Roaming Mantis

Threat Actor updated a month ago (2024-11-29T13:31:12.250Z)

Download STIX

Preview STIX

Roaming Mantis, also known as Shaoye, is a financially motivated threat actor first reported in 2017. The group primarily targets mobile device users across several countries, with a particular focus on the Asian region, including Japan, South Korea, and Taiwan. This long-term cyberattack campaign uses malicious Android package (APK) files to control infected Android devices and steal data. It also employs phishing pages to pilfer user credentials. The Roaming Mantis campaign was initially observed using SMS to distribute its malware to Android devices based in South Korea. From 2019 to 2022, cybersecurity firm Kaspersky noted that the Roaming Mantis campaign predominantly used smishing, a form of phishing involving deceptive text messages, to deliver a malicious URL to their landing page. In 2018, Kaspersky first detected Roaming Mantis activities targeting the Asian region. The structure of the Roaming Mantis campaign was closely observed in March and June 2022, revealing the sophisticated tactics employed by this threat actor. A significant aspect of the Roaming Mantis campaign in 2022 involved spreading an Android app capable of modifying DNS settings on Wi-Fi routers through the administration interface. This tactic added a new level of potential disruption and data theft to their arsenal. Studying and understanding these evolving tactics and techniques is critical in mitigating threats from groups like Roaming Mantis, allowing for proactive blocking of threats before they are even recognized as malware.

Description last updated: 2024-05-05T00:28:01.133Z

What's your take? (Question 1 of 3)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Shaoye is a possible alias for Roaming Mantis. Shaoye, also known as Roaming Mantis, is a well-known threat actor in the cybersecurity landscape. This entity has been implicated in long-term cyberattack campaigns that primarily focus on Android devices. The modus operandi of Shaoye involves the use of malicious Android package (APK) files to gai	3

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Android

Malware

DNS

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Source Document References

Information about the Roaming Mantis Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
CERT-EU	a year ago	Decoy Dog Malware Upgraded to Include New Features
CERT-EU	2 years ago	Subdomain Reputation: Detecting Malicious Subdomains of Public Apex Domains
MITRE	2 years ago	The Spring Dragon APT
Securelist	2 years ago	Roaming Mantis implements new DNS changer in its malicious mobile app in 2022
CERT-EU	a year ago	Overview of IoT threats in 2023 – GIXtools
MITRE	2 years ago	APT trends report Q1 2020
MITRE	2 years ago	Project TajMahal – a sophisticated new APT framework \| Securelist
MITRE	2 years ago	Minidionis – one more APT with a usage of cloud drives
CERT-EU	a year ago	IoT threats in 2023