{
	"id": "1fcf83df-3b7c-4d98-a129-18e725785f75",
	"created_at": "2026-04-06T00:09:42.539034Z",
	"updated_at": "2026-04-10T13:12:48.404632Z",
	"deleted_at": null,
	"sha1_hash": "9793145accb8504bdb363d1c85f9c28b32f43ba9",
	"title": "Gigabud RAT: Android Malware Posing As Govt Agencies",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2075803,
	"plain_text": "Gigabud RAT: Android Malware Posing As Govt Agencies\r\nPublished: 2023-01-19 · Archived: 2026-04-05 15:05:27 UTC\r\nCRIL analyzes Gigabud RAT, the latest Android malware posing as a government agency to steal sensitive information.\r\nSophisticated Android Malware Strikes Users in Thailand, Philippines, and Peru\r\nCyble Research \u0026 Intelligence Labs (CRIL) discovered a phishing website, hxxp://lionaiothai[.]com, that was impersonating the genuine Thai airline, Thai Lion Air, and tricking victims into downloading a malicious application.\r\nThe downloaded malicious application is a Remote Access Trojan (RAT) which receives commands from the Command and Control (C\u0026C) server and performs various actions. The RAT has advanced features such as screen recording and abuse of the Accessibility Service to steal banking credentials.\r\nDuring our investigation of the RAT, we discovered that the certificate used to sign this malicious application was found in more than 50 similar malicious samples that use the same source code. These samples posed as government agencies, shopping apps, and banking loan applications from Thailand, the Philippines, and Peru.\r\nhttps://blog.cyble.com/2023/01/19/gigabud-rat-new-android-rat-masquerading-as-government-agencies/\r\nPage 1 of 13\n\nFigure 1 – Certificate used to sign RAT present in over 50 malicious apps\r\nSince the discovered RAT is a new and unknown variant, we will refer to it as “Gigabud” due to the consistency of the certificate issuer name across all identified malicious applications.\r\nThe Gigabud RAT malware has been specifically targeting individuals in Thailand since July 2022, and its spread has been increasing each month to other countries. 
Despite the growing number of known samples, no antivirus software detected this malware at the time of writing this blog, suggesting that the Threat Actor (TA) behind the RAT successfully stayed under the radar.\r\nFigure 2 – Zero detection for all malicious samples on VirusTotal\r\nAdditionally, in July 2022, the Department of Special Investigation (DSI) Thailand issued a warning against the phishing site impersonating the DSI website and spreading the same Android RAT. Later, in September 2022, the Thailand Telecommunication Sector Cert (TTC-Cert) discovered the malware “Revenue.apk” associated with the same campaign and issued a technical advisory on its behavior.\r\nAfter the discovery of the Gigabud RAT by TTC-Cert in September, we observed that the TA began distributing the malware in various countries, such as Peru and the Philippines. The malware disguises itself using the icons of government agencies from these countries to trick victims into giving away sensitive information.\r\nThe figure below shows the different icons used by Gigabud RAT.\r\nFigure 3 – Government agency and bank icons used by malware\r\nThese malicious applications impersonate the following entities:\r\n1. Banco de Comercio – A Peruvian bank\r\n2. Advice – An IT company from Thailand\r\n3. Thai Lion Air – A Thai airline\r\n4. Shopee Thailand\r\n5. SUNAT – An organization from Peru\r\n6. DSI – Department of Special Investigation Thailand\r\n7. BIR – Bureau of Internal Revenue, Philippines\r\n8. Kasikornbank Thailand\r\nIn this analysis, we will look at the sample “BANCO DE COMERCIO.apk” (a940c9c54ff69dacc6771f1ffb3c91ea05f7f08e6aaf46e9802e42f948dfdb66), which is impersonating a medium-scale Peruvian bank and stealing sensitive information by offering a fake loan service. 
