{
	"id": "874337e6-c080-4f8c-809e-f1aa72e33a13",
	"created_at": "2026-04-06T00:14:26.903179Z",
	"updated_at": "2026-04-10T03:34:59.359898Z",
	"deleted_at": null,
	"sha1_hash": "deeede755b6727c8e18f95917826ced762429b29",
	"title": "Ongoing Roaming Mantis smishing campaign targeting France",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1016292,
	"plain_text": "Ongoing Roaming Mantis smishing campaign targeting France\r\nBy Quentin Bourgue,\u0026nbsp;Marc N.\u0026nbsp;and\u0026nbsp;Sekoia TDR\r\nPublished: 2022-07-18 · Archived: 2026-04-05 14:25:55 UTC\r\nThis blog post on Roaming Mantis group is an extract of the “FLINT 2022-037 – Ongoing Roaming Mantis\r\nsmishing campaign targeting France” report (Sekoia.io Flash Intelligence) sent to our clients on July 07, 2022.\r\nTable of contents\r\nSummary\r\nStep-by-step MoqHao’s compromise\r\nAnalysis of the Roaming Mantis campaign\r\nRoaming Mantis infrastructure\r\nMITRE ATT\u0026CK TTPs\r\nMoqHao malware IOCs \u0026 Technical Details\r\nSummary\r\nOn July 4, 2022, a Sekoia.io analyst received phishing SMS (also called smishing) embedding a malicious URL.\r\nThe URL either deploys the MoqHao Android malware, or redirects to an Apple login details credential harvesting\r\npage. Analysing this smishing activity led us to identify an active campaign targeting France wide victims.\r\nObserved modus operandi during the ongoing campaign targeting French mobile phone users is congruent with\r\npast observed Roaming Mantis’ activities documented by multiple security vendors. The campaigns distributing\r\nMoqHao in Japan, South Korea, Taiwan, Germany, France, the UK and the US, have similar techniques. Our\r\ninvestigation shows that this campaign widely impacts France and possibly results in around 70.000 Android\r\ndevice compromises.\r\nMoqHao (aka Wroba, XLoader for Android) is an Android Remote Access Trojan (RAT) with information-stealing and backdoor capabilities that likely spreads via SMS. It is attributed to Roaming Mantis, assessed to\r\nbe a financially motivated Chinese threat group.\r\nSekoia.io analysts monitor and track this threat since the beginning of 2022. 
In this blog post, we describe each step of the ongoing smishing campaign and share our investigation on Roaming Mantis’ infrastructure.\r\nThe Roaming Mantis smishing campaign was first observed by Sekoia.io analysts through four malicious SMS received on two mobile phones. The distribution campaign shows geofencing and operating system checking capabilities. We assess that these features allow Roaming Mantis to tailor their attack, as well as to hinder analysis and detection efforts.\r\nHere is an overview of the infection chain depending on the victim’s location (based on their IP address) and operating system (based on the user-agent).\r\nhttps://blog.sekoia.io/ongoing-roaming-mantis-smishing-campaign-targeting-france/\r\nPage 1 of 9\n\nFigure 1. MoqHao’s infection chain\r\nStep-by-step MoqHao’s compromise\r\nThe initial attack vector is a text message distributed by SMS and containing a malicious URL, as shown in the following figure.\r\nFigure 2. Phishing SMS (translated from French: “Your package has been sent. Please check it and receive it.”)\r\nIf the target clicks on the link, an HTTP request is sent to the server. 
Depending on the location of the victim (likely inferred from its IP address) and its operating system (inferred from the user-agent), the server responds with:\r\nNothing (404 Not Found), if the victim’s device is not located in France;\r\nAn HTML page containing JavaScript code that displays an alert and redirects to an APK (Android Package Kit) file, if the mobile is located in France and runs Android;\r\nA fake Apple login web page, if the mobile is located in France and is an iPhone.\r\nThe smishing campaign is therefore geofenced and aims to install Android malware or to collect Apple iCloud credentials.\r\nIf the victim’s mobile phone is running the Android operating system, a message entices the victim to download the malicious APK as a web browser update (SHA256: 3ba2b1c0352ea9988edeb608abf2c037b1f30482bbc05c3ae79265bab7a44c9). This file corresponds to the MoqHao malware according to the analysis of the Hatching Triage sandbox.\r\nOnce the victim has downloaded and executed the malware, the application requests permission to read and send SMS messages. This permission allows the malware, among other things, to intercept SMS on the victim’s mobile phone. It is worth noting that the studied MoqHao sample mimics the Chrome application to lure the victim into granting the permission.\r\nThe malware then retrieves its C2 server by requesting one of the social network profiles stored in the payload. In the analysed sample, the profiles are shaoye77, shaoye88 and shaoye99 on the Imgur service. In the above Triage analysis, the malware requests the profile shaoye99 on the legitimate image hosting service Imgur (hxxps://imgur[.]com/user/shaoye99/about).\r\nAs shown in the figure, the “about” section contains the string “bgfrewiFaRPCdEp9o0GfWPL3dhKU2uwZh-Z7eg9bgfrewi”, which embeds the DES-encrypted C2 server between the markers “bgfrewi”. 
