2 malware families

Kasablanka

Also known asKasablanka

Kasablanka is a threat actor associated in the provided reporting with the development and use of the Android malware LodaRAT, also referred to in ESET reporting as Android 888 RAT. ESET linked Android 888 RAT to a campaign by the Kasablanka Group and noted that the group referred to the malware as LodaRAT, while BladeHawk referred to the same Android RAT as Gaza007. The malware provides extensive Android surveillance capabilities, including file theft and deletion, screenshots, device location tracking, Facebook credential phishing, installed-app discovery, photo theft, camera capture, ambient audio and phone-call recording, call placement, SMS theft, contact theft, and SMS sending. Reported ATT&CK-mapped behaviors include masquerading as legitimate applications, persistence via broadcast receivers, suppressing the application icon, deleting device data, credential phishing, application and file discovery, collection of call logs, location, contacts, audio, camera images, SMS messages, local files, screenshots, use of uncommon ports for command and control, and SMS control. Cisco Talos separately stated there were no relevant overlaps between YoroTrooper and Kasablanka, describing Kasablanka as the group behind development of LodaRat4Android, and assessed that LodaRAT is used by multiple distinct campaigns, meaning Kasablanka is not the sole operator of LodaRAT.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

ARSENAL

Associated malware families

2 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen

888 RATThis campaign has been active since at least March 2020, distributing (via dedicated Facebook profiles) two Android backdoors known as 888 RAT and SpyNote, disguised as legitimate apps.1May 31, 2026

LodaRATYoroTrooper has relied heavily on the use of primarily two commodity malware families, AveMaria/Warzone RAT and LodaRAT, especially in October and November 2022.1Mar 18, 2026

ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app

talos intelligence blogNews

Mar 14, 2023

Talos uncovers espionage campaigns targeting CIS countries, embassies and EU health care agency

Referenced as the developer (and sometimes operator) historically attributed with LodaRAT/Loda4Android; the report argues LodaRAT is used by multiple distinct operators and that YoroTrooper’s LodaRAT variants deviate from versions previously associated with Kasablanka.

eset welivesecurity blogNews

Sep 7, 2021

BladeHawk group: Android espionage against Kurdish ethnic group

Threat group linked in the report to use of Android 888 RAT in an organized campaign, referring to the malware as LodaRAT.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal2

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.