Roaming Mantis

Threat Actor Profile Updated 3 months ago
Roaming Mantis, also known as Shaoye, is a financially motivated threat actor first reported in 2017. The group primarily targets mobile device users across several countries, with a particular focus on the Asian region, including Japan, South Korea, and Taiwan. This long-running campaign uses malicious Android package (APK) files to control infected Android devices and steal data, and it also employs phishing pages to harvest user credentials.

The campaign was initially observed using SMS to distribute its malware to Android devices in South Korea. In 2018, Kaspersky first detected Roaming Mantis activity targeting the Asian region. From 2019 to 2022, Kaspersky noted that the campaign predominantly used smishing (phishing carried out through deceptive text messages) to deliver a malicious URL pointing to its landing page. The structure of the campaign was closely observed in March and June 2022, revealing the sophisticated tactics employed by this threat actor.

A significant development in 2022 was the spread of an Android app capable of modifying the DNS settings of Wi-Fi routers through the router's administration interface. Redirecting a router's DNS affects every device on that network, which added a new level of potential disruption and data theft to the group's arsenal. Studying and understanding these evolving tactics and techniques is critical to mitigating threats from groups like Roaming Mantis, allowing threats to be blocked proactively before a given sample is even recognized as malware.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Shaoye | 3 | Shaoye, also known as Roaming Mantis, is a well-known threat actor in the cybersecurity landscape. This entity has been implicated in long-term cyberattack campaigns that primarily focus on Android devices. The modus operandi of Shaoye involves the use of malicious Android package (APK) files to gai
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Android
Malware
DNS
Kaspersky
Phishing
Decoy
Smishing
Associated Malware
ID | Type | Votes | Profile Description
Decoy Dog | Unspecified | 1 | Decoy Dog is a notorious malware that utilizes DNS tunneling for Command and Control (C2) operations, similar to well-known campaigns like DarkHydrus, OilRig, xHunt, and SUNBURST. This malware uses the underlying tunneling tool Pupy, which applies the character '9' as padding when encoding data. Fir
Associated Threat Actors
ID | Type | Votes | Profile Description
No associations to display
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the Roaming Mantis threat actor was read from the document corpus below. This display is limited to 20 results.

Source | Created At | Title
CERT-EU | a year ago | Decoy Dog Malware Upgraded to Include New Features
CERT-EU | a year ago | Subdomain Reputation: Detecting Malicious Subdomains of Public Apex Domains
MITRE | a year ago | The Spring Dragon APT
Securelist | a year ago | Roaming Mantis implements new DNS changer in its malicious mobile app in 2022
CERT-EU | 10 months ago | Overview of IoT threats in 2023 – GIXtools
MITRE | a year ago | APT trends report Q1 2020
MITRE | a year ago | Project TajMahal – a sophisticated new APT framework | Securelist
MITRE | a year ago | Minidionis – one more APT with a usage of cloud drives
CERT-EU | 10 months ago | IoT threats in 2023