RedHook Returns with a Dangerous Upgrade
RedHook is an Android Remote Access Trojan that has re-emerged with significant enhancements, particularly in privilege abuse capabilities. The malware autonomously exploits Android's ADB Wireless Debugging features to obtain shell-level access, integrating the Shizuku framework to execute protected system APIs. Recent activity shows expansion beyond Vietnam to Indonesia, targeting Southeast Asian users through spoofed government and financial websites. Malicious APKs are hosted on trusted platforms like AWS S3 and GitHub repositories. The current version supports 53 distinct server-issued commands and employs sophisticated persistence mechanisms including foreground activity spoofing, silent media playback, and cross-process monitoring. Distribution relies on social engineering via phone calls and messaging applications, tricking victims into downloading malicious APKs and enabling Accessibility services under false pretenses.
AI Analysis
Technical Summary
RedHook is an Android RAT that autonomously abuses ADB Wireless Debugging features to escalate privileges and gain shell-level access. It integrates the Shizuku framework to execute protected system APIs, enhancing its control capabilities. The malware uses sophisticated persistence mechanisms including foreground activity spoofing, silent media playback, and cross-process monitoring to maintain presence on infected devices. It is distributed through social engineering tactics involving phone calls and messaging apps, convincing victims to download malicious APKs and enable Accessibility services under false pretenses. Recent campaigns have expanded from Vietnam to Indonesia, targeting Southeast Asian users via spoofed government and financial websites hosted on trusted platforms such as AWS S3 and GitHub. The malware supports 53 distinct server-issued commands, indicating a broad range of remote control functions.
Potential Impact
The malware can gain shell-level access on Android devices by exploiting ADB Wireless Debugging and abusing protected system APIs via the Shizuku framework. This allows attackers to execute a wide range of commands remotely, potentially compromising device confidentiality, integrity, and availability. Its advanced persistence mechanisms make removal difficult, and social engineering distribution increases infection risk. The targeting of Southeast Asian users through trusted platforms and spoofed websites increases the likelihood of successful infections in that region.
Mitigation Recommendations
No official patch or fix is available for this malware. Mitigation relies on user awareness to avoid social engineering traps such as unsolicited phone calls or messages prompting APK downloads or enabling Accessibility services. Users should disable ADB Wireless Debugging unless explicitly needed and avoid installing APKs from untrusted sources, even if hosted on reputable platforms. Monitoring and restricting Accessibility service permissions can reduce attack surface. Organizations should educate users in affected regions about this threat and encourage cautious behavior regarding app installations and permissions.
Indicators of Compromise
- hash: 453333bffdd1850ea2e0647f7c805530b578919978a01b1e2be52d6eb2add946
- url: http://sktv.3n7wj.com/ws/device?menberId=
- url: https://api.3n7wj.com
- domain: api.3n7wj.com
- domain: skt.3n7wj.com
- domain: sktv.3n7wj.com
RedHook Returns with a Dangerous Upgrade
Description
RedHook is an Android Remote Access Trojan that has re-emerged with significant enhancements, particularly in privilege abuse capabilities. The malware autonomously exploits Android's ADB Wireless Debugging features to obtain shell-level access, integrating the Shizuku framework to execute protected system APIs. Recent activity shows expansion beyond Vietnam to Indonesia, targeting Southeast Asian users through spoofed government and financial websites. Malicious APKs are hosted on trusted platforms like AWS S3 and GitHub repositories. The current version supports 53 distinct server-issued commands and employs sophisticated persistence mechanisms including foreground activity spoofing, silent media playback, and cross-process monitoring. Distribution relies on social engineering via phone calls and messaging applications, tricking victims into downloading malicious APKs and enabling Accessibility services under false pretenses.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
RedHook is an Android RAT that autonomously abuses ADB Wireless Debugging features to escalate privileges and gain shell-level access. It integrates the Shizuku framework to execute protected system APIs, enhancing its control capabilities. The malware uses sophisticated persistence mechanisms including foreground activity spoofing, silent media playback, and cross-process monitoring to maintain presence on infected devices. It is distributed through social engineering tactics involving phone calls and messaging apps, convincing victims to download malicious APKs and enable Accessibility services under false pretenses. Recent campaigns have expanded from Vietnam to Indonesia, targeting Southeast Asian users via spoofed government and financial websites hosted on trusted platforms such as AWS S3 and GitHub. The malware supports 53 distinct server-issued commands, indicating a broad range of remote control functions.
Potential Impact
The malware can gain shell-level access on Android devices by exploiting ADB Wireless Debugging and abusing protected system APIs via the Shizuku framework. This allows attackers to execute a wide range of commands remotely, potentially compromising device confidentiality, integrity, and availability. Its advanced persistence mechanisms make removal difficult, and social engineering distribution increases infection risk. The targeting of Southeast Asian users through trusted platforms and spoofed websites increases the likelihood of successful infections in that region.
Mitigation Recommendations
No official patch or fix is available for this malware. Mitigation relies on user awareness to avoid social engineering traps such as unsolicited phone calls or messages prompting APK downloads or enabling Accessibility services. Users should disable ADB Wireless Debugging unless explicitly needed and avoid installing APKs from untrusted sources, even if hosted on reputable platforms. Monitoring and restricting Accessibility service permissions can reduce attack surface. Organizations should educate users in affected regions about this threat and encourage cautious behavior regarding app installations and permissions.
Technical Details
- Author
- AlienVault
- Tlp
- white
- References
- ["https://www.group-ib.com/blog/redhook-android-rat-upgraded/"]
- Adversary
- null
- Pulse Id
- 6a4fa023bcc8675bb1b91cfc
- Threat Score
- null
Indicators of Compromise
Hash
| Value | Description | Copy |
|---|---|---|
hash453333bffdd1850ea2e0647f7c805530b578919978a01b1e2be52d6eb2add946 | — |
Url
| Value | Description | Copy |
|---|---|---|
urlhttp://sktv.3n7wj.com/ws/device?menberId= | — | |
urlhttps://api.3n7wj.com | — |
Domain
| Value | Description | Copy |
|---|---|---|
domainapi.3n7wj.com | — | |
domainskt.3n7wj.com | — | |
domainsktv.3n7wj.com | — |
Threat ID: 6a50a01268715ace433595c2
Added to database: 07/10/2026, 07:32:34 UTC
Last enriched: 07/10/2026, 07:47:41 UTC
Last updated: 07/10/2026, 20:09:59 UTC
Views: 23
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.