GREF

Threat Actor Profile Updated 25 days ago
GREF, a China-aligned Advanced Persistent Threat (APT) group, has been identified as the orchestrator of two active Android malware campaigns. The campaigns distribute malware called BadBazaar through two applications, Signal Plus Messenger and FlyGram, via the Google Play store, the Samsung Galaxy Store, alternative app stores, and dedicated websites. They have been ongoing since July 2023; the threat actors took the open-source code of the popular communication apps Signal and Telegram and built counterfeit versions that host the BadBazaar espionage tool. Significant code similarities exist between the Signal Plus Messenger and FlyGram samples and the BadBazaar malware family, which Lookout attributes to the GREF cluster of APT15. This is consistent with the targeting seen in other Android trojans previously used by GREF, including BadBazaar, SilkBean, DoubleAgent, CarbonSteal, and GoldenEagle. These campaigns are further linked to the Chinese intelligence apparatus, which has operated under names including Winnti, PassCV, APT17, Axiom, LEAD, BARIUM, Wicked Panda, and GREF. The threat posed by the GREF APT group is significant, as evidenced by a recent Distributed Denial of Service (DDoS) attack that Herman Gref, CEO and chairman of the executive board of Sberbank, described as the most powerful in the bank's history. The cybersecurity company ESET identifies the threat actors behind the malicious tool as the China-aligned APT group GREF. These findings underscore the need for robust security controls and continued vigilance against sophisticated groups like GREF.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID (votes): Profile Description
APT15 (2 votes): APT15, also known as Vixen Panda, Nickel, Flea, KE3CHANG, Royal APT, and Playful Dragon, is a threat actor group suspected to be of Chinese origin. The group targets global sectors including trade, economic and financial, energy, and military, aligning with the interests of the Chinese government. I
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Telegram
Android
Signal
Apt
Eset
Spyware
Google
Associated Malware
ID [Type] (votes): Profile Description
Signal Plus Messenger [Unspecified] (2 votes): Signal Plus Messenger and FlyGram are malware variants of a sophisticated espionage tool named BadBazaar, believed to be orchestrated by a China-linked threat actor known as Gref. These malicious applications were distributed through the Google Play store, Samsung Galaxy Store, and specific websites
FlyGram [has used] (2 votes): FlyGram is a malicious software (malware) that first appeared on Google Play in July 2020 and was removed in January 2021. It was designed to exploit and damage users' devices by stealing sensitive data, including basic device information, contact lists, call logs, and Google Account data. The malwa
BadBazaar [Unspecified] (2 votes): BadBazaar is a malicious software (malware) developed by EvilBamboo, a hacker group that primarily targets the Uyghur community in China and abroad, including Turkey and Afghanistan. This malware, along with two others named BADSIGNAL and BADSOLAR, is designed to exploit Android devices through dece
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the GREF Threat Actor was read from the documents corpus below. This display is limited to 20 results.
Source (created): Title
CERT-EU (9 months ago): BadBazaar espionage tool targets Android users via trojanized Signal and Telegram apps
CERT-EU (9 months ago): BadBazaar: Chinese Spyware Shams Signal, Telegram Apps
DARKReading (9 months ago): Chinese Group Spreads Android Spyware Via Trojan Signal, Telegram Apps
BankInfoSecurity (9 months ago): Chinese APT Uses Fake Messenger Apps to Spy on Android Users
Securityaffairs (7 months ago): The largest Russian bank Sberbank hit by a massive DDoS attack
CERT-EU (9 months ago): Chinese GREF APT distributes spyware via trojanized Signal and Telegram apps on Google Play and Samsung Galaxy stores | IT Security News
CERT-EU (a year ago): Moving Toward a Global Empire: Humanity Sentenced to a Unipolar Prison and a Digital Gulag - Global Research
Securityaffairs (9 months ago): Chinese GREF APT distributes spyware via trojanized Signal and Telegram apps on Google Play and Samsung Galaxy stores
CERT-EU (9 months ago): Cyber Security Week in Review: September 1, 2023
CERT-EU (7 months ago): Burning Umbrella: An Intelligence Report on the Winnti Umbrella and Associated State-Sponsored Attackers
CERT-EU (9 months ago): Trojanized Signal and Telegram apps on Google Play delivered spyware
CERT-EU (9 months ago): New China-linked "BadBazaar" targets Android users via fake Signal, Telegram apps
CERT-EU (9 months ago): China-Linked BadBazaar Android Spyware Targeting Signal and Telegram Users – GIXtools
CERT-EU (9 months ago): Delete these 2-fake messaging apps tied to China-aligned hacking group before your personal information is stolen | Technology | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
InfoSecurity-magazine (9 months ago): Chinese APT Group GREF Use BadBazaar in Android Espionage
Securityaffairs (9 months ago): Security Affairs newsletter Round 435 by Pierluigi Paganini
CERT-EU (9 months ago): Android malware: BadBazaar was distributed via the Google Play Store and the Samsung Store
CERT-EU (9 months ago): Trojanized Android messaging apps used for BadBazaar spyware distribution
CERT-EU (9 months ago): BadBazaar Malware Attacking Android Users via Weaponized Telegram & Signal Apps
CERT-EU (9 months ago): BadBazaar Malware Attacking Android Users via Weaponized Telegram & Signal Apps | IT Security News