{
	"id": "052e00d1-78eb-4488-96bd-993f108dfcbf",
	"created_at": "2026-04-06T00:13:23.267769Z",
	"updated_at": "2026-04-10T13:11:46.710081Z",
	"deleted_at": null,
	"sha1_hash": "b4cd1849e0e0c86bd7047507ff32d36c9b6b6a54",
	"title": "MoqHao Part 3: Recent Global Targeting Trends",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1224576,
	"plain_text": "MoqHao Part 3: Recent Global Targeting Trends\r\nBy Team Cymru\r\nPublished: 2025-04-08 · Archived: 2026-04-05 14:39:40 UTC\r\nIntroduction\r\nThis blog post is part of an ongoing series of analysis on MoqHao (also referred to as Wroba and XLoader), a malware family commonly associated with Roaming Mantis. MoqHao is generally used to target Android users, often via an initial attack vector of phishing SMS messages (smishing).\r\nThe threat group behind Roaming Mantis is characterized as Chinese-speaking and financially motivated; the first public acknowledgement of the group dates back to around 2018. The group has historically targeted countries in the Far East (Japan, South Korea and Taiwan), but it is expanding its campaigns.\r\nhttps://www.team-cymru.com/post/moqhao-part-3-recent-global-targeting-trends\r\nPage 1 of 9\n\nIn our most recent post (MoqHao Part 2: Continued European Expansion), we demonstrated how Roaming Mantis had widened their sights to Western countries, including France, Germany, the United Kingdom, and the United States.\r\nFurther Reading\r\nMoqHao Part 1.5: High-Level Trends of Recent Campaigns Targeting Japan\r\nMoqHao Part 1: Identifying Phishing Infrastructure\r\nIn this post we will explore whether Roaming Mantis have continued to expand their operations over the past year, focusing on their activities in recent months. In doing so we will seek to highlight some techniques which we have utilized to pivot to connected infrastructure.\r\nKey Findings\r\nIdentification of 14 MoqHao C2 servers, based on malware analysis and pivots within contextual data sets.\r\nEvidence of Roaming Mantis campaigns targeting every continent, with Africa, Asia, and Europe the most impacted.\r\nClose to 1.5 million victim communications to the MoqHao C2 servers observed since the end of 2022.\r\nThe scope of Roaming Mantis continues to grow; all mobile users should be conscious of smishing threats, particularly from operators who have evolved their campaigns over several years.\r\nMoqHao Command \u0026 Control\r\nAs in previous posts, our analysis begins with the identification of infrastructure utilized for the purpose of post-infection communications, once a malicious APK (MoqHao) has been installed on a victim device.\r\nThe rationale for this approach is two-fold:\r\n1. The delivery and installation methodology for MoqHao includes the use of ‘disposable’ staging infrastructure which generally utilizes Dynamic DNS services, in addition to legitimate platforms such as Baidu, Imgur, Pinterest, and VKontakte. Analysis of network telemetry data associated with these phases of an infection is complicated by the presence of security research, scanning, and (large volume) benign user activity. Furthermore, until beacons to a MoqHao C2 server are observed, it is not wholly accurate to identify any communications as ‘victim’ related.\r\n2. Whilst MoqHao’s delivery infrastructure has a short shelf life, its C2 infrastructure is used for extended periods of time and in some cases even reused after periods of inactivity. By analyzing stable infrastructure, we can draw higher-level conclusions on targeting, i.e., where large groupings of victim connections originate from. In addition, as this infrastructure is more static, disclosing it has the greatest impact on Roaming Mantis operations.\r\nFigure 1: Simplified Delivery Chain for MoqHao\r\nOur initial method of identifying MoqHao C2 infrastructure is based on analysis of malware samples. In this case we have started with three malware samples identified within our internal malware holdings, which are also available in VirusTotal.\r\nMoqHao is detected by several antivirus vendors as ‘Wroba’; querying for this string within malware repositories will generally lead to connected samples.