{
	"id": "f1308429-d0ab-4339-b603-1bd90d1205dc",
	"created_at": "2026-04-06T00:12:52.393198Z",
	"updated_at": "2026-04-10T03:34:16.43513Z",
	"deleted_at": null,
	"sha1_hash": "ffd3f5128d64fb0e2484b75b822ac0897ef9d363",
	"title": "Hacking group updates Furball Android spyware to evade detection",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1738583,
	"plain_text": "Hacking group updates Furball Android spyware to evade detection\r\nBy Bill Toulas\r\nPublished: 2022-10-20 · Archived: 2026-04-05 23:47:44 UTC\r\nA new version of the 'FurBall' Android spyware has been found targeting Iranian citizens in mobile surveillance campaigns conducted by the Domestic Kitten hacking group, also known as APT-C-50.\r\nThe spyware is deployed in a mass-surveillance operation that has been underway since at least 2016. In addition, multiple cybersecurity firms have reported on Domestic Kitten, which they believe is an Iranian state-sponsored hacking group.\r\nThe newest FurBall malware version was sampled and analyzed by ESET researchers, who report it has many similarities with earlier versions, but now comes with obfuscation and C2 updates.\r\nhttps://www.bleepingcomputer.com/news/security/hacking-group-updates-furball-android-spyware-to-evade-detection/\r\nPage 1 of 5\r\nAlso, this discovery confirms that 'Domestic Kitten' is still ongoing in its sixth year, which further backs the hypothesis that the operators are tied to the Iranian regime, enjoying immunity from law enforcement.\r\nNew FurBall details\r\nThe new version of FurBall is distributed via fake websites that are visual clones of real ones, where victims end up after direct messages, social media posts, emails, SMS, black SEO, and SEO poisoning.\r\nIn one case spotted by ESET, the malware is hosted on a fake website mimicking an English-to-Persian translation service popular in the country.\r\nFake site on the left, real site on the right (ESET)\r\nIn the fake version, there’s a Google Play button that supposedly lets users download an Android version of the translator, but instead of landing on the app store, they are sent an APK file named ‘sarayemaghale.apk’.\r\nDepending on what permissions are defined in the Android app's AndroidManifest.xml file, the spyware is capable of stealing the following information:\r\nClipboard contents\r\nDevice location\r\nSMS messages\r\nContact list\r\nCall logs\r\nRecord calls\r\nContent of notifications\r\nInstalled and running apps\r\nDevice info\r\nHowever, ESET says that the sample it analyzed has limited functionality, only requesting access to contacts and storage media.\r\nPermissions requested upon installation (ESET)\r\nThese permissions are still powerful if abused, and at the same time won't raise the targets' suspicions, which is likely why the hacking group restricted FurBall's potential.\r\nIf needed, the malware can receive commands to execute directly from its command and control (C2) server, which is contacted via an HTTP request every 10 seconds.\r\nC2 response returning no command for execution (ESET)\r\nIn terms of the new obfuscation layer, ESET says it covers class names, strings, logs, and server URI paths, in an attempt to evade detection by anti-virus tools.\r\nPrevious versions of FurBall didn’t feature any obfuscation at all. As a result, VirusTotal now detects the malware on only four AV engines, whereas previously it was flagged by 28 products.\r\nSource: https://www.bleepingcomputer.com/news/security/hacking-group-updates-furball-android-spyware-to-evade-detection/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/hacking-group-updates-furball-android-spyware-to-evade-detection/"
	],
	"report_names": [
		"hacking-group-updates-furball-android-spyware-to-evade-detection"
	],
	"threat_actors": [
		{
			"id": "44d5df14-6a25-41d6-a54c-7c7ebac358cf",
			"created_at": "2023-01-06T13:46:38.817312Z",
			"updated_at": "2026-04-10T02:00:03.111227Z",
			"deleted_at": null,
			"main_name": "Domestic Kitten",
			"aliases": [
				"Bouncing Golf",
				"APT-C-50"
			],
			"source_name": "MISPGALAXY:Domestic Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "30f6ddb3-f5aa-4b78-a1a5-e37c42b2c560",
			"created_at": "2022-10-25T16:07:23.544297Z",
			"updated_at": "2026-04-10T02:00:04.64999Z",
			"deleted_at": null,
			"main_name": "Domestic Kitten",
			"aliases": [
				"APT-C-50",
				"Bouncing Golf",
				"G0097"
			],
			"source_name": "ETDA:Domestic Kitten",
			"tools": [
				"FurBall",
				"GolfSpy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434372,
	"ts_updated_at": 1775792056,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ffd3f5128d64fb0e2484b75b822ac0897ef9d363.pdf",
		"text": "https://archive.orkl.eu/ffd3f5128d64fb0e2484b75b822ac0897ef9d363.txt",
		"img": "https://archive.orkl.eu/ffd3f5128d64fb0e2484b75b822ac0897ef9d363.jpg"
	}
}