{
	"id": "740494bd-6763-40df-b568-1d9b83cf3be2",
	"created_at": "2026-04-06T00:07:03.170176Z",
	"updated_at": "2026-04-10T13:11:29.480113Z",
	"deleted_at": null,
	"sha1_hash": "e7894135bc5ef7887d1445179e11c0ed542cb8ca",
	"title": "BadBazaar espionage tool targets Android users via trojanized Signal and Telegram apps",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2210941,
	"plain_text": "BadBazaar espionage tool targets Android users via trojanized Signal\r\nand Telegram apps\r\nBy Lukas Stefanko\r\nArchived: 2026-04-05 18:05:04 UTC\r\nESET researchers have identified two active campaigns targeting Android users, where the threat actors behind the tool are\r\nattributed to the China-aligned APT group GREF. Most likely active since July 2020 and since July 2022, respectively, the\r\ncampaigns have distributed the Android BadBazaar espionage code through the Google Play store, Samsung Galaxy Store,\r\nand dedicated websites representing the malicious apps Signal Plus Messenger and FlyGram. The threat actors patched the\r\nopen-source Signal and Telegram apps for Android with malicious code that we have identified as BadBazaar.\r\nKey points of the report:\r\nESET Research discovered trojanized Signal and Telegram apps for Android, called Signal Plus\r\nMessenger and FlyGram, on Google Play and Samsung Galaxy Store; both apps were later removed from\r\nGoogle Play.\r\nThe malicious code found in these apps is attributed to the BadBazaar malware family, which has been\r\nused in the past by a China-aligned APT group called GREF.\r\nBadBazaar malware has previously been used to target Uyghurs and other Turkic ethnic minorities.\r\nFlyGram malware was also seen shared in a Uyghur Telegram group, which aligns with previous targeting\r\nof the BadBazaar malware family.\r\nFlyGram can access Telegram backups if the user enabled a specific feature added by the attackers; the\r\nfeature was activated by at least 13,953 user accounts.\r\nSignal Plus Messenger represents the first documented case of spying on a victim’s Signal communications\r\nby secretly autolinking the compromised device to the attacker’s Signal device.\r\nBased on our telemetry, we were able to identify active Android campaigns where an attacker uploaded and distributed\r\nmalicious apps that go by the names Signal Plus Messenger and FlyGram via the Google Play store, 
Samsung Galaxy Store,\r\nand dedicated websites, mimicking the Signal application ( signalplus[.]org ) and a Telegram alternative app\r\n( flygram[.]org ).\r\nThe purpose of these trojanized apps is to exfiltrate user data. Specifically, FlyGram can extract basic device information,\r\nbut also sensitive data, such as contact lists, call logs, and the list of Google Accounts. Moreover, the app is capable of\r\nexfiltrating some information and settings related to Telegram; however, this data doesn’t include the Telegram contact list,\r\nmessages, or any other sensitive information. Nevertheless, if users enable a specific FlyGram feature that allows them to\r\nback up and restore Telegram data to a remote server controlled by the attackers, the threat actor will have full access to\r\nthese Telegram backups, not only the collected metadata. It is important to note that these backups don’t contain actual\r\nmessages. During the analysis of this feature, we realized that the server assigns a unique ID to every newly created user\r\naccount. This ID follows a sequential pattern, indicating that a minimum of 13,953 FlyGram accounts had activated this\r\nfeature.\r\nSignal Plus Messenger collects similar device data and sensitive information; its main goal, however, is to spy on the\r\nvictim’s Signal communications – it can extract the Signal PIN number that protects the Signal account, and misuses the link\r\ndevice feature that allows users to link Signal Desktop and Signal iPad to their phones. 