By using the following recipe in CyberChef, we obtain the final IP address and port pair (107.148.243[.]103:28867).\r\nFigure 4. CyberChef recipe to decrypt the string containing the C2 server\r\nIt is worth noting that the URL-safe Base64 representation uses the character “-” in place of “+”. Since 2020, the DES key and IV (41 62 35 64 31 51 33 32) have remained unchanged.\r\nAnalysis of the Roaming Mantis campaign\r\nThe Chinese intrusion set Roaming Mantis is assessed to be a financially motivated group, with a history of targeting developed countries.\r\nIn addition to the received message, several French people are currently reporting this campaign on Twitter, as well as on French websites dedicated to phishing. As reported by Kaspersky and Team Cymru in early 2022, and based on our observation of more than 90.000 unique IP addresses that requested the C2 server distributing MoqHao, we confirm that the threat group Roaming Mantis currently focuses on France.\r\nThis activity, leveraging MoqHao or Apple ID credential harvesting pages, notably provides Roaming Mantis with access to data from the local system, SD card, applications, messages or contact list, iCloud backups, iMessage and call history, as well as allowing remote interaction with a victim’s device.\r\nWe assess that Roaming Mantis’ wide collection of sensitive data could be further used in extortion schemes, sold to other threat groups or possibly leveraged in “Big Game Hunting” operations.\r\nRoaming Mantis infrastructure\r\nWe noticed two different infection chains depending on the user-agent of the target. In the following sections, we describe the infrastructure associated with these attack chains.\r\nAndroid payloads\r\nThe infrastructure hosting Android payloads was detailed by Team Cymru in their part 2 blog post from April 2022. 
According to our analysis, this infrastructure still has the same characteristics:\r\nServers are used to target only one country, meaning that if an IP address from another country contacts the servers, it gets a 404 error.\r\nThe open ports on the servers are still the same: TCP/443, TCP/5985, TCP/10081 and TCP/47001.\r\nThe certificate identified in April is still in use on these servers:\r\nSHA1: 834024f91f67445a7fd1a98689cb3f49b4c3ade7\r\nSHA256: 76de629b3e446e99d45541e95da0bfa18db43a48daa23f5551fdbde0c295a36c\r\nApple phishing\r\nSekoia.io analysts also studied the infrastructure of the Apple phishing pages:\r\nThose servers have the following ports open: TCP/80, TCP/5432, TCP/5985 and TCP/47001.\r\nThe landing page mimics the Apple ID login page. As with the Android infrastructure, geofencing is in place and the landing page language matches the language of the targeted users.\r\nFigure 5. Apple ID phishing page in French (source: urlscan)\r\nThose pages can be tracked on scanning services such as urlscan using the hashes of sub-resources requested by the main page, such as the Card.js file (6d5516bbbebba2d51878f1e791b642f3b2944270b8e84770f15a16376b202213).\r\nDomains\r\nDomains used inside SMS messages are either registered with GoDaddy or use dynamic DNS services such as duckdns.org. The intrusion set uses hundreds of subdomains. Indeed, each IP address is resolved by dozens of FQDNs (e.g. more than 5000 FQDNs resolve to 134[.]119[.]205[.]21). 
