📃Title: VajraSpy: A Patchwork of espionage apps
📅Date: 2024-02-01
🔗References:
Description
ESET researchers have identified 12 Android espionage apps that were available on Google Play between 2021 and 2023 and are still available in the wild, but not on alternative app stores, as previously thought.
🔖Rectifyq Taxonomies:
- relevancy: 🟡 Somewhat Relevant
- category: ⚔Threat
- sub-category: campaign-analysis
- target: targeted
- MY-relevancy: somewhat-relevant
- topic: mobile-attack
- topic: geopolitical
🔖MISP Galaxies:
- producer="ESET"
- target-information="Pakistan"
- target-information="Malaysia"
- target-information="India"
- threat-actor="QUILTED-TIGER"
- malpedia="VajraSpy"
- mitre-attack-pattern=['T1398', 'T1417', 'T1418', 'T1420', 'T1422', 'T1426', 'T1429', 'T1430', 'T1437', 'T1481', 'T1512', 'T1517', 'T1533', 'T1553', 'T1566', 'T1082', 'T1636.002', 'T1636.003', 'T1641', 'T1646', 'T1417.001', 'T1481.003', 'T1636.004', 'T1437.001']
MISP event uuid: 7b7d8d69-d72f-4a5d-afd9-03ddc2ec3843
Indicators of Compromise (IoCs)
Full IOCs available in Rectifyq’s MISP