{
	"id": "4a11e2c4-1010-4f8d-aa9b-c02ec22ddfb6",
	"created_at": "2026-04-06T00:06:59.590593Z",
	"updated_at": "2026-04-10T13:11:39.493918Z",
	"deleted_at": null,
	"sha1_hash": "b4eff8c4131cdc164e9734c1d4d4a79072ad3511",
	"title": "Roaming Mantis: a new phishing method targets a Japanese MNO - HackMD",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1140299,
	"plain_text": "Roaming Mantis: a new phishing method targets a Japanese MNO\r\n- HackMD\r\nArchived: 2026-04-05 20:56:31 UTC\r\nRoaming Mantis is a campaign named by Kaspersky.\r\nIn March 2018, Japanese media reported the hijacking of DNS settings on routers located in Japan, redirecting users to malicious IP addresses. The redirection led to the installation of Trojanized applications named facebook.apk and chrome.apk that contained Android Trojan-Banker. Since we didn’t find a pre-existing name for this malware operation, we decided to assign a new one for future reference. Based on its propagation via smartphones roaming between Wi-Fi networks, potentially carrying and spreading the infection, we decided to call it ‘Roaming Mantis’.\r\n(source: https://securelist.com/roaming-mantis-uses-dns-hijacking-to-infect-android-smartphones/85178/)\r\nThis campaign uses Android malware and also phishing scams.\r\nFor example, the Roaming Mantis landing page redirects the visitor to a phishing website when the victim is using an iOS device. The landing page script branches on the browser language and on the User-Agent string:\r\nif ((navigator.language || navigator.browserLanguage).toLowerCase().startsWith(\"ja\")) {\r\n} else {\r\n var u = navigator.userAgent;\r\n var isAndroid = u.indexOf('Android') \u003e -1 || u.indexOf('Adr') \u003e -1;\r\n var isiOS = !!u.match(/\\(i[^;]+;( U;)? CPU.+Mac OS X/);\r\n if (isAndroid) {\r\n window.alert(getString(0));\r\n window.location.href = \"http://\" + location.hostname + \"/\" + Math.random().toString().substring(2, 10) +\r\n }\r\n function isPC() {\r\n var userAgentInfo = navigator.userAgent;\r\n var Agents = [\"Android\", \"iPhone\", \"SymbianOS\", \"Windows Phone\", \"iPad\", \"iPod\"];\r\n var flag = true;\r\n for (var v = 0; v \u003c Agents.length; v++) {\r\n if (userAgentInfo.indexOf(Agents[v]) \u003e 0) {\r\n flag = false;\r\n break;\r\n }\r\n }\r\n return flag;\r\n}\r\n if (isPC()) {\r\n }\r\n if (isiOS) {\r\n window.alert(getString(1));\r\n window.location.href = \"http://security.apple.com/\";\r\n }\r\n}\r\nThe Japanese-locale branch is empty in this excerpt. The Android branch shows an alert and redirects to a random eight-digit path on the same host (the rest of that URL is cut off in the excerpt), desktop browsers get nothing, and iOS browsers are alerted and sent to security.apple.com.\r\nNote that a victim of this campaign resolves names through a rogue DNS server (the router's DNS settings were hijacked), so that redirect does not reach Apple. The rogue DNS resolved security.apple.com to 172.247.116[.]155, the IP address of a phishing website impersonating Apple.\r\nRoaming Mantis 2019 ver.\r\nRoaming Mantis seemed to have disappeared in late 2018, but it came back with new techniques this spring. Kaspersky covered the return in:\r\nRoaming Mantis, part IV: Mobile config for Apple phishing, and re-spreading an updated malicious APK (MoqHao/XLoader)\r\nThe new Roaming Mantis landing page has a mysterious if-else branch.\r\nif ((navigator.language || navigator.browserLanguage).toLowerCase().startsWith(\"ja11111111\")) {\r\n setTimeout(function () {\r\n window.alert(getString(0));\r\n window.location.href = \"https://play.google.com/store/apps/details?id=com.jptest.tools2019\"\r\n }, 500);\r\n}\r\nNo browser language tag starts with \"ja11111111\" (navigator.language returns tags such as \"ja\" or \"ja-JP\"), so this branch is effectively dead code. https://play.google.com/store/apps/details?id=com.jptest.tools2019 returns 404 even when resolved through the rogue DNS.\r\nHowever, the DOM structure of the Roaming Mantis landing page changed on 2019/06/10.\r\nObviously, the message (【ドコモ契約者様へ】お客様がご利用のdカードが第三者に不正利用の可能性がございます。設定ページに切り替えますので、必ず本人認証設定をお願いします。 In English: \"To DoCoMo subscribers: the d Card you are using may have been fraudulently used by a third party. You will be switched to the settings page, so please be sure to complete identity verification.\") and the website (hXXp://www.nttdocomo-urt[.]com) indicate that Roaming Mantis targets a Japanese MNO (mobile network operator), NTT DoCoMo.\r\nInterestingly, this phishing website shares characteristics with a phishing campaign I call GaoHao.\r\nGaoHao targets Japanese brands such as NTT, KDDI, SoftBank, Rakuten, etc.\r\n// an example list of GaoHao phishing website domains\r\ndocomo-login[.]com\r\nsecuritys-docomo[.]com\r\nnttdocomo-services[.]com\r\nsoftbank-securitys[.]com\r\nsoftbank-b[.]com\r\ndocomo-security[.]com\r\nmydocomo-smt-security[.]com\r\nmysoftbank-uses[.]com\r\ndocomo-id[.]com\r\nrakuten-card.gnway[.]cc\r\ninfo-docomo[.]com\r\nnttdocomo-smt-security[.]com\r\nnttdocomo-detect[.]com\r\nmyau-securitys[.]com\r\nmyau-supports[.]com\r\nsecurity-docomo[.]com\r\nnttdocomo-smt-supports[.]com\r\nmydocomo-smt-supports[.]com\r\nsoftbank-sos[.]com\r\nbank-softbank[.]com\r\nThere is a common characteristic among GaoHao phishing websites: they use cookie names of the form action_XXX.\r\nhXXp://www.nttdocomo-urt[.]com uses the same cookie names.\r\nI don't have absolute confidence, but I think this overlap suggests a connection between the Roaming Mantis and GaoHao gangs.\r\nIoC\r\nLanding pages (2019 ver.)\r\n1[.]171.152.3\r\n1[.]171.153.177\r\n1[.]171.156.4\r\n1[.]171.156.75\r\n1[.]171.158.27\r\n1[.]171.158.91\r\n1[.]171.160.146\r\n1[.]171.160.155\r\n1[.]171.163.183\r\n1[.]171.164.249\r\n1[.]171.165.17\r\n1[.]171.166.13\r\n1[.]171.166.219\r\n1[.]171.168.19\r\n1[.]171.169.160\r\n1[.]171.169.221\r\n1[.]171.170.228\r\n1[.]171.171.155\r\n1[.]171.171.52\r\n1[.]171.174.39\r\n1[.]171.175.119\r\n1[.]171.176.65\r\n1[.]171.177.233\r\n1[.]171.180.25\r\n1[.]171.40.74\r\n1[.]171.41.62\r\n1[.]171.46.86\r\n1[.]171.47.224\r\n1[.]171.48.241\r\n1[.]171.51.250\r\n1[.]171.52.233\r\n1[.]171.53.165\r\n1[.]171.53.54\r\n1[.]171.53.58\r\n1[.]171.54.203\r\n1[.]171.59.137\r\n1[.]171.59.144\r\n1[.]171.60.242\r\n1[.]171.61.13\r\n1[.]171.61.201\r\n1[.]171.62.207\r\n61[.]230.100.213\r\n61[.]230.101.102\r\n61[.]230.101.49\r\n61[.]230.102.66\r\n61[.]230.154.202\r\n61[.]230.154.31\r\n61[.]230.155.90\r\n61[.]230.155.93\r\n61[.]230.156.188\r\nOther phishing websites\r\nhXXp://sasekr-qwq[.]top/xvideo/\r\nhXXp://apple.varifidogiones[.]com/verification/apple/alert\r\nhXXp://bqh.idq.mybluehost[.]me\r\nSource: https://hackmd.io/@ninoseki/Bkw66OhAN",
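	"editor_example": "The device and language gate in the landing-page snippets quoted in the page text, together with the rogue-DNS step that turns the iOS redirect into a phishing visit, rebuilt as a runnable Node.js model. This is an added example; it is not code from the HackMD page, nor the landing page or resolver of the Roaming Mantis actors. Assumptions: getString(), the alert texts and whatever follows the trailing + in the Android redirect are not in the excerpt and are replaced by placeholders; the hostname landing.example, the rng parameter, the sample User-Agent strings and the 17.253.144.10 DNS answer are constructed for the example (172.247.116.155 is the address the page reports); the only allowlisted range is Apple's 17.0.0.0/8, which a real check would replace with answers from a trusted resolver.

```javascript
// Added example, not code from the HackMD page or from the Roaming Mantis
// actors. Node.js model of the landing-page gate quoted on the page and of
// the rogue-DNS step that makes its iOS redirect dangerous.
// Assumptions (not on the page): getString(), the alert texts and the tail of
// the Android redirect URL are placeholders; the sample User-Agents, the
// hostname landing.example and the 17.253.144.10 answer are constructed;
// 172.247.116.155 is the rogue answer the page reports.

// Apple's assigned IPv4 block. Used as a static allowlist only for the demo;
// production checks should compare against a trusted resolver instead.
const APPLE_NET = { base: '17.0.0.0', bits: 8 };

function ipv4ToInt(ip) {
  const parts = ip.split('.').map(Number);
  if (parts.length !== 4 || parts.some(p => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error('bad IPv4 address: ' + ip);
  }
  // >>> 0 keeps the result unsigned even when the first octet is >= 128
  return ((parts[0] << 24) >>> 0) + (parts[1] << 16) + (parts[2] << 8) + parts[3];
}

function inCidr(ip, net) {
  const mask = net.bits === 0 ? 0 : (0xffffffff << (32 - net.bits)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(net.base) & mask) >>> 0);
}

// Rogue-DNS check: an apple.com name answered with an address outside 17/8
// is the situation the page describes (security.apple.com -> 172.247.116.155).
function flagRogueAnswers(answers) {
  return answers.filter(a => {
    const name = a.name.toLowerCase();
    const isApple = name === 'apple.com' || name.endsWith('.apple.com');
    return isApple && !inCidr(a.address, APPLE_NET);
  });
}

// Reconstruction of the 2018 gate, in the page's order: the Japanese-locale
// branch (empty in the excerpt) first, then Android, then iOS; PC gets nothing.
function classifyVisitor(userAgent, language, hostname, rng) {
  const lang = (language || '').toLowerCase();
  if (lang.startsWith('ja')) {
    return { action: 'none', reason: 'japanese locale branch is empty' };
  }
  const isAndroid = userAgent.indexOf('Android') > -1 || userAgent.indexOf('Adr') > -1;
  // the page matches iOS with a regex on the UA; this substring test covers the same UAs
  const isIOS = userAgent.indexOf('Mac OS X') > -1 &&
    (userAgent.indexOf('iPhone') > -1 || userAgent.indexOf('iPad') > -1 || userAgent.indexOf('iPod') > -1);
  if (isAndroid) {
    // Math.random().toString().substring(2, 10): eight digits after the 0.
    // The excerpt ends with a trailing +, so what the page appends after the
    // digits is unknown; the model stops at the digits.
    const digits = (rng || Math.random)().toString().substring(2, 10);
    return { action: 'redirect', url: 'http://' + hostname + '/' + digits };
  }
  if (isIOS) {
    // harmless with honest DNS; with the rogue resolver it lands on the Apple phish
    return { action: 'redirect', url: 'http://security.apple.com/' };
  }
  return { action: 'none', reason: 'desktop browser gets no redirect' };
}

// The 2019 page compares the locale against 'ja11111111'. navigator.language
// is a BCP 47 tag such as 'ja', 'ja-JP' or 'en-US', so the branch never runs.
function deadBranch2019(language) {
  return (language || '').toLowerCase().startsWith('ja11111111');
}

// Constructed inputs for the demo.
const UA = {
  android: 'Mozilla/5.0 (Linux; Android 9; SM-G960F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.157 Mobile Safari/537.36',
  ios: 'Mozilla/5.0 (iPhone; CPU iPhone OS 12_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.1 Mobile/15E148 Safari/604.1',
  pc: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.157 Safari/537.36',
};
const DNS_ANSWERS = [
  { name: 'security.apple.com', address: '172.247.116.155' }, // reported on the page
  { name: 'security.apple.com', address: '17.253.144.10' },   // constructed honest answer
  { name: 'landing.example', address: '172.247.116.155' },    // not an Apple name
];

function demo() {
  const fixedRng = () => 0.12345678; // deterministic stand-in for Math.random
  return {
    android: classifyVisitor(UA.android, 'en-US', 'landing.example', fixedRng),
    ios: classifyVisitor(UA.ios, 'en-US', 'landing.example', fixedRng),
    pc: classifyVisitor(UA.pc, 'en-US', 'landing.example', fixedRng),
    japanese: classifyVisitor(UA.android, 'ja-JP', 'landing.example', fixedRng),
    deadBranchFires: deadBranch2019('ja-JP'),
    rogue: flagRogueAnswers(DNS_ANSWERS).map(a => a.name + ' -> ' + a.address),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with node; demo() returns the decision for one Android, one iOS, one desktop and one Japanese-locale visitor plus the DNS answers flagged as rogue, so the same data can be checked in a test. The order of checks matters when reproducing the page in a lab: a Japanese locale short-circuits everything, so an analyst fetching the landing page from a ja-JP browser sees no redirect at all.",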
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://hackmd.io/@ninoseki/Bkw66OhAN"
	],
	"report_names": [
		"Bkw66OhAN"
	],
	"threat_actors": [
		{
			"id": "c94cb0e9-6fa9-47e9-a286-c9c9c9b23f4a",
			"created_at": "2023-01-06T13:46:38.823793Z",
			"updated_at": "2026-04-10T02:00:03.113045Z",
			"deleted_at": null,
			"main_name": "Roaming Mantis",
			"aliases": [
				"Roaming Mantis Group"
			],
			"source_name": "MISPGALAXY:Roaming Mantis",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium",
				"Carbanak",
				"Carbon Spider",
				"FIN7",
				"Navigator",
				"Sangria Tempest",
				"TelePort Crew"
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "f9bc28d0-ce98-4991-84ae-5036e5f9d4e3",
			"created_at": "2022-10-25T16:07:24.546437Z",
			"updated_at": "2026-04-10T02:00:05.029564Z",
			"deleted_at": null,
			"main_name": "Roaming Mantis",
			"aliases": [
				"Roaming Mantis Group",
				"Shaoye"
			],
			"source_name": "ETDA:Roaming Mantis",
			"tools": [
				"MoqHao",
				"Roaming Mantis",
				"SmsSpy",
				"Wroba",
				"XLoader"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434019,
	"ts_updated_at": 1775826699,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b4eff8c4131cdc164e9734c1d4d4a79072ad3511.pdf",
		"text": "https://archive.orkl.eu/b4eff8c4131cdc164e9734c1d4d4a79072ad3511.txt",
		"img": "https://archive.orkl.eu/b4eff8c4131cdc164e9734c1d4d4a79072ad3511.jpg"
	}
}