{
	"id": "4ee63e39-47d7-40a9-8d26-6862d4fc8a07",
	"created_at": "2026-04-06T00:15:30.06638Z",
	"updated_at": "2026-04-10T13:11:18.98526Z",
	"deleted_at": null,
	"sha1_hash": "9e68ac12525683d242b7af6c8659b83f4c39c961",
	"title": "The Brief Glory of Cabassous/FluBot — a private Android banking botnet",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2221026,
	"plain_text": "The Brief Glory of Cabassous/FluBot — a private Android banking botnet\r\nBy Aleksejs Kuprins\r\nPublished: 2021-03-16 · Archived: 2026-04-05 19:27:39 UTC\r\nIntroduction\r\nA novel piece of banking malware for Android OS surfaced around December 2020, attacking users in Spain. In this article, we will discuss the timeline of its existence, the targeted apps, the current size and spread of the botnet, as well as the techniques and capabilities the authors have employed, and speculate about how effective they are.\r\nWe have found neither indications of its name/alias nor any sales threads within the underground forums. The latter fact suggests that the malware is likely a private bot, which means that it will have a small client base in the future and no advertisement campaigns.\r\nTimeline of Events\r\nWe discovered the first in-the-wild samples during late December 2020. Since then, the ‘version’ field in the malware’s configuration file has been incremented rather frequently, with new features and fixes added every week.\r\nhttps://medium.com/csis-techblog/the-brief-glory-of-cabassous-flubot-a-private-android-banking-botnet-bc2ed7917027\r\nPage 1 of 16\r\nThe first piece of analysis about Cabassous that we can find came on January 06 from ThreatFabric. Moving onward, several researchers have been publicly documenting the malware’s spreading campaign on Twitter. Our sinkhole statistics were showing that Cabassous was growing very fast, until it reached around 60,000 infections. At that moment, it suffered a major blow from the Spanish law enforcement authorities on the day of publication of the analysis by PRODAFT.\r\nThe Spanish authorities coordinated with PRODAFT and arrested 4 suspected members of the criminal group on March 05.\r\nCatalan police released the video of the arrest\r\nUnfortunately, the arrest did not bring the operation to a complete halt. 
The C\u0026C server was offline on March 05; however, the campaign was restored a couple of days later. At the time of writing, Cabassous is alive and well, spreading the malware, defrauding its victims and even continuing the development of the bot, although the rate of new infections has slowed down.\r\nAlberto Segura reports on the changes in the malware, days after the arrests in Spain\r\nThe same week, the malware started to spread in Poland with a similar phishing theme. The list of targeted apps has not changed yet; the latest known version at the moment of writing is 3.6.\r\nOur sinkhole stats indicate that there has indeed been a fall in the spreading of Cabassous after 5 March, when the number of infections dropped from ~40k unique connections per day down to ~15k in two days. The statistics continue to fall after that for a different reason — the authors have updated the domain generation algorithm in the newly distributed samples.\r\nStats from the sinkholed domain nfiuerwtftasnuk[.]com\r\nAttention: This is a sinkhole\r\nSpeaking of sinkholes, the C\u0026C server’s proxy used to display a curious message back in January, which was intended either to deter researchers from looking at the server or just as an attempt at humor. Likely the latter. It is quite simple — the server’s HTTP response to the root “/” URI was the following text: “Attention: this is a sinkhole”. Sinkhole is a term used by security researchers that describes a web server set up to have malicious domains pointing at it. This is done in order to monitor or hijack a botnet, as the malware would connect to it, believing that it is the legitimate C\u0026C server. 
However, in this case it is just a fake message that means nothing; it is in fact the real C\u0026C server’s proxy into its backend.\r\nIndex page of the C\u0026C server\r\nAround the end of February 2021, the above message was changed to a strongly worded greeting phrase for researchers in Russian, together with a quote by Dmitriy Medvedev and a video montage of him dancing to an old Russian pop song about “American boy” and “Balalaika” from the 90s. Obviously, this page is reserved for “public relations”, and the original message about the sinkhole is more of a joke rather than a legitimate attempt to conceal the server’s location.\r\n“Greetings, researcher-****s. We wish you well, good mood and health!”\r\nSpreading\r\nThe main target and most of the current bot pool is the mobile banking and cryptocurrency users from Spain. The spreading campaign is the widely tested scheme of impersonating postal and delivery services. A given victim first receives an SMS message about a package delivery with a link to a fake page of the postal service. Upon visiting, the victim is prompted to download the package tracking app, which in fact is the malware. 
