= Android backdoor spies on employees of Russian businesses ― Indicators of compromise

== Samples

|===
| SHA-1 | Package name | Version | Thumbprint

| 38717aeeb365bcfe74760cb59ffcb4a92ab32604 | com.google.android | - | 81fba3e7821cdb38d8bb6767fef00dc7fab63ca6
| 8b4b205d7efef0f5f887f627c89629082927e4a9 | ru.safezone.safeguard | - | e018304ee662319225bc32755eee149d8d7d9f2e
| f88410271b51ba751242e31384d50abf2d6165a8 | ru.next.secure | 1.15 | 31a2fd3c593b4a730430e0c0a689b4e28270f1b5
| 94d25cebb6ba408c7c45bd12fd8aca5293d5df21 | ru.next.secure | 1.16 | 31a2fd3c593b4a730430e0c0a689b4e28270f1b5
| d43f35feec33b473bbb78f2a467021f3484531eb | ru.next.secure | 1.16 | 31a2fd3c593b4a730430e0c0a689b4e28270f1b5
| 3c734b9c24087898cfbfb58b3a53c44592356389 | ru.next.secure | 1.16 | 31a2fd3c593b4a730430e0c0a689b4e28270f1b5
| eea0dbbced23ffe5d5086e520abf61d12395596a | ru.next.secure | 1.16 | 31a2fd3c593b4a730430e0c0a689b4e28270f1b5
| 5f97d7aeb20d56df918b313520958eaa88ea6e52 | ru.safezone.safeguard | 1.12 | e018304ee662319225bc32755eee149d8d7d9f2e
| 5059c6dc5a657722e3c13f720cbf77e9b58ef515 | ru.safezone.safeguard | 2.07 | e018304ee662319225bc32755eee149d8d7d9f2e
| e30e1e8218dc39be09df45192080357155eb5a29 | ru.safezone.safeguard | 2.11 | e018304ee662319225bc32755eee149d8d7d9f2e
| d8554d2fdbae21927f1f10f199b73dbc6b351ad3 | ru.safezone.safeguard | 2.11 | e018304ee662319225bc32755eee149d8d7d9f2e
| 4000d55e218b54eea9090b01d4a96d1410c6c4b1 | ru.next.secure | 2.12 | 31a2fd3c593b4a730430e0c0a689b4e28270f1b5
| 35c775748501bf3f57cddee44e3dfed1d6a41b87 | ru.next.secure | 2.12 | 31a2fd3c593b4a730430e0c0a689b4e28270f1b5
| 28ff8d630e4acbd809c4a2672f8fdc349173d6ff | ru.next.secure | 2.12(tg) | 31a2fd3c593b4a730430e0c0a689b4e28270f1b5
| 28e5c478144088a1ce31a831354f042435e52ea6 | ru.next.secure | 2.12(tg) | 31a2fd3c593b4a730430e0c0a689b4e28270f1b5
| ced461fd540c6e558a75afaf1c0aeef25e001fc5 | ru.next.secure | 2.12(tg) | 31a2fd3c593b4a730430e0c0a689b4e28270f1b5
|===

== Network indicators

==== AlekseevIPs:
==== BerdikIPs:

==== DneprIPs:

==== DpBoxIPs:

==== GeneveIPs:

==== KabanovIPs:

==== KievIPs:

==== NikoIPs:

==== OdessaIPs:

==== OsnovaIPs:

==== PoltavaIPs:

==== SixFlorIPs:

==== SkovorodkaIps:

==== TeslaIPs:

==== TeslaTwoIPs:

==== TwoFlorIPs:

==== UvelirIPs: