{
	"id": "b1b97c91-af7a-4b1e-846b-34093f18c205",
	"created_at": "2026-04-06T00:20:03.809609Z",
	"updated_at": "2026-04-10T03:36:50.320823Z",
	"deleted_at": null,
	"sha1_hash": "ec66e792edddf3f22a066d7e07d0c0aef7d52a78",
	"title": "eXotic Visit campaign: Tracing the footprints of Virtual Invaders",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1729236,
	"plain_text": "eXotic Visit campaign: Tracing the footprints of Virtual Invaders\r\nBy Lukas Stefanko\r\nArchived: 2026-04-05 17:57:37 UTC\r\nESET researchers have discovered an active espionage campaign targeting Android users with apps primarily posing as\r\nmessaging services. While these apps offer functional services as bait, they are bundled with open-source XploitSPY\r\nmalware. We have named this campaign eXotic Visit and have tracked its activities from November 2021 through to the end\r\nof 2023. The targeted campaign has been distributing malicious Android apps through dedicated websites and, for some\r\ntime, through the Google Play store as well. Because of the targeted nature of the campaign, the apps available on Google\r\nPlay had a low number of installs; all of them have been removed from the store. The eXotic Visit campaign appears to\r\nprimarily target a select group of Android users in Pakistan and India. There is no indication that this campaign is linked to\r\nany known group; however, we are tracking the threat actors behind it under the moniker Virtual Invaders.\r\nKey points of the report:\r\nThis active and targeted Android espionage campaign, which we have named eXotic Visit, started in late\r\n2021 and mainly impersonates messaging apps that are distributed through dedicated websites and Google\r\nPlay.\r\nOverall, at the time of writing, around 380 victims have downloaded the apps from both sources and\r\ncreated accounts to use their messaging functionality. Because of the targeted nature of the campaign, the\r\nnumber of installs of each app from Google Play is relatively low – between zero and 45.\r\nDownloaded apps provide legitimate functionality, but also include code from the open-source Android\r\nRAT XploitSPY. 
We have linked the samples through their use of the same C\u0026C, unique and custom\r\nmalicious code updates, and the same C\u0026C admin panel.\r\nThroughout the years, these threat actors have customized their malicious code by adding obfuscation,\r\nemulator detection, hiding of C\u0026C addresses, and use of a native library.\r\nThe region of interest seems to be South Asia; in particular, victims in Pakistan and India have been\r\ntargeted.\r\nCurrently, ESET Research does not have enough evidence to attribute this activity to any known threat\r\ngroup; we track the group internally as Virtual Invaders.\r\nApps that contain XploitSPY can extract contact lists and files, get the device’s GPS location and the names of files listed in\r\nspecific directories related to the camera, downloads, and various messaging apps such as Telegram and WhatsApp. If\r\ncertain filenames are identified as being of interest, they can subsequently be extracted from these directories via an\r\nadditional command from the command and control (C\u0026C) server. Interestingly, the implementation of the chat\r\nfunctionality integrated with XploitSPY is unique; we strongly believe that this chat function was developed by the Virtual\r\nInvaders group.\r\nThe malware also uses a native library, which is often used in Android app development for improving performance and\r\naccessing system features. However, in this case, the library is used to hide sensitive information, like the addresses of the\r\nC\u0026C servers, making it harder for security tools to analyze the app.\r\nThe apps described in the sections below were taken down from Google Play; moreover, as a Google App Defense Alliance\r\npartner, ESET identified ten additional apps that contain code that is based on XploitSPY and shared its findings with\r\nGoogle. Following our alert, the apps were removed from the store. 