The majority of infections likely come from the bot’s SMS spam: upon infection, the bot sends the local contact list over to the C\u0026C server, then requests the spam message and receives it together with the number to send it to.\r\nSamples of the SMS spam\r\nThe less frequently seen versions of the malware lure impersonate the DHL and FedEx delivery services:\r\nDelivery services themed lures\r\nWe estimate the botnet to currently be around 60k unique infections in total.\r\nCurrent spread of Cabassous around Europe\r\nAbout half of the infected devices are running Android 10. Supporting the latest versions of Android OS seems to be working out very well for Cabassous:\r\nDistribution of infected operating systems\r\nThe following applications are targeted by overlay attacks (aka injects). Spanish banking apps:\r\n“Bankinter Móvil” — com.bankinter.launcher\r\n“BBVA Spain | Online banking” — com.bbva.bbvacontigo\r\n“Cajasur” — com.cajasur.android\r\n“Grupo Cajamar” — com.grupocajamar.wefferent\r\n“Imagin. 
Much more than an app to manage your money” — com.imaginbank.app\r\n“Kutxabank” — com.kutxabank.android\r\n“ruralvía” — com.rsi\r\n“Banca Móvil Laboral Kutxa” — com.tecnocom.cajalaboral\r\n“Santander” — es.bancosantander.apps\r\n“Bankia” — es.cm.android\r\n“EVO Banco móvil” — es.evobanco.bancamovil\r\n“Ibercaja” — es.ibercaja.ibercajaapp\r\n“CaixaBankNow” — es.lacaixa.mobile.android.newwapicon\r\n“Banca Digital Liberbank” — es.liberbank.cajasturapp\r\n“Openbank — banca móvil” — es.openbank.mobile\r\n“Pibank” — es.pibank.customers\r\n“UnicajaMovil” — es.univia.unicajamovil\r\n“Banco Sabadell App. Your mobile bank” — net.inverline.bancosabadell.officelocator.android\r\n“ING España. Banca Móvil” — www.ingdirect.nativeframe\r\nCryptocurrency apps:\r\n“Binance: Bitcoin Marketplace \u0026 Crypto Wallet” — com.binance.dev\r\n“Coinbase — Buy \u0026 Sell Bitcoin. Crypto Wallet” — com.coinbase.android\r\n“Blockchain.com Wallet — Buy Bitcoin, ETH, \u0026 Crypto” — piuk.blockchain.android\r\nHere are a few examples of the inject screens:\r\nWebinjects targeting Spanish speaking users\r\nCapabilities\r\nAs mentioned above, Cabassous’s main business is banking fraud. 
It provides the following functionality:\r\nIntercept SMS messages\r\nSend SMS messages and automated contact list spam\r\nDisplay overlays/injects for banking and cryptocurrency apps, as well as a generic credit card phishing screen\r\nSteal contacts\r\nOpen URLs\r\nDisable PlayProtect\r\nRun USSD commands\r\nUninstall App\r\nSOCKS proxy\r\nThe overlays are displayed using the standard WebView.\r\nCabassous loading an overlay\r\nTechniques\r\nThere are two techniques worth noting in this case: the obfuscation and the C\u0026C communication.\r\nMost of the samples are packed with Tencent’s Legu Packer application. This solution encrypts the APK file and hides its content from simple sandbox services. However, it is also trivial to unpack using either software like Frida or the Xposed Framework, or the apklab.io service.\r\nThe second layer of obfuscation is the string encryption. The software package for that was taken from a public GitHub repository. This means that after the first layer (Tencent Legu) is unpacked, you are still looking at the malware code with all of its strings packed into a single class in an encrypted state, while any uses of the strings are replaced with calls to the obfuscator’s de-obfuscation routine, which only allows the strings to be decrypted at runtime. This obfuscation is also trivial to bypass using any runtime hooking method, such as Frida or the Xposed Framework.\r\nPublic GitHub repository of the string obfuscation module\r\nCommunication\r\nThe specialty of the C\u0026C communication of this malware is the rare use of a DGA (Domain Generation Algorithm) module. 