This spying approach stands out due\r\nto its uniqueness, as it differs from the functionality of any other known malware.\r\nhttps://www.welivesecurity.com/en/eset-research/badbazaar-espionage-tool-targets-android-users-trojanized-signal-telegram-apps/\r\nPage 1 of 20\n\nThe video above shows how the threat actor links the\r\ncompromised device to the attacker’s Signal account without any user interaction; it also explains how users can check\r\nwhether their Signal account has been connected to another device.\r\nAs a Google App Defense Alliance partner, ESET identified the most recent version of the Signal Plus Messenger as\r\nmalicious and promptly shared its findings with Google. Following our alert, the app was removed from the store. FlyGram\r\nwasn’t flagged as malicious by ESET at the time when it initially became available on the Google Play store.\r\nOn April 27th, 2023, we reported Signal Plus Messenger to both Google Play and Samsung Galaxy Store. Google took\r\naction and removed the app on May 23rd, 2023. FlyGram was taken down from Google Play sometime after January 6th,\r\n2021. At the time of writing, both apps are still available on the Samsung Galaxy Store.\r\nOverview\r\nThe malicious Signal Plus Messenger app was initially uploaded to Google Play on July 7th, 2022, and it managed to get\r\ninstalled more than a hundred times. However, the Galaxy Store does not provide any information about the app’s initial\r\nupload date or the number of installations. Its presence on both platforms is depicted in Figure 1.\r\nFigure 1. Signal Plus Messenger available on Google Play (left) and Samsung Galaxy Store (right)\r\nBoth apps were created by the same developer, share the same malicious features, and the app descriptions on both stores\r\nrefer to the same developer website, signalplus[.]org . 
The domain was registered on February 15th, 2022, and\r\nprovides a link to download the malicious Signal Plus Messenger application either from Google Play or directly from the\r\nwebsite, as shown in Figure 2. Regardless of where the app is downloaded from – be it the Google Play version, the\r\nSamsung Galaxy Store version, or the website version – all three downloads result in obtaining a maliciously modified (or\r\npatched) version of the open-source Signal for Android app.\r\nFigure 2. Distribution website of the malicious Signal Plus Messenger app\r\nThe malicious FlyGram app was initially uploaded to Google Play around June 4th, 2020, and it managed to garner more\r\nthan 5,000 installations before being taken down sometime after January 6th, 2021.\r\nBoth FlyGram apps were signed using the identical code-signing certificate. Moreover, the same FlyGram app is also\r\navailable for download from its dedicated website flygram[.]org . This website was registered on April 6th, 2020, and\r\nprovides a link to download the malicious FlyGram application directly from the website, as you can see in Figure 3.\r\nFigure 3. The malicious FlyGram app available for download on Galaxy Store (left) and a dedicated website\r\n(right)\r\nBased on code similarities, we can assign Signal Plus Messenger and FlyGram to the BadBazaar malware family, which has\r\nbeen previously used against Uyghurs and other Turkic ethnic minorities outside of China. 
BadBazaar was attributed to the\r\nChina-aligned APT15 group by Lookout; below we explain why we limit attribution to the GREF group, and why we are\r\ncurrently unable to link GREF to APT15, but continue to monitor the situation. Further details about the BadBazaar\r\ndiscovery timeline are available in Figure 4.\r\nFigure 4. BadBazaar discovery timeline\r\nVictimology\r\nOur telemetry reported detections on Android devices from Australia, Brazil, Denmark, the Democratic Republic of the\r\nCongo, Germany, Hong Kong, Hungary, Lithuania, the Netherlands, Poland, Portugal, Singapore, Spain, Ukraine, the United\r\nStates, and Yemen.\r\nFigure 5. Detection telemetry\r\nBased on our research, apart from distribution through the official Google Play store and Samsung Galaxy Store, potential\r\nvictims were also lured to install the FlyGram app from a Uyghur Telegram group focused on Android app sharing, which\r\nnow has more than 1,300 members.\r\nOn July 26th, 2020, one of the group users posted a link to FlyGram at the Google Play store with a description to download\r\na multilanguage Telegram app, as shown in Figure 6. This might help to identify who targeted Uyghurs with the malicious\r\nFlyGram application.\r\nFigure 6. Link to download FlyGram posted in a Uyghur Telegram group\r\nBased on available information on official app stores, we can’t tell who has been targeted by the campaign, since the apps\r\nwere available for download without region restrictions.\r\nAttribution to GREF\r\nSignificant code similarities between the Signal Plus Messenger and FlyGram samples, and the BadBazaar malware\r\nfamily, which Lookout attributes to the GREF cluster of APT15. 
To the best of our knowledge, this malware family is\r\nunique to GREF.\r\nOverlap in the targeting: the malicious FlyGram app used a Uyghur Telegram group as one of the distribution\r\nmechanisms. This aligns with the targeting of other Android trojans previously used by GREF (BadBazaar, SilkBean,\r\nDoubleAgent, CarbonSteal, and GoldenEagle).\r\nFigure 7. Code that gathers device info: BadBazaar sample discovered by Lookout (left) and Signal Plus\r\nMessenger (right)\r\nFigure 8. Malicious code responsible for gathering Wi-Fi info from BadBazaar (left) and FlyGram (right)\r\nSignal Plus Messenger and FlyGram also contain the same code as in BadBazaar to check whether the device operator is\r\nChinese: see Figure 9.\r\nFigure 9. Code responsible for identifying whether the device operator is Chinese\r\nTechnical analysis\r\nBoth Signal Plus Messenger and FlyGram are slightly different variants of BadBazaar that focus on user data exfiltration\r\nand espionage. However, it’s important to note that each of them possesses unique malicious functionalities. To ensure\r\nclarity and avoid any confusion, we will analyze each variant separately.\r\nTrojanized Signal – Signal Plus Messenger app\r\nAfter initial app start, the user has to log into Signal Plus Messenger via legitimate Signal functionality, just like they would\r\nwith the official Signal app for Android. Once logged in, Signal Plus Messenger starts to communicate with its command\r\nand control (C\u0026C) server, located at signalplus[.]org:4332 . During this communication, the app sends the server various\r\ndevice information, such as: IMEI number, phone number, MAC address, operator details, location data, Wi-Fi information,\r\nSignal PIN number that protects the account (if enabled by the user), emails for Google accounts, and contact list. 
The server\r\nrequest is visible in Figure 10.\r\nFigure 10. BadBazaar uploads device information to its C\u0026C server\r\nLegitimate Signal apps provide a feature that allows users to link Signal Desktop and Signal iPad to their phones to\r\ncommunicate conveniently across multiple devices. To properly link additional Signal devices to a smartphone, the user first\r\nneeds to scan a QR code displayed on a device they wish to pair. After scanning, the user grants permission for the\r\nconnection by tapping on the Link device button, as displayed in Figure 11. The QR code contains a unique URI with a\r\ngenerated ID and key, ensuring secure and individualized linking for each new QR code. An example of such URI is\r\nsgnl://linkdevice?uuid=\u003credacted\u003efV2MLK3P_FLFJ4HOpA\u0026pub_key=\u003credacted\u003e1cCVJIyt2uPJK4fWvXt0m6XEBN02qJG7pc%2BmvQa .\r\nFigure 11. User needs to confirm device linking\r\nSignal Plus Messenger can spy on Signal messages by misusing the link device feature. It does this by automatically\r\nconnecting the compromised device to the attacker’s Signal device. 
This method of spying is unique, as we haven’t seen this\r\nfunctionality being misused before by other malware, and this is the only method by which the attacker can obtain the\r\ncontent of Signal messages.\r\nBadBazaar, the malware responsible for the spying, bypasses the usual QR code scan and user click process by receiving the\r\nnecessary URI from its C\u0026C server, and directly triggering the necessary action when the Link device button is clicked.\r\nThis enables the malware to secretly link the victim’s smartphone to the attacker’s device, allowing them to spy on Signal\r\ncommunications without the victim’s knowledge, as illustrated in Figure 12.\r\nFigure 12. Mechanism of linking the victim’s Signal communications to the attacker\r\nESET Research has informed Signal’s developers about this loophole. The encrypted messaging service indicated that threat\r\nactors can alter the code of any messaging app and promote it in a deceptive or misleading manner. In this case, if the\r\nofficial Signal clients were to display a notification whenever a new device is linked to the account, the fake version could\r\nsimply disable that code path to bypass the warning and hide any maliciously linked devices. 
The only way to prevent\r\nbecoming a victim of a fake Signal – or any other malicious messaging app – is to download only official versions of such\r\napps, only from official channels.\r\nDuring our research, the server hasn’t returned to the device a URI for linking, indicating this is most likely enabled only for\r\nspecifically targeted users, based on the data previously sent by the malware to the C\u0026C server.\r\nTo understand and replicate the behavior, we used the Frida instrumentation toolkit to simulate malicious behavior and\r\nautolinked our compromised Signal Android device (victim) to our Signal Desktop device (attacker), running on a laptop.\r\nThis linking process happened silently, without any interaction or notification to the user.\r\nTo ensure that a Signal account is not linked to another device, the user needs to go to Settings -\u003e Linked devices .\r\nThis provides a way for users to detect any unauthorized linkages to their Signal account and take appropriate actions to\r\nsecure their communications, as BadBazaar can’t hide an attacker-connected device from the Linked devices menu, as\r\ndepicted in Figure 13.\r\nFigure 13. List of linked devices\r\nBadBazaar uses proxy servers that are received from the C\u0026C server. 