Each of the apps described below had a low number of\r\ninstalls, suggesting a targeted approach rather than a broad strategy. The Timeline of eXotic Visit apps section below\r\ndescribes the “fake”, albeit functional, apps we have identified as part of this campaign, whereas the Technical analysis\r\nsection focuses on the details of the XploitSPY code, present in various incarnations across those apps.\r\nhttps://www.welivesecurity.com/en/eset-research/exotic-visit-campaign-tracing-footprints-virtual-invaders/\r\nPage 1 of 21\n\nTimeline of eXotic Visit apps\r\nStarting chronologically, on January 12th, 2022, MalwareHunterTeam shared a tweet with a hash and a link to a website that\r\ndistributes an app named WeTalk, which impersonates the popular Chinese WeChat application. The website provided a link\r\nto a GitHub project to download a malicious Android app. Based on the date available on GitHub, the wetalk.apk app was\r\nuploaded in December 2021.\r\nAt that time, there were five apps available, using the names ChitChat.apk, LearnSindhi.apk, SafeChat.apk, wechat.apk, and\r\nwetalk.apk. The ChitChat app had been available on GitHub since November 2021, distributed using a dedicated website\r\n(chitchat.ngrok[.]io; see Figure 1) as well as the malicious WeTalk app mentioned earlier. Both use the same C\u0026C address\r\nwith the admin panel login interface shown in Figure 2.\r\nFigure 1. Distribution website of the ChitChat app\r\nFigure 2. Admin panel login page for the WeTalk and ChitChat C\u0026C server\r\nhttps://www.welivesecurity.com/en/eset-research/exotic-visit-campaign-tracing-footprints-virtual-invaders/\r\nPage 2 of 21\n\nSince July 2023, the same GitHub account has hosted new malicious Android apps that have the same malicious code and\r\nC\u0026C server. We don’t have any information on how these apps are distributed. 
Apps are stored in five repositories, using\r\nnames such as ichat.apk, MyAlbums.apk, PersonalMessenger.apk, Photo Collage Grid \u0026 Pic Maker.apk, Pics.apk,\r\nPrivateChat.apk, SimInfo.apk, Specialist Hospital.apk, Spotify_ Music and Podcasts.apk, TalkUChat.apk, and Themes for\r\nAndroid.apk.\r\nReturning to ChitChat.apk and wetalk.apk: both apps contain the promised messaging functionality, but also include\r\nmalicious code we have identified as the open-source XploitSPY available on GitHub. XploitSPY is based on another open-source Android RAT called L3MON; however, it was removed from GitHub by its author. L3MON was inspired by yet\r\nanother open-source Android RAT named AhMyth, with extended functionality (we covered another AhMyth-derived\r\nAndroid RAT in this WeLiveSecurity blogpost).\r\nEspionage and remote control of the targeted device are the main purposes of the app. Its malicious code is capable of:\r\nlisting files on the device,\r\nsending SMS messages,\r\nobtaining call logs, contacts, text messages, and a list of installed apps,\r\ngetting a list of surrounding Wi-Fi networks, device location, and user accounts,\r\ntaking pictures using the camera,\r\nrecording audio from the device’s surroundings, and\r\nintercepting notifications received for WhatsApp, Signal, and any other notification that contains the string new\r\nmessages.\r\nThe last function might be a lazy attempt to intercept received messages from any messaging app.\r\nThe same C\u0026C address that was used by previously mentioned apps (wechat.apk and ChitChat.apk) is also used by Dink\r\nMessenger. Based on VirusTotal’s in-the-wild URLs, this sample was available for download from letchitchat[.]info on\r\nFebruary 24th, 2022. That domain was registered on January 28th, 2022. 
On top of messaging functionality, the attackers\r\nadded malicious code based on XploitSPY.\r\nOn November 8th, 2022, MalwareHunterTeam tweeted a hash of the malicious Android alphachat.apk app with its download\r\nwebsite. The app was available for download on the same domain as the Dink Messenger app (letchitchat[.]info). The Alpha\r\nChat app uses the same C\u0026C server and C\u0026C admin panel login page as in Figure 2, but on a different port; the app also\r\ncontains the same malicious code. We don’t have information about when Dink Messenger was available on the domain;\r\nsubsequently, it was replaced by Alpha Chat.\r\nThe trojanized Alpha Chat app, compared to previous versions of XploitSPY from the eXotic Visit campaign, contains a\r\nmalicious code update that includes emulator detection. If this app detects that it is running in an emulator, then it uses a\r\nfake C\u0026C address instead of revealing the real one, as shown in Figure 3. This should most likely prevent automated\r\nmalware sandboxes, while performing dynamic analysis, from identifying the actual C\u0026C server.\r\nhttps://www.welivesecurity.com/en/eset-research/exotic-visit-campaign-tracing-footprints-virtual-invaders/\r\nPage 3 of 21\n\nFigure 3. Emulator detection\r\nAlpha Chat also uses an additional C\u0026C address to exfiltrate non-image files with a size over 2 MB. Other files are\r\n exfiltrated via a web socket to the C\u0026C server.\r\nThat is a connection between the Dink Messenger and Alpha Chat apps: both were distributed on the same dedicated\r\nwebsite. However, Dink Messenger was also carefully distributed through the Google Play store: Version 1.0 of Dink\r\nMessenger appeared on Google Play on February 8th, 2022, but with no malicious functionality included. This might have\r\nbeen a test by the threat actor to see whether the app would be validated and successfully uploaded to the store. 
