Unmasking State-Sponsored Mobile Surveillance Malware from Russia, China, and North Korea
Threat Actors, Tactics, and Defense Strategies
Kyle Schmittle
Alemdar Islamoglu
Kristina Balaam
Who We Are

Kyle Schmittle
Senior Security Intelligence Researcher
● Russia & Iran
● BouldSpy, GuardZoo
● Threat intelligence, reverse engineering
https://www.linkedin.com/in/kyle-s-b851ab151/

Kristina Balaam
Senior Staff Security Intelligence Researcher
● Campaigns initiated by Chinese threat actors.
● DragonEgg/WyrmSpy, MOONSHINE & Android BadBazaar
● Passion for uncovering threats that target marginalized populations within mainland China and abroad.
https://linkedin.com/in/kebalaam

Alemdar Islamoglu
Senior Staff Security Intelligence Researcher
● North Korea and Middle East.
● Hermit, BouldSpy and GuardZoo
● Reverse engineering, penetration testing, and security software development.
https://www.linkedin.com/in/alemdarh/

#BHEU @BlackHatEvents
Agenda
▪ I - Overview of the Mobile APT Landscape
  ▪ Russia, China, North Korea
▪ II - APTs and Their Tricks
  ▪ Accessing Devices
  ▪ Detection Countermeasures
  ▪ Who’s Under Attack
  ▪ How We Attribute Activity
▪ III - Takeaways
  ▪ Fingerprints of State-Backed Surveillance
  ▪ Mitigation Techniques
  ▪ Call to Action
I - Overview of the Mobile APT Landscape
Russia, China, North Korea
Mobile APT Groups: Russia
2019 - Monokle
2022 - BoneSpy
2023 - Infamous Chisel
2024 - PlainGnome

Monokle
Developer - STC
Used by Likely Turla (FSB Center 16)

BoneSpy
Based on DroidWatcher
Used by …
IoC