{
	"id": "88b624c9-c269-4c31-a0e3-372d0f90b4d0",
	"created_at": "2026-04-06T00:22:21.024741Z",
	"updated_at": "2026-04-10T03:20:04.12431Z",
	"deleted_at": null,
	"sha1_hash": "f6cb4897eef16dddda00f0d0c190f678bf192d7c",
	"title": "Medusa Reborn: A New Compact Variant Discovered",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3131073,
	"plain_text": "Medusa Reborn: A New Compact Variant Discovered\r\nBy Simone Mattia, Federico Valentini\r\nArchived: 2026-04-02 10:53:24 UTC\r\nKey Points\r\nIn May 2024, the Cleafy Threat Intelligence team tracked new fraud campaigns involving the Medusa\r\n(TangleBot) banking trojan, which had been under the radar for almost a year.\r\nMedusa is a sophisticated malware family with RAT capabilities discovered in 2020. Its features include a\r\nkeylogger, screen controls, and the ability to read/write SMS. Those capabilities enable Threat Actors\r\n(TAs) to perform one of the riskiest fraud scenarios: On-Device Fraud (ODF).\r\nOver the last few months, it has been possible to identify some discrepancies between new Medusa samples\r\nand the previously known ones, including a lightweight permission set and new features, such as the\r\nability to display a full-screen overlay and remotely uninstall applications.\r\nWe identified five different botnets operated by several affiliates that show distinct characteristics\r\nregarding geographical targeting and the decoys used. The results confirm previously known country targets,\r\nsuch as Turkey and Spain, but also new ones, such as France and Italy.\r\nWe observed an apparent shift in the distribution strategy among the detected campaigns. TAs have started\r\nexperimenting with “droppers” to distribute malware via fake update procedures.\r\nIntroduction\r\nIn late May 2024, Cleafy's Threat Intelligence team observed a surge in installations of a previously unknown app\r\ncalled \"4K Sports\", whose characteristics didn't perfectly align with known malware families.\r\nInitial investigations suggested a possible connection between the behaviour of the \"4K Sports\" app and the\r\nMedusa family. However, a more in-depth analysis revealed discrepancies between the app and previously\r\ndocumented variants. 
These differences highlighted an evolution in the Medusa malware, with significant changes\r\nin its command structure and overall capabilities.\r\nFigure 1 - Sports 4K Activities (Cleafy telemetries)\r\nAnalysing the evolution of Medusa samples over the past few months, it is clear that TAs aim to enhance the\r\nefficiency of the available features while simultaneously strengthening the botnet by refactoring the permissions\r\nhttps://www.cleafy.com/cleafy-labs/medusa-reborn-a-new-compact-variant-discovered\r\nPage 1 of 17\n\nrequired during the installation phase. Because of the MaaS (Malware-as-a-Service) model carried out by Medusa,\r\nthis phase of \"optimisation\" could be influenced by various factors. The entry of new affiliates has likely driven\r\ndevelopers to create less detectable variants, potentially to test their reliability in previously unexplored\r\ngeographical regions.\r\nIn this article, we will uncover the details of our findings and understand the full scope of Medusa's evolution, the\r\nlatest detected variant, and their implications.\r\nHistorical Overview\r\nFirst identified in 2020, the Turkish-linked Medusa banking Trojan has grown on the world stage to become a\r\nsignificant threat. Initially targeting Turkish financial institutions, Medusa's scope expanded rapidly by 2022,\r\nlaunching major campaigns in North America and Europe.\r\nThis RAT (Remote Access Trojan) grants TAs complete control of compromised devices by exploiting VNC for\r\nreal-time screen sharing and accessibility services for interaction. These capabilities provide TAs the ability to\r\nperform On-Device Fraud (ODF). 