On May\r\n24th, 2022, version 1.2 was uploaded, still without malicious functionality. At that time the app was installed over 15 times.\r\nOn June 10th, 2022, version 1.3 was uploaded to Google Play. This version contained malicious code, as shown in Figure 4.\r\nFigure 4. Class name comparison of Dink Messenger without malicious functionality (left) and with (right)\r\nSubsequently, three more versions were uploaded to Google Play with the same malicious code; the last, version 1.6, was\r\nuploaded on December 15th, 2022. All in all, these six versions have over 40 installs. We have no information on when the\r\napp was removed from the store. All the app versions with and without malicious code were signed by the same developer\r\ncertificate, which means they were built and pushed to Google Play by the same malicious developer.\r\nhttps://www.welivesecurity.com/en/eset-research/exotic-visit-campaign-tracing-footprints-virtual-invaders/\r\nPage 4 of 21\n\nIt is also important to mention that the Dink Messenger app available on letchitchat[.]info used the same C\u0026C server as the\r\nDink Messenger app on Google Play, and could perform extended malicious actions; however, the user interface of each was\r\ndifferent (see Figure 5). Dink Messenger on Google Play implemented emulator checks (just as Alpha Chat), whereas the\r\none on the dedicated website did not.\r\nFigure 5. User interface of Dink Messenger downloaded from a dedicated website (left) and Google Play\r\n(right)\r\nOn August 15th, 2022, the Telco DB app (with the package name com.infinitetechnology.telcodb), which claims to provide\r\ninformation about the owners of phone numbers, was uploaded to an alternative app store; see Figure 6. This app has the\r\nsame malicious code, a newly added emulator check with fake C\u0026C address redirection, and an additional C\u0026C server for\r\nfile exfiltration. 
The C\u0026C address is not hardcoded, as in previous cases; rather, it is returned from a Firebase server. We\r\nbelieve that this is another trick to hide the real C\u0026C server, and perhaps even to update it in the future. With a high level of\r\nconfidence, we assess that this app is a part of the eXotic Visit campaign.\r\nhttps://www.welivesecurity.com/en/eset-research/exotic-visit-campaign-tracing-footprints-virtual-invaders/\r\nPage 5 of 21\n\nhttps://www.welivesecurity.com/en/eset-research/exotic-visit-campaign-tracing-footprints-virtual-invaders/\r\nPage 6 of 21\n\nFigure 6. User interface of the Telco DB app\r\nFour days later, on August 19th, 2022, the Sim Info app was uploaded to Google Play as part of the campaign. It also claims\r\nto provide the user with information about who owns a phone number.\r\nThe malicious code communicates with the same C\u0026C server as previous samples and is otherwise the same except that the\r\nthreat actors included a native library. We elaborate on this native library in the Toolset section. Sim Info reached over 30\r\ninstalls on Google Play; we have no information about when it was removed from the store.\r\nOn June 21st, 2023, the malicious Defcom app was uploaded to Google Play; see Figure 7.\r\nhttps://www.welivesecurity.com/en/eset-research/exotic-visit-campaign-tracing-footprints-virtual-invaders/\r\nPage 7 of 21\n\nFigure 7. Defcom messaging app on Google Play\r\nDefcom is a trojanized messaging app that is part of the eXotic Visit campaign, using the same malicious code and native\r\nlibrary to retrieve its C\u0026C server. It uses a new C\u0026C server, but with the same admin panel login interface shown in Figure\r\n2. 
This C\u0026C domain (zee.xylonn[.]com) was registered on June 2nd, 2023.\r\nBefore the app was removed, sometime in June 2023, it reached around six installs on Google Play.\r\nIn Figure 8, we illustrate a timeline of when all the apps were first available for download as part of the campaign.\r\nFigure 8. Timeline of the first appearance of XploitSPY-riddled apps that are part of the malicious campaign\r\nBesides the already mentioned malicious apps that are part of the campaign, we were able to identify additional apps that were\r\nuploaded to Google Play, and others where an attempt was made to upload, but we're unable to tell whether the uploads were\r\nsuccessful. Although we identified them based on the same detection names, we were not able to obtain the samples to\r\nanalyze them and verify whether they are part of the same campaign. In any case, they contain malicious code that is based\r\non XploitSPY. Table 1 lists XploitSPY apps that were available on Google Play. Each of these apps had a low number of\r\ninstalls. A substantial number of the apps that were available on Google Play had zero installs, with some yielding under 10\r\ninstalls. The highest install count from the Play Store came in at under 45.\r\nTable 1. More XploitSPY-containing apps that were available on Google Play\r\nApp name Package name Date uploaded to Google Play\r\nZaangi Chat com.infinite.zaangichat July 22nd, 2022\r\nWicker Messenger com.reelsmart.wickermessenger August 25th, 2022\r\nExpense Tracker com.solecreative.expensemanager November 4th, 2022\r\nTable 2 lists the malicious apps that developers tried to upload on Google Play; however, we have no information about\r\nwhether or not they became available on Google Play.\r\nTable 2. 