The malware can receive up to six different proxy\r\nservers, which refer to subdomains of the C\u0026C server.\r\nAll proxy servers provided by Signal Plus Messenger are:\r\nproxy1.signalplus[.]org  154.202.59[.]169\r\nproxy2.signalplus[.]org  92.118.189[.]164\r\nproxy3.signalplus[.]org  45.154.12[.]151\r\nproxy4.signalplus[.]org  45.154.12[.]202\r\nproxy5.signalplus[.]org  103.27.186[.]195\r\nproxy6.signalplus[.]org  103.27.186[.]156\r\nThe feature to use a proxy server by the app is not implemented by the attacker; instead, legitimate Signal proxy\r\nfunctionality is used but routed through the attacker’s server instead. As a result, the attacker’s proxy server can possibly log\r\nsome metadata, but can’t decrypt data and messages that are sent or received by Signal itself.\r\nTrojanized Telegram – FlyGram app\r\nAfter initial app launch, the user has to log into the FlyGram app via its legitimate Telegram functionality, as is necessary for\r\nthe official Telegram app. Before the login is complete, FlyGram starts to communicate with the C\u0026C server located at\r\nflygram[.]org:4432 by sending basic device information such as: IMEI number, MAC address, operator name, device\r\nlanguage, and time zone. Based on the server’s response, BadBazaar gains the ability to exfiltrate further sensitive\r\ninformation from the device, including:\r\ncontact list,\r\ncall logs,\r\nlist of installed apps,\r\nlist of Google accounts,\r\ndevice location, and\r\nWi-Fi information (IP address, SSID, BSSID, MAC address, gateway, DNS, local network device scan discovery).\r\nFlyGram can also receive a URL from the C\u0026C server to download an update; see Figure 14. The downloaded update\r\n( flygram.apk ) is not dynamically loaded as an additional payload, but needs to be manually installed by the user. 
During\r\nour examination, we were unable to access the update file as the download link was no longer active.\r\nFigure 14. Server response with URL link to FlyGram update\r\nBadBazaar can exfiltrate internal Telegram files located in the /data/data/org.telegram.messenger/shared_prefs\r\ndirectory. These files contain information and settings related to Telegram, such as the account token, the last called number,\r\nand the app language. However, they do not include the Telegram contact list, messages, or any other sensitive data.\r\nTo carry out the exfiltration process, BadBazaar compresses the content of this directory, excluding files with .jpg or\r\n.png extensions. The compressed data is then stored in the file\r\n/data/data/org.telegram.FlyGram/cache/tgmcache/tgdata.rc . Finally, the malware sends this compressed file to the\r\nC\u0026C server, as shown in Figure 15.\r\nFigure 15. Code snippet responsible for listing files in the shared_prefs directory\r\nThe BadBazaar actors took steps to protect their FlyGram app from being intercepted during network traffic analysis by\r\nmalware analysts or automated sandbox tools that attempt to identify the C\u0026C server and data exfiltration activities. They\r\nachieved this protection through a technique called SSL pinning.\r\nSSL pinning is implemented in the org.telegram.Api.Utils.CertUtils class, as shown in Figure 16. The certificate is\r\nstored in the resources directory of the APK file, specifically in the /res/raw/telemon_client.cer file using WMSvc-WIN-50QO3EIRQVP as the common name (CN). 
