{
	"id": "f26a096b-5bb3-42f0-974b-0fdd67a04872",
	"created_at": "2026-04-06T00:15:30.200239Z",
	"updated_at": "2026-04-10T03:20:22.683397Z",
	"deleted_at": null,
	"sha1_hash": "cc3f4b9cd49a979d4ba4b68649d0f9e3e53c83d4",
	"title": "New Spyware Used by Sextortionists | iOS/Android Blackmail",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2102298,
	"plain_text": "New Spyware Used by Sextortionists | iOS/Android Blackmail\r\nBy Lookout\r\nPublished: 2020-12-16 · Archived: 2026-04-05 13:36:23 UTC\r\nWith contributions from Diane Wee, Innovation Strategist at Lookout. Diane helped with the translation portion of\r\nthis research.\r\nThe Lookout Threat Intelligence team has discovered a new mobile app threat targeting iOS and Android users in\r\nChinese-speaking countries, Korea and Japan. The spyware, which we have named Goontact, targets users of\r\nillicit sites, typically offering escort services, and steals personal information from their mobile device. The types\r\nof sites used to distribute these malicious apps and the information exfiltrated suggest that the ultimate goal is\r\nextortion or blackmail.\r\nWe found that Goontact, which often disguises itself as a secure messaging application, can exfiltrate a wide range of data, such as:\r\nDevice identifiers and phone number.\r\nContacts.\r\nSMS messages.\r\nPhotos on external storage.\r\nLocation information.\r\nTablets and smartphones are a treasure trove of personal data. These devices store private data, such as contacts,\r\nphotos, messages and location. Access to all of this data enables cybercriminals like the operators of Goontact to\r\nrun a successful extortion campaign.\r\nMalicious functionality and impact\r\nThese sextortion scams are exploiting Chinese-, Japanese- and Korean-speaking people in multiple Asian\r\ncountries. Evidence on distribution sites also suggests that this operation is functional in China, Japan, Korea,\r\nThailand and Vietnam.\r\nThe scam begins when a potential target is lured to one of the hosted sites where they are invited to connect with\r\nwomen. 
Account IDs for secure messaging apps such as KakaoTalk or Telegram are advertised on these sites as\r\nthe best forms of communication, and the individual initiates a conversation.\r\nhttps://blog.lookout.com/lookout-discovers-new-spyware-goontact-used-by-sextortionists-for-blackmail\r\nPage 1 of 13\n\nLure site screenshots for Goontact that invite visitors to contact a KakaoTalk ID or a Telegram ID\r\nto access the services being advertised.\r\nIn reality, the targets are communicating with Goontact operators. Targets are convinced to install (or sideload) a\r\nmobile application on some pretext, such as audio or video problems. The mobile applications in question appear\r\nto have no real user functionality, except to steal the victim’s address book, which is then used by the attacker\r\nultimately to extort the target for monetary gain.\r\nPotential attribution\r\nWe found that the websites associated with Goontact bear many similarities in naming convention, appearance and\r\ntargeted geographic region. The sites also used logos associated with domains that were part of a sextortion\r\ncampaign reported by Trend Micro in 2015 [1].\r\nWe believe this campaign is operated by a crime affiliate, rather than nation-state actors. While we have yet to\r\nuncover any definitive infrastructure links, we believe it is highly probable that Goontact is the newest addition to\r\nthis threat actor's arsenal. Most notably, the iOS component of this scam has not been reported on before.\r\nBased on our research, the campaign has been active since at least 2013. However, the Goontact malware family is\r\nnovel and is still actively being developed. 
The earliest sample of Goontact observed by Lookout was in\r\nNovember 2018, with matching APK packaging and signing dates, leading us to believe malware development\r\nlikely started in this time frame.\r\nGoontact iOS\r\nRecent active Goontact distribution sites mimicking App Store pages. The servers used for\r\ndistribution of the malware also host a login panel indicating that they serve as command-and-control (C2) servers. The apps are under continuous development and have been updated multiple\r\ntimes per month.\r\nEarly samples of the iOS version of Goontact show that the primary functionality is to steal a victim’s phone number\r\nand contact list. Later iterations incorporated functionality to communicate with a secondary command-and-control\r\n(C2) server and display a message to the user that has been tailored by the attacker, before exiting the app.\r\nCode that exfiltrates a victim’s address list from an infected device.\r\nSigning identities\r\nGoontact on iOS relies on the user side-loading an IPA file from a distribution site. These sites contained links to a\r\ndistribution manifest, which provides a download URL for the IPA. To successfully do this, Goontact abuses the\r\nApple enterprise provisioning system.\r\nTo be distributed outside the App Store, an IPA file must contain a mobile provisioning profile with an enterprise\r\ncertificate. These enterprise certificates can be generated from the Apple Developer console and can then be used\r\nto code sign apps using a signing identity tied to the company’s developer profile or TeamID. 
