Skip to main content
Threat Radar animated logo
DashboardThreatsMapFeedsAPILifetime Access
reconnecting
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

OSINT - ResidentBat: A new spyware family used by Belarusian KGB

0
Medium
Unknownmisp-galaxy:country="belarus"type:osintosint:lifetime="perpetual"osint:certainty="50"tlp:whitetlp:clear
Published: Wed Dec 17 2025 (12/17/2025, 00:00:00 UTC)
Source: CIRCL OSINT Feed
Vendor/Project: type
Product: osint

Description

OSINT - ResidentBat: A new spyware family used by Belarusian KGB

AI-Powered Analysis

AILast updated: 01/10/2026, 00:20:11 UTC

Technical Analysis

ResidentBat is a newly discovered spyware family linked to the Belarusian KGB, identified through open-source intelligence (OSINT) sources. This spyware is designed for covert surveillance, involving network activity that facilitates payload delivery and the dropping of artifacts on compromised systems. While detailed technical specifics are sparse, the spyware's operational profile suggests it is used for persistent espionage, likely targeting entities of strategic interest to Belarusian intelligence. The lack of affected software versions and absence of patches indicate that ResidentBat may be a custom or targeted tool rather than a widespread exploit of common vulnerabilities. The medium severity rating reflects moderate confidence in its impact, with potential to compromise confidentiality and integrity of sensitive data. No known exploits in the wild have been reported, which may indicate limited deployment or recent discovery. The spyware's persistence mechanisms and network behaviors necessitate focused detection strategies. Given its attribution to a state actor, the threat underscores the importance of monitoring geopolitical adversaries' cyber operations. European organizations involved in political, diplomatic, or civil society domains related to Belarus or Eastern Europe should be particularly vigilant. The spyware's presence in network traffic and artifact creation on hosts requires advanced threat hunting and incident response capabilities to detect and mitigate.

Potential Impact

For European organizations, ResidentBat poses a significant espionage risk, particularly to governmental, diplomatic, and civil society entities engaged with Belarus or Eastern European affairs. The spyware's ability to deliver payloads and maintain persistence can lead to unauthorized access to sensitive information, undermining confidentiality and potentially compromising strategic decision-making. The integrity of data may also be at risk if the spyware manipulates or exfiltrates information. Although availability impact appears limited, prolonged undetected presence could facilitate further attacks or data leakage. The medium severity suggests that while the threat is not currently widespread, targeted attacks could have substantial consequences. European organizations with Belarusian connections or those involved in intelligence sharing may face increased targeting. The geopolitical tensions involving Belarus and neighboring countries amplify the risk of cyber espionage campaigns leveraging ResidentBat. Additionally, the spyware could be used to monitor dissidents or activists within Europe, raising privacy and human rights concerns. Overall, the threat could erode trust in digital communications and complicate diplomatic relations if exploited successfully.

Mitigation Recommendations

To mitigate the threat posed by ResidentBat, European organizations should implement enhanced network monitoring focused on detecting unusual payload delivery and artifact creation behaviors. Deploying advanced endpoint detection and response (EDR) solutions capable of identifying persistence mechanisms and suspicious network activity is critical. Organizations should conduct threat hunting exercises using indicators of compromise (IoCs) as they become available, and maintain up-to-date threat intelligence feeds related to Belarusian cyber activities. Network segmentation and strict access controls can limit lateral movement if an infection occurs. Employee awareness training about spear-phishing and social engineering tactics, which are common initial infection vectors for spyware, should be reinforced. Regular audits of system integrity and logs can help identify anomalies indicative of spyware presence. Collaboration with national cybersecurity centers and information sharing with European CERTs can enhance detection and response capabilities. Given the lack of patches, proactive defense and rapid incident response are essential. Finally, organizations should review and harden their supply chain and third-party relationships to reduce exposure to targeted espionage campaigns.

