Wyrmspy

Malware updated 5 months ago (2024-05-04T21:18:34.940Z)
Download STIX
Preview STIX
WyrmSpy is a sophisticated malware attributed to the Chinese espionage group APT41, also known as Double Dragon, BARIUM, and Winnti. This harmful software, designed to exploit and damage computer systems or devices, infects systems through suspicious downloads, emails, or websites, often without user knowledge. Once inside, it can steal personal information, disrupt operations, or even hold data hostage for ransom. The malware, along with another called DragonEgg, provides threat actors with advanced surveillance capabilities and access to sensitive data, particularly on mobile devices. Cybersecurity firm Lookout linked WyrmSpy and DragonEgg to APT41 in a report published after their Threat Lab researchers analyzed these two mobile malware families. Discovered in July 2023, WyrmSpy (also known as AndroidControl) was found to share the same infrastructure as LightSpy and is believed by ThreatFabric researchers to be its successor. These malware variants were used by APT41 to target over 100 public and private sector organizations, primarily targeting Android mobile devices. Notably, unique strings—win10 + microsoft and andropwn—were found in two of the WyrmSpy Indicators of Compromise (IoCs), suggesting connections to Microsoft and Android ownership. Further analysis revealed other connected artifacts that could put organizations at risk. Similarities between APT41 and DragonEgg were also found through DNS searches, indicating close ties between them. This highlights the evolving threat landscape and the increasing sophistication of malicious actors in leveraging malware for cyber espionage.
Description last updated: 2024-05-04T20:41:57.312Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
DragonEgg is a possible alias for Wyrmspy. DragonEgg is a malware associated with the notorious Chinese Advanced Persistent Threat (APT) group, APT41. This malicious software was developed to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites. The malware has been linked to surveillance
4
APT41 is a possible alias for Wyrmspy. APT41, also known as Winnti, Wicked Panda, and Brass Typhoon, is a significant threat actor attributed to China. This group has been active since at least 2012 and has targeted organizations in over 14 countries. It uses a wide range of malware, with at least 46 different code families and tools obs
4
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Android
Spyware
Telegram
Malware
Apt
Espionage
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The Winnti Threat Actor is associated with Wyrmspy. Winnti, a notorious threat actor group, has been linked to several sophisticated cyber-espionage activities. First identified by Kaspersky in 2013, it is believed that the group has been active since at least 2007, primarily targeting software supply chains to spread malware. Winnti is part of the AUnspecified
2
The Barium Threat Actor is associated with Wyrmspy. Barium, also known as BRONZE ATLAS or APT41, is a threat actor that has been associated with various malicious activities. Originating from China and active since at least 2007, this group has been implicated in cyberespionage efforts targeting multiple sectors across the globe. In 2017, according tUnspecified
2