{
	"id": "182f0584-fbe0-4f96-9103-6a79e0cfb0a2",
	"created_at": "2026-04-06T00:16:08.373435Z",
	"updated_at": "2026-04-10T03:20:48.507Z",
	"deleted_at": null,
	"sha1_hash": "e27a20de1731879afe0862c7fa97ce2846768895",
	"title": "Story of an Uzbek Android Pandemic | Group-IB Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 930981,
	"plain_text": "Ajina attacks Central Asia: Story of an Uzbek Android Pandemic\r\nDiscovered by Group-IB in May 2024, the Ajina.Banker malware is a major cyber threat in the Central Asia region, disguising itself as legitimate apps to steal banking information and intercept 2FA messages.\r\nSeptember 12, 2024 · Malware Analysis\r\nBoris Martynyuk, Cyber Threat Intelligence Analyst, Europe\r\nhttps://www.group-ib.com/blog/ajina-malware/\r\nTags: Android malware, Central Asia\r\nIntroduction\r\nIn May 2024, Group-IB analysts discovered suspicious activity targeting bank customers in the Central Asia region. The threat actors have been spreading malicious Android applications designed to steal users’ personal and banking information and to intercept 2FA messages. During the investigation, Group-IB discovered .APK files masquerading as legitimate applications for payments, banking, deliveries, and other daily uses. These malicious files were spread across Telegram channels.\r\nAfter the initial analysis of this trojan, we discovered thousands of malicious samples. All the samples found were divided into several activity clusters, each to be studied and investigated separately in a series of articles. This article examines one of these clusters: meet the Ajina.Banker malware.\r\nAjina is a mythical spirit from Uzbek folklore, often depicted as a malevolent entity that embodies chaos and mischief. According to local legends, this spirit is known for its ability to shape-shift and deceive humans, leading them astray or causing them harm. 
We chose the name Ajina for this malware campaign because, much like the mythical spirit, the malware deceives users by masquerading as legitimate applications, leading them into a trap that compromises their devices and causes significant harm.\r\nKey Findings\r\n- During our research, we uncovered an ongoing malicious campaign, active from November 2023 through July 2024, the end of our observation window.\r\n- We found and analyzed approximately 1,400 unique samples of Android malware and identified changes between versions of the same malware.\r\n- The attacker has a network of affiliates motivated by financial gain, spreading Android banker malware that targets ordinary users.\r\n- Analysis of the file names, sample distribution methods, and other activities of the attackers suggests a cultural familiarity with the region in which they operate.\r\n- Analysis also shows that the evolution of this malware campaign is causing attacks to expand beyond the original region, producing more victims in other countries as well.\r\nThreat Actor Profile\r\nThe starting point of the research\r\nAs part of its continuous monitoring and hunting procedures, Group-IB analysts discovered a malicious Android sample (SHA1 b04d7fa82e762ea9223fe258fcf036245b9e0e9c) that was uploaded to the VirusTotal platform from Uzbekistan via a web interface and had the icon of a local tax authority app.\r\nFigure 1. Screenshot of the sample found on the VirusTotal platform\r\nBehavioral analysis has shown that the application tries to contact 109.120.135[.]42. Group-IB’s proprietary Graph Network Analysis tool reveals similar files that contacted the same server.\r\nFigure 2. 
Screenshot of graph analysis of the network infrastructure of the detected server\r\nOur attention was also drawn to the package when our Fraud Protection solution detected the package org.zzzz.aaa in one of our client sessions. During our investigation, we found more samples on the VirusTotal platform. Our Fraud Analysts continued researching this malware and constructed a timeline of the campaign, identifying methods of distribution and targets.\r\nFigure 3. Screenshot of Android Info summary with unique package name\r\nTimeline\r\nAjina’s malicious campaign commenced in November 2023 and has persisted to the present day. Initially the activities detected included malware distribution through Telegram, encompassing a range of threats from malware-laden attachments to phishing attempts.\r\nAjina refined their tactics as the campaign progressed into February and March 2024, demonstrating heightened sophistication. Social engineering techniques and the scale of the attack were increasingly leveraged to enhance the campaign’s efficiency. Based on Group-IB’s Fraud Protection system, we have plotted the following timeline of new infections.\r\nFigure 4. New infections timeline\r\nThe timeline above illustrates the daily count of new infections, indicating a persistent and ongoing threat. This trend reveals that many users continually fall victim to the malware, leading to a steady increase in infections over time. The data shows that the adversary’s distribution techniques remain effective, successfully targeting new victims daily.\r\nMalware distribution\r\nOur analysis has revealed intensive attempts by Ajina to utilize messaging platforms, including Telegram, as a channel for disseminating malicious samples. 
Ajina orchestrated a widespread campaign by creating numerous Telegram accounts and leveraging them to disseminate malware within regional community chats. Evidence suggests that this distribution process may have been partially automated, allowing for a more efficient and far-reaching spread of the malicious software.\r\nTo enhance their deception, Ajina crafted messages and sent links and files to lure unsuspecting users. The malware is often disguised as legitimate banking, government, or everyday utility applications, exploiting the trust users place in these essential services in order to maximize infection rates and entice people to download and run the malicious file, thereby compromising their devices. This targeting method resulted in a widespread and damaging malware campaign that compromised numerous devices in the Central Asia region.\r\nTechniques\r\nFiles with themes\r\nTo further entice potential victims, the adversary shared these malicious files in local Telegram chats using a variety of deceptive methods. They crafted enticing giveaways and promotional messages that promised lucrative rewards, special offers, or exclusive access to sought-after services. In the following example, one of these text messages was used for spreading files mimicking a local finance application (SHA1 5951640c2b95c6788cd6ec6ef9f66048a35d6070).\r\nThese messages were designed to create a sense of urgency and excitement, prompting users to click on the links or download the files without suspecting any malicious intent. The use of themed messages and localized promotion strategies proved to be particularly effective in regional community chats. 
By tailoring their approach to the interests and needs of the local population, Ajina was able to significantly increase the likelihood of successful infections.\r\nFile spamming\r\nFurther analysis of Ajina’s distribution techniques revealed instances where they spammed messages containing only a malicious file attachment, devoid of any accompanying text. This approach aimed to exploit the curiosity of users who might be inclined to open an unsolicited file, or open it accidentally.\r\nThese spam campaigns were conducted across multiple accounts, sometimes even simultaneously, suggesting a highly coordinated effort. The simultaneous and widespread nature of these spam messages hints at the potential use of an automated distribution tool.\r\nFigure 5.1 Screenshot of the message with the malicious file (translated from Uzbek)\r\nFigure 6. Screenshot of sending multiple messages\r\nLink to Telegram channel\r\nIn addition to spamming messages with malicious attachments, Ajina also sent links to channels that hosted the malicious files, accompanied by promotional texts designed to engender trust and entice users to download the malware.\r\nBy directing users to external channels rather than sending files directly within the chat, Ajina aimed to circumvent the common security measures and restrictions imposed by many community chats. Sending files directly within a chat sometimes triggers automatic moderation and can lead to the adversary’s accounts being banned. By using links to external channels instead, they could bypass these restrictions, ensuring that their malicious content remained accessible to potential victims for a longer period of time.\r\nThis approach helped the adversary avoid detection and leveraged the trust users have in seemingly legitimate channels. 
Once users clicked on the link and entered the channel, they were inclined to believe that the files shared there were safe, especially when presented with convincing promotional texts. This strategy highlights the adversary’s adaptability and continuous efforts to refine their methods to evade security measures and maximize the reach of their malware campaign.\r\nFigure 7.1 Screenshot of sending a link to channel\r\nLink to web-resource\r\nSome examples were found where the adversary sent links to web resources.\r\nFigure 8. Screenshot of a message containing a link to web-resource\r\nAccounts\r\nOur investigation uncovered that the adversary established multiple accounts to execute their malicious campaign effectively. These accounts were meticulously set up to blend in with regular users and evade detection for as long as possible. Below, we provide detailed information on some of the identified accounts, including their last seen account names, usernames, and user IDs, along with the volume of messages sent from each account.\r\nLast seen name | Last seen username | User ID | Number of messages\r\nINFINITOSSS MILLENNIUM | infinitosss | 6571903171 | 238\r\n— | — | 6856449327 | 175\r\nBarno Umarova | — | 6824678523 | 76\r\n— | — | 6477339333 | 54\r\nОксана Цветкова | — | 7027991392 | 25\r\nРенат | — | 6406880636 | 16\r\nАлевтина! | — | 7119728862 | 48\r\nЭмилия! | — | 6556126401 | 46\r\nСвятослав Пономарев | — | 7158481885 | 10\r\nEduard Bocan | EduardBocan | 6125515928 | 43\r\nНикон Дементьев | — | 7133377920 | 7\r\nЭрнест Щербаков | — | 6887020479 | 2\r\nشوكت | — | 5526643036 | 2\r\nЛукия Рыбакова | — | 6344107060 | 9\r\nНинель Мамонтова | — | 6701781993 | 13\r\nJason99 | — | 6553097862 | 2\r\nLinda Castaneda | — | 6574219148 | 1\r\nAlicia Willis | — | 5668418863 | 3\r\nАндреева Родригес | Andreeva_5676 | 6716964266 | 1\r\nThese accounts were used to distribute the malware through various local community chats. By using multiple accounts, sometimes simultaneously, the adversary was able to increase the reach and frequency of their malicious content. The adversary’s ability to maintain and operate numerous accounts simultaneously, while consistently delivering tailored messages, suggests the possible use of automated distribution tools. Such tools would have enabled the adversary to manage large-scale operations with precision, further amplifying the impact of their malicious campaign. This approach to account management indicates a high level of planning and coordination.\r\nMalware analysis\r\nFraud Protection telemetry found 1,402 packages with package names com.example.smshandler (187 samples) and org.zzzz.aaa (1,215 samples) between 30 November 2023 and 31 July 2024 across 5,197 devices. 
Analyzed samples share a common code structure and a common subset of requested permissions.\r\nThe first known infection occurred on 30 November 2023 via package name com.example.smshandler (SHA1 cc6af149f1da110a570241dde6e3cfd0852cb0d8) with the following permission list:\r\n[\r\n  \"android.permission.READ_PHONE_STATE\",\r\n  \"android.permission.RECEIVE_BOOT_COMPLETED\",\r\n  \"android.permission.RECEIVE_SMS\",\r\n  \"android.permission.ACCESS_WIFI_STATE\",\r\n  \"android.permission.BROADCAST_SMS\",\r\n  \"android.permission.DUMP\",\r\n  \"android.permission.INTERNET\",\r\n  \"android.permission.READ_PHONE_NUMBERS\",\r\n  \"android.permission.ACCESS_NETWORK_STATE\",\r\n  \"android.permission.CALL_PHONE\",\r\n  \"com.example.smshandler.DYNAMIC_RECEIVER_NOT_EXPORTED_PERMISSION\",\r\n  \"android.permission.READ_SMS\"\r\n]\r\nNote that BROADCAST_SMS and DUMP are signature-level permissions that a third-party app cannot actually be granted, so their presence in the manifest is a useful fingerprint rather than a capability.\r\nAjina.Banker.A\r\nAccording to Fraud Protection telemetry data, the first known sample of this malware uploaded to VirusTotal is “Узбек �екс ???” (SHA1 84af2ce3a2e58cc8a70d4cc95916cbfe15f2169e). It was uploaded to the VirusTotal platform in January 2024, providing the initial glimpse into this malicious campaign.\r\nFigure 9. Detections at the moment of analysis\r\nOnce the trojan is launched it connects to the gate server 79[.]137[.]205[.]212:8080, generates an AES encryption key, and sends it to the gate server along with a hard-coded worker’s name and a userId that is also stored in SharedPreferences.\r\nFigure 10. Initialization of the trojan\r\nFigure 11. Base64-encoded string sent to server\r\nFigure 12. 
Decoded payload\r\nThis message is base64-encoded JSON:\r\n{\r\n  \"key\": \"base64-encoded AES key\",\r\n  \"action\": 1,\r\n  \"worker\": \"Ares\",\r\n  \"id\": \"c23aaac5774d4992a8d68de5eaf28535\"\r\n}\r\nAll messages except action 1 are encrypted with the AES/GCM/NoPadding cipher suite. The key is thus exchanged in the clear: a capture of this single registration message is enough to decrypt the rest of the session.\r\nFurther research shows that messages are JSON-encoded but are sent over a raw TCP socket, not wrapped in HTTP. The general structure of a message is a numeric action field giving the action type, plus other fields carrying arbitrary data depending on the action type. For example, if something goes wrong, the trojan sends a message to the gate server with the following structure:\r\n{\r\n  \"action\": 5,\r\n  \"msg\": \"string representation of the exception that occurred\"\r\n}\r\nFrom the victim’s point of view, once the trojan is initiated it loads a background image from an external legitimate resource and requests the user to grant these permissions:\r\n[\r\n  \"android.permission.READ_PHONE_STATE\",\r\n  \"android.permission.CALL_PHONE\",\r\n  \"android.permission.READ_PHONE_NUMBERS\",\r\n  \"android.permission.RECEIVE_SMS\",\r\n  \"android.permission.READ_SMS\"\r\n]\r\nFigure 13. The only activity in the trojan (censored)\r\nIf permissions are granted via the system dialog, the trojan disables its own activity, which prevents the application UI from being launched again from the OS launcher:\r\nsetComponentEnabledSetting(componentName, PackageManager.COMPONENT_ENABLED_STATE_DISABLED\r\nFigure 14. Prevention of further launching\r\nIf the user grants permissions via the mobile device’s operating system settings menu instead, the trojan launches an intent that starts a third-party application related to the trojan’s legend:\r\nFigure 15. 
Starting a third-party activity\r\nIf permissions are not granted, the trojan sends a notification to the gate server (action 6).\r\nWhen permissions are granted, the trojan collects information from the infected device and sends it to the gate server (action 3). The following is the list of information collected:\r\n- for each active SIM card:\r\n  - MCC+MNC codes of the current registered operator\r\n  - name of the current registered operator\r\n  - ISO 3166-1 alpha-2 country code equivalent of the MCC (Mobile Country Code) of the current registered operator or of the nearby cell\r\n  - ISO 3166-1 alpha-2 country code equivalent of the SIM provider’s country code\r\n  - MCC+MNC codes of the SIM provider\r\n  - Service Provider Name (SPN)\r\n  - phone number\r\n  - whether the SPN is “known” or not\r\n- list of installed financial applications originating from Armenia, Azerbaijan, Iceland, Kazakhstan, Kyrgyzstan, Pakistan, Russia, Uzbekistan and some international ones\r\n- sent SMS: recipient, body, date\r\n- received SMS: sender, body, date\r\nThe trojan uses the \u003cqueries\u003e element in the app’s manifest instead of the QUERY_ALL_PACKAGES permission, and therefore it can get information only about the packages declared in the manifest. However, this does not limit the set of targets for a particular sample, because the trojan sends every incoming SMS to the gate server, including those from banks not included in the list of targets (action 2). This allows, for example, initial registration of accounts at organizations that are not targets of the trojan.\r\nFigure 16. Broadcast receiver for incoming SMSes\r\nWhile collecting SIM-card info, the trojan checks whether the SPN is “known” and, if it is, sends an Unstructured Supplementary Service Data (USSD) request to obtain the phone number of the active SIM card from the victim’s device. The USSD codes are hard-coded per country:\r\nCountry | USSD\r\nArmenia | *187#, *420#, *525#\r\nAzerbaijan | *137#, *540#, *666#\r\nKazakhstan | *160#\r\nKyrgyzstan | *112#, *212#\r\nAfter the USSD response is received, the trojan sends the response to the gate server (action 4):\r\nFigure 17. USSD response callback\r\nAmong the publicly available samples, there is no difference between the com.example.smshandler samples from the first infections and those from the last ones.\r\nAjina.Banker.B\r\nWe gathered several samples from the org.zzzz.aaa group and found few differences in code structure. Further analysis of the appearance of new samples and their code similarities leads us to conclude that this family is still under active development, and we suggest that org.zzzz.aaa is the new version of the same family as com.example.smshandler.\r\nFigure 18. New samples stats\r\nAs shown above, another group of samples has the org.zzzz.aaa package name. The first known infection occurred on 18 February 2024, while the earliest publicly available sample was detected on 20 February 2024 and is still the most downloaded one.\r\nOne of the freshest samples has an interesting but less common difference. 
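Before turning to that difference, the Ajina.Banker.A gate-server exchange described above can be put into code. The following is an added example written for this page, not code from the write-up or from the malware. It assumes only what the analysis states (a plaintext base64 JSON registration carrying key, action, worker and id over a raw TCP socket; numbered actions; AES/GCM for everything after action 1). The beacon it builds is constructed with a random key, the ACTIONS labels summarise the actions documented above, and the BEACON_PREFIX signature is derived here rather than taken from a sample.

```python
"""Decoder for the Ajina.Banker action-1 registration beacon (added example)."""
import base64
import binascii
import json
import os
from typing import Optional

# Action numbers as described in the write-up.
ACTIONS = {
    1: "registration (plaintext: AES key, worker name, bot id)",
    2: "incoming SMS forwarded to the gate",
    3: "device, SIM and installed-app inventory",
    4: "USSD response (own phone number)",
    5: "exception report",
    6: "permissions not granted",
    7: "phished phone number, card number and PIN (org.zzzz.aaa only)",
}

# base64 of '{"key":' is fixed, so the first 8 characters of the very first
# packet make a cheap signature for the plaintext beacon on raw-TCP flows.
BEACON_PREFIX = base64.b64encode(b'{"key":')[:8]  # b'eyJrZXki'


def parse_registration(payload: bytes) -> Optional[dict]:
    """Decode an action-1 beacon; return None for anything that is not one.

    Validates: strict base64, a JSON object, action == 1, and an AES key of
    a legal length (16/24/32 bytes) after decoding the inner base64.
    """
    try:
        msg = json.loads(base64.b64decode(payload, validate=True))
    except (binascii.Error, ValueError):
        return None
    if not isinstance(msg, dict) or msg.get("action") != 1:
        return None
    try:
        key = base64.b64decode(msg["key"], validate=True)
    except (KeyError, TypeError, binascii.Error, ValueError):
        return None
    if len(key) not in (16, 24, 32):
        return None
    return {
        "worker": msg.get("worker"),
        "bot_id": msg.get("id"),
        # The key travels in the clear, so a capture of this one message is
        # enough to decrypt every later AES/GCM message of the session.
        "aes_key_hex": key.hex(),
        "key_bits": len(key) * 8,
    }


def describe_action(msg: dict) -> str:
    """Label a (decrypted) JSON message by its numeric action field."""
    return ACTIONS.get(msg.get("action"), "unknown action")


def build_sample_beacon(worker: str = "Ares",
                        bot_id: str = "c23aaac5774d4992a8d68de5eaf28535",
                        key_len: int = 16) -> bytes:
    """Constructed beacon in the documented shape, with a random key.

    Field order matches the decoded payload shown in the write-up (key first).
    """
    key = base64.b64encode(os.urandom(key_len)).decode()
    body = {"key": key, "action": 1, "worker": worker, "id": bot_id}
    return base64.b64encode(json.dumps(body, separators=(",", ":")).encode())


if __name__ == "__main__":
    beacon = build_sample_beacon()
    print(beacon.startswith(BEACON_PREFIX), parse_registration(beacon))
```

The defender's takeaway is the last field: because the key is sent unencrypted in the first packet, a full-session capture of a raw TCP flow to the gate on port 8080 is decryptable. The page does not describe how the GCM nonce is framed in later messages, so decryption itself is deliberately left out of the example.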
It is a new execution-flow branch that shows another view instead of just a background image. Based on the names of variables of type TextInputEditText, we assume that this is something like a phishing page, but we were not able to trigger this branch.\r\nFigure 19. New activity layout\r\nAlong with this new View there is a new action 7 message for sending the user-provided phone number, bank card number and PIN code.\r\nFigure 20. The user-entered card info is sent to the gate server\r\nIt appears that this new feature was developed primarily to target users in Azerbaijan, because of the hard-coded phone number prefix and the language of the text on the Toast popup.\r\nThere are some additional features that are common to most of the analyzed org.zzzz.aaa samples:\r\n- new packages of interest\r\n- Accessibility Service abuse: prevent uninstallation; grant permissions\r\n- requests for additional permissions (READ_CALL_LOG, GET_ACCOUNTS, READ_CONTACTS); however, we did not find calls to Android platform APIs that require these permissions in the analyzed samples\r\n- opens another legitimate app instead of a browser when permissions are granted\r\nThere are several examples of layouts from discovered samples with various legends:\r\nFigure 21.1 Example of interface of the new samples\r\nInfrastructure\r\nAs mentioned before, the malware only sends exfiltrated data as JSON over raw TCP to the gate server; no capability to receive commands was found. But we managed to find a web panel titled “SMS handler”, which refers back to the com.example.smshandler package name. Further servers can be found by searching for the same response body hash (SHA1 1a9c98808a547d4b50cc31d46e19045bcd2cfc1b).\r\nFigure 22.1 Discovery of the “SMS handler” Web Panel\r\nOn all of the adversary’s servers we can find certificates with “WIN-PDDC81NCU8C” as issuer and subject common name. However, this common name is generic and widely used by a specific hosting service according to Shodan, so on its own it is a weak pivot.\r\nFigure 23.1 Certificate found on gate server\r\nWe have seen 9 servers involved in this campaign, some of which shared the same ETags (e.g. 1718668565.8504026-495-535763281). The network infrastructure involved in this attack is shown in the graph analysis below.\r\nFigure 24. Screenshot of graph analysis of network infrastructure\r\nTargets\r\nAs mentioned above, one significant aspect of our findings is based on the analysis of the Android package names utilized in this campaign. Many of these packages mimicked popular regional apps, such as local banking applications, government service portals, or everyday utility tools. By replicating the appearance of these trusted applications, the adversary increased the likelihood of users downloading and installing the malware. The displayed names can therefore be a trustworthy indication of the target region.\r\nAnalysis indicates that most of these malware samples were specifically designed to target users in Uzbekistan, suggesting that the adversary deliberately focused on this region. But a few other regions have also been targeted by the adversary: the samples have hard-coded checks for attributes distinctive of other countries. 
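The hard-coded attributes a sample carries (the USSD codes listed above, MCC+MNC prefixes, and the packages declared in the manifest's <queries> element rather than obtained through QUERY_ALL_PACKAGES) are what an analyst extracts to produce a per-country target summary like Figure 25. The following is an added example of such a triage script written for this page, not tooling from the write-up. The MANIFEST and STRINGS inputs are constructed (the package names in them are placeholders); the USSD table is the one given above and the MCC table is from the ITU E.212 assignments.

```python
"""Target-region triage from a decompiled sample's manifest and strings (added example)."""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# USSD "own number" codes hard-coded per country, as listed in the write-up.
USSD_BY_COUNTRY = {
    "AM": {"*187#", "*420#", "*525#"},
    "AZ": {"*137#", "*540#", "*666#"},
    "KZ": {"*160#"},
    "KG": {"*112#", "*212#"},
}
# ITU E.212 mobile country codes for the countries named in the write-up.
MCC_TO_ISO = {"283": "AM", "400": "AZ", "274": "IS", "401": "KZ",
              "437": "KG", "410": "PK", "250": "RU", "434": "UZ"}

USSD_RE = re.compile(r"\*\d{2,4}#")
MCC_MNC_RE = re.compile(r"^(\d{3})\d{2,3}$")  # 5- or 6-digit MCC+MNC

# Constructed manifest fragment in the shape the write-up describes:
# SMS permissions plus a <queries> list instead of QUERY_ALL_PACKAGES.
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="org.zzzz.aaa">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <queries>
    <package android:name="uz.example.bank"/>
    <package android:name="am.example.wallet"/>
  </queries>
</manifest>"""

# Constructed string-table excerpt (what `strings` or jadx would show).
STRINGS = ["*160#", "*187#", "*420#", "43404", "28301", "*999#", "Ares"]


def queried_packages(manifest_xml: str) -> list:
    """Packages visible via <queries>; without QUERY_ALL_PACKAGES these are all the app can see."""
    root = ET.fromstring(manifest_xml)
    return [p.get(ANDROID_NS + "name")
            for q in root.iter("queries") for p in q.findall("package")]


def uses_query_all_packages(manifest_xml: str) -> bool:
    root = ET.fromstring(manifest_xml)
    return any(u.get(ANDROID_NS + "name") == "android.permission.QUERY_ALL_PACKAGES"
               for u in root.iter("uses-permission"))


def triage(strings: list) -> dict:
    """Group USSD codes and MCC+MNC prefixes from the string table by ISO country."""
    report = defaultdict(lambda: {"ussd": set(), "mcc_mnc": set()})
    unattributed = set()
    for s in strings:
        for code in USSD_RE.findall(s):
            for iso, codes in USSD_BY_COUNTRY.items():
                if code in codes:
                    report[iso]["ussd"].add(code)
                    break
            else:
                unattributed.add(code)  # USSD code not in the known table
        m = MCC_MNC_RE.match(s)
        if m and m.group(1) in MCC_TO_ISO:
            report[MCC_TO_ISO[m.group(1)]]["mcc_mnc"].add(s)
    return {
        "by_country": {iso: {k: sorted(v) for k, v in d.items()} for iso, d in report.items()},
        "unattributed_ussd": sorted(unattributed),
    }


if __name__ == "__main__":
    print(queried_packages(MANIFEST), uses_query_all_packages(MANIFEST))
    print(triage(STRINGS))
```

The MCC+MNC regex will also match unrelated five-digit numbers, so treat that column as a lead to confirm in the decompiled code, not as a finding by itself; USSD codes that fall outside the known table are reported separately so that a new target country shows up instead of being silently dropped.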
We have also seen AM-CERT (National CERT/CSIRT Armenia) reporting this campaign.\r\nDuring the analysis we also found specific country phone provider codes embedded within the malicious APKs. These codes indicate that the adversary has an even wider pool of target countries. The adversary checks the Service Provider Name (SPN) and then sends an Unstructured Supplementary Service Data (USSD) request to obtain the phone number of the active SIM card from the victim’s device. Based on this we can assume potential regions of interest from which user data could be stolen.\r\nFigure 25. Distribution of supported SPNs and apps of interest per country hard-coded in the sample\r\nAttribution\r\nThe analysis of the malware has shown that the malicious files contain data about different affiliates. This leads us to conclude that it is based on an affiliate programme, where support for the core project is provided by a small group of people, and all the distribution and infection chains are run by affiliates working for a percentage.\r\nA sample named “Вип Контент.apk” (“VIP Content.apk” in English; SHA1 b4b9562a9f4851cba5761b1341f58f324f258123) was seen by MalwareHunterTeam and mentioned in a Twitter post on January 28, 2024. One of the replies to the post, written by APK–47, highlights an interesting username hard-coded as the name of one of the workers. The username “@glavnyypouzbekam” leads to the Telegram account named “Travis Bek” with the description “Главный по узбекам”, which means “Chief for Uzbeks”.\r\nGroup-IB’s Threat Intelligence system found the following activity related to the Telegram account mentioned. The adversary participated in programmers’ chats, searched for a “Java coder” and, according to his message, for an existing team. 
Detected user activity is shown in the figures below.\r\nWe also found a Telegram bot connected to this campaign by the username “@glavnyypouzbekam” contained in its description. The bot with the username “@glavnyypouzbekambot” advertises the possibility of earning money online and an invitation to join, written in Russian.\r\nFigure 26.1 Screenshot of the Twitter post by APK–47\r\nFigure 27.1 User activity found by Group-IB Threat Intelligence\r\nFigure 28.1 Telegram bot found during the investigation\r\nWe assess it highly likely that, due to its uniqueness, the hard-coded worker name “@glavnyypouzbekam” is connected to the discovered Telegram activity. Based on our findings, we assume that the adversary behind this account is one of the operators of the Ajina malicious campaign. The hiring of Java coders and the creation of a Telegram bot offering a way to earn money also indicate that the tool is under active development and has the support of a network of affiliated workers. It is worth noting that soon after the adversary’s name was posted on Twitter, the Telegram account was deleted.\r\nPrevention\r\nTo protect Group-IB customers from threats related to Ajina.Banker malware and other similar threats, Group-IB Fraud Protection uses the following events and rules to detect and prevent Ajina.Banker and similar malware.\r\nFor confirmed Ajina.Banker malware samples:\r\nGroup-IB’s Fraud Protection maintains an extensive database of all detected malware. When our system detects applications from the list of mobile trojans downloaded to an end user’s device, we trigger the appropriate events to notify our customers promptly.\r\nFigure 29. 
Screenshot of event from Group-IB Fraud Protection system\r\nWhen the malware is detected on the user’s device:\r\nOnce the trojan is successful, sensitive customer data typically falls into the hands of the threat actor, who then seeks to monetize this data. Often, the threat actor or their software will log into the stolen account. In such cases, a new device may appear when accessing the user account. Consequently, a rule has been developed to monitor accounts where a mobile banking trojan has been confirmed and to detect logins from new devices.\r\nWhen new versions of a given trojan family appear:\r\nFor cases where the malware has not yet been added to the malware database, a new rule has been developed that focuses on the trojan’s specific characteristics. In particular, we check all software from a non-legitimate source for the ability to read SMS. These alerts are also transmitted to banks in the form of specific event types, increasing the likelihood of preventing fraudulent transactions.\r\nFigure 30. Screenshot of event from Group-IB Fraud Protection system\r\nConclusion\r\nThe case of Ajina highlights how quickly malware developers can appear, set up distribution chains and evaluate their tools. The direct communication between the threat actor and the victim also makes Ajina.Banker an effective malware type in terms of keeping a low detection rate during the first stages. While Group-IB does not have definitive data on the amount of money stolen by Ajina, the methods harnessed by the malicious actors are cause for concern.\r\nRecommendations\r\nThe security of mobile applications and operating systems is improving rapidly. However, it is premature to write off Android banking trojans entirely. 
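The two rule types described in the Prevention section (a login from a device never seen on an account where a mobile trojan has been confirmed, and a sideloaded app that can read SMS) are easy to state but worth seeing as logic over real-looking events. The following is an added example written for this page; it is not Group-IB's rule engine or event format. The telemetry is a constructed JSON-lines stream: the account and device identifiers and the non-Ajina package names are made up, only com.example.smshandler and org.zzzz.aaa come from the telemetry figures above.

```python
"""Two session-telemetry rules from the Prevention section (added example)."""
import json
from collections import defaultdict

PLAY_STORE = "com.android.vending"
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
# Package names reported in the write-up's Fraud Protection telemetry.
KNOWN_TROJAN_PACKAGES = {"com.example.smshandler", "org.zzzz.aaa"}

# Constructed telemetry (JSON lines). "installer": null means the package
# was sideloaded, i.e. not installed by the Play Store.
EVENTS = """\
{"ts":"2024-03-01T09:00:00Z","type":"login","account":"acc-1","device":"dev-A"}
{"ts":"2024-03-01T09:05:00Z","type":"app_inventory","account":"acc-1","device":"dev-A","package":"org.zzzz.aaa","installer":null,"permissions":["android.permission.READ_SMS","android.permission.RECEIVE_SMS","android.permission.INTERNET"]}
{"ts":"2024-03-01T09:06:00Z","type":"app_inventory","account":"acc-1","device":"dev-A","package":"com.example.realbank","installer":"com.android.vending","permissions":["android.permission.READ_SMS"]}
{"ts":"2024-03-01T09:07:00Z","type":"app_inventory","account":"acc-2","device":"dev-C","package":"com.example.unknown","installer":null,"permissions":["android.permission.RECEIVE_SMS","android.permission.INTERNET"]}
{"ts":"2024-03-02T22:10:00Z","type":"login","account":"acc-1","device":"dev-B"}
{"ts":"2024-03-02T22:11:00Z","type":"login","account":"acc-2","device":"dev-C"}
"""


def evaluate(jsonl: str) -> list:
    """Replay the telemetry in time order and return the alerts both rules raise."""
    events = sorted((json.loads(line) for line in jsonl.splitlines() if line.strip()),
                    key=lambda e: e["ts"])
    seen_devices = defaultdict(set)  # account -> devices that have logged in before
    confirmed = set()                # accounts with a confirmed mobile trojan
    alerts = []
    for e in events:
        acct, dev = e["account"], e["device"]
        if e["type"] == "app_inventory":
            perms = set(e.get("permissions", []))
            if e["package"] in KNOWN_TROJAN_PACKAGES:
                # Rule 0: known sample from the malware database.
                confirmed.add(acct)
                alerts.append({"rule": "known_trojan", "account": acct,
                               "device": dev, "package": e["package"]})
            elif e.get("installer") != PLAY_STORE and perms & SMS_PERMS:
                # Rule 2: unknown, sideloaded, and able to read SMS: a candidate
                # new variant. Play-Store apps with READ_SMS do not fire.
                alerts.append({"rule": "sideloaded_sms_reader", "account": acct,
                               "device": dev, "package": e["package"]})
        elif e["type"] == "login":
            # Rule 1: new device on an account with a confirmed trojan.
            if acct in confirmed and dev not in seen_devices[acct]:
                alerts.append({"rule": "new_device_after_trojan",
                               "account": acct, "device": dev})
            seen_devices[acct].add(dev)
    return alerts


if __name__ == "__main__":
    for a in evaluate(EVENTS):
        print(a)
```

Note the ordering dependency: the new-device rule only fires once an account has been confirmed infected, so the device inventory must be processed before later logins, which is why the stream is sorted by timestamp before replay.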
In our experience, banking trojans are still highly active, with threat actors widely distributing modified trojans based on publicly available source code. A good example of this trend is Ajina.Banker, which poses a significant threat not only to end users of banking applications but also to the entire banking sector itself.\r\nFor users\r\nBelow are some basic recommendations on protecting mobile devices from banking trojans like Ajina.Banker.\r\n- Always check for updates on your mobile device. Keeping your mobile device updated will make it less vulnerable to such threats.\r\n- Avoid downloading applications from sources other than Google Play. Note, however, that even Google Play cannot guarantee complete security. Always check the permissions that an application requests before installing it.\r\n- Do not click on links contained within suspicious SMS messages.\r\nIf your device has been infected, do the following:\r\n1. Disable network access.\r\n2. Freeze any bank accounts that may have been accessed from your device.\r\n3. Contact experts to receive detailed information about the risks that the malware could pose to your device.\r\nFor organizations\r\nThe Group-IB Threat Intelligence team will continue to track Ajina.Banker and update our database with new indicators related to this trojan. Additionally, our Threat Intelligence team will notify customers when their application is targeted by Ajina.Banker or any other Android malware we track.\r\nFor organizations that wish to protect their customers, implementing a solution that monitors user sessions, such as Group-IB Fraud Protection, can prevent malware operators from defrauding their clients and damaging their reputations.\r\nGroup-IB’s Fraud Protection detects the latest fraud techniques, phishing preparation, and other types of attacks. 
The platform integrates data from Group-IB’s attribution-based Threat Intelligence system. Exclusive information about cybercriminals, malware, adversary IP addresses, and compromised data (logins, passwords, bank cards) helps anti-fraud systems and cybersecurity teams identify intruders and their actions.\r\nIn this way, Fraud Protection “catches” banking trojans and detects unauthorized remote access, web injections, cross-channel attacks, and personal data collection. Group-IB’s solution implements patented algorithms that help detect infected devices without the client’s involvement and without installing additional software.\r\nFraud Matrix\r\nTactic | Technique | Procedure\r\nResource development | Malware | Attackers use Ajina.Banker malware to gain access to user accounts\r\nResource development | Scam workers | The attacker has a network of affiliated workers acting with financial motivation, spreading Ajina.Banker to victimize ordinary users\r\nResource development | Social Network Account | Attackers use Telegram accounts to spread Ajina.Banker\r\nTrust abuse | Bluffing | Attackers promise easy earnings and lucrative offers to convince end users to install Ajina.Banker\r\nTrust abuse | Fake application | Ajina.Banker mimics popular banking apps and payment systems\r\nMITRE ATT\u0026CK® Matrix\r\nTactic | Technique | Procedure\r\nInitial Access (TA0027) | Phishing (T1660) | Ajina spread malicious applications via Telegram.\r\nPersistence (TA0028) | Event Triggered Execution: Broadcast Receivers (T1624.001) | Ajina.Banker registers to receive system-wide broadcast intents such as SMS received, device boot completed, network changes, battery charging state changes, and screen lock and unlock.\r\nDefense Evasion (TA0030) | Indicator Removal on Host: Uninstall Malicious Application (T1630.001) | Ajina.Banker can 
uninstall itself.\r\nMasquerading: Match\r\nLegitimate Name or Location\r\n(T1655.001)\r\nAjina.Banker mimics legitimate applications,\r\ntrying to match their names and icons.\r\nCredential-Indicators of compromise\r\nmd5 sha1 sh\r\n4b0256974d7250e3ddc3d13d6c506f4f cc6af149f1da110a570241dde6e3cfd0852cb0d8 a5\r\nhttps://www.group-ib.com/blog/ajina-malware/\r\nPage 34 of 37\n\na61c0d53f624024d401c987032270e7d 2405e7b762e65011f7d107b2b2bcf069a18a5278 44\r\n34a42857113ab2c856d533105494eb41 8a3c5e0c0438588640fbf4afe3a9c176a8204eec 1e\r\nbf20e58236c2020cd5eeceff0bf7974c 209aa1222bf59dd397aa38779cb0f48dcc961424 38\r\n7f2e9aa66f802727a52eeec72ed2d458 84af2ce3a2e58cc8a70d4cc95916cbfe15f2169e 82\r\n00241d7334d78340cd5eb721f40b8682 15de15a6f4af9c32cccbee23d99b80d33f3dcb50 2e\r\n48eb80adac9c2c9bd046c8f3da8c7f58 7f4b4f2b941e4472ece092a409099716aadcf16b f4\r\nbf1cb7d7c3bccaca23a652bd69feb539 5765162d8e5c5f903b4a297c5d2d2bbb5fedaa0f 35\r\n22 390 26 3 232 9 8 9 6 0 8 3 98 26 2 3 6\r\nShare this article\r\nFound it interesting? 
Don't hesitate to share it to wow your friends or colleagues\r\nNetwork indicators arrow_drop_down\r\nProducts Resources\r\nhttps://www.group-ib.com/blog/ajina-malware/\r\nPage 35 of 37\n\nResearch Hub\r\nSuccess Stories\r\nKnowledge Hub\r\nCertificates\r\nWebinars\r\nPodcasts\r\nTOP Investigations\r\nRansomware Notes\r\nAI Cybersecurity Hub\r\nThreat Intelligence\r\nFraud Protection\r\nManaged XDR\r\nAttack Surface Management\r\nDigital Risk Protection\r\nBusiness Email Protection\r\nCyber Fraud Intelligence\r\nPlatform\r\nUnified Risk Platform\r\nIntegrations\r\nPartners\r\nPartner Program\r\nMSSP and MDR Partner\r\nProgram\r\nTechnology Partners\r\nPartner Locator\r\nCompany\r\nAbout Group-IB\r\nTeam\r\nCERT-GIB\r\nCareers\r\nInternship\r\nAcademic Aliance\r\nSustainability\r\nMedia Center\r\nContact\r\nAPAC: +65 3159 3798\r\nEU \u0026 NA: +31 20 226 90 90\r\nSubscription plans Services Resource Center\r\nSubscribe to stay up to date with the\r\nlatest cyber threat trends\r\nContact\r\nhttps://www.group-ib.com/blog/ajina-malware/\r\nPage 36 of 37\n\nMEA: +971 4 568 1785\r\ninfo@group-ib.com\r\n© 2003 – 2026 Group-IB is a global leader in the fight against cybercrime, protecting customers\r\naround the world by preventing breaches, eliminating fraud and protecting brands.\r\nTerms of Use Cookie Policy Privacy Policy\r\nhttps://www.group-ib.com/blog/ajina-malware/\r\nPage 37 of 37\n\nIndicators md5 of compromise sha1 sh\n4b0256974d7250e3ddc3d13d6c506f4f cc6af149f1da110a570241dde6e3cfd0852cb0d8 a5\n Page 34 of 37",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.group-ib.com/blog/ajina-malware/"
	],
	"report_names": [
		"ajina-malware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434568,
	"ts_updated_at": 1775791248,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e27a20de1731879afe0862c7fa97ce2846768895.pdf",
		"text": "https://archive.orkl.eu/e27a20de1731879afe0862c7fa97ce2846768895.txt",
		"img": "https://archive.orkl.eu/e27a20de1731879afe0862c7fa97ce2846768895.jpg"
	}
}