{
	"id": "48fbac75-2db1-4415-a2e2-1bb20760ce66",
	"created_at": "2026-04-06T00:22:28.563658Z",
	"updated_at": "2026-04-10T03:34:16.441434Z",
	"deleted_at": null,
	"sha1_hash": "979ea93763791fbd13b6a6ea0492a483686a9659",
	"title": "Mobile Campaign ‘Bouncing Golf’ Affects Middle East",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 70721,
	"plain_text": "Mobile Campaign ‘Bouncing Golf’ Affects Middle East\r\nBy: Ecular Xu, Grey Guo Jun 18, 2019 Read time: 5 min (1348 words)\r\nPublished: 2019-06-18 · Archived: 2026-04-05 17:25:37 UTC\r\nWe uncovered a cyberespionage campaign targeting Middle Eastern countries. We named this campaign “Bouncing Golf” based on the malware’s code in the package named “golf.” The malware involved, which Trend Micro detects as AndroidOS_GolfSpy.HRX, is notable for its wide range of cyberespionage capabilities. Malicious code is embedded in apps that the operators repackaged from legitimate applications. Monitoring the command and control (C\u0026C) servers used by Bouncing Golf, we’ve so far observed more than 660 Android devices infected with GolfSpy. Much of the information being stolen appears to be military-related.\r\nThe campaign’s attack vector is also interesting. These repackaged, malware-laden apps are neither on Google Play nor on popular third-party app marketplaces, and we only saw the website hosting the malicious apps being promoted on social media when we followed GolfSpy’s trail. We were also able to analyze some GolfSpy samples sourced from the Trend Micro mobile app reputation service.\r\nAlso of note is Bouncing Golf’s possible connection to a previously reported mobile cyberespionage campaign that researchers named Domestic Kitten. The strings of code, for one, are similarly structured. The data targeted for theft also have similar formats.\r\nFigure 1. GolfSpy’s infection chain\r\nGolfSpy's Potential Impact\r\nGiven GolfSpy’s information-stealing capabilities, this malware can effectively hijack an infected Android device. Here is a list of information that GolfSpy steals:\r\nDevice accounts\r\nList of applications installed in the device\r\nDevice’s current running processes\r\nBattery status\r\nBookmarks/Histories of the device’s default browser\r\nCall logs and records\r\nClipboard contents\r\nContacts, including those in VCard format\r\nMobile operator information\r\nFiles stored on SDcard\r\nDevice location\r\nList of image, audio, and video files stored on the device\r\nStorage and memory information\r\nConnection information\r\nSensor information\r\nhttps://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/\r\nPage 1 of 4\n\nSMS messages\r\nPictures\r\nGolfSpy also has a function that lets it connect to a remote server to fetch and perform commands, including: searching for, listing, deleting, and renaming files as well as downloading a file into and retrieving a file from the device; taking screenshots; installing other application packages (APK); recording audio and video; and updating the malware.\r\nTechnical Analysis\r\nThe repackaged applications are embedded with malicious code, which can be found in the com.golf package. These repackaged apps pose as communication, news, lifestyle, book, and reference apps popularly used in the Middle East. The GolfSpy malware embedded in the apps is hardcoded with an internal name used by the attacker.\r\nFigure 2. Icons of the apps that Bouncing Golf’s operators repackaged (top) and a comparison of packages between the original legitimate app (bottom left) and GolfSpy (bottom right)\r\nFigure 3. GolfSpy’s configurations encoded by a custom algorithm (right) and its decoded version (left)\r\nAs shown in Figure 3, GolfSpy’s configurations (e.g., C\u0026C server, secret keys) are encoded by a customized algorithm. After it is launched, GolfSpy will generate a unique ID for the affected device and then collect its data such as SMS, contact list, location, and accounts in this format: “%,[],time” (shown in Figure 4). The information is written into a file on the device. The attacker can choose the data types to collect, which are written in a certain format.\r\nFigure 4. Code snippet showing GolfSpy generating UUID\r\nThe value of % is in the range of 1-9 or a-j. Each value represents a different type of data to steal from the device:\r\nValue Data Type\r\n1 Accounts\r\n2 Installed APP list\r\n3 Running processes list\r\n4 Battery status\r\n5 Browser bookmarks and histories\r\n6 Call logs\r\n7 Clipboard\r\n8 Contacts\r\n9 Mobile operator information\r\na File list on SD card\r\nb Location\r\nc Image list\r\nd Audio list\r\ne Video list\r\nf Storage and memory information\r\ng Connection information\r\nh Sensors information\r\ni SMS messages\r\nj VCard format contacts\r\nTable 1. The type of data corresponding to the value coded in GolfSpy\r\nFigure 5 shows the code snippets that are involved in monitoring and recording the device’s phone calls. It will also take a photo using the device’s front camera when the user wakes the device.\r\nApart from collecting the above data, the spyware monitors users’ phone calls, records them, and saves the recorded file on the device. GolfSpy encrypts all the stolen data using a simple XOR operation with a pre-configured key before sending it to the C\u0026C server using the HTTP POST method.