The operators of\r\nGoontact were able to obtain enterprise certificates apparently associated with legitimate businesses to sign their\r\nmalware, which was then distributed on sites mimicking App Store pages.\r\nThe Apple Developer Enterprise program is intended to permit organizations to distribute proprietary, in-house\r\napps to their employees without needing to use the iOS App Store. A business can obtain access to this program\r\nonly if it meets the requirements set out by Apple.\r\nThis is a tactic similar to that used by other iOS threats we have observed, such as eSurvAgent. It requires the user to\r\ndownload the app through a browser, install it, navigate to their Settings app and then explicitly trust the signing\r\nidentity used to sign the IPA file. Only after the signing identity has been verified with Apple’s servers is\r\nthe app able to run on an iOS device.\r\nScreenshots of a live distribution site providing instructions on how to install the iOS version of\r\nGoontact. In the rightmost image above, the name of the company whose signing identity was used\r\nto create the mobile provisioning profile for the app can be seen.\r\nThe enterprise mobile provisioning profiles used by Goontact all reference apparently legitimate companies. 
The\r\nlist, as shown below, includes companies registered in China and in the United States across various sectors, such\r\nas power generation, credit unions, and railroads.\r\nTeamID TeamName (Company Name)\r\nAKSVA57833 Jinhua Changfeng Information Technology Co., Ltd.\r\n5YMLXQ5HEE Qingdao Haier Technology Co., Ltd.\r\nVWEN6QTM5A Linkplay Tech Inc.\r\nGCDHET33K9 Norfolk Southern Corporation\r\nKRDUAN5QNS Dalian Rural Commercial Bank Co., Ltd.\r\n7TLJH7GP4B Daikin Airconditioning (Hong Kong) Ltd\r\n5383H5PWBS AbleSky Inc.\r\n229BL7A3HR GUANGZHOU INSOONTO NETPAY TECHNOLOGY CO.; LTD.\r\n7RZF8699DK Guangzhou Jianxin Automation Technology Co.,Ltd.\r\nMost of the companies observed either have current or past developer profiles and applications on the iOS App\r\nStore. However, it is still unclear to us whether these signing identities have truly been compromised, or if they\r\nwere created by the malware operators masquerading as representatives of the companies in question.\r\nDuring our research we observed multiple signing identities being revoked. In those cases, new malware samples\r\nusing a new identity immediately appeared on the distribution sites. We sometimes observed this occurring\r\nmultiple times a month, indicating the actors behind Goontact have little difficulty acquiring access to additional\r\naccounts.\r\nGoontact Android\r\nThe Android component of Goontact is much more feature-rich. 
In addition to contact stealing, these samples\r\ncontain more advanced functionality such as exfiltration of SMS messages, photos and location.\r\nIcons of Goontact Android samples displaying the possible lures used in the campaign to entice\r\nindividuals to download and install the malware samples.\r\nInfrastructure\r\nMost command-and-control (C2) domains leveraged by Goontact are sites also hosting the iOS variant of the\r\nmalware. Almost all active malware C2s have login panels on non-standard ports such as 8085 and 9905.\r\nAll live C2 panels are in Chinese. This evidence, along with the names of the companies being used for\r\ndeveloper profiles, suggests that the developers and operators of the campaign are Chinese speakers.\r\nThe path component of the C2 URL in current samples commonly includes “/JYSystem/” on both iOS and\r\nAndroid, which is a reference to an open-source HTML template available on GitHub [2]. After exploring the\r\ninfrastructure during our research, we discovered dozens of active sites with the same patterns hosting numerous\r\nIPA files. A number of them are listed in our screenshot below, but new domains are registered daily. These\r\ndomains were linked to each other using shared IP addresses and SSL certificates.\r\nLure sites are middleman sites that offer the option of setting up dates and chats with women after paying a\r\nsession fee. Recent lure sites include links to the malicious applications and provide detailed installation\r\ninstructions to the victims. 
The malicious APK files have been observed to be hosted on the lure sites, but the IPA\r\nfiles are all hosted on separate distribution sites as described above.\r\nA lure site (red-v10[.]com) in Korean links back to Goontact samples hosted on one of the\r\ndistribution sites (redvios[.]com) along with instructions on how to install it. Sites are sensitive to\r\nUser-Agent headers in order to display an application appropriate for the device of the user.\r\nWhile the Goontact surveillance apps described in this campaign are not available on Google Play or the iOS App\r\nStore, the duration, breadth and tactics exhibited highlight the lengths to which malicious actors will go to deceive victims\r\nand bypass built-in protections. Lookout secures consumers and enterprise users from Goontact. On Android, all\r\nLookout users are protected, whereas on iOS, Lookout for Work users and Lookout Premium Plus subscribers are\r\nprotected.\r\nLookout Threat Advisory Services customers have already been notified with additional intelligence on this and\r\nother threats. 
Take a look at our Threat Advisory Services page to learn more.\r\nIndicators of Compromise\r\n[1] https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-sextortion-in-the-far-east.pdf\r\n[2] https://github.com/cnloli/JYSystem\r\nSource: https://blog.lookout.com/lookout-discovers-new-spyware-goontact-used-by-sextortionists-for-blackmail",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.lookout.com/lookout-discovers-new-spyware-goontact-used-by-sextortionists-for-blackmail"
	],
	"report_names": [
		"lookout-discovers-new-spyware-goontact-used-by-sextortionists-for-blackmail"
	],
	"threat_actors": [],
	"ts_created_at": 1775434530,
	"ts_updated_at": 1775791222,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cc3f4b9cd49a979d4ba4b68649d0f9e3e53c83d4.pdf",
		"text": "https://archive.orkl.eu/cc3f4b9cd49a979d4ba4b68649d0f9e3e53c83d4.txt",
		"img": "https://archive.orkl.eu/cc3f4b9cd49a979d4ba4b68649d0f9e3e53c83d4.jpg"
	}
}