtbankapp\r\ncom.fss.pnbpsp\r\ncom.mfino.sterling\r\ncy.com.netinfo.netteller.boc\r\nge.mobility.basisbank\r\ncom.snapwork.IDBI\r\ncom.lcode.apgvb\r\ncom.fact.jib\r\nmn.egolomt.bank\r\ncom.pnbrewardz\r\ncom.firstbank.firstmobile\r\nwit.android.bcpBankingApp.millenniumPL\r\ncom.grppl.android.shell.halifax\r\ncom.revolut.revolut\r\nde.commerzbanking.mobil\r\nuk.co.santander.santanderUK\r\nse.nordea.mobilebank\r\ncom.snapwork.hdfc\r\ncom.csam.icici.bank.imobile\r\ncom.msf.kbank.mobile\r\ncom.bmm.mobilebankingapp\r\nnet.bnpparibas.mescomptes\r\nfr.banquepopulaire.cyberplus\r\ncom.caisseepargne.android.mobilebanking\r\ncom.palatine.android.mobilebanking.prod\r\ncom.ocito.cdn.activity.creditdunord\r\ncom.fullsix.android.labanquepostale.accountaccess\r\nmobi.societegenerale.mobile.lappli\r\ncom.db.businessline.cardapp\r\ncom.skh.android.mbanking\r\ncom.ifs.banking.fiid1491\r\nde.dkb.portalapp\r\npl.pkobp.ipkobiznes\r\npl.com.suntech.mobileconnect\r\neu.eleader.mobilebanking.pekao.firm\r\npl.mbank\r\npl.upaid.nfcwallet.mbank\r\neu.eleader.mobilebanking.bre\r\npl.asseco.mpromak.android.app.bre\r\npl.asseco.mpromak.android.app.bre.hd\r\npl.mbank.mnews\r\neu.eleader.mobilebanking.raiffeisen\r\npl.raiffeisen.nfc\r\nhr.asseco.android.jimba.rmb\r\ncom.advantage.RaiffeisenBank\r\npl.bzwbk.ibiznes24\r\npl.bzwbk.bzwbk24\r\npl.bzwbk.mobile.tab.bzwbk24\r\ncom.comarch.mobile.investment\r\ncom.android.vending\r\ncom.snapchat.android\r\njp.naver.line.android\r\ncom.viber.voip\r\ncom.gettaxi.android\r\ncom.whatsapp\r\ncom.tencent.mm\r\ncom.skype.raider\r\ncom.ubercab\r\ncom.paypal.android.p2pmobile\r\ncom.circle.android\r\ncom.coinbase.android\r\ncom.walmart.android\r\ncom.bestbuy.android\r\ncom.ebay.gumtree.au\r\ncom.ebay.mobile\r\ncom.westernunion.android.mtapp\r\ncom.moneybookers.skrillpayments\r\ncom.gyft.android\r\ncom.amazon.mShop.android.shopping\r\ncom.comarch.mobile.banking.bgzbnpparibas.biznes\r\npl.bnpbgzparibas.firmapp\r\ncom.finanteq.finance.bgz\r\npl.upaid.bgzbnpp\r\nde.postbank.finanzassistent\r\npl.bph\r\nde.comdirect.android\r\ncom.starfinanz.smob.android.sfinanzstatus\r\nde.sdvrz.ihb.mobile.app\r\npl.ing.mojeing\r\ncom.ing.mobile\r\npl.ing.ingksiegowosc\r\ncom.comarch.security.mobilebanking\r\ncom.comarch.mobile.investment.ing\r\ncom.ingcb.mobile.cbportal\r\nde.buhl.finanzblick\r\npl.pkobp.iko\r\npl.ipko.mobile\r\npl.inteligo.mobile\r\nde.number26.android\r\npl.millennium.corpApp\r\neu.transfer24.app\r\npl.aliorbank.aib\r\npl.corelogic.mtoken\r\nalior.bankingapp.android\r\ncom.ferratumbank.mobilebank\r\ncom.swmind.vcc.android.bzwbk_mobile.app\r\nde.schildbach.wallet\r\npiuk.blockchain.android\r\ncom.bitcoin.mwallet\r\ncom.btcontract.wallet\r\ncom.bitpay.wallet\r\ncom.bitpay.copay\r\nbtc.org.freewallet.app\r\norg.electrum.electrum\r\ncom.xapo\r\ncom.airbitz\r\ncom.kibou.bitcoin\r\ncom.qcan.mobile.bitcoin.wallet\r\nme.cryptopay.android\r\ncom.bitcoin.wallet\r\nlt.spectrofinance.spectrocoin.android.wallet\r\ncom.kryptokit.jaxx\r\ncom.wirex\r\nbcn.org.freewallet.app\r\ncom.hashengineering.bitcoincash.wallet\r\nbcc.org.freewallet.app\r\ncom.coinspace.app\r\nbtg.org.freewallet.app\r\nnet.bither\r\nco.edgesecure.app\r\ncom.arcbit.arcbit\r\ndistributedlab.wallet\r\nde.schildbach.wallet_test\r\ncom.aegiswallet\r\ncom.plutus.wallet\r\ncom.coincorner.app.crypt\r\neth.org.freewallet.app\r\nsecret.access\r\nsecret.pattern\r\nSource: https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html"
	],
	"report_names": [
		"gustuff-targets-australia.html"
	],
	"threat_actors": [
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434506,
	"ts_updated_at": 1775826754,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/91c627d038934a8753df63c29ad6ad2c12d2702e.pdf",
		"text": "https://archive.orkl.eu/91c627d038934a8753df63c29ad6ad2c12d2702e.txt",
		"img": "https://archive.orkl.eu/91c627d038934a8753df63c29ad6ad2c12d2702e.jpg"
	}
}