OSINT - ResidentBat: A new spyware family used by Belarusian KGB
AI Analysis
Technical Summary
ResidentBat is a newly discovered spyware family linked to the Belarusian KGB, identified through open-source intelligence (OSINT) sources. This spyware is designed for persistent surveillance and intelligence collection, involving network activity that facilitates payload delivery and artifact dropping on compromised systems. Although specific technical details such as infection vectors, command and control infrastructure, or payload capabilities are not fully disclosed, the association with a state-sponsored actor implies a high level of operational security and targeted use. The spyware likely operates covertly to maintain long-term access to victim systems, enabling continuous data exfiltration or monitoring. No patches or mitigations are currently available, and no known exploits have been observed in the wild, indicating either a new or tightly controlled deployment. The medium severity rating reflects the spyware's potential to compromise confidentiality and privacy of targeted entities, with moderate implications for system integrity and availability. The lack of detailed indicators and technical specifics limits the ability to fully assess the threat landscape, but the presence of network activity and payload delivery suggests the need for vigilant network and endpoint security monitoring. The spyware's perpetual lifetime tag suggests ongoing or repeated use in espionage campaigns. This threat is particularly relevant for organizations involved in political, diplomatic, or economic activities related to Belarus or its geopolitical interests.
Potential Impact
For European organizations, ResidentBat poses a significant threat to confidentiality, especially for entities involved in political, diplomatic, or economic sectors with Belarus or Eastern European interests. The spyware's ability to deliver payloads and drop artifacts on systems can lead to unauthorized data access, espionage, and potential compromise of sensitive communications. While the direct impact on system integrity and availability appears moderate, persistent access could enable further exploitation or lateral movement within networks. The lack of known exploits in the wild suggests limited current spread, but the association with a state actor indicates targeted, high-value attacks rather than broad opportunistic campaigns. European organizations with Belarusian connections or those operating in countries with tense geopolitical relations with Belarus may be at elevated risk. The spyware could undermine trust in digital communications and complicate diplomatic relations if used against government or critical infrastructure entities. Additionally, the absence of patches or direct mitigation tools increases the challenge of defense, necessitating proactive threat hunting and network monitoring.
Mitigation Recommendations
European organizations should implement advanced network traffic analysis to detect unusual outbound connections or payload delivery attempts potentially linked to ResidentBat. Deploy endpoint detection and response (EDR) solutions capable of identifying and quarantining suspicious artifacts or behaviors associated with spyware. Strengthen email and web filtering to reduce the risk of initial infection vectors, even though specific delivery methods are not detailed. Conduct regular threat hunting exercises focusing on indicators of compromise related to Belarusian state-sponsored activities. Enforce strict access controls and segmentation to limit lateral movement if a system is compromised. Maintain up-to-date backups and incident response plans tailored to espionage and spyware scenarios. Collaborate with national cybersecurity agencies and information sharing groups to receive timely intelligence updates. Given the lack of patches, prioritize detection and containment over remediation. Educate staff on spear-phishing and social engineering tactics that may be used to deploy spyware payloads. Finally, monitor geopolitical developments to anticipate shifts in targeting that may affect organizational risk profiles.
Affected Countries
Belarus, Poland, Lithuania, Latvia, Estonia, Germany, France, United Kingdom
Indicators of Compromise
- ip: 121.37.196.157
- ip: 62.109.11.98
- ip: 38.180.100.160
- ip: 5.129.213.114
- ip: 5.253.63.176
- ip: 5.253.61.156
- ip: 62.109.26.144
- ip: 47.106.191.231
- ip: 91.240.87.211
- ip: 83.220.169.120
- ip: 124.71.223.135
- ip: 114.55.148.87
- ip: 37.46.128.62
- ip: 62.109.19.123
- ip: 62.109.12.75
- ip: 79.132.136.191
- ip: 79.132.141.31
- ip: 5.129.231.158
- ip: 91.192.102.69
- ip: 37.46.133.87
- ip: 159.138.2.127
- ip: 83.147.244.189
- ip: 49.87.133.33
- ip: 91.228.152.4
- ip: 83.220.172.164
- ip: 42.62.11.37
- ip: 185.18.54.246
- ip: 5.129.230.104
- ip: 185.248.103.85
- ip: 82.157.146.82
- ip: 185.248.103.247
- ip: 176.10.124.158
- ip: 185.248.100.180
- ip: 185.248.103.128
- ip: 188.120.230.46
- ip: 123.60.136.114
- hash: 02dc81ea172e45f0a6fd7241fffd1042f6925c52d2f91dee36085634207be4f1
- hash: 07d39205f9ba159236477a02cdb3350fac4f158e0dbf26576bb50604339b1f42
- hash: 0ed73428c7729806be57989f340a09a323af914f197cc0cbb5509316ca5baf7b
- hash: 48e87bfcaa665bfbfcb027227384905878f090bbc19d02f74c41ade3cafb0950
- hash: 77126e749a9c1144ae3cebb8deb0b72fc90d4eb73d1072a69a1248b4f518bb47
- hash: 820c394b22b950335eb5cf21bc7df5c7a33081169f41440c74d67e7a8f196960
- hash: c3b92d05b105465881c0f68f5cf6c3edb24d2e5317ffd1256cb68c7921fe0721
- hash: fe05ba40f2d4b15db83524c169d030d097abc6713139ce6068969d97a24aa195
- x509-fingerprint-sha256: 18afc5c6bfaee504a26291f6bf3e6f823dbedd54bba0c4acac2e7c2414b3e24d
- x509-fingerprint-sha256: c1884e617348ebbdfe7cfe5fc99945b37296d6ebc6059bb74fbaeea277d32941
- x509-fingerprint-sha256: e5016f3cfb937d502dabedc32ca3bdef3bbcce032fb3b1bff3b9c6482895f4fd
- x509-fingerprint-sha256: d12616542268d32329f1c4357b5d5a57e954e13d2338d27bb8439794291b8c6d
- x509-fingerprint-sha256: 3e9f1192e33cb851b48479629c93d29770a4f76af00f1e42a3c6e7f97db62c79
- x509-fingerprint-sha256: 6782039a81a85264acdc6af0973b225ada6009f76faae7f948a1de040bb32f0c
- x509-fingerprint-sha256: a6a067b0d899fb514b7b4597d4fe16fcd4d7e5c361f6c84b3d45ed7e394036c7
- x509-fingerprint-sha256: 6d6278ffc80ad9dd1b1c6b445847ce108f3ea5ce349f232689e9b8c1fd10801e
- url: https://188.120.230.46:7003
- port: 7003
- domain: 188.120.230.46
- url: https://45.155.7.166:7035
- port: 7035
- domain: 45.155.7.166
- url: https://79.132.136.191:7007
- port: 7007
- domain: 79.132.136.191
- url: https://79.132.136.191:7017
- port: 7017
- domain: 79.132.136.191
- url: https://mtcat.info:7007
- text: info
- port: 7007
- domain: mtcat.info
- text: mtcat
- domain: mtcat.info
- url: https://mtcat.info:7017
- text: info
- port: 7017
- domain: mtcat.info
- text: mtcat
- domain: mtcat.info
- text: com.google.android.service
- text: com.google.bat
- text: com.huaweisettingsapp.mkz
- text: com.linkedln.service
- text: com.oneplussync.bat
- text: com.android.framework.safety
- text: com.hihonor.core.service
- text: cm.google.android.apps.assistant
- hash: 0ee925c49c085189c01ce9c6b56f0252
- hash: 54094c857769a1d5270edff809ce4a143d230c6e
- hash: fe05ba40f2d4b15db83524c169d030d097abc6713139ce6068969d97a24aa195
- tlsh: t12aa42356c2018c07d9f4237e949ea50962fc090badc0fb4da74a532d2f2eb9151ddfae
- vhash: 209777f95128ad4f4da510c963776ebe
- ssdeep: 12288:JsUmbr9ixH+XbQyEXQaaSwbl57OXk7FRbyIgrjEjdU6:Jki0X0yEXQP3b71CEjL
- hash: 0d56707f7d78e835ac8d7e61f6400367
- hash: 2cf2234f0b8d17a711113812f689f833bf4f46b7
- hash: c3b92d05b105465881c0f68f5cf6c3edb24d2e5317ffd1256cb68c7921fe0721
- tlsh: t1cce42387af0fb0a2c6f38833179312529a570ca51973d0d3de8a56695d9afc0cf1bad4
- vhash: 5e5e1c95ecff402cc4c8945a83401732
- ssdeep: 12288:bbK+Qe2LHgcQ0pnSrFn0guEdd3iNWxdkdzpoa7vAzM7qmCIXf3hJ456o8WTdjEjP:bge27BJcKgVdxGzua74zD9of3hJ4wWTC
- hash: 2769f4a40e38c023ef6f0c342b6c37ce
- hash: f6f6da59962bf44175849138382e8fc497d95645
- hash: 820c394b22b950335eb5cf21bc7df5c7a33081169f41440c74d67e7a8f196960
- tlsh: t11bb4235642006c07e8f9273ed4ae955992e4090b6dc5ff0e6b1e532c2d2efa290dcf9d
- vhash: 209777f95128ad4f4da510c963776ebe
- ssdeep: 12288:F2nsUmbr9ixH+XbQyEXQaaSwbl57OXk7FRbyjZk8vjEjdUK:Di0X0yEXQP3b7oZkmEjT
- hash: b6f4a71b68a9e28457b1021288695321
- hash: 2a0949e405c0675382febf22094028f2c5418604
- hash: 77126e749a9c1144ae3cebb8deb0b72fc90d4eb73d1072a69a1248b4f518bb47
- tlsh: t177741243ab10eecdcdb72335c2722094c2719d79599beee3891d90fa25b23e5d7809e0
- vhash: f87cc874e24829eef63b376bc9d3a735
- ssdeep: 6144:cG7ae85i04BA7Qv0uPZH9QyWT+z1gu3g3/J++7C1EGdyKFgjEjd1pIk:f7PGR3W0ul9HWT+hN3g0vdMKyjEjdUk
- hash: 943102f89056ed58f4324a961b4ea0b5
- hash: 9e0d79918606632ff35acd6c7e261af5d9bd05f5
- hash: 48e87bfcaa665bfbfcb027227384905878f090bbc19d02f74c41ade3cafb0950
- tlsh: t111b42243eb9ba9d0e9a379768bab4041913347553b63c69b2f41f4b80a73fc4c71a9c4
- vhash: 8d7c8e4216e592fc80240476f4cece81
- ssdeep: 12288:FOwH5tnx79C+XU2uCp2sEXtu7Y0+cmu4uuNuM4FLSbO71HPQpgajEjdUH:FOwHfxZT3p2sEs+3Zv48i7BPQpgIEjU
- hash: bcc9c677bf611e7143fd1ac5bfbcee77
- hash: fc922595083d0b8d48c1e98aca99d30ed041be89
- hash: 0ed73428c7729806be57989f340a09a323af914f197cc0cbb5509316ca5baf7b
- tlsh: t117d42387ef0be061c6f7893353d35262809708995c72e0f3dd8796652daeb90db07e94
- vhash: 5e5e1c95ecff402cc4c8945a83401732
- ssdeep: 12288:cQHK+Qe2LHgcQ0pnSrFn0guEdd3iNWxdkdzpoj7vAzM7qmCIXf3hJ456oOVjEjdd:cXe27BJcKgVdxGzuj74zD9of3hJ4CRE7
- link: https://www.virustotal.com/gui/file/07d39205f9ba159236477a02cdb3350fac4f158e0dbf26576bb50604339b1f42
- text: 18/67
- hash: 46e14db360c15dd3d778a0c297f5eaca
- hash: 8bbaba18392d858ab28a0c8857b85d3e433f123f
- hash: 07d39205f9ba159236477a02cdb3350fac4f158e0dbf26576bb50604339b1f42
- tlsh: t119a423ae3f29a729d55d99fedafd623140b21e461b44721d4c0c31d8796e3ba27c0de0
- vhash: 209777f95128ad4f4da510c963776ebe
- ssdeep: 12288:mI+lcyeXAl4W5CF8XqxgLrIFhhBSvnCyGX2JhdH8cRm2ZOjEjdU1:9ScivFaxgCgvnCyGX2Jhdfd6Ejk
- hash: 1cdb8fc15c859dac8700ea7abcea7ded
- hash: ed2cb23fec745c2fb109792b35833a98fce3f6fc
- hash: 02dc81ea172e45f0a6fd7241fffd1042f6925c52d2f91dee36085634207be4f1
- tlsh: t11fe423833663d680dafbd473ab6223b1607759b654f3c4e79681b078b5a66a0df03dc0
- vhash: 5e5e1c95ecff402cc4c8945a83401732
- ssdeep: 12288:XeRkaATjRiM8mYgXgxH9pcDr4Mht7vAzM7qmCIXf3hJ456oYSXjjEjdU7:bv/N8hgwVLcDr4e74zD9of3hJ48SX3Ew
- link: https://rsf.org/sites/default/files/medias/file/2025/12/report_0.pdf
- text: There seems to be a growing trend in surveillance of civil society where no remote attacks against the phone are used to install spyware, but rather physical access. Surveillance of journalists, lawyers and other members of civil society is on the rise, with the use of spyware such as NoviSpy, Massistant and Monokle. This kind of tactical spyware requires physical rather than remote access to install spyware on a target's phone. What we document in this report follows this trend. In the third quarter of 2025 (Q3 of 2025), RESIDENT.NGO identified a malware sample found on a journalist's phone shortly after the journalist had met with the Belarusian KGB (secret service). Following an initial analysis, RESIDENT.NGO escalated the case to the Digital Security Lab (DSL) at Reporters Without Borders. The results presented in this report stem from our joint research. This previously unknown spyware, which we detected, is used by the Belarusian KGB to track and surveil targets. As the malware contains the strings "bat" and "resident", we call this spyware ResidentBat. Reporters Without Borders is grateful to Amnesty International's Security Lab for forensic and technical support during this investigation, and for peer-reviewing an earlier draft of this research.
- text: ResidentBat: A new spyware family used by Belarusian KGB
- file: report_0.pdf
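The Mitigation Recommendations above ask for network traffic analysis and threat hunting against the listed indicators. The following is an added defender-side example, not code from OffSeq, RESIDENT.NGO or RSF: it sweeps a constructed key=value connection log against the C2 IPs, domain and ports listed above, and a constructed installed-package list against the listed Android package names, adding a one-character lookalike check against an assumed set of vendor prefixes (the page's own list includes "com.linkedln" and "cm.google" variants). The log format, the sample lines, the package list, the VENDOR_PREFIXES set and the "com.gogle.sync" entry are assumptions for the example; every indicator value in the code is copied from the page.

```python
"""Sweep constructed telemetry for the ResidentBat indicators listed on this page.

Added example: not code from OffSeq, RESIDENT.NGO or RSF. Indicator values are
copied from the page's IoC list; the key=value log format, the sample log
lines, the package list and VENDOR_PREFIXES are constructed assumptions.
"""
import re
from dataclasses import dataclass

# Network indicators from the page (subset of the "C2 / Infrastructure" IPs,
# plus the listed domain and ports).
C2_IPS = {
    "188.120.230.46", "45.155.7.166", "79.132.136.191", "79.132.141.31",
    "185.248.103.85", "185.248.103.247", "185.248.100.180", "185.248.103.128",
}
C2_DOMAINS = {"mtcat.info"}
C2_PORTS = {7003, 7007, 7017, 7035}

# Android package names the page lists as text indicators.
LISTED_PACKAGES = {
    "com.google.android.service", "com.google.bat", "com.huaweisettingsapp.mkz",
    "com.linkedln.service", "com.oneplussync.bat", "com.android.framework.safety",
    "com.hihonor.core.service", "cm.google.android.apps.assistant",
}
# Assumed legitimate vendor prefixes, used to spot one-character lookalikes.
VENDOR_PREFIXES = {"com.google", "com.android", "com.huawei", "com.hihonor",
                   "com.linkedin", "com.oneplus"}

KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Hit:
    line_no: int
    reason: str
    value: str


def scan_network_log(lines):
    """Return one Hit per log line whose destination matches a page indicator.

    IP and domain matches are strong; a listed port on an unlisted host is
    reported as low confidence because high ports alone are not distinctive.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        f = dict(KV_RE.findall(line))
        dst, host = f.get("dst", ""), f.get("host", "").lower()
        port = int(f["dport"]) if f.get("dport", "").isdigit() else 0
        if dst in C2_IPS:
            hits.append(Hit(n, "dst ip on C2 list", dst))
        elif host in C2_DOMAINS or any(host.endswith("." + d) for d in C2_DOMAINS):
            hits.append(Hit(n, "host on C2 list", host))
        elif port in C2_PORTS:
            hits.append(Hit(n, "C2 port only (low confidence)", str(port)))
    return hits


def edit_distance(a, b):
    """Plain Levenshtein distance, used for the lookalike-prefix check."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def scan_packages(installed):
    """Map suspicious package names to the reason they were flagged."""
    flagged = {}
    for pkg in installed:
        if pkg in LISTED_PACKAGES:
            flagged[pkg] = "listed indicator"
            continue
        prefix = ".".join(pkg.split(".")[:2])
        if prefix in VENDOR_PREFIXES:
            continue
        for vendor in sorted(VENDOR_PREFIXES):
            if edit_distance(prefix, vendor) == 1:
                flagged[pkg] = f"lookalike of {vendor}"
                break
    return flagged


# Constructed sample inputs (RFC 5737 addresses stand in for benign hosts).
SAMPLE_LOG = [
    "ts=2025-12-17T09:00:01Z src=10.0.0.5 dst=192.0.2.10 dport=443 host=example.com",
    "ts=2025-12-17T09:00:07Z src=10.0.0.5 dst=79.132.136.191 dport=7017 host=-",
    "ts=2025-12-17T09:00:09Z src=10.0.0.5 dst=203.0.113.9 dport=7007 host=mtcat.info",
    "ts=2025-12-17T09:01:30Z src=10.0.0.7 dst=198.51.100.20 dport=7003 host=-",
]
SAMPLE_PACKAGES = [
    "com.android.chrome", "com.linkedln.service", "org.signal",
    "cm.google.android.apps.assistant", "com.google.android.gms",
    "com.gogle.sync",  # constructed lookalike, not an indicator from the page
]

if __name__ == "__main__":
    for h in scan_network_log(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.reason}: {h.value}")
    for pkg, why in scan_packages(SAMPLE_PACKAGES).items():
        print(f"package {pkg}: {why}")
```

Port-only matches are kept separate from IP and domain matches on purpose: the listed ports are plausible on unrelated services, so a port hit is a prompt to look at the host, not evidence by itself. The lookalike check catches names one edit away from a vendor prefix, which is the pattern the listed "com.linkedln" and "cm.google" names follow.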
Technical Details
- Uuid: e94861b3-fefa-4bd2-8113-fa20adeff51d
- Original Timestamp: 1765976935
Indicators of Compromise
Ip
| Value | Description |
|---|---|
| 121.37.196.157 | C2 / Infrastructure |
| 62.109.11.98 | C2 / Infrastructure |
| 38.180.100.160 | C2 / Infrastructure |
| 5.129.213.114 | C2 / Infrastructure |
| 5.253.63.176 | C2 / Infrastructure |
| 5.253.61.156 | C2 / Infrastructure |
| 62.109.26.144 | C2 / Infrastructure |
| 47.106.191.231 | C2 / Infrastructure |
| 91.240.87.211 | C2 / Infrastructure |
| 83.220.169.120 | C2 / Infrastructure |
| 124.71.223.135 | C2 / Infrastructure |
| 114.55.148.87 | C2 / Infrastructure |
| 37.46.128.62 | C2 / Infrastructure |
| 62.109.19.123 | C2 / Infrastructure |
| 62.109.12.75 | C2 / Infrastructure |
| 79.132.136.191 | C2 / Infrastructure |
| 79.132.141.31 | C2 / Infrastructure |
| 5.129.231.158 | C2 / Infrastructure |
| 91.192.102.69 | C2 / Infrastructure |
| 37.46.133.87 | C2 / Infrastructure |
| 159.138.2.127 | C2 / Infrastructure |
| 83.147.244.189 | C2 / Infrastructure |
| 49.87.133.33 | C2 / Infrastructure |
| 91.228.152.4 | C2 / Infrastructure |
| 83.220.172.164 | C2 / Infrastructure |
| 42.62.11.37 | C2 / Infrastructure |
| 185.18.54.246 | C2 / Infrastructure |
| 5.129.230.104 | C2 / Infrastructure |
| 185.248.103.85 | C2 / Infrastructure |
| 82.157.146.82 | C2 / Infrastructure |
| 185.248.103.247 | C2 / Infrastructure |
| 176.10.124.158 | C2 / Infrastructure |
| 185.248.100.180 | C2 / Infrastructure |
| 185.248.103.128 | C2 / Infrastructure |
| 188.120.230.46 | C2 / Infrastructure |
| 123.60.136.114 | C2 / Infrastructure |
Hash
| Value | Description |
|---|---|
| 02dc81ea172e45f0a6fd7241fffd1042f6925c52d2f91dee36085634207be4f1 | APK Hashes (SHA-256) |
| 07d39205f9ba159236477a02cdb3350fac4f158e0dbf26576bb50604339b1f42 | APK Hashes (SHA-256) |
| 0ed73428c7729806be57989f340a09a323af914f197cc0cbb5509316ca5baf7b | APK Hashes (SHA-256) |
| 48e87bfcaa665bfbfcb027227384905878f090bbc19d02f74c41ade3cafb0950 | APK Hashes (SHA-256) |
| 77126e749a9c1144ae3cebb8deb0b72fc90d4eb73d1072a69a1248b4f518bb47 | APK Hashes (SHA-256) |
| 820c394b22b950335eb5cf21bc7df5c7a33081169f41440c74d67e7a8f196960 | APK Hashes (SHA-256) |
| c3b92d05b105465881c0f68f5cf6c3edb24d2e5317ffd1256cb68c7921fe0721 | APK Hashes (SHA-256) |
| fe05ba40f2d4b15db83524c169d030d097abc6713139ce6068969d97a24aa195 | APK Hashes (SHA-256) |
| 0ee925c49c085189c01ce9c6b56f0252 | MD5 |
| 54094c857769a1d5270edff809ce4a143d230c6e | SHA-1 |
| fe05ba40f2d4b15db83524c169d030d097abc6713139ce6068969d97a24aa195 | SHA-256 |
| 0d56707f7d78e835ac8d7e61f6400367 | MD5 |
| 2cf2234f0b8d17a711113812f689f833bf4f46b7 | SHA-1 |
| c3b92d05b105465881c0f68f5cf6c3edb24d2e5317ffd1256cb68c7921fe0721 | SHA-256 |
| 2769f4a40e38c023ef6f0c342b6c37ce | MD5 |
| f6f6da59962bf44175849138382e8fc497d95645 | SHA-1 |
| 820c394b22b950335eb5cf21bc7df5c7a33081169f41440c74d67e7a8f196960 | SHA-256 |
| b6f4a71b68a9e28457b1021288695321 | MD5 |
| 2a0949e405c0675382febf22094028f2c5418604 | SHA-1 |
| 77126e749a9c1144ae3cebb8deb0b72fc90d4eb73d1072a69a1248b4f518bb47 | SHA-256 |
| 943102f89056ed58f4324a961b4ea0b5 | MD5 |
| 9e0d79918606632ff35acd6c7e261af5d9bd05f5 | SHA-1 |
| 48e87bfcaa665bfbfcb027227384905878f090bbc19d02f74c41ade3cafb0950 | SHA-256 |
| bcc9c677bf611e7143fd1ac5bfbcee77 | MD5 |
| fc922595083d0b8d48c1e98aca99d30ed041be89 | SHA-1 |
| 0ed73428c7729806be57989f340a09a323af914f197cc0cbb5509316ca5baf7b | SHA-256 |
| 46e14db360c15dd3d778a0c297f5eaca | MD5 |
| 8bbaba18392d858ab28a0c8857b85d3e433f123f | SHA-1 |
| 07d39205f9ba159236477a02cdb3350fac4f158e0dbf26576bb50604339b1f42 | SHA-256 |
| 1cdb8fc15c859dac8700ea7abcea7ded | MD5 |
| ed2cb23fec745c2fb109792b35833a98fce3f6fc | SHA-1 |
| 02dc81ea172e45f0a6fd7241fffd1042f6925c52d2f91dee36085634207be4f1 | SHA-256 |
X509 fingerprint-sha256
| Value | Description |
|---|---|
| 18afc5c6bfaee504a26291f6bf3e6f823dbedd54bba0c4acac2e7c2414b3e24d | APK Certificate Hashes |
| c1884e617348ebbdfe7cfe5fc99945b37296d6ebc6059bb74fbaeea277d32941 | APK Certificate Hashes |
| e5016f3cfb937d502dabedc32ca3bdef3bbcce032fb3b1bff3b9c6482895f4fd | APK Certificate Hashes |
| d12616542268d32329f1c4357b5d5a57e954e13d2338d27bb8439794291b8c6d | APK Certificate Hashes |
| 3e9f1192e33cb851b48479629c93d29770a4f76af00f1e42a3c6e7f97db62c79 | APK Certificate Hashes |
| 6782039a81a85264acdc6af0973b225ada6009f76faae7f948a1de040bb32f0c | APK Certificate Hashes |
| a6a067b0d899fb514b7b4597d4fe16fcd4d7e5c361f6c84b3d45ed7e394036c7 | APK Certificate Hashes |
| 6d6278ffc80ad9dd1b1c6b445847ce108f3ea5ce349f232689e9b8c1fd10801e | APK Certificate Hashes |
Url
| Value | Description |
|---|---|
| https://188.120.230.46:7003 | — |
| https://45.155.7.166:7035 | — |
| https://79.132.136.191:7007 | — |
| https://79.132.136.191:7017 | — |
| https://mtcat.info:7007 | — |
| https://mtcat.info:7017 | — |
Port
| Value | Description |
|---|---|
| 7003 | — |
| 7035 | — |
| 7007 | — |
| 7017 | — |
| 7007 | — |
| 7017 | — |
Domain
| Value | Description |
|---|---|
| 188.120.230.46 | — |
| 45.155.7.166 | — |
| 79.132.136.191 | — |
| 79.132.136.191 | — |
| mtcat.info | — |
| mtcat.info | — |
| mtcat.info | — |
| mtcat.info | — |
Text
| Value | Description |
|---|---|
| info | — |
| mtcat | — |
| info | — |
| mtcat | — |
| com.google.android.service | — |
| com.google.bat | — |
| com.huaweisettingsapp.mkz | — |
| com.linkedln.service | — |
| com.oneplussync.bat | — |
| com.android.framework.safety | — |
| com.hihonor.core.service | — |
| cm.google.android.apps.assistant | — |
| 18/67 | — |
| There seems to be a growing trend in surveillance of civil society where no remote attacks against the phone are used to install spyware, but rather physical access. Surveillance of journalists, lawyers and other members of civil society is on the rise, with the use of spyware such as NoviSpy, Massistant and Monokle. This kind of tactical spyware requires physical rather than remote access to install spyware on a target's phone. What we document in this report follows this trend. In the third quarter of 2025 (Q3 of 2025), RESIDENT.NGO identified a malware sample found on a journalist's phone shortly after the journalist had met with the Belarusian KGB (secret service). Following an initial analysis, RESIDENT.NGO escalated the case to the Digital Security Lab (DSL) at Reporters Without Borders. The results presented in this report stem from our joint research. This previously unknown spyware, which we detected, is used by the Belarusian KGB to track and surveil targets. As the malware contains the strings "bat" and "resident", we call this spyware ResidentBat. Reporters Without Borders is grateful to Amnesty International's Security Lab for forensic and technical support during this investigation, and for peer-reviewing an earlier draft of this research. | — |
| ResidentBat: A new spyware family used by Belarusian KGB | — |
Tlsh
| Value | Description |
|---|---|
| t12aa42356c2018c07d9f4237e949ea50962fc090badc0fb4da74a532d2f2eb9151ddfae | — |
| t1cce42387af0fb0a2c6f38833179312529a570ca51973d0d3de8a56695d9afc0cf1bad4 | — |
| t11bb4235642006c07e8f9273ed4ae955992e4090b6dc5ff0e6b1e532c2d2efa290dcf9d | — |
| t177741243ab10eecdcdb72335c2722094c2719d79599beee3891d90fa25b23e5d7809e0 | — |
| t111b42243eb9ba9d0e9a379768bab4041913347553b63c69b2f41f4b80a73fc4c71a9c4 | — |
| t117d42387ef0be061c6f7893353d35262809708995c72e0f3dd8796652daeb90db07e94 | — |
| t119a423ae3f29a729d55d99fedafd623140b21e461b44721d4c0c31d8796e3ba27c0de0 | — |
| t11fe423833663d680dafbd473ab6223b1607759b654f3c4e79681b078b5a66a0df03dc0 | — |
Vhash
| Value | Description |
|---|---|
| 209777f95128ad4f4da510c963776ebe | — |
| 5e5e1c95ecff402cc4c8945a83401732 | — |
| 209777f95128ad4f4da510c963776ebe | — |
| f87cc874e24829eef63b376bc9d3a735 | — |
| 8d7c8e4216e592fc80240476f4cece81 | — |
| 5e5e1c95ecff402cc4c8945a83401732 | — |
| 209777f95128ad4f4da510c963776ebe | — |
| 5e5e1c95ecff402cc4c8945a83401732 | — |
Ssdeep
| Value | Description |
|---|---|
| 12288:JsUmbr9ixH+XbQyEXQaaSwbl57OXk7FRbyIgrjEjdU6:Jki0X0yEXQP3b71CEjL | — |
| 12288:bbK+Qe2LHgcQ0pnSrFn0guEdd3iNWxdkdzpoa7vAzM7qmCIXf3hJ456o8WTdjEjP:bge27BJcKgVdxGzua74zD9of3hJ4wWTC | — |
| 12288:F2nsUmbr9ixH+XbQyEXQaaSwbl57OXk7FRbyjZk8vjEjdUK:Di0X0yEXQP3b7oZkmEjT | — |
| 6144:cG7ae85i04BA7Qv0uPZH9QyWT+z1gu3g3/J++7C1EGdyKFgjEjd1pIk:f7PGR3W0ul9HWT+hN3g0vdMKyjEjdUk | — |
| 12288:FOwH5tnx79C+XU2uCp2sEXtu7Y0+cmu4uuNuM4FLSbO71HPQpgajEjdUH:FOwHfxZT3p2sEs+3Zv48i7BPQpgIEjU | — |
| 12288:cQHK+Qe2LHgcQ0pnSrFn0guEdd3iNWxdkdzpoj7vAzM7qmCIXf3hJ456oOVjEjdd:cXe27BJcKgVdxGzuj74zD9of3hJ4CRE7 | — |
| 12288:mI+lcyeXAl4W5CF8XqxgLrIFhhBSvnCyGX2JhdH8cRm2ZOjEjdU1:9ScivFaxgCgvnCyGX2Jhdfd6Ejk | — |
| 12288:XeRkaATjRiM8mYgXgxH9pcDr4Mht7vAzM7qmCIXf3hJ456oYSXjjEjdU7:bv/N8hgwVLcDr4e74zD9of3hJ48SX3Ew | — |
Link
| Value | Description |
|---|---|
| https://www.virustotal.com/gui/file/07d39205f9ba159236477a02cdb3350fac4f158e0dbf26576bb50604339b1f42 | — |
| https://rsf.org/sites/default/files/medias/file/2025/12/report_0.pdf | — |
File
| Value | Description |
|---|---|
| report_0.pdf | — |
Threat ID: 694325fbfab815a9fc24fb0e
Added to database: 12/17/2025, 9:51:55 PM
Last enriched: 12/17/2025, 10:08:19 PM
Last updated: 12/18/2025, 12:37:42 PM