ResidentBat Android Malware Grants Belarusian KGB Ongoing Mobile Access


ResidentBat is a custom Android spyware implant used by the Belarusian KGB to turn seized smartphones into long‑lived surveillance platforms against journalists and civil society targets.

Operating outside the Play Store ecosystem and requiring hands‑on installation, it combines deep data collection with remote control features, including the ability to wipe a device on demand.

RSF’s Digital Security Lab attributes the tool to the Belarusian KGB, assessing that it has likely been in use since at least 2021 based on code lineage and older sample timestamps.

ResidentBat was first publicly disclosed in December 2025, as part of a joint investigation by Reporters Without Borders (RSF) and RESIDENT.NGO, after analysts examined the phone of a Belarusian journalist.

Unlike commercial spyware that relies on exploit chains or malicious links, ResidentBat is deployed only after security forces obtain physical access to a device.

This profile aligns with Belarusian security services’ history of device seizures at borders, during arrests, and in raids on independent media and NGOs.

ResidentBat Android Malware

ResidentBat is not delivered via its command‑and‑control (C2) infrastructure, but instead sideloaded using Android Debug Bridge (ADB) once an attacker has the phone in hand.

The observed deployment flow includes enabling USB debugging, sideloading the APK, manually granting extensive permissions, and disabling Google Play Protect to avoid automated detection.

Because every infected device requires physical access, the operation trades scale for precision, focusing on high‑value targets such as journalists, activists, and civil society organizers.

The C2 servers are used for exfiltration, tasking, configuration updates, and keeping the spyware resident and responsive over time.

Once active, ResidentBat provides a broad spectrum of collection and control functions that effectively remove any expectation of privacy on a compromised handset.

Collected data includes SMS, call logs, audio recordings via the microphone, screen captures, encrypted messenger content, and files stored locally on the device.

Operators can push commands from the C2 to adjust configuration, pull fresh data, or query device health and policy compliance using JSON‑based tasking parameters.

Critically, ResidentBat can invoke Android’s DevicePolicyManager.wipeData API, enabling remote factory resets that destroy local evidence or retaliate against at‑risk users.

This blend of communications interception and device takeover makes it particularly dangerous in repressive environments where digital evidence can be weaponized against journalists.

C2 Fingerprint and Internet‑Scale Visibility

Censys research highlights a distinctive ResidentBat network fingerprint that allows its infrastructure to be tracked at internet scale.

Network defenders can hunt for ResidentBat activity with TLS‑focused telemetry, flagging outbound HTTPS sessions to self‑signed CN=server endpoints on ports 7000–7257 or matching the documented banner hash.

ResidentBat country distribution (Source: Censys).

Known C2 servers speak HTTPS on a narrow port range (primarily 7000–7257, with some use of port 4022), present self‑signed TLS certificates with the subject CN=server, and share a stable TLS/HTTP banner hash (banner_hash_sha256 6f6676d3…dbeaca).

For high‑risk Android users, enabling Android Advanced Protection Mode, which is designed to block sideloading and enforce stricter security policies, adds a strong layer of protection against ResidentBat’s hands‑on installation model.

As of February 2026, a recent Censys Platform view shows at least 10 ResidentBat‑associated hosts, concentrated in the Netherlands (5), Germany (2), Switzerland (2), and Russia (1).

Many of these servers sit in data‑center and VPS networks, including Russian ASN AS29182 (RU‑JSCIOT) and European providers such as AS210976 (TWC‑EU) and others.

Across this footprint, operators harden their C2s by returning catch‑all HTTP 200 responses with empty bodies, sending static or fake Date headers, and likely relying on client certificate authentication and server‑side allowlists rather than exposing REST‑style endpoints.

Certificate reuse across multiple IP:port combinations gives defenders an additional pivot for clustering related infrastructure and expanding blocklists.
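The hunting logic described above (self‑signed CN=server on the 7000–7257/4022 port range, or a banner hash match) together with the certificate‑reuse pivot, written as an added example that is not Censys's or RSF's tooling. The record fields, the sample sessions and the banner‑hash value are assumptions: the page prints the real hash only in truncated form, so a labelled placeholder stands in for it.

```python
from collections import defaultdict

# Fingerprint as described by Censys: HTTPS on 7000-7257 (some use of 4022), a self-signed
# certificate with subject CN=server, and a stable banner hash (placeholder here, not the real value).
C2_PORTS = set(range(7000, 7258)) | {4022}
C2_SUBJECT = "CN=server"
BANNER_HASH = "<banner_hash_sha256 from the Censys report>"

# Constructed sample records with Zeek ssl.log-like fields; not real traffic.
SESSIONS = [
    {"dst": "192.0.2.10", "dport": 7000, "subject": "CN=server", "issuer": "CN=server",
     "cert_sha256": "cert-A", "banner_hash": "x1"},
    {"dst": "198.51.100.7", "dport": 7257, "subject": "CN=server", "issuer": "CN=server",
     "cert_sha256": "cert-A", "banner_hash": "x2"},
    {"dst": "203.0.113.4", "dport": 443, "subject": "CN=mail.example", "issuer": "CN=Example CA",
     "cert_sha256": "cert-B", "banner_hash": "x3"},
    {"dst": "192.0.2.22", "dport": 4022, "subject": "CN=server", "issuer": "CN=server",
     "cert_sha256": "cert-C", "banner_hash": "x4"},
    {"dst": "192.0.2.33", "dport": 8080, "subject": "CN=server", "issuer": "CN=server",
     "cert_sha256": "cert-D", "banner_hash": "x5"},
    {"dst": "198.51.100.9", "dport": 443, "subject": "CN=cdn.example", "issuer": "CN=Example CA",
     "cert_sha256": "cert-E", "banner_hash": BANNER_HASH},
]

def match_reasons(rec):
    """Return the fingerprint elements a session matches (empty list means no match)."""
    reasons = []
    self_signed_server = rec["subject"] == C2_SUBJECT and rec["issuer"] == rec["subject"]
    if rec["dport"] in C2_PORTS and self_signed_server:
        reasons.append("self-signed CN=server on C2 port")
    if rec["banner_hash"] == BANNER_HASH:
        reasons.append("banner hash match")
    return reasons

def hunt(records):
    """Sessions worth escalating, each paired with the reasons it matched."""
    scored = ((r, match_reasons(r)) for r in records)
    return [(r, why) for r, why in scored if why]

def cluster_by_cert(hits):
    """Group flagged dst:port endpoints that present the same certificate (reuse pivot)."""
    by_cert = defaultdict(set)
    for rec, _ in hits:
        by_cert[rec["cert_sha256"]].add(f'{rec["dst"]}:{rec["dport"]}')
    return {cert: sorted(eps) for cert, eps in by_cert.items() if len(eps) > 1}

if __name__ == "__main__":
    for rec, why in hunt(SESSIONS):
        print(f'{rec["dst"]}:{rec["dport"]} -> {", ".join(why)}')
    print("certificate reuse:", cluster_by_cert(hunt(SESSIONS)))
```

The 8080 session shows why the port range gates the certificate rule: CN=server alone is too common to alert on, while the banner hash is strong enough to flag a session on its own.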

For malware analysts, APK hashes published in the RSF report provide anchor points to correlate new samples in VirusTotal, MalwareBazaar, and similar repositories with known ResidentBat C2 endpoints.

For organizations supporting at‑risk users, ResidentBat underlines the importance of physical device security, USB debugging controls, and sideloading policies.

On devices, security teams should monitor for ADB usage, unauthorized sideloaded packages, suspicious “system‑like” apps with broad permissions, and signs that Google Play Protect has been disabled.
