{
	"id": "67cbb17c-26c3-489a-8a76-4af1753298f0",
	"created_at": "2026-04-06T00:15:17.5584Z",
	"updated_at": "2026-04-10T03:36:33.455982Z",
	"deleted_at": null,
	"sha1_hash": "941da85a0c407136b133d2fc9de0346651b03ddc",
	"title": "Triada Trojan in WhatsApp mod",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 330679,
	"plain_text": "Triada Trojan in WhatsApp mod\r\nBy Igor Golovin\r\nPublished: 2021-08-24 · Archived: 2026-04-05 17:03:45 UTC\r\nMalware descriptions\r\n24 Aug 2021\r\n2 minute read\r\nhttps://securelist.com/triada-trojan-in-whatsapp-mod/103679/\r\n\r\nWhatsApp users sometimes feel the official app is lacking a useful feature of one sort or another, be it animated themes, self-destructing messages which automatically delete themselves, the option of hiding certain conversations from the main list, automatic translation of messages, or the option of viewing messages that have been deleted by the sender. This is where amateurs step in with modified versions of WhatsApp which offer extra features. These mods can contain ads, usually in the form of various banners displayed in the app. However, we discovered that the Trojan Triada sneaked into one of these modified versions of the messenger, FMWhatsapp 16.80.0, together with the advertising software development kit (SDK). This is similar to what happened with APKPure, where the only malicious code embedded in the app was a payload downloader.\r\nTrojan loaded from advertising SDK\r\nWe detect the Trojan modification as Trojan.AndroidOS.Triada.ef.\r\nHow Triada operates\r\nOnce the app is launched, the malware gathers unique device identifiers (Device IDs, Subscriber IDs, MAC addresses) and the name of the app package where they’re deployed. The collected information is sent to a remote server to register the device. It responds by sending a link to a payload which the Trojan downloads, decrypts and launches.\r\nDecrypting and launching a malicious payload\r\nBy analyzing the statistics on files downloaded by FMWhatsapp, we identified a number of different types of malware:\r\nTrojan-Downloader.AndroidOS.Agent.ic (MD5: 92b5eedc73f186d5491ec3e627ecf5c0) downloads and launches other malicious modules.\r\nTrojan-Downloader.AndroidOS.Gapac.e (MD5: 6a39493f94d49cbaaa66227c8d6db919) also downloads and launches other malicious modules. Apart from that, it displays full-screen ads when users least expect them to pop up.\r\nTrojan-Downloader.AndroidOS.Helper.a (MD5: 61718a33f89ddc1781b4f43b0643ab2f) downloads and launches the xHelper Trojan installer module. It also runs invisible ads in the background to increase the number of views they get.\r\nTrojan.AndroidOS.MobOk.i (MD5: fa9f9727905daec68bac37f450d139cd) signs the device owner up for paid subscriptions.\r\nThe MobOk Trojan opens the subscription page in an invisible window to click “subscribe” while posing as the user, and intercepts the confirmation code to confirm the subscription.\r\nTrojan.AndroidOS.Subscriber.l (MD5: c3c84173a179fbd40ef9ae325a1efa15) also serves to sign victims up for premium subscriptions.\r\nTrojan.AndroidOS.Whatreg.b (MD5: 4020a94de83b273f313468a1fc34f94d) signs in WhatsApp accounts on the victim’s phone. The malware gathers information about the user’s device and mobile operator, then sends it to the command and control server (C\u0026C server). The server responds with an address to request a confirmation code and other information required to sign in. The attackers seem to have done their homework on the protocol WhatsApp uses.\r\nObtaining information for signing in\r\nOnce the necessary IDs have been collected, the malware requests a verification code.\r\nRequesting an SMS confirmation code\r\nIt’s worth highlighting that FMWhatsapp users grant the app permission to read their SMS messages, which means that the Trojan and all the further malicious modules it loads also gain access to them. This allows attackers to automatically sign the victim up for premium subscriptions, even if a confirmation code is required to complete the process.\r\nWe don’t recommend using unofficial modifications of apps, especially WhatsApp mods. You may well end up with an unwanted paid subscription, or even lose control of your account altogether, which attackers can hijack to use for their own purposes, such as spreading spam sent in your name.\r\nIOC\r\nMD5\r\nTrojan.AndroidOS.Triada.ef b1aa5d5bf39fee0b1e201d835e4dc8de\r\nC\u0026C\r\nhttp://t1k22.c8xwor[.]com:13002/\r\nhttps://dgmxn.c8xwor[.]com:13001/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://securelist.com/triada-trojan-in-whatsapp-mod/103679/"
