Belarusian Authorities Deploy ResidentBat Spyware on Journalists' Phones
Belarusian authorities have been found to deploy a previously unknown spyware, dubbed ResidentBat, on the smartphones of local journalists during police interrogations. The spyware was discovered after a journalist, interrogated by the Belarusian KGB, received malware alerts on their device. Investigations by Reporters Without Borders (RSF) and RESIDENT.NGO revealed that the spyware can access call logs, SMS and encrypted app messages, record audio, capture screens, and exfiltrate local files. The infection process reportedly involved authorities observing the journalist unlock their phone, then installing the spyware while the device was out of the journalist's possession. ResidentBat's server infrastructure has been active since at least March 2021, coinciding with anti-government protests in Belarus.
The use of ResidentBat highlights a broader trend of authoritarian regimes leveraging spyware to target journalists and suppress independent reporting. Similar tactics have been observed in countries such as Serbia and Kenya, where authorities install surveillance tools on detainees' devices during questioning. The discovery of ResidentBat underscores the ongoing risks faced by journalists in Belarus, where state surveillance is used as a tool of repression. Google has been notified and is expected to alert other users potentially affected by this spyware.
Timeline
Dec 17, 2025
RSF notifies Google about ResidentBat infections
After confirming the spyware, RSF notified Google about the ResidentBat case. Google said it planned to alert affected users about the compromise.
Dec 17, 2025
RSF and RESIDENT.NGO identify and analyze ResidentBat
The infection was discovered after antivirus software flagged suspicious components on the journalist's phone, prompting forensic analysis by Reporters Without Borders and RESIDENT.NGO. Their investigation identified the malware as a previously unknown spyware family dubbed ResidentBat and documented its surveillance capabilities.
Dec 17, 2025
Belarusian journalist's phone infected after KGB detention and interrogation
A Belarusian journalist's Android phone was infected with ResidentBat after the journalist was detained and interrogated by the Belarusian KGB. The case fit a broader pattern in which authorities allegedly install spyware on journalists' devices while they are in custody.
Jan 1, 2021
ResidentBat spyware begins targeting seized phones in Belarus
Forensic analysis by Reporters Without Borders indicated the previously unknown Android spyware later named ResidentBat had been in use since at least 2021. The malware was designed to extract call logs, SMS, encrypted app messages, files, microphone recordings, and screen captures from compromised devices.
Related Stories

ResidentBat Android Spyware Linked to Belarusian KGB
A targeted Android spyware implant dubbed **ResidentBat** has been linked to Belarusian state surveillance operations, with reporting tying it to the **Belarusian KGB** and victimology focused on journalists and civil society. The implant is assessed to have been under development since at least **2021** and was publicly exposed in **December 2025** via a joint investigation by Reporters Without Borders (RSF) and RESIDENT.NGO. Unlike mass-distributed mobile malware, ResidentBat is deployed through **hands-on access**: operators use **Android Debug Bridge (ADB)** to sideload an APK, manually grant permissions, and disable *Google Play Protect*, trading scale for high-confidence, deliberate targeting. Post-compromise, ResidentBat supports broad device surveillance and data theft, including access to **SMS and call logs**, **microphone audio recording**, **screenshots**, and **local files**, and it is reported to be able to **intercept traffic from encrypted messaging apps**. Infrastructure analysis attributed to **Censys** described a consistent C2 fingerprint, including **self-signed TLS certificates** with the common name `CN=server` and control traffic over a narrow port range **7000–7257**; observed hosting was concentrated in **Europe and Russia** (including the Netherlands, Germany, Switzerland, and Russia). The C2 is described as supporting data collection, operator tasking, and configuration updates to maintain persistent control over infected devices.
1 month ago
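The C2 fingerprint reported in the story above (a self-signed TLS certificate with common name `CN=server`, control traffic on ports 7000–7257) is the kind of trait a defender pivots on in passive TLS scan data. The Python below is an added example, not code from RSF, RESIDENT.NGO or Censys: it scores constructed scan records against those three traits and reports only hosts that match all of them, because a self-signed `CN=server` certificate by itself is far too generic to act on. The record layout, the `203.0.113.x`/`198.51.100.x` documentation addresses and the helper names are assumptions made for the example.

```python
"""Triage TLS scan records against the reported ResidentBat C2 fingerprint.

Added example, not code from RSF, RESIDENT.NGO or Censys. The three traits
scored here come from the public description: self-signed certificate,
subject CN=server, and a listener in the 7000-7257 port range. Record
format and sample values are constructed for illustration.
"""

from dataclasses import dataclass, field

PORT_RANGE = range(7000, 7258)  # 7000-7257 inclusive, as reported
EXPECTED_CN = "server"          # common name reported on the C2 certificates


def parse_dn(dn: str) -> dict:
    """Parse a simple RFC 4514-style distinguished name ("CN=server, O=x")
    into {TYPE: value}. Naive on purpose: escaped commas are not handled,
    which is fine for the bare subjects this fingerprint is about."""
    attrs = {}
    for part in dn.split(","):
        part = part.strip()
        if "=" not in part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().upper()] = value.strip()
    return attrs


@dataclass
class ScanRecord:
    """One TLS observation from a (constructed) scan export."""
    host: str
    port: int
    subject: str
    issuer: str


@dataclass
class Verdict:
    host: str
    port: int
    score: int = 0
    reasons: list = field(default_factory=list)


def assess(rec: ScanRecord) -> Verdict:
    """Score a record 0-3 against the reported fingerprint, recording why."""
    subject = parse_dn(rec.subject)
    issuer = parse_dn(rec.issuer)
    verdict = Verdict(rec.host, rec.port)
    if subject and subject == issuer:
        verdict.score += 1
        verdict.reasons.append("self-signed (subject == issuer)")
    if subject.get("CN") == EXPECTED_CN:
        verdict.score += 1
        verdict.reasons.append(f"subject CN={EXPECTED_CN}")
    if rec.port in PORT_RANGE:
        verdict.score += 1
        verdict.reasons.append(f"port {rec.port} in 7000-7257")
    return verdict


def triage(records, threshold: int = 3) -> list:
    """Return only verdicts meeting the threshold; 3 means all traits present.
    Lower thresholds widen the net but the partial matches are weak alone."""
    return [v for v in (assess(r) for r in records) if v.score >= threshold]


# Constructed sample scan records (documentation-range addresses, not IoCs).
SAMPLE_RECORDS = [
    ScanRecord("203.0.113.10", 7100, "CN=server", "CN=server"),                # all three traits
    ScanRecord("198.51.100.7", 443, "CN=server", "CN=server"),                 # generic self-signed box
    ScanRecord("203.0.113.22", 7100, "CN=example.org",
               "CN=Example CA, O=Example Trust"),                               # CA-issued, port only
    ScanRecord("198.51.100.9", 7200, "CN=server", "CN=Some CA"),               # CN and port, not self-signed
]

if __name__ == "__main__":
    for v in triage(SAMPLE_RECORDS):
        print(f"{v.host}:{v.port} score={v.score} -> {'; '.join(v.reasons)}")
```

In practice the verdicts would be joined against the organisation's own egress logs: a flagged host only matters if a managed device actually talked to it, and a single corroborating trait should drive enrichment rather than alerting.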
Hack-for-Hire Spyware Campaign Targeted Journalists in the Middle East and North Africa
Access Now, Lookout, and SMEX reported a suspected **hack-for-hire espionage campaign** targeting journalists and activists across the Middle East and North Africa through spearphishing, fake social media personas, messaging apps, and sustained social engineering. Researchers said the operation used infrastructure linked to the APT group **Bitter** and likely deployed **ProSpy** Android spyware, which can steal files, contacts, messages, and geolocation data, activate microphones and cameras, and install malicious apps. The activity has reportedly been ongoing since at least 2022, with broader targeting that may have included civil society figures and possibly government officials. Two Egyptian journalists, **Mostafa Al-A’sar** and **Ahmed Eltantawy**, were among the identified targets in an elaborate campaign that ran between October 2023 and January 2024 and spoofed trusted services including Apple and Signal. A prominent Lebanese journalist was also reportedly targeted, and researchers said the attackers relied on overlapping infrastructure with possible ties to Asia, though Access Now said it lacked enough evidence to definitively name a sponsor. Neither of the two Egyptian journalists’ accounts was ultimately compromised, but press freedom groups warned that surveillance of reporters endangers their safety, sources, and ability to work.
3 weeks ago
Predator Spyware Infection of Angolan Journalist via WhatsApp Links
Amnesty International reported that the iPhone of Angolan journalist and press freedom advocate **Teixeira Cândido** was infected with **Intellexa’s Predator spyware** after he received multiple **malicious links via WhatsApp** in 2024. According to the investigation, Cândido was messaged from an unknown Angolan number over several weeks; he clicked one link on **May 4, 2024**, after which Predator was installed, and the spyware was later removed the same day when the device was restarted. Amnesty described this as the **first documented Predator case in Angola**, and said attribution remains unclear, though the activity is consistent with use by a government customer. The reporting underscores continued alleged abuse of commercial spyware against civil society despite international pressure on Intellexa. Intellexa and associated individuals have faced U.S. actions including placement on the **Entity List** and subsequent **sanctions** (with later changes to some designations noted in coverage), yet Predator has been repeatedly linked to targeting of journalists and officials in multiple countries. Amnesty’s findings add to prior public reporting on Predator’s use in places such as **Greece, Egypt, and Vietnam**, reinforcing the ongoing risk posed by link-based mobile spyware delivery through common messaging platforms like WhatsApp.
1 month ago