Normally a piece of malware comes with a domain name or an IP address of the C\u0026C server embedded into it. The use of a DGA is a different approach — instead of connecting to a predefined address, the malware carries a block of code that manipulates text and/or digits in a specific way. The output of this operation is a list of possible domain addresses, typically a lot of them — 2000 (5000 as of version 3.6) in the case of Cabassous.\r\nEvery time the malware starts up, it generates a set of possible domain names of the C\u0026C server, tries to resolve them and then connects to the first one that resolves to an IP address and is not offline. The strength of this technique is the resilience against domain takedowns. In the event of the current C\u0026C server domain getting seized and taken down by either law enforcement or the domain registry service, the malware still has a lot of other domains to use. The threat actors can then simply register a new domain from the list and all of the infected devices will automatically connect to it, thus being completely unaffected by the takedown.\r\nUsually malware with a DGA module will begin its domain generation from a given seed value, like a short string. This value can be updated frequently by the criminals in order to prevent investigators from being able to predict their future domains and block them all before they are even used. However, the authors of Cabassous took a different approach: the seed of their algorithm is the combined string of the digits of the current year and month. They have also not added any mechanism to update the seed, or the malware itself. 
Basically, this means that anyone can run their malware on an analysis device with the system date set to the next month and predict all of the future generated domains. They can then block all of these domains at the DNS level within their organization.\r\nThe DGA seed is based on the current year and month\r\nThe order of the generated domains in this case is also intentionally randomized, but not to a great extent. It appears that the generated lists of domains are very similar, with just a few differences. In our tests we observed a certain degree of predictability. To measure it, we ran the malware on a device with the date set to the first day of the next month, then we wrote down the first 10 out of 2000 generated domains. Then we ran the test 10 more times. Around 5 domains from the first run’s first 10 domains would appear within the first 10 domains in the following 10 tests, usually in an almost identical position in the order of generation.\r\nDGA order randomization feature\r\nVersion 3.6 of Cabassous has introduced an actual full randomization of the domain order, using the standard Java library method Collections.shuffle().\r\nThe DGA module also protects the botnet from hijacking. Since the domains can be predicted and anyone can register the future domains of the malware, in theory one should be able to steal all of the bots from the criminals. However, Cabassous has implemented a server verification mechanism. The bot’s outgoing messages to the C\u0026C are encrypted with the server’s public key. This means that no one will be able to decrypt the hijacked traffic until they obtain the private key from the C\u0026C server. 
The incoming traffic is encrypted with simple XOR, which does not matter much.\r\nWhenever the bot first connects to a server, it sends it a PKI-encrypted bot ID string. It then expects the server to be able to decrypt it and send it back. The DGA module will move on to the next domain if the server does not respond with the same bot ID.\r\nOutgoing traffic encryption with an embedded public key\r\nThe list of commands that the server can exchange with the bot is included in the IOC section of this article.\r\nThe DGA domains point to a server running an instance of PRIVOXY, software that forwards the requests to the real server, as another measure of takedown resilience. Early on in the campaign we observed the server leaking the real backend address via the PRIVOXY info page: hkwl6qgewwvj2q7rtfxehu3jq3cypvr435u4vby3dwo4lwuxi47i5bqd[.]onion. Very soon the misconfiguration was fixed and the onion address was changed.\r\nMisconfigured PRIVOXY info page\r\nSummary\r\nThe threat actors in this case are definitely somewhat savvy and hardly beginners in the business. The authors started out by targeting just one country, knowing full well that defrauding even one country takes a lot of effort. There is no need to make too much noise in other countries when you know up front that you will not have enough time to defraud their victims. While taking those careful steps, they probably felt that their private malware could become unique, so they stuffed it with a DGA module. Domain generation is very rarely used in Android malware.\r\nThe authors release updates to the malware code every few days, which is quite frequent. 
