Roaming Mantis IoCs and Artifacts May Be Lurking in Your Phone | WhoisXML API

Threat Reports

Have You Seen These Roaming Mantis Connected Artifacts Wandering into Your Phone?

Roaming Mantis may have stolen the credentials or infected the devices of hundreds of thousands of people. The threat group did that through a smishing campaign targeting Android and iOS users. According to SEKOIA-IO,1 more than 90,000 unique IP addresses have requested XLoader from Roaming Mantis’s command-and-control (C&C) servers as of mid-July 2022.

WhoisXML API researchers analyzed and expanded the list of indicators of compromise (IoCs) to uncover more possible Roaming Mantis domains. Below are some of our findings.

  • We found 7,000+ connected domains sharing the same historic WHOIS details as one of the domain IoCs.
  • We also detected 1,100+ connected domains resolving to the IP addresses tagged as IoCs.
  • About 24% of the artifacts actively resolved to IP addresses, with several domains hosting news, gambling, adult, download, and login pages.
  • Dozens of artifacts have been flagged as malicious by different malware engines.
  • Several IP addresses on the IoC list continue to resolve to domain names.

Download a sample of the threat research materials now, or contact us to access the complete set of research materials.

  • [1] https://blog.sekoia.io/ongoing-roaming-mantis-smishing-campaign-targeting-france/
Try our WhoisXML API for free
Get started