{
	"id": "775216c3-2709-4b8a-a5e8-f47b2589f49a",
	"created_at": "2026-04-06T00:13:49.979448Z",
	"updated_at": "2026-04-10T03:36:22.126649Z",
	"deleted_at": null,
	"sha1_hash": "c9940c1746f5ad56c7cbac1d4095fdff766491cc",
	"title": "Hiding in plain sight: PhantomLance walks into a market",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1543905,
	"plain_text": "Hiding in plain sight: PhantomLance walks into a market\r\nBy Alexey Firsh\r\nPublished: 2020-04-28 · Archived: 2026-04-05 14:34:03 UTC\r\nIn July 2019, Dr. Web reported a backdoor trojan in Google Play that appeared to be sophisticated and unlike the common malware often uploaded for stealing victims’ money or displaying ads. So, we conducted an inquiry of our own, discovering a long-term campaign, which we dubbed “PhantomLance”, with its earliest registered domain dating back to December 2015. We found dozens of related samples that had been appearing in the wild since 2016 and had been deployed in various application marketplaces including Google Play. One of the latest samples was published on the official Android market on November 6, 2019. We informed Google of the malware, and it was removed from the market shortly after.\r\nThe latest example of spyware in Google Play disguised as a browser cleaner\r\nDuring our investigation, we discovered various overlaps with reported OceanLotus APT campaigns. In particular, we found multiple code similarities with the previous Android campaign, as well as with macOS backdoors, infrastructure overlaps with Windows backdoors and a few cross-platform resemblances.\r\nBesides the attribution details, this document describes the actors’ spreading strategy, their techniques for bypassing app market filters, malware version diversity and the latest sample deployed in 2020, which uses Firebase to decrypt the malicious payload. We also found out that the BlackBerry Cylance research team investigated this activity.\r\nhttps://securelist.com/apt-phantomlance/96772/\r\nPage 1 of 18\r\nOur report is broken down into several sections.\r\n1. Malware versions – technical description of the versions found, their features and the relationships between them.\r\n2. Spread – information on specific tactics used by the threat actors for distributing their malware.\r\n3. Infrastructure – further details on uncovered infrastructure pieces as well as overlaps found.\r\n4. Victimology – thoughts on the actors’ interests in choosing their targets.\r\n5. Overlaps with previous campaigns – details of similarities with all related campaigns that we have identified.\r\nMore information on PhantomLance is available to customers of Kaspersky Intelligence Reporting. For more information, contact intelreports@kaspersky.com\r\nMalware versions\r\nFor the purposes of the research, we divided the samples we found into a series of “versions” based on technical complexity: from the basic Version 1 to the highly sophisticated Version 3. Note that they do not fully correlate with the chronological order of their appearance in the wild (ITW): for example, we observed Version 1 samples in late 2019 and in 2017, the year in which we also saw Version 3.\r\nThe functionality of all samples is similar – the main purpose of the spyware was to gather sensitive information. While the basic functionality was not very broad, and included geolocation, call logs, contact access and SMS access, the application could also gather a list of installed applications, as well as device information, such as model and OS version. Furthermore, the threat actor was able to download and execute various malicious payloads, thus adapting the payload to the specific device environment, such as Android version and installed apps. This way the actor is able to avoid overloading the application with unnecessary features and at the same time gather the information needed.\r\nVersion 1\r\nWe attribute the latest Google Play sample (MD5: 2e06bbc26611305b28b40349a600f95c) to this version. This is a clear payload, and unlike the other versions, it does not drop an additional executable file. Our main theory about the reasons for all these versioning maneuvers is that the attackers are trying to use diverse techniques to achieve their key goal: to bypass the official Google marketplace filters. And achieve it they did, as even this version passed Google’s filters and was uploaded to the Google Play Store in 2019 (see Spread for details).