ODF is one of the most dangerous types of banking fraud since wire transfers\r\nare initiated from the victim’s device and can be adapted for manual or automatic approaches, such as Account\r\nTakeover (ATO) or Automatic Transfer System (ATS).\r\nFigure 2 - VNC Service Routine\r\nBy exploiting accessibility services, Medusa extends its functionality beyond simple remote control. This allows\r\nthe Trojan to automate several features commonly associated with modern banking Trojans, including continuous\r\nKey-Logging and Dynamic Overlay Attacks.\r\nThe following Figure represents a high-level overview of the network communications between an infected device\r\n(bot) and the assigned C2 infrastructure, taking the Key-Logging feature as an example:\r\nFigure 3 - Key-logging in Action\r\nThe malware coordinates its functionalities through a secure WebSocket connection to the TA's infrastructure.\r\nThe C2 server URL is dynamically fetched from public social media profiles like Telegram, Twitter, and ICQ for\r\nenhanced obfuscation. This dynamic retrieval allows attackers to update the C2 server without modifying the\r\nmalware, increasing its resilience against takedown attempts. 
Additionally, the malware employs backup channels\r\non these social media platforms for further redundancy.\r\nFigure 4 - C2 extracted from Social Media profiles (e.g., Telegram)\r\nRecent Campaigns\r\nSince July 2023, Medusa campaigns have been reborn with a new variant, changing TTPs and country targets.\r\nThe following table represents all the high-level TTPs retrieved from recent analysis:\r\nFirst Evidence: July 2023\r\nState: Active (June 2024)\r\nAffected Entities: Data not available\r\nTarget OSs: Android Devices\r\nTarget Countries: CA, ES, FR, IT, UK, US, TK\r\nInfection Chain: Social Engineering (smishing) and Dropper -\u003e Side-loading\r\nFraud Scenario: On-Device Fraud (ODF)\r\nPreferred Cash-Out: Data not available\r\nAmount handled (per transfer): Data not available\r\nFigure 5 - Most used icons/names in recent Medusa campaigns\r\nA characteristic of Medusa's campaigns has always been a high degree of adaptability: the malware's backend\r\ninfrastructure is designed to support multiple botnets simultaneously, each differentiated by specific tags and\r\noperational goals.\r\nThis was confirmed in recent campaigns: Cleafy's investigations revealed five different active botnets, differing\r\nin the types of decoys used, distribution strategy, and geographical targets. 
In-depth analyses made it possible to\r\nobtain the identifiers of the botnets used by the affiliates, the countries targeted, and the decoys most frequently\r\nused in the campaigns:\r\nFigure 6 - Characteristics of the five botnets\r\nAnalysis revealed two distinct Medusa botnet clusters, each with different operational characteristics:\r\nCluster 1 (AFETZEDE, ANAKONDA, PEMBE, TONY): these botnets primarily targeted users in\r\nTurkey, with some campaigns extending to Canada and the United States. They follow Medusa's traditional\r\nmodus operandi, relying on methods like phishing campaigns to spread the malware. Interestingly, these\r\nvariants often shared decoys, C2 servers, and campaign names, suggesting a potential connection to the\r\nsame TAs.\r\nCluster 2 (UNKN): this botnet marks a shift in Medusa’s operational strategy. It mainly targets European\r\nusers, with specific campaigns focusing on Italy and France. Unlike traditional variants, some instances of\r\nthe innovative cluster were installed via droppers downloaded from untrusted sources. This suggests the\r\nTAs behind this botnet are experimenting with novel distribution methods beyond traditional phishing\r\ntactics.\r\nRefer to the appendix for detailed information on botnet names, associated campaigns, dates, and decoy names.\r\nOne of the most intriguing aspects of these new campaigns is the strategic use of samples that employ a\r\nlightweight permission set, requesting only what is essential for the malware's core operations. Cleafy's investigations\r\ntracked the evolution of the permissions used over time for the most active botnets. 
