{ "id": "08c43c36-c3bd-47ef-8953-f550dc078bda", "created_at": "2026-04-06T00:21:50.917448Z", "updated_at": "2026-04-10T03:37:37.071672Z", "deleted_at": null, "sha1_hash": "ccf0ca1c1021d562b6f580e408c0d89330b7ae4b", "title": "SpyNote (Malware Family)", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 71500, "plain_text": "SpyNote (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 22:32:20 UTC\r\nAccording to Cleafy, SpyNote abuses Accessibility services and other Android permissions in order to: Collect\r\nSMS messages and contacts list; Record audio and screen; Perform keylogging activities; Bypass 2FA; Track GPS\r\nlocations.\r\n2026-01-23 ⋅ Medium Ireneusz Tarnowski ⋅ Ireneusz Tarnowski\r\nSpyNote: Comprehensive Analysis of an Android Remote Access Trojan\r\nSpyNote 2025-05-19 ⋅ cocomelonc ⋅ cocomelonc\r\nAIYA - Mobile malware development book. First edition\r\nAndroRAT Anubis CraxsRAT Dendroid FakeGram Hydra IPStorm SpyNote 2025-04-10 ⋅ DomainTools ⋅ DomainTools\r\nNewly Registered Domains Distributing SpyNote Malware\r\nSpyNote 2025-02-09 ⋅ Medium (@mvaks) ⋅ mvaks\r\nAnalysis of malicious mobile applications impersonating popular Polish apps — OLX, Allegro, IKO\r\nSpyNote TrickMo 2024-11-21 ⋅ Intrinsec ⋅ CTI Intrinsec, Intrinsec\r\nPROSPERO \u0026 Proton66: Uncovering the links between bulletproof networks\r\nCoper SpyNote FAKEUPDATES GootLoader EugenLoader 2024-11-20 ⋅ Intrinsec ⋅ Equipe CTI\r\nPROSPERO \u0026 Proton66: Tracing Uncovering the links between bulletproof networks\r\nCoper SpyNote FAKEUPDATES GootLoader EugenLoader IcedID Matanbuchus Nokoyawa Ransomware\r\nPikabot 2024-10-08 ⋅ Hunt.io ⋅ Hunt.io\r\nInside a Cybercriminal’s Server: DDoS Tools, Spyware APKs, and Phishing Pages\r\nSpyNote 2024-06-26 ⋅ Group-IB ⋅ Group-IB\r\nCraxs Rat, the master tool behind fake app scams and banking fraud\r\nCraxsRAT SpyMax SpyNote 2024-06-20 ⋅ Hunt.io ⋅ Michael R\r\nCaught in the Act: Uncovering SpyNote in Unexpected Places\r\nSpyNote 2024-02-19 ⋅ Fortinet ⋅ Axelle Apvrille\r\nAndroid/SpyNote bypasses Restricted Settings + breaks many RE tools\r\nSpyNote 2024-02-15 ⋅ Fortinet ⋅ Axelle Apvrille\r\nAndroid/SpyNote Moves to Crypto Currencies\r\nSpyNote 2023-07-31 ⋅ Cleafy ⋅ Francesco Iubatti\r\nSpyNote continues to attack financial institutions\r\nSpyNote 2023-05-10 ⋅ K7 Security ⋅ Baran S\r\nspynote\r\nSpyNote 2023-01-05 ⋅ ThreatFabric ⋅ ThreatFabric\r\nSpyNote: Spyware with RAT capabilities targeting Financial Institutions\r\nSpyMax SpyNote 2023-01-05 ⋅ Bleeping Computer ⋅ Bill Toulas\r\nSpyNote Android malware infections surge after source code leak\r\nSpyNote 2022-12-06 ⋅ ⋅ 360 Threat Intelligence Center ⋅ 360 Beacon Lab\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/apk.spynote\r\nPage 1 of 2\n\nAnalysis of suspected APT-C-56 (Transparent Tribe) attacks against terrorism\r\nAhMyth Meterpreter SpyNote AsyncRAT 2022-08-17 ⋅ ⋅ 360 ⋅ 360 Threat Intelligence Center\r\nKasablanka organizes attacks against political groups and