\r\nNo suspicious permissions are mentioned in the manifest file; instead, they are requested dynamically and hidden inside the dex executable. This seems to be a further attempt at circumventing security filtering. In addition to that, there is a feature that we have not seen before: if root privileges are accessible on the device, the malware can use a reflection call to the undocumented API function “setUidMode” to get the permissions it needs without user involvement.\r\nNote that this trick only works with Android SDK version 19 or higher.\r\nMost of the aforementioned operations naturally require root access, but we believe that the root exploit may be delivered as a payload in a server response to the collected device info. Also, some of the applications that the malware mimics will have notified the user that they only work on rooted devices. For instance, Browser Cleaner can only clean up the browser cache if it is given root permissions.\r\nVersion 2\r\nSpecimens of this version were also detected in 2019 and earlier. One of the samples was located in the Google Play Store in November 2019 and described in the Dr. Web blog. Based on our detection statistics and the version stamps we spotted, we believe that this version is a replacement for Version 3, which we did not observe in 2019.\r\nBelow are the most valuable points and main differences from Version 1.\r\nThe malicious payload APK is now packed in an encrypted file in the assets directory and is decrypted by the first stage using the AES algorithm. The decryption key and initialization vector (IV) are located in the first 32 + 16 bytes of the encrypted payload.\r\nAfter decryption, the asset file will look like this.\r\nAs you can see, before the APK magic, the file header contains strings that are used for making further reflection calls to payload methods. Here is the first-stage code fragment with explanations regarding the payload loading process.\r\nAll Version 2 payloads use the same package name, “com.android.play.games”, which probably mimics the official Google Play Games package, “com.google.android.play.games”.\r\nMoreover, we spotted developer version stamps in the decrypted payloads.\r\nMD5 | Developer version stamp\r\n65d399e6a77acf7e63ba771877f96f8e | 5.10.6084\r\n6bf9b834d841b13348851f2dc033773e | 5.10.6090\r\n8d5c64fdaae76bb74831c0543a7865c3 | 5.10.9018\r\n3285ae59877c6241200f784b62531694 | 5.10.9018\r\ne648a2cc826707aec33208408b882e31 | 5.10.9018\r\nIt is worth mentioning the payload manifests, which do not contain any permission requests. As stated in the description of Version 1, the permissions required by the malicious features are granted via an undocumented Android API.\r\nWe have found two different certificates used for signing Version 2 payloads.\r\nMD5 | Certificate\r\n6bf9b834d841b13348851f2dc033773e, 65d399e6a77acf7e63ba771877f96f8e | Serial Number: 0xa4ed88e620b8262e; Issuer: CN=Lotvolron; Validity: from = Wed Jan 20 11:30:49 MSK 2010\r\n8d5c64fdaae76bb74831c0543a7865c3, 3285ae59877c6241200f784b62531694, e648a2cc826707aec33208408b882e31 | Serial Number: 0xd47c08706d440384; Issuer: CN=Ventoplex; Validity: from = Wed Apr 13 05:21:26 MSK 2011\r\nAlthough the validity dates look spoofed in both cases and do not point to any real deployment times, by analyzing all payload certificates, we discovered that the second one (Ventoplex) was used to sign Version 3 payloads as well.\r\nVersion 2.1\r\nThe latest samples of PhantomLance, discovered in early 2020, introduced a new technique for decrypting payloads: the malicious payload was shipped with its dropper, encrypted with AES. The key is not stored anywhere in the dropper itself but is sent to the device using Google’s Firebase remote config system. The other technical features are very similar to the ones we observed in Version 2, so we tagged this generation as Version 2.1.\r\nWe were able to make a valid request to PhantomLance’s Firebase API. The response consisted of a JSON struct containing the AES decryption key, where the “code_disable” value is the decryption key for the payload.\r\n{\r\n    \"entries\": {\r\n        \"code_disable\": \"27ypYitp1UFc9Tvh\"\r\n    },\r\n    \"appName\": \"com.ozerlab.callrecorder\",\r\n    \"state\": \"UPDATE\"\r\n}\r\nImportantly, the dropper expects the AES decryption key to be stored in a parameter named “code”, so this specific variant should not function properly. We also noticed that Firebase previously returned one more field, named “conf_disable”, with the same value as “code_disable”, so we assume that the actors are still tinkering with this new feature.\r\nAnother interesting technique that the actors are trying to implement is a third-stage payload implant. The second-stage payload (MD5: 83cd59e3ed1ba15f7a8cadfe9183e156) contains an APK file named “data” (MD5: 7048d56d923e049ca7f3d97fb5ba9812) with a corrupted header in the assets path.\r\nThe second stage reads this APK file, decrypts it and rewrites its first 27 bytes as described below.\r\nThis results in an APK file (MD5: c399d93146f3d12feb32da23b75304ba) that appears to be a typical PhantomLance payload configured with already known C2 servers (cloud.anofrio[.]com, video.viodger[.]com, api.anaehler[.]com). This third-stage APK is deployed with a custom native library named “data.raw”, also stored in the assets path. This library is used for achieving persistence on the infected device and appears to be a custom daemonized ELF executable based on the open-source “daemon.c” Superuser tool component, while in previous samples we saw MarsDaemon used for this purpose.\r\nCode comparison of the library used to daemonize the third-stage payload with the daemon.c source code hosted on GitHub\r\nVersion 3\r\nAlthough Version 2 appears to have replaced this version (we have not observed any new deployments of Version 3 in 2019), Version 3 still looks more advanced in terms of technical details than Version 2. According to our detection statistics and deployment dates on application markets, Version 3 was active at least from 2016 to 2018.\r\nBelow are the most valuable points and main differences between Version 3 and Version 2.\r\nThe first-stage dropper appears even more obfuscated than that of Version 2; it uses a similar way of decrypting the payload, but with minor differences. The encrypted content is split into multiple asset files under 10256 bytes in size, plus an encrypted config file that contains the payload decryption details.\r\nBelow is the payload decryption sequence.\r\n1. Decrypt the payload config file from the assets using both a hardcoded name and a hardcoded AES key.\r\n2. Read the following values from the decrypted payload config file, in this order:\r\n   - AES key for APK payload decryption\r\n   - Class and method names for reflection calls to the payload\r\n   - MD5 for the APK payload integrity check\r\n   - Number and names of the split APK payload parts\r\n3. Decrypt the APK payload header hardcoded in the first stage with the AES key from the payload config. Write it to the APK payload file.\r\n4. Using the decrypted names of the split payload parts, decrypt their content and append them to the APK payload file one by one.\r\n5. Check the integrity of the resulting APK payload file by comparing it with the MD5 value decrypted from the payload config.\r\n6. Load and run the APK payload.\r\nThe following reversed code fragment represents the actual payload decryption process.\r\nEach Version 3 payload has the same package name, “com.android.process.gpsp”, and is signed with the same certificate (CN=Ventoplex) used to sign some of the Version 2 payloads.\r\nThe only developer version stamp that we have found in Version 3 payloads is “10.2.98”.\r\nAnother notable finding is the 243e2c6433815f2ecc204ada4821e7d6 sample, which we believe belongs to a Version 3 payload. However, no related dropper has been spotted in the wild, and unlike the other payloads, it is signed with a debug certificate and not obfuscated at all, revealing all variable/class/method names and even BuildConfig values. Our guess is that this is a debug developer version that somehow got leaked.