A sophisticated South Asian Advanced Persistent Threat (APT) group has been conducting an extensive espionage campaign targeting military personnel and defense organizations across Sri Lanka, Bangladesh, Pakistan, and Turkey.
The threat actors have deployed a multi-stage attack framework combining targeted phishing operations with novel Android malware to compromise the mobile devices of military-adjacent individuals.
The campaign demonstrates a high level of operational security and technical sophistication, utilizing legitimate cloud services and modified open-source tools to evade detection.
The attack chain begins with highly targeted phishing emails containing malicious PDF attachments disguised as official military documents.
One notable sample, titled “Coordination of the Chief of Army Staff’s Visit to China.pdf” (MD5: cf9914eca9f8ae90ddd54875506459d6), exemplifies the group’s social engineering tactics.
Links embedded in these documents lead victims to credential-harvesting pages hosted on attacker-controlled sites on Netlify's free *.netlify.app hosting, including mail-mod-gov-bd-account-conf-files.netlify.app and coordination-cas-visit.netlify.app, which closely mimic legitimate government and military email portals.
StrikeReady analysts identified the threat actor’s infrastructure through pivoting on shared code elements and domain registration patterns.
The researchers discovered a network of over 50 malicious domains spoofing various South Asian military and government organizations, including the Bangladesh Air Force, the Directorate General of Defence Purchase (DGDP), and Turkish defense contractors such as Roketsan and Aselsan.
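The two Netlify hostnames quoted above share a pattern that is easy to hunt for: a real hierarchy such as mail.mod.gov.bd gets flattened into hyphens inside one label, padded with portal words like account and conf, and parked on free static hosting. The scorer below is an added example written for this article, not StrikeReady's tooling; the keyword weights, the free-hosting suffix list and every sample hostname other than the two quoted in the article are assumptions chosen for illustration.

```python
"""Score hostnames for the government/military lookalike traits seen in this campaign.

Added example, not StrikeReady's tooling. The keyword weights, the free-hosting
suffix list and the sample hostnames other than the two quoted in the article
are assumptions chosen for illustration.
"""
import re

# Tokens that imitate official mail or document portals (assumed weights).
SPOOF_TOKENS = {
    "gov": 3, "mil": 3, "mod": 2, "army": 2, "airforce": 2, "navy": 2,
    "dgdp": 3, "roketsan": 3, "aselsan": 3, "cas": 1,
    "mail": 1, "webmail": 2, "owa": 2, "account": 1, "conf": 1, "login": 1,
}
# Country codes only count when they sit next to a spoof token (assumed list).
CC_TOKENS = {"bd", "pk", "lk", "tr"}
# Free static hosting where a page can be stood up without registering a domain.
FREE_HOSTS = (".netlify.app", ".pages.dev", ".web.app", ".github.io")


def tokenize(host: str) -> list:
    """'mail-mod-gov-bd.netlify.app' -> ['mail', 'mod', 'gov', 'bd', 'netlify', 'app']."""
    return [t for t in re.split(r"[.\-]", host.lower()) if t]


def score_domain(host: str):
    """Return (score, reasons); a higher score means more lookalike traits."""
    tokens = tokenize(host)
    score, reasons = 0, []
    for tok in tokens:
        if tok in SPOOF_TOKENS:
            score += SPOOF_TOKENS[tok]
            reasons.append(f"spoof-token:{tok}")
    if score and any(t in CC_TOKENS for t in tokens):
        score += 1
        reasons.append("country-code-next-to-spoof-token")
    # Real hierarchies use dots (mail.mod.gov.bd); a lookalike on someone else's
    # zone has to flatten them into hyphens inside a single label.
    if score and host.split(".")[0].count("-") >= 2:
        score += 2
        reasons.append("hyphen-flattened-hierarchy")
    if host.lower().endswith(FREE_HOSTS):
        score += 2
        reasons.append("free-static-hosting")
    return score, reasons


def hunt(hosts, threshold: int = 4) -> dict:
    """Return {host: reasons} for every host scoring at or above the threshold."""
    flagged = {}
    for host in hosts:
        score, reasons = score_domain(host)
        if score >= threshold:
            flagged[host] = reasons
    return flagged


# Constructed candidate list: the two hosts from the article plus benign noise.
CANDIDATES = [
    "mail-mod-gov-bd-account-conf-files.netlify.app",
    "coordination-cas-visit.netlify.app",
    "mail.google.com",
    "my-portfolio-site.netlify.app",
]

if __name__ == "__main__":
    for host, why in hunt(CANDIDATES).items():
        print(host, why)
```

A keyword scorer will also light up the targeted organizations' own hostnames (anything under aselsan's or roketsan's real zones carries the brand token), so in practice the hunt is run with an allowlist of known registrable domains and the hyphen and free-hosting reasons are weighted above the brand tokens.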
The group’s most concerning capability involves the deployment of modified Android Remote Access Trojans (RATs) based on the open-source Rafel RAT framework.
The malware, distributed through APK files such as Love_Chat.apk (MD5: 9a7510e780ef40d63ca5ab826b1e9dab), masquerades as legitimate chat applications while establishing persistent backdoor access to compromised devices.
Analysis of the decompiled application reveals extensive data exfiltration capabilities, with the malware programmed to upload various document types to command-and-control servers.
Android RAT Infrastructure
The Android component represents a significant evolution in the group’s capabilities, demonstrating sophisticated mobile malware development skills.
The threat actors modified the original Rafel RAT source code, removing attribution credits and implementing custom command-and-control communications through domains like quickhelpsolve.com and kutcat-rat.com.
The app asks for device-admin enrollment (ADD_DEVICE_ADMIN) and all-files access (MANAGE_APP_ALL_FILES_ACCESS_PERMISSION), both granted through system settings screens rather than the ordinary runtime permission dialog, alongside the READ_EXTERNAL_STORAGE and READ_CONTACTS permissions; device-admin status in particular lets the app block uninstallation until the user deactivates it, and together these grant comprehensive access to the device.
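A quick static triage of a decoded manifest catches this combination before anyone runs the APK. The script below is an added example, not the researchers' tooling: it expects AndroidManifest.xml as apktool decodes it (plain XML), and the watchlist is an assumption seeded from the permissions named above plus the device-admin receiver declaration that the admin-enrollment prompt requires. The sample manifest and its package name are constructed for illustration.

```python
"""Triage a decoded AndroidManifest.xml for RAT-style capabilities.

Added example, not the researchers' tooling. Expects the manifest as decoded
by apktool (plain XML). The watchlist is an assumption seeded from the
permissions named in the article; the sample manifest is constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = f"{{{ANDROID_NS}}}name"
A_PERM = f"{{{ANDROID_NS}}}permission"

# Permissions that together indicate spying rather than chatting (assumed watchlist).
WATCHLIST = {
    "android.permission.READ_CONTACTS": "contact harvesting",
    "android.permission.READ_SMS": "SMS theft",
    "android.permission.RECEIVE_SMS": "SMS interception",
    "android.permission.READ_EXTERNAL_STORAGE": "document theft",
    "android.permission.MANAGE_EXTERNAL_STORAGE": "all-files access",
    "android.permission.READ_CALL_LOG": "call log theft",
    "android.permission.RECEIVE_BOOT_COMPLETED": "boot persistence",
    "android.permission.BIND_DEVICE_ADMIN": "device admin",
}
DEVICE_ADMIN_ACTION = "android.app.action.DEVICE_ADMIN_ENABLED"


def triage_manifest(xml_text: str) -> dict:
    """Return watchlist hits, device-admin receivers, a score and a verdict."""
    root = ET.fromstring(xml_text)
    perms = {el.get(A_NAME) for el in root.iter("uses-permission")}
    hits = {p: WATCHLIST[p] for p in sorted(perms) if p in WATCHLIST}

    # A device-admin receiver is gated by BIND_DEVICE_ADMIN and/or listens for
    # DEVICE_ADMIN_ENABLED; its presence is what the ADD_DEVICE_ADMIN prompt enrolls.
    admin_receivers = []
    for rcv in root.iter("receiver"):
        actions = {a.get(A_NAME) for a in rcv.iter("action")}
        if (rcv.get(A_PERM) == "android.permission.BIND_DEVICE_ADMIN"
                or DEVICE_ADMIN_ACTION in actions):
            admin_receivers.append(rcv.get(A_NAME))

    score = len(hits) + 2 * len(admin_receivers)
    return {
        "hits": hits,
        "device_admin_receivers": admin_receivers,
        "score": score,
        "verdict": "RAT-like" if score >= 4 else "review",
    }


# Constructed manifest for a fake chat app; not the real Love_Chat.apk manifest.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.lovechat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.MANAGE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Love Chat">
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
""".strip()

BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.calc">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>
""".strip()

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

Run it against the output of `apktool d sample.apk` and feed `AndroidManifest.xml` to `triage_manifest`; a chat app declaring a device-admin receiver plus SMS and all-files access should never pass review on the permission list alone.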
The C2 channel wraps its traffic in base64 encoding, with the primary command endpoint at https://quickhelpsolve.com/public/commands.php.
This single endpoint lets operators issue arbitrary commands to compromised devices, collect stolen data, and keep persistent access to victim devices.
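On the network side the indicators above translate into a simple proxy-log check. The script below is an added example, not the researchers' code: the log line format and the sample entries are constructed, the indicators are the two hosts and the commands.php path quoted in the article, and because the article says only that the channel is base64-encoded, the decoder unwraps one layer for analyst review and makes no assumption about what the plaintext looks like.

```python
"""Flag proxy log lines matching the RAT's C2 pattern and unwrap the base64 body.

Added example, not the researchers' code. The log line format and entries are
constructed for illustration; the indicators are the hosts and path quoted in
the article. The decoder unwraps a single base64 layer and nothing more.
"""
import base64
import binascii
import re
from typing import Optional

C2_HOSTS = {"quickhelpsolve.com", "kutcat-rat.com"}
C2_PATHS = {"/public/commands.php"}

# Constructed line format: "<ts> <client> <method> <host> <path> <status> [<body>]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<host>\S+) "
    r"(?P<path>\S+) (?P<status>\d{3})(?: (?P<body>\S+))?$"
)


def unwrap_b64(blob: Optional[str]) -> Optional[bytes]:
    """Strictly decode one base64 layer; None if the body is absent or not base64."""
    if not blob:
        return None
    try:
        return base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None


def scan(lines) -> list:
    """Return one alert dict per line that touches a known C2 host or path."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        host, path = m["host"].lower(), m["path"]
        reasons = []
        if host in C2_HOSTS:
            reasons.append("known-c2-host")
        # The PHP backend path is worth matching on its own: operators rotate
        # domains more readily than they rewrite the server side.
        if path in C2_PATHS:
            reasons.append("known-c2-path")
        if not reasons:
            continue
        decoded = unwrap_b64(m["body"])
        if decoded is not None:
            reasons.append("base64-body")
        alerts.append({"ts": m["ts"], "client": m["client"], "host": host,
                       "path": path, "reasons": reasons, "decoded": decoded})
    return alerts


# Constructed sample: one hit on the named host, one benign line, and one hit on
# the path alone against an unrelated IP with a body that is not valid base64.
SAMPLE_LOG = [
    "2025-06-01T10:00:00Z 10.0.0.5 POST quickhelpsolve.com /public/commands.php 200 ZGV2aWNlPWFiYw==",
    "2025-06-01T10:00:05Z 10.0.0.5 GET www.example.org /index.html 200",
    "2025-06-01T10:01:00Z 10.0.0.7 POST 203.0.113.9 /public/commands.php 200 not-base64!",
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(a["client"], a["host"], a["reasons"], a["decoded"])
```

The path-only match is deliberate: a new domain fronting the same commands.php backend still trips the rule, and the decoded body gives the analyst something to read before deciding whether the client is a compromised handset.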
Security researchers discovered that the threat actors had successfully compromised military personnel across multiple countries, with stolen data including SMS messages, contact lists containing military ranks and duty stations, and sensitive organizational documents.
