Ricochet Chollima Using KoSpy Android Spyware
Executive Summary
KoSpy is a sophisticated Android spyware linked to North Korean threat actor Ricochet Chollima. It has been targeting Korean and English-speaking users since March 2022.
Key Takeaways
- KoSpy spyware, attributed to Ricochet Chollima, masquerades as utility apps and uses Firebase Firestore for initial configuration, enhancing operational flexibility.
- The spyware collects extensive data, including SMS, call logs, location, and audio, via plugins downloaded from its C2.
- Targeting focuses on Korean and English-speaking users, with samples distributed through Google Play and third-party stores like Apkpure.
What is KoSpy?
KoSpy is a sophisticated Android spyware linked to North Korean threat actor Ricochet Chollima. It has been targeting Korean and English-speaking users since March 2022. KoSpy remains active, with recent samples still publicly hosted. This spyware exemplifies Ricochet Chollima’s evolving tactics, blending mobile espionage with resilient infrastructure. Lookout reported on KoSpy.
KoSpy disguises itself as legitimate utility applications, such as file managers and security software, to evade …
IoC