\r\nAs a conclusion to this technical review, it is worth saying that all payloads across the different versions, even Version 1, which is in fact a clear payload without a dropper, share a code structure and the locations where sensitive strings, such as C2 addresses, are stored.\r\nSpread\r\nThe main spreading vector used by the threat actors is distribution through application marketplaces. Apart from com.zimice.browserturbo, which we have reported to Google, and com.physlane.opengl, reported by Dr. Web, we have observed tracks indicating that many malicious applications were deployed to Google Play in the past and have now been removed.\r\nThese search results contain a link to already-removed malware in Google Play\r\nBelow are some of the applications whose appearance in Google Play we can confirm.\r\nPackage name | Google Play persistence date (at least)\r\ncom.zimice.browserturbo | 2019-11-06\r\ncom.physlane.opengl | 2019-07-10\r\ncom.unianin.adsskipper | 2018-12-26\r\ncom.codedexon.prayerbook | 2018-08-20\r\ncom.luxury.BeerAddress | 2018-08-20\r\ncom.luxury.BiFinBall | 2018-08-20\r\ncom.zonjob.browsercleaner | 2018-08-20\r\ncom.linevialab.ffont | 2018-08-20\r\nBesides, we have identified multiple third-party marketplaces that, unlike Google Play, still host the malicious applications, such as https://apkcombo[.]com, https://apk[.]support/, https://apkpure[.]com, https://apkpourandroid[.]com and many others.\r\nExample of a malicious application with a description in Vietnamese that is still available in a third-party marketplace (hxxps://androidappsapk[.]co/detail-cham-soc-be-yeu-babycare/)\r\nIn nearly every case of malware deployment, the threat actors try to build a fake developer profile by creating a GitHub account that contains only a fake end-user license agreement (EULA). An example is the one below, reported by us to Google.\r\nThis Google Play page contains a fake developer email\r\nHere is a related GitHub account with the same handle, registered on October 17, 2019.\r\nA GitHub profile that is part of the fake developer identity\r\nThe account contains only one repository with one file described as some type of EULA.\r\nDuring our extensive investigation, we spotted a certain tactic often used by the threat actors for distributing their malware. The initial versions of applications uploaded to app marketplaces did not contain any malicious payloads or code for dropping a payload. These versions were accepted because they contained nothing suspicious, but follow-up versions were updated with both malicious payloads and code to drop and execute these payloads. We were able to confirm this behavior in all of the samples, and we were able to find two versions of the applications, with and without a payload.\r\nAn example of this behavior can be seen in Ads Skipper (https://apkpure[.]ai/ads-skipper), in ApkPure.\r\nVersions of Ads Skipper with (v. 2.0) and without (v. 1.0) a malicious payload in ApkPure\r\nThird-party marketplaces like those mentioned above often serve as a mirror for Google Play: they simply copy applications and metadata from Google Play to their own servers. Therefore, it is safe to assume that the samples listed in the table were copied from Google Play as well.\r\nInfrastructure\r\nWhile analyzing the C2 server infrastructure, we quickly identified multiple domains that shared similarities with previous ones but were not linked to any known malware samples. This allowed us to uncover more pieces of the attackers’ infrastructure.\r\nExample of related infrastructure\r\nTracking PhantomLance’s old infrastructure, which dated back four years, we noticed that the expired domain names had been extended. This maintenance suggests that the infrastructure might be used again in the future.\r\nDomain | Registered | Last updated\r\nosloger[.]biz | 2015-12-09 | 2019-12-01\r\nlog4jv[.]info | 2015-12-09 | 2019-11-26\r\nsqllitlever[.]info | 2015-12-09 | 2019-11-26\r\nanofrio[.]com | 2017-05-16 | 2020-03-30\r\nanaehler[.]com | 2017-05-16 | 2020-03-30\r\nviodger[.]com | 2017-05-16 | 2020-04-07\r\nThe PhantomLance TTPs indicate that samples are configured only with subdomains as C2 servers, while most, but not all, parent domains do not have their own IP resolution. We checked the ones that did have a valid resolution and found that they all resolved to the same IP address: 188.166.203[.]57. It belongs to the DigitalOcean cloud infrastructure provider and, according to DomainTools, hosts a total of 129 websites.