ajina

Ajina is one of three main threat actors identified by Group-IB as targeting Telegram users in Uzbekistan in a wave of Android malware attacks that began in October 2025, alongside TrickyWonders and Blazefang. The group is associated in the reporting with Ajina.Banker, a money-stealing Android malware family observed in the campaign. The activity relies on Telegram-based social engineering to distribute malicious APKs, steal credentials and money from infected Android devices, and propagate by using compromised Telegram accounts to message victims’ contacts. Group-IB reported that the broader campaign used malware presented as safe apps for sideloading or delivery via Telegram, including apps masquerading as legitimate software such as Google Play or custom apps that immediately launch preset websites. Once installed, the malware requests permissions, may display deceptive uninstall prompts, and can repeatedly withdraw funds from victims’ cards until attacker access is lost. The campaign also used droppers and stealers including Wonderland, MidnightDat, RoundRift, and Qwizzserial. Group-IB reported that the operators improved distribution and obfuscation tactics, shifted from directly distributing stealers to using seemingly benign droppers that embed the stealer deeper inside, used deliberately confusing code and anti-analysis functions to hinder sandboxing and research, and regularly changed domains and package names to complicate monitoring and blacklisting. No nation-state attribution was stated in the provided content.