{
  "Event": {
    "analysis": "1",
    "date": "2026-03-03",
    "extends_uuid": "",
    "info": "[Threat Intel] RedAlert Trojan Campaign: Fake Emergency Alert App Spread via SMS Spoofing Israeli Home Front Command",
    "protected": false,
    "publish_timestamp": "1772824055",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1772824054",
    "uuid": "99c6b4ab-d10a-464e-befa-30bdc9cac7c5",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#7bf409",
        "local": false,
        "name": "misp-galaxy:producer=\"CloudSEK\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#26fab6",
        "local": false,
        "name": "misp-galaxy:target-information=\"Israel\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#130049",
        "local": false,
        "name": "rectifyq:sub-category=\"campaign-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#170059",
        "local": false,
        "name": "rectifyq:topic=\"mobile-attack\"",
        "relationship_type": ""
      },
      {
        "colour": "#1c006d",
        "local": false,
        "name": "rectifyq:topic=\"geopolitical\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#31373d",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"not-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772593227",
        "to_ids": false,
        "type": "link",
        "uuid": "4682b7c3-3ac3-4283-a020-b04a29b9aa87",
        "value": "https://www.cloudsek.com/blog/redalert-trojan-campaign-fake-emergency-alert-app-spread-via-sms-spoofing-israeli-home-front-command"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772593227",
        "to_ids": false,
        "type": "text",
        "uuid": "d45e6dc0-0124-48ff-b56a-c2a77d099189",
        "value": "A malicious SMS spoofing campaign is spreading a fake version of Israel's 'Red Alert' emergency app amid ongoing conflict. The trojanized Android app, disguised as a trusted warning platform, can steal SMS, contacts, and location data while appearing legitimate. The campaign exploits public fear during crises to deploy mobile spyware. The malware uses sophisticated techniques to bypass security checks, including package manager hooking and dynamic payload loading. It mirrors the official app's interface but requests high-risk permissions. The malware continuously tracks GPS coordinates and exfiltrates data to attacker-controlled infrastructure, posing severe strategic and physical security risks. This campaign erodes trust in emergency response systems and could potentially be used for targeted attacks or to optimize missile targeting."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772593227",
        "to_ids": false,
        "type": "text",
        "uuid": "e63dee9c-0af8-43d5-b992-ab79265740c9",
        "value": "Name: RedAlert Trojan Campaign: Fake Emergency Alert App Spread via SMS Spoofing Israeli Home Front Command\nAuthor: AlienVault\nAdversary: \nTags: [\"gps tracking\", \"sms spoofing\", \"android malware\", \"redalert\", \"data theft\", \"israel-iran conflict\", \"trojan\", \"geopolitical conflict\"]\nTgtd countries: [\"Israel\"]\nMlwr families: [\"RedAlert\"]\nAttack_ids: []\nIndustries: [\"Government\", \"Defense\"]"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772810277",
        "to_ids": true,
        "type": "url",
        "uuid": "54f7b130-70c6-4ffe-ac58-59a41f89e58e",
        "value": "https://api.ra-backup.com/analytics/submit.php",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772810299",
        "to_ids": true,
        "type": "hostname",
        "uuid": "632eb0ed-d636-4868-8bbd-04b7f7be81c5",
        "value": "api.ra-backup.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772810321",
        "to_ids": true,
        "type": "url",
        "uuid": "87abe375-b3b3-4c92-af96-86f150087630",
        "value": "https://www.shirideitch.com/wp-content/uploads/2022/06/RedAlert.apk",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772810343",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "0474793c-8a69-42de-aceb-b3b8bb7fffc3",
        "value": "216.45.58.148",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772810365",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "213911a5-a116-477a-82fe-48a7378c84b5",
        "value": "44.208.242.141",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772810387",
        "to_ids": true,
        "type": "hostname",
        "uuid": "8828ed90-adec-40b4-b00c-c5391f31a142",
        "value": "api.pushy.me",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772810409",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "04581afc-c33a-4e06-b024-ab747cc2d125",
        "value": "44.200.176.254",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772810431",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "42928a76-f03b-4331-ada9-24afef715f90",
        "value": "104.21.64.137",
        "Tag": [
          {
            "colour": "#2c2142",
            "local": false,
            "name": "false-positive:risk=\"high\"",
            "relationship_type": ""
          },
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772810454",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "1c69a309-b25f-4d09-8602-7a1d7623d42f",
        "value": "172.67.137.156",
        "Tag": [
          {
            "colour": "#2c2142",
            "local": false,
            "name": "false-positive:risk=\"high\"",
            "relationship_type": ""
          },
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772810476",
        "to_ids": true,
        "type": "domain",
        "uuid": "f09b75a0-d4a3-4817-bf9e-3f147b8dc507",
        "value": "redalert.me",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772810498",
        "to_ids": true,
        "type": "url",
        "uuid": "a11db549-d00f-4c92-a08c-ee60dd26ec1c",
        "value": "http://bit.ly/3Ozydsn",
        "Tag": [
          {
            "colour": "#2c2142",
            "local": false,
            "name": "false-positive:risk=\"high\"",
            "relationship_type": ""
          },
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772810521",
        "to_ids": true,
        "type": "url",
        "uuid": "9149499b-66c9-4639-9314-9d7905d90789",
        "value": "https://bit.ly/2O3fHEX",
        "Tag": [
          {
            "colour": "#2c2142",
            "local": false,
            "name": "false-positive:risk=\"high\"",
            "relationship_type": ""
          },
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772810543",
        "to_ids": true,
        "type": "url",
        "uuid": "d3055e4d-5b28-4ffd-9249-c35314e9514e",
        "value": "https://bit.ly/3GfZoys",
        "Tag": [
          {
            "colour": "#2c2142",
            "local": false,
            "name": "false-positive:risk=\"high\"",
            "relationship_type": ""
          },
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772810565",
        "uuid": "cc5c5050-d886-4c60-bfa9-f6fc30cd7e83",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772810565",
            "to_ids": true,
            "type": "md5",
            "uuid": "74f30331-5f86-4849-a850-529960981a06",
            "value": "9c6c67344fecd8ff8dbbee877aad7efc",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772809621",
            "to_ids": true,
            "type": "sha1",
            "uuid": "4bc8b8c5-c0f0-40df-8d92-caa8ae876fc6",
            "value": "04ee8594b5101505b92e14777466a62a2f4a2ceb",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772809621",
            "to_ids": true,
            "type": "sha256",
            "uuid": "fec012dc-3009-4073-9c4a-d5f51646a339",
            "value": "83651b0589665b112687f0858bfe2832ca317ba75e700c91ac34025ee6578b72",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772807977",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "f454ca8f-d189-48c8-bb8f-ec615523006c",
            "value": "393216:IQNNTdIbeNstoGDcrz1RfPz3tSfygZ4Cgy7AJknQ7pAnQIBY:IY12tCrfrdSfVcEhdY"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772807977",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "7945782c-1385-4920-9190-bbaebb036265",
            "value": "23240876"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1772807977",
            "to_ids": true,
            "type": "vhash",
            "uuid": "1c47d2bf-3282-4280-a1fb-5306d7638d5a",
            "value": "730c180d7c495e9d6022cbe718d29b9a"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772807977",
            "to_ids": true,
            "type": "filename",
            "uuid": "4246fd4f-5bf3-46e0-8c2e-6cc88675bbae",
            "value": "83651b0589665b112687f0858bfe2832ca317ba75e700c91ac34025ee6578b72.apk"
          },
          {
            "category": "Other",
            "comment": "Checked: 06/03/2026 (DD/MM/YYYY)\nLast-scan\t:  06/03/2026 (DD/MM/YYYY)",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772807977",
            "to_ids": false,
            "type": "text",
            "uuid": "5a6f559c-bbef-45bf-9113-43faa60070f0",
            "value": "Type Description: Android\nMicrosoft: None\nVT Total Detection:16/65\nFirst Submission:2026-03-01T12:44:22.000000+00:00\nLast Submission:2026-03-05T08:06:30.000000+00:00"
          }
        ]
      }
    ]
  }
}