\r\n37134b50f0c747fb238db633e7a782d9832ae84b\r\nThis file was first uploaded on 24 October 2022 by a user in Canada; it is configured to receive its C2 information (91.204.227.31:28877) from a user profile on VKontakte.\r\nExamining network telemetry for 91.204.227.31 (HDTIDC - South Korea) we observe a campaign targeting users in Australia, with the most recent victim connections occurring around 29 January 2023.\r\nOpen Ports information for 91.204.227.31 identifies that TCP/5985 was open during the period when victim connections occurred. The banner data obtained from scanning that port contains a reference to a computer / domain name: WIN-VLVN3FLKKGL.\r\nFigure 2: Open Ports Information for 91.204.227.31\r\nPivoting on the WIN-VLVN3FLKKGL value we identified four additional IP addresses, all within 91.204.227.0/26.\r\nWe found victim communications to three of these IP addresses, two of which were identified in previous reporting (by Kaspersky) as MoqHao C2 servers:\r\n91.204.227.32 \u003c\u003c Kaspersky C2\r\n91.204.227.33 \u003c\u003c Kaspersky C2\r\n91.204.227.51\r\nThe first two C2s are used in campaigns primarily targeting users located in Asia, but also Australia (as was the case with 91.204.227.31). A significant proportion of victims were in Japan, Nepal, and Thailand.\r\n91.204.227.51 was used as the C2 server for a campaign targeting users in France, with the last victim connections observed around 26 February 2023.\r\n198b55d4e7c7c0ee4fc4cbe13859533e651b91f6\r\nThis file was first uploaded on 20 February 2023 by a user in Canada; it is configured to receive its C2 information (198.144.149.142:28866) from a user profile on VKontakte.\r\nExamining network telemetry for 198.144.149.142 (NETMINDERS - Canada) we observe a campaign targeting users globally (in Africa, Asia, Europe, North America, and Oceania), with victim connections still occurring at the time of writing.\r\nOpen Ports information for 198.144.149.142 identifies an RDP certificate hosted on TCP/3389 with a Common Name value of sid380.\r\nFigure 3: Certificate Data for 198.144.149.142\r\nPivoting on the sid380 value we identified 12 additional IP addresses, all within 198.144.149.128/28.\r\nWe found victim communications to one of these IP addresses, which was identified in the Kaspersky reporting as a MoqHao C2 server:\r\n198.144.149.131 \u003c\u003c Kaspersky C2\r\nAs in the case of 198.144.149.142, this C2 is used in campaigns targeting users globally, further including South America (Brazil and Suriname).\r\n5ceb8950759a8d9d31389d1370d381d158c79fbe\r\nThis file was first uploaded on 25 February 2023 by a user in Japan; it is configured to receive its C2 information (91.204.227.43:29872) from a user profile on VKontakte.\r\nExamining network telemetry for 91.204.227.43 (HDTIDC - South Korea) we observe a campaign targeting users in India, with the most recent victim connections occurring around 03 March 2023.\r\nOpen Ports information for 91.204.227.43 identifies that TCP/5985 was open during the period when victim connections occurred. The banner data obtained from scanning that port contains a reference to a computer / domain name: M172-17-64-184.\r\nFigure 4: Open Ports Information for 91.204.227.43\r\nPivoting on the M172-17-64-184 value we identified 13 additional IP addresses, all within 91.204.227.0/26.\r\nWe found victim communications to seven of these IP addresses, one of which was identified in the Kaspersky reporting as a MoqHao C2 server:\r\n91.204.227.37\r\nCampaigns targeting users in Turkey and the United States.\r\n91.204.227.39 \u003c\u003c Kaspersky C2\r\nCampaigns primarily targeting users in India and Nepal, with additional targeting in the Middle East and North America.\r\n91.204.227.41\r\nA campaign targeting users in South Africa.\r\n91.204.227.42\r\nCampaigns primarily targeting users in Europe (Austria and Czech Republic), with additional targeting in Asia and the Middle East.\r\n91.204.227.47\r\nCampaigns targeting users in Malaysia and Nepal.\r\n91.204.227.48\r\nA campaign targeting users in the Czech Republic, with additional targeting in Belgium, the Dominican Republic, and Turkey.