{
	"id": "ad13e2ba-de44-475b-921b-8731abd115cc",
	"created_at": "2026-04-06T00:18:24.238804Z",
	"updated_at": "2026-04-10T13:12:48.586139Z",
	"deleted_at": null,
	"sha1_hash": "e903888eddc9f7143c2ef92701e60fd694435620",
	"title": "Cyble - Bitter APT Group Using \"Dracarys\" Android Spyware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1931758,
	"plain_text": "Cyble - Bitter APT Group Using \"Dracarys\" Android Spyware\r\nPublished: 2022-08-09 · Archived: 2026-04-05 15:18:25 UTC\r\nCyble analyzes the Bitter APT group leveraging trojanized messaging apps to deliver the Dracarys Android malware.\r\nAndroid Malware Disguised as a Messaging Application\r\nDuring our routine threat hunting exercise, Cyble Research Labs came across an article in which researchers reported Bitter APT delivering the Android spyware “Dracarys.” Bitter, aka T-APT-17, is a well-known Advanced Persistent Threat (APT) group active since 2013 and operating in South Asia. It has been observed targeting China, India, Pakistan, and other countries in South Asia.\r\nThe Bitter APT is actively involved in both desktop and mobile malware campaigns and uses techniques such as spear-phishing emails and exploitation of known vulnerabilities to deliver Remote Access Trojans (RATs) and other malware families.\r\nDracarys Android Spyware impersonates genuine applications such as Signal, Telegram, WhatsApp, YouTube, and other chat applications and is distributed through phishing sites.\r\nDuring analysis, we observed that one of the phishing sites was still live and distributing Dracarys. The phishing site mimics the genuine Signal site and delivers a trojanized Signal app.\r\nhttps://blog.cyble.com/2022/08/09/bitter-apt-group-using-dracarys-android-spyware/\r\nPage 1 of 11\n\nFigure 1 – Phishing site which distributes Dracarys malware\r\nUpon in-depth analysis of the malware, we observed that the Threat Actor (TA) had inserted the malicious code directly into the Signal app source code to avoid detection. 
The image below shows the added spyware module “org.zcode.dracarys” in the trojanized version of the Signal app.\r\nFigure 2 – Comparison of the genuine and trojanized Signal App\r\nTechnical Analysis\r\nAPK Metadata Information\r\nApp Name: Signal\r\nPackage Name: org.thoughtcrime.securesms.app\r\nSHA256 Hash: d16a9b41a1617711d28eb52b89111b2ebdc25d26fa28348a115d04560a9f1003\r\nFigure 3 shows the metadata information of the application.\r\nFigure 3 – App Metadata Information\r\nManifest Description\r\nThe malicious application declares 24 permissions, of which the malware abuses 10. The harmful permissions requested by the malware are:\r\nPermission: Description\r\nREAD_CONTACTS: Access phone contacts\r\nRECEIVE_SMS: Allows an application to receive SMS messages\r\nREAD_SMS: Access phone messages\r\nCAMERA: Required to access the camera device\r\nREAD_CALL_LOG: Access phone call logs\r\nREAD_EXTERNAL_STORAGE: Allows the app to read the contents of the device’s external storage\r\nRECORD_AUDIO: Allows the app to record audio with the microphone, which the attackers can misuse\r\nWRITE_EXTERNAL_STORAGE: Allows the app to write or delete files on the device’s external storage\r\nCALL_PHONE: Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call\r\nACCESS_FINE_LOCATION: Allows an app to access precise location\r\nSource Code Review\r\nThe trojanized version of the Signal application registers an Accessibility Service in the Manifest file. 
The malware abuses the Accessibility Service to auto-grant itself permission to run in the background, activate Device Admin, and perform auto-clicks.\r\nFigure 4 – Malware abusing Accessibility Service\r\nThe malware connects to the Firebase server and receives the commands to execute operations for collecting data from the victim’s device, as shown in Figure 5.\r\nFigure 5 – Receiving commands from the Firebase server\r\nThe malware collects all the contacts from the infected device and sends them to the Command and Control (C\u0026C) server “hxxps://signal-premium-app[.]org”.\r\nFigure 6 – Malware sending contact list to the C\u0026C server\r\nSimilarly, the malware collects SMS data, call logs, the installed applications list, and files present on the infected device after receiving a command from the C\u0026C server, as shown in Figures 7 through 10.\r\nFigure 7 – Collecting call logs from the infected device\r\nFigure 8 – Collecting installed application list\r\nFigure 9 – Collecting SMS list from an infected device\r\nFigure 10 – Collecting files present in the victim’s device\r\nThe malware registers the “DracarysReceiver” broadcast receiver, which receives the event from the Firebase server and starts collecting Personally Identifiable Information (PII) from the infected device, as shown in Figure 11.\r\nFigure 11 – Dracarys receiver to send updated PII data\r\nThe malware can capture screenshots and record audio to spy on the victim’s device. 
Figure 12 shows the code used by the malware to send captured screenshots and recordings to its C\u0026C server.\r\nFigure 12 – Collecting recordings and captured screenshots\r\nFigure 13 shows the C\u0026C server and the URL path to which the stolen data is sent.\r\nFigure 13 – C\u0026C server and endpoints\r\nConclusion\r\nAccording to our research, the TA has injected malicious code into genuine messaging applications such as Signal. The TA also distributed the malware through a phishing site masquerading as a genuine website, tricking users into downloading a trojanized version of a popular messaging application.\r\nWe have observed Bitter APT continuously attacking South Asian countries and changing its mode of attack with each new campaign. In this campaign, Bitter APT used a sophisticated phishing attack to infect devices with Dracarys Android Spyware.\r\nIn the coming days, we may observe a change in the Bitter APT group’s activities, with different malware variants, enhanced techniques, and distribution modes.\r\nOur Recommendations\r\nWe have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:\r\nHow to prevent malware infection?\r\nDownload and install software only from official app stores like the Play Store or the iOS App Store.\r\nUse a reputed anti-virus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.\r\nUse strong passwords and enforce multi-factor authentication wherever possible.\r\nEnable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.\r\nBe wary of opening any links received via SMS or emails delivered to your phone. 
\r\nEnsure that Google Play Protect is enabled on Android devices.\r\nBe careful while enabling any permissions.\r\nKeep your devices, operating systems, and applications updated.\r\nHow to identify whether you are infected?\r\nRegularly check the Mobile/Wi-Fi data usage of applications installed on mobile devices.\r\nKeep an eye on the alerts provided by anti-virus software and the Android OS and take necessary actions accordingly.\r\nWhat to do when you are infected?\r\nDisable Wi-Fi/Mobile data and remove the SIM card – in some cases, the malware can re-enable Mobile Data.\r\nPerform a factory reset.\r\nRemove the application in case a factory reset is not possible.\r\nTake a backup of personal media files (excluding mobile applications) and perform a device reset.\r\nWhat to do in case of any fraudulent transaction?\r\nIn case of a fraudulent transaction, immediately report it to the concerned bank.\r\nWhat should banks do to protect their customers?\r\nBanks and other financial entities should educate customers on safeguarding themselves from malware attacks via telephone, SMS, or emails. 
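Triage check for an APK against this report, added here as an illustrative example and not code from the Cyble report: it hashes the file against the SHA256 values from the Indicators of Compromise section below, scans AndroidManifest.xml for the ten abused permissions, BIND_ACCESSIBILITY_SERVICE and the DracarysReceiver name, and scans every classes*.dex for the org/zcode/dracarys package path and the undefanged C2 and distribution hosts. The two sample APKs it builds are constructed stand-ins (a zip whose manifest is UTF-16LE text and whose dex is a byte blob with DEX-style class descriptors), not real samples. Assumptions of this example, not statements from the report: that a compiled manifest keeps its string pool in UTF-16LE or UTF-8, the fully qualified receiver name org.zcode.dracarys.DracarysReceiver, and the verdict thresholds in verdict().

```python
import hashlib
import io
import zipfile

# SHA256 values of the three APK samples listed in the report's IOC table.
KNOWN_SHA256 = {
    'd16a9b41a1617711d28eb52b89111b2ebdc25d26fa28348a115d04560a9f1003',
    '43e3a0b0d5e2f172ff9555897c3d3330f3adc3ac390a52d84cea7045fbae108d',
    '220fcfa47a11e7e3f179a96258a5bb69914c17e8ca7d0fdce44d13f1f3229548',
}
# Network indicators from the IOC table, undefanged so they match raw strings in the APK.
KNOWN_HOSTS = (b'signal-premium-app.org', b'signalpremium.com',
               b'94.140.114.22', b'youtubepremiumapp.com')
# The added module org.zcode.dracarys, as DEX stores it (path-style class descriptor).
SPYWARE_PACKAGE = b'org/zcode/dracarys'
RECEIVER_NAME = b'DracarysReceiver'
# The ten permissions the report says the malware actually abuses.
ABUSED_PERMISSIONS = ('READ_CONTACTS', 'RECEIVE_SMS', 'READ_SMS', 'CAMERA',
                      'READ_CALL_LOG', 'READ_EXTERNAL_STORAGE', 'RECORD_AUDIO',
                      'WRITE_EXTERNAL_STORAGE', 'CALL_PHONE', 'ACCESS_FINE_LOCATION')
ACCESSIBILITY_PERMISSION = b'android.permission.BIND_ACCESSIBILITY_SERVICE'


def manifest_strings(raw):
    # Assumption: a compiled AndroidManifest.xml keeps its string pool as UTF-16LE
    # (aapt default) or UTF-8, so we search the raw bytes plus a UTF-16LE decoding.
    # Pool strings are 2-byte aligned, so decoding from offset 0 lines up with them.
    return raw + raw.decode('utf-16-le', errors='ignore').encode('utf-8', errors='ignore')


def triage_apk(apk_bytes):
    f = {'sha256': hashlib.sha256(apk_bytes).hexdigest(), 'permissions': [],
         'accessibility_service': False, 'receiver': False,
         'spyware_package': False, 'hosts': []}
    f['known_hash'] = f['sha256'] in KNOWN_SHA256
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
        if 'AndroidManifest.xml' in names:
            m = manifest_strings(z.read('AndroidManifest.xml'))
            f['permissions'] = [p for p in ABUSED_PERMISSIONS
                                if ('android.permission.' + p).encode() in m]
            f['accessibility_service'] = ACCESSIBILITY_PERMISSION in m
            f['receiver'] = RECEIVER_NAME in m
        # Multidex builds ship classes.dex, classes2.dex, ...; scan them all.
        for n in names:
            if n.startswith('classes') and n.endswith('.dex'):
                d = z.read(n)
                f['spyware_package'] |= SPYWARE_PACKAGE in d
                f['receiver'] |= RECEIVER_NAME in d
                for h in KNOWN_HOSTS:
                    if h in d and h.decode() not in f['hosts']:
                        f['hosts'].append(h.decode())
    return f


def verdict(f):
    # A hash, package-path or C2 host hit is conclusive. Permissions alone are not:
    # a genuine Signal build of that era also asks for contacts, SMS, camera, microphone
    # and storage, so only an accessibility service plus the broad set rates as suspicious.
    if f['known_hash'] or f['spyware_package'] or f['hosts']:
        return 'malicious'
    if f['accessibility_service'] and len(f['permissions']) >= 8:
        return 'suspicious'
    return 'clean'


def build_sample_apk(trojanized):
    # Constructed stand-in, not a real APK: the manifest is UTF-16LE text rather than
    # binary AXML, and classes.dex is a byte blob carrying DEX-style class descriptors.
    perms = ['READ_CONTACTS', 'RECEIVE_SMS', 'READ_SMS', 'CAMERA', 'RECORD_AUDIO',
             'READ_EXTERNAL_STORAGE', 'WRITE_EXTERNAL_STORAGE']
    manifest = 'package=org.thoughtcrime.securesms.app'
    dex = b'dex 035 Lorg/thoughtcrime/securesms/MainActivity;'
    if trojanized:
        perms += ['READ_CALL_LOG', 'CALL_PHONE', 'ACCESS_FINE_LOCATION']
        # Assumed fully qualified receiver name, built from the module and receiver the report names.
        manifest += ' android.permission.BIND_ACCESSIBILITY_SERVICE org.zcode.dracarys.DracarysReceiver'
        dex += b' Lorg/zcode/dracarys/DracarysReceiver; https://signal-premium-app.org/'
    for p in perms:
        manifest += ' android.permission.' + p
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as z:
        z.writestr('AndroidManifest.xml', manifest.encode('utf-16-le'))
        z.writestr('classes.dex', dex)
    return buf.getvalue()


if __name__ == '__main__':
    for label, blob in (('genuine-like', build_sample_apk(False)),
                        ('trojanized', build_sample_apk(True))):
        result = triage_apk(blob)
        print(label, verdict(result), result)
```

Run it on a real file with triage_apk(open(path, 'rb').read()). The string scans are deliberately coarse: an obfuscated build can rename the org.zcode.dracarys package or encrypt the C2 host, so treat a clean string scan as absence of evidence, not a clean bill, and keep the hash and host indicators as the conclusive signals.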
\r\nMITRE ATT\u0026CK® Techniques\r\nTactic | Technique ID | Technique Name\r\nInitial Access | T1476 | Deliver Malicious App via Other Means\r\nInitial Access | T1444 | Masquerade as Legitimate Application\r\nCollection | T1412 | Capture SMS Messages\r\nCollection | T1432 | Access Contacts List\r\nCollection | T1433 | Access Call Logs\r\nCollection | T1517 | Access Notifications\r\nCollection | T1533 | Data from Local System\r\nCollection | T1429 | Capture Audio\r\nExfiltration | T1437 | Standard Application Layer Protocol\r\nIndicators of Compromise (IOCs)\r\nIndicator | Indicator Type | Description\r\nd16a9b41a1617711d28eb52b89111b2ebdc25d26fa28348a115d04560a9f1003 | SHA256 | Hash of the analyzed APK file\r\n2c60fbb9eb22d0eb5e62f15d1e49028944c3ff51 | SHA1 | Hash of the analyzed APK file\r\n761705bd1681b94e991593bdcf190743 | MD5 | Hash of the analyzed APK file\r\nhxxps://signal-premium-app[.]org | URL | C\u0026C server\r\nhxxps://signalpremium[.]com/ | URL | Malware distribution site\r\n43e3a0b0d5e2f172ff9555897c3d3330f3adc3ac390a52d84cea7045fbae108d | SHA256 | Hash of the analyzed APK file\r\na35653c3d04aaaa76266db6cd253f086872a5d27 | SHA1 | Hash of the analyzed APK file\r\nd9a39c41e9f599766b5527986e807840 | MD5 | Hash of the analyzed APK file\r\nhxxp://94[.]140.114[.]22:41322 | URL | C\u0026C server\r\n220fcfa47a11e7e3f179a96258a5bb69914c17e8ca7d0fdce44d13f1f3229548 | SHA256 | Hash of the analyzed APK file\r\n04ec835ae9240722db8190c093a5b2a7059646b1 | SHA1 | Hash of the analyzed APK file\r\n07532dea34c87ea2c91d2e035ed5dc87 | MD5 | Hash of the analyzed APK file\r\nhxxps://youtubepremiumapp[.]com/ | URL | C\u0026C server\r\nSource: https://blog.cyble.com/2022/08/09/bitter-apt-group-using-dracarys-android-spyware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.cyble.com/2022/08/09/bitter-apt-group-using-dracarys-android-spyware/"
	],
	"report_names": [
		"bitter-apt-group-using-dracarys-android-spyware"
	],
	"threat_actors": [
		{
			"id": "655f7d0b-7ea6-4950-b272-969ab7c27a4b",
			"created_at": "2022-10-27T08:27:13.133291Z",
			"updated_at": "2026-04-10T02:00:05.315213Z",
			"deleted_at": null,
			"main_name": "BITTER",
			"aliases": [
				"T-APT-17"
			],
			"source_name": "MITRE:BITTER",
			"tools": [
				"ZxxZ"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "acd789fa-d488-47f3-b9cc-fdb18b1fa375",
			"created_at": "2023-01-06T13:46:39.332092Z",
			"updated_at": "2026-04-10T02:00:03.290017Z",
			"deleted_at": null,
			"main_name": "HAZY TIGER",
			"aliases": [
				"T-APT-17",
				"APT-C-08",
				"Orange Yali",
				"TA397"
			],
			"source_name": "MISPGALAXY:HAZY TIGER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bf6cb670-bb69-473f-a220-97ac713fd081",
			"created_at": "2022-10-25T16:07:23.395205Z",
			"updated_at": "2026-04-10T02:00:04.578924Z",
			"deleted_at": null,
			"main_name": "Bitter",
			"aliases": [
				"G1002",
				"T-APT-17",
				"TA397"
			],
			"source_name": "ETDA:Bitter",
			"tools": [
				"Artra Downloader",
				"ArtraDownloader",
				"Bitter RAT",
				"BitterRAT",
				"Dracarys"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "86fd71d3-06dc-4b73-b038-cedea7b83bac",
			"created_at": "2022-10-25T16:07:23.330793Z",
			"updated_at": "2026-04-10T02:00:04.545236Z",
			"deleted_at": null,
			"main_name": "APT 17",
			"aliases": [
				"APT 17",
				"ATK 2",
				"Beijing Group",
				"Bronze Keystone",
				"Deputy Dog",
				"Elderwood",
				"Elderwood Gang",
				"G0025",
				"G0066",
				"Operation Aurora",
				"Operation DeputyDog",
				"Operation Ephemeral Hydra",
				"Operation RAT Cook",
				"SIG22",
				"Sneaky Panda",
				"TEMP.Avengers",
				"TG-8153",
				"Tailgater Team"
			],
			"source_name": "ETDA:APT 17",
			"tools": [
				"9002 RAT",
				"AGENT.ABQMR",
				"AGENT.AQUP.DROPPER",
				"AGENT.BMZA",
				"AGENT.GUNZ",
				"Agent.dhwf",
				"AngryRebel",
				"BlackCoffee",
				"Briba",
				"Chymine",
				"Comfoo",
				"Comfoo RAT",
				"Darkmoon",
				"DeputyDog",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Fexel",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"Gresim",
				"HOMEUNIX",
				"HiKit",
				"HidraQ",
				"Homux",
				"Hydraq",
				"Jumpall",
				"Kaba",
				"Korplug",
				"Linfo",
				"MCRAT.A",
				"McRAT",
				"MdmBot",
				"Mdmbot.E",
				"Moudour",
				"Mydoor",
				"Naid",
				"Nerex",
				"PCRat",
				"PNGRAT",
				"Pasam",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trojan.Naid",
				"Vasport",
				"Wiarp",
				"Xamtrav",
				"Zox",
				"ZoxPNG",
				"ZoxRPC",
				"gresim",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434704,
	"ts_updated_at": 1775826768,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e903888eddc9f7143c2ef92701e60fd694435620.pdf",
		"text": "https://archive.orkl.eu/e903888eddc9f7143c2ef92701e60fd694435620.txt",
		"img": "https://archive.orkl.eu/e903888eddc9f7143c2ef92701e60fd694435620.jpg"
	}
}