PJobRAT makes a comeback, takes another crack at chat apps

March 27, 2025, 10:24 p.m.

Description

In the latest campaign, X-Ops researchers found PJobRAT samples disguising themselves as instant messaging apps. In our telemetry, all the victims appeared to be based in Taiwan.

Date

  • Created: March 27, 2025, 9:52 p.m.
  • Published: March 27, 2025, 9:52 p.m.
  • Modified: March 27, 2025, 10:24 p.m.

Indicators

Attack Patterns

  • PJobRAT
  • T1119
  • T1021
  • T1036
  • T1204
  • T1041

Additional Information

  • Taiwan