This SSL pinning mechanism ensures that only encrypted communication with the\r\npredefined certificate is allowed, making it difficult for outsiders to intercept and analyze the network traffic between the\r\nFlyGram app and its C\u0026C server. In contrast, the Signal Plus Messenger app does not employ SSL pinning, which means it\r\ndoes not have this specific level of protection in place.\r\nFigure 16. SSL pinning implemented by BadBazaar\r\nOn top of its legitimate Telegram functionality, FlyGram developers implemented a Cloud Sync feature that allows the users\r\nto back up and restore Telegram contacts, profile pictures, groups, channels, etc. (see Figure 17). To use this feature, the user\r\nfirst needs to create an account. The account is created using the attacker’s C\u0026C server API ( flygram[.]org:4432 ); once\r\nthe account is set up, users can upload their backups to the attacker’s C\u0026C server or retrieve their previous backups from\r\nthere.\r\nFigure 17. Cloud Sync login screen (left) and account sync interface (right)\r\nDuring our in-depth examination of the Cloud Sync API, we made an interesting discovery. The server provides a distinct ID\r\nfor each newly created user account. This ID is a unique value that increases sequentially (by one) with each new account.\r\nBy analyzing these ID values, we can estimate the number of users who have installed FlyGram and signed up for the Cloud\r\nSync feature. At the time of our analysis, our last test account was assigned the ID value 13,953 (see Figure 18), indicating\r\nthat at that time 13,953 users (including us two times) had created accounts with the Cloud Sync feature enabled.\r\nFigure 18. 
C\u0026C server response returns user data with ID\r\nFlyGram also uses proxy servers received from the C\u0026C server; we observed these five proxy servers:\r\n45.63.89[.]238:1011\r\n45.133.238[.]92:6023\r\n217.163.29[.]84:7011\r\n185.239.227[.]14:3023\r\n62.210.28[.]116:2011\r\nTo enable the proxy server functionality, the attackers didn’t implement it directly into the app. Instead, they utilized the\r\nlegitimate Telegram functionality but rerouted it through their own servers. As a result, the attacker’s proxy server may be\r\nable to log some metadata, but it cannot decrypt the actual data and messages exchanged within Telegram itself. Unlike\r\nSignal Plus Messenger, FlyGram lacks the ability to link a Telegram account to the attacker or intercept the encrypted\r\ncommunications of its victims.\r\nConclusion\r\nTwo active Android campaigns operated by the GREF APT group distributed Android malware called BadBazaar via two\r\napps, through the official Google Play store, and still distributes it via Samsung Galaxy Store, alternative app stores, and\r\ndedicated websites. A link to FlyGram in the Google Play store was also shared in a Uyghur Telegram group. Malicious\r\ncode from the BadBazaar family was hidden in trojanized Signal and Telegram apps, which should provide victims a\r\nworking app experience (without reason to remove it) but with espionage happening in the background.\r\nBadBazaar’s main purpose is to exfiltrate device information, the contact list, call logs, and the list of installed apps, and to\r\nconduct espionage on Signal messages by secretly linking the victim’s Signal Plus Messenger app to the attacker’s device.\r\nFor any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com.\r\nESET Research offers private APT intelligence reports and data feeds. 
For any inquiries about this service, visit\r\nthe ESET Threat Intelligence page.\r\nIoCs\r\nFiles\r\nSHA-1 | Package name | ESET detection name | Description\r\n19E5CF2E8EED73EE614B668BC1DBDDA01E058C0C | org.thoughtcrime.securesmsplus | Android/Spy.BadBazaar.A | BadBazaar malware.\r\nDAB2F85C5282889E678CD0901CD6DE027FD0EC44 | org.thoughtcrime.securesmsplus | Android/Spy.BadBazaar.A | BadBazaar malware from Google Play store.\r\n606E33614CFA4969F0BF8B0828710C9A23BDA22B | org.thoughtcrime.securesmsplus | Android/Spy.BadBazaar.A | BadBazaar malware from Samsung Galaxy Store.\r\nC6E26EAFBF6703DC19446944AF5DED65F86C9571 | org.telegram.FlyGram | Android/Spy.BadBazaar.A | BadBazaar malware from distribution website and Samsung Galaxy Store.\r\nB0402E3B6270DCA3DD42FFEB033F02B9BCD9228E | org.telegram.FlyGram | Android/Spy.BadBazaar.A | BadBazaar malware from Google Play store.\r\nNetwork\r\nIP | Domain | Hosting provider | First seen | Details\r\n45.63.89[.]238 | 45.63.89.238.vultrusercontent[.]com | The Constant Company, LLC | 2020-01-04 | FlyGram proxy server.\r\n45.133.238[.]92 | mail.pmumail[.]com | XNNET LLC | 2020-11-26 | FlyGram proxy server.\r\n45.154.12[.]132 | signalplus[.]org | MOACK.Co.LTD | 2022-06-13 | C\u0026C server.\r\n45.154.12[.]151 | proxy3.signalplus[.]org | MOACK.Co.LTD | 2021-02-02 | Signal Plus proxy server.\r\n45.154.12[.]202 | proxy4.signalplus[.]org | MOACK.Co.LTD | 2020-12-14 | Signal Plus proxy server.\r\n62.210.28[.]116 | 62-210-28-116.rev.poneytelecom[.]eu | SCALEWAY S.A.S. | 2020-03-08 | FlyGram proxy server.\r\n82.180.174[.]230 | www.signalplus[.]org | Hostinger International Limited | 2022-10-26 | Distribution website.\r\n92.118.189[.]164 | proxy2.signalplus[.]org | CNSERVERS LLC | N/A | Signal Plus proxy server.\r\n103.27.186[.]156 | proxy6.signalplus[.]org | Starry Network Limited | 2022-06-13 | Signal Plus proxy server.\r\n103.27.186[.]195 | proxy5.signalplus[.]org | Starry Network Limited | 2021-12-21 | Signal Plus proxy server.\r\n148.251.87[.]245 | flygram[.]org | Hetzner Online GmbH - Contact Role, ORG-HOA1-RIPE | 2020-09-10 | C\u0026C server.\r\n154.202.59[.]169 | proxy1.signalplus[.]org | CNSERVERS LLC | 2022-06-13 | Signal Plus proxy server.\r\n156.67.73[.]71 | www.flygram[.]org | Hostinger International Limited | 2021-06-04 | Distribution website.\r\n185.239.227[.]14 | N/A | Starry Network Limited | N/A | FlyGram proxy server.\r\n217.163.29[.]84 | N/A | Abuse-C Role | N/A | FlyGram proxy server.\r\nMITRE ATT\u0026CK techniques\r\nThis table was built using version 13 of the MITRE ATT\u0026CK framework.\r\nTactic | ID | Name | Description\r\nDiscovery | T1418 | Software Discovery | BadBazaar can obtain a list of installed applications.\r\nDiscovery | T1422 | System Network Configuration Discovery | BadBazaar can extract IMEI, IMSI, IP address, phone number, and country.\r\nDiscovery | T1426 | System Information Discovery | BadBazaar can extract information about the device, including SIM serial number, device ID, and common system information.\r\nCollection | T1533 | Data from Local System | BadBazaar can exfiltrate files from a device.\r\nCollection | T1430 | Location Tracking | BadBazaar tracks device location.\r\nCollection | T1636.002 | Protected User Data: Call Logs | BadBazaar can extract call logs.\r\nCollection | T1636.003 | Protected User Data: Contact List | BadBazaar can extract the device’s contact list.\r\nCollection | T1638 | Adversary-in-the-Middle | BadBazaar can link the victim’s Signal account to a device the attacker controls and intercept communications.\r\nCommand and Control | T1437.001 | Application Layer Protocol: Web Protocols | BadBazaar uses HTTPS to communicate with its C\u0026C server.\r\nCommand and Control | T1509 | Non-Standard Port | BadBazaar communicates with its C\u0026C server using HTTPS requests over port 4332 or 4432.\r\nExfiltration | T1646 | Exfiltration Over C2 Channel | BadBazaar exfiltrates data using HTTPS.\r\nSource: https://www.welivesecurity.com/en/eset-research/badbazaar-espionage-tool-targets-android-users-trojanized-signal-telegram-apps/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.welivesecurity.com/en/eset-research/badbazaar-espionage-tool-targets-android-users-trojanized-signal-telegram-apps/"
	],
	"report_names": [
		"badbazaar-espionage-tool-targets-android-users-trojanized-signal-telegram-apps"