\r\nFigure 5. Code snippets showing how GolfSpy monitors phone calls via register receiver (top left), its actions when the device is woken up (top right), and how it encrypts the stolen data (bottom)\r\nThe malware retrieves commands from the C\u0026C server via HTTP, and attackers can steal specific files on the infected device. The command is a constructed string split into three parts using \"\u003cDEL\u003e\" as a separator. The first part is the target directory, the second is a regular expression used to match specific files, while the last part is an ID.\r\nFigure 6. Example of a command that steals specific files from an infected device’s application (top), and GolfSpy’s parse-and-perform command (bottom)\r\nApart from the HTTP POST method, GolfSpy also creates a socket connection to the remote C\u0026C server in order to receive and perform additional commands. Stolen data will also be encrypted and sent to the C\u0026C server via the socket connection. The encryption key is different from the one used for sending stolen data via HTTP.\r\nFigure 7. The additional commands that attackers can carry out via a socket connection (top) and the key used to encrypt the stolen data (bottom)\r\nCorrelating Bouncing Golf's Activities\r\nWe monitored Bouncing Golf’s C\u0026C-related activities and saw that the campaign has affected more than 660 devices as of this writing. The small or limited number is understandable given the nature of this campaign, but we also expect it to increase or even diversify in terms of distribution. Most of the affected devices were located in the Middle East, and much of the stolen data we saw is military-related (e.g., images, documents).\r\nBouncing Golf’s operators also try to cover their tracks. The registrant contact details of the C\u0026C domains used in the campaign, for instance, were masked. The C\u0026C server IP addresses used also appear to be disparate, as they were located in many European countries like Russia, France, Holland, and Germany.\r\nIt’s not a definite correlation, but Bouncing Golf also seems to have a connection with Domestic Kitten due to similarities we found in their code. For example, the Android malware that both deploy share the same strings of code for their decoding algorithm. The data that Domestic Kitten steals follows a format similar to Bouncing Golf’s, with each type of data having a unique identifying character. It’s also worth noting that both campaigns repackage apps that are commonly used in their targets’ countries, such as Telegram, Kik, and Plus messaging apps.\r\nFigure 8. Code snippets showing: the decoding algorithm shared by both Bouncing Golf and Domestic Kitten (top), the format of data that Domestic Kitten’s malware targets to steal (center), and how both Bouncing Golf (bottom left) and Domestic Kitten (bottom right) use \"\u003cDEL\u003e\" as a separator in their command strings.\r\nAs we’ve seen in last year’s mobile threat landscape, we expect more cyberespionage campaigns targeting the mobile platform given its ubiquity, employing tried-and-tested techniques to lure unwitting users. The extent of information that these kinds of threats can steal is also significant, as it lets attackers virtually take over a compromised device. Users should adopt best practices, while organizations should ensure that they balance the need for mobility and the importance of security.\r\nEnd users and enterprises can also benefit from multilayered mobile security solutions such as Trend Micro™ Mobile Security™. Trend Micro™ Mobile Security for Enterprise provides device, compliance and application management, data protection, and configuration provisioning, as well as protects devices from attacks that exploit vulnerabilities, preventing unauthorized access to apps, and detecting and blocking malware and fraudulent websites. Trend Micro’s Mobile App Reputation Service (MARS) covers Android and iOS threats using leading sandbox and machine learning technologies, protecting devices against malware, zero-day and known exploits, privacy leaks, and application vulnerabilities.\r\nA list of indicators of compromise (IoCs) is in this appendix.\r\nSource: https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/"
	],
	"report_names": [
		"mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east"
	],
	"threat_actors": [
		{
			"id": "44d5df14-6a25-41d6-a54c-7c7ebac358cf",
			"created_at": "2023-01-06T13:46:38.817312Z",
			"updated_at": "2026-04-10T02:00:03.111227Z",
			"deleted_at": null,
			"main_name": "Domestic Kitten",
			"aliases": [
				"Bouncing Golf",
				"APT-C-50"
			],
			"source_name": "MISPGALAXY:Domestic Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c80783db-2b34-4321-ac7e-9a13692ffa31",
			"created_at": "2022-10-25T15:50:23.853579Z",
			"updated_at": "2026-04-10T02:00:05.422314Z",
			"deleted_at": null,
			"main_name": "Bouncing Golf",
			"aliases": [
				"Bouncing Golf"
			],
			"source_name": "MITRE:Bouncing Golf",
			"tools": [
				"GolfSpy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "30f6ddb3-f5aa-4b78-a1a5-e37c42b2c560",
			"created_at": "2022-10-25T16:07:23.544297Z",
			"updated_at": "2026-04-10T02:00:04.64999Z",
			"deleted_at": null,
			"main_name": "Domestic Kitten",
			"aliases": [
				"APT-C-50",
				"Bouncing Golf",
				"G0097"
			],
			"source_name": "ETDA:Domestic Kitten",
			"tools": [
				"FurBall",
				"GolfSpy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434948,
	"ts_updated_at": 1775792056,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/979ea93763791fbd13b6a6ea0492a483686a9659.pdf",
		"text": "https://archive.orkl.eu/979ea93763791fbd13b6a6ea0492a483686a9659.txt",
		"img": "https://archive.orkl.eu/979ea93763791fbd13b6a6ea0492a483686a9659.jpg"
	}
}