Affected Countries

BelarusBelarus
PolandPoland
LithuaniaLithuania
LatviaLatvia
EstoniaEstonia
GermanyGermany
FranceFrance
United KingdomUnited Kingdom
Need more detailed analysis?Upgrade to Pro Console

Technical Details

Uuid
e94861b3-fefa-4bd2-8113-fa20adeff51d
Original Timestamp
1765976935

Indicators of Compromise

Ip

ValueDescriptionCopy
ip121.37.196.157
C2 / Infrastructure
ip62.109.11.98
C2 / Infrastructure
ip38.180.100.160
C2 / Infrastructure
ip5.129.213.114
C2 / Infrastructure
ip5.253.63.176
C2 / Infrastructure
ip5.253.61.156
C2 / Infrastructure
ip62.109.26.144
C2 / Infrastructure
ip47.106.191.231
C2 / Infrastructure
ip91.240.87.211
C2 / Infrastructure
ip83.220.169.120
C2 / Infrastructure
ip124.71.223.135
C2 / Infrastructure
ip114.55.148.87
C2 / Infrastructure
ip37.46.128.62
C2 / Infrastructure
ip62.109.19.123
C2 / Infrastructure
ip62.109.12.75
C2 / Infrastructure
ip79.132.136.191
C2 / Infrastructure
ip79.132.141.31
C2 / Infrastructure
ip5.129.231.158
C2 / Infrastructure
ip91.192.102.69
C2 / Infrastructure
ip37.46.133.87
C2 / Infrastructure
ip159.138.2.127
C2 / Infrastructure
ip83.147.244.189
C2 / Infrastructure
ip49.87.133.33
C2 / Infrastructure
ip91.228.152.4
C2 / Infrastructure
ip83.220.172.164
C2 / Infrastructure
ip42.62.11.37
C2 / Infrastructure
ip185.18.54.246
C2 / Infrastructure
ip5.129.230.104
C2 / Infrastructure
ip185.248.103.85
C2 / Infrastructure
ip82.157.146.82
C2 / Infrastructure
ip185.248.103.247
C2 / Infrastructure
ip176.10.124.158
C2 / Infrastructure
ip185.248.100.180
C2 / Infrastructure
ip185.248.103.128
C2 / Infrastructure
ip188.120.230.46
C2 / Infrastructure
ip123.60.136.114
C2 / Infrastructure

Hash

ValueDescriptionCopy
hash02dc81ea172e45f0a6fd7241fffd1042f6925c52d2f91dee36085634207be4f1
APK Hashes
hash07d39205f9ba159236477a02cdb3350fac4f158e0dbf26576bb50604339b1f42
APK Hashes
hash0ed73428c7729806be57989f340a09a323af914f197cc0cbb5509316ca5baf7b
APK Hashes
hash48e87bfcaa665bfbfcb027227384905878f090bbc19d02f74c41ade3cafb0950
APK Hashes
hash77126e749a9c1144ae3cebb8deb0b72fc90d4eb73d1072a69a1248b4f518bb47
APK Hashes
hash820c394b22b950335eb5cf21bc7df5c7a33081169f41440c74d67e7a8f196960
APK Hashes
hashc3b92d05b105465881c0f68f5cf6c3edb24d2e5317ffd1256cb68c7921fe0721
APK Hashes
hashfe05ba40f2d4b15db83524c169d030d097abc6713139ce6068969d97a24aa195
APK Hashes
hash0ee925c49c085189c01ce9c6b56f0252
hash54094c857769a1d5270edff809ce4a143d230c6e
hashfe05ba40f2d4b15db83524c169d030d097abc6713139ce6068969d97a24aa195
hash0d56707f7d78e835ac8d7e61f6400367
hash2cf2234f0b8d17a711113812f689f833bf4f46b7
hashc3b92d05b105465881c0f68f5cf6c3edb24d2e5317ffd1256cb68c7921fe0721
hash2769f4a40e38c023ef6f0c342b6c37ce
hashf6f6da59962bf44175849138382e8fc497d95645
hash820c394b22b950335eb5cf21bc7df5c7a33081169f41440c74d67e7a8f196960
hashb6f4a71b68a9e28457b1021288695321
hash2a0949e405c0675382febf22094028f2c5418604
hash77126e749a9c1144ae3cebb8deb0b72fc90d4eb73d1072a69a1248b4f518bb47
hash943102f89056ed58f4324a961b4ea0b5
hash9e0d79918606632ff35acd6c7e261af5d9bd05f5
hash48e87bfcaa665bfbfcb027227384905878f090bbc19d02f74c41ade3cafb0950
hashbcc9c677bf611e7143fd1ac5bfbcee77
hashfc922595083d0b8d48c1e98aca99d30ed041be89
hash0ed73428c7729806be57989f340a09a323af914f197cc0cbb5509316ca5baf7b
hash46e14db360c15dd3d778a0c297f5eaca
hash8bbaba18392d858ab28a0c8857b85d3e433f123f
hash07d39205f9ba159236477a02cdb3350fac4f158e0dbf26576bb50604339b1f42
hash1cdb8fc15c859dac8700ea7abcea7ded
hashed2cb23fec745c2fb109792b35833a98fce3f6fc
hash02dc81ea172e45f0a6fd7241fffd1042f6925c52d2f91dee36085634207be4f1

