{
	"id": "19f64fd3-3289-4550-8397-b8c1cbb4f375",
	"created_at": "2026-04-06T00:14:31.755555Z",
	"updated_at": "2026-04-10T03:20:03.9777Z",
	"deleted_at": null,
	"sha1_hash": "93c8bd4cd94eabffa7a9834e9bb7dc0b9d7f6f4c",
	"title": "Coper / Octo - A Conductor for Mobile Mayhem… With Eight Limbs?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5949291,
	"plain_text": "Coper / Octo - A Conductor for Mobile Mayhem… With Eight\r\nLimbs?\r\nBy Team Cymru\r\nPublished: 2025-04-08 · Archived: 2026-04-05 21:25:17 UTC\r\nAnalysis of an Android Malware-as-a-Service Operation\r\nCoper, a descendant of the Exobot malware family, was first observed in the wild in July 2021, targeting\r\nColombian Android users. At that time, Coper was distributed as a fake version of Bancolombia’s “Personas''\r\napplication. Its capabilities included keylogging, interception of push notifications and SMS messages, as well as\r\ncontrol over the infected device’s screen.\r\nIn early 2022, researchers at ThreatFabric identified a post on an underground economy forum where the author\r\nsought information on the ‘Octo Android botnet’. Their analysis of this post established a direct link to\r\nExobotCompact, a “lite” version of the aforementioned Exobot, which had been updated and rebranded as Octo.\r\nTherefore, Coper and Octo are considered synonymous names for the same malware family, which has evolved\r\nover time from its Exobot origins (circa 2016).\r\nToday, Coper/Octo is offered as malware-as-a-service, where customers are provided access to a panel and\r\nbuilder used to coordinate and execute campaigns. As a result, we observe Coper/Octo being used to target many\r\ncountries across the globe in campaigns crafted to ‘appeal’ to specific audiences. 
The aforementioned fake\r\n“Personas” application serves as a good example of the level of regional focus that the service can provide its\r\ncustomers.\r\nhttps://www.team-cymru.com/post/coper-octo-a-conductor-for-mobile-mayhem-with-eight-limbs\r\nPage 1 of 24\n\nIn this blog post, we will detail our analysis and understanding of the Coper/Octo Android malware, examining\r\nthe malware’s continued development, as well as providing insights into attack patterns, infrastructure utilization\r\nand management, and hunting tips.\r\nKey Findings\r\nCoper/Octo, originating from the Exobot malware family, has evolved from its initial observations in 2021\r\ntargeting Colombian Android users. It has transformed into a malware-as-a-service operation, providing\r\ncustomers with a range of malicious capabilities. The malware's distribution includes tactics such as\r\nimpersonating legitimate applications like banking apps to deceive users into installing it.\r\nThe malware offers a variety of advanced features, including keylogging, interception of SMS messages\r\nand push notifications, and control over the device's screen. It employs various injects to steal sensitive\r\ninformation, such as passwords and login credentials, by displaying fake screens or overlays. Additionally,\r\nit utilizes VNC (Virtual Network Computing) for remote access to devices, enhancing its surveillance\r\ncapabilities.\r\nCoper/Octo operates through a complex command-and-control (C2) infrastructure, encrypting\r\ncommunications to evade detection. Analysis of C2 servers reveals the victim population behind each campaign,\r\nwith notable concentrations in Portugal, Spain, Turkey, and the United States. 
The malware\r\nemploys techniques to filter out certain regions, ensuring its operations align with the interests of its\r\noperators while evading detection in specific geopolitical areas.\r\nMalware Analysis\r\nInitial Command and Control Capabilities\r\nFirstly, we will examine the Coper/Octo malware payload which has been updated over the last few years to\r\ninclude new features and provide greater \"user\" flexibility. This flexibility becomes evident when we examine the\r\nmalware configuration, which is set by each customer/operator.\r\nAfter the initial compromise and once communication with the C2 server is established, the Coper/Octo bot\r\npayload is passed to the victim device. The payload includes the configuration file, the parameters of which\r\ninclude:\r\nblock_push_apps: blocks push notifications for the listed applications.\r\ndesired_apps: specifies the applications targeted by the malware.\r\ndomains_bot: provides the C2 server for bot communications. This field is combined with the\r\nextra_domains field, which serves as backup C2 information.\r\nkeylogger_enabled: a binary field determining whether the keylogging function is switched on or off.\r\ninjects_list: the chosen injects the bot will deploy when a targeted application is accessed. Used in\r\nconjunction with injects_to_disable. We will cover injects in further detail below.\r\nnet_delay: determines the time delta for network requests, i.e., communications with the C2 server.\r\nsmarts_ver: determines the inject version to be utilized. Again we will cover this field in further detail\r\nbelow.\r\nuninstall_apps: a list of applications to be uninstalled from the infected device. Used in tandem with\r\nuninstall_delay to specify the interval when this action takes place.\r\nThe aforementioned smarts_ver configuration field relates to the injects functionality embedded into the\r\nCoper/Octo bot and the C2 infrastructure used to manage it. 
The smarts information is further broken down into a\r\nseparate table, likely to facilitate easier management.\r\nThis table contains information such as the inject and target type, as well as specific characteristics of the inject,\r\nsuch as how extracted data should be formatted and whether the inject is currently active or not. An example of\r\nthis table is provided below.\r\nFrom left to right, the data in the table is explained as follows:\r\n1, 2, 3 are the inject IDs\r\nHTML is the inject type\r\nspecials indicates that the inject is part of the default build provided when the bot is installed; these\r\ninjects cannot be removed\r\nGmail, pattern, pin are the inject payloads, followed by the path (denoted by the %FIELD_ value)\r\n1 is an “is alive” value, where in the case of the three injects shown this is “true”\r\nCoper/Octo supports several injects, for example:\r\nAccessibility Index: Displays instructions on how to enable Accessibility Services, which are required to\r\nbe activated in order to facilitate remote interactions with the infected device. A degree of social\r\nengineering is employed to encourage the victim to take this action\r\nFake Pattern: Displays a ‘fake’ unlock pattern screen to the victim user. This allows for the capture of the\r\nunlock pattern required to access the device, which is of particular value for VNC interactions\r\nGmail Fake: Displays a ‘fake’ Gmail login form to the victim user. Steps are taken to make this form\r\nfeel/look realistic, for example the user’s email address is prepopulated requiring only the password to be\r\nsubmitted. The obvious end goal is the theft of email login credentials\r\nURL Inject: Displays an overlay web page, such as an authentication form, when the victim user accesses\r\nan app. 
The URL inject allows for the harvesting of credentials from any accounts or applications the\r\noperator wishes to target. The entered data and cookie information are transferred back to the control\r\nserver as with the other injects.\r\nIn addition to the configuration file and injects, the operator can further interact with the malware using a series of\r\ncommands. All requests to/from the C2 infrastructure are AES encrypted and Base64 encoded. Examples of these\r\ncommands include:\r\ndelete_bot: delete the Coper/Octo bot\r\nintercept_off / _on: disables or enables SMS interception\r\nlock_off / _on: unlock or lock the infected device\r\nopen_url: open a web page in the infected device’s default browser\r\nset_vnc_task: provide a remote action command, e.g., a gesture\r\nsms: used to send an SMS message from the infected device (to a specific phone number)\r\nstart_ / stop_keylogger: starts or stops keylogging on the infected device\r\nvnc_start / _stop: starts or stops VNC functionality - i.e., remote control of the device/screen\r\nOperators can also set further parameters to extract detailed information from the infected device, as summarized\r\nin the table below.\r\nMany of these parameters existed in earlier versions of Coper/Octo from around mid-2021, and Exobot dating as\r\nfar back as 2018, indicating the malware's development over time and the connections between the families.\r\nWith an understanding of how the operators communicate with each infected device (or “bot”), we can now delve\r\ninto more detail about how this story unfolds, with the support of examples and images.\r\nVictim Registration and Filtering\r\nWhen a victim device is initially registered with the bot C2 server, essential information such as the IMEI number,\r\nphone model, Android version, device uptime, etc., is collected and stored in an SQL database. 
This data serves as\r\na reference for the threat operator and can be reviewed in the future.\r\nFollowing registration, the victim device continues to send updates to the C2 server on a daily basis. These\r\nupdates allow the threat operator to monitor their infections and compile user interactions with the victim devices.\r\nThe screenshot below illustrates the bot registration script, providing a detailed view of these information values,\r\ndenoted as $value (e.g., $imei and $model).\r\nTwo values hold particular significance during the bot registration stage: $country and $lang. Like many malware\r\nfamilies, Coper/Octo prohibits the infection of devices in Commonwealth of Independent States (CIS) countries\r\nand/or devices utilizing the official languages of these countries.\r\nThis means that for customers of Coper/Octo, victims in Armenia, Azerbaijan, Belarus, Kazakhstan, Kyrgyzstan,\r\nMoldova, Russia, Tajikistan, Turkmenistan, and Uzbekistan are strictly out of scope. 
The filter is applied by the\r\nmalware authors and is present in all standard distributions of the malware.\r\nAdditionally, eagle-eyed readers will notice that victims in China (cn) and Ukraine (ua) are also prohibited.\r\nThe process of checking against language and country filters occurs alongside checks to ensure that the victim\r\ndevice is not an emulator or running on a virtual machine, resulting in three distinct reasons why a bot may be\r\nrejected in the registration process.\r\nOnce the registration process has successfully occurred and regular updates are being received from the bot, the\r\nthreat operator can begin to interact further using the commands and features outlined previously.\r\nEncryption / Evading Detection\r\nTo evade detection, all Dex classes associated with Coper/Octo are encrypted using a hardcoded RC4 key,\r\nfollowing the encryption routine illustrated below.\r\nWith knowledge of the routine and the hardcoded key (lU0jgv9f6hgMZI48x) we are better equipped to\r\nunderstand the Coper/Octo code, including its functionalities and interactions with the C2 infrastructure.\r\nUsing CyberChef, we can input encrypted strings as follows, with the output being the decrypted string in plain\r\ntext.\r\nWe can then use this process to decipher the encrypted information described above, for example the below\r\nscreenshot has the plain text values for a number of encrypted strings commented out.\r\nBecause the key is hardcoded, the same recipe applies to every sample that shares it; a sample whose strings no\r\nlonger decrypt under it is the first sign of a new build.\r\nIn addition to the usage of encryption, Coper/Octo seeks to hide its tracks in other ways. 
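The decryption step just described, as an added Python example (editor-supplied code, not code from the Team Cymru post or recovered from the malware): it implements RC4 from scratch so no third-party package is needed, checks the implementation against published RC4 test vectors before trusting it, and then decrypts a constructed sample under the hardcoded key quoted above. Assumptions are the hex encoding of the input (the post does not state how the encrypted strings are stored, so match the decoding step to what the sample actually contains) and the names OCTO_KEY, decrypt_octo_string and encrypt_octo_string, which are mine; the sample plaintext is constructed for the demonstration.

```python
# Added example: RC4 decryption of strings under the hardcoded
# Coper/Octo key quoted in the post. Editor-supplied code, not from
# the original post. Hex encoding of the input is an assumption.
from typing import Iterator

OCTO_KEY = b'lU0jgv9f6hgMZI48x'   # hardcoded key reported in the post


def rc4_keystream(key: bytes) -> Iterator[int]:
    # Key-scheduling algorithm (KSA): permute S using the key bytes.
    if not key:
        raise ValueError('RC4 key must not be empty')
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation algorithm (PRGA): one keystream byte per step.
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    # RC4 is a stream cipher: the same XOR both encrypts and decrypts.
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


def decrypt_octo_string(hex_blob: str, key: bytes = OCTO_KEY) -> str:
    # Mirrors the CyberChef recipe: From Hex -> RC4 -> text.
    plain = rc4(key, bytes.fromhex(hex_blob.strip()))
    return plain.decode('utf-8', errors='replace')


def encrypt_octo_string(text: str, key: bytes = OCTO_KEY) -> str:
    # Used only to build a constructed sample for the demonstration.
    return rc4(key, text.encode('utf-8')).hex()


# Published RC4 test vectors (key, plaintext, ciphertext hex). If these
# fail, the implementation is wrong and nothing below can be trusted.
TEST_VECTORS = [
    (b'Key', b'Plaintext', 'bbf316e8d940af0ad3'),
    (b'Wiki', b'pedia', '1021bf0420'),
    (b'Secret', b'Attack at dawn', '45a01f645fc35b383552544b9bf5'),
]


def self_check() -> bool:
    return all(rc4(k, p).hex() == c and rc4(k, bytes.fromhex(c)) == p
               for k, p, c in TEST_VECTORS)


if __name__ == '__main__':
    assert self_check()
    # Constructed sample: a plausible configuration string, encrypted
    # here with the page's key. Replace with a blob pulled from the APK.
    sample = encrypt_octo_string('keylogger_enabled')
    print(sample, '->', decrypt_octo_string(sample))
```

The self-check matters in practice: RC4 carries no integrity protection, so a wrong key or a mis-decoded input yields garbage rather than an error, and the only signal is that the output is not printable text. Check that before reading anything into a decrypted string.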
The use of certain\r\npermissions like REQUEST_COMPANION_RUN_IN_BACKGROUND and\r\nREQUEST_COMPANION_USE_DATA_IN_BACKGROUND indicates a level of stealthiness sought by\r\nCoper/Octo.\r\nThese are companion-device permissions that let an app keep running, and keep using network data, while it is in\r\nthe background. Android malware commonly requests them so that its activity stays inconspicuous and does not\r\ndepend on the user keeping the app in the foreground. On their own they are only a hunting signal; in combination\r\nwith an Accessibility Service request from an app that impersonates another, they are a strong one.\r\nCapabilities in Action\r\nKeylogging\r\nThe keylogger functionality is a primary feature of Coper/Octo, enabling it to log every keystroke made on the\r\nvictim’s phone. Upon activation, Coper/Octo checks the status of the keylogger by verifying the value\r\n\"keylogger_enabled=1\". If enabled, it captures all information entered by the victim via the keyboard, including\r\nevents and taps on the device. This encompasses application passwords, graphical patterns, PINs, push\r\nnotifications, and screen passwords. Furthermore, the keylogger retrieves data from the device's web browser. In\r\ncases where the keylogger is not initially enabled, it can be activated later through the C2 panel.\r\nAll keylogged information is stored in a file within the device's data directory. Once the contents of the keylogger\r\ndata file have been fully read, the file is deleted. 
The file is therefore only a temporary staging area, likely for\r\noperational security: it keeps stolen data from lingering on the filesystem as evidence of the device's compromise.\r\n(A deleted file is not a wiped one, so a forensic image of the data partition may still hold remnants worth carving.)\r\nInjects\r\nInjects also play a crucial role in the Coper/Octo service offering, providing customers with a wide range of data\r\ntheft mechanisms, as previously described. These injects are initially configured in the bot but can be later\r\nmodified from the customer's C2 panel. Below is an example of a URL inject designed to target Gmail user\r\ninformation, using an overlaid “spoofed” login form to capture the victim’s credentials.\r\nBreaking this screenshot down step by step:\r\nFirstly, the inject type is defined, in this case, “url”\r\nNext, it injects “onblur” event handlers in order to capture user inputs\r\nThen, the HTML content of the page is updated with genuine device and application information,\r\nincreasing ‘realism’\r\nFinally, the captured Gmail credentials are stored in the file “gmail_login”\r\nInjects can also be used, as referenced previously, to obtain the infected device’s screen password or PIN, enabling\r\nremote access and management of the device.\r\nVNC (Remote Access)\r\nCoper/Octo is not unique among Android malware families in adopting VNC into its bag of tricks, with other\r\nnotable examples including Godfather, Hook, and Vultur.\r\nVNC provides an alternative option for monitoring user input, such as using its screen recording capabilities to\r\ncapture information entered into things like banking services, or applications and websites of interest. 
In this way,\r\nVNC serves as a third route to the same data, alongside injects and keylogging.\r\nTo execute all of its VNC features, Coper/Octo requires permissions for the Accessibility Service to be granted;\r\nwe previously covered an inject used to socially engineer the victim into activating this.\r\nOnce permissions are granted, VNC is utilized for a number of purposes, including:\r\nEnabling or disabling device sounds, which is useful when the operator wants to capture things like SMS\r\nmessages or push notifications\r\nEnabling the virtual keyboard, allowing the operator to enter information into the infected device\r\nModifying the device backlight, which can potentially be used to interact with the device while it appears\r\nto be in sleep mode\r\nSending pattern codes to unlock the device\r\nTaking device screenshots (the process of which is illustrated in the screenshot below)\r\nReferring to the table of parameters used by Coper/Octo, we can observe that an action request is made (xc) for a\r\nscreenshot to be taken (vncScr), with a filename defined (fn) and an image body to be saved (bs) as a Base64\r\nstring.\r\nSMS Message Interaction\r\nThe final capability we'll examine is Coper/Octo's ability to interact with SMS messaging services, allowing it to\r\nintercept, read, and send messages within the device.\r\nAs with other aspects of the malware, the initial step is to ensure that the required permissions are granted.\r\nOnce confirmed, the bot will initiate the SMS interception process, whilst simultaneously aborting the\r\nSMSReceived broadcast to the victim (using the command “EXC_SMSRCV”), meaning notifications for new\r\nmessages are no longer served to the victim user.\r\nIn the below screenshot we have used the 
aforementioned decryption process (see the section on Encryption /\r\nEvading Detection) to help illustrate the SMS interception process.\r\nOnce again, referring to the table of parameters used by Coper/Octo, we can observe that the SMS address\r\n(sender) is defined (sA), along with the message body (sB) and timestamp (sT).\r\nAs mentioned earlier, this capability enables the operator to read messages received by the victim and send out\r\nnew messages from the compromised device. This functionality might be utilized as a method for further onward\r\ninfection of other devices, possibly by persuading the recipient(s) to download a malicious application.\r\nC2 Infrastructure Overview \u0026 Stats\r\nBefore looking into campaign and victim statistics, let's delve deeper into how the Coper/Octo bot communicates\r\nwith operator C2 infrastructure, expanding on the previous section discussed at the beginning of this blog post.\r\nWe will outline the process by which the C2 server gathers information from the bots, explain how we decrypt this\r\ndata, and then transition into examining the characteristics of the C2 servers, facilitating the discovery of other\r\ninfrastructure connected to Coper/Octo.\r\nAs referenced previously, communications between the bot and C2 server are AES encrypted and Base64\r\nencoded.\r\nThankfully, there is a means to decrypt the traffic and subsequently have a clear view of the communications,\r\nproviding us with context on who is being targeted and what types of information the threat operators are\r\nparticularly interested in.\r\nWe will use the public sandbox from Triage for our analysis, as they have developed a configuration extractor for\r\nCoper/Octo, which makes all our lives easier (thanks for that!).\r\nOnce we 
have submitted the payload to the sandbox, a few interesting findings become available to us:\r\nC2 information associated with the payload (in this case, a number of similar domains which resolve to\r\n94.156.68.191)\r\nThe applications targeted by the malware, which include a large number of banking applications\r\nThe AES key, which we can use to decrypt the C2 communications\r\nThe communications captured during the sandbox run can be downloaded in PCAP format, which can be analyzed\r\nfurther using a tool such as Wireshark.\r\nAt this stage, the data remains encrypted. However, we can extract it as a hex stream to transfer it to a decryption\r\ntool. Also, note the aforementioned C2 server, 94.156.68.191, observed in the captured communications.\r\nThe final step is to combine the extracted data from Wireshark with the AES key provided in our sandbox run. As\r\nbefore, we will use CyberChef to assist us with this step. Since the bot AES-encrypts and then Base64-encodes each\r\nmessage, the recipe undoes those steps in reverse: take the hex stream from Wireshark, Base64 decode it, then AES\r\ndecrypt with the key from the sandbox run.\r\nThe output corresponds to the decrypted data, which contains all the parameters for this payload. Once beautified,\r\nit becomes easier to read and understand.\r\nIn this case, the payload is impersonating the Facebook application. 
We can also observe the language used in the\r\nprompt to encourage the victim to activate the Accessibility Service permissions required for the bot to operate\r\nfully.\r\nIn the bottom half of the screenshot, we observe further parameters being passed to provide information about the\r\nvictim host, for example:\r\niA = 0: the trojan is NOT the default SMS manager\r\niAc = 1: the trojan has Accessibility Services access\r\niBC = 100: the device is at 100% charge\r\nkL = 1: the keylogger is enabled\r\nrTS = 1707298428: the timestamp for the information provided (Unix time corresponding to 7 February\r\n2024 09:33:48 UTC)\r\nThe final bullet point serves as a lasting alibi for our malware analyst in case of the question “where were\r\nyou on 7 February at 9:30 am?”.\r\nHaving repeated this process on numerous occasions with different payloads, we found that the parameter lB can\r\noffer up some interesting data points. In the case we have described in this blog, the lB parameter indicated the\r\nidentity of the malicious spoofed application (Facebook) used as a lure.\r\nIn addition to Facebook, we have seen recent campaigns impersonating Google Chrome, as well as a number of\r\nPoker applications.\r\nHowever, in other cases, we have often observed the lB parameter containing the value ‘apkcrypt’, indicating that\r\na different crypter had been used compared to the usual one we observe in the analysis of Coper/Octo. It is not\r\nclear why this happened, but it may suggest that the malware author collaborates with more than one crypter\r\nservice.\r\nIt's the Same, but Different\r\nAs mentioned previously, Coper/Octo operates as a Malware-as-a-Service (MaaS) offering, with customization\r\nplaced into the hands of its customers. 
However, there are some constants (outside of elements of the malware\r\ncode) that we can focus on to identify connected infrastructure.\r\nOne such constant is the X.509 certificate utilized for Coper/Octo C2 servers.\r\nTurning to a second C2 server, 91.240.118.224 appears to have been used in\r\nCoper/Octo campaigns commencing on 5 February 2024, based on uploads to VirusTotal. Our own analysis of the\r\nIP also identifies it as a Coper/Octo controller.\r\nAccording to our data holdings, 91.240.118.224 appears to be hosting what seems to be a fairly generic X.509\r\ncertificate.\r\nHowever, when expanding our query to seek further examples of IPs hosting an X.509 certificate with a subject\r\nvalue of ‘CN=www.example.com,OU=Department,O=Company’, we find that there are surprisingly few\r\ncandidates.\r\nIn total, we found 84 other IPs hosting a certificate that matched the same subject value, dating back to mid-January 2024.\r\nA search of Censys records returned a similarly low number of results.\r\nWhen we analyzed the resulting IPs, we found that, aside from a small number of false positives, this certificate\r\nvalue was a strong indicator of Coper/Octo infrastructure. Because the subject is a placeholder rather than a\r\nunique value, those false positives have to be weeded out with other evidence before the certificate alone is\r\ntreated as an indicator. The majority of the servers we identified as Coper/Octo\r\nwere located in Russia or the Netherlands.\r\nAdditionally, we observed that while the certificates mainly appeared to be generated for each new C2 server,\r\nthere was also evidence of Coper/Octo customers moving their infrastructure. 
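The Indicators of Compromise at the end of this post give one way to look for that kind of move, as an added Python example (editor-supplied, not code from the Team Cymru post): it refangs the defanged C2 URLs, decodes the Base64 path segment that each listed URL carries, and groups hosts that share the same decoded value. On this list every segment decodes to a 12-character hex string, and two pairs of hosts (one IP and one domain, and two domains) share one. That is an observation about these ten URLs only; the post does not say what the token encodes, and the function names are mine.

```python
# Added example (editor-supplied, not code from the Team Cymru post):
# refang the defanged C2 URLs from the IoC list, decode the Base64 path
# segment each one carries, and group hosts that share a decoded value.
# The post documents only that the C2 URL string follows an operator
# when the C2 moves to a new IP; what the token encodes is not stated.
import base64
import binascii
from collections import defaultdict
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Copied verbatim from the Indicators of Compromise section of the post.
IOC_URLS = [
    'https://karmelinanoonethousandbaby[.]net/YzI4MGFhZjI2MmM5/',
    'https://185.198.69[.]111/NTBiZmM4ZDQ2MWY2/',
    'https://2.57.149[.]150/ZTIwNDEzZjM4YjYw/',
    'https://2istanbullu2586[.]xyz/ZTIwNDEzZjM4YjYw/',
    'https://83.97.73[.]195/MzZhMGJjZTJkOGI3/',
    'https://o3c31x4fqdw2[.]lt/MTU2OWE0NzJjNGY5/',
    'https://0n75w55jyk66[.]pw/MTU2OWE0NzJjNGY5/',
    'https://91.240.118[.]224/NjQyNDcyMjE3ZWU3/',
    'https://sanagerekkalmaz1453[.]shop/MTFiMzQ4NGQ2MWU4/',
    'https://185.122.204[.]122/MDViMDU3NDYwMTBm/',
]


def refang(url: str) -> str:
    # Undo the [.] and hxxp defanging so the URL parses normally.
    return url.replace('[.]', '.').replace('hxxp', 'http')


def decode_token(segment: str) -> Optional[str]:
    # Strict Base64 decode; None if the segment is not Base64 or the
    # result is not printable ASCII, so binary noise is not mistaken
    # for a token.
    padded = segment + '=' * (-len(segment) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None
    if not raw or not raw.isascii():
        return None
    text = raw.decode('ascii')
    return text if text.isprintable() else None


def parse_ioc(url: str) -> Tuple[str, str, Optional[str]]:
    # Returns (host, raw first path segment, decoded segment or None).
    parts = urlsplit(refang(url))
    token = parts.path.strip('/').split('/')[0]
    return parts.hostname or '', token, decode_token(token)


def group_by_token(urls: List[str]) -> Dict[str, List[str]]:
    # Hosts sharing a decoded token are candidates for one operator
    # campaign that moved between IPs or domains.
    groups: Dict[str, List[str]] = defaultdict(list)
    for url in urls:
        host, token, decoded = parse_ioc(url)
        groups[decoded or token].append(host)
    return dict(groups)


def is_hex_token(decoded: Optional[str], length: int = 12) -> bool:
    # On this IoC list every decoded token is 12 lowercase hex characters.
    if decoded is None or len(decoded) != length:
        return False
    return all(c in '0123456789abcdef' for c in decoded)


if __name__ == '__main__':
    for token, hosts in group_by_token(IOC_URLS).items():
        label = 'shared' if len(hosts) > 1 else 'single'
        print(token, is_hex_token(token), label, ', '.join(hosts))
```

Grouping by decoded token rather than by host is what makes the pivot useful: a blocklist keyed on IP or domain goes stale as soon as a customer moves, while the path string, like the certificate serial number, appears to travel with the customer. Treat a shared token as a lead to confirm against the certificate data, not as proof on its own.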
In these cases, we found that the\r\ncertificate serial number and associated C2 URL string remained the same, even when moving from one IP\r\naddress to another, as illustrated below.\r\nHaving filtered out false positives, we are now able to monitor all active C2 servers to gain a high-level\r\nunderstanding of current campaigns, drawing out the number of victims and the regions targeted.\r\nReturning to 91.240.118.224 as an example, at the time of our analysis we found that it had 486 bots connected to\r\nit, with approximately 80% of these victims located in Turkey.\r\nExpanding this to look at all active Coper/Octo C2 servers we were aware of at the time of this analysis, we found\r\nthere to be a total of nearly 45,000 bots, with nearly 700,000 SMS messages intercepted from them.\r\nWhen mapping out the locations of the victims, four countries stand out in particular as being heavily targeted by\r\nCoper/Octo campaigns (disclaimer - at the time of our analysis): Portugal, Spain, Turkey, and the United States.\r\nConclusion\r\nThis analysis of the Coper/Octo Android malware-as-a-service operation sheds light on the\r\nsophisticated and evolving nature of mobile malware threats. From its origins in the Exobot family to its current\r\nstatus as a full-fledged malware service, Coper/Octo represents a potential risk to Android users worldwide. 
Its\r\nrange of capabilities, including keylogging, injects, and VNC remote access, underscores the need for heightened\r\nvigilance and security measures among mobile device users.\r\nFurthermore, the examination of Coper/Octo's infrastructure and targeting strategies highlights the global reach\r\nand strategic focus of its operators. By understanding the intricacies of its command-and-control infrastructure and\r\nvictim targeting patterns, security researchers can better mitigate the threat posed by this malware and protect\r\nusers from falling victim to its malicious activities.\r\nAs the threat landscape continues to evolve, it is imperative for both users and security professionals to remain\r\nproactive in identifying and addressing emerging threats like Coper/Octo. By staying informed about the latest\r\ndevelopments in mobile malware and implementing robust security measures, we can collectively work towards a\r\nsafer and more secure mobile ecosystem for all users.\r\nRecommendations\r\nUsers of Pure Signal™ Recon can identify Coper/Octo infrastructure based on tags, and gain more\r\nprecision with an X.509 query using the following parameters:\r\nO: Company\r\nCN: www.example.com\r\nSubject: OU=Department\r\nPort: 443\r\nUsers of Pure Signal™ Scout can use the advanced query language to identify Coper/Octo infrastructure\r\nbased on tags.\r\nEnsure that all mobile devices, particularly Android devices, are running the latest operating system\r\nupdates and security patches. Patching remains good hygiene, but note that the infection chain described here\r\nrelies on social engineering and the Accessibility Service rather than on software vulnerabilities, so declining\r\nAccessibility requests from unexpected apps is the more direct defence.\r\nConsider installing reputable antivirus software on Android devices to detect and remove malware\r\ninfections. 
Regularly scan devices for suspicious activity and malware signatures.\r\nBe vigilant when downloading and installing applications from third-party sources or unknown developers.\r\nIndicators of Compromise\r\nhttps://karmelinanoonethousandbaby[.]net/YzI4MGFhZjI2MmM5/\r\nhttps://185.198.69[.]111/NTBiZmM4ZDQ2MWY2/\r\nhttps://2.57.149[.]150/ZTIwNDEzZjM4YjYw/\r\nhttps://2istanbullu2586[.]xyz/ZTIwNDEzZjM4YjYw/\r\nhttps://83.97.73[.]195/MzZhMGJjZTJkOGI3/\r\nhttps://o3c31x4fqdw2[.]lt/MTU2OWE0NzJjNGY5/\r\nhttps://0n75w55jyk66[.]pw/MTU2OWE0NzJjNGY5/\r\nhttps://91.240.118[.]224/NjQyNDcyMjE3ZWU3/\r\nhttps://sanagerekkalmaz1453[.]shop/MTFiMzQ4NGQ2MWU4/\r\nhttps://185.122.204[.]122/MDViMDU3NDYwMTBm/\r\nSource: https://www.team-cymru.com/post/coper-octo-a-conductor-for-mobile-mayhem-with-eight-limbs",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.team-cymru.com/post/coper-octo-a-conductor-for-mobile-mayhem-with-eight-limbs"
	],
	"report_names": [
		"coper-octo-a-conductor-for-mobile-mayhem-with-eight-limbs"
	],
	"threat_actors": [],
	"ts_created_at": 1775434471,
	"ts_updated_at": 1775791203,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/93c8bd4cd94eabffa7a9834e9bb7dc0b9d7f6f4c.pdf",
		"text": "https://archive.orkl.eu/93c8bd4cd94eabffa7a9834e9bb7dc0b9d7f6f4c.txt",
		"img": "https://archive.orkl.eu/93c8bd4cd94eabffa7a9834e9bb7dc0b9d7f6f4c.jpg"
	}
}