{
	"id": "031ac35f-95c4-48bb-8b0b-3ebdb41b37ac",
	"created_at": "2026-04-06T00:18:22.966367Z",
	"updated_at": "2026-04-10T13:11:54.279181Z",
	"deleted_at": null,
	"sha1_hash": "cc7baacb14e7d70a3e014ccb838163705c568c6f",
	"title": "SpyNote targets IRCTC users",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1147365,
	"plain_text": "SpyNote targets IRCTC users\r\nPublished: 2023-05-10 · Archived: 2026-04-05 14:55:46 UTC\r\nWe at K7 Labs recently came across an email message, shown in Figure 1, from the Indian Railway Catering and Tourism Corporation (IRCTC) warning about SpyNote, an Android RAT targeting IRCTC users. This spyware is used not only to steal users’ sensitive information but also to track a user’s location and remotely control the victim’s device.\r\nhttps://labs.k7computing.com/index.php/spynote-targets-irctc-users/\r\nPage 1 of 11\r\nFigure 1: Email Notification from IRCTC\r\nLet’s now get into the details of how this SpyNote sample works.\r\nThis RAT is propagated via WhatsApp with the malicious link https://irctc[.]creditmobile[.]site/irctcconnect[.]apk. Once the user falls prey to this lure and installs the malicious “irctcconnect.apk”, the app masquerades as IRCTC by using a look-alike icon in the device app drawer, as shown in Figure 2.\r\nFigure 2: Fake IRCTC icon\r\nOnce the RAT is installed, it repeatedly brings up the Accessibility Service settings screen, as shown in Figure 3, until the user eventually grants the app the Accessibility Service.\r\nFigure 3: Request for Accessibility Service\r\nTechnical Analysis\r\nWith the access obtained in Figure 3, this APK acts as a Trojan with keylogger capabilities. It creates a directory “Config/sys/apps/log” in the device’s external storage, and the captured keystrokes are saved to the file “log-yyyy-mm-dd.log” in that directory, where yyyy-mm-dd is the date on which the keystrokes were captured, as shown in Figure 4.\r\nFigure 4: Creating Log files\r\nThe malware also collects location information: altitude, latitude, longitude, precision (accuracy) and even the speed at which the device is moving, as shown in Figure 5.\r\nFigure 5: Collects the device location information\r\nSpyNote then combines all the aforementioned data and compresses it (using the GZIPOutputStream API) before forwarding it to the C2 server, as shown in Figure 6.\r\nFigure 6: Data compression using GZIPOutputStream\r\nC2 Communication\r\nThis RAT contacts the C2 server online[.]spaxdriod[.]studio at IP 154.61.76[.]99; the address is hardcoded in the sample, as shown in Figure 7.\r\nFigure 7: Hardcoded C2 URL\r\nFigure 8 shows the connection established with the C2.\r\nFigure 8: TCP connection with the C2 server\r\nAfter the connection is established, the malware sends the gzip-compressed data to the C2, as is evident from the gzip header (magic bytes 1f 8b) at the start of the payload in the network packet in Figure 9.\r\nFigure 9: gzip data sent by the device after establishing the connection with the C2 server\r\nThe decompressed content of that data is shown in Figure 10.\r\nFigure 10: Decompressed gzip data showing IP address\r\nDecoding packets from the C2\r\nThe C2 responds with a series of compressed blobs which, when decompressed, turn out to be commands and the related APK payload, as shown in Figure 11. In our case, the APK was extracted using CyberChef.\r\nFigure 11: Getting commands and APK file from C&C server\r\nWe analyzed the C&C command ‘info’ and the associated APK. This command collects the clipboard data and checks the victim’s device for the presence of a hardcoded list of mobile security products, possibly with the aim of disabling them or reporting their presence to the C2.\r\nFigure 12: Collects the clipboard information\r\nFigure 13: Checks for the presence of security related products\r\nThe structure of the commands sent from the C2 to the victim’s device is as follows:\r\nFigure 14: Commands sent by C2\r\nAt K7, we protect all our customers from such threats. Do ensure that you protect your mobile devices with a reputable security product like K7 Mobile Security, and regularly update and scan your devices with it. Also keep your devices updated and patched against the latest vulnerabilities.\r\nIndicators of Compromise (IoCs)\r\nPackage Name | Hash (MD5) | Detection Name\r\ncom.appser.verapp | 45c154af52c65087161b8d87e212435a | Spyware ( 0056a7b31 )\r\nURL\r\nhttps://irctc[.]creditmobile[.]site/irctcconnect[.]apk\r\nC2\r\n154.61.76[.]99\r\nonline[.]spaxdriod[.]studio\r\nMITRE ATT&CK\r\nTactics | Techniques\r\nDefense Evasion | Obfuscated Files or Information, Virtualization/Sandbox Evasion\r\nDiscovery | Application Discovery, Security Software Discovery, System Information Discovery\r\nCollection | Email Collection, Data from Local System\r\nCommand and Control | Encrypted Channel, Non-Standard Port\r\nSource: https://labs.k7computing.com/index.php/spynote-targets-irctc-users/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://labs.k7computing.com/index.php/spynote-targets-irctc-users/"
	],
	"report_names": [
		"spynote-targets-irctc-users"
	],
	"threat_actors": [],
	"ts_created_at": 1775434702,
	"ts_updated_at": 1775826714,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cc7baacb14e7d70a3e014ccb838163705c568c6f.pdf",
		"text": "https://archive.orkl.eu/cc7baacb14e7d70a3e014ccb838163705c568c6f.txt",
		"img": "https://archive.orkl.eu/cc7baacb14e7d70a3e014ccb838163705c568c6f.jpg"
	}
}
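The report above describes carving commands and an APK out of the gzip-compressed C2 replies by hand in CyberChef (Figures 9 to 11). The following is an added example, not code from the K7 Labs report or from the malware: it performs the same carving offline over a byte stream pulled out of a capture (for example a TCP stream exported from Wireshark), splitting it into gzip members with zlib, classifying each decompressed member as a text command, an APK (a ZIP carrying AndroidManifest.xml), a plain ZIP or opaque binary, and hashing any APK so it can be matched against the IoC list. The sample stream, the `ip=203.0.113.5` frame and the stub APK are constructed here; only the `info` command name comes from the report.

```python
"""Carve and classify gzip members from a SpyNote-style C2 byte stream.

Added example (not the report's or the malware's code). The report states the
RAT gzip-compresses outbound data and that the C2 answers with gzip blobs that
decompress to commands plus an APK; this does that extraction offline.
"""
import gzip
import hashlib
import io
import zipfile
import zlib

GZIP_MAGIC = b"\x1f\x8b"   # gzip member header
ZIP_MAGIC = b"PK\x03\x04"  # local file header of a ZIP / APK


def carve_gzip_members(stream: bytes):
    """Yield (offset, decompressed_bytes) for every complete gzip member.

    A captured TCP stream may hold several members back to back with junk in
    between. zlib's decompressobj reports where a member ends (unused_data),
    so no framing knowledge is needed. A magic-byte hit that does not
    decompress to a complete member is treated as a false positive and skipped.
    """
    pos = 0
    while True:
        idx = stream.find(GZIP_MAGIC, pos)
        if idx == -1:
            return
        d = zlib.decompressobj(16 + zlib.MAX_WBITS)  # 16+ selects gzip wrapping
        try:
            out = d.decompress(stream[idx:])
        except zlib.error:
            pos = idx + 1
            continue
        if not d.eof:          # truncated or not really a gzip member
            pos = idx + 1
            continue
        yield idx, out
        pos = len(stream) - len(d.unused_data)


def is_apk(payload: bytes) -> bool:
    """An APK is a ZIP that carries AndroidManifest.xml at its root."""
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            return "AndroidManifest.xml" in zf.namelist()
    except zipfile.BadZipFile:
        return False


def classify(payload: bytes) -> str:
    if payload.startswith(ZIP_MAGIC):
        return "apk" if is_apk(payload) else "zip"
    try:
        payload.decode("utf-8")
        return "text"
    except UnicodeDecodeError:
        return "binary"


def decode_c2_stream(stream: bytes) -> list:
    """Return one dict per carved member: offset, kind, size, text or sha256."""
    results = []
    for offset, payload in carve_gzip_members(stream):
        kind = classify(payload)
        entry = {"offset": offset, "kind": kind, "size": len(payload)}
        if kind == "text":
            entry["text"] = payload.decode("utf-8")
        elif kind in ("apk", "zip"):
            entry["sha256"] = hashlib.sha256(payload).hexdigest()
        results.append(entry)
    return results


def build_sample_stream() -> bytes:
    """Constructed stand-in for a pcap-extracted C2 stream (not real traffic).

    Two text frames and a stub APK, gzip'd back to back with two junk bytes
    between members. 'info' is the command named in the report; the 'ip=' frame
    (documentation address) and the stub APK contents are made up here.
    """
    apk = io.BytesIO()
    with zipfile.ZipFile(apk, "w") as zf:
        zf.writestr("AndroidManifest.xml", "<manifest/>")   # placeholder
        zf.writestr("classes.dex", b"dex\n035\x00")           # placeholder
    return (gzip.compress(b"info")
            + b"\x00\x00"
            + gzip.compress(b"ip=203.0.113.5")
            + gzip.compress(apk.getvalue()))


if __name__ == "__main__":
    for entry in decode_c2_stream(build_sample_stream()):
        print(entry)
```

To use it on a real capture, export the C2 TCP stream as raw bytes and pass them to `decode_c2_stream`; the `sha256` of any `apk` entry can be compared with the hashes in the IoC section, and the carved bytes written out for static analysis.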