Despite the many successes, the arrests have still taken place and we may see more of them.\r\nThe implementation of the DGA is unique and secure. Throwing PKI cryptography on the bot’s outgoing messages and only simple XOR on the incoming messages shows that the criminals know about the hijacking risks and how to address the issue. We speculate that the criminals might rent the botnet out for use by other carders, at which point we will start seeing other countries being targeted by it.\r\nFor now, we recommend being very careful about dealing with your package tracking, since this infection vector has proven itself incredibly viable and effective. Whenever you expect a package, we recommend that you copy the tracking number from your email and then navigate to the website of the delivery service manually. This way, you avoid clicking the links which you receive over SMS or email. Also, your delivery service would always have their real tracking app published on the official application stores — that is, the Apple App Store for iOS devices and Google Play for Android devices. 
Getting the app only from the official store makes it far less likely that you will download a fake malicious version instead.\r\nReferences\r\nhttps://twitter.com/ThreatFabric/status/1346807891152560131 — ThreatFabric’s initial report on Cabassous\r\nhttps://raw.githubusercontent.com/prodaft/malware-ioc/master/FluBot/FluBot.pdf — PRODAFT’s analysis paper\r\nhttps://twitter.com/alberto__segura/status/1368833293051977735 — Alberto Segura’s report on version 3.4 after the arrests in Spain\r\nhttps://twitter.com/danlopgom/status/1359966295307993091 — Daniel López’s collection of spam domains\r\nhttps://github.com/MichaelRocks/paranoid/ — open-source string obfuscator “paranoid”\r\nhttps://frida.re/ — powerful runtime debugging framework for Android and other platforms\r\nhttps://www.xda-developers.com/xposed-framework-hub/ — runtime hooking framework Xposed\r\nhttps://www.privoxy.org/ — the free web proxying software which the Cabassous criminals have used to hide their real malware backend\r\nhttps://blog.quarkslab.com/a-glimpse-into-tencents-legu-packer.html — analysis of Tencent’s Legu packer\r\nIOC\r\nBot Commands\r\nPREPING\r\nPING\r\nLOG\r\nSMS_RATE\r\nGET_SMS\r\nGET_INJECT\r\nGET_INJECTS_LIST\r\nCONTACTS\r\nSMS\r\nINTERCEPTING\r\nINTERCEPTING_ERR_NOT_DEF\r\nAMI_DEF_SMS_APP\r\nINJECT\r\nBAL_GRABBER\r\nEXCEPTION\r\nGET_CONTACTS\r\nSMS_INT_TOGGLE\r\nOPEN_URL\r\nDISABLE_PLAY_PROTECT\r\nCARD_BLOCK\r\nSEND_SMS\r\nRELOAD_INJECTS\r\nRETRY_INJECT\r\nRUN_USSD\r\nUNINSTALL_APP\r\nBLOCK\r\nSOCKS\r\nNONE\r\nC2 proxy IPs\r\n8.209.76.91\r\n8.209.80.73\r\n8.208.101.253\r\nOld C2 backend onion address\r\nhkwl6qgewwvj2q7rtfxehu3jq3cypvr435u4vby3dwo4lwuxi47i5bqd[.]onion\r\nSpam/APK 