	],
	"report_names": [
		"103679"
	],
	"threat_actors": [
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "04a7ebaa-ebb1-4971-b513-a0c86886d932",
			"created_at": "2023-01-06T13:46:38.784965Z",
			"updated_at": "2026-04-10T02:00:03.099088Z",
			"deleted_at": null,
			"main_name": "Inception Framework",
			"aliases": [
				"Clean Ursa",
				"Cloud Atlas",
				"G0100",
				"ATK116",
				"Blue Odin"
			],
			"source_name": "MISPGALAXY:Inception Framework",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f35997d9-ca1e-453f-b968-0e675cc16d97",
			"created_at": "2023-01-06T13:46:39.490819Z",
			"updated_at": "2026-04-10T02:00:03.345364Z",
			"deleted_at": null,
			"main_name": "Evasive Panda",
			"aliases": [
				"BRONZE HIGHLAND"
			],
			"source_name": "MISPGALAXY:Evasive Panda",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "05cb998c-6e81-47f0-9806-ee4fda72fe0a",
			"created_at": "2024-11-01T02:00:52.763555Z",
			"updated_at": "2026-04-10T02:00:05.263997Z",
			"deleted_at": null,
			"main_name": "Daggerfly",
			"aliases": [
				"Daggerfly",
				"Evasive Panda",
				"BRONZE HIGHLAND"
			],
			"source_name": "MITRE:Daggerfly",
			"tools": [
				"PlugX",
				"MgBot",
				"BITSAdmin",
				"MacMa",
				"Nightdoor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "812f36f8-e82b-41b6-b9ec-0d23ab0ad6b7",
			"created_at": "2023-01-06T13:46:39.413725Z",
			"updated_at": "2026-04-10T02:00:03.31882Z",
			"deleted_at": null,
			"main_name": "BRONZE HIGHLAND",
			"aliases": [
				"Evasive Panda",
				"Daggerfly"
			],
			"source_name": "MISPGALAXY:BRONZE HIGHLAND",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "19ac84cc-bb2d-4e0c-ace0-5a7659d89ac7",
			"created_at": "2022-10-25T16:07:23.422755Z",
			"updated_at": "2026-04-10T02:00:04.592069Z",
			"deleted_at": null,
			"main_name": "Bronze Highland",
			"aliases": [
				"Daggerfly",
				"Digging Taurus",
				"Evasive Panda",
				"Storm Cloud",
				"StormBamboo",
				"TAG-102",
				"TAG-112"
			],
			"source_name": "ETDA:Bronze Highland",
			"tools": [
				"Agentemis",
				"CDDS",
				"CloudScout",
				"Cobalt Strike",
				"CobaltStrike",
				"DazzleSpy",
				"KsRemote",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MacMa",
				"Macma",
				"MgBot",
				"Mgmbot",
				"NetMM",
				"Nightdoor",
				"OSX.CDDS",
				"POCOSTICK",
				"RELOADEXT",
				"Suzafk",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4f7d2815-7504-4818-bf8d-bba18161b111",
			"created_at": "2025-08-07T02:03:24.613342Z",
			"updated_at": "2026-04-10T02:00:03.732192Z",
			"deleted_at": null,
			"main_name": "BRONZE HIGHLAND",
			"aliases": [
				"Daggerfly",
				"Daggerfly ",
				"Evasive Panda ",
				"Evasive Panda ",
				"Storm Bamboo "
			],
			"source_name": "Secureworks:BRONZE HIGHLAND",
			"tools": [
				"Cobalt Strike",
				"KsRemote",
				"Macma",
				"MgBot",
				"Nightdoor",
				"PlugX"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "02c9f3f6-5d10-456b-9e63-750286048149",
			"created_at": "2022-10-25T16:07:23.722884Z",
			"updated_at": "2026-04-10T02:00:04.72726Z",
			"deleted_at": null,
			"main_name": "Inception Framework",
			"aliases": [
				"ATK 116",
				"Blue Odin",
				"Clean Ursa",
				"Cloud Atlas",
				"G0100",
				"Inception Framework",
				"Operation Cloud Atlas",
				"Operation RedOctober",
				"The Rocra"
			],
			"source_name": "ETDA:Inception Framework",
			"tools": [
				"Lastacloud",
				"PowerShower",
				"VBShower"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434517,
	"ts_updated_at": 1775792193,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/941da85a0c407136b133d2fc9de0346651b03ddc.pdf",
		"text": "https://archive.orkl.eu/941da85a0c407136b133d2fc9de0346651b03ddc.txt",
		"img": "https://archive.orkl.eu/941da85a0c407136b133d2fc9de0346651b03ddc.jpg"
	}
}