PJobRAT makes a comeback, takes another crack at chat apps

    Date: 03/28/2025

    Severity: High

    Summary

    In 2021, researchers reported that PJobRAT, an Android RAT first seen in 2019, targeted Indian military personnel by mimicking dating and messaging apps. Since then, little had been reported until a recent threat hunt uncovered a now-concluded campaign targeting users in Taiwan. PJobRAT can steal SMS messages, contacts, device details, documents, and media files from infected Android devices. In this latest campaign, researchers found PJobRAT samples posing as instant messaging apps, with all identified victims based in Taiwan.

    Indicators of Compromise (IOC) List


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Domain\URL :

    userdomainname like "itechcube.xyz" or url like "itechcube.xyz" or userdomainname like "toolkitapi.xyz" or url like "toolkitapi.xyz" or userdomainname like "http://westvist.myftp.org:8181/socket.io/?EIO=4&transport=websocket" or url like "http://westvist.myftp.org:8181/socket.io/?EIO=4&transport=websocket" or userdomainname like "westvist.myftp.org" or url like "westvist.myftp.org" or userdomainname like "lifestylespractice.wordpress.com" or url like "lifestylespractice.wordpress.com" or userdomainname like "dependablework.wordpress.com" or url like "dependablework.wordpress.com" or userdomainname like "org.complexy.hard" or url like "org.complexy.hard" or userdomainname like "com.happyho.app" or url like "com.happyho.app" or userdomainname like "sa.aangal.lite" or url like "sa.aangal.lite" or userdomainname like "net.over.simple" or url like "net.over.simple" or userdomainname like "http://westvist.myftp.org:3574/notification/chat_notification_v2.php" or url like "http://westvist.myftp.org:3574/notification/chat_notification_v2.php" or userdomainname like "http://westvist.myftp.org:3574/m_chowa_srv/main.php" or url like "http://westvist.myftp.org:3574/m_chowa_srv/main.php" or userdomainname like "westvist.myftp.org:8181" or url like "westvist.myftp.org:8181" or userdomainname like "westvist.myftp.org:3574" or url like "westvist.myftp.org:3574"

    Hash :

    sha256hash IN ("0ebcfbcda27b84b8f0db6d50abb1b0ff7831938913912156d27880704e69f1f2","0ad9cd56764ef70bdfbd3b2d269020557135f075d63327dbaab1bf0e9d816fb5","44a05d1e36938c0d6039e0986de91744482d86d641d1d981f3e8a61385fb33a3","37c390ff137ac71004223c73b99a9d8eec8ae2e879dee679bda29c09e1b11a37")
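As an added example (not code from the original advisory or from the Sophos report), the two queries above can be expressed as a small Python matcher and run over constructed log records. The field names userdomainname, url and sha256hash are taken from the queries; treating the query's "like" as a case-insensitive substring test is an assumption, and the record ids and non-IOC values in the sample log are constructed.

```python
# Emulates the Domain\URL and Hash detection queries above over sample records.
# IOC values come from the advisory; the log records below are constructed.

# A bare host name matched as a substring already covers the port-qualified
# and full-URL forms listed in the query, so the host names alone suffice.
IOC_HOSTS = (
    "westvist.myftp.org", "toolkitapi.xyz", "itechcube.xyz",
    "dependablework.wordpress.com", "lifestylespractice.wordpress.com",
)
# Android package names that the advisory lists under Domain\URL.
IOC_PACKAGES = ("org.complexy.hard", "com.happyho.app",
                "sa.aangal.lite", "net.over.simple")
IOC_SHA256 = {
    "0ad9cd56764ef70bdfbd3b2d269020557135f075d63327dbaab1bf0e9d816fb5",
    "0ebcfbcda27b84b8f0db6d50abb1b0ff7831938913912156d27880704e69f1f2",
    "37c390ff137ac71004223c73b99a9d8eec8ae2e879dee679bda29c09e1b11a37",
    "44a05d1e36938c0d6039e0986de91744482d86d641d1d981f3e8a61385fb33a3",
}


def matches_network(record):
    """Return the matching IOC for `userdomainname like X or url like X`, else None.
    Assumption: `like` here behaves as a case-insensitive substring test."""
    fields = (record.get("userdomainname", ""), record.get("url", ""))
    for ioc in IOC_HOSTS + IOC_PACKAGES:
        if any(ioc.lower() in f.lower() for f in fields):
            return ioc
    return None


def matches_hash(record):
    """Return the SHA-256 if it is in the IOC set (`sha256hash IN (...)`), else None.
    Hashes are normalised to lowercase so upper-case log values still match."""
    digest = record.get("sha256hash", "").lower()
    return digest if digest in IOC_SHA256 else None


def triage(records):
    """Run both queries over each record; yield (id, ioc) for every hit."""
    return [(r["id"], hit) for r in records
            if (hit := matches_network(r) or matches_hash(r))]


# Constructed sample records (id 3 and 5 are benign controls).
SAMPLE_LOGS = [
    {"id": 1, "userdomainname": "westvist.myftp.org", "url": ""},
    {"id": 2, "url": "http://westvist.myftp.org:3574/m_chowa_srv/main.php"},
    {"id": 3, "url": "https://example.invalid/login"},
    {"id": 4, "sha256hash": "0AD9CD56764EF70BDFBD3B2D269020557135F075D63327DBAAB1BF0E9D816FB5"},
    {"id": 5, "sha256hash": "0" * 64},
]
```

Running `triage(SAMPLE_LOGS)` flags records 1, 2 and 4 and leaves the two benign controls alone.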

    Reference:

    https://news.sophos.com/en-us/2025/03/27/pjobrat-makes-a-comeback-takes-another-crack-at-chat-apps/


    Tags

    Malware, PJobRAT, RAT, Taiwan
