{
	"id": "b2b8f81c-79f6-4d33-b7b2-b88d5ec5d9ff",
	"created_at": "2026-04-06T00:13:37.411529Z",
	"updated_at": "2026-04-10T03:30:32.950758Z",
	"deleted_at": null,
	"sha1_hash": "a73ea3112f027aa87e8e3829c4bbc74abf56a898",
	"title": "GravityRAT: The spy returns",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1513040,
	"plain_text": "GravityRAT: The spy returns\r\nBy Tatyana Shishkova\r\nPublished: 2020-10-19 · Archived: 2026-04-05 21:33:45 UTC\r\nIn 2018, researchers at Cisco Talos published a post on the spyware GravityRAT, used to target the Indian armed\r\nforces. The Indian Computer Emergency Response Team (CERT-IN) first discovered the Trojan in 2017. Its\r\ncreators are believed to be Pakistani hacker groups. According to our information, the campaign has been active\r\nsince at least 2015, and previously targeted Windows machines. However, it underwent changes in 2018, with\r\nAndroid devices being added to the list of targets.\r\nMalicious guide\r\nIn 2019, on VirusTotal, we encountered a curious piece of Android spyware which, when analyzed, seemed\r\nconnected to GravityRAT. The cybercriminals had added a spy module to Travel Mate, an Android app for\r\ntravelers to India, the source code of which is available on Github.\r\nhttps://securelist.com/gravityrat-the-spy-returns/99097/\r\nPage 1 of 19\n\nClean Travel Mate app on Google Play\r\nThe attackers used a version of the app published on Github in October 2018, adding malicious code and changing\r\nthe name to Travel Mate Pro.\r\nhttps://securelist.com/gravityrat-the-spy-returns/99097/\r\nPage 2 of 19\n\nThe app requests permissions at startup\r\nThe Trojan’s manifest file includes Services and Receiver, which are not in the app from Github\r\nhttps://securelist.com/gravityrat-the-spy-returns/99097/\r\nPage 3 of 19\n\nList of Trojan classes\r\nThe spyware’s functions are fairly standard: it sends device data, contact lists, e-mail addresses, and call and text\r\nlogs to the C\u0026C server. 
In addition, the Trojan searches for files in the device memory and on connected media with the extensions .jpg, .jpeg, .log, .png, .txt, .pdf, .xml, .doc, .xls, .xlsx, .ppt, .pptx, .docx, and .opus, and sends these to C\u0026C as well.\r\nThe malware does not resemble a “typical” Android spy in that the choice of app is rather specific and the malicious code is not based on that of any known spyware app, as is often the case. As such, we decided to look for connections with known APT families.\r\nC\u0026C addresses hardcoded into the Trojan\r\nThe simplest thing to do is to check the C\u0026C addresses used by the Trojan:\r\nnortonupdates[.]online:64443\r\nAs it turned out, n3.nortonupdates[.]online:64443 was used by another piece of malware to download data about files found on the computer (.doc, .ppt, .pdf, .xls, .docx, .pptx, .xlsx) together with data about the infected machine. With the aid of Threat Intelligence, we found this malware: a malicious PowerShell script called Enigma.ps1 that executes C# code.\r\nThe PowerShell script was run using a VBS script:\r\nNext, we detected a very similar VBS script template with no specified paths under the name iV.dll:\r\nIt was located inside the PyInstaller container enigma.exe signed by E-Crea Limited on 09.05.2019. 
The installer was downloaded from the site enigma.net[.]in under the guise of a secure file sharing app to protect against ransomware Trojans:\r\nBesides the VBS template, inside the container were XML templates for Windows Task Scheduler under the names aeS.dll, rsA.dll, eA.dll, and eS.dll:\r\nAnd in the main program, the required paths and names were written into the templates and a scheduled task had been added:\r\nThe program communicated with the server at the address download.enigma.net[.]in/90954349.php (note that 90954349A is the start of the MD5 hash of the word “enigma”). It featured a simple graphical interface and encryption and file exchange logic:\r\nThe Mac version has similar functionality and adds a cron job:\r\nSimilar in functionality to enigma.exe is the app Titanium (titaniumx.co[.]in), signed on 04.14.2019 by Plano Logic Ltd, certificate revoked on 09.08.2019.\r\nAlongside the Enigma and Titanium payloads were the following spyware Trojans:\r\nWpd.exe, signed 09.17.2018 by Plano Logic Ltd, certificate revoked\r\nTaskhostex.exe, signed 02.18.2020 by Theravada Solutions Ltd\r\nWCNsvc.exe, signed on 09.17.2018 by Plano Logic Ltd, certificate revoked\r\nSMTPHost.exe, signed 12.21.2018 by Plano Logic Ltd, certificate revoked\r\nCSRP.exe\r\nTheir C\u0026Cs:\r\nwindowsupdates[.]eu:46769\r\nmozillaupdates[.]com:46769\r\nmozillaupdates[.]us\r\nWe focused on port 46769, used by the above Trojans. The same port was used by the GravityRAT family. 