As depicted in Figure 7, a\r\ndownward trend in the number of requested permissions was observed in all cases, especially in the botnets belonging to Cluster 1.\r\nFigure 7 - Evolution of permissions over time\r\nFrom a Threat Intelligence and malware analysis perspective, examining the refactoring of permissions at the\r\nManifest level is crucial. This analysis can reveal significant insights into the TTPs employed by TAs. By\r\nreducing the number of permissions, the malware becomes less conspicuous during initial analysis,\r\npotentially bypassing automated security checks and manual inspections. This stealthier approach can\r\nsignificantly lower detection rates, allowing the malware to persist undetected for extended periods.\r\nThis refactoring of permissions indicates that TAs continuously evolve their methodologies to stay ahead of\r\ndetection technologies. By understanding these changes, security researchers and practitioners can better\r\nanticipate future threats and develop more effective countermeasures.\r\nIn-depth analyses of the early Medusa campaigns indicated the presence of valuable permissions to perform\r\ncomplementary malware functionality, such as:\r\nCamera and Microphone\r\nGPS Location\r\nPhone Call\r\nRead and Send SMS\r\nRead Contacts\r\nRead Phone State\r\nWrite Settings\r\nInstead, summarising all recent campaigns, we noticed that only permissions related to the malware's core\r\nfunctionality were requested. The minimum set of permissions is:\r\nAccessibility Services\r\nBroadcast SMS\r\nInternet\r\nForeground Service\r\nQuery and Delete Packages\r\nThe following Figure depicts a side-by-side comparison of the Android manifest files from early and recent\r\nMedusa campaigns. 
On the left, the manifest from an early Medusa campaign illustrates the extensive set of\r\npermissions requested. On the right, the manifest from a more recent Medusa campaign shows a streamlined\r\npermissions set.\r\nFigure 8 - Comparison of permissions required in early and recent campaigns\r\nCapability Evolution\r\nCleafy's analysis revealed a significant change in the set of commands available in this new Medusa variant.\r\nAlthough the exact number of commands may vary, our investigation identified that 17 commands in the previous\r\nvariant have been removed. This strategic reduction aligns with the earlier observed trend of minimising\r\npermissions in the manifest file, a move aimed at decreasing detectability and enhancing the overall stealth and\r\nreliability of the malware.\r\nWhile many commands were removed, this new variant also introduces five new commands, showcasing an\r\nevolution in its capabilities:\r\nCommand | Description\r\ndestroyo | Uninstall Specific Application\r\npermdrawover | Request Drawing Over Permission\r\nsetoverlay | Set Black Screen Overlay\r\ntake_scr | Take Screenshot\r\nupdate_sec | Update User Secret\r\nThe removal of certain functionalities, alongside the introduction of these new commands, reflects a deliberate\r\neffort by the TAs to streamline Medusa's operations. By focusing on essential and more impactful features, they\r\ncan ensure the malware remains effective while evading detection. This approach mirrors the earlier strategy of\r\nreducing the number of permissions requested during installation, further solidifying the botnet's robustness and\r\nadaptability.\r\nIn particular, commands like “setoverlay” emphasise controlling the victim's device screen, facilitating more\r\nsophisticated phishing and social engineering attacks. 
This command allows the malware to display a black\r\nscreen overlay on the victim's device. While the exact purpose remains under investigation, this functionality\r\npresents a potential threat: by obscuring the underlying screen content, the attacker can use this overlay to mask\r\nother malicious activities.\r\nFigure 9 - Command “setoverlay” in action\r\nInterestingly, all the original functionalities have remained implemented even in campaigns without associated\r\npermissions. For example, commands such as “sendsms” or “getcontacts” are present in all samples (also in the\r\nrecent ones), but their execution is blocked by Android in the case of missing permissions.\r\nFigure 10 - Get Contacts Blocked\r\nThe following table shows the differences between the command sets of the previous version (Medusa V2) and the new\r\nversion (Medusa V3).\r\nCommands present in both Medusa V2 and Medusa V3:\r\nactinj, actvnc, allsms, bloapp, call, copyclip, deactinj, destroy, fillfocus, getcontacts, ghost, ini, instapps,\r\nkeylog, lockscr, log, mutesound, permbat, permperm, permwrite, reg, remjob, remprot, runapp, sendsms, setbright,\r\nsinglelock, trasms, unbloapp, updateinfo\r\nCommands present in Medusa V2 only (removed in V3, 17 in total):\r\nactallinj, actpro, blocall, blonot, blosms, displaypro, endcall, forcedisplaypro, hb, permadmin, permnotify,\r\npermvnc, sendpresms, showalert, shownot, tranot, traussd\r\nCommands present in Medusa V3 only (new, 5 in total):\r\ndestroyo, permdrawover, setoverlay, take_scr, update_sec\r\nConclusion\r\nIn conclusion, the latest Medusa variant demonstrates a strategic shift towards a lightweight approach. 