delivery URLs (cheers to @danlopgom on his twitter)\r\n7277320[.]ru/app/\r\nacoi[.]my/fedex/\r\nailnoir[.]com/app/\r\naminatech[.]net/fedex/\r\namzstudy[.]com/pack/\r\napp[.]crconsultoriacontable[.]com/info/\r\navacoper[.]com/fedex/\r\nblog[.]sidmach[.]com/app/\r\nboattrip[.]amsterdam/info/\r\nbuguilou[.]com/p/\r\nbxc[.]net[.]au/fedex/\r\ncanopusbd[.]com/fedex/\r\ncashboxcafe[.]ru/web/\r\nchevychasefarmersmarket[.]org/info/\r\nclone[.]app[.]home-cost[.]com/app/\r\ncolegioaugustoribeiro[.]com[.]br/fedex/\r\ncontornosdesign[.]pt/pkg/\r\ncwfplaceoptin[.]com/info/\r\ndclifechanging[.]com/fedex/\r\ndelhi[.]tie[.]org/p/\r\ndgeneration[.]in/pack/\r\ndiamondcup[.]gr/fedex/\r\ndibae[.]blog/fedex/\r\ndilalla[.]com[.]ar/web/\r\nekremakin[.]org/pack/\r\nelonatheexplorer[.]com/fedex/\r\nerbiltursu[.]com/app/\r\nericom[.]ltd/fedex/\r\nfallenjewellery[.]com/fedex/\r\nfbtataw[.]w99[.]hk-network[.]com/web/\r\nganesha[.]com[.]py/web/\r\ngeeklevi[.]com/fedex/\r\nilluminate[.]org/info/\r\ninvestisho[.]com/fedex/\r\nkakagems[.]com/fedex/\r\nkeyofislam[.]com/dhl/\r\nkidimy[.]org/pkg/\r\nlacasa-dh[.]nl/pack/\r\nlavozislamica[.]com/www/\r\nlgklgklgk[.]com/fedex/\r\nmagicboximportados[.]com[.]br/web/\r\nmartinsinnovativeproductsoptin[.]com/app/\r\nmaskarena[.]co[.]il/fedex/\r\nmicrodreamit[.]net/info/\r\nmir2018[.]mrororr[.]ru/fedex/\r\nmmcamping[.]com/app/\r\nnbkangxi[.]com/pack/\r\nnbkfinance[.]ru/fedex/\r\nnjzmfcls[.]com/fedex/\r\nnuevocalor[.]com/fedex/\r\noffx[.]link/info/\r\nordermy[.]vn/web/\r\nouyangpengcheng[.]xyz/p/\r\nparadjsproductores[.]club/fedex/\r\npochitto-daikou[.]com/info/\r\nprtysh[.]in/app/\r\nraeloficial[.]com/pkg/\r\nraisegroup[.]it/fedex/\r\nrasf[.]sa/fedex/\r\nrees[.]games/app/\r\nrishipes[.]co[.]nz/pack/\r\nryansa[.]com/pkg/\r\nsafemarkglobal[.]com/fedex/\r\nsimplestepsllc[.]com/info/\r\nsmcsme[.]com/fedex/\r\nspave[.]com[.]pk/p/\r\nstandwithsabeena[.]com/info/\r\ntacloban[.]gov[.]ph/info/\r\ntest[.]runningandliving[.]com/info/\r\ntesttaglabel[.]com/web/\r\nthetopinterioraccentsoptin[.]com/web/\r\ntopblackfridaydealz[.]com/web/\r\ntourvoltaire[.]fr/app/\r\ntrophygamer[.]de/app/\r\nvalleclean[.]com/fedex/\r\nverdun[.]com[.]br/app/\r\nviralfeeds[.]net/fedex/\r\nvisotka[.]in/pack/\r\nwalton[.]circusvn[.]com/dhl/\r\nwebelevates[.]com/app/\r\nweboyal[.]com/p/\r\nwittyx[.]com/fedex/\r\nwowfollowers[.]com/fedex/\r\nxn--thvitstore-c7a[.]com/pack/\r\nyangbin[.]100cuo[.]com/pack/\r\nylem222[.]com/p/\r\nyourelectricians[.]co[.]uk/app/\r\nzyzlk[.]com/pack/\r\nSHA256\r\nd22c5db75f6260823e83057721a2d3e90a9821bdbc81ec52683e8cce49d9a49d\r\n80260cc2e49e1014d64f871f5cc89754ecd0124337e3ce0a2ec9c2ec7f65c726\r\n86e40d6ceb89373b121e9ce0c6af8777d976ceb7931edfe42eeba2646bc2f778\r\n68d377abecc0b4505cc05552f602abed314ad75fea766086376cadd7ea5a09b0