XploitSPY-containing apps that were uploaded on Google Play\r\nApp name Package name Date uploaded to Google Play\r\nSignal Lite com.techexpert.signallite December 1st, 2021\r\nTelco DB com.infinitetech.telcodb July 25th, 2022\r\nTelco DB com.infinitetechnology.telcodb July 29th, 2022\r\nTele Chat com.techsight.telechat November 8th, 2022\r\nTrack Budget com.solecreative.trackbudget December 30th, 2022\r\nSnapMe com.zcoders.snapme December 30th, 2022\r\nTalkU com.takewis.talkuchat February 14th, 2023\r\nESET is a member of the App Defense Alliance and an active partner in the malware mitigation program, which aims to\r\nquickly find Potentially Harmful Applications (PHAs) and stop them before they ever make it onto Google Play.\r\nAs a Google App Defense Alliance partner, ESET identified all mentioned apps as malicious and shared its findings with\r\nGoogle, who subsequently unpublished them. All the apps identified in the report that were on Google Play are no longer\r\navailable on the Play store.\r\nVictimology\r\nOur research indicates that malicious apps developed by eXotic Visit were distributed through Google Play and dedicated\r\nwebsites, and four of those apps mostly targeted users in Pakistan and India. We detected one of those four apps, Sim Info,\r\non an Android device in Ukraine, but we don’t think Ukraine is being targeted specifically, as the app was available on\r\nGoogle Play for anyone to download. 
Based on our data, each of the malicious apps available on Google Play was\r\ndownloaded tens of times; however, we don’t have any visibility into the download details.\r\nWe identified potential targets for four of these apps: Sim Info, Telco DB (com.infinitetechnology.telcodb), Shah jee Foods,\r\nand Specialist Hospital.\r\nThe Sim Info and Telco DB apps provide users the functionality to search for SIM owner information for any Pakistani\r\nmobile number, using the online service dbcenteruk.com; see Figure 9.\r\nFigure 9. Sim Info’s interface to search for Pakistani phone number information\r\nOn July 8th, 2022, an app named Shah jee Foods was uploaded to VirusTotal from Pakistan. This app is part of the\r\ncampaign. After startup, it displays a food ordering website for the Pakistan region, foodpanda.pk.\r\nThe Specialist Hospital app, available on GitHub, poses as the app for Specialist Hospital in India (specialisthospital.in); see\r\nFigure 10. After starting, the app requests the permissions necessary to perform its malicious activities and then requests the\r\nuser to install the legitimate app from Google Play.\r\nFigure 10. The malicious Specialist Hospital app (left) impersonates the legitimate service (right)\r\nWe were able to find over 380 compromised accounts created in some of these apps; however, we were not able to retrieve\r\ntheir geolocation. 
Since the same insecure code was found in ten apps, we can say with a high level of confidence that they\r\nwere developed by the same threat actor.\r\nAttribution\r\nWe track this operation, active since the end of 2021, as eXotic Visit, but based on ESET research and that of others, we\r\ncannot attribute this campaign to any known group. As a result, we have internally labeled the group behind this operation as\r\nVirtual Invaders.\r\nXploitSPY is widely available and customized versions have been used by multiple threat actors such as the Transparent\r\nTribe APT group, as documented by Meta. However, the modifications found in the apps we describe as part of the eXotic\r\nVisit campaign are distinctive and differ from those in previously documented variants of the XploitSPY malware.\r\nTechnical analysis\r\nInitial access\r\nInitial access to the device is gained by tricking a potential victim into installing a fake, but functional, app. As described in\r\nthe Timeline of eXotic Visit apps section, the malicious ChitChat and WeTalk apps were distributed via dedicated websites\r\n(chitchat.ngrok[.]io and wetalk.ngrok[.]io, respectively), and hosted on GitHub (https://github[.]com/Sojal87/).\r\nAt that time, three more apps – LearnSindhi.apk, SafeChat.apk, and wechat.apk – were available from the same GitHub\r\naccount; we are not aware of their distribution vector. As of July 2023, these apps were not available for download from\r\ntheir GitHub repositories anymore. However, the same GitHub account now hosts several new malicious apps available for\r\ndownload. 
