{
	"id": "c3a63736-8f09-4465-9cb6-a6208461f0c4",
	"created_at": "2026-04-06T00:21:49.09506Z",
	"updated_at": "2026-04-10T03:30:33.749613Z",
	"deleted_at": null,
	"sha1_hash": "aa86ce393810274e58f9a3c041a76c377fa604b0",
	"title": "Crocodilus in the wild: Mapping the campaign in Poland",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 777024,
	"plain_text": "Crocodilus in the wild: Mapping the campaign in Poland\r\nBy mvaks\r\nPublished: 2025-05-30 · Archived: 2026-04-05 18:47:20 UTC\r\nOver the past week, several malware distribution campaigns have been observed in Poland, all targeting Android users with the same goal: full control over the device and theft of credentials.\r\nEach campaign impersonated a well-known Polish brand, including a major bank, an e-commerce platform and a telecom provider, using fake apps to trick victims into installing malicious software.\r\nDespite the different themes and brands, all three campaigns relied on malware from the Crocodilus family. Shared infrastructure, including the same AES key for traffic decryption and a common C2 address, strongly suggests they were orchestrated by the same Turkish-speaking threat actor.\r\nPlay-Plus campaign\r\nhttps://medium.com/@mvaks/crocodilus-in-the-wild-mapping-the-campaign-in-poland-15d3078eb954\r\nPage 1 of 5\r\nA campaign impersonating the telecom provider Play used an app with an icon very similar to the legitimate one. Upon launch, the app displayed a message prompting the user to update the Play Store; in reality this was a request to allow the malware to install additional applications.\r\nThe dropped application then requested access to Accessibility Services in order to take control of the device.\r\nThe user was asked to enter their phone number to supposedly receive 300 PLN on their mobile.
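As an added example, not the author's tooling and not code from the original post, the Python below triages a candidate APK against the dropper-then-payload pattern described above and against the package names, dex file names, embedded APK names, MD5 hashes, shared AES key and C2 domains listed in this article's IOC sections. It assumes the analyst supplies the package name (for example from `aapt dump badging`, since decoding the binary manifest is out of scope), assumes the key and the C2 domains appear as plain strings inside the archive, and uses a constructed in-memory APK that only mimics the Play-Plus dropper's file layout; the function and variable names are the example's own.

```python
"""IOC matcher for the Crocodilus dropper / payload pairs listed in this article.

Added example, not the author's tooling: the indicator tables below are
transcribed from the article's IOC sections; the sample APK is a constructed
fixture that only mimics the file layout of the Play-Plus dropper.
"""
import hashlib
import io
import zipfile

# Dropper package -> (randomly named dex it loads, embedded APK it installs)
DROPPERS = {
    "collie.armchair.puppet": ("submersedfeast.dex", "rVwMwHK.apk"),
    "alfalfa.ungodly": ("lapelrover.dex", "xdjoN.apk"),
    "purge.tremble": ("ablemocker.dex", "iSZMv.apk"),
}
# Payload package -> its dex file
PAYLOADS = {
    "untitled.lividly.disobey": "hermitcrudely.dex",
    "shore.footprint": "confettiunkind.dex",
    "unrelated.hamburger": "jasminenacho.dex",
    "nuttiness.pamperer.cosmetics": "gullyclosure.dex",
}
KNOWN_MD5 = {
    "47687323c7a37ee5ab1c34226b23a360", "dc966268be1c40447c73bfc01808dd83",
    "aca6cc169fe860fe9230d99206a98d12", "689579531a417b84ddbceb17c75d3c39",
    "e7551da0d6e05cce11d4bf3ae016bb15", "f6f589d1a0a189aded4d008b671be0db",
}
AES_KEY = "DBeYRNqiFnsyGpY8"  # shared by all three campaigns
C2_DOMAINS = ("7162abdd9fd6e28.click", "rentvillcr.homes")
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def _basename(name):
    return name.rsplit("/", 1)[-1]


def _contains(blob, text):
    """String hunt in both encodings Android uses: UTF-8 in dex/asset files,
    UTF-16LE in the string pool of binary XML and resources.arsc."""
    return text.encode("utf-8") in blob or text.encode("utf-16-le") in blob


def scan_apk(apk_bytes, package):
    """Extract indicators from one APK. `package` is supplied by the analyst
    (e.g. from `aapt dump badging`). Assumption: key and C2 are plain strings."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = zf.namelist()
        blob = b"".join(zf.read(n) for n in names)
    # Normal builds name code classes.dex, classes2.dex, ...; these droppers
    # ship an oddly named dex next to the loader and an APK under assets/.
    odd_dex = [n for n in names
               if n.endswith(".dex") and not _basename(n).startswith("classes")]
    embedded = [n for n in names if n.lower().endswith(".apk")]
    dex_names = {_basename(n) for n in odd_dex}
    apk_names = {_basename(n) for n in embedded}
    f = {
        "md5": hashlib.md5(apk_bytes).hexdigest(),
        "odd_dex": odd_dex,
        "embedded_apks": embedded,
        "dropper": None,
        "payload": None,
        "aes_key": _contains(blob, AES_KEY),
        "c2": [d for d in C2_DOMAINS if _contains(blob, d)],
        "accessibility": _contains(blob, ACCESSIBILITY),
    }
    f["known_hash"] = f["md5"] in KNOWN_MD5
    if package in DROPPERS:
        dex, apk = DROPPERS[package]
        f["dropper"] = {"dex": dex in dex_names, "installs": apk in apk_names}
    if package in PAYLOADS:
        f["payload"] = PAYLOADS[package] in dex_names
    return f


def verdict(f):
    """List of matched indicators; an empty list means nothing matched."""
    hits = []
    if f["known_hash"]:
        hits.append("MD5 matches a published sample")
    if f["dropper"] and any(f["dropper"].values()):
        hits.append("dropper package with its known dex/embedded APK")
    if f["payload"]:
        hits.append("payload package with its known dex")
    if f["aes_key"]:
        hits.append("shared AES key " + AES_KEY)
    hits += ["C2 domain " + d for d in f["c2"]]
    if f["embedded_apks"]:
        hits.append("carries an embedded APK (dropper pattern)")
    if f["accessibility"]:
        hits.append("declares an accessibility service (string heuristic)")
    return hits


def build_sample(entries):
    """Build an in-memory zip from {name: bytes}; used only for constructed fixtures."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_constructed_sample():
    """Constructed fixture, NOT a real sample: mimics the Play-Plus dropper
    layout with placeholder contents so that the checks above fire."""
    return build_sample({
        "AndroidManifest.xml": ACCESSIBILITY.encode("utf-16-le"),
        "classes.dex": b"dex\n035\x00loader stub",
        "submersedfeast.dex": b"dex\n035\x00" + AES_KEY.encode()
                              + b"\x00https://7162abdd9fd6e28.click/\x00",
        "assets/rVwMwHK.apk": b"PK\x03\x04 placeholder",
    })


if __name__ == "__main__":
    for hit in verdict(scan_apk(build_constructed_sample(), "collie.armchair.puppet")):
        print("-", hit)
```

For a real file, read the APK bytes and pass the package name aapt reports. The MD5 check only catches the exact published files; the package, dex and embedded-APK names and the shared key and domains are the indicators that survive a re-signed or re-packed build, which is why the script reports them separately.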
They were told the bonus would be activated within 24 hours, likely to delay suspicion and give the attackers time to act.\r\nIOCs\r\nDropper:\r\npackage: collie.armchair.puppet\r\nMD5: 47687323c7a37ee5ab1c34226b23a360\r\ndex file: submersedfeast.dex\r\ninstalls: rVwMwHK.apk\r\nExtracted .apk:\r\npackage: untitled.lividly.disobey\r\nMD5: dc966268be1c40447c73bfc01808dd83\r\ndex file: hermitcrudely.dex\r\nC2: 7162abdd9fd6e28.click\r\nAES Key: DBeYRNqiFnsyGpY8\r\nAllegro campaign\r\nA campaign impersonating Allegro was distributed via the following URL:\r\nhxxps://allegro-kupony.sbs/Allegro%20Promo_3.16.apk\r\nThe downloaded app, named allegro Promo, displayed a message upon launch prompting the user to allegedly update their Chrome browser. It then installed another application embedded within its resources.\r\nThe dropped app, allegro Kupony, asked the user to provide their phone number and then generated a QR code that supposedly granted a bonus of 1000 PLN.\r\nThe link included in the app followed this format:\r\nhxxps://allegro.pl/bonus?tel=+48(phone number)\r\ndirecting the victim to a non-existent resource on Allegro’s legitimate domain.\r\nThe attackers added a message stating that the bonus would be activated within 12 hours, likely to avoid raising suspicion and buy time for further malicious activity.\r\nIOCs\r\nDropper:\r\npackage: alfalfa.ungodly\r\nMD5: aca6cc169fe860fe9230d99206a98d12\r\ndex file: lapelrover.dex\r\ninstalls: xdjoN.apk\r\nExtracted .apk:\r\npackage: shore.footprint\r\nMD5: dc966268be1c40447c73bfc01808dd83 (identical to the MD5 listed for the Play-Plus extracted .apk above)\r\ndex file: 
confettiunkind.dex\r\nC2: rentvillcr.homes\r\nAES Key: DBeYRNqiFnsyGpY8\r\nIKO campaign\r\nThe campaign described in my previous analysis was distributed through fake social media ads promoting the opportunity to receive allegedly attractive interest rates on bank deposits via a new application.\r\nThe app leveraged Accessibility settings to gain control over the device.\r\nIOCs\r\nDropper:\r\npackage: purge.tremble\r\nMD5: 689579531a417b84ddbceb17c75d3c39\r\ndex file: ablemocker.dex\r\ninstalls: iSZMv.apk\r\nExtracted .apk:\r\npackage: unrelated.hamburger\r\nMD5: e7551da0d6e05cce11d4bf3ae016bb15\r\ndex file: jasminenacho.dex\r\nC2: rentvillcr.homes\r\nAES Key: DBeYRNqiFnsyGpY8\r\nAdditional .apk found on VirusTotal:\r\npackage: nuttiness.pamperer.cosmetics\r\nMD5: f6f589d1a0a189aded4d008b671be0db\r\ndex file: gullyclosure.dex\r\nC2: rentvillcr.homes\r\nAES Key: DBeYRNqiFnsyGpY8\r\nThanks for checking out my analysis — I’ll update the article if any new campaigns pop up :-)\r\nSource: https://medium.com/@mvaks/crocodilus-in-the-wild-mapping-the-campaign-in-poland-15d3078eb954",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/@mvaks/crocodilus-in-the-wild-mapping-the-campaign-in-poland-15d3078eb954"
	],
	"report_names": [
		"crocodilus-in-the-wild-mapping-the-campaign-in-poland-15d3078eb954"
	],
	"threat_actors": [],
	"ts_created_at": 1775434909,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/aa86ce393810274e58f9a3c041a76c377fa604b0.pdf",
		"text": "https://archive.orkl.eu/aa86ce393810274e58f9a3c041a76c377fa604b0.txt",
		"img": "https://archive.orkl.eu/aa86ce393810274e58f9a3c041a76c377fa604b0.jpg"
	}
}