\r\n78397b3bc5bb086787474d81a3cea6a6c58f89931c7bb19eb52b1795b2695cdc\r\n804e48d95ee79a82d05e8616155e6ef9bf17277d01ab2ef900f67292ce1b8d56\r\n2ac92933595be179484d18b672645d763a8177db4bc48826c4a688726f291084\r\n31140a45bbd38bd69df903efe9d9fee1c08e620a3de102a3533bbbe583b3060e\r\n13cf22d878e208ea3d290532612e0f2fd805732c2e4c93f5b263bebc21eca801\r\ncf7ab4597dd8530b36bdebdb5b94ea89e49450ace25acdcdfaaa603f22e21842\r\nb8e728113d204794f5b566d14a4f8b1e9aaf1042aec336104ea08ba57f9bd594\r\na2f1e1fa5c54caf389db3d987689e658944c63f784191b812fa2632fc088deca\r\n60fee547a07856bb7fd5dfa8434d02403a8204b6b405f3398f8f1547b4bc57ac\r\n19e6e34762a605989fa2b1bedfd1e7333e77c6c8528622813db5f69affd0bd6e\r\n5bb121bf54f3317dfe65e6382040d4366244bab84e40a5f6dae966be0f4933f6\r\n6de8e6aeda050c499a2908be94209153f2f86b46e71cb33524e445a8c8b058a7\r\nd0d5065262bc77c1cecd94c44a4c754e64657110d3de8904e8ad5e55e4a271e8\r\nb66cf091750015413f63d048de8eb05b41d3e0d7e6ee33b86ae852f5bca40a66\r\n67cd309e42e9b3cabbea8c4ecb4d37235fa209b52356cfc23b505e81cb9e491b\r\ncb1b15162f8a776a2942379f34459d784162ac7ccc4c312458d8ee1fd3712b41\r\nC2 proxy DGA domains (a short batch of them for the sake of example)\r\nafhckrfcucjbpln.com\r\naoeaqxivuikhhdp.cn\r\narymabkciiyygmh.com\r\nbdoefrixkguoivh.ru\r\nbfsggebsrhigyxh.com\r\nblaganfaqbsmgwc.ru\r\ncorxcbfbpjcunia.ru\r\ndckhborssheephs.com\r\ndsjllaauvfxtxuu.cn\r\neboyewtljkwywbr.ru\r\nehjhihxkxtgbayy.cn\r\neiobblimcjpilij.com\r\nffqjqgorpsotrsj.ru\r\ngfnkhxbixjshqdx.com\r\ngykgaiboudkqllm.com\r\nhxntfaqyapsiqap.cn\r\nilynavfqveqtaeg.cn\r\nipiravjcwmjpjxa.cn\r\nivsidewdwmtqhib.com\r\nixexifcomsummmw.ru\r\nixshbrjebrwhnwp.cn\r\njagwvpmhykktllh.cn\r\njiuyniwbhmnrubd.ru\r\njoslxklqphibnhn.cn\r\njoxcxsbjibkwoqe.cn\r\njoysqegeomjdipq.com\r\njpbqlxiallxpxnf.ru\r\njrjarkacjxptwaa.ru\r\nkuoycxqewotcwnr.cn\r\nlarrowlygahvjrf.cn\r\nlaxixnnswnfcoat.com\r\nlbdvdftoknnjgnt.cn\r\nlboyoqtrjngmxot.cn\r\nlcbqyugshoarnup.ru\r\nlqibdkotaucksjv.com\r\nltyijgdjdiwatrd.cn\r\nluwardwlejahsbl.cn\r\nmcwaoarumdwfuoi.ru\r\nmkomjxfqmkpdsnp.com\r\nSource: https://medium.com/csis-techblog/the-brief-glory-of-cabassous-flubot-a-private-android-banking-botnet-bc2ed7917027",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://medium.com/csis-techblog/the-brief-glory-of-cabassous-flubot-a-private-android-banking-botnet-bc2ed7917027"
	],
	"report_names": [
		"the-brief-glory-of-cabassous-flubot-a-private-android-banking-botnet-bc2ed7917027"
	],
	"threat_actors": [],
	"ts_created_at": 1775434530,
	"ts_updated_at": 1775826678,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9e68ac12525683d242b7af6c8659b83f4c39c961.pdf",
		"text": "https://archive.orkl.eu/9e68ac12525683d242b7af6c8659b83f4c39c961.txt",
		"img": "https://archive.orkl.eu/9e68ac12525683d242b7af6c8659b83f4c39c961.jpg"
	}
}