All of these new apps are also part of the malicious eXotic Visit espionage campaign, due to also containing\r\nvariants of the same XploitSPY code.\r\nThe Dink Messenger and Alpha Chat apps were hosted on a dedicated website (letchitchat[.]info), from which victims were\r\nenticed into downloading and installing the app.\r\nThe Dink Messenger, Sim Info, and Defcom apps had been available on Google Play until their removal by Google.\r\nToolset\r\nAll analyzed apps contain customizations of the code from the malicious XploitSPY app available on GitHub. Since the first\r\nversion found in 2021 until the latest version, first distributed in July 2023, we have seen continuing development efforts.\r\nVirtual Invaders has included:\r\nusage of a fake C\u0026C server if an emulator is detected,\r\ncode obfuscation,\r\nan attempt to hide the C\u0026C addresses from static analysis by retrieving it from its Firebase server, and\r\nuse of a native library that keeps the C\u0026C server and other information encoded and hidden from static analysis\r\ntools.\r\nWhat follows is our analysis of custom XploitSPY malware that, in the Defcom app, was available on Google Play.\r\nDefcom integrates XploitSPY code with a unique chat functionality; we believe with high level of confidence the chat\r\nfunctionality was created by Virtual Invaders. This applies to all of the other messaging apps that have XploitSPY included.\r\nAfter its initial start, the app prompts users to create an account and simultaneously attempts to obtain device location details\r\nby querying api.ipgeolocation.io and forwarding the result to a Firebase server. This server also functions as the messaging\r\ncomponent’s server. The app interface is shown in Figure 11.\r\nhttps://www.welivesecurity.com/en/eset-research/exotic-visit-campaign-tracing-footprints-virtual-invaders/\r\nPage 13 of 21\n\nFigure 11. 
Defcom’s login interface (left) and in-app tabs (right)\r\nDefcom utilizes a native library, often used in Android app development for performance enhancement and system feature\r\naccess. Written in C or C++, these libraries can be used to conceal malicious functionalities. Defcom’s native library is\r\nnamed defcome-lib.so.\r\ndefcome-lib.so’s purpose is to hide sensitive information such as C\u0026C servers from static app analysis. Methods\r\nimplemented in the library return a base64-encoded string that is then decoded by the malicious code during runtime. This\r\ntechnique isn’t very sophisticated, but it prevents static analysis tools from extracting C\u0026C servers. Figure 12 shows the\r\nnative method declarations in the Java code, and Figure 13 the implementation of the getServerUrl method in assembly\r\ncode. Note that the comment above each declaration in Figure 12 is the decoded return value when calling that method.\r\nhttps://www.welivesecurity.com/en/eset-research/exotic-visit-campaign-tracing-footprints-virtual-invaders/\r\nPage 14 of 21\n\nFigure 12. Native method declarations\r\nFigure 13. Implementation of the native method getServerUrl in assembly language\r\nThe commands to execute on the compromised device are returned from the C\u0026C server. Each command is represented by a\r\nstring value. The list of the commands is:\r\n0xCO – Get contact list.\r\nhttps://www.welivesecurity.com/en/eset-research/exotic-visit-campaign-tracing-footprints-virtual-invaders/\r\nPage 15 of 21\n\n0xDA – Exfiltrate file from device. The path to the file is received from the C\u0026C server.\r\n0xFI – List files in the directory specified by the server. With an additional argument it can upload files from a\r\nspecified directory to the C\u0026C server.\r\n0xIP – Get device geolocation using the ipgeolocation.io service.\r\n0xLO – Get device GPS location.\r\n0xOF – List files in seven specific directories. 
