{
	"id": "44fd00fb-ab37-4ae6-a005-46eb0bb6ede3",
	"created_at": "2026-04-06T00:12:14.337721Z",
	"updated_at": "2026-04-10T13:12:29.115311Z",
	"deleted_at": null,
	"sha1_hash": "97b181642bd5b579ca73a1360778af8d6b4d0109",
	"title": "badbazaar (Malware Family)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 48701,
	"plain_text": "badbazaar (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 18:44:31 UTC\r\nbadbazaar\r\nActor(s): APT15\r\nBadBazaar is a type of malware primarily functioning as a spyware. Designed to compromise Android and iOS\r\ndevices, it is often distributed through malicious apps downloaded from unofficial app stores, third-party websites,\r\nTelegram channels, and social engineering. Once installed, BadBazaar seeks to surveil the victim by intercepting\r\nSMS messages, performing screen recordings, and logging keystrokes on the device. Additionally, it can execute\r\nremote commands and download and install other malicious applications, further compromising the security of the\r\naffected device.\r\nReferences\r\n2025-04-09 ⋅ NCSC UK ⋅ ASD, BND, Bundesamt für Verfassungsschutz, Canadian Centre for Cyber Security (CCCS), FBI, NCSC\r\nUK, New Zealand National Cyber Security Centre (NZ NCSC), NSA\r\nNCSC and partners share guidance for communities at high risk of digital surveillance\r\nbadbazaar\r\n2025-04-09 ⋅ NCSC UK ⋅ ASD, BND, Bundesamt für Verfassungsschutz, Canadian Centre for Cyber Security (CCCS), FBI, NCSC\r\nUK, New Zealand National Cyber Security Centre (NZ NCSC), NSA\r\nAdvisory: BADBAZAAR and MOONSHINE: Spyware targeting Uyghur, Taiwanese and Tibetan groups and\r\ncivil society actors\r\nbadbazaar\r\n2025-04-09 ⋅ NCSC UK ⋅ ASD, BND, Bundesamt für Verfassungsschutz, Canadian Centre for Cyber Security (CCCS), FBI, NCSC\r\nUK, New Zealand National Cyber Security Centre (NZ NCSC), NSA\r\nAdvisory: BADBAZAAR and MOONSHINE: Technical analysis and mitigations\r\nbadbazaar\r\n2023-01-22 ⋅ Lookout ⋅ Alemdar Islamoglu, Justin Albrecht, Kristina Balaam, Ruohan Xiong\r\nBadBazaar: iOS and Android Surveillanceware by China’s APT15 Used to Target Tibetans and Uyghurs\r\nbadbazaar\r\nThere is no Yara-Signature yet.\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/apk.badbazaar\r\nPage 1 of 2\n\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/apk.badbazaar\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/apk.badbazaar\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://malpedia.caad.fkie.fraunhofer.de/details/apk.badbazaar"
	],
	"report_names": [
		"apk.badbazaar"
	],
	"threat_actors": [
		{
			"id": "0a03e7f0-2f75-4153-9c4f-c46d12d3962e",
			"created_at": "2022-10-25T15:50:23.453824Z",
			"updated_at": "2026-04-10T02:00:05.28793Z",
			"deleted_at": null,
			"main_name": "Ke3chang",
			"aliases": [
				"Ke3chang",
				"APT15",
				"Vixen Panda",
				"GREF",
				"Playful Dragon",
				"RoyalAPT",
				"Nylon Typhoon"
			],
			"source_name": "MITRE:Ke3chang",
			"tools": [
				"Okrum",
				"Systeminfo",
				"netstat",
				"spwebmember",
				"Mimikatz",
				"Tasklist",
				"MirageFox",
				"Neoichor",
				"ipconfig"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7d5531e2-0ad1-4237-beed-af009035576f",
			"created_at": "2024-05-01T02:03:07.977868Z",
			"updated_at": "2026-04-10T02:00:03.817883Z",
			"deleted_at": null,
			"main_name": "BRONZE PALACE",
			"aliases": [
				"APT15 ",
				"BRONZE DAVENPORT ",
				"BRONZE IDLEWOOD ",
				"CTG-6119 ",
				"CTG-6119 ",
				"CTG-9246 ",
				"Ke3chang ",
				"NICKEL ",
				"Nylon Typhoon ",
				"Playful Dragon",
				"Vixen Panda "
			],
			"source_name": "Secureworks:BRONZE PALACE",
			"tools": [
				"BMW",
				"BS2005",
				"Enfal",
				"Mirage",
				"RoyalCLI",
				"RoyalDNS"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7c8cf02c-623a-4793-918b-f908675a1aef",
			"created_at": "2023-01-06T13:46:38.309165Z",
			"updated_at": "2026-04-10T02:00:02.921721Z",
			"deleted_at": null,
			"main_name": "APT15",
			"aliases": [
				"Metushy",
				"Lurid",
				"Social Network Team",
				"Royal APT",
				"BRONZE DAVENPORT",
				"BRONZE IDLEWOOD",
				"VIXEN PANDA",
				"Ke3Chang",
				"Playful Dragon",
				"BRONZE PALACE",
				"G0004",
				"Red Vulture",
				"Nylon Typhoon"
			],
			"source_name": "MISPGALAXY:APT15",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434334,
	"ts_updated_at": 1775826749,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/97b181642bd5b579ca73a1360778af8d6b4d0109.pdf",
		"text": "https://archive.orkl.eu/97b181642bd5b579ca73a1360778af8d6b4d0109.txt",
		"img": "https://archive.orkl.eu/97b181642bd5b579ca73a1360778af8d6b4d0109.jpg"
	}
}