A further search of nortonupdates[.]online led us to the PE file Xray.exe:\r\nThis version collected data and sent it to n1.nortonupdates[.]online and n2.nortonupdates[.]online.\r\nThe domains n*.nortonupdates[.]online resolved to the IP address 213.152.161[.]219. We checked our Passive DNS database for other domains previously found at this address, and discovered the suspicious-looking u01.msoftserver[.]eu. A search of this domain led us to the app ZW.exe, written in Python and packaged using the same PyInstaller (signed on 04.10.2019 by Plano Logic Ltd, certificate revoked on 09.08.2019).\r\nThe C\u0026C addresses called by ZW.exe are decrypted by the AES algorithm from the file Extras\\SystemEventBrokerSettings.dat:\r\nmsoftserver[.]eu:64443\r\nCommunication with the server takes place at the relative address /ZULU_SERVER.php.\r\nThe spyware receives commands from the server, including to:\r\nget information about the system\r\nsearch for files on the computer and removable disks with the extensions .doc, .docx, .ppt, .pptx, .xls, .xlsx, .pdf, .odt, .odp, and .ods, and upload them to the server\r\nget a list of running processes\r\nintercept keystrokes\r\ntake screenshots\r\nexecute arbitrary shell commands\r\nrecord audio (not implemented in this version)\r\nscan ports\r\nThe code is multiplatform:\r\nThe characteristic path also confirms that we are dealing with a new version of GravityRAT:\r\nThe newer variants of the malware with similar functionality that we detected using Threat Intelligence — RW.exe and TW.exe — were signed by Theravada Solutions Ltd on 10.01.2019 and 02.20.2020, respectively; the certificates are valid.\r\nRW.exe called the C\u0026C server at the relative address /ROMEO/5d907853.php, and TW.exe at /TANGO/e252a516.php, so we can assume that the first letter in 
the name of the executable file indicates the version of the C\u0026C server.\r\nC\u0026Cs of this instance:\r\nmozillaupdates[.]us\r\nmicrosoftupdate[.]in\r\nOther versions of GravityRAT\r\nlolomycin\u0026Co\r\nAn older version of GravityRAT, Whisper, in addition to the string “lolomycin2017” (whose byte representation was used as a salt for AES encryption in the component lsass.exe), contained in the component whisper.exe the string “lolomycin\u0026Co” for use as a password to unpack downloaded ZIP archives with the payload:\r\nThrough this string, we found newer .NET versions of GravityRAT in the apps:\r\nWeShare\r\nTrustX\r\nClick2Chat\r\nBollywood\r\nNew versions of GravityRAT\r\nAll sites that distribute the malware examined below are hidden behind Cloudflare to make it hard to determine the real IP.\r\n.NET versions\r\nSharify\r\nMelodyMate (signed by E-Crea Limited on 11.05.2019)\r\nPython version\r\nGoZap\r\nAnother PyInstaller container. Note that the code explicitly mentions the names of the potential payloads already familiar to us:\r\nDepending on the specific payload, the destination directory is selected, as well as the name of the task for Windows Task Scheduler:\r\nPayload name | Path | Task name\r\nZW | %APPDATA%\\Programs | WinUpdate\r\nSMTPHost | %APPDATA%\\WinUpdates | Disksynchronization\r\nWCNsvc | %APPDATA%\\System | Windows_startup_update\r\nCSRP | %APPDATA%\\Applications | Antivirus_Update\r\nWindows-Portable-Devices | %APPDATA%\\System Updates | System_Update\r\nElectron versions\r\nThe following versions are multiplatform for Windows and Mac based on the Electron framework. 
The logic is as before: the Trojan checks if it is running on a virtual machine, collects information about the computer, downloads the payload from the server, and adds a scheduled task.\r\nStrongBox (signed by E-Crea Limited on 11.20.2019)\r\nTeraSpace (signed by E-Crea Limited on 11.20.2019)\r\nOrangeVault\r\nCvStyler (signed by E-Crea Limited on 02.20.2020)\r\nAndroid versions\r\nSavitaBhabi exists for Windows and Android.\r\nThe Windows version is based on .NET. The functionality is standard: the Trojan checks if it is running on a virtual machine and if security software is installed on the computer, transmits information about the computer to the server, and receives commands in response. It uses Windows Task Scheduler to launch the payload.\r\nCommunication with the server is through POST requests to download.savitabhabi.co[.]in/A5739ED5.php.\r\nThe second file, downloaded from the same site, is the Android app Savitabhabi.apk, which is an adult comic strip with an embedded spyware module. Unlike the Travel Mate Pro version, this time it seems that the cybercriminals took a bottom-up approach and wrote the app themselves.\r\nThe app requests suspicious permissions at startup\r\nThe malicious functionality of this Android app is identical to that of Travel Mate Pro; the C\u0026C addresses and code (save for minor details) also coincide:\r\nList of Trojan classes\r\nConclusion\r\nIn 2019, The Times of India published an article about the cybercriminal methods used to distribute GravityRAT during the period 2015-2018. 
Victims were contacted through a fake Facebook account, and asked to install a malicious app disguised as a secure messenger in order to continue the conversation. Around 100 cases of infection of employees at defense, police, and other departments and organizations were identified.\r\nIt is safe to assume that the current GravityRAT campaign uses similar infection methods — targeted individuals are sent links pointing to malicious apps.\r\nThe main modification seen in the new GravityRAT campaign is multiplatform support: besides Windows, there are now versions for Android and macOS. The cybercriminals also started using digital signatures to make the apps look more legitimate.\r\nIoCs\r\nMD5\r\nURLs\r\nSource: https://securelist.com/gravityrat-the-spy-returns/99097/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://securelist.com/gravityrat-the-spy-returns/99097/"
	],
	"report_names": [
		"99097"
	],
	"threat_actors": [
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434417,
	"ts_updated_at": 1775791832,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a73ea3112f027aa87e8e3829c4bbc74abf56a898.pdf",
		"text": "https://archive.orkl.eu/a73ea3112f027aa87e8e3829c4bbc74abf56a898.txt",
		"img": "https://archive.orkl.eu/a73ea3112f027aa87e8e3829c4bbc74abf56a898.jpg"
	}
}