Date: 06/27/2025
Severity: Medium
Summary
A variant of the Android-based Remote Access Trojan (RAT) known as SpyMax is currently being distributed through social engineering campaigns. Cybercriminals are targeting mobile users by spreading fake apps—such as counterfeit versions of Telegram or wedding invitation apps—via messaging platforms like WhatsApp. These malicious apps are disguised as legitimate software to trick users into granting extensive permissions. Once installed, the malware gives attackers full control over the infected device and exfiltrates sensitive data including contacts, SMS messages, banking OTPs, and notification content to a remote attacker-controlled server.
Indicators of Compromise (IOC) List
Type       | Indicator
URL/Domain | https://telegroms.icu/assets/download/ready.apk
URL/Domain | http://154.213.65.28:7771
URL/Domain | telegroms.icu
IP Address | 154.213.65.28
IP Address | 104.234.167.145
Hash (MD5) | c58b2bacd7c34ef998497032448e3095
Hash (MD5) | 66a7fd9bd39b1ba0c097698b68fd94a7
Hash (MD5) | 9C42A99693A2D68D7A19D7F090BD2977
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 (URL/domain):
domainname like "https://telegroms.icu/assets/download/ready.apk" or siteurl like "https://telegroms.icu/assets/download/ready.apk" or url like "https://telegroms.icu/assets/download/ready.apk" or domainname like "http://154.213.65.28:7771" or siteurl like "http://154.213.65.28:7771" or url like "http://154.213.65.28:7771" or domainname like "telegroms.icu" or siteurl like "telegroms.icu" or url like "telegroms.icu"
Detection Query 2 (IP address):
dstipaddress IN ("154.213.65.28","104.234.167.145") or srcipaddress IN ("154.213.65.28","104.234.167.145")
Detection Query 3 (file hash):
md5hash IN ("9C42A99693A2D68D7A19D7F090BD2977","c58b2bacd7c34ef998497032448e3095","66a7fd9bd39b1ba0c097698b68fd94a7")
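As an added example (not part of the advisory and not Gurucul's own tooling), the Python below applies the same three matching rules to log events outside TDIR: field names follow the queries above, while the key=value log format and the sample events are assumptions constructed for the demonstration.

```python
import re
# IOC values copied from the advisory above; MD5s are lower-cased because one is listed upper-case.
IOC_URLS = {"https://telegroms.icu/assets/download/ready.apk",
            "http://154.213.65.28:7771", "telegroms.icu"}
IOC_IPS = {"154.213.65.28", "104.234.167.145"}
IOC_MD5 = {h.lower() for h in ("c58b2bacd7c34ef998497032448e3095",
                               "66a7fd9bd39b1ba0c097698b68fd94a7",
                               "9C42A99693A2D68D7A19D7F090BD2977")}

# Assumed log format: space-separated key=value pairs, values optionally double-quoted.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line):
    """Turn one key=value log line into a dict with surrounding quotes removed."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def match_iocs(event):
    """Apply the three detection queries to one event; returns (field, ioc, query_no) hits."""
    hits = []
    # Query 1: 'like' is a substring test, so the bare domain also fires on any full URL under it.
    for field in ("domainname", "siteurl", "url"):
        value = event.get(field, "")
        hits += [(field, ioc, 1) for ioc in IOC_URLS if ioc in value]
    # Query 2: exact match on either endpoint of the connection.
    for field in ("dstipaddress", "srcipaddress"):
        if event.get(field) in IOC_IPS:
            hits.append((field, event[field], 2))
    # Query 3: MD5 of the observed file, compared case-insensitively.
    md5 = event.get("md5hash", "").lower()
    if md5 in IOC_MD5:
        hits.append(("md5hash", md5, 3))
    return hits

def scan(lines):
    """Return [(line_number, hits)] for every line that matched at least one IOC."""
    findings = []
    for number, line in enumerate(lines, 1):
        hits = match_iocs(parse_event(line))
        if hits:
            findings.append((number, hits))
    return findings

# Constructed sample events for demonstration; not taken from the advisory.
SAMPLE_LOGS = [
    'ts=2025-06-27T10:01:02Z srcipaddress=10.0.0.12 dstipaddress=154.213.65.28 dstport=7771',
    'ts=2025-06-27T10:01:05Z srcipaddress=10.0.0.12 url="https://telegroms.icu/assets/download/ready.apk"',
    'ts=2025-06-27T10:02:00Z filename=ready.apk md5hash=9c42a99693a2d68d7a19d7f090bd2977',
    'ts=2025-06-27T10:03:00Z url="https://example.org/index.html" dstipaddress=93.184.216.34',
]
```

Running `scan(SAMPLE_LOGS)` flags the first three events (C2 connection, dropper download, dropper hash) and leaves the fourth, benign event untouched; note that the substring semantics of `like` means a full URL on the listed domain matches twice, once for the URL and once for the bare domain.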
Reference:
https://www.csk.gov.in/alerts/SpyMax_android_malware.html
https://otx.alienvault.com/pulse/667ecd82548e727132558c15