Wyrmspy

Malware updated 4 months ago (2024-05-04T21:18:34.940Z)
WyrmSpy is a sophisticated malware attributed to the Chinese espionage group APT41, also known as Double Dragon, BARIUM, and Winnti. Designed to exploit and damage computer systems or devices, it infects systems through suspicious downloads, emails, or websites, often without the user's knowledge; once inside, it can steal personal information, disrupt operations, or hold data hostage for ransom. Together with a second family called DragonEgg, it provides the threat actors with advanced surveillance capabilities and access to sensitive data, particularly on mobile devices. The cybersecurity firm Lookout linked WyrmSpy and DragonEgg to APT41 in a report published after its Threat Lab researchers analyzed the two mobile malware families. Discovered in July 2023, WyrmSpy (also known as AndroidControl) was found to share the same infrastructure as LightSpy, and ThreatFabric researchers believe it to be LightSpy's successor. APT41 used these malware variants against more than 100 public- and private-sector organizations, primarily targeting Android mobile devices. Notably, the unique strings "win10 + microsoft" and "andropwn" were found in two of the WyrmSpy indicators of compromise (IoCs), suggesting connections to Microsoft and Android ownership. Further analysis revealed other connected artifacts that could put organizations at risk. Similarities between APT41 and DragonEgg were also found through DNS searches, indicating close ties between them. This highlights the evolving threat landscape and the increasing sophistication of malicious actors in leveraging malware for cyber espionage.
Description last updated: 2024-05-04T20:41:57.312Z
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions are hard to track across vendors, so the following are possible overlapping names and profiles that may also be relevant.
ID (votes): Profile Description
DragonEgg (4 votes): DragonEgg is a malware associated with the notorious Chinese Advanced Persistent Threat (APT) group, APT41. This malicious software was developed to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites. The malware has been linked to surveillance
APT41 (4 votes): APT41, a threat actor attributed to China, has been actively targeting organizations in at least 14 countries since 2012. The group is known for its use of an extensive range of malware, with at least 46 different code families and tools observed in their operations. They are associated with various
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Android
Spyware
Telegram
Malware
Apt
Espionage
Associated Threat Actors
ID, Type (votes): Profile Description
Winnti, Unspecified (2 votes): The Winnti Group is a sophisticated threat actor that has been active since at least 2007, first identified by Kaspersky in 2013. This collective of Chinese nation-state hackers is known for its advanced cyberespionage capabilities and its unique strategy of targeting legitimate software supply chai
Barium, Unspecified (2 votes): Barium, also known as BRONZE ATLAS or APT41, is a threat actor that has been associated with various malicious activities. Originating from China and active since at least 2007, this group has been implicated in cyberespionage efforts targeting multiple sectors across the globe. In 2017, according t
Source Document References
Information about the Wyrmspy malware was read from the document corpus below. This display is limited to 20 results.
Source (created): Title
CERT-EU (6 months ago): Lookout | Webinar: Analyzing Scattered Spider and APT41 Attacks | Lookout Webinar
CERT-EU (a year ago): Chinese APT Actors Target WeChat Users
CERT-EU (a year ago): LightSpy iPhone Spyware Linked to Chinese APT41 Group
BankInfoSecurity (a year ago): Chinese APT Actors Target WeChat Users
CERT-EU (a year ago): Finding WyrmSpy and DragonEgg Ties to APT41 in the DNS
CERT-EU (a year ago): Why Should You Care About Chinese APTs and Nation State Attacks? | Lookout
CERT-EU (a year ago): Chinese APT41 Hackers Target Mobile Devices with New WyrmSpy and DragonEgg Spyware | IT Security News
CERT-EU (a year ago): In Other News: Military Emails Leaked, Google Restricts Internet Access, Chinese Spyware
CERT-EU (a year ago): Cyber Security Week In Review: July 21, 2023
BankInfoSecurity (a year ago): Chinese Threat Group APT41 Linked To Android Malware Attacks
CERT-EU (a year ago): Experts attribute WyrmSpy and DragonEgg spyware to the Chinese APT41 group | IT Security News
Securityaffairs (a year ago): Experts attribute WyrmSpy and DragonEgg spyware to the Chinese APT41 group
DARKReading (a year ago): China's APT41 Linked to WyrmSpy, DragonEgg Mobile Spyware
CERT-EU (a year ago): Chinese APT41 Linked to WyrmSpy and DragonEgg Surveillanceware