\r\nLooking up records for this IP address in our passive DNS database shows that a few dozen of these websites are legitimate; the address also hosts the aforementioned PhantomLance domains and two more interesting overlaps with OceanLotus infrastructure:\r\n- browsersyn[.]com: a known domain used as a C2 in a previously publicly reported sample (MD5: b1990e19efaf88206f7bffe9df0d9419) considered by the industry to be the OceanLotus APT.\r\n- cerisecaird[.]com: privately received information indicates that this domain is related to OceanLotus as well.\r\nVictimology\r\nWe have observed around 300 infection attempts on Android devices in India, Vietnam, Bangladesh, Indonesia and other countries, starting in 2016. Below is a rough cartographic representation of the countries with the most attempted attacks.\r\nWe have also seen a number of detections in Nepal, Myanmar and Malaysia. As you can see, this part of South Asia seems to be targeted by the actors the most.\r\nNote that due to the chosen distribution vector (publication of malicious samples on publicly available application stores), there are likely secondary infections of random victims not directly related to the actors’ interests.\r\nTo get more details on the targeted victims, we looked at the types of applications that the malware mimicked. Apart from common luring applications, such as Flash plugins, cleaners and updaters, there were those that specifically targeted Vietnam.\r\nluxury.BeerAddress – “Tim quan nhau | Tìm quán nhậu” (“Find each other | Find pubs” in Vietnamese). An application for finding the nearest pub in Vietnam.\r\ncodedexon.churchaddress – “Địa Điểm Nhà Thờ” (“Church Place”). Publisher description (hxxps://apk.support/app-en/com.codedexon.churchaddress) translated from Vietnamese: Information about churches near you or the whole of Vietnam, information about patronies, priests, phone numbers, websites, email, activities, holidays…\r\nbulknewsexpress.news – “Tin 247 – Đọc Báo Hàng Ngày” (“Read Daily Newspaper”). Mimics the Vietnamese www.tin247.com mobile news application.\r\nOverlaps with previous campaigns\r\nIn this section, we provide a correlation of PhantomLance’s activity with previously reported campaigns related to the OceanLotus APT.\r\nOceanLotus Android campaign in 2014-2017\r\nIn May 2019, Antiy Labs published a report (https://www.antiy.net/p/analysis-of-the-attack-of-mobile-devices-by-oceanlotus/) in which they described an Android malware campaign, claiming that it was related to the OceanLotus APT. We checked the provided indicators using information from our telemetry and found that the very first tracks of these samples date back to December 2014.\r\nIt is important to note that, according to our detection statistics, the majority of users affected by this campaign were located in Vietnam, with the exception of a small number of individuals located in China.\r\nThe main infection vector seems to be links to malicious applications hosted on third-party websites, possibly distributed via SMS or email spearphishing attacks. Examples are below.\r\nReferring URL for victim | Malware URL\r\nhxxp://download.com[.]vn/android/download/nhaccuatui-downloader/31798 | hxxp://113.171.224.175/videoplayer/NhacCuaTuiDownloader[.]apk\r\n(illegible) | hxxp://nhaccuatui.android.zyngacdn.com/NhacCuaTuiDownloader[.]apk\r\nhxxp://www.mediafire.com/file/1elber8zl34tag4/framaroot-xpro[.]apk | hxxp://download1825.mediafire.com/tyxddh46orzg/1elber8zl34tag4/framaroot-xpro[.]apk\r\nThe latest registered malware download event occurred in December 2017. We observed a small amount of activity in 2018, but judging by the volume of hosted malware and the number of detections we observed, the main campaign took place from late 2014 to 2017.\r\nTo best visualize the similarities we discovered, we made a code structure comparison of the sample from the old reported OceanLotus Android campaign (MD5: 0e7c2adda3bc65242a365ef72b91f3a8) and the only unobfuscated (probably a developer version) PhantomLance payload v3 (MD5: 243e2c6433815f2ecc204ada4821e7d6).