X509 fingerprint-sha256

ValueDescriptionCopy
x509-fingerprint-sha25618afc5c6bfaee504a26291f6bf3e6f823dbedd54bba0c4acac2e7c2414b3e24d
APK Certificate Hashes
x509-fingerprint-sha256c1884e617348ebbdfe7cfe5fc99945b37296d6ebc6059bb74fbaeea277d32941
APK Certificate Hashes
x509-fingerprint-sha256e5016f3cfb937d502dabedc32ca3bdef3bbcce032fb3b1bff3b9c6482895f4fd
APK Certificate Hashes
x509-fingerprint-sha256d12616542268d32329f1c4357b5d5a57e954e13d2338d27bb8439794291b8c6d
APK Certificate Hashes
x509-fingerprint-sha2563e9f1192e33cb851b48479629c93d29770a4f76af00f1e42a3c6e7f97db62c79
APK Certificate Hashes
x509-fingerprint-sha2566782039a81a85264acdc6af0973b225ada6009f76faae7f948a1de040bb32f0c
APK Certificate Hashes
x509-fingerprint-sha256a6a067b0d899fb514b7b4597d4fe16fcd4d7e5c361f6c84b3d45ed7e394036c7
APK Certificate Hashes
x509-fingerprint-sha2566d6278ffc80ad9dd1b1c6b445847ce108f3ea5ce349f232689e9b8c1fd10801e
APK Certificate Hashes

Url

ValueDescriptionCopy
urlhttps://188.120.230.46:7003
urlhttps://45.155.7.166:7035
urlhttps://79.132.136.191:7007
urlhttps://79.132.136.191:7017
urlhttps://mtcat.info:7007
urlhttps://mtcat.info:7017

Port

ValueDescriptionCopy
port7003
port7035
port7007
port7017
port7007
port7017

Domain

ValueDescriptionCopy
domain188.120.230.46
domain45.155.7.166
domain79.132.136.191
domain79.132.136.191
domainmtcat.info
domainmtcat.info
domainmtcat.info
domainmtcat.info

Text

ValueDescriptionCopy
textinfo
textmtcat
textinfo
textmtcat
textcom.google.android.service
textcom.google.bat
textcom.huaweisettingsapp.mkz
textcom.linkedln.service
textcom.oneplussync.bat
textcom.android.framework.safety
textcom.hihonor.core.service
textcm.google.android.apps.assistant
text18/67
textThere seems to be a growing trend in surveillance of civil society where no remote attacks against the phone are used to install spyware, but rather physical access. Surveillance of journalists, lawyers and other members of civil society is on the rise, with the use of spyware such as NoviSpy, Massistant and Monokle. This kind of tactical spyware requires physical rather than remote access to install spyware on a target’s phone. What we document in this report follows this trend. In the third quarter of 2025(Q3 of 2025), RESIDENT.NGO identified a malware sample found on a journalist’s phone shortly after the journalist had met with the Belarusian KGB (secret service). Following an initial analysis, RESIDENT.NGO escalated the case to the Digital Security Lab (DSL) at Reporters Without Borders. The results presented in this report stem from our joint research. This previously unknown spyware, which we detected, is used by the Belarusian KGB to track and surveil targets. As the malware contains the strings “bat” and “resident”, we call this spyware ResidentBat. Reporters Without Borders is grateful to Amnesty International’s Security Lab for forensic and technical support during this investigation, and for peer-reviewing an earlier draft of this research.
textResidentBat: A new spyware family used by Belarusian KGB

