OSINT - Godfather Trojan IOCs
The Godfather Trojan is a high-severity mobile malware threat that delivers malicious applications via authorized app stores and exfiltrates data over command-and-control (C2) channels. It targets mobile phones and uses stealthy techniques to avoid detection by masquerading as legitimate apps. Although no patches or known exploits in the wild are currently reported, the Trojan's capability to deliver payloads through trusted sources and perform data exfiltration poses significant risks. European organizations with mobile device usage are at risk, especially those in countries with high mobile penetration and strategic sectors such as finance and government. Mitigation requires enhanced mobile app vetting, network monitoring for unusual C2 traffic, and user awareness to detect suspicious app behaviors. Countries like Germany, France, the UK, Italy, and Spain are most likely affected due to their large mobile user bases and critical infrastructure. Given the ease of delivery via authorized app stores and the potential for data loss, the threat severity is assessed as high. Defenders should prioritize detection of malicious apps in official stores and monitor network exfiltration channels to mitigate impact.
AI Analysis
Technical Summary
The Godfather Trojan is a mobile malware threat identified through open-source intelligence (OSINT) feeds, characterized by its delivery method and data exfiltration capabilities. It leverages the tactic of delivering malicious applications via authorized app stores (MITRE ATT&CK T1475), which allows it to bypass traditional security controls that rely on app source reputation. Once installed on a mobile device, the Trojan establishes a command-and-control (C2) channel to exfiltrate sensitive data (MITRE ATT&CK T1646). The malware targets mobile phones, exploiting the trust users place in official app stores to propagate. Although no specific affected versions or patches are noted, the Trojan's persistence and stealth make it a perpetual threat. The lack of known exploits in the wild suggests it may be in early stages or under limited deployment, but the high severity rating indicates significant potential impact. Indicators of compromise (IOCs) are not provided, which complicates detection efforts. The Trojan's ability to operate covertly within authorized app ecosystems and communicate over C2 channels underscores the sophistication of this threat and the challenges in defending against it.
Potential Impact
For European organizations, the Godfather Trojan poses a substantial risk primarily through the compromise of mobile devices, which are widely used for corporate communications, access to sensitive data, and multi-factor authentication. The Trojan's delivery via authorized app stores increases the likelihood of infection, as users may inadvertently install compromised apps believing them to be legitimate. Data exfiltration over C2 channels threatens confidentiality, potentially leading to leakage of intellectual property, personal data, or credentials. This can result in financial losses, reputational damage, and regulatory penalties under GDPR. The Trojan's stealthy nature complicates detection and response, increasing dwell time and the potential scope of compromise. Sectors such as finance, government, and critical infrastructure are particularly vulnerable due to the value of the data and the strategic importance of mobile communications. The absence of patches means organizations must rely on detection and prevention rather than remediation, increasing operational risk.
Mitigation Recommendations
To mitigate the Godfather Trojan threat, European organizations should implement a multi-layered mobile security strategy. First, enforce strict mobile application management policies that restrict installation to vetted apps and utilize enterprise app stores or mobile threat defense solutions to scan apps for malicious behavior before deployment. Second, enhance network monitoring to detect anomalous outbound traffic indicative of C2 communications, employing behavioral analytics and threat intelligence feeds to identify suspicious patterns. Third, educate users on the risks of installing apps from unauthorized sources and encourage vigilance even with apps from official stores. Fourth, deploy endpoint detection and response (EDR) tools capable of monitoring mobile devices for unusual activities and potential indicators of compromise. Fifth, implement strong access controls and multi-factor authentication to limit the impact of credential theft. Finally, collaborate with app store providers and cybersecurity communities to share intelligence and rapidly respond to emerging threats. Regular audits of mobile device security posture and incident response readiness are also critical.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium
Indicators of Compromise
Sources
- https://1275.ru/ioc/1192/godfather-trojan-iocs/ (blog): Group-IB discovered the Godfather banking Trojan in the official Google Play store, where the malware masquerades as legitimate crypto applications. The geography of its victims spans 16 countries, and its list of targets includes more than 400 different banks, cryptocurrency exchanges, and e-wallets.
- https://www.virustotal.com/gui/file/0b72c22517fdefd4cf0466d8d4c634ca73b7667d378be688efe131af4ac3aed8 (VirusTotal report, 29/66)
- https://www.virustotal.com/gui/file/9815ba07d0a2528c11d377b583243df24218a48c6a4f839f40769ea290555070 (VirusTotal report, 22/66)
- https://blog.group-ib.com/godfather-trojan (blog): The Android banking Trojan Godfather is currently being utilized by cybercriminals to attack users of popular financial services across the globe. Godfather is designed to allow threat actors to harvest login credentials for banking applications and other financial services, and drain the accounts. To date, its victims include users of over 400 international targets, including banking applications, cryptocurrency wallets, and crypto exchanges. Few people realize that hiding under Godfather's hood is an old banking Trojan called Anubis, whose functionality has become outdated due to Android updates and the efforts of malware detection and prevention providers.
Technical Details
- Uuid: f6098894-bbc6-4ee8-adbb-fc99b4c86f04
- Original Timestamp: 1673365597
Threat ID: 68359c9d5d5f0974d01f8086
Added to database: 5/27/2025, 11:06:05 AM
Last enriched: 12/24/2025, 6:12:05 AM
Last updated: 2/6/2026, 9:56:56 AM