\r\nCode structure comparison of a sample linked to OceanLotus and PhantomLance payload v3.\r\nDespite the multiple differences, we observed a similar pattern used in the malware implementation. It seems that the developers have renamed “module” to “plugin”, but the meaning remains the same. Overlapping classes look quite similar and have the same functionality. For example, here is a comparison of the methods contained in the Parser classes.\r\nParser from 0e7c2adda3bc65242a365ef72b91f3a8 | ParserWriter/Reader from 243e2c6433815f2ecc204ada4821e7d6\r\npublic void appendBoolean(boolean f) | public void appendBoolean(boolean value)\r\npublic void appendByte(byte data) | public void appendByte(byte value)\r\npublic void appendBytes(byte[] data) | public void appendBytes(byte[] value)\r\npublic void appendDouble(double val) | public void appendDouble(double value)\r\npublic void appendInt(int val) | public void appendInt(int value)\r\npublic void appendLong(long val) | public void appendLong(long value)\r\n | private void appendNumber(Object value)\r\npublic void appendShort(short val) | public void appendShort(short value)\r\npublic void appendString(String str) | public void appendString(String value)\r\npublic byte[] getContents() | public byte[] getContents()\r\npublic void appendFloat(float val) | \r\npublic boolean getBoolean() | public boolean getBoolean()\r\npublic byte getByte() | public byte getByte()\r\npublic byte[] getBytes() | public byte[] getBytes()\r\npublic double getDouble() | public double getDouble()\r\npublic float getFloat() | \r\npublic int getInt() | public int getInt()\r\npublic long getLong() | public long getLong()\r\npublic short getShort() | public short getShort()\r\nbyte getSignal() | \r\npublic String getString() | public String getString()\r\n | getStringOfNumber()\r\nUsing our malware attribution technology, we can see that the PhantomLance payloads are at least 20% similar to the ones from the old OceanLotus Android campaign.\r\nOceanLotus macOS backdoors\r\nThere are multiple public reports of macOS backdoors linked by the industry to OceanLotus. We examined these in order to find possible overlaps, with the caveat that comparing malware implemented for two completely different platforms, and therefore in two different programming languages, is really difficult. However, during the analysis of the macOS payload (MD5: 306d3ed0a7c899b5ef9d0e3c91f05193) dated early 2018, we were able to catch a few minor tracks of the code pattern used in the Android malware implementation described above. In particular, three out of seven main classes had the same names and similar functionality: “Converter”, “Packet” and “Parser”.\r\nSummary of overlaps\r\nAnother notable attribution token that applies to most OceanLotus malware across platforms is the use of three different, redundant C2 servers by each sample, mostly subdomains. Below is an example of this from the samples examined above and from the OceanLotus Windows malware described in our private report.\r\nMD5 | C2 servers | Description\r\n0d5c03da348dce513bf575545493f3e3 | mine.remaariegarcia[.]com, egg.stralisemariegar[.]com, api.anaehler[.]com | PhantomLance Android\r\nd1eb52ef6c2445c848157beaba54044f | sadma.knrowz[.]com, ckoen.dmkatti[.]com, itpk.mostmkru[.]com | OceanLotus Android campaign 2014-2017\r\n306d3ed0a7c899b5ef9d0e3c91f05193 | ssl.arkouthrie[.]com, s3.hiahornber[.]com, widget.shoreoa[.]com | OceanLotus macOS backdoor\r\n51f9a7d4263b3a565dec7083ca00340f | ps.andreagahuvrauvin[.]com, paste.christienollmache[.]xyz, att.illagedrivestralia[.]xyz | OceanLotus Windows backdoor\r\nBased on our complete analysis of previous campaigns, the actors’ interest in victims located in Vietnam, the infrastructure overlaps between PhantomLance and OceanLotus for Windows, and the multiple code similarities with the old Android campaign and the macOS backdoors, we attribute the whole set of Android activity (the 2014-2017 campaign and PhantomLance) to OceanLotus with medium confidence.\r\nConsidering the timeline of the Android campaigns, we believe that the activity reported by Antiy Labs is a previous campaign that was conducted by OceanLotus until 2017, and that PhantomLance is its successor, active since 2016.