{
	"id": "435fa0cd-7784-4cab-b20d-4c0e296ad31a",
	"created_at": "2026-04-06T00:10:01.820273Z",
	"updated_at": "2026-04-10T03:21:09.627382Z",
	"deleted_at": null,
	"sha1_hash": "ca05f7d1d86f884e2c33fea469a64e356d095bf2",
	"title": "Turkey targeted by Cerberus and Anubis Android banking Trojan campaigns",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 957332,
	"plain_text": "Turkey targeted by Cerberus and Anubis Android banking Trojan\r\ncampaigns\r\nBy BushidoToken\r\nPublished: 2020-05-09 · Archived: 2026-04-05 23:10:35 UTC\r\nI recently set out to become more acquainted with Maltego, a useful program for open-source intelligence\r\n(OSINT) and forensics, developed by Paterva. I also noticed there is an ongoing campaign against Turkey using\r\nAndroid banking Trojans such as Anubis and Cerberus. Both are Malware-as-a-Service offerings that supply a\r\nbuilder and mobile remote access Trojan (MRAT) to steal credentials from Android users.\r\nSecurity researchers such as @MalwareHunterTeam, @ReBensk, @pr3wtd, and @mertcangokgoz, and others\r\nhave all recently shared new samples of Cerberus and Anubis targeting users in Turkey with mobile data “gifts”\r\nthat are offered from their mobile carriers due to COVID-19. Various websites are registered hosting links to fake\r\napps, which were downloaded from the threat actor’s GitLab or BitBucket repositories. These apps are Android\r\npackages (.APK) that can be distributed via SMS, instant messaging app, on Twitter, via email, and other social\r\nengineering techniques.\r\nWith the Tweets of these security researchers I compiled the indicators of compromise (IOCs) such as file hashes,\r\ndomains, IP addresses, and any other useful artefacts. 
I then fired up Maltego and began compiling the IOCs and\r\ntrying to figure out how it was all connected.\r\nMultiple Anubis campaigns:\r\nhttps://bushidotoken.blogspot.com/2020/05/turkey-targeted-by-cerberus-and-anubis.html\r\nPage 1 of 8\n\nCerberus GitLab campaign: \r\nCerberus BitBucket campaign: \r\nPhishing lures: \r\nNumber of people targeted in these campaigns: \r\nAdditional findings: \r\nFour of the command and control (C\u0026C) servers during the Cerberus BitBucket campaign were registered by the\r\nsame threat actor. All used the same throwaway Gmail address to register over a dozen malicious domains with\r\nthe \".top\" gTLD. 
\r\nAs previously mentioned the attackers are exploiting the lockdown due to the coronavirus with these key phrases\r\nin Turkish:\r\n- “Hediye” = Gift\r\n- “Evde internetim var” = Have internet at home\r\n- “Evde kal” = Stay at home\r\n- “Indir 20GB kazan” = Download win 20GB\r\n(Disclaimer - I only used Google translate)\r\nIndicators of Compromise: \r\nFilenames:\r\nEvdeHayatVar_build_obf.apk Covid_19.apk EvdeKal_build_obf.apk\r\nevdekal_obf.apk Covid19MobileInstall_obf.apk Vodafone-5G.apk\r\nevdekal-20gb.apk Covid-19Mobile.apk GooglePlay.apk\r\n20gb-evdekal.apk 20GBHediye.apk 20gb_hediye_internet.apk\r\n30GbKazan.apk 20gbhediyesi.apk HayatEveSigar.apk\r\nhediye20gb.apk 20gb-evde-kal.apk SenEvdesinDiye_build_obf.apk\r\n20gb_hediye_internet.apk hediye20gb.apk hayatevesigar.apk\r\nevdekaliyorum.apk basvuru_devlet_destegi.apk evde-kal.apk\r\nUsers: \r\nhttps://bitbucket[.]org/nilsudemir1881\r\nhttps://bitbucket[.]org/kaankaratas12881\r\nhttps://bitbucket[.]org/emreadamol34\r\nhttps://gitlab[.]com/akif65336\r\nhttps://gitlab[.]com/ordulkemal2\r\nIOCs such as Hashes, Domains, URLs, and IPv4 addresses can be found on my OTX feed here.\r\nSources: \r\nSource: https://bushidotoken.blogspot.com/2020/05/turkey-targeted-by-cerberus-and-anubis.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://bushidotoken.blogspot.com/2020/05/turkey-targeted-by-cerberus-and-anubis.html"
	],
	"report_names": [
		"turkey-targeted-by-cerberus-and-anubis.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434201,
	"ts_updated_at": 1775791269,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ca05f7d1d86f884e2c33fea469a64e356d095bf2.pdf",
		"text": "https://archive.orkl.eu/ca05f7d1d86f884e2c33fea469a64e356d095bf2.txt",
		"img": "https://archive.orkl.eu/ca05f7d1d86f884e2c33fea469a64e356d095bf2.jpg"
	}
}