Roaming Mantis may have stolen the credentials or infected the devices of hundreds of thousands of people. The threat group did so through a smishing campaign targeting Android and iOS users. According to SEKOIA-IO,[1] more than 90,000 unique IP addresses had requested XLoader from Roaming Mantis’s command-and-control (C&C) servers as of mid-July 2022.
WhoisXML API researchers analyzed and expanded the list of indicators of compromise (IoCs) to uncover more possible Roaming Mantis domains. Below are some of our findings.
- We found 7,000+ connected domains sharing the same historic WHOIS details as one of the domain IoCs.
- We also detected 1,100+ connected domains resolving to the IP addresses tagged as IoCs.
- About 24% of the artifacts actively resolved to IP addresses, with several domains hosting news, gambling, adult, download, and login pages.
- Dozens of artifacts have been flagged as malicious by different malware engines.
- Several IP addresses on the IoC list continue to resolve to domain names.
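The two pivots behind the first two findings (shared historic WHOIS details, and resolution to IoC IP addresses) and the resolution-rate check are straightforward to reproduce over any IoC list. The following is an added example, not WhoisXML API's own tooling; it runs over a small constructed WHOIS-history and passive-DNS dataset (all domain names, registrant emails and IP addresses are invented, RFC 5737 documentation ranges are used for IPs), so that the expansion and the "actively resolving" statistic can be checked offline.

```python
# Added example: expanding an IoC list via historic-WHOIS and IP-resolution pivots.
# All data below is CONSTRUCTED for illustration; none of it is a real IoC.

# Seed IoCs (hypothetical), as would be taken from a published IoC list.
IOC_DOMAINS = {"seed-one.example", "seed-two.example"}
IOC_IPS = {"203.0.113.10", "198.51.100.7"}

# Historic WHOIS table: domain -> registrant email seen in WHOIS history (constructed).
WHOIS_HISTORY = {
    "seed-one.example": "reg-a@mail.example",
    "conn-a1.example": "reg-a@mail.example",   # shares registrant with seed-one
    "conn-a2.example": "reg-a@mail.example",   # shares registrant with seed-one
    "seed-two.example": "reg-b@mail.example",
    "unrelated.example": "reg-z@mail.example", # no link to any seed
}

# Passive DNS table: domain -> set of IPs it has resolved to (constructed).
DNS_RECORDS = {
    "seed-one.example": {"203.0.113.10"},
    "conn-ip1.example": {"203.0.113.10"},                 # resolves to an IoC IP
    "conn-ip2.example": {"198.51.100.7", "192.0.2.50"},   # resolves to an IoC IP
    "conn-a1.example": {"192.0.2.9"},                     # WHOIS-connected, still resolving
    "conn-a2.example": set(),                             # WHOIS-connected, no longer resolving
    "seed-two.example": set(),
    "unrelated.example": {"192.0.2.99"},
}


def whois_connected(seeds, whois_history):
    """Domains (other than the seeds) sharing a historic WHOIS registrant with any seed IoC."""
    seed_registrants = {whois_history[d] for d in seeds if d in whois_history}
    return {d for d, reg in whois_history.items() if reg in seed_registrants} - set(seeds)


def ip_connected(ioc_ips, dns_records, seeds):
    """Domains (other than the seeds) that resolve to at least one IoC IP address."""
    return {d for d, ips in dns_records.items() if ips & set(ioc_ips)} - set(seeds)


def expand_iocs(seeds, ioc_ips, whois_history, dns_records):
    """Union of both pivots: the 'artifacts' connected to the seed IoCs."""
    return whois_connected(seeds, whois_history) | ip_connected(ioc_ips, dns_records, seeds)


def resolution_stats(artifacts, dns_records):
    """Count how many artifacts still actively resolve; returns (active, total, fraction)."""
    active = {d for d in artifacts if dns_records.get(d)}
    fraction = len(active) / len(artifacts) if artifacts else 0.0
    return len(active), len(artifacts), fraction


def ips_still_resolving(ioc_ips, dns_records):
    """IoC IPs that at least one domain still resolves to (useful for blocklist upkeep)."""
    return {ip for ip in ioc_ips if any(ip in ips for ips in dns_records.values())}


if __name__ == "__main__":
    artifacts = expand_iocs(IOC_DOMAINS, IOC_IPS, WHOIS_HISTORY, DNS_RECORDS)
    print("connected via WHOIS:", sorted(whois_connected(IOC_DOMAINS, WHOIS_HISTORY)))
    print("connected via IP:   ", sorted(ip_connected(IOC_IPS, DNS_RECORDS, IOC_DOMAINS)))
    active, total, frac = resolution_stats(artifacts, DNS_RECORDS)
    print(f"actively resolving: {active}/{total} ({frac:.0%})")
    print("IoC IPs still resolving:", sorted(ips_still_resolving(IOC_IPS, DNS_RECORDS)))
```

In practice the two tables would be fed from a WHOIS-history and passive-DNS source rather than hard-coded, and each connected domain would then be submitted to malware engines or a URL categorizer, which is where the "flagged as malicious" and "hosting news, gambling, adult, download and login pages" findings come from. The seeds are subtracted from each pivot so the expansion counts only new artifacts, which is what the "connected domains" figures above report.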
Download a sample of the threat research materials now, or contact us to access the complete set of research materials.
—
- [1] https://blog.sekoia.io/ongoing-roaming-mantis-smishing-campaign-targeting-france/