\r\nIn summarizing the results of this research, we are able to assess the scope and evolution of the actors’ set of Android activity, which has been operating for almost six years.\r\nIOC\r\nKaspersky Lab product verdicts\r\nPhantomLance\r\nHEUR:Backdoor.AndroidOS.PhantomLance.*\r\nHEUR:Trojan-Dropper.AndroidOS.Dnolder.*\r\nAndroid campaign linked to OceanLotus (2014-2017)\r\nHEUR:Trojan.AndroidOS.Agent.eu\r\nHEUR:Trojan.AndroidOS.Agent.vg\r\nHEUR:Trojan-Downloader.AndroidOS.Agent.gv\r\nmacOS campaign linked to OceanLotus\r\nHEUR:Backdoor.OSX.OceanLotus.*\r\nMD5\r\nPhantomLance malware\r\nPhantomLance payload-free versions\r\nAndroid campaign 2014-2017\r\nDomains and IP addresses\r\nPhantomLance\r\nAndroid campaign 2014-2017\r\nSource: https://securelist.com/apt-phantomlance/96772/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://securelist.com/apt-phantomlance/96772/"
	],
	"report_names": [
		"96772"
	],
	"threat_actors": [
		{
			"id": "af509bbb-8d18-4903-a9bd-9e94099c6b30",
			"created_at": "2023-01-06T13:46:38.585525Z",
			"updated_at": "2026-04-10T02:00:03.030833Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"OceanLotus",
				"ATK17",
				"G0050",
				"APT-C-00",
				"APT-32",
				"Canvas Cyclone",
				"SeaLotus",
				"Ocean Buffalo",
				"OceanLotus Group",
				"Cobalt Kitty",
				"Sea Lotus",
				"APT 32",
				"POND LOACH",
				"TIN WOODLAWN",
				"Ocean Lotus"
			],
			"source_name": "MISPGALAXY:APT32",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "870f6f62-84f5-48ca-a18e-cf2902cd6924",
			"created_at": "2022-10-25T15:50:23.303818Z",
			"updated_at": "2026-04-10T02:00:05.301184Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"APT32",
				"SeaLotus",
				"OceanLotus",
				"APT-C-00",
				"Canvas Cyclone"
			],
			"source_name": "MITRE:APT32",
			"tools": [
				"Mimikatz",
				"ipconfig",
				"Kerrdown",
				"Cobalt Strike",
				"SOUNDBITE",
				"OSX_OCEANLOTUS.D",
				"KOMPROGO",
				"netsh",
				"RotaJakiro",
				"PHOREAL",
				"Arp",
				"Denis",
				"Goopy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5da6b5fd-1955-412a-81aa-069fb50b6e31",
			"created_at": "2025-08-07T02:03:25.116085Z",
			"updated_at": "2026-04-10T02:00:03.668978Z",
			"deleted_at": null,
			"main_name": "TIN WOODLAWN",
			"aliases": [
				"APT32 ",
				"Cobalt Kitty",
				"OceanLotus",
				"WOODLAWN "
			],
			"source_name": "Secureworks:TIN WOODLAWN",
			"tools": [
				"Cobalt Strike",
				"Denis",
				"Goopy",
				"JEShell",
				"KerrDown",
				"Mimikatz",
				"Ratsnif",
				"Remy",
				"Rizzo",
				"RolandRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2439ad53-39cc-4fff-8fdf-4028d65803c0",
			"created_at": "2022-10-25T16:07:23.353204Z",
			"updated_at": "2026-04-10T02:00:04.55407Z",
			"deleted_at": null,
			"main_name": "APT 32",
			"aliases": [
				"APT 32",
				"APT-C-00",
				"APT-LY-100",
				"ATK 17",
				"G0050",
				"Lotus Bane",
				"Ocean Buffalo",
				"OceanLotus",
				"Operation Cobalt Kitty",
				"Operation PhantomLance",
				"Pond Loach",
				"SeaLotus",
				"SectorF01",
				"Tin Woodlawn"
			],
			"source_name": "ETDA:APT 32",
			"tools": [
				"Agentemis",
				"Android.Backdoor.736.origin",
				"AtNow",
				"Backdoor.MacOS.OCEANLOTUS.F",
				"BadCake",
				"CACTUSTORCH",
				"CamCapture Plugin",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"Cuegoe",
				"DKMC",
				"Denis",
				"Goopy",
				"HiddenLotus",
				"KOMPROGO",
				"KerrDown",
				"METALJACK",
				"MSFvenom",
				"Mimikatz",
				"Nishang",
				"OSX_OCEANLOTUS.D",
				"OceanLotus",
				"PHOREAL",
				"PWNDROID1",
				"PhantomLance",
				"PowerSploit",
				"Quasar RAT",
				"QuasarRAT",
				"RatSnif",
				"Remy",
				"Remy RAT",
				"Rizzo",
				"Roland",
				"Roland RAT",
				"SOUNDBITE",
				"Salgorea",
				"Splinter RAT",
				"Terracotta VPN",
				"Yggdrasil",
				"cobeacon",
				"denesRAT",
				"fingerprintjs2"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434429,
	"ts_updated_at": 1775792182,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c9940c1746f5ad56c7cbac1d4095fdff766491cc.pdf",
		"text": "https://archive.orkl.eu/c9940c1746f5ad56c7cbac1d4095fdff766491cc.txt",
		"img": "https://archive.orkl.eu/c9940c1746f5ad56c7cbac1d4095fdff766491cc.jpg"
	}
}