Minimising\r\nthe required permissions helps the malware evade detection and appear more benign, enhancing its ability to operate undetected for\r\nextended periods. Geographically, the malware is expanding into new regions, such as Italy and France, indicating\r\na deliberate effort to diversify its victim pool and broaden its attack surface.\r\nThe recent adoption of droppers as a distribution method signals a significant evolution in Medusa's threat\r\ncapabilities. While we have yet to observe these droppers on the Google Play Store, this does not preclude the\r\npossibility of future deployments via this channel. This distribution strategy, shared among other banking malware\r\nfamilies like TeaBot and SharkBot, leverages the inherent trust associated with official app stores, resulting in\r\nbroader distribution and higher infection rates.\r\nThe combination of reduced permissions, geographical diversification, and sophisticated distribution methods\r\nunderscores Medusa's evolving nature. As the TAs refine their tactics, cyber-security experts and anti-fraud\r\nanalysts must stay vigilant and adapt their defences to counter these emerging threats. 
The detailed findings\r\npresented in this article offer valuable insights into Medusa's current state, providing a foundation for continued\r\nmonitoring and analysis.\r\nAppendix 1: Active campaigns\r\nBotnet | Campaign | C2 URL | First Seen | App Name\r\nPEMBE | Guncelke | a2a2a2a[.]life | 2023-07-05 | Aidat İadesi\r\nPEMBE | SONVERS | a2a2a2a[.]life | 2023-07-31 | Youtube Premium\r\nPEMBE | reklam | a2a2a2a[.]life | 2023-08-08 | Cimer Aidat İadesi\r\nPEMBE | reklam2 | a2a2a2a[.]life | 2023-08-15 | İnat TV PRO Video Oynatici\r\nPEMBE | AvastV1 | a2a2a2a[.]life | 2023-09-25 | Avast Premium\r\nPEMBE | 17 Agustos reklami | a2a2a2a[.]life | 2023-10-24 | İnat TV Video Oynatici\r\nPEMBE | reklam 3 | a2a2a2a[.]life | 2023-10-24 | İnat TV PRO\r\nPEMBE | propeller android | pemmbebebebebebe[.]info | 2024-03-20 | Android 14 Guncellemesi\r\nPEMBE | Mart19 | pemmbebebebebebe[.]info | 2024-03-20 | lnat Tv Video Oynatici\r\nUNKN | PUROFR1 | a4a4a4a[.]life | 2023-07-22 | Purolator\r\nUNKN | TestTag | a4a4a4a[.]life | 2023-07-22 | Purolator\r\nUNKN | PURO1 | a4a4a4a[.]life | 2023-07-22 | Purolator\r\nUNKN | FR-PURO | a4a4a4a[.]life | 2023-07-22 | Purolator\r\nUNKN | FFPR | unkunknunkkkkk[.]info | 2023-11-22 | Purolator\r\nUNKN | 99-CHR | unkunknunkkkkk[.]info | 2024-01-25 | Actualizacion de Chrome\r\nUNKN | Lin-CHR | unkunknunkkkkk[.]info | 2024-02-01 | Chrome\r\nUNKN | FFPR | cincincintopcin[.]info | 2024-03-05 | Purolator\r\nUNKN | IT | cincincintopcin[.]info | 2024-05-31 | 4K Sports\r\nAFETZEDE | ALEX-2 | pembe1303sock[.]top | 2024-03-14 | İnat TV PRO\r\nANAKONDA | drop1 | tony1303sock[.]top | 2024-03-15 | lnat Tv Video Oynaticisi\r\nANAKONDA | inat1 | tony1303sock[.]top | 2024-03-19 | lnat Tv Video Oynaticisi\r\nANAKONDA | 22mart | tony1303sock[.]top | 2024-03-23 | lnat Tv Video Oynaticisi\r\nTONY | Chrome | tony1303sock[.]top | 2024-03-23 | Chrome Güncelleme\r\nTONY | Chrome | baahhhs21[.]info | 2024-05-03 | Chrome Güncelleme\r\nAppendix 2: Indicator of Compromise (IoC)\r\nMedusa Variant\r\nC2 URL | App 
Name | MD5\r\ncincincintopcin[.]info | 4K Sport | b9ee66c96b110622f4608581e77b0e4d\r\ncincincintopcin[.]info | 5G | 7031c88ea3a306c4e4d786d3b0625a20\r\ncincincintopcin[.]info | Purolator | 432cd820424c1a9ae0abac63a4f130c7\r\ncincincintopcin[.]info | Purolator | ae53e2d732523c460d31e2805989e480\r\ncincincintopcin[.]info | Purolator | c6153acefb8d3724f7defc177cff9ca9\r\ncincincintopcin[.]info | Purolator | db097d837681d059a63725bc4ad93515\r\ntonymayisayininfilancagunu[.]info | lnat Tv Video Oynaticisi | 1db5ce9cbb3932ce2e11e5b3cd900ee2\r\ntonymayisayininfilancagunu[.]info | lnat Tv Video Oynaticisi | 811bcc33027f3784d800e75dea81f277\r\ntonyttnnntnn1704[.]top | lnat Tv Video Oynaticisi | 97abc0aa3819e161ca1f7f3e78025e15\r\ntonyttnnntnn1704[.]top | lnat Tv Video Oynaticisi | 8468c1cda925021ed911fd9c17915eec\r\na6a6a6a6a6a6a6[.]info | - | -\r\npembe1303sock[.]top | Chrome | fb3d3bdc13f445df3f4dd55f547aa92a\r\npembe1303sock[.]top | Chrome | b6bbf8ed1cf8ec67b25bbcf26de483b4\r\npembe1303sock[.]top | Chrome | 1ed0d97491afd5c2d27f74f18e254cc3\r\npembe1303sock[.]top | İnat TV PRO | 469dfea6446a8bb5fada116bd28483d7\r\npembemayisayininfilancazamani[.]info | - | -\r\npemmbebebebebebe[.]info | Chrome | 62faff68d6e3957973e91810a0abf166\r\npemmbebebebebebe[.]info | Android 14 Guncellemesi | e501752247d32e908e4db70f457ced42\r\npemmbebebebebebe[.]info | lnat Tv Video Oynatici | bbecdd2513981eb9573b163151747e3b\r\npemmbebebebebebe[.]info | lnat Tv Video Oynatici | 08344a2575efed552f2688b371ebac67\r\nbaahhhs21[.]info | Chrome Güncelleme | 185f8c23fd680cae560aad220e137886\r\nbimtambir[.]top | - | -\r\ntony1303sock[.]top | Chrome Güncelleme | 3b7df8e68eca9a4bcc559d79a2c5a4c7\r\ntony1303sock[.]top | Chrome Güncelleme | 6b05a1e9faf5b77bad1826bacf322b24\r\ntony1303sock[.]top | lnat Tv Video Oynaticisi | 4c12987ac5d56a35258b3b7cdc87f038\r\ntony1303sock[.]top | lnat Tv Video Oynaticisi | 3fbe1323bdef176a6011a534e15a80f0\r\ntony1303sock[.]top | lnat Tv Video Oynaticisi | 0e7c37e28871f439539b3d87242def55\r\ntony1303sock[.]top | lnat Tv Video Oynaticisi | 646077aaf1ced1b32ae6519beced080f\r\ntony1303sock[.]top | lnat Tv Video Oynaticisi | 8d232fd0bfc9e1e4e77b8d719f24b48f\r\ntony1303sock[.]top | lnat Tv Video Oynaticisi | d98386401edf18ddbf45a40febf80c40\r\ntopisbim[.]top | - | -\r\ntonyyyyyyyyyy[.]info | - | -\r\nunkunknunkkkkk[.]info | Chrome | 
5a807cb36fdb3eaa50004351cb83a348\r\nunkunknunkkkkk[.]info | Purolator | 3ccb77a10497a32efcaa42ac646ca6cf\r\nunkunknunkkkkk[.]info | Purolator | da92fc812b84137cef1571fb6c0285f0\r\nunkunknunkkkkk[.]info | Purolator | 2fb098a1868c7162aff9aa84fcc45071\r\nunkunknunkkkkk[.]info | Purolator | ac7741bca86793d28659b358f734a65e\r\nunkunknunkkkkk[.]info | Purolator | e8ab402124e19af08d5ddc924d463991\r\nunkunknunkkkkk[.]info | Purolator | e65f01591ae40802748b09f9964bc61e\r\nunkunknunkkkkk[.]info | Google Chrome | 8a4928ac9089adc4a153741d2f1c784a\r\nunkunknunkkkkk[.]info | 5G | cffad0170fc13756cab142d3989c26a9\r\nunkunknunkkkkk[.]info | Actualizacion de Chrome | 29dd2f61f1d402ab46d963ed25c591d5\r\nunkunknunkkkkk[.]info | Actualizacion de Chrome | a6157e3e5e1aef93ae71b3cff3ec9d80\r\na2a2a2a[.]life | İnat TV Video Oynatici | 2ecce74a26fe3f76252d0fc29cdc3ed3\r\na2a2a2a[.]life | İnat TV Video Oynatici | b9f3782c3d6034cdd12b6854e49b5fcf\r\na2a2a2a[.]life | İnat TV Video Oynatici | 2a94a9157e7cb3259531cfb1bf9f1f83\r\na2a2a2a[.]life | İnat TV Video Oynatici | 25139a3dde2d6b9ded29de97452a8774\r\na2a2a2a[.]life | İnat TV Video Oynatici | 9437ea7aa931bfed9e6cdd76fe27d811\r\na2a2a2a[.]life | İnat TV PRO | b2ae7eb30163c8b004dc354ebb973e49\r\na2a2a2a[.]life | İnat TV PRO Video Oynatici | df29a4a16af5da6e24aa3361b204a664\r\na2a2a2a[.]life | İnat TV PRO Video Oynatici | 5d3958940abab05acee4b9dbab6bc4c3\r\na2a2a2a[.]life | Dilan Polat Resimleri | 0f83a144483ba17f4e3154d717361381\r\na2a2a2a[.]life | Cimer Aidat İadesi | 59735a4123c664f1795fb7154c95af67\r\na2a2a2a[.]life | Cimer Aidat İadesi | 920bdb47c0c060ecc5a06461c9715e26\r\na2a2a2a[.]life | Avast Premium | 3dac7bb95b01676d24cb194c3c47029f\r\na2a2a2a[.]life | Youtube Premium | d8e8eb2714c91b9968ffd409f771e7e1\r\na2a2a2a[.]life | Aidat İadesi | 53970ff7dd8edaec7fc0cdd030c0b038\r\na2a2a2a[.]life | Aidat İadesi | e69248a7308436d8c6dde803c22821cb\r\na4a4a4a[.]life | Purolator | cb1280f6e63e4908d52b5bee6f65ec63\r\na4a4a4a[.]life | Purolator | a5aeb6ccc48fea88cf6c6bcc69940f8a\r\na4a4a4a[.]life | Purolator | bd7b9dd5ca8c414ff2c4744df41e7031\r\na4a4a4a[.]life | Purolator | 9ceef4129ea27388018c0d1bb8554bcc\r\na4a4a4a[.]life | Purolator | 3e0ee083fa9fce493383d75db1c69eee\r\na4a4a4a[.]life | Purolator | 776b5b3c18a10b7e04f238478408f057\r\na4a4a4a[.]life | Purolator | 4bace6e0b61f5169bb0ca7f48c38aea2\r\na4a4a4a[.]life | Purolator | c9f30775469ef4ba09b1c09fdb13fd2d\r\na4a4a4a[.]life | Purolator | 2580f696f903b11f4ca06754fa82b5a7\r\na4a4a4a[.]life | Purolator | dbf7b5f6faeacbed7adb0880d50380b4\r\na4a4a4a[.]life | Purolator | f7deb4066b016df32e8cd47b7ad44225\r\na4a4a4a[.]life | Purolator | 02c7e63ffa0c5488dd080b64bc297852\r\nAppendix 3: Social media profile\r\nSocial URL | Target Apps\r\nicq[.]im/AoLH58pXY8ejJTQiWg8 | Inat TV, Avast\r\nicq[.]im/AoLH58xYS0_leBOpXFI | 4K Sports, Purolator, Chrome\r\nicq[.]im/AoLH5bRXfAE6eCtbw1I | Inat TV\r\nt[.]me/anbsh26 | Inat 
TV\r\nt[.]me/anbshaa | Inat TV\r\nt[.]me/anbshbb | Inat TV\r\nt[.]me/bntona123 | Chrome\r\nt[.]me/kalnbsb | Chrome\r\nt[.]me/pempeppepepep | Inat TV, Avast\r\nt[.]me/unk22k2k2k2 | 4K Sports, Purolator, Chrome\r\nt[.]me/unkppapeppappe | 4K Sports, Purolator, Chrome\r\nt[.]me/utabsg23 | Chrome\r\nt[.]me/xpembeppep2p2 | Inat TV, Avast\r\nt[.]me/zedezededeed | Inat TV\r\ntwitter[.]com/doplghas | Inat TV\r\nAppendix 4: Dropper\r\nPackage Name | Target App\r\nappcodetest.stufioa.sporrrtv | 4K Sports\r\nbvxba.poiuytt.nbbvcf | 4K Sports\r\ncvxb.dhshuw.xnxbxvvxvxvxvxvxhzhs | 4K Sports\r\nhxbx.cisisis.sjsusus | 4K Sports\r\ngetm.psks.sjshxh | 4K Sports\r\ngsgs.pwow.mpow | 4K Sports\r\nsportvv.iptvon.tvlock | 4K Sports\r\nvczbz.sksjs.fieoe | 4K Sports\r\nvontoner.pontoner.montoner | 4K Sports\r\nvxnxn.oeiue.dhow | 4K Sports\r\nSource: https://www.cleafy.com/cleafy-labs/medusa-reborn-a-new-compact-variant-discovered",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.cleafy.com/cleafy-labs/medusa-reborn-a-new-compact-variant-discovered"
	],
	"report_names": [
		"medusa-reborn-a-new-compact-variant-discovered"
	],
	"threat_actors": [],
	"ts_created_at": 1775434941,
	"ts_updated_at": 1775791204,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f6cb4897eef16dddda00f0d0c190f678bf192d7c.pdf",
		"text": "https://archive.orkl.eu/f6cb4897eef16dddda00f0d0c190f678bf192d7c.txt",
		"img": "https://archive.orkl.eu/f6cb4897eef16dddda00f0d0c190f678bf192d7c.jpg"
	}
}