Skip to content

ESET Research uncovers latest BladeHawk campaign: Android espionage against Kurds

The attackers spread malicious apps through six Facebook profiles, which were taken down after ESET notified Facebook

BRATISLAVA, KOŠICE — ESET researchers have investigated a targeted mobile espionage campaign against the Kurdish ethnic group. This campaign has been active since at least March 2020, distributing (via dedicated Facebook profiles) two Android backdoors known as 888 RAT and SpyNote, disguised as legitimate apps. These profiles appeared to be providing Android news in Kurdish, and news for the Kurds’ supporters. ESET Research identified six Facebook profiles distributing Android spying apps as part of this campaign, conducted by the BladeHawk group. The profiles shared the espionage apps to Facebook public groups, most of which were supporters of Masoud Barzani, former President of the Kurdistan Region, an autonomous region in northern Iraq. Altogether, the targeted Facebook groups have over 11,000 followers.

“We reported these profiles to Facebook and they have all been taken down. Two of the profiles were aimed at tech users while the other four posed as Kurd supporters,” says ESET researcher Lukáš Štefanko, who investigated this BladeHawk campaign.

ESET Research identified 28 unique Facebook posts as part of this BladeHawk campaign. Each of these posts contained fake app descriptions and links from which ESET researchers were able to download 17 unique APKs. Some of the APK web links pointed directly to the malicious app, whereas others pointed to the third-party upload service, which tracks the number of file downloads. The spying apps were downloaded 1,418 times.

Most of the malicious Facebook posts led to downloads of the commercial, multiplatform 888 RAT, which has been available on the black market since 2018. Android 888 RAT is capable of executing 42 commands received from its command and control (C&C) server. It can steal and delete files from a device, take screenshots, get device location, phish Facebook credentials, get a list of installed apps, steal user photos, take photos, record surrounding audio and phone calls, make calls, steal SMS messages, steal the device’s contact list, and send text messages.

This espionage activity discovered by ESET Research is directly connected to two cases publicly disclosed in 2020. In one case, the QiAnXin Threat Intelligence Center named the group behind the attacks BladeHawk, which ESET has adopted. Both campaigns were distributed via Facebook, using malware that was built with commercial, automated tools (888 RAT and SpyNote), with all samples of the malware using the same C&C servers. Since 2018, ESET products have identified hundreds of instances of Android devices where the 888 RAT was deployed.

For more technical details on the latest BladeHawk campaign, read the blog post “BladeHawk group: Android espionage against Kurdish ethnic group” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.

Detection of Android 888 RAT by country

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.