{
	"id": "34f72ead-c76c-4d7b-ab4b-dd8f345c4a79",
	"created_at": "2026-04-06T00:16:28.800807Z",
	"updated_at": "2026-04-10T03:30:32.863672Z",
	"deleted_at": null,
	"sha1_hash": "930bd3d68d9201ce22cef1183591a84bc510b02d",
	"title": "New Spyware RatMilad Targets Middle Eastern Mobile Devices",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 59957,
	"plain_text": "New Spyware RatMilad Targets Middle Eastern Mobile Devices\r\nPublished: 2022-10-06 · Archived: 2026-04-05 20:21:57 UTC\r\n1. Home\r\n2. Blog\r\n3. Cyber News\r\n4. New Spyware RatMilad Targets Middle Eastern Mobile Devices\r\nRatMilad, a newly discovered Android spyware, has been stealing data from mobile devices in the Middle East.\r\nThe malware is spread through links on social media and pretends to be applications for services like VPN and\r\nphone number spoofing. Unwary users download these trojan applications and grant access to malware. \r\nLoader Applications \r\nTrojan apps named Text Me and NumRent were seen sideloading the RatMilad spyware. The two apps claim to\r\nhelp verify social media accounts. They are unavailable on legitimate application stores like Google Play but\r\ndistributed on Telegram.\r\nWith more than 200 external shares, a post shared on a Telegram channel used to spread the malware sample has\r\nreceived over 4,700 views.\r\nRatMilad loader apps (Source: Zimperium) \r\nCapabilities of the Malware\r\nRatMilad performs as sophisticated spyware on compromised devices. It can be used for espionage, extortion,\r\nand victim-eavesdropping, according to mobile security company Zimperium. \r\nThe capabilities of spyware include the ability to receive and execute commands to gather and exfiltrate data and\r\ncarry out a wide range of malicious operations, like: \r\nMAC Address of Device \r\nContact List \r\nSMS List \r\nCall Logs \r\nAccount Names and Permissions \r\nClipboard Data \r\nGPS Location Data \r\nSim Information – Mobile number, Country, IMEI, Sim state \r\nFile list \r\nhttps://socradar.io/new-spyware-ratmilad-targets-middle-eastern-mobile-devices\r\nPage 1 of 3\n\nRead, write, and Delete Files \r\nSound Recording \r\nFile upload to C\u0026C \r\nList of the installed applications, along with their permissions. \r\nSet new application permissions. 
\r\nPhone info – Model, Brand, buildID, Android version, manufacturer\r\nWho is Behind RatMilad? \r\nZimperium claims that RatMilad’s operators obtained the source code from the AppMilad hacker group in Iran\r\nand combined it with a fraudulent app to trick people into downloading it. \r\nAlthough it’s uncertain how widespread the infections are, the cybersecurity firm claimed it found the spyware\r\nduring an unsuccessful attempt to infiltrate a customer’s workplace device. \r\nAccording to Richard Melick, head of mobile threat intelligence at Zimperium, the RatMilad spyware and the\r\nIran-based hacking group AppMilad show a changing environment impacting mobile device security.\r\nRatMilad is only one of many mobile spyware options, including Pegasus and PhoneSpy, accessible from both\r\nlegitimate and illegitimate sources. \r\nRecommendations \r\nThe impact of malicious mobile applications can be prevented with simple security tips: \r\nBeware of malicious links distributed online. \r\nAvoid downloading applications from untrusted sources. 
\r\nCheck for application reviews and concerns on the internet.\r\nRatMilad IoCs\r\nApplication Names:\r\ncom.example.confirmcode\r\ncom.example.confirmcodf\r\ncom.example.confirmcodg\r\nC\u0026C Servers:\r\nhxxp://textme[.]network\r\napi[.]numrent[.]shop\r\nSHA-256 Hashes:\r\nSource: https://socradar.io/new-spyware-ratmilad-targets-middle-eastern-mobile-devices",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://socradar.io/new-spyware-ratmilad-targets-middle-eastern-mobile-devices"
	],
	"report_names": [
		"new-spyware-ratmilad-targets-middle-eastern-mobile-devices"
	],
	"threat_actors": [
		{
			"id": "9c053829-e1ff-4b85-9d4f-f2a9af4bbdd4",
			"created_at": "2023-11-17T02:00:07.613931Z",
			"updated_at": "2026-04-10T02:00:03.460689Z",
			"deleted_at": null,
			"main_name": "AppMilad",
			"aliases": [],
			"source_name": "MISPGALAXY:AppMilad",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434588,
	"ts_updated_at": 1775791832,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/930bd3d68d9201ce22cef1183591a84bc510b02d.pdf",
		"text": "https://archive.orkl.eu/930bd3d68d9201ce22cef1183591a84bc510b02d.txt",
		"img": "https://archive.orkl.eu/930bd3d68d9201ce22cef1183591a84bc510b02d.jpg"
	}
}