Mallory

ResidentBat Android Spyware Linked to Belarusian KGB

Tags: state-sponsored-espionage, remote-access-implant, threat-infrastructure-tracking, command-and-control-method, persistence-method
Updated March 21, 2026 at 02:18 PM. 2 sources.

A targeted Android spyware implant dubbed ResidentBat has been linked to Belarusian state surveillance operations, with reporting tying it to the Belarusian KGB and victimology focused on journalists and civil society. The implant is assessed to have been under development since at least 2021 and was publicly exposed in December 2025 via a joint investigation by Reporters Without Borders (RSF) and RESIDENT.NGO. Unlike mass-distributed mobile malware, ResidentBat is deployed through hands-on access: operators use Android Debug Bridge (ADB) to sideload an APK, manually grant permissions, and disable Google Play Protect, trading scale for high-confidence, deliberate targeting.

Post-compromise, ResidentBat supports broad device surveillance and data theft, including access to SMS and call logs, microphone audio recording, screenshots, and local files, and it is reported to be able to intercept traffic from encrypted messaging apps. Infrastructure analysis attributed to Censys described a consistent C2 fingerprint: self-signed TLS certificates with the common name CN=server and control traffic over a narrow port range (7000–7257). Observed hosting was concentrated in the Netherlands, Germany, Switzerland, and Russia. The C2 is described as supporting data collection, operator tasking, and configuration updates to maintain persistent control over infected devices.
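As an added example (not code from the page or from the RSF, RESIDENT.NGO or Censys reporting), the following Python hunt scores TLS sessions against the three infrastructure traits described above so that full and partial matches can be triaged; the log format and field names are assumptions, and the sample lines are constructed.

```python
# Added example, not from the page or its sources: hunt a TLS-session log for
# the reported ResidentBat C2 fingerprint. Log format/field names are assumed.
import re

C2_PORT_RANGE = range(7000, 7258)  # 7000-7257 inclusive, as reported
C2_SUBJECT_CN = "server"           # common name reported on the C2 certs

# Constructed sample log: one session per line, space-separated key=value.
SAMPLE_LOG = """\
ts=2026-02-01T10:00:01Z src=10.0.0.12 dst=203.0.113.5 dport=7042 subject=CN=server issuer=CN=server
ts=2026-02-01T10:00:02Z src=10.0.0.12 dst=198.51.100.7 dport=443 subject=CN=example.com issuer=CN=ExampleCA
ts=2026-02-01T10:00:03Z src=10.0.0.13 dst=203.0.113.9 dport=7300 subject=CN=server issuer=CN=server
ts=2026-02-01T10:00:04Z src=10.0.0.15 dst=203.0.113.30 dport=7257 subject=CN=server issuer=CN=SomeCA
"""

def _cn(dn):
    m = re.search(r"CN=([^,/]+)", dn)  # common name from a DN like 'CN=x,O=y'
    return m.group(1) if m else ""

def parse_line(line):
    """Return a session dict, or None if a required field is missing/malformed."""
    f = dict(re.findall(r"(\w+)=(\S+)", line))
    try:
        return {"src": f["src"], "dst": f["dst"], "dport": int(f["dport"]),
                "subject_cn": _cn(f["subject"]), "issuer_cn": _cn(f["issuer"])}
    except (KeyError, ValueError):
        return None

def fingerprint_traits(s):
    """Which of the three reported C2 traits this session exhibits."""
    traits = set()
    if s["dport"] in C2_PORT_RANGE:
        traits.add("port-7000-7257")
    if s["subject_cn"] == C2_SUBJECT_CN:
        traits.add("cn-server")
    # issuer CN == subject CN approximates self-signed; a full check would
    # compare the whole DN and verify the signature with the cert's own key
    if s["subject_cn"] and s["subject_cn"] == s["issuer_cn"]:
        traits.add("self-signed")
    return traits

def hunt(log_text, min_traits=3):
    """Sessions showing at least min_traits traits; lower it to triage partials."""
    hits = []
    for line in log_text.splitlines():
        s = parse_line(line)
        if s and len(t := fingerprint_traits(s)) >= min_traits:
            hits.append((s, t))
    return hits
```

With the default threshold only the first sample session (all three traits) is returned; `min_traits=2` also surfaces the out-of-range port and the CA-issued CN=server certificate for analyst review.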

Timeline

  1. Feb 26, 2026

    Cybersecurity researchers detail ResidentBat capabilities

    On February 26, 2026, reporting summarized ResidentBat's functionality, including collection of SMS and call logs, microphone recording, screenshots, file access, encrypted messaging traffic interception, and remote device wiping. The same reporting described its hands-on deployment via ADB sideloading, manual permission grants, and disabling of Google Play Protect.

  2. Feb 1, 2026

    Censys documents active ResidentBat infrastructure

    By February 2026, analysts reported active ResidentBat command-and-control infrastructure across ten hosts concentrated in the Netherlands, Germany, Switzerland, and Russia. Researchers also characterized technical traits including self-signed TLS certificates, a narrow port range, and anti-forensics behavior on the servers.

  3. Dec 1, 2025

    RSF and RESIDENT.NGO publicly report ResidentBat

    In December 2025, Reporters Without Borders and RESIDENT.NGO first publicly disclosed the ResidentBat Android spyware operation. Their investigation linked the spyware to highly targeted device compromise requiring physical access for installation.

  4. Jan 1, 2021

    ResidentBat spyware development began

    Code history for the ResidentBat Android spyware indicates the operation's development dates back to 2021. The malware was later assessed as part of a Belarusian KGB-linked espionage effort targeting journalists and civil society members.


Related Stories

Belarusian Authorities Deploy ResidentBat Spyware on Journalists' Phones

Belarusian authorities have been found to deploy a previously unknown spyware, dubbed **ResidentBat**, on the smartphones of local journalists during police interrogations. The spyware was discovered after a journalist, interrogated by the Belarusian KGB, received malware alerts on their device. Investigations by Reporters Without Borders (RSF) and RESIDENT.NGO revealed that the spyware can access call logs, SMS and encrypted app messages, record audio, capture screens, and exfiltrate local files. The infection process reportedly involved authorities observing the journalist unlock their phone, then installing the spyware while the device was out of the journalist's possession. ResidentBat's server infrastructure has been active since at least March 2021, coinciding with anti-government protests in Belarus. The use of ResidentBat highlights a broader trend of authoritarian regimes leveraging spyware to target journalists and suppress independent reporting. Similar tactics have been observed in countries such as Serbia and Kenya, where authorities install surveillance tools on detainees' devices during questioning. The discovery of ResidentBat underscores the ongoing risks faced by journalists in Belarus, where state surveillance is used as a tool of repression. Google has been notified and is expected to alert other users potentially affected by this spyware.

1 month ago

Telegram-Marketed Mobile RATs Sold as MaaS Target Android (and Claimed iOS) via Smishing and Surveillance Features

Researchers reported two **Telegram-marketed malware-as-a-service (MaaS)** offerings focused on mobile device compromise and surveillance. *ZeroDayRAT* is advertised as a subscription spyware platform claiming full monitoring of **Android and iOS** devices, with infections driven by **smishing** and other social-engineering lures that push victims to malicious links disguised as legitimate apps/updates; delivery chains reportedly use multi-stage redirects, URL shorteners, and in some cases trusted hosting such as *GitHub Pages* to evade reputation-based filtering. Once installed, the operator-facing web panel is advertised to provide extensive monitoring, including device profiling, app-usage timelines, GPS tracking, and remote activation of camera/microphone, plus screen recording and keystroke logging—capabilities consistent with credential theft and broad user surveillance. Separately, Cyble detailed ongoing development of *SURXRAT* (marketed as **SURXRAT V5**) as an Android RAT sold through a structured reseller/partner licensing model that enables affiliates to generate customized builds while the operator retains centralized control. The malware is described as a full-featured surveillance and device-control toolkit that abuses **Android Accessibility** permissions for persistent control and uses **Firebase-backed C2**; code similarities indicate lineage from **ArsinkRAT**. Recent samples were observed conditionally downloading a **large LLM module from Hugging Face**, which researchers assess as experimentation that could enable AI-assisted functionality, deliberate device performance impact, or new monetization approaches alongside established behaviors such as data exfiltration, remote command execution, and ransomware-style device locking.

1 month ago

ScarCruft Compromised sqgame.net to Deliver BirdCall Spyware on Android and Windows

North Korea-linked **ScarCruft** (also tracked as **APT37** and **Reaper**) compromised the gaming platform `sqgame[.]net` to distribute trojanized software carrying its **BirdCall** backdoor, according to reporting based on ESET research. The operation targeted users tied to the Yanbian Korean Autonomous Prefecture in China, a region associated with North Korean defector transit, and likely focused on defectors, activists, and related communities. Researchers said the campaign appears to have begun in late 2024, with attackers likely breaching the site’s web server and repackaging legitimate Android game APKs rather than stealing source code. The malicious Android apps deployed a mobile variant of BirdCall capable of stealing contacts, SMS messages, call logs, files, media, and private keys, while also taking screenshots and recording ambient audio. Reporting also said ScarCruft briefly trojanized a Windows desktop client update component: a malicious `mono.dll` fetched **RokRAT**, which then installed the Windows BirdCall payload. BirdCall is described as an evolution of RokRAT and supports surveillance features including keystroke logging, clipboard theft, shell execution, and screenshot capture on Windows, while its Android command-and-control traffic blended into normal network activity and could use cloud services such as **Zoho WorkDrive**, **pCloud**, and **Yandex Disk**.

Today
