{
	"id": "7157a988-f20b-4300-8161-6d3657bc3082",
	"created_at": "2026-04-06T00:21:57.921805Z",
	"updated_at": "2026-04-10T13:12:24.734437Z",
	"deleted_at": null,
	"sha1_hash": "952ea40b3109a2b101b170075c5e50be663f50d3",
	"title": "Roaming Mantis Group Testing Coinhive Miner Redirects on iPhones",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 941137,
	"plain_text": "Roaming Mantis Group Testing Coinhive Miner Redirects on iPhones\r\nBy Lawrence Abrams\r\nPublished: 2018-10-01 · Archived: 2026-04-02 12:38:05 UTC\r\nAccording to new research by Kaspersky's GReAT team, the online criminal activities of the Roaming Mantis Group have continued to evolve since they were first discovered in April 2018. As part of their activities, this group hacks into exploitable routers and changes their DNS configuration. This allows the attackers to redirect the router users' traffic to malicious Android apps disguised as Facebook and Chrome, or to Apple phishing pages used to steal Apple ID credentials.\r\nRecently, Kaspersky discovered that this group is testing a new monetization scheme by redirecting iOS users to pages that contain the Coinhive in-browser mining script rather than the usual Apple phishing page. When users are redirected to these pages, they are shown a blank page in the browser, but their CPU utilization jumps to 90% or higher.\r\nBlank page utilizing Coinhive\r\nThis is caused by the page utilizing the Coinhive mining script shown below.\r\nhttps://www.bleepingcomputer.com/news/security/roaming-mantis-group-testing-coinhive-miner-redirects-on-iphones/\r\nPage 1 of 4\r\nCoinhive Mining Script\r\nThe day after GReAT discovered this new page, the attackers reverted to redirecting to the Apple phishing page, so this appears to be a test that is not ready for full release.\r\nLimited hacking of Japanese devices\r\nAfter Japanese researchers started releasing reports regarding Roaming Mantis, the group is making an effort to avoid hacking Japanese devices.\r\nOn the landing pages that users were redirected to, Kaspersky noticed JavaScript that checked whether the device's language was set to \"ja\" (Japanese). If the ja language was detected, the page would not offer any malicious applications or redirects to the visitor.\r\nChecking for Japanese Browser Language\r\nThis group also appears to be taking a page out of the adware handbook by promoting scam sites for adult videos, games, music, and downloads.\r\nThese scam sites are being promoted through Prezi.com, a presentation sharing site, where the group creates pages that contain links to URLs at https://tinyurl.com. When a visitor goes to these URLs, though, they are redirected to various scam sites as shown below.\r\nPrezi.com Ads\r\nProtecting your devices\r\nTo protect yourself from attacks like this, make sure that your routers are upgraded to the latest firmware so that any vulnerabilities are patched. Kaspersky also suggests that Android users turn off the ability to install apps from third-party sites.\r\n\"We strongly recommend that Android users turn off the option that allows installation of applications from third-party repositories, to keep their device safe,\" stated Kaspersky's research. \"They should also be suspicious if their phones become unusually hot, which may be a side-effect of the hidden crypto-mining application in action.\"\r\nSource: https://www.bleepingcomputer.com/news/security/roaming-mantis-group-testing-coinhive-miner-redirects-on-iphones/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/roaming-mantis-group-testing-coinhive-miner-redirects-on-iphones/"
	],
	"report_names": [
		"roaming-mantis-group-testing-coinhive-miner-redirects-on-iphones"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c94cb0e9-6fa9-47e9-a286-c9c9c9b23f4a",
			"created_at": "2023-01-06T13:46:38.823793Z",
			"updated_at": "2026-04-10T02:00:03.113045Z",
			"deleted_at": null,
			"main_name": "Roaming Mantis",
			"aliases": [
				"Roaming Mantis Group"
			],
			"source_name": "MISPGALAXY:Roaming Mantis",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f9bc28d0-ce98-4991-84ae-5036e5f9d4e3",
			"created_at": "2022-10-25T16:07:24.546437Z",
			"updated_at": "2026-04-10T02:00:05.029564Z",
			"deleted_at": null,
			"main_name": "Roaming Mantis",
			"aliases": [
				"Roaming Mantis Group",
				"Shaoye"
			],
			"source_name": "ETDA:Roaming Mantis",
			"tools": [
				"MoqHao",
				"Roaming Mantis",
				"SmsSpy",
				"Wroba",
				"XLoader"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434917,
	"ts_updated_at": 1775826744,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/952ea40b3109a2b101b170075c5e50be663f50d3.pdf",
		"text": "https://archive.orkl.eu/952ea40b3109a2b101b170075c5e50be663f50d3.txt",
		"img": "https://archive.orkl.eu/952ea40b3109a2b101b170075c5e50be663f50d3.jpg"
	}
}