In four cases the file paths are hardcoded, in three cases only folder\r\nnames. An additional argument specifies the directory:\r\n0xCA – Camera\r\n0xDW – Downloads\r\n0xSS – /storage/emulated/0/Pictures/Screenshots\r\n0xTE – Telegram\r\n0xWB – /storage/emulated/0/Android/media/com.whatsapp.w4b/WhatsApp Business/Media\r\n0xWG – /storage/emulated/0/Android/media/com.gbwhatsapp/GBWhatsApp/Media\r\n0xWP – /storage/emulated/0/Android/media/com.whatsapp/WhatsApp/Media\r\nInterestingly, GB WhatsApp is an unofficial cloned version of WhatsApp. While it offers additional features that have made\r\nit quite popular, it is important to note that it’s not available on Google Play. Instead, it is often found on various download\r\nwebsites, where versions of it are frequently riddled with malware. The app has a substantial user base in several countries,\r\nincluding India, despite its associated security risks.\r\nFigure 14 and Figure 15 show the exfiltration of a contact list and a directory listing.\r\nFigure 14. Contact list exfiltration\r\nFigure 15. File list exfiltration\r\nNetwork infrastructure\r\nVirtual Invaders uses ngrok as its C\u0026C server; the service is a cross-platform application that enables developers to expose a\r\nlocal development server to the internet. ngrok can create a tunnel that connects using ngrok servers to a local machine.\r\nngrok allows its users – so, the attackers in this case – to reserve a particular IP address or redirect the victim to the\r\nattacker’s own domain on a specific port.\r\nConclusion\r\nWe have described the eXotic Visit campaign, operated by the Virtual Invaders threat actor, which has been active since at\r\nleast the end of 2021. Throughout the years the campaign has evolved. 
Distribution started on dedicated websites and then\r\neven moved to the official Google Play store.\r\nWe have identified the malicious code used as a customized version of the open-source Android RAT, XploitSPY. It is\r\nbundled with legitimate app functionality, most of the time being a fake, but functioning, messaging application. The\r\ncampaign has evolved over the years to include obfuscation, emulator detection, and hiding of C\u0026C addresses. The purpose\r\nof the campaign is espionage and probably is targeting victims in Pakistan and India.\r\nFor any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com.\r\nESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit\r\nthe ESET Threat Intelligence page.\r\nIoCs\r\nFiles\r\nSHA-1 Filename ESET detection name Description\r\nC9AE3CD4C3742CC3353A\r\nF353F96F5C9E8C663734\r\nalphachat.apk Android/Spy.XploitSPY.A XploitSPY malwa\r\n89109BCC3EC5B8EC1DC9\r\nC4226338AECDBE4D8DA4\r\ncom.appsspot.defcom.apk Android/Spy.XploitSPY.A XploitSPY malwa\r\nBB28CE23B3387DE43EFB\r\n08575650A23E32D861B6\r\ncom.egoosoft.siminfo-4-apksos.com.apk Android/Spy.XploitSPY.A XploitSPY malwa\r\n7282AED684FB1706F026\r\nAA85461FB852891C8849\r\ncom.infinitetech.dinkmessenger_v1_3.apk Android/Spy.XploitSPY.A XploitSPY malwa\r\nB58C18DB32B72E6C0054\r\n94DE166C291761518E54\r\ncom.infinitetechnology.telcodb.apk Android/Spy.XploitSPY.A XploitSPY malwa\r\nA17F77C0F98613BF349B\r\n038B9BC353082349C7AA\r\ndinkmessenger.apk Android/Spy.XploitSPY.A XploitSPY malwa\r\nhttps://www.welivesecurity.com/en/eset-research/exotic-visit-campaign-tracing-footprints-virtual-invaders/\r\nPage 17 of 21\n\nSHA-1 Filename ESET detection name Description\r\n991E820274AA02024D45\r\n31581EA7EC6A801C38FA\r\nChitChat.apk Android/Spy.XploitSPY.A XploitSPY malwa\r\n7C7896613EB6B54B9E9A\r\nAD5C19ACC7BF239134D4\r\nichat.apk Android/Spy.XploitSPY.A XploitSPY 