\r\n91.204.227.49\r\nCampaigns targeting users in India, Portugal, South Africa, and the United Kingdom, with smaller clusters of victims globally (Africa, Asia, Europe, the Middle East, North America, and Oceania).\r\nConclusion\r\nWhilst this analysis is caveated by the fact that it is based on sampled data, and that some researcher / scanning activity likely slipped through our net, we were able to identify connections, indicative of victims, from 67 distinct countries.\r\nApproximately 80% of connections were from the East Asian region (primarily Japan), which could be referred to as the ‘traditional’ operating base of Roaming Mantis. However, when you remove those connections from the data, you’re left with a picture of the operators’ efforts to expand globally.\r\nFigure 5: Spread of Victim Communications\r\nUsers from Africa, other regions in Asia, and Europe in particular are increasingly appearing in victim communications to MoqHao infrastructure.\r\nSmishing often doesn’t receive the same level of attention as phishing when it comes to the malware delivery stakes. But, with over 1 million observed victim connections since the end of 2022 related to Roaming Mantis alone, it is clearly a viable initial access vector.\r\nIf Roaming Mantis can develop their delivery methods globally, to match the depth and ‘real feel’ spoofing of their East Asian campaigns, we would anticipate that the threat to users will continue to grow over the coming months and years.\r\nRecommendations\r\nWe encourage continued education on mobile device security in general and smishing more specifically, to arm users with the knowledge required to identify and avoid threats.\r\nWhere feasible, connections to the static MoqHao C2 servers listed in the IOC section below should be pre-emptively blocked.\r\nUsers of Pure Signal Recon can track MoqHao campaigns based on the methods described in this blog post.\r\nIOCs\r\nMoqHao Samples\r\n198b55d4e7c7c0ee4fc4cbe13859533e651b91f6\r\n37134b50f0c747fb238db633e7a782d9832ae84b\r\n5ceb8950759a8d9d31389d1370d381d158c79fbe\r\nMoqHao C2 Servers (With Port Pairings 🍷)\r\nACTIVE (14 March 2023)\r\nHDTIDC LIMITED - South Korea:\r\n91.204.227.32:28877\r\n91.204.227.33:28899\r\n91.204.227.37:28836\r\n91.204.227.37:28856\r\n91.204.227.39:28844\r\n91.204.227.41:29869\r\n91.204.227.42:29871\r\n91.204.227.47:28999\r\n91.204.227.48:28843\r\n91.204.227.49:29870\r\nNETMINDERS - Canada:\r\n198.144.149.131:28866\r\n198.144.149.142:28866\r\nINACTIVE (Date)\r\nHDTIDC LIMITED - South Korea:\r\n91.204.227.31:28877 (29 January 2023)\r\n91.204.227.43:29872 (03 March 2023)\r\n91.204.227.51:36599 (26 February 2023)\r\nNETMINDERS - Canada:\r\n198.144.149.131:28867 (05 January 2023)\r\n198.144.149.131:28868 (22 February 2023)\r\n198.144.149.131:28869 (03 January 2023)\r\nSource: https://www.team-cymru.com/post/moqhao-part-3-recent-global-targeting-trends",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.team-cymru.com/post/moqhao-part-3-recent-global-targeting-trends"
	],
	"report_names": [
		"moqhao-part-3-recent-global-targeting-trends"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c94cb0e9-6fa9-47e9-a286-c9c9c9b23f4a",
			"created_at": "2023-01-06T13:46:38.823793Z",
			"updated_at": "2026-04-10T02:00:03.113045Z",
			"deleted_at": null,
			"main_name": "Roaming Mantis",
			"aliases": [
				"Roaming Mantis Group"
			],
			"source_name": "MISPGALAXY:Roaming Mantis",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f9bc28d0-ce98-4991-84ae-5036e5f9d4e3",
			"created_at": "2022-10-25T16:07:24.546437Z",
			"updated_at": "2026-04-10T02:00:05.029564Z",
			"deleted_at": null,
			"main_name": "Roaming Mantis",
			"aliases": [
				"Roaming Mantis Group",
				"Shaoye"
			],
			"source_name": "ETDA:Roaming Mantis",
			"tools": [
				"MoqHao",
				"Roaming Mantis",
				"SmsSpy",
				"Wroba",
				"XLoader"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434403,
	"ts_updated_at": 1775826706,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b4cd1849e0e0c86bd7047507ff32d36c9b6b6a54.pdf",
		"text": "https://archive.orkl.eu/b4cd1849e0e0c86bd7047507ff32d36c9b6b6a54.txt",
		"img": "https://archive.orkl.eu/b4cd1849e0e0c86bd7047507ff32d36c9b6b6a54.jpg"
	}
}