External threat landscape management platform Cyfirma reported that a malicious Android package has been targeting Indian defense personnel for quite a while. The threat actors used a Spymax RAT malware variant to control the victims' devices. 

Diving into details

  • The campaign has been ongoing since at least July 2021. The APK file masquerades as a promotion letter that promises ‘Subs Naik’ rank.
  • Upon installation, the app appears as a lookalike Adobe Reader icon. It asks for multiple permissions, including storage, camera, microphone, and internet.
  • The threat actors have been using a variant of Spymax RAT in their attacks; its source code is already available in underground forums.
  • They used a Google Drive link with a PDF file that listed Indian defense personnel who were recently promoted to higher ranks. The link was propagated via WhatsApp.


  • As the campaign has been active for quite some time and is extremely targeted, researchers surmise that this is the act of a nation-state threat actor attempting to pilfer confidential information.
  • However, based on the analyzed data, the researchers couldn’t attribute the campaign to a particular nation-state threat actor.
  • Cyfirma concluded that the geopolitical situation in South Asia has resulted in India suffering multiple cyberattacks from its neighbors.

A bit on Spymax RAT

  • This Android RAT is capable, readily available, and does not require root privileges on the victim device. 
  • Spymax RAT provides several Android package builds, one of which has a web view feature that enables the attacker to inject any web link into the web view module.
  • Once it is installed, it pretends to be a full-fledged Android app. 

The bottom line

The campaign has been going on for more than a year, and researchers have still not been able to attribute it to any threat actor. This indicates that this elusive campaign is conducted by a pretty advanced nation-state threat actor. Therefore, it is recommended to implement proper cyber defenses and refrain from opening links from untrusted sources.
Cyware Publisher