### #MoqHaoMalware #RoamingMantis #MobilePhishing
Summary: MoqHao, a mobile malware family associated with the Roaming Mantis group, utilizes SMS phishing (smishing) to deliver malicious payloads targeting both Android and iOS users. This analysis reveals the sophisticated tactics employed in their campaigns, including localized phishing pages and the use of trusted services for malware distribution.
Threat Actor: Roaming Mantis
Victim: Mobile users
Key Points:
- MoqHao campaigns often begin with smishing messages, tricking users into clicking malicious links.
- Phishing pages are tailored to the user’s language and region, enhancing the deception.
- The malware is distributed through legitimate services, such as Apple’s iCloud, making detection challenging.
- Operators utilize dynamic DNS and multiple hosting providers to maintain resilience against takedowns.
- Users are advised to be cautious with unsolicited messages and to use trusted app stores for downloads.
MoqHao, also known as Wroba and XLoader, is a mobile malware family linked to Roaming Mantis, a cybercrime group believed to be operating out of China. Malicious payloads are usually delivered through “smishing” (SMS phishing) attacks targeting mobile devices.
This analysis began when one of our researchers received a suspicious text message in Japanese warning of a missed delivery attempt, accompanied by a shortened URL. What was initially believed to be another spam message was part of a MoqHao campaign.
In this post, we’ll examine the delivery mechanisms and infrastructure used in this operation and offer insights into how MoqHao continues to target mobile users employing tactics not previously associated with the group.
Missed Delivery, Found Malware
Spam messages are annoying and easy to ignore. We usually delete them without a second thought. However, curiosity got the best of us in this case, and we decided to take a closer look.
The message received on November 21st was written in Japanese and claimed a failed package delivery attempt. With no company name or tracking number, the text was generic and lacked any elements to lend it credibility. After rereading the message, we noticed linguistic inconsistencies: hiragana was used for words typically written in kanji, suggesting the author of the message is not a native Japanese speaker.
The supposed delivery notification was accompanied by a shortened URL: https://t[.]co/MQN7PEGZn2, hosted on X/Twitter.
Figure 1: The initial text message received by one of our researchers containing the suspicious shortened URL.
These details pointed to what seemed like everyday spam being part of a more organized campaign linked to the MoqHao malware. A closer analysis of the included URL revealed how the operators targeted Android and iOS users, leading to a deeper understanding of this campaign’s methods and tactics.
URL & Infrastructure Analysis
We would never advise analyzing a suspicious URL directly on your mobile device, even if you have advanced security features enabled, so we opted to leverage urlscan.io to assist our research. Using the default settings (user agent: Google Chrome on Windows 10), our initial scan led to a 404 error page. However, within the error message was our first clue to the link’s true destination: http://zmptwh.hvhrg[.]xyz.
Not to be deterred, we decided to switch user agents and emulate an iPhone, mirroring the device that received the text message. Conducting the scan from Japan, the results revealed a phishing page mimicking an Apple ID login portal. The title of the page, “お客様のApple ID – Appleを管理,” translates to “Your Apple ID” or “Customer Apple ID – Manage Apple.”
This webpage intended to steal user credentials was hosted at http://nhcwtnidxz[.]duckdns.org/ja, resolving to the IP address 103.80.134[.]11. Interestingly, scans from different countries adjusted the URL to match the respective language, appending the appropriate country code (e.g., /en for the United States).
After inputting the Apple ID, the user is prompted to enter their password. The first attempt is set to always result in an error message indicating the password was incorrect. On the second try, the user is redirected to the legitimate Apple account page, likely to create an illusion of legitimacy while the credentials are captured.
So far, this infrastructure demonstrates the operators’ efforts to localize their malicious web pages based on the user’s region rather than relying on a single, static page in one language for all visitors.
Serving region-specific URLs such as those listed above, and returning a 404 response to desktop user agents while serving phishing content to mobile devices, highlights a deliberate effort to tailor the campaign while avoiding unnecessary scrutiny.
To further explore, we again adjusted the user agent, this time emulating an Android device, to observe any differences in response.
When we accessed the link as an Android device, we were served a blank webpage along with a direct download of a file: Chrome_up1732156036129.apk (SHA256: 958c51388770404cf1ddb320263125b5694a0691c5c6755e21ea61db968bef63). The file name mimics a legitimate Google Chrome update; at the time of writing, the file is flagged as malicious by 12 vendors on VirusTotal.
Reviewing the HTTP traffic reveals an additional DuckDNS domain, https://jwvijnxshs.duckdns[.]org/?tyhyfzy, resolving to 91.240.226[.]171. Users accessing the link are redirected multiple times, including through the previously observed domain zmptwh.hvhrg[.]xyz, now with a different path: /?lHZrP. Combined with dynamic payload delivery, these redirections indicate a layered approach to distributing the malware, using multiple servers to keep defenders guessing.
Querying 91.240.226[.]171 in Hunt shows that it is hosted on the LG DACOM Corporation network in South Korea. The IP is also associated with several DuckDNS subdomains and at least one .xyz domain, exposing the operator’s reliance on dynamic DNS services and disposable infrastructure to facilitate their campaign.
Dynamic DNS services allow the operators to quickly replace or update domains as needed, ensuring continued operation even if specific domains are flagged or blocked. The randomized subdomain names and varying top-level domains (TLDs) further obscure attribution efforts and complicate network-based defenses.
With a malicious APK identified, the next section will explore its delivery mechanisms and network communications, shedding light on how it interacts with the target device and the command and control infrastructure.
Network Communications
As shown in Figure 4, the malicious APK file is downloaded from cvws.icloud-content[.]com. This is not a spoofed domain but legitimate Apple infrastructure, which the operators abuse to host and distribute the malware.
Notably, a payload targeting Android devices, a long-standing focus of Roaming Mantis campaigns, is being delivered through Apple’s services, further highlighting the group’s willingness to test new techniques and hide from defenders.
The full download URL is:
https://cvws.icloud-content[.]com/B/Af0EuTgWpFmatpizAFV4JbyCGRaWAfRSlrRzELSIKdZnY571fbYBaccN/Chrome_up1732156036129.apk?o=AqmizYalfRfu35XmqKqHpY8BHoTn_7tIVbrU2toKX2p6&v=1&x=3&a=CAogmVM7aE69-Xg4frwc9xGuEqKPcWhKETM-8QdFv2Y86O4SaxD2maTytDIY9vb_87QyIgEAUgSCGRaWWgQBaccNaiXytrCUgu-AX1Yxl4C2BCLtIRTzOCvFvHZdZeJ3oCq2s2SLNwOJciWfZaTWZet7wNA1XMTDo4MCN4VvZQKrWDhnAksqNeoeDkG2iDbP&e=1732188830&fl=&r=9ec11f15-70ca-4b63-bd7d-6d320fd35e67-1&k=M09nF93_LE9B3NNe5Zd-Rw&ckc=com.apple.clouddocs&ckz=com.apple.CloudDocs&p=122&s=myCbWNxTHqFARpZHuE0J01eS9CE
As previously reported in other MoqHao campaigns, the operators encode the actual command-and-control (C2) address within a user profile page on a social media platform. In this instance, an HTTP GET request is made to m.vk[.]com/id730149630?act=info. VK, a Russian social media and networking platform, is being abused as an intermediary to obscure the C2 server.
Figure 7: Malicious VK user profile page obfuscating the real C2 address.
Analyzing the sample in Triage reveals that, after contacting VK, the malware initiates communication with 91.204.226[.]54 on port 28899. This IP is strikingly similar to the previously identified malware staging server, suggesting a connection between the two. While also hosted in South Korea, this server is on the HDTIDC LIMITED network rather than LG DACOM, indicating the use of multiple hosting providers to support the campaign’s infrastructure.
Conclusion
MoqHao continues to evolve, employing tactics that span SMS phishing, malicious APK delivery, and localized Apple ID phishing pages. The operators demonstrate adaptability and a focus on resilience by abusing trusted services like Apple’s iCloud and VK alongside dynamic infrastructure such as DuckDNS subdomains. Their ability to target Android and iOS users with tailored methods underscores the importance of vigilance when handling unsolicited messages.
To stay safe, users should remain cautious of unsolicited messages, avoid clicking on unknown links, and rely on trusted app stores for downloads. Installing reputable security software can add an extra layer of protection to detect and block malicious activities on mobile devices.
Network Observables
| IP Address | ASN | Domains | Notes |
|---|---|---|---|
| 91.204.226[.]54 | HDTIDC LIMITED | N/A | MoqHao command-and-control server |
| 103.80.134[.]11 | LG DACOM Corporation | nhcwtnidxz.duckdns[.]org | Apple ID phishing infrastructure |
| 91.204.226[.]166 | LUCIDACLOUD LIMITED | zmptwh.hvhrg[.]xyz | HTTP 404 page and redirect to payload download |
| 91.204.226[.]171 | HDTIDC LIMITED | jwvijnxshs.duckdns[.]org | Downloads MoqHao from iCloud account |
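As an added example that is not part of the original post, the following Python script triages proxy log lines for the delivery chain described above: the random-looking DuckDNS labels, the Chrome_up*.apk fetched from iCloud, the VK profile lookup that hides the C2 address, and the C2 port. The known-host list comes from the observables in this post; the “random label” regex, the APK naming pattern, and the log format are assumptions, and the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit

# Observables from the post above, with the defanging brackets removed for matching.
KNOWN_HOSTS = {"zmptwh.hvhrg.xyz", "nhcwtnidxz.duckdns.org", "jwvijnxshs.duckdns.org"}
C2_ENDPOINTS = {("91.204.226.54", 28899)}
APK_HOST = "cvws.icloud-content.com"
# Assumed naming pattern, generalised from Chrome_up1732156036129.apk in the post.
APK_NAME = re.compile(r"^Chrome_up\d+\.apk$")
# Assumed heuristic: the DuckDNS labels seen in the post are runs of random lowercase letters.
RANDOM_DDNS = re.compile(r"^[a-z]{8,}\.duckdns\.org$")

def classify_url(url):
    """Return the set of detection tags for one requested URL (empty set = nothing notable)."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    tags = set()
    if host in KNOWN_HOSTS:
        tags.add("known-ioc-host")
    if RANDOM_DDNS.match(host):
        tags.add("ddns-random-subdomain")
    if host == APK_HOST and APK_NAME.match(u.path.rsplit("/", 1)[-1]):
        tags.add("apk-via-icloud")
    # m.vk.com/id<digits>?act=info: the profile page that carries the encoded C2 address.
    if host == "m.vk.com" and re.fullmatch(r"/id\d+", u.path) and u.query == "act=info":
        tags.add("vk-profile-c2-lookup")
    if (host, u.port) in C2_ENDPOINTS:
        tags.add("known-c2-endpoint")
    return tags

def scan(lines):
    """Parse 'src_ip method url' lines; return {src_ip: tags} for sources with at least one hit."""
    hits = {}
    for line in lines:
        src, _method, url = line.split(" ", 2)
        tags = classify_url(url)
        if tags:
            hits.setdefault(src, set()).update(tags)
    return hits

# Constructed sample log lines (not from the post); the C2 session is logged as a tcp:// URL.
SAMPLE_LOGS = [
    "10.0.0.5 GET https://jwvijnxshs.duckdns.org/?tyhyfzy",
    "10.0.0.5 GET http://zmptwh.hvhrg.xyz/?lHZrP",
    "10.0.0.5 GET https://cvws.icloud-content.com/B/EXAMPLE/Chrome_up1732156036129.apk?o=x&v=1",
    "10.0.0.5 GET https://m.vk.com/id730149630?act=info",
    "10.0.0.5 CONNECT tcp://91.204.226.54:28899/",
    "10.0.0.9 GET https://www.apple.com/",
]

if __name__ == "__main__":
    for src, tags in scan(SAMPLE_LOGS).items():
        print(src, sorted(tags))
```

A single tag on a host is weak evidence on its own; the chain becomes convincing when one source accumulates several of these tags in sequence, which is what `scan` surfaces.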
Source: https://hunt.io/blog/moqhao-icloud-vk-targets-apple-android