Cyber threat actors have launched sophisticated phishing operations aimed at military and government personnel in South Asia, leveraging defense-related lures to distribute malicious archives and applications.
Recent detections include ZIP files like “Coordination of the Chief of Army Staff’s Visit to China.zip,” which contain compressed PDFs designed as phishing decoys.
Once extracted and opened, these decoy PDFs link the reader to fraudulent pages hosted on platforms such as Netlify, mimicking legitimate entities like the Bangladesh Army, the Directorate General of Defence Purchase (DGDP), and Turkish defense firms.
The phishing pages embed JavaScript that tries to block viewing of the page source (in practice this only deters casual inspection, since the HTML is still visible to a proxy or a saved copy), a tactic observed across multiple campaigns.
Pivoting on similar file names, MD5 hashes, and embedded URLs uncovers a cluster of phishing artifacts, including those themed around international defense fairs like IDEF 2025 and visits from Gulf countries.
These lures lead to credential-harvesting pages that spoof official webmail login portals, such as mail-mod-gov-bd-account-conf-files.netlify.app, and forward the captured credentials to secondary command-and-control (C2) servers like mailbox3-inbox1-bd.com.
Modified Android RATs
The operation extends beyond phishing to mobile espionage, with actors deploying modified versions of the open-source Rafel RAT via APK files hosted on domains like updatemind52.com.
Samples such as Love_Chat.apk (MD5: 9a7510e780ef40d63ca5ab826b1e9dab) masquerade as chat or dating apps, incorporating decoys from sites like lovehabibi.com or isexychat.com to evade suspicion.
Decompilation shows these apps upload sensitive data including documents, SMS, contacts, and media from infected devices to C2 endpoints like quickhelpsolve.com/public/commands.php.
The manifests request permissions such as READ_EXTERNAL_STORAGE and READ_CONTACTS and solicit device-administrator rights through the ADD_DEVICE_ADMIN intent action (an intent action rather than a manifest permission); device-admin status blocks ordinary uninstallation, so together with the C2 command loop this gives the operators persistent access, remote command execution, and broad control of the device.
Pivots on shared C2 infrastructure, including kutcat-rat.com, reveal a network of related APKs such as PvtChat.apk and voting.apk; their landing pages embed hardcoded Unix timestamps (one corresponds to March 28, 2025), a value that itself serves as a clustering pivot.

WHOIS data links registrant emails like [email protected] across domains such as play-googyle.com and mailserver-lk.com, previously associated with prolific phishing.
The C2 panels, publicly indexed and now disabled, exposed stolen content from victims primarily in India, Bangladesh, Pakistan, and Nepal, with address books indicating military affiliations through ranks and duty stations.
Cross-Platform Overlaps
This campaign demonstrates cross-platform tactics, with Windows malware samples like EX_AMAN-2025.zip routing through the same C2s as the Android RATs, including updatemind52.com and play-googyle.com.
Vendor attributions, such as Proofpoint’s UNK_ArmyDrive, align with OSINT from sources like Hunt.io and analysts on Twitter, pointing to actors resembling the SideWinder APT, which is known for targeting South Asian militaries.
Hunting leads include the PDB path C:\Users\Android\Desktop\full working with all and url encrypt\x64\Release\ConsoleApplication1.pdb and network strings containing “ghijkl”; the directory name is distinctive enough to search for on its own, while the generic ConsoleApplication1.pdb file name will also match unrelated Visual Studio builds.
The reuse of error messages, hardcoded timestamps, and registrant details across samples makes the cluster easy to track and highlights a persistent threat to defense sectors.
As of August 22, 2025, these tools underscore the evolving use of commodity malware for targeted espionage, urging enhanced mobile security and phishing awareness in high-risk environments.
Key Indicators of Compromise (IOCs)
| Type | Indicator | Description |
|---|---|---|
| MD5 Hash | 9a7510e780ef40d63ca5ab826b1e9dab | Love_Chat.apk (Android RAT) |
| Domain | updatemind52.com | Hosts APKs and phishing pages |
| Domain | quickhelpsolve.com | C2 for data exfiltration |
| Domain | kutcat-rat.com | Modified Rafel RAT panel |
| Email | [email protected] | Domain registrant |
| PDB Path | C:\Users\Android\Desktop\full working with all and url encrypt\x64\Release\ConsoleApplication1.pdb | Windows malware build artifact |
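The hunting leads above (PDB path fragments, the “ghijkl” network string) and the IOC table are only useful once they are applied to telemetry. The following script is an added example, not code from the article or from any vendor named in it: it matches the article's domains and hash against web-proxy and AV log lines, treating subdomains of a listed domain as hits while leaving the rest of netlify.app alone, and searches raw file bytes for the PDB-path and network strings in both ASCII and UTF-16LE, since Windows binaries store many strings as wide characters. The log lines and the binary blob are constructed for the demonstration; the log format is an assumption, not one the article describes.

```python
"""Hunt for the campaign's indicators in proxy/AV log lines and raw binaries.

Added example, not code from the article or any vendor report.  The log lines
and the sample binary below are constructed; the IOC values come from the text.
"""
import re
from typing import List, Optional, Tuple

# Domains and hash taken from the article's IOC table and body text.
C2_DOMAINS = {
    "updatemind52.com",
    "quickhelpsolve.com",
    "kutcat-rat.com",
    "play-googyle.com",
    "mailserver-lk.com",
    "mailbox3-inbox1-bd.com",
    "mail-mod-gov-bd-account-conf-files.netlify.app",
}
MD5_HASHES = {"9a7510e780ef40d63ca5ab826b1e9dab"}

# Byte strings to look for inside Windows samples: the build-directory name
# and file name from the article's PDB path, and the cited network string.
PDB_FRAGMENTS = [b"full working with all and url encrypt", b"ConsoleApplication1.pdb"]
NETWORK_STRINGS = [b"ghijkl"]

HOST_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b")
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b")


def domain_matches(host: str) -> Optional[str]:
    """Return the IOC that `host` equals or is a subdomain of, else None.

    Walks the parent domains label by label but stops before the bare TLD,
    so only the listed netlify.app host is flagged, not every *.netlify.app.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in C2_DOMAINS:
            return candidate
    return None


def scan_log(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, kind, indicator) for each IOC seen in the lines."""
    hits: List[Tuple[int, str, str]] = []
    for n, line in enumerate(lines, start=1):
        low = line.lower()
        found = set()
        for host in HOST_RE.findall(low):
            match = domain_matches(host)
            if match:
                found.add(("domain", match))
        for digest in MD5_RE.findall(low):
            if digest in MD5_HASHES:
                found.add(("md5", digest))
        hits.extend((n, kind, value) for kind, value in sorted(found))
    return hits


def scan_binary(data: bytes) -> List[Tuple[str, str, str]]:
    """Search file bytes for PDB fragments and network strings (ASCII and UTF-16LE)."""
    hits: List[Tuple[str, str, str]] = []
    for kind, needles in (("pdb", PDB_FRAGMENTS), ("netstr", NETWORK_STRINGS)):
        for needle in needles:
            text = needle.decode("ascii")
            if needle in data:
                hits.append((kind, text, "ascii"))
            if text.encode("utf-16-le") in data:
                hits.append((kind, text, "utf-16le"))
    return hits


# Constructed proxy/AV log lines (timestamp, client IP, method, URL, status, type).
SAMPLE_LOG = """\
2025-08-22T09:01:11Z 10.20.1.15 GET http://updatemind52.com/Love_Chat.apk 200 application/vnd.android.package-archive
2025-08-22T09:03:40Z 10.20.1.15 POST http://quickhelpsolve.com/public/commands.php 200 text/html
2025-08-22T09:05:02Z 10.20.1.22 GET https://mail-mod-gov-bd-account-conf-files.netlify.app/login 200 text/html
2025-08-22T09:07:19Z 10.20.1.22 GET https://other-site.netlify.app/ 200 text/html
2025-08-22T09:09:55Z 10.20.1.31 GET https://updates.example.com/patch.zip 200 application/zip
2025-08-22T09:12:00Z av-alert host=10.20.1.15 file=Love_Chat.apk md5=9a7510e780ef40d63ca5ab826b1e9dab
"""

# Constructed blob standing in for a PE file: an RSDS debug record carrying the
# article's PDB path as ASCII, followed by "ghijkl" stored as a wide string.
SAMPLE_BINARY = (
    b"MZ" + b"\x00" * 30 + b"RSDS" + b"\x11" * 16 + b"\x01\x00\x00\x00"
    + b"C:\\Users\\Android\\Desktop\\full working with all and url encrypt"
    + b"\\x64\\Release\\ConsoleApplication1.pdb\x00"
    + "ghijkl".encode("utf-16-le") + b"\x00\x00"
)

if __name__ == "__main__":
    for line_no, kind, value in scan_log(SAMPLE_LOG.splitlines()):
        print(f"log line {line_no}: {kind} {value}")
    for kind, value, enc in scan_binary(SAMPLE_BINARY):
        print(f"binary: {kind} {value!r} ({enc})")
```

On the constructed log the script flags lines 1, 2, 3 and 6 and stays silent on the benign netlify.app and example.com lines; on the blob it reports both PDB fragments as ASCII and “ghijkl” only in its UTF-16LE form. To run it against real data, feed proxy or DNS exports to `scan_log` and file contents to `scan_binary`, and treat the ConsoleApplication1.pdb hit as corroborating rather than conclusive on its own.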