{
  "Event": {
    "analysis": "1",
    "date": "2026-03-19",
    "extends_uuid": "",
    "info": "[Threat Intel] DTO malware that takes notes",
    "protected": false,
    "publish_timestamp": "1775231570",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1775231570",
    "uuid": "09b457ef-945f-41b0-aef8-cbdf7bedd346",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-original-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#15ccfd",
        "local": false,
        "name": "misp-galaxy:target-information=\"France\"",
        "relationship_type": ""
      },
      {
        "colour": "#5ed128",
        "local": false,
        "name": "misp-galaxy:target-information=\"Germany\"",
        "relationship_type": ""
      },
      {
        "colour": "#4cea11",
        "local": false,
        "name": "misp-galaxy:target-information=\"Italy\"",
        "relationship_type": ""
      },
      {
        "colour": "#809a25",
        "local": false,
        "name": "misp-galaxy:target-information=\"Poland\"",
        "relationship_type": ""
      },
      {
        "colour": "#c70b8f",
        "local": false,
        "name": "misp-galaxy:target-information=\"Portugal\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#110041",
        "local": false,
        "name": "rectifyq:sub-category=\"malware-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#170059",
        "local": false,
        "name": "rectifyq:topic=\"mobile-attack\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Download New Code at Runtime - T1407\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Impair Defenses - T1629\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Input Capture - T1417\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Input Injection - T1516\"",
        "relationship_type": ""
      },
      {
        "colour": "#1b95cd",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Screen Capture - T1513\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Stored Application Data - T1409\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Virtualization/Sandbox Evasion - T1633\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773975608",
        "to_ids": false,
        "type": "link",
        "uuid": "fa75684a-7509-4bbf-9fc9-152e355f7b6d",
        "value": "https://www.threatfabric.com/blogs/perseus-dto-malware-that-takes-notes",
        "Tag": [
          {
            "colour": "#6b003a",
            "local": true,
            "name": "workflow:todo=\"create-missing-misp-galaxy-cluster\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773975608",
        "to_ids": false,
        "type": "text",
        "uuid": "6d73ab32-1798-4a90-baad-24c4ae972087",
        "value": "Perseus is a new Android threat that builds upon earlier malware families like Cerberus and Phoenix. It enables real-time monitoring and interaction with infected devices through Accessibility-based remote sessions, allowing full Device Takeover. The malware focuses on extracting high-value personal information, including monitoring user notes. It employs strong anti-analysis measures to evade detection. Perseus is primarily distributed through IPTV applications, targeting users in Turkey and Italy. Its capabilities include overlay attacks, keylogging, and systematic exploration of note-taking apps. The malware performs extensive environment checks to detect analysis conditions and assess device risk. Perseus represents the ongoing evolution of mobile malware, adapting to remain effective in an increasingly secure mobile environment."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773975608",
        "to_ids": false,
        "type": "text",
        "uuid": "87704e07-48e4-4926-a05e-0c307788c265",
        "value": "Name: DTO malware that takes notes\nAuthor: AlienVault\nAdversary: Perseus\nTags: [\"dto\", \"anti-analysis\", \"overlay attacks\", \"perseus\", \"phoenix\", \"notes monitoring\", \"iptv\", \"cerberus\", \"klopatra\", \"ermac\", \"remote control\", \"medusa\", \"android\", \"accessibility service\"]\nTgtd countries: [\"France\", \"Germany\", \"Italy\", \"Poland\", \"Portugal\"]\nMlwr families: [\"Perseus\", \"Cerberus\", \"Phoenix\", \"Ermac\", \"Klopatra\", \"Medusa\"]\nAttack_ids: []\nIndustries: [\"Finance\", \"Cryptocurrency\"]"
      },
      {
        "category": "Attribution",
        "comment": "Adversary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773975608",
        "to_ids": false,
        "type": "threat-actor",
        "uuid": "29ee40cc-00ff-4430-b401-9d692cd50f29",
        "value": "Perseus"
      },
      {
        "category": "Payload delivery",
        "comment": "Perseus Payload (Turkish Fork). No sample in VT.\nLast check: 03/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775227059",
        "to_ids": true,
        "type": "sha256",
        "uuid": "357cf231-7f66-4aaa-a989-63f6328f5a66",
