GhostBat RAT: Inside the Resurgence of RTO-Themed Android Malware

    Date: 10/15/2025

    Severity: High

    Summary

    The team has detected a surge in Android malware posing as Indian RTO apps and targeting Indian users to steal sensitive data. The malware spreads via WhatsApp and SMS messages carrying shortened links that redirect to malicious APKs hosted on GitHub or on compromised websites. Once installed, it uses phishing pages to steal banking credentials and UPI PINs, and intercepts SMS messages containing financial data. Some variants also include cryptocurrency mining features. Device registration is done through a Telegram bot named GhostBatRat_bot, linking the threat to the "GhostBat RAT" campaign.

    Indicators of Compromise (IOC) List

    Domains / URLs:
    Hashes (SHA-256):
    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "https://explore-delhi.github.io/Application/mParivahan.apk" or url like "https://explore-delhi.github.io/Application/mParivahan.apk" or siteurl like "https://explore-delhi.github.io/Application/mParivahan.apk" or domainname like "https://shorturl.at/YDFSq" or url like "https://shorturl.at/YDFSq" or siteurl like "https://shorturl.at/YDFSq" or domainname like "http://raw.githubusercontent.com/sagargupta104/kkos/refs/heads/main/mParivahan.apk" or url like "http://raw.githubusercontent.com/sagargupta104/kkos/refs/heads/main/mParivahan.apk" or siteurl like "http://raw.githubusercontent.com/sagargupta104/kkos/refs/heads/main/mParivahan.apk" or domainname like "https://skincareanti-aging.com/mParivahan.apk" or url like "https://skincareanti-aging.com/mParivahan.apk" or siteurl like "https://skincareanti-aging.com/mParivahan.apk" or domainname like "http://adamfeibelman.com/wp-admin/network/.clone_asOlB0zY/mParivahan-eTicket.apk" or url like "http://adamfeibelman.com/wp-admin/network/.clone_asOlB0zY/mParivahan-eTicket.apk" or siteurl like "http://adamfeibelman.com/wp-admin/network/.clone_asOlB0zY/mParivahan-eTicket.apk" or domainname like "https://cutlink.now/ChaIIan-82" or url like "https://cutlink.now/ChaIIan-82" or siteurl like "https://cutlink.now/ChaIIan-82" or domainname like "https://raw.githubusercontent.com/Anb1212312/thu/refs/heads/main/Mparivahan.apk" or url like "https://raw.githubusercontent.com/Anb1212312/thu/refs/heads/main/Mparivahan.apk" or siteurl like "https://raw.githubusercontent.com/Anb1212312/thu/refs/heads/main/Mparivahan.apk" or domainname like "https://raw.githubusercontent.com/aman77383/2/refs/heads/main/mParivahan.apk" or url like "https://raw.githubusercontent.com/aman77383/2/refs/heads/main/mParivahan.apk" or siteurl like "https://raw.githubusercontent.com/aman77383/2/refs/heads/main/mParivahan.apk" or domainname like "https://www.x3mgolf.dk/wp-admin/network/.clone_SgLT9buH/mParivahan.apk" or url like 
"https://www.x3mgolf.dk/wp-admin/network/.clone_SgLT9buH/mParivahan.apk" or siteurl like "https://www.x3mgolf.dk/wp-admin/network/.clone_SgLT9buH/mParivahan.apk" or domainname like "https://raw.githubusercontent.com/ChaIIan-94/ChaIIan-68/refs/heads/main/mParivahan.apk" or url like "https://raw.githubusercontent.com/ChaIIan-94/ChaIIan-68/refs/heads/main/mParivahan.apk" or siteurl like "https://raw.githubusercontent.com/ChaIIan-94/ChaIIan-68/refs/heads/main/mParivahan.apk" or domainname like "https://raw.githubusercontent.com/Lhasa1223/10-09-FINAL-mParivahan-/refs/heads/main/mParivahan.apk" or url like "https://raw.githubusercontent.com/Lhasa1223/10-09-FINAL-mParivahan-/refs/heads/main/mParivahan.apk" or siteurl like "https://raw.githubusercontent.com/Lhasa1223/10-09-FINAL-mParivahan-/refs/heads/main/mParivahan.apk" or domainname like "https://github.com/harshxcmf-dev/V1/releases/download/V1/NextGen_mparivahan.apk" or url like "https://github.com/harshxcmf-dev/V1/releases/download/V1/NextGen_mparivahan.apk" or siteurl like "https://github.com/harshxcmf-dev/V1/releases/download/V1/NextGen_mparivahan.apk" or domainname like "https://raw.githubusercontent.com/Roni78555/alpha111/refs/heads/main/Mparivahan.apk" or url like "https://raw.githubusercontent.com/Roni78555/alpha111/refs/heads/main/Mparivahan.apk" or siteurl like "https://raw.githubusercontent.com/Roni78555/alpha111/refs/heads/main/Mparivahan.apk" or domainname like "https://raw.githubusercontent.com/vehichle-97/Check-your/refs/heads/main/mParivahan.apk" or url like "https://raw.githubusercontent.com/vehichle-97/Check-your/refs/heads/main/mParivahan.apk" or siteurl like "https://raw.githubusercontent.com/vehichle-97/Check-your/refs/heads/main/mParivahan.apk"

    Detection Query 2:

    domainname like "https://fashionablyemployed.com/mParivahan.apk" or url like "https://fashionablyemployed.com/mParivahan.apk" or siteurl like "https://fashionablyemployed.com/mParivahan.apk" or domainname like "https://raw.githubusercontent.com/a75892701-cmd/ALPHJA1111/refs/heads/main/mparivahan.apk" or url like "https://raw.githubusercontent.com/a75892701-cmd/ALPHJA1111/refs/heads/main/mparivahan.apk" or siteurl like "https://raw.githubusercontent.com/a75892701-cmd/ALPHJA1111/refs/heads/main/mparivahan.apk" or domainname like "https://klinikadentalclinic.ae/wp-content/themes/pridmag/mParivahan.apk" or url like "https://klinikadentalclinic.ae/wp-content/themes/pridmag/mParivahan.apk" or siteurl like "https://klinikadentalclinic.ae/wp-content/themes/pridmag/mParivahan.apk" or domainname like "https://raw.githubusercontent.com/a75892701-cmd/badabadaboor/refs/heads/main/mparivahan.apk" or url like "https://raw.githubusercontent.com/a75892701-cmd/badabadaboor/refs/heads/main/mparivahan.apk" or siteurl like "https://raw.githubusercontent.com/a75892701-cmd/badabadaboor/refs/heads/main/mparivahan.apk" or domainname like "https://raw.githubusercontent.com/Gramme-veichle/Veichle-67/refs/heads/main/mParivahan.apk" or url like "https://raw.githubusercontent.com/Gramme-veichle/Veichle-67/refs/heads/main/mParivahan.apk" or siteurl like "https://raw.githubusercontent.com/Gramme-veichle/Veichle-67/refs/heads/main/mParivahan.apk" or domainname like "https://github.com/Gramme-veichle/Veichle-67/raw/refs/heads/main/mParivahan.apk" or url like "https://github.com/Gramme-veichle/Veichle-67/raw/refs/heads/main/mParivahan.apk" or siteurl like "https://github.com/Gramme-veichle/Veichle-67/raw/refs/heads/main/mParivahan.apk" or domainname like "https://github.com/Gramme-veichle/Check/raw/refs/heads/main/mParivahan.apk" or url like "https://github.com/Gramme-veichle/Check/raw/refs/heads/main/mParivahan.apk" or siteurl like 
"https://github.com/Gramme-veichle/Check/raw/refs/heads/main/mParivahan.apk" or domainname like "https://raw.githubusercontent.com/chutmarike0987/Bhangbhosda/refs/heads/main/Mparivahan.apk" or url like "https://raw.githubusercontent.com/chutmarike0987/Bhangbhosda/refs/heads/main/Mparivahan.apk" or siteurl like "https://raw.githubusercontent.com/chutmarike0987/Bhangbhosda/refs/heads/main/Mparivahan.apk" or domainname like "https://raw.githubusercontent.com/alpha5681/besa/refs/heads/main/mParivahan.apk" or url like "https://raw.githubusercontent.com/alpha5681/besa/refs/heads/main/mParivahan.apk" or siteurl like "https://raw.githubusercontent.com/alpha5681/besa/refs/heads/main/mParivahan.apk" or domainname like "https://yxbu02.short.gy/Govt-Check-challan" or url like "https://yxbu02.short.gy/Govt-Check-challan" or siteurl like "https://yxbu02.short.gy/Govt-Check-challan" or domainname like "https://yxbu02.short.gy/paychallan" or url like "https://yxbu02.short.gy/paychallan" or siteurl like "https://yxbu02.short.gy/paychallan" or domainname like "http://tinyurl.com/jJMCW" or url like "http://tinyurl.com/jJMCW" or siteurl like "http://tinyurl.com/jJMCW" or domainname like "http://tinyurl.com/jjmcw" or url like "http://tinyurl.com/jjmcw" or siteurl like "http://tinyurl.com/jjmcw" or domainname like "http://tinyurl.com/0lziG" or url like "http://tinyurl.com/0lziG" or siteurl like "http://tinyurl.com/0lziG" or domainname like "https://tinyurl.com/Hxmveo" or url like "https://tinyurl.com/Hxmveo" or siteurl like "https://tinyurl.com/Hxmveo" or domainname like "https://tinyurl.com/mseva7" or url like "https://tinyurl.com/mseva7" or siteurl like "https://tinyurl.com/mseva7" or domainname like "https://tinyurl.com/E-ChallanRTO" or url like "https://tinyurl.com/E-ChallanRTO" or siteurl like "https://tinyurl.com/E-ChallanRTO" or domainname like "https://tinyurl.com/Echallan2025" or url like "https://tinyurl.com/Echallan2025" or siteurl like "https://tinyurl.com/Echallan2025" or 
domainname like "https://tinyurl.com/Payfineonline08" or url like "https://tinyurl.com/Payfineonline08" or siteurl like "https://tinyurl.com/Payfineonline08" or domainname like "https://tinyurl.com/payEchallankl08" or url like "https://tinyurl.com/payEchallankl08" or siteurl like "https://tinyurl.com/payEchallankl08" or domainname like "https://tinyurl.com/Paychallankl08" or url like "https://tinyurl.com/Paychallankl08" or siteurl like "https://tinyurl.com/Paychallankl08" or domainname like "https://tinyurl.com/Tap-Here-For-Challan" or url like "https://tinyurl.com/Tap-Here-For-Challan" or siteurl like "https://tinyurl.com/Tap-Here-For-Challan" or domainname like "https://tinyurl.com/payEchallanOnline" or url like "https://tinyurl.com/payEchallanOnline" or siteurl like "https://tinyurl.com/payEchallanOnline" or domainname like "https://api.telegram.org/bot7756409072:AAFQGOT0vQ5gcV1wa2BnTEDsl6KJSBog18w/" or url like "https://api.telegram.org/bot7756409072:AAFQGOT0vQ5gcV1wa2BnTEDsl6KJSBog18w/" or siteurl like "https://api.telegram.org/bot7756409072:AAFQGOT0vQ5gcV1wa2BnTEDsl6KJSBog18w/" or domainname like "https://api.telegram.org/bot6751695148:AAHEYUWDN0BKvpvSycVHp_2kcXPhfeZk75o/" or url like "https://api.telegram.org/bot6751695148:AAHEYUWDN0BKvpvSycVHp_2kcXPhfeZk75o/" or siteurl like "https://api.telegram.org/bot6751695148:AAHEYUWDN0BKvpvSycVHp_2kcXPhfeZk75o/" or domainname like "https://jeuduc-c3310-default-rtdb.firebaseio.com/" or url like "https://jeuduc-c3310-default-rtdb.firebaseio.com/" or siteurl like "https://jeuduc-c3310-default-rtdb.firebaseio.com/"

    Detection Query 3:

    sha256hash IN ("9d05e7ab460ee8e4b542e23f54402f75a820481e94a3ef8a279693d9a040a07b","a75e6ad26c74458fe05686aa0cd88b4cd0b1be3ad5ac6192f3b8a1943ed5b6f7","4327033fce088b26c7811462d15d825efaf51bf638f7eeec2c813646254c1ae0","98991cd9557116b7942925d9c96378b224ad12e2746ac383752b261c31e02a1f","6c775e2ce7de008f2373e99175f669acfd5e72d728151769cfe5fe464f19aa6e","29a5f916350d94b67edfd099fa03a043f758be01e6d54e8339586509ab2d6432","fdb81133b158d3850cd29e8cb78e6328e53c6ac3918819f32cf2e8c780edfb02","4e54023534c99b586f4253c25a83d18234393ac72d411462689e24982dab49e3","f380ebf824402072752b34b45d4e8847969810954d3ce702d3438c5fd7200cd9","d3bfcb0fc5cb22a4ba033a38d0cf402bf82bbbc2ab6c8c7481096edd0ccf1563","aaee01a0a38190f013f06db4cabcd7b3398b7eb336d3aef19c2c259688097355","74ad795f95cf6a4f9135698c912c4a862b89121e32b8297f1f1b794db92aefd5","17076b53b38cc7cc2a6d2f4434291bbd08c7281660fa8dfea56ccdfd40d75c34","37cf078555db17187620167ae5cf42635732a08dcf84ca571ec1ce5c2ab3df68","5de7af8e82889a983a935693892df8739bdeb887c903b6df84bce0da5e508ddf","b100aac64134b3f794daac47888728765cf748af14dd200d92d231ce22c4dea","63af5fec17b54a3ad460aac86c30158a4c825158e1af4988a40baf69094abca1","ccd7756c30763c1074f754b61f98a55a1ffa4a743b3c198c72ef2b1b15436b5c","ff3181ed289fcabd244e946073199dbfc98599552ff8ed4fd5224aa5c684e0a2","69c9e691619a6888c4fc71588bcf42220881c3fd37d2e685bb6c8547585b83ae")
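    The three queries above match exact indicator strings, so a new GitHub repository or shortener slug slips past them. The Python below is an added example, not part of this advisory or of Gurucul's TDIR: it turns the campaign traits the summary describes (an mParivahan-named APK served from GitHub or a compromised WordPress path, shortened lure links, Telegram Bot API contact) into pattern checks and runs them over constructed proxy-log lines. The log format, the field names and every host, path and bot token in the sample are assumed placeholders.

```python
import re
from urllib.parse import urlparse
# Pattern form of the exact-match TDIR queries above (added example; the log format
# and field names are assumed). Traits from the advisory: an mParivahan-named APK on
# GitHub raw/release/pages or compromised WordPress paths, shortened links, Telegram Bot API.
APK_NAME = re.compile(r"/[^/]*parivahan[^/]*\.apk$", re.IGNORECASE)
GITHUB_HOSTS = {"raw.githubusercontent.com", "github.com"}
SHORTENERS = {"tinyurl.com", "shorturl.at", "cutlink.now"}
WORDPRESS_PATH = re.compile(r"/wp-(admin|content)/")
TELEGRAM_BOT = re.compile(r"^/bot\d+:[\w-]+/")  # /bot<id>:<token>/<method>

def classify_url(url: str) -> list:
    """Return the campaign traits a URL matches (empty list means no match)."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    traits = []
    if APK_NAME.search(p.path):
        if host in GITHUB_HOSTS or host.endswith(".github.io"):
            traits.append("rto-apk-on-github")
        elif WORDPRESS_PATH.search(p.path):
            traits.append("rto-apk-on-compromised-wordpress")
        else:
            traits.append("rto-apk-download")
    if host == "api.telegram.org" and TELEGRAM_BOT.match(p.path):
        traits.append("telegram-bot-api")
    if host in SHORTENERS or host.endswith(".short.gy"):
        traits.append("link-shortener")  # low confidence on its own
    return traits

def scan_log(text: str) -> list:
    """Run classify_url over 'ts src os url' lines; return (src, url, traits) hits."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines instead of crashing on them
        _ts, src, _os, url = fields
        traits = classify_url(url)
        if traits:
            findings.append((src, url, traits))
    return findings

# Constructed sample proxy log; hosts, paths and the bot token are placeholders.
SAMPLE_LOG = """\
2025-10-15T09:12:03Z 10.0.0.21 Android https://raw.githubusercontent.com/example-user/repo/refs/heads/main/mParivahan.apk
2025-10-15T09:12:41Z 10.0.0.21 Android https://api.telegram.org/bot0000000000:PLACEHOLDER_TOKEN/sendMessage
2025-10-15T09:13:10Z 10.0.0.34 Android https://tinyurl.com/constructed-challan-lure
2025-10-15T09:14:55Z 10.0.0.50 Android https://www.example.org/wp-admin/network/.clone_XXXXXXXX/mParivahan-eTicket.apk
"""
```

    A device that both downloads a matching APK and then contacts the Telegram Bot API (the first two sample lines share a source) is the sequence worth alerting on; a shortener hit alone only raises priority.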

    Reference:

    https://cyble.com/blog/ghostbat-rat-inside-the-resurgence-of-rto-themed-android-malware/ 


    Tags

    Malware, GhostBat RAT, Android Malware, Indian RTO, India, Phishing, Cryptocurrency Mining, Telegram, WhatsApp, Botnet, Data Stealer, Financial Services