malwa\r\n17FCEE9A54AD174AF971\r\n3E39C187C91E31162A2F\r\nMyAlbums.apk Android/Spy.XploitSPY.A XploitSPY malwa\r\n3F0D58A6BA8C0518C8DF\r\n1567ED9761DC9BDC6C77\r\nPersonalMessenger.apk Android/Spy.XploitSPY.A XploitSPY malwa\r\nA7AB289B61353B632227\r\n2C4E7A4C19F49CB799D7\r\nPhotoCollageGridAndPicMaker.apk Android/Spy.XploitSPY.A XploitSPY malwa\r\nFA6624F80BE92406A397\r\nB813828B9275C39BCF75\r\nPics.apk Android/Spy.XploitSPY.A XploitSPY malwa\r\n4B8D6B33F3704BDA0E69\r\n368C18B7E218CB7970EE\r\nPrivateChat.apk Android/Spy.XploitSPY.A XploitSPY malwa\r\n706E4E701A9A2D42EF35\r\nC08975C79204A73121DC\r\nShah_jee_Foods__com.electron.secureapp.apk Android/Spy.XploitSPY.A XploitSPY malwa\r\nA92E3601328CD9AF3A69\r\n7B5B09E7EF20EDC79F8E\r\nSimInfo.apk Android/Spy.XploitSPY.A XploitSPY malwa\r\n6B71D58F8247FFE71AC4\r\nEDFD363E79EE89EDDC21\r\nSpecialistHospital.apk Android/Spy.XploitSPY.A XploitSPY malwa\r\n9A92224A0BEF9EFED027\r\n8B70300C8ACC4F7E0D8E\r\nSpotify_Music_and_Podcasts.apk Android/Spy.XploitSPY.A XploitSPY malwa\r\n7D50486C150E9E4308D7\r\n6A6BF81788766292AE55\r\nTalkUChat.apk Android/Spy.XploitSPY.A XploitSPY malwa\r\nhttps://www.welivesecurity.com/en/eset-research/exotic-visit-campaign-tracing-footprints-virtual-invaders/\r\nPage 18 of 21\n\nSHA-1 Filename ESET detection name Description\r\n50B896E999FA96B5AEBD\r\nA7FE8E28E116B1760ED5\r\nThemes_for_Android.apk Android/Spy.XploitSPY.A XploitSPY malwa\r\n0D9F42CE346090F7957C\r\nA206E5DC5A393FB3513F\r\nwetalk.apk Android/Spy.XploitSPY.A XploitSPY malwa\r\nNetwork\r\nIP Domain Hosting provider First seen Details\r\n3.13.191[.]225 phpdownload.ngrok[.]io Amazon.com, Inc. 2022-11-14 C\u0026C server.\r\n3.22.30[.]40\r\nchitchat.ngrok[.]io\r\nwetalk.ngrok[.]io\r\nAmazon.com, Inc. 2022-01-12 Distribution websites.\r\n3.131.123[.]134 3.tcp.ngrok[.]io Amazon Technologies Inc. 2020-11-18 C\u0026C server.\r\n3.141.160[.]179 zee.xylonn[.]com Amazon.com, Inc. 
2023‑07‑29 C\u0026C server.\r\n195.133.18[.]26 letchitchat[.]info Serverion LLC 2022‑01‑27 Distribution website.\r\nMITRE ATT\u0026CK techniques\r\nThis table was built using version 14 of the MITRE ATT\u0026CK framework.\r\nTactic ID Name Description\r\nPersistence T1624.001\r\nEvent Triggered Execution:\r\nBroadcast Receivers\r\nXploitSPY registers to receive the\r\nBOOT_COMPLETED broadcast intent to activate\r\non device startup.\r\nDefense\r\nevasion\r\nT1575 Native API\r\nXploitSPY uses a native library to hide its C\u0026C\r\nservers.\r\nhttps://www.welivesecurity.com/en/eset-research/exotic-visit-campaign-tracing-footprints-virtual-invaders/\r\nPage 19 of 21\n\nTactic ID Name Description\r\nT1633.001\r\nVirtualization/Sandbox\r\nEvasion: System Checks\r\nXploitSPY can detect whether it is running in an\r\nemulator and adjust its behavior accordingly.\r\nDiscovery\r\nT1418 Software Discovery\r\nXploitSPY can obtain a list of installed\r\napplications.\r\nT1420 File and Directory Discovery\r\nXploitSPY can list files and directories on external\r\nstorage.\r\nT1426\r\nSystem Information\r\nDiscovery\r\nXploitSPY can extract information about the device\r\nincluding device model, device ID, and common\r\nsystem information.\r\nCollection\r\nT1533 Data from Local System XploitSPY can exfiltrate files from a device.\r\nT1517 Access Notifications XploitSPY can collect messages from various apps.\r\nT1429 Audio Capture XploitSPY can record audio from the microphone.\r\nT1414 Clipboard Data XploitSPY can obtain clipboard contents.\r\nT1430 Location Tracking XploitSPY tracks device location.\r\nT1636.002\r\nProtected User Data: Call\r\nLogs\r\nXploitSPY can extract call logs.\r\nT1636.003\r\nProtected User Data: Contact\r\nList\r\nXploitSPY can extract the device’s contact list.\r\nT1636.004\r\nProtected User Data: SMS\r\nMessages\r\nXploitSPY can extract SMS messages.\r\nCommand and\r\nControl\r\nT1437.001\r\nApplication Layer Protocol:\r\nWeb Protocols\r\nXploitSPY 
