Researchers have spotted an Android surveillance malware being used by the government of Kazakhstan to track the activities of its own people. The spyware, named Hermit, is believed to be created by Italian firms RCS Lab S.p.A and Tykelab Srl.

The Hermit deployment

According to researchers, an entity of the national government of Kazakhstan is likely behind the campaign deploying Hermit.
  • The researchers first discovered Hermit samples from this campaign in April. They were named oppo[.]service and impersonated Oppo, an electronic manufacturer in China.
  • The website used to mask spyware's activity is an official Oppo support page in the Kazakh language, which is now offline. Additionally, other samples impersonate Samsung and Vivo as well.

Is Tykelab working with RCS Lab?

Researchers have found multiple pieces of evidence linking the Tykelab to RCS Lab. For example, an existing Tykelab employee’s LinkedIn profile indicates to be working at RCS Lab.
  • One of the job postings for a security engineer of the Tykelab has mentioned their desired skills that would have direct application to surveillance of mobile networks and devices.
  • One of the IP addresses used for C2 in Hermit was revealed to be an SSL certificate. The shared certificate mentioned Milan in the locality field, where RCS Lab is headquartered.
  • Another IP address using an SSL certificate named RCS as the organization and Tykelab as the organization unit. The referenced location was Rome, where the headquarter of Tykelab is located.

Deployment in other nations 

  • Before detecting Kazakhstan samples, researchers found a reference to Rojava, a Kurdish-speaking region in northern Syria, in passive DNS records of Hermit.
  • Additionally, Hermit was deployed in Italy according to a document released by the Italian lower house in 2021.


Nowadays, smartphones have become a perfect target for surveillance as it holds various types of sensitive information. Users should stay cautious with fraudulent websites and not install unknown apps, especially from untrusted sources.
Cyware Publisher