Multi-Stage Android Malware Delivery Campaign

    Date: 10/17/2025

    Severity: High

    Summary

    A sophisticated Android campaign uses adult-content lures to distribute malicious APKs. It has a multi-stage architecture: obfuscated front-end lure sites and a separate backend. The front-end pages use commercial JS obfuscation (jsjiami[.]com) and Triple DES to conceal backend URLs and configuration. Evasion techniques include deceptive loading messages and timing checks (e.g., measuring the load time of a test image) to frustrate analysis. A resilient, dynamic backend design (stable IPs, rotating subdomains) and heavily obfuscated payloads (core logic hidden in a native .so, with varying filenames) enable stealthy APK downloads. After installation, the app relies on generic app names and CY51[.]TV branding while requesting aggressive permissions (phishing overlays, screen capture, install/filesystem manipulation); it becomes unstable or crashes if those permissions are denied, which indicates its malicious purpose.

    Indicators of Compromise (IOC) List

    Domains/URLs:

    0122.org

    0125.org

    0126.org

    0131.org

    0142.org

    0147.org

    0148.org

    0150.org

    0153.org

    0154.org

    759zf6jimb6hqlz.xn--xkrs9bw60j.top

    chuye001.oss-accelerate.aliyuncs.com

    cy5151.tv

    eoeretnrlaxcrswj.top

    pkosjalge.xn--cjrrl00m3uo.top

    rjgjds.com

    <subdomain>.912233.shop

    https://192.250.245.109?channelCode=hxyd100214

    https://192.250.245.110?channelCode=hxyd100214

    https://192.250.245.111?channelCode=hxyd100214

    https://192.250.245.112?channelCode=hxyd100214

    https://192.250.245.113?channelCode=hxyd100214

    https://192.250.245.114?channelCode=hxyd100214

    https://192.250.245.115?channelCode=hxyd100214

    https://192.250.245.116?channelCode=hxyd100214

    https://192.250.245.109/chuye/cdn_domain.js

    https://759zf6jimb6hqlz.xn--xkrs9bw60j.top?channelCode=hxyd100214

    https://chuye001.oss-accelerate.aliyuncs.com/page389/body.js

    https://chuye001.oss-accelerate.aliyuncs.com/page389/conf/page0389.js

    https://pkosjalge.xn--cjrrl00m3uo.top?channelCode=hxyd100214

    https://rjaupwhep.eoeretnrlaxcrswj.top/index?key=c940de1950fd486180df688ad883aff2

    IP Addresses:

    23.231.159.78

    192.250.245.109

    192.250.245.110

    192.250.245.111

    192.250.245.112

    192.250.245.113

    192.250.245.114

    192.250.245.115

    192.250.245.116

    Hashes (SHA256):