Tlsh

ValueDescriptionCopy
tlsht12aa42356c2018c07d9f4237e949ea50962fc090badc0fb4da74a532d2f2eb9151ddfae
tlsht1cce42387af0fb0a2c6f38833179312529a570ca51973d0d3de8a56695d9afc0cf1bad4
tlsht11bb4235642006c07e8f9273ed4ae955992e4090b6dc5ff0e6b1e532c2d2efa290dcf9d
tlsht177741243ab10eecdcdb72335c2722094c2719d79599beee3891d90fa25b23e5d7809e0
tlsht111b42243eb9ba9d0e9a379768bab4041913347553b63c69b2f41f4b80a73fc4c71a9c4
tlsht117d42387ef0be061c6f7893353d35262809708995c72e0f3dd8796652daeb90db07e94
tlsht119a423ae3f29a729d55d99fedafd623140b21e461b44721d4c0c31d8796e3ba27c0de0
tlsht11fe423833663d680dafbd473ab6223b1607759b654f3c4e79681b078b5a66a0df03dc0

Vhash

ValueDescriptionCopy
vhash209777f95128ad4f4da510c963776ebe
vhash5e5e1c95ecff402cc4c8945a83401732
vhash209777f95128ad4f4da510c963776ebe
vhashf87cc874e24829eef63b376bc9d3a735
vhash8d7c8e4216e592fc80240476f4cece81
vhash5e5e1c95ecff402cc4c8945a83401732
vhash209777f95128ad4f4da510c963776ebe
vhash5e5e1c95ecff402cc4c8945a83401732

Ssdeep

ValueDescriptionCopy
ssdeep12288:JsUmbr9ixH+XbQyEXQaaSwbl57OXk7FRbyIgrjEjdU6:Jki0X0yEXQP3b71CEjL
ssdeep12288:bbK+Qe2LHgcQ0pnSrFn0guEdd3iNWxdkdzpoa7vAzM7qmCIXf3hJ456o8WTdjEjP:bge27BJcKgVdxGzua74zD9of3hJ4wWTC
ssdeep12288:F2nsUmbr9ixH+XbQyEXQaaSwbl57OXk7FRbyjZk8vjEjdUK:Di0X0yEXQP3b7oZkmEjT
ssdeep6144:cG7ae85i04BA7Qv0uPZH9QyWT+z1gu3g3/J++7C1EGdyKFgjEjd1pIk:f7PGR3W0ul9HWT+hN3g0vdMKyjEjdUk
ssdeep12288:FOwH5tnx79C+XU2uCp2sEXtu7Y0+cmu4uuNuM4FLSbO71HPQpgajEjdUH:FOwHfxZT3p2sEs+3Zv48i7BPQpgIEjU
ssdeep12288:cQHK+Qe2LHgcQ0pnSrFn0guEdd3iNWxdkdzpoj7vAzM7qmCIXf3hJ456oOVjEjdd:cXe27BJcKgVdxGzuj74zD9of3hJ4CRE7
ssdeep12288:mI+lcyeXAl4W5CF8XqxgLrIFhhBSvnCyGX2JhdH8cRm2ZOjEjdU1:9ScivFaxgCgvnCyGX2Jhdfd6Ejk
ssdeep12288:XeRkaATjRiM8mYgXgxH9pcDr4Mht7vAzM7qmCIXf3hJ456oYSXjjEjdU7:bv/N8hgwVLcDr4e74zD9of3hJ48SX3Ew

Link

ValueDescriptionCopy
linkhttps://www.virustotal.com/gui/file/07d39205f9ba159236477a02cdb3350fac4f158e0dbf26576bb50604339b1f42
linkhttps://rsf.org/sites/default/files/medias/file/2025/12/report_0.pdf

File

ValueDescriptionCopy
filereport_0.pdf

Threat ID: 694325fbfab815a9fc24fb0e

Added to database: 12/17/2025, 9:51:55 PM

Last enriched: 1/10/2026, 12:20:11 AM

Last updated: 2/7/2026, 12:12:51 AM

Views: 88

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Related Threats

KRVTZ-NET IDS alerts for 2026-02-06

Low
UnknownFri Feb 06 2026

ThreatFox IOCs for 2026-02-05

Medium
MalwareFri Feb 06 2026

KRVTZ-NET IDS alerts for 2026-02-05

Low
UnknownThu Feb 05 2026

ThreatFox IOCs for 2026-02-04

Medium
MalwareThu Feb 05 2026

KRVTZ-NET IDS alerts for 2026-02-04

Low
UnknownWed Feb 04 2026

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

External Links

Search on Google

Need more coverage?

Upgrade to Pro Console in Console -> Billing for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats