{
  "Event": {
    "analysis": "1",
    "date": "2025-09-30",
    "extends_uuid": "",
    "info": "[Threat Intel] Datzbro: RAT Hiding Behind Senior Travel Scams",
    "protected": false,
    "publish_timestamp": "1780041239",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1772902060",
    "uuid": "8391fe48-3fc0-4fe0-a550-1e63c7f2f015",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b990dd",
        "local": false,
        "name": "misp-galaxy:target-information=\"Australia\"",
        "relationship_type": ""
      },
      {
        "colour": "#1faf16",
        "local": false,
        "name": "misp-galaxy:target-information=\"Canada\"",
        "relationship_type": ""
      },
      {
        "colour": "#915448",
        "local": false,
        "name": "misp-galaxy:target-information=\"Malaysia\"",
        "relationship_type": ""
      },
      {
        "colour": "#7dbb86",
        "local": false,
        "name": "misp-galaxy:target-information=\"Singapore\"",
        "relationship_type": ""
      },
      {
        "colour": "#35a578",
        "local": false,
        "name": "misp-galaxy:target-information=\"South Africa\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Screen Capture - T1513\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Abuse Accessibility Features - T1453\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Device Lockout - T1629.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#932961",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Video Capture - T1512\"",
        "relationship_type": ""
      },
      {
        "colour": "#704a15",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Audio Capture - T1429\"",
        "relationship_type": ""
      },
      {
        "colour": "#e931d8",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Capture SMS Messages - T1412\"",
        "relationship_type": ""
      },
      {
        "colour": "#e1e5b7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"SMS Control - T1582\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"SMS Messages - T1636.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#9c4b3a",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"File and Directory Discovery - T1420\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Access Sensitive Data in Device Logs - T1413\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Remote Access Software - T1663\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Phishing - T1660\"",
        "relationship_type": ""
      },
      {
        "colour": "#9f9a68",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Deliver Malicious App via Other Means - T1476\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#130049",
        "local": false,
        "name": "rectifyq:sub-category=\"campaign-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#f1dfed",
        "local": false,
        "name": "rectifyq:TA-category=\"Cybercrime\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#dd2e44",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3a00e0",
        "local": false,
        "name": "rectifyq:action-taken=\"x\"",
        "relationship_type": ""
      },
      {
        "colour": "#3b00e2",
        "local": false,
        "name": "rectifyq:action-taken=\"linkedin\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1759321446",
        "to_ids": false,
        "type": "link",
        "uuid": "cb2f7166-6c3e-4e57-a3f1-11f4b85c346e",
        "value": "https://www.threatfabric.com/blogs/datzbro-rat-hiding-behind-senior-travel-scams"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1759321446",
        "to_ids": false,
        "type": "text",
        "uuid": "ee9a293f-eeb4-482b-a40d-504768c09ee0",
        "value": "A new Android Trojan named Datzbro has been discovered targeting seniors through fake Facebook groups promoting travel and social activities. The malware, which combines spyware and banking Trojan capabilities, is distributed via malicious APKs disguised as community apps. Datzbro features remote access, screen sharing, black overlay attacks, and keylogging, allowing attackers to perform financial fraud. It specifically targets banking and crypto-related apps, stealing credentials and sensitive information. The malware's origin appears to be Chinese-speaking developers, and its command-and-control application has been leaked, potentially making it a global threat. The campaign demonstrates the evolving sophistication of mobile threats, blending social engineering with advanced technical capabilities."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1759321446",
        "to_ids": false,
        "type": "text",
        "uuid": "7cde7597-014b-49de-868a-d4fac690433e",
        "value": "Name: Datzbro: RAT Hiding Behind Senior Travel Scams\nAuthor: AlienVault\nAdversary: \nTags: [\"android trojan\", \"facebook groups\", \"remote access\", \"banking malware\", \"zombinder\", \"social engineering\", \"datzbro\", \"senior scams\", \"spyware\"]\nTgtd countries: [\"Australia\", \"Canada\", \"Malaysia\", \"Singapore\", \"South Africa\"]\nMlwr families: []\nAttack_ids: []\nIndustries: [\"Finance\"]"
      },
      {
        "category": "Payload delivery",
        "comment": "Application name: Lively Years\r\nNo sample in VT. Last check: 01/10/2025\r\nNo sample in VT. Last check: 18/10/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1760776837",
        "to_ids": true,
        "type": "sha256",
        "uuid": "4e729de0-2fce-4ad4-874a-16d3ea352b50",
        "value": "453b0a62e414e9b40185c63842546fc96e8e1ab3f77d3230b02988dd8834c555",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Application name: Senior Group\r\nNo sample in VT. Last check: 01/10/2025\r\nNo sample in VT. Last check: 18/10/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1760776859",
        "to_ids": true,
        "type": "sha256",
        "uuid": "f1d6fd67-37ea-407e-b121-0ddd41a5f78c",
        "value": "a57d70b2873d9a3672eda76733c5b2fb96dca502958064fab742cfc074bf0feb",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Application name: DanceWave\r\nNo sample in VT. Last check: 01/10/2025\r\nNo sample in VT. Last check: 18/10/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1760776880",
        "to_ids": true,
        "type": "sha256",
        "uuid": "77880254-afe0-49e8-8f6d-9f0a227dadbe",
        "value": "fac119c569ba7dd19df9154f22f928cf3f0b0165bbe7d6b11a77215bdfc2a11a",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1760776796",
        "uuid": "4a63b8e6-9e20-414c-be8e-e48acdfa4efa",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Application name: ActiveSenior",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1759328840",
            "to_ids": true,
            "type": "md5",
            "uuid": "6e822af6-986a-4cdc-bf0a-0987ab68aec0",
            "value": "1d6131755bc1a5ec334d4e2ad641888b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Application name: ActiveSenior",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1759328117",
            "to_ids": true,
            "type": "sha1",
            "uuid": "6ec8408f-b1f3-4091-92d7-61e17588a7f3",
            "value": "9a632d442b462e80b6e28380ce7de2f441410ab8",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Application name: ActiveSenior",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1759328118",
            "to_ids": true,
            "type": "sha256",
            "uuid": "0cbfa08c-29f0-4a8b-8e01-733360a21c4b",
            "value": "ed2313bfebe03ff29a7c802ddd471583cc8da76bf5cb9f418ae7d999d6a0b9fb",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1759327580",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "c9242145-074c-449e-85a2-c8698ac9da92",
            "value": "98304:ytYv5LVWXDRBlcv3/qdFr55jUJTrooAjtoIB//O7Ug/D7CNJzoO6C+oTYrVK:FvDWXFBlcHcVUJ4hoIBU7rOTz5"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1759327580",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "f900cf38-bb48-4465-9886-f2f265e69d9a",
            "value": "5815131"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1759327580",
            "to_ids": true,
            "type": "vhash",
            "uuid": "795759e8-8543-4f7c-b43d-abe03beffc7d",
            "value": "963a05c3eb76a36f0a5dd2266ee5708d"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1759327580",
            "to_ids": true,
            "type": "filename",
            "uuid": "f3f655bc-4069-472a-864f-4182ca83dced",
            "value": "ActiveSenior.apk"
          },
          {
            "category": "Other",
            "comment": "Checked: 01/10/2025\nLast scan: 01/10/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1759327580",
            "to_ids": false,
            "type": "text",
            "uuid": "0dad11d1-dfc0-488c-a469-a86edd4765b6",
            "value": "Application name: ActiveSenior\nType Description: Android\nMicrosoft: Spyware:AndroidOS/Multiverze!rfn\nVT Total Detection: 30/67\nFirst Submission: 2025-08-22T02:39:57.000000+00:00\nLast Submission: 2025-08-26T00:13:45.000000+00:00"
          },
          {
            "category": "Other",
            "comment": "Checked: 18/10/2025\nLast scan: 08/10/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1760776796",
            "to_ids": false,
            "type": "text",
            "uuid": "a6f64e67-9d98-4790-b915-5a6a6fa68f2e",
            "value": "Type Description: Android\nMicrosoft: Spyware:AndroidOS/Multiverze!rfn\nVT Total Detection: 31/67"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1760776796",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "74b79a87-fbb5-4f92-ae2d-12912795f9c6",
            "value": "98304:ytYv5LVWXDRBlcv3/qdFr55jUJTrooAjtoIB//O7Ug/D7CNJzoO6C+oTYrVK:FvDWXFBlcHcVUJ4hoIBU7rOTz5"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1760776796",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "e437da57-6beb-4a85-aa9f-e156b5fc4296",
            "value": "5815131"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1760776796",
            "to_ids": true,
            "type": "vhash",
            "uuid": "3f05c243-8203-45e8-8c1a-8b026068ad21",
            "value": "963a05c3eb76a36f0a5dd2266ee5708d"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1760776796",
            "to_ids": true,
            "type": "filename",
            "uuid": "7e75097b-eec6-46f4-9ec7-9b2ac12e3002",
            "value": "ActiveSenior.apk"
          }
        ]
      }
    ]
  }
}