{
	"id": "8aaec1bd-13f5-4dda-a86d-0cdc48a97afd",
	"created_at": "2026-04-06T00:11:58.879475Z",
	"updated_at": "2026-04-10T03:30:33.263263Z",
	"deleted_at": null,
	"sha1_hash": "e95f57d5d59651928527f6e964f54e898fb53f89",
	"title": "Cyberespionage Campaign Sphinx Goes Mobile With AnubisSpy",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 62099,
	"plain_text": "Cyberespionage Campaign Sphinx Goes Mobile With AnubisSpy\r\nBy: Ecular Xu, Grey Guo Dec 19, 2017 Read time: 3 min (932 words)\r\nPublished: 2017-12-19 · Archived: 2026-04-05 17:14:44 UTC\r\nAndroid malware like ransomware exemplifies how lucrative the platform can be for cybercriminals. But other threats have also been stirring of late: attacks that spy on and steal data from specific targets, crossing over between desktops and mobile devices.\r\nTake for instance several malicious apps we came across with cyberespionage capabilities, which were targeting Arabic-speaking users or Middle Eastern countries. These were published on Google Play — but have since been taken down — and on third-party app marketplaces. We named these malicious apps AnubisSpy (ANDROIDOS_ANUBISSPY) because the payload of all of them is a package called watchdog.\r\nWe construe AnubisSpy to be linked to the cyberespionage campaign Sphinx (APT-C-15) based on shared file structures and command-and-control (C\u0026C) server as well as targets. It is also possible that AnubisSpy’s operators are also Sphinx’s but are running separate, similar campaigns.\r\nWhat can AnubisSpy do?\r\nAnubisSpy can steal messages (SMS), photos, videos, contacts, email accounts, calendar events, and browser histories (i.e., Chrome and Samsung Internet Browser). It can also take screenshots and record audio, including calls. It can spy on the victim through apps installed on the device; the list of targeted apps is kept in its configuration file, which can be updated. This includes Skype, WhatsApp, Facebook, and Twitter, among others.\r\nAfter the data are collected, they are encrypted and sent to the C\u0026C server. AnubisSpy can also self-destruct to cover its tracks. It can run commands and delete files on the device, as well as install and uninstall Android Application Packages (APKs).\r\nAnubisSpy has several modules, each of which has a separate role. AnubisSpy’s code is well constructed, indicating the developers’ know-how. Below is a visualization of the modules:\r\nFigure 1: Structure of AnubisSpy’s modules\r\nHow is AnubisSpy related to Sphinx?\r\nSphinx reportedly uses the watering hole technique via social media sites to deliver its payloads — mainly a customized version of njRAT. The Sphinx campaign operators cloaked the malware with icons of legitimate applications to dupe recipients into clicking them. Sphinx was active between June 2014 and November 2015, but timestamps of the malware indicate the attacks started as early as 2011.\r\nA simple WHOIS query of AnubisSpy’s C\u0026C server showed it abused a legitimate managed hosting service provider in Belize. We correlated the AnubisSpy variants to Sphinx’s desktop/PC-targeting malware through the following:\r\nShared C\u0026C server, 86[.]105[.]18[.]107\r\nShared technique of decrypting JSON files, and similarity between the file structures of AnubisSpy and Sphinx’s malware\r\nSimilar targets (highly concentrated in Middle Eastern countries)\r\nFigure 2: Comparison of file structure in Sphinx’s desktop/PC-targeting malware (left) and AnubisSpy (right)\r\nThese apps were all written in Arabic and, in one way or another, related to something in Egypt (e.g., spoofing an Egypt-based TV program and using news/stories in the Middle East) regardless of the labels and objects in the apps. Our coordination with Google also revealed that these apps were installed across a handful of countries in the Middle East.
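The shared command-and-control address listed above is the kind of indicator a defender turns into a detection. The following is an added example in Python, not code from the Trend Micro post or its technical brief: it refangs the defanged IP and scans constructed Zeek conn.log and squid-style proxy lines for internal hosts that contacted it. The log lines, the internal addresses and the two minimal parsers are assumptions made for illustration; only the indicator itself comes from the post.

```python
# Added example, not code from the Trend Micro post: turn the defanged C2
# indicator 86[.]105[.]18[.]107 into a detection over constructed log lines.
from dataclasses import dataclass

TAB = chr(9)  # tab character, written this way to keep the example free of escape sequences

# Common defanging conventions used in threat reports (extend as needed).
DEFANG_RULES = (
    ('[.]', '.'),
    ('(.)', '.'),
    ('[:]', ':'),
    ('hxxps://', 'https://'),
    ('hxxp://', 'http://'),
)


def refang(indicator: str) -> str:
    '''Return the literal form of a defanged indicator.'''
    value = indicator.strip()
    for marker, plain in DEFANG_RULES:
        value = value.replace(marker, plain)
    return value


def url_host(url: str) -> str:
    '''Extract the host from a URL or host:port string (IPv4 addresses and hostnames only).'''
    rest = url.split('://', 1)[-1]
    host = rest.split('/', 1)[0]
    return host.rsplit(':', 1)[0] if host.count(':') == 1 else host


def parse_line(line: str):
    '''Dispatch on format: tab-separated Zeek conn.log, else squid-style proxy log.

    Returns (source_format, client_ip, server_host) or None for lines it cannot read.
    '''
    if line.startswith('#'):
        return None  # Zeek header / comment lines
    if TAB in line:
        f = line.rstrip().split(TAB)
        # ts uid id.orig_h id.orig_p id.resp_h id.resp_p ...
        return ('zeek_conn', f[2], f[4]) if len(f) >= 6 else None
    f = line.split()
    # ts elapsed client code/status bytes method url ...
    return ('proxy', f[2], url_host(f[6])) if len(f) >= 7 else None


@dataclass(frozen=True)
class Hit:
    line_no: int
    source: str      # log format that produced the match
    client: str      # internal endpoint that talked to the indicator
    indicator: str   # indicator as written in the report (defanged)


def scan(lines, indicators):
    '''Return one Hit per log line whose server host equals a refanged indicator.'''
    literal = {ioc: refang(ioc) for ioc in indicators}
    hits = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue
        source, client, server = rec
        for ioc, host in literal.items():
            # Exact comparison: a substring test would let 186.105.18.107 match 86.105.18.107.
            if server == host:
                hits.append(Hit(n, source, client, ioc))
    return hits


# The shared C2 address from the report, defanged as published.
IOCS = ['86[.]105[.]18[.]107']

# Constructed sample lines (made up for this example, not real telemetry):
# two Zeek conn.log rows and two squid-style proxy rows.
SAMPLE_LOGS = [
    TAB.join(['1512345600.10', 'CkQ1', '10.0.0.5', '51234', '86.105.18.107', '443']),
    TAB.join(['1512345601.42', 'CkQ2', '10.0.0.7', '51235', '93.184.216.34', '443']),
    '1512345602.000 120 10.0.0.9 TCP_MISS/200 512 POST http://86.105.18.107/upload - DIRECT/86.105.18.107 application/json',
    '1512345603.000 80 10.0.0.9 TCP_MISS/200 256 GET http://186.105.18.107/ - DIRECT/186.105.18.107 text/html',
]

if __name__ == '__main__':
    for h in scan(SAMPLE_LOGS, IOCS):
        print(f'line {h.line_no} ({h.source}): {h.client} contacted {refang(h.indicator)}')
```

Running the block reports the first Zeek row and the first proxy row only. The exact-host comparison is deliberate: a substring test on a short IPv4 string produces false positives such as the constructed 186.105.18.107 row, and the same care applies when an indicator is a hostname that is a suffix of a legitimate one.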
\r\nWas AnubisSpy actively distributed?\r\nWe analyzed seven apps that were confirmed to be AnubisSpy. These were signed with the same fake Google certificates. We found two more apps created by the same developer, but they had no espionage-related code; we think they were made as experimental projects. Based on hardcoded strings in the Agent Version, the malicious apps were developed as early as April 2015. Timestamps indicate that the earliest sample was signed in June 2015; the latest variant was signed in May 2017.\r\nAnubisSpy wasn’t only published on Google Play. We also found versions of it in third-party app marketplaces, most likely as a way to expand the malware’s reach. The apps mainly used Middle East-based news and sociopolitical themes as social engineering hooks and abused social media to further proliferate. Versions of AnubisSpy posed as social news, promotional, healthcare, and entertainment apps.\r\nWhat does AnubisSpy mean to the mobile landscape?\r\nPersistent and furtive spyware is an underrated problem for the mobile platform. While cyberespionage campaigns on mobile devices may be few and far between compared to ones for desktops or PCs, AnubisSpy proves that they do indeed occur, and may have been more active than initially thought. Will mobile become cyberespionage’s main frontier? It won’t be a surprise given the mobile platform’s increasing ubiquity, especially in workplaces.\r\nBeyond its effects, AnubisSpy also highlights the significance of proactively securing mobile devices, particularly if they’re on BYOD programs and used to access sensitive data. Enforcing the principle of least privilege and implementing an app reputation system are just some of the best practices that can help mitigate threats.\r\nWe disclosed our findings to Google on October 12 and worked with Google on further analyzing the AnubisSpy-related apps. Updates were also made to Google Play Protect to take appropriate action against those apps that have been verified as in violation of Google Play policy. An in-depth technical analysis of AnubisSpy, along with indicators of compromise, is in this technical brief.\r\nTrend Micro Solutions\r\nEnd users and enterprises can also benefit from multilayered mobile security solutions such as Trend Micro™ Mobile Security, which is also available on Google Play. For organizations, Trend Micro™ Mobile Security for Enterprise provides device, compliance and application management, data protection, and configuration provisioning; it also protects devices from attacks that leverage vulnerabilities, prevents unauthorized access to apps, and detects and blocks malware and fraudulent websites.\r\nTrend Micro’s Mobile App Reputation Service (MARS) covers Android and iOS threats using leading sandbox and machine learning technologies. It can protect users against malware, zero-day and known exploits, privacy leaks, and application vulnerabilities.\r\nSource: http://blog.trendmicro.com/trendlabs-security-intelligence/cyberespionage-campaign-sphinx-goes-mobile-anubisspy/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"http://blog.trendmicro.com/trendlabs-security-intelligence/cyberespionage-campaign-sphinx-goes-mobile-anubisspy/"
	],
	"report_names": [
		"cyberespionage-campaign-sphinx-goes-mobile-anubisspy"
	],
	"threat_actors": [
		{
			"id": "e90ec9cb-9959-455d-b558-4bafef64d645",
			"created_at": "2022-10-25T16:07:24.222081Z",
			"updated_at": "2026-04-10T02:00:04.903184Z",
			"deleted_at": null,
			"main_name": "Sphinx",
			"aliases": [
				"APT-C-15"
			],
			"source_name": "ETDA:Sphinx",
			"tools": [
				"AnubisSpy",
				"Backdoor.Oldrea",
				"Bladabindi",
				"Fertger",
				"Havex",
				"Havex RAT",
				"Jorik",
				"Oldrea",
				"PEACEPIPE",
				"njRAT",
				"yellowalbatross"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434318,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e95f57d5d59651928527f6e964f54e898fb53f89.pdf",
		"text": "https://archive.orkl.eu/e95f57d5d59651928527f6e964f54e898fb53f89.txt",
		"img": "https://archive.orkl.eu/e95f57d5d59651928527f6e964f54e898fb53f89.jpg"
	}
}