uses HTTPS to communicate with its\r\nC\u0026C server.\r\nhttps://www.welivesecurity.com/en/eset-research/exotic-visit-campaign-tracing-footprints-virtual-invaders/\r\nPage 20 of 21\n\nTactic ID Name Description\r\nT1509 Non-Standard Port\r\nXploitSPY communicates with its C\u0026C server\r\nusing HTTPS requests over port 21,572, 28,213, or\r\n21,656.\r\nExfiltration T1646 Exfiltration Over C2 Channel XploitSPY exfiltrates data using HTTPS.\r\nSource: https://www.welivesecurity.com/en/eset-research/exotic-visit-campaign-tracing-footprints-virtual-invaders/\r\nhttps://www.welivesecurity.com/en/eset-research/exotic-visit-campaign-tracing-footprints-virtual-invaders/\r\nPage 21 of 21",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.welivesecurity.com/en/eset-research/exotic-visit-campaign-tracing-footprints-virtual-invaders/"
	],
	"report_names": [
		"exotic-visit-campaign-tracing-footprints-virtual-invaders"
	],
	"threat_actors": [
		{
			"id": "fce5181c-7aab-400f-bd03-9db9e791da04",
			"created_at": "2022-10-25T15:50:23.759799Z",
			"updated_at": "2026-04-10T02:00:05.3002Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"Transparent Tribe",
				"COPPER FIELDSTONE",
				"APT36",
				"Mythic Leopard",
				"ProjectM"
			],
			"source_name": "MITRE:Transparent Tribe",
			"tools": [
				"DarkComet",
				"ObliqueRAT",
				"njRAT",
				"Peppy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "abb24b7b-6baa-4070-9a2b-aa59091097d1",
			"created_at": "2022-10-25T16:07:24.339942Z",
			"updated_at": "2026-04-10T02:00:04.944806Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"APT 36",
				"APT-C-56",
				"Copper Fieldstone",
				"Earth Karkaddan",
				"G0134",
				"Green Havildar",
				"Mythic Leopard",
				"Opaque Draco",
				"Operation C-Major",
				"Operation Honey Trap",
				"Operation Transparent Tribe",
				"ProjectM",
				"STEPPY-KAVACH",
				"Storm-0156",
				"TEMP.Lapis",
				"Transparent Tribe"
			],
			"source_name": "ETDA:Transparent Tribe",
			"tools": [
				"Amphibeon",
				"Android RAT",
				"Bezigate",
				"Bladabindi",
				"Bozok",
				"Bozok RAT",
				"BreachRAT",
				"Breut",
				"CapraRAT",
				"CinaRAT",
				"Crimson RAT",
				"DarkComet",
				"DarkKomet",
				"ElizaRAT",
				"FYNLOS",
				"Fynloski",
				"Jorik",
				"Krademok",
				"Limepad",
				"Luminosity RAT",
				"LuminosityLink",
				"MSIL",
				"MSIL/Crimson",
				"Mobzsar",
				"MumbaiDown",
				"Oblique RAT",
				"ObliqueRAT",
				"Peppy RAT",
				"Peppy Trojan",
				"Quasar RAT",
				"QuasarRAT",
				"SEEDOOR",
				"Scarimson",
				"SilentCMD",
				"Stealth Mango",
				"UPDATESEE",
				"USBWorm",
				"Waizsar RAT",
				"Yggdrasil",
				"beendoor",
				"klovbot",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c68fa27f-e8d9-4932-856b-467ccfe39997",
			"created_at": "2023-01-06T13:46:38.450585Z",
			"updated_at": "2026-04-10T02:00:02.980334Z",
			"deleted_at": null,
			"main_name": "Operation C-Major",
			"aliases": [
				"APT36",
				"APT 36",
				"TMP.Lapis",
				"COPPER FIELDSTONE",
				"Storm-0156",
				"Transparent Tribe",
				"ProjectM",
				"Green Havildar",
				"Earth Karkaddan",
				"C-Major",
				"Mythic Leopard"
			],
			"source_name": "MISPGALAXY:Operation C-Major",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434803,
	"ts_updated_at": 1775792210,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ec66e792edddf3f22a066d7e07d0c0aef7d52a78.pdf",
		"text": "https://archive.orkl.eu/ec66e792edddf3f22a066d7e07d0c0aef7d52a78.txt",
		"img": "https://archive.orkl.eu/ec66e792edddf3f22a066d7e07d0c0aef7d52a78.jpg"
	}
}