    cb1f470dbb311fc5a43b5a74ebdcc5af3316932feecff0599201db9b9932ca98

    ded66571c267ff6b4633ef272480b822aaf509adf12010e3e38fc1f5201e48b0

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "0122.org" or siteurl like "0122.org" or url like "0122.org" or
    domainname like "0125.org" or siteurl like "0125.org" or url like "0125.org" or
    domainname like "0126.org" or siteurl like "0126.org" or url like "0126.org" or
    domainname like "0131.org" or siteurl like "0131.org" or url like "0131.org" or
    domainname like "0142.org" or siteurl like "0142.org" or url like "0142.org" or
    domainname like "0147.org" or siteurl like "0147.org" or url like "0147.org" or
    domainname like "0148.org" or siteurl like "0148.org" or url like "0148.org" or
    domainname like "0150.org" or siteurl like "0150.org" or url like "0150.org" or
    domainname like "0153.org" or siteurl like "0153.org" or url like "0153.org" or
    domainname like "0154.org" or siteurl like "0154.org" or url like "0154.org" or
    domainname like "759zf6jimb6hqlz.xn--xkrs9bw60j.top" or siteurl like "759zf6jimb6hqlz.xn--xkrs9bw60j.top" or url like "759zf6jimb6hqlz.xn--xkrs9bw60j.top" or
    domainname like "chuye001.oss-accelerate.aliyuncs.com" or siteurl like "chuye001.oss-accelerate.aliyuncs.com" or url like "chuye001.oss-accelerate.aliyuncs.com" or
    domainname like "cy5151.tv" or siteurl like "cy5151.tv" or url like "cy5151.tv" or
    domainname like "eoeretnrlaxcrswj.top" or siteurl like "eoeretnrlaxcrswj.top" or url like "eoeretnrlaxcrswj.top" or
    domainname like "pkosjalge.xn--cjrrl00m3uo.top" or siteurl like "pkosjalge.xn--cjrrl00m3uo.top" or url like "pkosjalge.xn--cjrrl00m3uo.top" or
    domainname like "rjgjds.com" or siteurl like "rjgjds.com" or url like "rjgjds.com" or
    domainname like "<subdomain>.912233.shop" or siteurl like "<subdomain>.912233.shop" or url like "<subdomain>.912233.shop" or
    domainname like "https://192.250.245.109?channelCode=hxyd100214" or siteurl like "https://192.250.245.109?channelCode=hxyd100214" or url like "https://192.250.245.109?channelCode=hxyd100214" or
    domainname like "https://192.250.245.110?channelCode=hxyd100214" or siteurl like "https://192.250.245.110?channelCode=hxyd100214" or url like "https://192.250.245.110?channelCode=hxyd100214" or
    domainname like "https://192.250.245.111?channelCode=hxyd100214" or siteurl like "https://192.250.245.111?channelCode=hxyd100214" or url like "https://192.250.245.111?channelCode=hxyd100214" or
    domainname like "https://192.250.245.112?channelCode=hxyd100214" or siteurl like "https://192.250.245.112?channelCode=hxyd100214" or url like "https://192.250.245.112?channelCode=hxyd100214" or
    domainname like "https://192.250.245.113?channelCode=hxyd100214" or siteurl like "https://192.250.245.113?channelCode=hxyd100214" or url like "https://192.250.245.113?channelCode=hxyd100214" or
    domainname like "https://192.250.245.114?channelCode=hxyd100214" or siteurl like "https://192.250.245.114?channelCode=hxyd100214" or url like "https://192.250.245.114?channelCode=hxyd100214" or
    domainname like "https://192.250.245.115?channelCode=hxyd100214" or siteurl like "https://192.250.245.115?channelCode=hxyd100214" or url like "https://192.250.245.115?channelCode=hxyd100214" or
    domainname like "https://192.250.245.116?channelCode=hxyd100214" or siteurl like "https://192.250.245.116?channelCode=hxyd100214" or url like "https://192.250.245.116?channelCode=hxyd100214" or
    domainname like "https://192.250.245.109/chuye/cdn_domain.js" or siteurl like "https://192.250.245.109/chuye/cdn_domain.js" or url like "https://192.250.245.109/chuye/cdn_domain.js" or
    domainname like "https://759zf6jimb6hqlz.xn--xkrs9bw60j.top?channelCode=hxyd100214" or siteurl like "https://759zf6jimb6hqlz.xn--xkrs9bw60j.top?channelCode=hxyd100214" or url like "https://759zf6jimb6hqlz.xn--xkrs9bw60j.top?channelCode=hxyd100214" or
    domainname like "https://chuye001.oss-accelerate.aliyuncs.com/page389/body.js" or siteurl like "https://chuye001.oss-accelerate.aliyuncs.com/page389/body.js" or url like "https://chuye001.oss-accelerate.aliyuncs.com/page389/body.js" or
    domainname like "https://chuye001.oss-accelerate.aliyuncs.com/page389/conf/page0389.js" or siteurl like "https://chuye001.oss-accelerate.aliyuncs.com/page389/conf/page0389.js" or url like "https://chuye001.oss-accelerate.aliyuncs.com/page389/conf/page0389.js" or
    domainname like "https://pkosjalge.xn--cjrrl00m3uo.top?channelCode=hxyd100214" or siteurl like "https://pkosjalge.xn--cjrrl00m3uo.top?channelCode=hxyd100214" or url like "https://pkosjalge.xn--cjrrl00m3uo.top?channelCode=hxyd100214" or
    domainname like "https://rjaupwhep.eoeretnrlaxcrswj.top/index?key=c940de1950fd486180df688ad883aff2" or siteurl like "https://rjaupwhep.eoeretnrlaxcrswj.top/index?key=c940de1950fd486180df688ad883aff2" or url like "https://rjaupwhep.eoeretnrlaxcrswj.top/index?key=c940de1950fd486180df688ad883aff2"

    Detection Query 2:

    dstipaddress IN ("23.231.159.78","192.250.245.109","192.250.245.110","192.250.245.111","192.250.245.112","192.250.245.113","192.250.245.114","192.250.245.115","192.250.245.116") or srcipaddress IN ("23.231.159.78","192.250.245.109","192.250.245.110","192.250.245.111","192.250.245.112","192.250.245.113","192.250.245.114","192.250.245.115","192.250.245.116")

    Detection Query 3:

    sha256hash IN ("cb1f470dbb311fc5a43b5a74ebdcc5af3316932feecff0599201db9b9932ca98","ded66571c267ff6b4633ef272480b822aaf509adf12010e3e38fc1f5201e48b0")

    Reference:

    https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-10-16-Multi-Stage-Android-Malware-Campaign.md


    Tags: Android Malware, CY51, Phishing