The in-depth analysis of this malicious sample can be found in the technical analysis section.\r\nTechnical Analysis\r\nAPK Metadata Information\r\nApp Name: BANCO DE COMERCIO\r\nPackage Name: com.cloud.loan\r\nSHA256 Hash: a940c9c54ff69dacc6771f1ffb3c91ea05f7f08e6aaf46e9802e42f948dfdb66\r\nThe figure below shows the metadata information of the application.\r\nFigure 4 – Malicious Application Metadata Information\r\nOnce installed, the malware displays a login screen that prompts users to enter their mobile number and password. The login screen is designed to mimic the user interface of a legitimate bank and uses an icon to deceive the victim into thinking the application is genuine.\r\nFigure 5 – Malware loads the login page\r\nThe malware sends the entered mobile number and password to the C\u0026C server hxxp://bweri6[.]cc and receives the response code 400 with an error message, as shown in the figure below.\r\nFigure 6 – Malware sending the entered mobile number to the C\u0026C server\r\nThe TA behind Gigabud has implemented a server-side verification process to ensure the mobile number entered during registration is legitimate and to limit malicious activity for invalid users. 
This could be the reason for the delayed detection of the malware.\r\nFigure 7 – Malware has a server-side check to validate the mobile number\r\nDuring registration, the malware prompts the victim to provide their name and ID number, and also allows them to select a bank name from a list received from the Command-and-Control server and to enter the cardholder’s name and card number.\r\nFigure 8 – Malware prompting for card details during the registration process\r\nOnce the victim successfully logs in or registers to the malicious app, Gigabud begins gathering information about the installed applications on the device and then runs a service called “OpenService,” which connects to the Command-and-Control server to receive commands, as illustrated in the figure below.\r\nFigure 9 – Malware collecting installed application list\r\nOnce the registration or login is complete, the malware displays a fake loan contract received from the server and then prompts the victim to confirm their information. It also shows a withdrawal activity, as depicted in the figure below.\r\nFigure 10 – Fake loan approval process by malware\r\nThe malware does not show any malicious activity until the final stage, where it presents a “Real Name Authentication” page and prompts the victim to press a “click to activate” button to apply for a loan. Once the button is clicked, the malware requests the victim to grant accessibility permissions, including permission for screen recording and screen overlay.\r\nFigure 11 – Malware displays the authentication page and prompts the victim to grant permissions\r\nAfter the victim grants the accessibility permission, the malware starts exploiting it by automatically enabling the screen recording feature. 
Additionally, the malware requests permission to display over other apps.\r\nFigure 12 – Malware abusing Accessibility service to start screen recording feature\r\nGigabud uses WebSocket connections to send the recorded screen content to the server hxxp://8.219.85[.]91:8888/push-streaming?id=1234. The malware sends the recorded content every second through the WebSocket connection, as shown in the figure below.\r\nFigure 13 – Malware sending screen recording content using WebSocket connection\r\nThe malware connects to the C\u0026C server hxxp://bweri6[.]cc/x/command?token=\u0026width=1080\u0026height=1920 to receive commands and executes various actions such as creating a floating window service, receiving targeted bank details, sending text messages from the infected device, opening targeted applications, and many others.\r\nFigure 14 – Malware processing commands received from the C\u0026C server\r\nThe malware receives the “bankName”, “bankImg” and “bank_id” along with action code “15” from the C\u0026C server. 
The “bankName” is the name of the targeted banking application whose credentials the malware will steal. Upon receiving this command, the malware displays a fake dialog box using the “bankName” and “bankImg” received from the server on top of the targeted banking application and prompts the victim to enter their password.\r\nFigure 15 – Malware receiving targeted bank name to steal credentials\r\nThe password entered by the victim is sent to the server using the Retrofit object. The figure below shows the endpoints and the stolen data sent to the server.\r\nFigure 16 – POST \u0026 GET requests used by malware\r\nThe malware receives the mobile number, the message text, and the action code “5” from the C\u0026C server to send the text message from an infected device.\r\nFigure 17 – Malware sending text messages from an infected device\r\nThe malware also receives a bank card number from the server along with action code “29” and sets it to the clipboard. We suspect that the bank card number could be the TA’s account or card number, which can be used to perform on-device fraud.\r\nFigure 18 – Malware setting the bank card number to the clipboard\r\nConclusion\r\nOur analysis indicates that the Threat Actor has been actively running the campaign since July 2022, mainly targeting victims in Thailand. Later, the campaign expanded to target victims in other countries like Peru and the Philippines. The malware specifically targets genuine victims and conceals its malicious activity from invalid victims. 