non-profit organizations in the Middle East\r\nSpyNote Loda Nanocore RAT NjRAT 2022-08-10 ⋅ K7 Security ⋅ Baran S\r\nspynote\r\nSpyNote 2021-09-21 ⋅ civilsphereproject ⋅ civilsphereproject\r\nCapturing and Detecting AndroidTester Remote Access Trojan with the Emergency VPN\r\nSpyNote 2021-04-21 ⋅ Facebook ⋅ David Agranovich, Mike Dvilyanski\r\nTaking Action Against Hackers in Palestine\r\nSpyNote Houdini NjRAT 2020-12-10 ⋅ Intel 471 ⋅ Intel 471\r\nNo pandas, just people: The current state of China’s cybercrime underground\r\nAnubis SpyNote AsyncRAT Cobalt Strike Ghost RAT NjRAT 2020-12-01 ⋅ Qianxin ⋅ Qi Anxin Threat Intelligence Center\r\nBlade Eagle Group - Targeted attack group activities circling the Middle East and West Asia's cyberspace revealed\r\nSpyNote BladeHawk 2020-07-15 ⋅ Relativity ⋅ Bartlomiej Czyż\r\nAn in-depth analysis of SpyNote remote access trojan\r\nSpyNote 2020-03-31 ⋅ Volexity ⋅ Volexity Threat Research\r\nStorm Cloud Unleashed: Tibetan Focus of Highly Targeted Fake Flash Campaign\r\nSpyNote Stitch Godlike12 Storm Cloud 2019-04-30 ⋅ ClearSky ⋅ ClearSky Cyber Security\r\nRaw Threat Intelligence 2019-04-30: Oilrig data dump link analysis\r\nSpyNote OopsIE\r\nThere is no Yara-Signature yet.\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/apk.spynote\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/apk.spynote\r\nPage 2 of 2\n\nSpyMax SpyNote SpyNote Android 2023-01-05 malware ⋅ Bleeping Computer infections surge after ⋅ Bill Toulas source code leak\nSpyNote 2022-12-06 ⋅ ⋅ 360 Threat Intelligence Center ⋅ 360 Beacon Lab\n Page 1 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.spynote" ], "report_names": [ "apk.spynote" ], "threat_actors": [ { "id": "fce5181c-7aab-400f-bd03-9db9e791da04", "created_at": "2022-10-25T15:50:23.759799Z", "updated_at": "2026-04-10T02:00:05.3002Z", "deleted_at": null, "main_name": "Transparent Tribe", "aliases": [ "Transparent Tribe", "COPPER FIELDSTONE", "APT36", "Mythic Leopard", "ProjectM" ], "source_name": "MITRE:Transparent Tribe", "tools": [ "DarkComet", "ObliqueRAT", "njRAT", "Peppy" ], "source_id": "MITRE", "reports": null }, { "id": "d4135989-e577-4133-bdae-a24243c832a4", "created_at": "2023-11-05T02:00:08.068657Z", "updated_at": "2026-04-10T02:00:03.396218Z", "deleted_at": null, "main_name": "Kasablanka", "aliases": [], "source_name": "MISPGALAXY:Kasablanka", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "cffb3c01-038f-4527-9cfd-57ad5a035c22", "created_at": "2022-10-25T15:50:23.38055Z", "updated_at": "2026-04-10T02:00:05.258283Z", "deleted_at": null, "main_name": "OilRig", "aliases": [ "COBALT GYPSY", "IRN2", "APT34", "Helix Kitten", "Evasive Serpens", "Hazel Sandstorm", "EUROPIUM", "ITG13", "Earth Simnavaz", "Crambus", "TA452" ], "source_name": "MITRE:OilRig", "tools": [ "ISMInjector", "ODAgent", "RDAT", "Systeminfo", "QUADAGENT", "OopsIE", "ngrok", "Tasklist", "certutil", "ZeroCleare", "POWRUNER", "netstat", "Solar", "ipconfig", "LaZagne", "BONDUPDATER", "SideTwist", "OilBooster", "SampleCheck5000", "PsExec", "SEASHARPEE", "Mimikatz", "PowerExchange", "OilCheck", "RGDoor", "ftp" ], "source_id": "MITRE", "reports": null }, { "id": "5886dd90-47de-4191-8b49-b56562251f26", "created_at": "2023-01-06T13:46:39.341062Z", "updated_at": "2026-04-10T02:00:03.292998Z", "deleted_at": null, "main_name": "BladeHawk", "aliases": [], "source_name": "MISPGALAXY:BladeHawk", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "33eef76c-a6fa-4855-a77e-9a1e92fe8474", "created_at": "2023-11-21T02:00:07.393519Z", "updated_at": "2026-04-10T02:00:03.477407Z", "deleted_at": null, "main_name": "Storm Cloud", "aliases": [], "source_name": "MISPGALAXY:Storm Cloud", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "d9b39228-0d9d-4c1e-8e39-2de986120060", "created_at": "2023-01-06T13:46:39.293127Z", "updated_at": "2026-04-10T02:00:03.277123Z", "deleted_at": null, "main_name": "BelialDemon", "aliases": [ "Matanbuchus" ], "source_name": "MISPGALAXY:BelialDemon", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "c786e025-c267-40bd-9491-328da70811a5", "created_at": "2025-08-07T02:03:24.736817Z", "updated_at": "2026-04-10T02:00:03.752071Z", "deleted_at": null, "main_name": "COBALT GYPSY", "aliases": [ "APT34 ", "CHRYSENE ", "Crambus ", "EUROPIUM ", "Hazel Sandstorm ", "Helix Kitten ", "ITG13 ", "OilRig ", "Yellow Maero " ], "source_name": "Secureworks:COBALT GYPSY", "tools": [ "Glimpse", "Helminth", "Jason", "MacDownloader", "PoisonFrog", "RGDoor", "ThreeDollars", "TinyZbot", "Toxocara", "Trichuris", "TwoFace" ], "source_id": "Secureworks", "reports": null }, { "id": "67709937-2186-4a32-b64c-a5693d40ac77", "created_at": "2023-01-06T13:46:38.495593Z", "updated_at": "2026-04-10T02:00:02.999196Z", "deleted_at": null, "main_name": "OilRig", "aliases": [ "Crambus", "Helix Kitten", "APT34", "IRN2", "ATK40", "G0049", "EUROPIUM", "TA452", "Twisted Kitten", "Cobalt Gypsy", "APT 34", "Evasive Serpens", "Hazel Sandstorm", "Earth Simnavaz" ], "source_name": "MISPGALAXY:OilRig", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "19ac84cc-bb2d-4e0c-ace0-5a7659d89ac7", "created_at": "2022-10-25T16:07:23.422755Z", "updated_at": "2026-04-10T02:00:04.592069Z", "deleted_at": null, "main_name": "Bronze Highland", "aliases": [ "Daggerfly", "Digging Taurus", "Evasive Panda", "Storm Cloud", "StormBamboo", "TAG-102", "TAG-112" ], "source_name": "ETDA:Bronze Highland", "tools": [ "Agentemis", "CDDS", "CloudScout", "Cobalt Strike", "CobaltStrike", "DazzleSpy", "KsRemote", "LOLBAS", "LOLBins", "Living off the Land", "MacMa", "Macma", "MgBot", "Mgmbot", "NetMM", "Nightdoor", "OSX.CDDS", "POCOSTICK", "RELOADEXT", "Suzafk", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "abb24b7b-6baa-4070-9a2b-aa59091097d1", "created_at": "2022-10-25T16:07:24.339942Z", "updated_at": "2026-04-10T02:00:04.944806Z", "deleted_at": null, "main_name": "Transparent Tribe", "aliases": [ "APT 36", "APT-C-56", "Copper Fieldstone", "Earth Karkaddan", "G0134", "Green Havildar", "Mythic