As it is complex to list all domains, Sekoia.io rather tracks the associated IP addresses to monitor this intrusion set.\r\nMoqHao C2 server\r\nRoaming Mantis uses a separate infrastructure for the MoqHao C2 servers.\r\nAt the time of writing, we were able to identify 9 servers hosted on the EHOSTIDC and VELIANET Autonomous Systems.\r\nAll infrastructures are monitored by the Sekoia.io internal project “SEKOIA C2 Trackers” and can be found in our Intelligence Center portal.\r\nMITRE ATT\u0026CK TTPs\r\nT1583.001 – Acquire Infrastructure: Domains\r\nT1583.004 – Acquire Infrastructure: Server\r\nT1583.006 – Acquire Infrastructure: Web Services\r\nT1566.002 – Phishing: Spearphishing Link\r\nT1204.001 – User Execution: Malicious Link\r\nT1102.001 – Web Service: Dead Drop Resolver\r\nT1071.001 – Application Layer Protocol: Web Protocols\r\nT1041 – Exfiltration Over C2 Channel\r\nMoqHao malware IOCs \u0026 Technical Details\r\nDomains contained in SMS\r\nMalicious APK\r\n83ba2b1c0352ea9988edeb608abf2c037b1f30482bbc05c3ae79265bab7a44c9\r\nAPK permissions\r\nandroid.permission.BROADCAST_SMS\r\nandroid.permission.BROADCAST_WAP_PUSH\r\nandroid.permission.SEND_RESPOND_VIA_MESSAGE\r\nandroid.permission.ACCESS_WIFI_STATE\r\nandroid.permission.CHANGE_NETWORK_STATE\r\nandroid.permission.CALL_PHONE\r\nandroid.permission.WRITE_EXTERNAL_STORAGE\r\nandroid.permission.READ_EXTERNAL_STORAGE\r\nandroid.permission.ACCESS_NETWORK_STATE\r\nandroid.permission.MODIFY_AUDIO_SETTINGS\r\nandroid.permission.RECEIVE_BOOT_COMPLETED\r\nandroid.permission.WAKE_LOCK\r\nandroid.permission.INTERNET\r\nandroid.permission.RECEIVE_SMS\r\nandroid.permission.READ_SMS\r\nandroid.permission.WRITE_SMS\r\nandroid.permission.SEND_SMS\r\nandroid.permission.SYSTEM_ALERT_WINDOW\r\nandroid.permission.READ_CONTACTS\r\nandroid.permission.READ_PHONE_STATE\r\nandroid.permission.GET_ACCOUNTS\r\nAndroid payload servers\r\nApple phishing servers\r\nMoqHao C2 servers\r\nImgur profiles used as Dead Drop resolvers\r\nIoCs are available on the Sekoia.io Community GitHub: https://github.com/SEKOIA-IO/Community/blob/main/IOCs/roamingmantis/roaming_mantis_iocs_20220718.csv\r\nMore IoCs related to the MoqHao malware or the Roaming Mantis intrusion set are available on Sekoia.io for our XDR and CTI customers.\r\nYou can find out how we track threats on our SOC platform Sekoia.io.\r\nSource: https://blog.sekoia.io/ongoing-roaming-mantis-smishing-campaign-targeting-france/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://blog.sekoia.io/ongoing-roaming-mantis-smishing-campaign-targeting-france/"
	],
	"report_names": [
		"ongoing-roaming-mantis-smishing-campaign-targeting-france"
	],
	"threat_actors": [
		{
			"id": "c94cb0e9-6fa9-47e9-a286-c9c9c9b23f4a",
			"created_at": "2023-01-06T13:46:38.823793Z",
			"updated_at": "2026-04-10T02:00:03.113045Z",
			"deleted_at": null,
			"main_name": "Roaming Mantis",
			"aliases": [
				"Roaming Mantis Group"
			],
			"source_name": "MISPGALAXY:Roaming Mantis",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f9bc28d0-ce98-4991-84ae-5036e5f9d4e3",
			"created_at": "2022-10-25T16:07:24.546437Z",
			"updated_at": "2026-04-10T02:00:05.029564Z",
			"deleted_at": null,
			"main_name": "Roaming Mantis",
			"aliases": [
				"Roaming Mantis Group",
				"Shaoye"
			],
			"source_name": "ETDA:Roaming Mantis",
			"tools": [
				"MoqHao",
				"Roaming Mantis",
				"SmsSpy",
				"Wroba",
				"XLoader"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434466,
	"ts_updated_at": 1775792099,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/deeede755b6727c8e18f95917826ced762429b29.pdf",
		"text": "https://archive.orkl.eu/deeede755b6727c8e18f95917826ced762429b29.txt",
		"img": "https://archive.orkl.eu/deeede755b6727c8e18f95917826ced762429b29.jpg"
	}
}