The TA has employed a unique technique to evade detection and sustain the campaign for an extended period.\r\nWe also noticed that the Gigabud RAT utilizes screen recording as a primary method for gathering sensitive information instead of using HTML overlay attacks. It also abuses the Accessibility service, like other banking trojans.\r\nThe Threat Actor behind Gigabud is continuously developing new variants of the malware intending to target different countries. New malware variants will likely be discovered in the future, featuring new targets and capabilities.\r\nOur Recommendations\r\nWe have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:\r\nDownload and install software only from official app stores like the Google Play Store or the iOS App Store.\r\nUse a reputable antivirus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.\r\nNever share your card details, CVV number, card PIN, or net banking credentials with an untrusted source.\r\nGovernment agencies and other legitimate organizations never ask for a card PIN or password along with other banking information; avoid sharing such information on any suspicious application.\r\nUse strong passwords and enforce multi-factor authentication wherever possible.\r\nEnable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.\r\nBe wary of opening any links received via SMS or emails delivered to your phone.\r\nEnsure that Google Play Protect is enabled on Android devices.\r\nBe careful while enabling any permissions.\r\nKeep your devices, operating systems, and applications updated.\r\nMITRE 
ATT\u0026CK® Techniques\r\nTactic | Technique ID | Technique Name\r\nInitial Access | T1476 | Deliver Malicious App via Other Means\r\nInitial Access | T1444 | Masquerade as a Legitimate Application\r\nDiscovery | T1418 | Application Discovery\r\nCollection | T1513 | Screen Capture\r\nCredential Access | T1411 | Input Prompt\r\nImpact | T1582 | SMS Control\r\nImpact | T1510 | Clipboard Modification\r\nCommand and Control | T1436 | Commonly Used Port\r\nExfiltration | T1567 | Exfiltration Over Web Service\r\nIndicators of Compromise (IOCs)\r\nIndicator | Indicator Type | Description\r\na940c9c54ff69dacc6771f1ffb3c91ea05f7f08e6aaf46e9802e42f948dfdb66 | SHA256 | Hash of analyzed malicious APK\r\n1012a7627b6b82e3afb87380bbfda515764ce0a6 | SHA1 | Hash of analyzed malicious APK\r\nca6aa6c5a7910281a899695e61423079 | MD5 | Hash of analyzed malicious APK\r\nhxxp://8.219.85[.]91:8888/push-streaming?id=1234 | URL | C\u0026C server used to send screen recording content\r\nhxxp://bweri6[.]cc/x/command?token=\u0026width=1080\u0026height=1920 | URL | C\u0026C server used to receive commands and send stolen data\r\nec1e2ff5c72c233f2b5ad538d44059a06b81b5e5da5e2c82897be1ca4539d490 | SHA256 | Hash of malicious LionAir APK\r\nea5359c8408cdb4ebb7480704fe06a8e3bfa37c3 | SHA1 | Hash of malicious LionAir APK\r\nb2429371b530d634b2b86c331515904f | MD5 | Hash of malicious LionAir APK\r\nhxxp://lionaiothai[.]com | URL | Malware distribution site\r\nhxxp://cmnb9[.]cc | URL | C\u0026C server used to receive commands and send stolen data\r\nSource: 
https://blog.cyble.com/2023/01/19/gigabud-rat-new-android-rat-masquerading-as-government-agencies/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.cyble.com/2023/01/19/gigabud-rat-new-android-rat-masquerading-as-government-agencies/"
	],
	"report_names": [
		"gigabud-rat-new-android-rat-masquerading-as-government-agencies"
	],
	"threat_actors": [],
	"ts_created_at": 1775434182,
	"ts_updated_at": 1775826768,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9793145accb8504bdb363d1c85f9c28b32f43ba9.pdf",
		"text": "https://archive.orkl.eu/9793145accb8504bdb363d1c85f9c28b32f43ba9.txt",
		"img": "https://archive.orkl.eu/9793145accb8504bdb363d1c85f9c28b32f43ba9.jpg"
	}
}