Leopard", "Opaque Draco", "Operation C-Major", "Operation Honey Trap", "Operation Transparent Tribe", "ProjectM", "STEPPY-KAVACH", "Storm-0156", "TEMP.Lapis", "Transparent Tribe" ], "source_name": "ETDA:Transparent Tribe", "tools": [ "Amphibeon", "Android RAT", "Bezigate", "Bladabindi", "Bozok", "Bozok RAT", "BreachRAT", "Breut", "CapraRAT", "CinaRAT", "Crimson RAT", "DarkComet", "DarkKomet", "ElizaRAT", "FYNLOS", "Fynloski", "Jorik", "Krademok", "Limepad", "Luminosity RAT", "LuminosityLink", "MSIL", "MSIL/Crimson", "Mobzsar", "MumbaiDown", "Oblique RAT", "ObliqueRAT", "Peppy RAT", "Peppy Trojan", "Quasar RAT", "QuasarRAT", "SEEDOOR", "Scarimson", "SilentCMD", "Stealth Mango", "UPDATESEE", "USBWorm", "Waizsar RAT", "Yggdrasil", "beendoor", "klovbot", "njRAT" ], "source_id": "ETDA", "reports": null }, { "id": "c68fa27f-e8d9-4932-856b-467ccfe39997", "created_at": "2023-01-06T13:46:38.450585Z", "updated_at": "2026-04-10T02:00:02.980334Z", "deleted_at": null, "main_name": "Operation C-Major", "aliases": [ "APT36", "APT 36", "TMP.Lapis", "COPPER FIELDSTONE", "Storm-0156", "Transparent Tribe", "ProjectM", "Green Havildar", "Earth Karkaddan", "C-Major", "Mythic Leopard" ], "source_name": "MISPGALAXY:Operation C-Major", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "b6436f7b-6012-4969-aed1-d440e2e8b238", "created_at": "2022-10-25T16:07:23.91517Z", "updated_at": "2026-04-10T02:00:04.788408Z", "deleted_at": null, "main_name": "OilRig", "aliases": [ "APT 34", "ATK 40", "Chrysene", "Cobalt Gypsy", "Crambus", "DEV-0861", "EUROPIUM", "Earth Simnavaz", "Evasive Serpens", "G0049", "Hazel Sandstorm", "Helix Kitten", "IRN2", "ITG13", "Scarred Manticore", "Storm-0861", "TA452", "Twisted Kitten", "UNC1860", "Yellow Maero" ], "source_name": "ETDA:OilRig", "tools": [ "AMATIAS", "Agent Drable", "Agent Injector", "AgentDrable", "Alma Communicator", "BONDUPDATER", "CACTUSPIPE", "Clayslide", "CypherRat", "DNSExfitrator", "DNSpionage", "DROPSHOT", "DistTrack", "DropperBackdoor", "Fox Panel", "GREYSTUFF", "GoogleDrive RAT", "HighShell", "HyperShell", "ISMAgent", "ISMDoor", "ISMInjector", "Jason", "Karkoff", "LIONTAIL", "LOLBAS", "LOLBins", "LONGWATCH", "LaZagne", "Living off the Land", "MailDropper", "Mimikatz", "MrPerfectInstaller", "OILYFACE", "OopsIE", "POWBAT", "POWRUNER", "Plink", "Poison Frog", "PowerExchange", "PsList", "PuTTY Link", "QUADAGENT", "RDAT", "RGDoor", "SEASHARPEE", "Saitama", "Saitama Backdoor", "Shamoon", "SideTwist", "SpyNote", "SpyNote RAT", "StoneDrill", "TONEDEAF", "TONEDEAF 2.0", "ThreeDollars", "TwoFace", "VALUEVAULT", "Webmask", "WinRAR", "ZEROCLEAR", "ZeroCleare", "certutil", "certutil.exe" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434910, "ts_updated_at": 1775792257, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/ccf0ca1c1021d562b6f580e408c0d89330b7ae4b.pdf", "text": "https://archive.orkl.eu/ccf0ca1c1021d562b6f580e408c0d89330b7ae4b.txt", "img": "https://archive.orkl.eu/ccf0ca1c1021d562b6f580e408c0d89330b7ae4b.jpg" } }