Hydra
Hydra is an Android banking trojan, also referred to in the provided content as BianLian, and was described as one of the most active mobile banking malware families in 2022. Its primary purpose is credential theft from banking and cryptocurrency applications. Hydra uses overlays/injections against targeted apps, abuses Android Accessibility Services for keylogging and interaction capture, steals SMS messages to obtain OTPs, collects installed application lists, and can steal the device unlock code. It also includes a screencast capability that sends screenshots to its command-and-control (C2) server and can receive commands to simulate Accessibility events such as clicks and text entry, enabling remote device manipulation and helping operators bypass antifraud controls tied to IP or device checks.
The content also describes a Hydra Android sample that was packed with JsonPacker and used DexClassLoader for dynamic code loading. In that analysis, the malware contained anti-emulation checks for common Android emulator artifacts including generic, unknown, goldfish, ranchu, google_sdk, Emulator, Android SDK built for x86, Genymotion, sdk_x86, vbox86p, emulator, and simulator, which could suppress C2 communication during analysis. That sample’s reported primary C2 was http://lalabanda.com, with a mirrors endpoint at http://lalabanda.com/api/mirrors and related infrastructure including http://cslon.com, http://cariciu-carilas.com, http://carilas-carilas.net, and http://carilas-carilas.top. It downloaded a ZIP archive from http://lalabanda.com/storage/zip/jk5xWNYPKnTh4e7LP6vPG8z4YiBmoQYtKefRNId1.zip containing overlay templates for 360 targeted applications.
Beyond credential theft via overlays, the provided content attributes additional capabilities to Hydra including WebView-based cookie theft, notification interception and exfiltration, contact theft, bulk SMS/smishing, premium-rate USSD abuse, and call-forwarding manipulation. Around June 2022, Hydra reportedly added cookie-stealing functionality that used official login pages in a WebView and exfiltrated resulting session cookies after login. Initial cookie-theft targets included Google Mail and BBVA Spain, later expanding to Facebook and Davivienda. The analyzed sample also included a component that could read cookies via CookieManager, steal cookies from applications such as Facebook and Google, exfiltrate keylogging data to a device/kl endpoint, and upload intercepted notification contents to a device/push endpoint.
Researchers identified three Hydra variants based on C2 discovery: one retrieving a Base64-encoded JSON list of servers from a Tor .onion /api/mirrors endpoint, one using a GitHub-hosted file containing Base64-encoded C2 data, and one with a hardcoded C2 that may still query /api/mirrors for updates. The content states Hydra is rented on underground forums, with different operators using either default target lists or region-specific targeting such as LATAM and Spanish banks. Observed C2 hosting was concentrated in the Netherlands, the United States, and Ukraine, with fewer servers in Russia and none observed in China.
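The Base64-encoded JSON mirrors list described above, as an added analyst helper that is not code from the page or from any vendor report: it decodes a /api/mirrors style response, normalises the entries to hostnames, and sweeps DNS log lines for lookups of them. The exact JSON layout is not documented here, so a flat list of URL strings is assumed, and both the response and the log lines are constructed samples.

```python
import base64
import binascii
import json
from urllib.parse import urlparse

# Constructed sample: assumed shape of a decoded mirrors response (flat JSON list of URLs).
SAMPLE_MIRRORS = ["http://c2-example-one.invalid", "https://c2-example-two.invalid:8443/api"]
SAMPLE_RESPONSE = base64.b64encode(json.dumps(SAMPLE_MIRRORS).encode()).decode()
SAMPLE_RESPONSE_URLSAFE = base64.urlsafe_b64encode(json.dumps(SAMPLE_MIRRORS).encode()).decode()

# Constructed DNS log lines (resolver format is invented for the example).
SAMPLE_DNS_LOG = [
    "2024-01-01T10:00:00Z client=10.0.0.5 query=c2-example-two.invalid type=A",
    "2024-01-01T10:00:01Z client=10.0.0.7 query=update.example.org type=A",
]


def decode_mirrors(blob):
    """Base64-decode a mirrors response and return the parsed JSON payload.
    Accepts the standard or URL-safe alphabet and tolerates stripped padding."""
    text = "".join(blob.split())
    text += "=" * (-len(text) % 4)
    last_err = None
    for altchars in (None, b"-_"):
        try:
            raw = base64.b64decode(text, altchars=altchars, validate=True)
            return json.loads(raw.decode("utf-8"))
        except (binascii.Error, UnicodeDecodeError, json.JSONDecodeError) as err:
            last_err = err
    raise ValueError(f"not a Base64-encoded JSON mirrors list: {last_err}")


def extract_hosts(servers):
    """Reduce the server list to sorted, de-duplicated hostnames for blocklists or log searches.
    Entries may be full URLs or bare host[:port] strings; non-strings are ignored."""
    hosts = set()
    for entry in servers:
        if not isinstance(entry, str):
            continue
        parsed = urlparse(entry if "://" in entry else "//" + entry)
        if parsed.hostname:
            hosts.add(parsed.hostname.lower())
    return sorted(hosts)


def find_lookups(log_lines, hosts):
    """Return (line, host) pairs for DNS queries that hit any extracted C2 host."""
    wanted = set(hosts)
    hits = []
    for line in log_lines:
        for field in line.split():
            if field.startswith("query="):
                name = field[len("query="):].rstrip(".").lower()
                if name in wanted:
                    hits.append((line, name))
    return hits
```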
Hydra is referenced in broader reporting as an active Android banking malware family alongside threats such as Sharkbot, Flubot, Anubis, and Cerberus, and as one of the top mobile malware families in April 2025. The content also notes a bespoke version of the Hydra banking trojan named GREYBATTLE used by UNC5125 (FlyingYeti/UAC-0149) in campaigns targeting Ukrainian drone operators and military-related victims, where it was used to steal credentials and data. Reported sample hashes from one Hydra analysis are APK SHA-256 8b321553f1a269ee4b68a02162ba2d14c71a92907b6001ff3db0fe5bae6b3430 and decrypted payload SHA-256 fd87c4f7c8ece0448dab67a0b689c4a417a153081059750295fbed29a1422b03.
Groups observed using it
2 distinct threat actors attributed by public researchers.
"...GREYBATTLE, a bespoke version of the Hydra banking trojan..."
Techniques & procedures
29 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access: 2 techniques
Execution: 1 technique
Persistence: 2 techniques
Privilege Escalation: 3 techniques
"Hydra is sample code of a kernel extension that will intercept process creation, suspend, and communicate it to a userland daemon that will be in charge of patching the application. It uses the process hijacking technique... Instead of injecting a library it leaves the process in a suspended state and makes its PID available for the userland daemon. This daemon will be responsible for patching and resuming the process after."
Stealth: 7 techniques
OS X Kernel Rootkits (duh!). ... Zombie rootkits! ... Install rootkit code. Fix mem permissions and offsets. Redirect execution to zombie. Create kernel memory leak. Return KERN_FAILURE.
The malware will intercept the incoming notifications and hide them from the user. Then push/upload the content of the notification to the C2 server.
Hydra successfully identified Bob’s password. Now I had valid credentials.
BRAND Generates a (d)efault (p)assword (l)ist from the local file ... limiting the output to BRAND systems, using the format username:password
Defense Impairment: 1 technique
Credential Access: 9 techniques
Keylogging: Hydra abuses the Accessibility permissions to set up an Accessibility service that receives every Accessibility event happening on the infected device. This way the malware receives change events for TextFields (to steal usernames and passwords) and button clicks.
Overlays/Injections: At the beginning of the infection, it sends a few requests to the C2 server, and receives a list of targeted applications and a URL that points to a ZIP file which contains the corresponding injections... Hydra saves these injections locally and shows them as soon as it detects a user opening a banking application.
In MITRE ATT&CK both techniques live under T1110 (Brute Force): credential stuffing is T1110.004, password spraying is T1110.003.
The analytics rule in Sentinel — High severity, MITRE T1110.001, runs every 5 minutes. Query results confirm detection logic works against real attack data. T1110.001 Brute Force: Password Guessing — mapped directly in the analytics rule.
Dragonfly has dropped and executed tools used for password cracking, including Hydra and CrackMapExec.
Default Credential Attack ... Launching Hydra ... Result: [5001] [http-post-form] host: 10.48.176.143 login: admin password: 12345
Around June 2022 we found new samples introducing this new feature used to steal cookies from sessions after the victims log in to their accounts... after the victim successfully logs in to his account, the cookies of the loaded website in the WebView are forwarded to the C2 server.
Discovery: 3 techniques
Hydra implements features to steal other information from the infected device... such as... a list of installed applications...
Lateral Movement: 2 techniques
Collection: 3 techniques
Command and Control: 7 techniques
When we download the mirrors file from http://lalabanda.com/api/mirrors, we will find encoded domains. I guess when the main C2 server is down, the malware will communicate with the mirrors or domains that we downloaded.
Hydra creates a POST request to send credentials or cookies to the C2 server.
Using Tor: This variant includes a Tor (.onion) URL to the endpoint ‘/api/mirrors’. As response, it will receive a Base64-encoded JSON with the list of C2 servers to use. This variant includes code to download Tor native libraries in order to connect to this ‘backup C2’ using the Tor network.
Hydra includes a screencast component that sends screenshots to the C2 server and receives commands used to simulate Accessibility events (click buttons, enter text in TextFields, etc.). This way the TAs can manipulate the target application on the victim’s device to monetize the account associated with that application.
Using Tor: This variant includes a Tor (.onion) URL to the endpoint ‘/api/mirrors’. As response, it will receive a Base64-encoded JSON with the list of C2 servers to use... Using GitHub: This variant includes a GitHub repository file containing a Base64-encoded JSON object with the list of C2 servers... Hardcoded C2 server: This variant includes the C2 server in the binary itself and eventually sends a request to the path ‘/api/mirrors’ in order to get a new list of C2 servers.
IOCs tracked for this family
47 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
11 sources tracked across advisories, community write-ups, and news.
Banking trojan family referenced as the base code/family for the bespoke Android malware GREYBATTLE.
A banking trojan family referenced as part of ongoing financially motivated campaigns targeting banking and financial credentials.
Mobile malware family listed among top mobile threats; described at a high level as increasingly sophisticated (remote access, ransomware capabilities, MFA interception mentioned generally).
Android banking trojan family name referenced via AV signatures; described as enabling device takeover and man-in-the-browser capabilities to intercept/manipulate banking sessions and defeat MFA, leading to account takeover and fraud.