OSINT - Lookout Discovers Two Russian Android Spyware Families from Gamaredon APT
AI Analysis
Technical Summary
Lookout attributes two Android surveillance families, BoneSpy and PlainGnome, to Gamaredon (also tracked as Primitive Bear and Shuckworm), a Russian state-sponsored group associated with the FSB that has historically targeted Ukrainian entities. According to the Lookout text reproduced on this page, BoneSpy has been in use since at least 2021 and PlainGnome first appeared in 2024; both were still active at the time of publication, and both collect SMS messages, call logs, phone call audio, camera photos, device location and contact lists. PlainGnome is a dropper that carries its surveillance payload inside the installer package, while BoneSpy ships as a standalone application. Victimology centres on former Soviet states and Russian-speaking users, which Lookout links to those countries' deteriorating relations with Russia since the invasion of Ukraine. The entry is OSINT-derived with a moderate certainty level (50%) and is tagged under network activity and payload delivery, consistent with distribution through network delivery or social engineering. No exploit or patch applies: these are malicious applications rather than a platform vulnerability, so defence rests on installation controls, permission hygiene and blocking of the listed infrastructure. The aggregator rates severity low, reflecting targeted rather than widespread use. Note that the indicator list below is marked as having been extracted from the Lookout article by a language model (GPT-4o), so values should be validated against the original article before being pushed to blocking controls.
Potential Impact
For European organizations the exposure is targeted rather than broad. The Lookout text on this page places the victimology in former Soviet states and among Russian-speaking users, so direct risk concentrates on entities with staff, partners or field operations in that region, and on government, defence, critical-infrastructure and policy bodies dealing with Russia and Ukraine. A compromised handset yields everything both families collect: SMS (including any one-time codes delivered that way), call logs, recorded calls, photos, location history and contacts, which undermines the confidentiality of communications and can expose credentials. Because PlainGnome is deployed as a dropper and BoneSpy as a standalone app, either persists as an ordinary-looking installed application. Mobile devices are also a pivot into corporate resources when they hold mail, VPN or MFA tokens, and they typically carry less monitoring than managed laptops. No widespread exploitation is reported, but Gamaredon's campaigns are persistent, so organizations in the target profile should treat this as an active collection threat rather than a historical one.
Mitigation Recommendations
Specific mitigation recommendations include:
1) Block the listed domains and IP addresses at DNS resolvers, proxies and egress firewalls. The ddns.net entries are hostnames on a shared dynamic-DNS provider's domain, so block them by exact name rather than the parent; the .ru and .pw entries are attacker-controlled registrations and can be blocked as whole zones.
2) Hunt for the listed SHA-256 hashes in MDM and mobile threat defence app inventories, and on any APKs recovered from devices in the target profile.
3) Use MDM to disable installation from unknown sources, keep Google Play Protect enabled, and alert on newly installed apps whose installer is not a trusted store.
4) Review granted permissions on managed devices for the combination both families need (SMS, call log, microphone, camera, location, contacts) and revoke or investigate apps outside the corporate catalogue that hold it.
5) Brief users with ties to the affected region on the risk of sideloaded apps and of messages that deliver APKs or "app updates" through links.
6) Keep threat-intelligence feeds current and re-check the Lookout article for indicator updates, since both families were active at publication.
7) Coordinate with national CERTs and cybersecurity agencies for timely alerts and guidance on Gamaredon activity.
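A device-side check for the permission profile described above, as an added example (not Lookout's or the aggregator's code). It parses the output of `adb shell pm list packages -3 -i` and `adb shell dumpsys package <pkg>` as produced by recent Android builds (the line shapes are assumed from those tools; the sample output below is constructed and uses placeholder package names). It is a capability heuristic, not a signature for BoneSpy or PlainGnome, whose package names are not on this page; a hit should be confirmed by pulling the APK and comparing its SHA-256 with the indicator list.

```python
"""
Capability-based triage of third-party Android apps against the collection
profile on this page: SMS, call logs, call audio, camera, location, contacts.
Added example, not Lookout's or the aggregator's code. Input line shapes are
those of `pm list packages -3 -i` and `dumpsys package <pkg>` (assumption);
all sample output is constructed, with placeholder package names.
"""
import re

# Each capability from the page, mapped to the Android permissions that grant it
# (holding any one permission of a set counts as having the capability).
CAPABILITIES = {
    "sms":      {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "call_log": {"android.permission.READ_CALL_LOG"},
    "audio":    {"android.permission.RECORD_AUDIO"},
    "camera":   {"android.permission.CAMERA"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "contacts": {"android.permission.READ_CONTACTS"},
}
# Installers treated as trusted stores; anything else, including "null"
# (a sideloaded APK), is flagged. Extend for the stores your fleet really uses.
TRUSTED_INSTALLERS = {"com.android.vending"}

PM_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)\s*$")
GRANT_LINE = re.compile(r"^\s*(android\.permission\.[A-Z_]+): granted=(true|false)")

# Constructed sample: a store-installed app with one sensitive permission and a
# sideloaded placeholder app that holds most of the collection profile.
SAMPLE_PM = """\
package:com.example.notes  installer=com.android.vending
package:com.example.sysupdate  installer=null
"""
SAMPLE_DUMPSYS = {
    "com.example.notes": """\
      install permissions:
        android.permission.INTERNET: granted=true
      User 0: installed=true hidden=false
        runtime permissions:
          android.permission.CAMERA: granted=true, flags=[ USER_SET ]
""",
    "com.example.sysupdate": """\
      install permissions:
        android.permission.INTERNET: granted=true
        android.permission.RECEIVE_BOOT_COMPLETED: granted=true
      User 0: installed=true hidden=false
        runtime permissions:
          android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
          android.permission.READ_CALL_LOG: granted=true, flags=[ USER_SET ]
          android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
          android.permission.CAMERA: granted=true, flags=[ USER_SET ]
          android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
          android.permission.READ_CONTACTS: granted=false, flags=[ USER_SET ]
""",
}


def parse_pm_list(pm_output):
    """'package:<name>  installer=<installer>' lines -> {package: installer}."""
    apps = {}
    for line in pm_output.splitlines():
        m = PM_LINE.match(line.strip())
        if m:
            apps[m.group(1)] = m.group(2)
    return apps


def granted_permissions(dumpsys_output):
    """Permissions dumpsys reports as granted=true, from install or runtime sections."""
    granted = set()
    for line in dumpsys_output.splitlines():
        m = GRANT_LINE.match(line)
        if m and m.group(2) == "true":
            granted.add(m.group(1))
    return granted


def capabilities_of(perms):
    """Sorted capability names the permission set enables."""
    return sorted(cap for cap, needed in CAPABILITIES.items() if perms & needed)


def triage(pm_output, dumpsys_by_pkg, min_caps=3):
    """[(package, installer, capabilities)] for apps not installed by a trusted store
    that hold at least min_caps of the surveillance capabilities, most capable first."""
    hits = []
    for pkg, installer in parse_pm_list(pm_output).items():
        caps = capabilities_of(granted_permissions(dumpsys_by_pkg.get(pkg, "")))
        if installer not in TRUSTED_INSTALLERS and len(caps) >= min_caps:
            hits.append((pkg, installer, caps))
    return sorted(hits, key=lambda h: -len(h[2]))


if __name__ == "__main__":
    for pkg, installer, caps in triage(SAMPLE_PM, SAMPLE_DUMPSYS):
        print(f"{pkg} (installer={installer}): {', '.join(caps)}")
        # Confirm against the page's SHA-256 list before acting:
        #   adb shell pm path <pkg>   ->   adb pull <path>   ->   sha256sum <apk>
```

On a live device, feed `adb shell pm list packages -3 -i` and one `adb shell dumpsys package <pkg>` per third-party package into `triage()`. The threshold of three capabilities is a tuning choice: a messaging app legitimately holds SMS, contacts and camera, so the installer check carries most of the signal and a hit is a triage lead, not a verdict.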
Affected Countries
Ukraine, Poland, Germany, France, United Kingdom, Estonia, Lithuania, Latvia
Indicators of Compromise
- domain: llkeyvost.ddns.net
- domain: fiordmoss.ddns.net
- domain: winterknowing.ddns.net
- domain: weeklyoptional.ddns.net
- domain: ltkwark.ddns.net
- domain: ollymap.pw
- domain: wleak.pw
- domain: goos.pw
- hash: 2c7827f92a103db1b299f334043fbdc73805bbee11f4bfac195f672ba0464d22
- hash: 114d2a25bb4c296f8ef5bfca4e8192b5aca9b169099ac6291139e68cfc7e37dc
- hash: 8af63d7aa2142701116207f61e3e01c9e0239731e5bbbdf79114889b56ca46ea
- hash: ce6e5838f3ada452b64ffc6261e9bf74479bd31e83f77c7409c89564846db6a3
- hash: 8407fed605805f0e7ef9628767d0aff1014e7231549b09f3c0d0cb723f07c48a
- hash: cb648ba5cce810e5ba17b89ca2c346bd3f0ad612834c225ec7b55871c4acc085
- hash: 39cb17cb03a794e69eb4f0694e90e41a8cfb8480b82da82fcbd4a88dfe49930d
- hash: fd5fa718a7411b18845b76d7007db6b4431b1a2ce2f8b2cc047c0fff7c46161f
- hash: f0acf9558b7a4fcdaa119731ad5fb5bbdf5a704c9be9e929735a4679735989db
- hash: 7de055018723b612dfa66a90c83a69afce7db918fb7fa88619833557c4fc61c3
- hash: 551b8917f57c5cf8cd0a34c1d500db1dd4aed8ec8f31d28a5fabc4720e5b89a3
- hash: 533ff7ba5eb5329cb860486a952259a4dfc0d74654831eb08dbcadc1ae5ca333
- hash: acede5fa46e09803adf9de5e731ca690dc7b02b69a63bacd4836429d289ec4f0
- hash: a3b0c178ab5e6e4b3442d358a78df7409461fa48f6ca8e63b730b0a455a89b18
- hash: 7a8ec25f3d4a5c6b4fbdb1002ce22ff0352ce65c0f4ddc9567458e8fcb964845
- hash: 86e51f1cc8213e173e47080ab45577e922e624006954de73ebae531589c912f4
- hash: 2ef72c67cf76e8162f5e4bf0a743ac4ed756e153593c430cedf2043a310b24e8
- hash: 5b7b5a2995c102121695225797f12f0b860500150472126b3b465b51ccad07bd
- hash: 9dd73c9caa547358b6fe5acddf59443d7bf0ffc5b92867e9b67edd5bb2a9f786
- hash: 3b5794ca6051740fff6e1b449db06f169df2749f81aaf4c329e18b12afb9a5c7
- hash: dfaa47ed20021c4f84bf68820a618f9e8a2e077d36b6d7281e8724b2124c7825
- hash: f948b650bdc63cf9b1781d651974a9c54d2b2981d3bf4b882f48c3a406272470
- hash: c82f0a1546bf7025993f2e7da33d1a741d91c78b01268a2d44afa31e66eb2fe8
- hash: de3a0b30b8976da933fe6bf88e6e7ab2386a967ada2599ef1dc1b12100a37694
- hash: bd65dbd61f27a90c0770d5f8cc02cfa7d9552f0fb300868611d69972b42d3f1c
- hash: bed2cf8758d86daaf25475cc6ed1c71fd3f9a922247c42fe246f8542c76d8c15
- hash: 255996e1aa2a7514b167d9c940d7c8ff3c34393e97e43bda319eb92ea626c4eb
- hash: 46b10de13887c36d61517125bec87c4557f325114221291a3ac7142cbc15de29
- hash: 6bfdc285dee8ae3e3dade52a34f5d178163e4a08904b651ff5c906e78ddccec0
- hash: e0c5656ca9877b37e92f5208caf9c65365e9d35ea6eb351915eb3efee235db31
- hash: 30429e95b9318816709e23488c77e364a294b6f5f7e3ee414a6a2bef74620ca6
- hash: 278c9819583ce64913882d425c1d7634307b290709e0143e9268f8f999dacfba
- hash: 3a4fa698536111f377030a5d794851d2e23b18d67e6d440ce883b9906d65037d
- hash: 629ca39d2c90ff8b343ba1f4cfae11bbc2f61ca6bae80bd093f22efbcf4e4770
- hash: 633875ce353391ea8bd4c92d8f3f57a525ff0abf9eba8d78528de616b1ee7118
- hash: eadd9c3e3f7a1c5e008ca157cb850aa72d283f702da2ab4daf0e4af4d926ab3e
- ip: 194.87.216.136
- ip: 34.98.99.30
- domain: waltermanage.ddns.net
- ip: 185.247.184.63
- domain: tokyoprepared.ddns.net
- ip: 195.133.88.3
- domain: tacticsnovelty.ddns.net
- ip: 89.185.84.46
- domain: sonic-needed.ddns.net
- ip: 212.192.14.34
- domain: warrantiesford.ddns.net
- ip: 194.87.31.3
- domain: threateningdealer.ddns.net
- ip: 89.185.84.81
- domain: twentymicrophone.ddns.net
- domain: slopepainting.ddns.net
- domain: rogermayor.ddns.net
- domain: stocksharbour.ddns.net
- domain: wivespassed.ddns.net
- domain: savageprozac.ddns.net
- domain: rhythmfunky.ddns.net
- domain: sauce-patio.ddns.net
- domain: skinpublishing.ddns.net
- domain: yields-drew.ddns.net
- domain: inspiredflow.ddns.net
- domain: rakinal.ru
- domain: sabipro.ru
- domain: roomsecuador.ddns.net
- domain: savagelouisiana.ddns.net
- domain: walletdimension.ddns.net
- domain: whiteeligible.ddns.net
- domain: wenticdss.ddns.net
- domain: spoken-object.ddns.net
- domain: spreadingearning.ddns.net
- domain: televisionshandle.ddns.net
- domain: tongue-forms.ddns.net
- domain: throwingcoupons.ddns.net
- domain: shakecostume.ddns.net
- domain: tabs-iowa.ddns.net
- domain: saferexpansys.ddns.net
- domain: stringscrap.ddns.net
- domain: sony-high.ddns.net
- domain: seasonalfamily.ddns.net
- domain: soilentirely.ddns.net
- domain: seeklemon.ddns.net
- domain: spacesknowledge.ddns.net
- domain: rendercounting.ddns.net
- domain: regimapessive.ddns.net
- domain: standardfebruary.ddns.net
- domain: towerextraordinary.ddns.net
- domain: ruleglance.ddns.net
- domain: twistedfaces.ddns.net
- domain: vasifgo.ru
- domain: baloglandi.ru
- domain: bucks0.ru
- domain: bashardi.ru
- domain: detroit0.ru
- domain: lopert0.ru
- domain: dowrang.ru
- domain: hitrovana.ru
- domain: molotras.ru
- domain: milashto.ru
- domain: quyenz0.ru
- domain: drivento.ru
- domain: ihsnal.ru
- domain: antropa.ru
- domain: ibragim0.ru
- domain: witchdors.ru
- domain: cavaliers0.ru
- domain: vilitord.ru
- domain: phoenix0.ru
- domain: pistons0.ru
- domain: makdart.ru
- domain: bishotent.ru
- domain: forensit.ru
- domain: hornets0.ru
- domain: miltras.ru
- domain: flashik0.ru
- domain: vipertos.ru
- domain: batterlas.ru
- domain: snipotas.ru
- domain: bartop1.ru
- domain: exportan.ru
- domain: chromat0.ru
- domain: volnaps.ru
- domain: bilodon.ru
- domain: silentar.ru
- domain: intigm.ru
- domain: skymagra.ru
- domain: gayad0.ru
- domain: vezirgo.ru
- domain: savit1.ru
- domain: tilofol.ru
- domain: kramatl.ru
- domain: plumbum0.ru
- domain: ziyaft.ru
- domain: hydrargyrumo.ru
- domain: aghsinsa.ru
- domain: hersopa.ru
- domain: kistrop0n.ru
- domain: militrar.ru
- domain: minhzo.ru
- domain: kaelos.ru
- domain: lugarto.ru
- domain: cicind.ru
- link: https://www.lookout.com/threat-intelligence/article/gamaredon-russian-android-surveillanceware
- text: Lookout has discovered BoneSpy and PlainGnome Android surveillance families and attributed them to the Russian Gamaredon (Primitive Bear, Shuckworm) APT group associated with the Federal Security Service (FSB). BoneSpy has been in use since at least 2021, while PlainGnome first appeared in 2024. Both families are still active at the time of writing. BoneSpy and PlainGnome target former Soviet states and focus on Russian-speaking victims. Lookout assesses this targeting may be related to worsening relations between these countries and Russia since the outbreak of the Ukraine invasion. Both BoneSpy and PlainGnome collect data such as SMS messages, call logs, phone call audio, photos from device cameras, device location, and contact lists. PlainGnome acts as a dropper for a surveillance payload, stored within the dropper package, while BoneSpy is deployed as a standalone application.
- text: Blog
- text: Extracted IOCs via GPT4o
- file: Screenshot 2024-12-10 at 2.44.41 PM.png
- file: Screenshot 2024-12-10 at 2.44.25 PM.png
- file: Screenshot 2024-12-10 at 2.44.12 PM.png
- file: Extracted_IOC_List.csv
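Turning the indicator list above into enforceable controls, as an added example (not Lookout's or the aggregator's code). It assumes the `- type: value` line format used on this page and runs on a constructed excerpt of the list; because the page marks the indicators as extracted by GPT-4o, each value is validated (64 hex characters for SHA-256, a parseable IP address, well-formed DNS labels) and rejects are reported rather than silently dropped. It emits a Response Policy Zone for DNS blocking, Suricata rules for DNS lookups and direct connections, and the hash list for MDM/EDR inventory matching. The SID range is an arbitrary local choice.

```python
"""
Validate MISP-style '- type: value' indicators and emit blocking artefacts.
Added example, not Lookout's or the aggregator's code. The sample text is a
constructed excerpt of the list on this page plus two deliberately malformed
entries to show the validation path.
"""
import ipaddress
import re
from collections import defaultdict

SAMPLE_IOC_TEXT = """\
- domain: llkeyvost.ddns.net
- domain: ollymap.pw
- domain: rakinal.ru
- hash: 2c7827f92a103db1b299f334043fbdc73805bbee11f4bfac195f672ba0464d22
- hash: notahash
- ip: 194.87.216.136
- ip: 999.1.1.1
- link: https://www.lookout.com/threat-intelligence/article/gamaredon-russian-android-surveillanceware
"""

IOC_LINE = re.compile(r"^-\s*(domain|hash|ip|link|text|file):\s*(.+?)\s*$")
SHA256 = re.compile(r"^[0-9a-f]{64}$")
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")
# Shared dynamic-DNS parents: block the exact hostnames seen, never the parent.
SHARED_PARENTS = {"ddns.net"}


def parse_iocs(text):
    """Return ({type: sorted unique values}, [(type, rejected_value), ...])."""
    out = defaultdict(set)
    rejected = []
    for line in text.splitlines():
        m = IOC_LINE.match(line)
        if not m:
            continue
        kind, value = m.group(1), m.group(2)
        if kind == "hash":
            value = value.lower()
            if not SHA256.match(value):
                rejected.append((kind, value))
                continue
        elif kind == "ip":
            try:
                ipaddress.ip_address(value)
            except ValueError:
                rejected.append((kind, value))
                continue
        elif kind == "domain":
            value = value.lower().rstrip(".")
            labels = value.split(".")
            if len(labels) < 2 or not all(LABEL.match(l) for l in labels):
                rejected.append((kind, value))
                continue
        out[kind].add(value)
    return {k: sorted(v) for k, v in out.items()}, rejected


def rpz_zone(domains):
    """Response Policy Zone (BIND/Unbound format) returning NXDOMAIN for each indicator.
    Hosts under a shared dynamic-DNS parent get an exact entry only; attacker-registered
    apex domains get an exact entry plus a wildcard so any sub-label is caught."""
    names = set()
    for d in domains:
        apex = ".".join(d.split(".")[-2:])
        if apex in SHARED_PARENTS:
            names.add(d)
        else:
            names.update({apex, "*." + apex})
    header = ["$TTL 300",
              "@ IN SOA localhost. root.localhost. 1 3600 900 604800 300",
              "@ IN NS localhost."]
    return "\n".join(header + [f"{n} CNAME ." for n in sorted(names)]) + "\n"


def suricata_rules(domains, ips, sid_base=9100000):
    """Suricata rules: one dns.query match per domain, one ip alert per C2 address.
    sid_base is an arbitrary local SID range (assumption)."""
    rules, sid = [], sid_base
    for d in domains:
        rules.append(f'alert dns $HOME_NET any -> any any (msg:"Gamaredon Android C2 DNS lookup {d}"; '
                     f'dns.query; content:"{d}"; nocase; endswith; classtype:trojan-activity; sid:{sid}; rev:1;)')
        sid += 1
    for ip in ips:
        rules.append(f'alert ip $HOME_NET any -> {ip} any (msg:"Gamaredon Android C2 connection {ip}"; '
                     f'classtype:trojan-activity; sid:{sid}; rev:1;)')
        sid += 1
    return rules


if __name__ == "__main__":
    iocs, rejected = parse_iocs(SAMPLE_IOC_TEXT)
    print(rpz_zone(iocs.get("domain", [])))
    print("\n".join(suricata_rules(iocs.get("domain", []), iocs.get("ip", []))))
    print("SHA-256 for MDM/EDR app-inventory matching:", *iocs.get("hash", []), sep="\n  ")
    for kind, value in rejected:
        print(f"REJECTED {kind}: {value!r}")
```

The asymmetry in `rpz_zone` is deliberate: ddns.net is a shared dynamic-DNS provider's domain, so a wildcard there would break unrelated users, whereas the .ru and .pw apex names are treated as wholly attacker-controlled registrations. Run the real list through `parse_iocs` first and inspect the rejects; a mangled hash or IP from the extraction step should be corrected from the Lookout article, not discarded.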
Technical Details
- Uuid: 7cf90d8d-61f0-4e36-8083-15f66e3556ad
- Original Timestamp: 1734382956 (2024-12-16 21:02:36 UTC)
Threat ID: 68367c0d182aa0cae23126f3
Added to database: 5/28/2025, 2:59:25 AM
Last enriched: 6/27/2025, 11:23:09 AM
Last updated: 8/1/2025, 1:07:27 PM