        "value": "56d3bb5e8771b41b11d368e70ddd26fe6f1e7bd00b3aafcfd4c34ef62f87093d",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775230043",
        "uuid": "390f7837-6c2a-461f-89d9-0ddd2ec82b4a",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Perseus Dropper",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775230043",
            "to_ids": true,
            "type": "md5",
            "uuid": "b800359e-fc37-4eed-b5f8-355d9392d4a3",
            "value": "d8081fe3a360d6957829ea2c66b966c2",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Perseus Dropper",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775227057",
            "to_ids": true,
            "type": "sha1",
            "uuid": "7155cfab-877c-4b12-901b-ae85ba877177",
            "value": "245c0ce14ccab1e6569275ff36556f19f4da453a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Perseus Dropper",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775227058",
            "to_ids": true,
            "type": "sha256",
            "uuid": "8a33ef88-4fed-426d-bcac-df84ac3940ab",
            "value": "1ea8360c4d3b7ccea50e9f19630be9d23df26ac713799e2f8457520c0d29bdda",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775226164",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "ad231000-39ac-4da0-8751-0c2c4f71dbf3",
            "value": "98304:7VigrIRFPqhvpinPnrb3EfO9Et05L6lSBdywSJeWgDNo50qk27vcjJsl39CDb:7ViM0Pf3/3L6l6YtJLgDNucJsDCDb"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775226164",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "4d8ce5e0-fb1a-49aa-89a3-2392f5e9d18e",
            "value": "6332640"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775226164",
            "to_ids": true,
            "type": "vhash",
            "uuid": "999d9ded-44d5-4e63-a121-8aa20df33893",
            "value": "0c8ec111659cda0546052ddd76f9ce3e"
          },
          {
            "category": "Other",
            "comment": "Checked: 03/04/2026\nLast-scan: 31/03/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775226164",
            "to_ids": false,
            "type": "text",
            "uuid": "d8b4158c-6b05-405a-b1ee-350805e7c8e1",
            "value": "Perseus Dropper\nType Description: Android\nMicrosoft: Trojan:AndroidOS/AVerseFalc!rfn\nVT Total Detection: 28/66\nFirst Submission: 2026-03-24T17:09:34.000000+00:00\nLast Submission: 2026-03-24T17:09:34.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775230064",
        "uuid": "74291f16-3939-4b3d-b1dc-2d72a745a656",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Perseus Payload (English Fork)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775230064",
            "to_ids": true,
            "type": "md5",
            "uuid": "ede0417c-725d-4a95-ae65-b9f4e07191df",
            "value": "e0e427d6dd2f8fa088a1d8a400a64620",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Perseus Payload (English Fork)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775227059",
            "to_ids": true,
            "type": "sha1",
            "uuid": "60ed5fd7-b381-4fdc-913a-4c24c829ef41",
            "value": "b5ba10ae9b17f99915e456d236c0ea5177c0cbe4",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Perseus Payload (English Fork)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775227059",
            "to_ids": true,
            "type": "sha256",
            "uuid": "d04f5dc0-e740-431e-8530-ea54da64755c",
            "value": "2524e9d5ed1e55332fe2d1cc0e7ad4e2656ad5ca624199e6f619325979b3529a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775226186",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "b9312801-c7db-4e9b-b98d-9c93f8552c42",
            "value": "196608:yRDtw1n+l9f/3nanc51L5isSaVvAWJFK8roRUbAF:6c2B/qcD5rSaxJFK8SyAF"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775226186",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "026a8fcc-11fc-4062-b83d-d65693ccaa15",
            "value": "6851929"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775226186",
            "to_ids": true,
            "type": "vhash",
            "uuid": "53f423c0-774e-4f94-811e-419f48940349",
            "value": "621d8b9f7c8581f5fdceae7e80a47104"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775226186",
            "to_ids": true,
            "type": "filename",
            "uuid": "2cf4e744-41b6-419b-922e-ee442819a7b9",
            "value": "ncvpkjuupt.apk"
          },
          {
            "category": "Other",
            "comment": "Checked: 03/04/2026\nLast-scan: 03/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775226186",
            "to_ids": false,
            "type": "text",
            "uuid": "4b6a9a00-0e56-4624-83fd-e42675e7f3f6",
            "value": "Perseus Payload (English Fork)\nType Description: Android\nMicrosoft: None\nVT Total Detection: 26/67\nFirst Submission: 2026-01-08T03:24:04.000000+00:00\nLast Submission: 2026-01-08T03:24:04.000000+00:00"
          }
        ]
      }
    ]
  }
}