Blazefang
Blazefang is one of three main threat actors identified by Group-IB as targeting Telegram users in Uzbekistan in a wave of Android malware activity that began in October 2025, alongside TrickyWonders and Ajina. The group is associated with campaigns distributing malicious Android APKs via Telegram-based social engineering, using stolen Telegram access to message victims and propagate malware through victims’ contact lists. The activity is aimed at stealing money and credentials from infected Android devices.

Group-IB reported that the broader campaign used malware including SMS stealers and droppers such as Wonderland, MidnightDat, RoundRift, Ajina.Banker, and Qwizzserial. The infection chains used droppers that appeared benign while embedding stealers, which helped them pass standard security checks and complicated early detection.

Reported tactics in this activity include masquerading as legitimate applications such as Google Play, requesting permissions, displaying deceptive uninstall prompts, using obfuscation and anti-analysis functions, and frequently rotating domains and package names. Group-IB described the updated infection chain used by the Uzbekistan-targeting actors as a significant increase in operational maturity.

The source reporting provides no additional aliases or subgroup information for Blazefang.
Associated malware families
5 malware families attributed to this actor across reporting.
Recent activity
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Blazefang is a threat actor group targeting Uzbekistan with Android banking trojans for financial theft.
One of the threat groups involved in Uzbekistan-focused Android SMS-stealer activity leveraging Telegram for distribution and propagation, aiming to steal banking credentials and funds.