	],
	"threat_actors": [
		{
			"id": "0a03e7f0-2f75-4153-9c4f-c46d12d3962e",
			"created_at": "2022-10-25T15:50:23.453824Z",
			"updated_at": "2026-04-10T02:00:05.28793Z",
			"deleted_at": null,
			"main_name": "Ke3chang",
			"aliases": [
				"Ke3chang",
				"APT15",
				"Vixen Panda",
				"GREF",
				"Playful Dragon",
				"RoyalAPT",
				"Nylon Typhoon"
			],
			"source_name": "MITRE:Ke3chang",
			"tools": [
				"Okrum",
				"Systeminfo",
				"netstat",
				"spwebmember",
				"Mimikatz",
				"Tasklist",
				"MirageFox",
				"Neoichor",
				"ipconfig"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "adfbe698-24b2-41fc-a701-781fef330b16",
			"created_at": "2024-01-09T02:00:04.17648Z",
			"updated_at": "2026-04-10T02:00:03.504826Z",
			"deleted_at": null,
			"main_name": "GREF",
			"aliases": [],
			"source_name": "MISPGALAXY:GREF",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7d5531e2-0ad1-4237-beed-af009035576f",
			"created_at": "2024-05-01T02:03:07.977868Z",
			"updated_at": "2026-04-10T02:00:03.817883Z",
			"deleted_at": null,
			"main_name": "BRONZE PALACE",
			"aliases": [
				"APT15 ",
				"BRONZE DAVENPORT ",
				"BRONZE IDLEWOOD ",
				"CTG-6119 ",
				"CTG-6119 ",
				"CTG-9246 ",
				"Ke3chang ",
				"NICKEL ",
				"Nylon Typhoon ",
				"Playful Dragon",
				"Vixen Panda "
			],
			"source_name": "Secureworks:BRONZE PALACE",
			"tools": [
				"BMW",
				"BS2005",
				"Enfal",
				"Mirage",
				"RoyalCLI",
				"RoyalDNS"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7c8cf02c-623a-4793-918b-f908675a1aef",
			"created_at": "2023-01-06T13:46:38.309165Z",
			"updated_at": "2026-04-10T02:00:02.921721Z",
			"deleted_at": null,
			"main_name": "APT15",
			"aliases": [
				"Metushy",
				"Lurid",
				"Social Network Team",
				"Royal APT",
				"BRONZE DAVENPORT",
				"BRONZE IDLEWOOD",
				"VIXEN PANDA",
				"Ke3Chang",
				"Playful Dragon",
				"BRONZE PALACE",
				"G0004",
				"Red Vulture",
				"Nylon Typhoon"
			],
			"source_name": "MISPGALAXY:APT15",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "17b1b76b-16da-4c4f-8b32-f6fede3eda8c",
			"created_at": "2022-10-25T16:07:23.750796Z",
			"updated_at": "2026-04-10T02:00:04.736762Z",
			"deleted_at": null,
			"main_name": "Ke3chang",
			"aliases": [
				"APT 15",
				"BackdoorDiplomacy",
				"Bronze Davenport",
				"Bronze Idlewood",
				"Bronze Palace",
				"CTG-9246",
				"G0004",
				"G0135",
				"GREF",
				"Ke3chang",
				"Metushy",
				"Nylon Typhoon",
				"Operation Ke3chang",
				"Operation MirageFox",
				"Playful Dragon",
				"Playful Taurus",
				"PurpleHaze",
				"Red Vulture",
				"Royal APT",
				"Social Network Team",
				"Vixen Panda"
			],
			"source_name": "ETDA:Ke3chang",
			"tools": [
				"Agentemis",
				"Anserin",
				"BS2005",
				"BleDoor",
				"CarbonSteal",
				"Cobalt Strike",
				"CobaltStrike",
				"DarthPusher",
				"DoubleAgent",
				"EternalBlue",
				"GoldenEagle",
				"Graphican",
				"HenBox",
				"HighNoon",
				"IRAFAU",
				"Ketrican",
				"Ketrum",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MS Exchange Tool",
				"Mebroot",
				"Mimikatz",
				"MirageFox",
				"NBTscan",
				"Okrum",
				"PluginPhantom",
				"PortQry",
				"ProcDump",
				"PsList",
				"Quarian",
				"RbDoor",
				"RibDoor",
				"Royal DNS",
				"RoyalCli",
				"RoyalDNS",
				"SAMRID",
				"SMBTouch",
				"SilkBean",
				"Sinowal",
				"SpyWaller",
				"Theola",
				"TidePool",
				"Torpig",
				"Turian",
				"Winnti",
				"XSLCmd",
				"cobeacon",
				"nbtscan",
				"netcat",
				"spwebmember"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434023,
	"ts_updated_at": 1775826689,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e7894135bc5ef7887d1445179e11c0ed542cb8ca.pdf",
		"text": "https://archive.orkl.eu/e7894135bc5ef7887d1445179e11c0ed542cb8ca.txt",
		"img": "https://archive.orkl.eu/e7894135bc5ef7887d1445179e11c0ed542cb8ca.jpg"
	}
}