Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

RedHook Returns with a Dangerous Upgrade

0
Medium
Published: 07/09/2026 (07/09/2026, 13:20:35 UTC)
Source: AlienVault OTX General

Description

RedHook is an Android Remote Access Trojan that has re-emerged with significant enhancements, particularly in privilege abuse capabilities. The malware autonomously exploits Android's ADB Wireless Debugging features to obtain shell-level access, integrating the Shizuku framework to execute protected system APIs. Recent activity shows expansion beyond Vietnam to Indonesia, targeting Southeast Asian users through spoofed government and financial websites. Malicious APKs are hosted on trusted platforms like AWS S3 and GitHub repositories. The current version supports 53 distinct server-issued commands and employs sophisticated persistence mechanisms including foreground activity spoofing, silent media playback, and cross-process monitoring. Distribution relies on social engineering via phone calls and messaging applications, tricking victims into downloading malicious APKs and enabling Accessibility services under false pretenses.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/10/2026, 07:47:41 UTC

Technical Analysis

RedHook is an Android RAT that autonomously abuses ADB Wireless Debugging features to escalate privileges and gain shell-level access. It integrates the Shizuku framework to execute protected system APIs, enhancing its control capabilities. The malware uses sophisticated persistence mechanisms including foreground activity spoofing, silent media playback, and cross-process monitoring to maintain presence on infected devices. It is distributed through social engineering tactics involving phone calls and messaging apps, convincing victims to download malicious APKs and enable Accessibility services under false pretenses. Recent campaigns have expanded from Vietnam to Indonesia, targeting Southeast Asian users via spoofed government and financial websites hosted on trusted platforms such as AWS S3 and GitHub. The malware supports 53 distinct server-issued commands, indicating a broad range of remote control functions.

Potential Impact

The malware can gain shell-level access on Android devices by exploiting ADB Wireless Debugging and abusing protected system APIs via the Shizuku framework. This allows attackers to execute a wide range of commands remotely, potentially compromising device confidentiality, integrity, and availability. Its advanced persistence mechanisms make removal difficult, and social engineering distribution increases infection risk. The targeting of Southeast Asian users through trusted platforms and spoofed websites increases the likelihood of successful infections in that region.

Mitigation Recommendations

No official patch or fix is available for this malware. Mitigation relies on user awareness to avoid social engineering traps such as unsolicited phone calls or messages prompting APK downloads or enabling Accessibility services. Users should disable ADB Wireless Debugging unless explicitly needed and avoid installing APKs from untrusted sources, even if hosted on reputable platforms. Monitoring and restricting Accessibility service permissions can reduce attack surface. Organizations should educate users in affected regions about this threat and encourage cautious behavior regarding app installations and permissions.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Author
AlienVault
Tlp
white
References
["https://www.group-ib.com/blog/redhook-android-rat-upgraded/"]
Adversary
null
Pulse Id
6a4fa023bcc8675bb1b91cfc
Threat Score
null

Indicators of Compromise

Hash

ValueDescriptionCopy
hash453333bffdd1850ea2e0647f7c805530b578919978a01b1e2be52d6eb2add946

Url

ValueDescriptionCopy
urlhttp://sktv.3n7wj.com/ws/device?menberId=
urlhttps://api.3n7wj.com

Domain

ValueDescriptionCopy
domainapi.3n7wj.com
domainskt.3n7wj.com
domainsktv.3n7wj.com

Threat ID: 6a50a01268715ace433595c2

Added to database: 07/10/2026, 07:32:34 UTC

Last enriched: 07/10/2026, 07:47:41 UTC

Last updated: 07/10/2026, 20:09:59 UTC

Views: 23

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

External Links

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses