{
	"id": "ef5e74b2-a64a-41df-bb1c-e72197225ebc",
	"created_at": "2026-04-06T00:19:28.115431Z",
	"updated_at": "2026-04-10T03:35:47.176773Z",
	"deleted_at": null,
	"sha1_hash": "eb499644f4f284f237257f58809b89502fc23307",
	"title": "JadeRAT Mobile Surveillanceware Spikes in Espionage Activity",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 664044,
	"plain_text": "JadeRAT Mobile Surveillanceware Spikes in Espionage Activity\r\nBy Lookout\r\nPublished: 2017-10-10 · Archived: 2026-04-05 19:09:31 UTC\r\nLookout researchers are monitoring the evolution of an Android surveillanceware family known as JadeRAT, which we believe may be connected to a government-sponsored APT group.\r\nEmerging in 2015 and becoming increasingly active, JadeRAT provides its operators with a significant degree of control over a compromised device and supports over 60 commands that are focused on retrieving sensitive information and profiling victims.\r\nAll Lookout customers are protected from this threat.\r\nJadeRAT is just one example of numerous mobile surveillanceware families we've seen in recent months, indicating that actors are continuing to incorporate mobile tools in their attack chains. Some of these active families have included FrozenCell, an attack against government officials in Palestine; xRAT, associated with a family targeting Hong Kong protestors; and ViperRAT, an attack targeting members of the Israeli Defense Force. Research into those families suggests they are highly targeted; however, we have also seen more wide-reaching spyware such as SonicSpy, which was discovered in thousands of malicious apps, some of which made their way into the Google Play Store.\r\nPotential attribution\r\nBased on the apps we've seen JadeRAT trojanize, it appears the actors behind it are primarily targeting groups and individuals in China. While our analysis has identified several possible leads that could tie this surveillanceware family to the Naikon APT, Scarlet Mimic, or one of several other groups operating in the region, at this point in time we do not have conclusive evidence to confirm this. Our findings do support the theory that the actor behind JadeRAT is operating around a similar set of objectives to those followed by other Chinese government-sponsored groups.
We hope that sharing this information will increase awareness of the rise in targeted surveillance attacks against mobile devices and provide further leads to the research community investigating actors operating in this region.\r\nJadeRAT samples\r\nThere is a strong indication that the actor behind this family is becoming increasingly active in the mobile space. As of June 2017, we have acquired 34 JadeRAT samples, 50 percent of which were acquired just this year. Looking at hard-coded configuration details, we were able to determine which samples are likely production releases and which are used for internal testing. This shows that the majority of production samples were released this year.\r\nJadeRAT sample names have remained fairly consistent. The apps SIM卡管理 (SIM Card Management), 手机管家 (Phone Guardian), and Google Searcher are the most popular observed titles. Others have included Uyghur, 170602, Telegram, and Voxer, indicating the actor is impersonating communication apps and may be running some campaigns targeting ethnic minorities in China, given the Uyghur reference.\r\nJadeRAT supports over 60 commands that can be issued in the format !<command_id>&<optional_cmd_params>@. Many of these offer standard information gathering functionality seen in typical mobile surveillanceware; however, JadeRAT supports several less common capabilities. These include notifying an operator via SMS when a device has booted and silently dropping calls and texts to attacker-specified numbers.
The following are JadeRAT's core capabilities:\r\n- Get a list of running processes\r\n- Configure call recording to occur if a call is made to a specified number\r\n- Get the name of the foreground task\r\n- Alert a 'secure phone' that a victim's device is now online\r\n- Get active services\r\n- Record audio at a specific time for a set duration\r\n- Retrieve device location\r\n- Start / stop audio recording / set to record based on calls to certain numbers\r\n- Retrieve contacts, accounts, call logs, text messages\r\n- Attempt to call an attacker-specified number\r\n- Kill a specific process\r\n- Silently drop calls and SMSes to specific numbers\r\n- Retrieve location data that has been periodically collected\r\n- Enable / disable Wi-Fi\r\n- List the contents of a specific directory\r\n- Enable / disable mobile data\r\n- Download / upload / delete a specified file\r\n- Enable / disable GPS\r\n- Recursively search a directory on a victim's device for a specific filename\r\n- Delete all SMSes, call logs, contacts, and content on the SD card\r\n- Use ZipUtils to compress a specific file, placing the compressed output in /sdcard/.temp\r\n- Execute arbitrary commands if root\r\n- Exfiltrate MicroMsg and QQ media files and chat databases\r\n- Take a screenshot\r\n- Check for root access\r\n- Shutdown / reboot device\r\n- Retrieve Wi-Fi access points and their corresponding passwords\r\nAs JadeRAT simply opens a socket to a specified address and uses a basic instruction format without any authentication, its capabilities can be tested by redirecting traffic from a compromised device to an analysis machine running netcat.\r\nInfrastructure\r\nJadeRAT's operators have consistently changed their infrastructure. Production releases rarely reuse domains or IP addresses, frequently use dynamic DNS, and communicate on various non-standard ports. JadeRAT is configured to send SMS messages to an attacker-specified phone number when the compromised device first comes online; however, these have only been pre-configured in three of the most recently observed samples.
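The post describes JadeRAT's command channel as a plain TCP socket carrying frames of the form !<command_id>&<optional_cmd_params>@ with no authentication, which is why a sample can be driven from an analyst's machine once its traffic is redirected there. The following Python is an added example written for this page, not Lookout's code and not JadeRAT's own implementation: it frames and parses commands in that format and stands up a mock C2 listener that pushes a scripted command list to whatever connects, which is the netcat test from the paragraph above made repeatable. The wire details it assumes (ASCII encoding, the & separator omitted when a command has no parameters, one frame per !...@ pair) and the command IDs it uses are placeholders; the post does not publish the real ID table, so those values must be replaced with ones recovered from the sample under analysis.

```python
# Added example, not code from Lookout or from JadeRAT: mock C2 for a
# !<command_id>&<optional_cmd_params>@ command channel. Command IDs are
# placeholders; the real ID table must come from the analysed sample.
import socket
import threading

START, SEP, END = b'!', b'&', b'@'


def encode_command(cmd_id, params=None):
    '''Build one frame. Assumption: ASCII, SEP omitted when there are no params.'''
    frame = START + cmd_id.encode('ascii')
    if params is not None:
        frame += SEP + params.encode('ascii')
    return frame + END


def parse_commands(buf):
    '''Split a byte stream into complete (cmd_id, params) frames.

    Returns (frames, tail) where tail is an incomplete trailing frame that
    should be prepended to the next recv(); bytes before a START marker are
    discarded as junk. params is None when the frame carried no SEP.
    '''
    frames = []
    while True:
        start = buf.find(START)
        if start < 0:
            return frames, b''
        end = buf.find(END, start + 1)
        if end < 0:
            return frames, buf[start:]
        cmd_id, sep, params = buf[start + 1:end].partition(SEP)
        frames.append((cmd_id.decode('ascii', 'replace'),
                       params.decode('ascii', 'replace') if sep else None))
        buf = buf[end + 1:]


def serve_mock_c2(listener, commands, idle_timeout=5.0):
    '''Accept one sample, send every scripted command, return what it sent back.

    Point the hard-coded C2 host:port of the sample at this listener (hosts
    file, DNS sinkhole or an iptables REDIRECT on the analysis gateway).
    '''
    conn, _ = listener.accept()
    received = b''
    with listener, conn:
        conn.settimeout(idle_timeout)
        for cmd_id, params in commands:
            conn.sendall(encode_command(cmd_id, params))
        try:
            while True:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                received += chunk
        except socket.timeout:
            pass
    return received


def recv_frames(sock, expected):
    '''Read from sock until at least the expected number of complete frames arrived.'''
    buf = b''
    while True:
        frames, _ = parse_commands(buf)
        if len(frames) >= expected:
            return frames
        chunk = sock.recv(4096)
        if not chunk:
            return frames
        buf += chunk


def demo():
    '''Loopback run: the mock C2 on one thread, a stand-in for the redirected
    sample on the main thread that acks each command in the same framing.'''
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(('127.0.0.1', 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    # Placeholder IDs and a made-up path: replace with the real table.
    scripted = [('11', None), ('27', '/sdcard/DCIM'), ('42', None)]
    outcome = {}
    c2 = threading.Thread(
        target=lambda: outcome.update(raw=serve_mock_c2(listener, scripted)))
    c2.start()
    with socket.create_connection(('127.0.0.1', port)) as sample:
        delivered = recv_frames(sample, len(scripted))
        for cmd_id, _ in delivered:
            sample.sendall(encode_command('ack', cmd_id))
    c2.join()
    acks, _ = parse_commands(outcome['raw'])
    return {'delivered': delivered, 'acks': acks}


if __name__ == '__main__':
    print(demo())
```

Against a live sample, drop the stand-in client from demo() and bind the listener on the address the redirected traffic arrives at; the parse_commands framer is the same one an analyst would wrap around the netcat capture to tell complete frames from partial reads.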
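The Infrastructure section notes that production samples rarely reuse a domain or IP, lean on dynamic DNS, and talk on assorted non-standard ports, so an exact-match IOC feed for this family has a short shelf life. The Python below is an added example for this page, not Lookout's tooling: it loads the domain, IP and port indicators published further down in this post (reproduced in the code), runs them over a few constructed connection-log lines, and grades each hit. An exact host-or-IP plus port match is high confidence; a known host or IP on a different port is medium; a previously unseen host under one of the same dynamic-DNS parent zones is flagged as a lead only. Treating oicp.net, eicp.net, rkfree.net and 6655.la as dynamic-DNS zones is this example's assumption, drawn from the post's remark that the actor frequently uses dynamic DNS; the log format and the log lines are invented for the demo.

```python
# Added example, not Lookout's code: grade connection-log records against
# the JadeRAT network indicators published in the post. Log format and the
# log lines themselves are constructed for this demo.
import ipaddress

# Indicator pairs as published in the post: (host or IP, port).
JADERAT_C2 = [
    ('googleservhlp.oicp.net', 8096),
    ('iponetest.eicp.net', 8001),
    ('myofficedesktop.rkfree.net', 8000),
    ('asd887655.6655.la', 8080),
    ('103.226.127.98', 80),
    ('125.41.93.32', 500),
]

# Assumption: the parent zones of the listed domains are dynamic-DNS
# services, which the post says the actor relies on heavily.
DYNDNS_ZONES = ('oicp.net', 'eicp.net', 'rkfree.net', '6655.la')

EXACT = {(h, p) for h, p in JADERAT_C2}
HOSTS = {h for h, _ in JADERAT_C2}


def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def under_zone(host, zone):
    return host == zone or host.endswith('.' + zone)


def grade(dst_ip, dst_port, dst_name):
    '''Return (level, reason) for one connection; level is high, medium, lead or None.'''
    for target in (dst_name, dst_ip):
        if target and (target, dst_port) in EXACT:
            return 'high', 'exact C2 match ' + target + ':' + str(dst_port)
    for target in (dst_name, dst_ip):
        if target and target in HOSTS:
            return 'medium', 'known C2 host on unlisted port ' + target + ':' + str(dst_port)
    if dst_name and not is_ip(dst_name):
        for zone in DYNDNS_ZONES:
            if under_zone(dst_name, zone):
                return 'lead', 'new host under actor dyn-DNS zone ' + zone
    return None, ''


def parse_line(line):
    '''Constructed format: ts,src_ip,dst_ip,dst_port,dst_name (dst_name may be empty).'''
    ts, src_ip, dst_ip, dst_port, dst_name = line.strip().split(',')
    return ts, src_ip, dst_ip, int(dst_port), dst_name or None


def hunt(lines):
    '''Return a list of (ts, src_ip, level, reason) for every record that matches.'''
    hits = []
    for line in lines:
        if not line.strip() or line.startswith('#'):
            continue
        ts, src_ip, dst_ip, dst_port, dst_name = parse_line(line)
        level, reason = grade(dst_ip, dst_port, dst_name)
        if level:
            hits.append((ts, src_ip, level, reason))
    return hits


# Constructed log: one exact domain hit, one exact IP hit, one known IP on a
# new port, one unseen host under an actor dyn-DNS zone, one benign record.
SAMPLE_LOG = [
    '# constructed connection log: ts,src_ip,dst_ip,dst_port,dst_name',
    '2017-04-12T08:01:02Z,10.0.0.23,203.0.113.7,8096,googleservhlp.oicp.net',
    '2017-04-12T08:02:10Z,10.0.0.23,103.226.127.98,80,',
    '2017-04-12T08:03:44Z,10.0.0.41,125.41.93.32,8443,',
    '2017-04-12T08:05:00Z,10.0.0.41,203.0.113.9,9000,backup77.eicp.net',
    '2017-04-12T08:06:30Z,10.0.0.55,198.51.100.4,443,www.example.com',
]

if __name__ == '__main__':
    for hit in hunt(SAMPLE_LOG):
        print(hit)
```

The lead tier is where the value is for this actor: because each production build ships with fresh infrastructure, the exact tier mostly confirms old samples, while a new hostname under a dynamic-DNS zone the actor has already used is the thing worth pivoting on.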
We extracted the following phone numbers from samples acquired during April of 2017:\r\nNumber | Region | Operator | Brand\r\n18395610195 | Shijiazhuang City, Hebei Province | China Mobile Communications Corporation | Global pass, M-Zone, Shenzhou line, G3\r\n18633666566 | Handan City, Hebei Province | China United Network Communications Group Co., Ltd | Unknown\r\n13910674787 | Beijing | China Mobile Communications Corporation | Global pass, M-Zone, Shenzhou line, G3\r\nThough these phone numbers are only associated with a limited number of samples, all samples come configured with specific infrastructure to which they communicate. Below are observed domains and external IP addresses.\r\nIP / Domain | Port\r\ngoogleservhlp.oicp.net | 8096\r\niponetest.eicp.net | 8001\r\nmyofficedesktop.rkfree.net | 8000\r\nasd887655.6655.la | 8080\r\n103.226.127.98 | 80\r\n125.41.93.32 | 500\r\nLookout is continuing to track JadeRAT and its associated infrastructure closely as we anticipate this family will only continue to grow.\r\nSHA-1s\r\nfea0bc1df035ea8eb683bc91cef4d925d8a260f3\r\nb86d8dc815f50377e444a297f5f33bba1b16cc8e\r\n674224a4fe7ec9badd5eefce303ec0867a4afcdf3e883ac8e\r\nAll these indicators have been added to AlienVault under the JadeRAT pulse.\r\nMichael Flossman\r\nHead of Threat Intelligence\r\nMichael is Head of Threat Intelligence at Lookout where he works on reverse engineering sophisticated mobile threats while tracking their evolution, the campaigns they are used in, and the actors behind them. He has hands-on experience in vulnerability research, incident response, security assessments, pen-testing, reverse engineering and the prototyping of automated analysis solutions. When not analysing malware there’s a good chance he’s off snowboarding, diving, or looking for flaws in popular mobile apps.\r\nSource: https://blog.lookout.com/mobile-threat-jaderat",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://blog.lookout.com/mobile-threat-jaderat"
	],
	"report_names": [
		"mobile-threat-jaderat"
	],
	"threat_actors": [
		{
			"id": "8c5c318c-0e71-4184-92bb-d1c28f68a411",
			"created_at": "2022-10-25T15:50:23.692481Z",
			"updated_at": "2026-04-10T02:00:05.409574Z",
			"deleted_at": null,
			"main_name": "Scarlet Mimic",
			"aliases": [
				"Scarlet Mimic"
			],
			"source_name": "MITRE:Scarlet Mimic",
			"tools": [
				"Psylo",
				"MobileOrder",
				"CallMe",
				"FakeM"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "cac03bbf-0c42-470d-951e-0e92656be6cb",
			"created_at": "2023-01-06T13:46:38.463275Z",
			"updated_at": "2026-04-10T02:00:02.985402Z",
			"deleted_at": null,
			"main_name": "Scarlet Mimic",
			"aliases": [
				"Golfing Taurus",
				"G0029"
			],
			"source_name": "MISPGALAXY:Scarlet Mimic",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b69484be-98d1-49e6-aed1-a28dbf65176a",
			"created_at": "2022-10-25T16:07:23.886782Z",
			"updated_at": "2026-04-10T02:00:04.779029Z",
			"deleted_at": null,
			"main_name": "Naikon",
			"aliases": [
				"G0019",
				"Hellsing",
				"ITG06",
				"Lotus Panda",
				"Naikon",
				"Operation CameraShy"
			],
			"source_name": "ETDA:Naikon",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"AR",
				"ARL",
				"Agent.dhwf",
				"Aria-body",
				"Aria-body loader",
				"Asset Reconnaissance Lighthouse",
				"BackBend",
				"Creamsicle",
				"Custom HDoor",
				"Destroy RAT",
				"DestroyRAT",
				"Flashflood",
				"FoundCore",
				"Gemcutter",
				"HDoor",
				"JadeRAT",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"LadonGo",
				"Lecna",
				"Living off the Land",
				"NBTscan",
				"Naikon",
				"NetEagle",
				"Neteagle_Scout",
				"NewCore RAT",
				"Orangeade",
				"PlugX",
				"Quarks PwDump",
				"RARSTONE",
				"RainyDay",
				"RedDelta",
				"RoyalRoad",
				"Sacto",
				"Sandboxie",
				"ScoutEagle",
				"Shipshape",
				"Sisfader",
				"Sisfader RAT",
				"Sogu",
				"SslMM",
				"Sys10",
				"TIGERPLUG",
				"TVT",
				"TeamViewer",
				"Thoper",
				"WinMM",
				"Xamtrav",
				"XsFunction",
				"ZRLnk",
				"nbtscan",
				"nokian",
				"norton",
				"xsControl",
				"xsPlus"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a2912fc0-c34e-4e4b-82e9-665416c8fe32",
			"created_at": "2023-04-20T02:01:50.979595Z",
			"updated_at": "2026-04-10T02:00:02.913011Z",
			"deleted_at": null,
			"main_name": "Naikon",
			"aliases": [
				"BRONZE STERLING",
				"G0013",
				"PLA Unit 78020",
				"OVERRIDE PANDA",
				"Camerashy",
				"BRONZE GENEVA",
				"G0019",
				"Naikon"
			],
			"source_name": "MISPGALAXY:Naikon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9f1ce7e3-77cd-4af0-bedb-1643f55c9baf",
			"created_at": "2022-10-25T15:50:23.31611Z",
			"updated_at": "2026-04-10T02:00:05.370146Z",
			"deleted_at": null,
			"main_name": "Naikon",
			"aliases": [
				"Naikon"
			],
			"source_name": "MITRE:Naikon",
			"tools": [
				"ftp",
				"netsh",
				"WinMM",
				"Systeminfo",
				"RainyDay",
				"RARSTONE",
				"HDoor",
				"Sys10",
				"SslMM",
				"PsExec",
				"Tasklist",
				"Aria-body"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9fc2aed1-c838-41e9-b469-922e7bab6f94",
			"created_at": "2022-10-25T16:07:24.162936Z",
			"updated_at": "2026-04-10T02:00:04.886029Z",
			"deleted_at": null,
			"main_name": "Scarlet Mimic",
			"aliases": [
				"G0029",
				"Golfing Taurus"
			],
			"source_name": "ETDA:Scarlet Mimic",
			"tools": [
				"BrutishCommand",
				"CallMe",
				"CrypticConvo",
				"Elirks",
				"FakeFish",
				"FakeHighFive",
				"FakeM",
				"FakeM RAT",
				"FullThrottle",
				"HTran",
				"HUC Packet Transmit Tool",
				"MobileOrder",
				"Psylo",
				"RaidBase",
				"SkiBoot",
				"SubtractThis",
				"Terminator RAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "578e92ed-3eda-45ef-b4bb-b882ec3dbb62",
			"created_at": "2025-08-07T02:03:24.604463Z",
			"updated_at": "2026-04-10T02:00:03.798481Z",
			"deleted_at": null,
			"main_name": "BRONZE GENEVA",
			"aliases": [
				"APT30 ",
				"BRONZE STERLING ",
				"CTG-5326 ",
				"Naikon ",
				"Override Panda ",
				"RADIUM ",
				"Raspberry Typhoon"
			],
			"source_name": "Secureworks:BRONZE GENEVA",
			"tools": [
				"Lecna Downloader",
				"Nebulae",
				"ShadowPad"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434768,
	"ts_updated_at": 1775792147,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/eb499644f4f284f237257f58809b89502fc23307.pdf",
		"text": "https://archive.orkl.eu/eb499644f4f284f237257f58809b89502fc23307.txt",
		"img": "https://archive.orkl.eu/eb499644f4f284f237257f58809b89502fc23307.jpg"
	}
}