Mallory
Malware

GhostBat RAT

GhostBat RAT is an Android remote access trojan observed in campaigns targeting users across India. It has been distributed via malicious APK files delivered through hacked websites, WhatsApp, and SMS messages, with the apps masquerading as Indian Regional Transport Office applications, including a counterfeit mParivahan app. Reported capabilities include theft of sensitive data from compromised devices, exfiltration of UPI PINs, and harvesting of SMS messages containing banking-related keywords. Infected devices are registered through a Telegram bot identified as "GhostBatRat_bot." Reported evasion and anti-analysis techniques include ZIP header manipulation, extensive string obfuscation, native code execution, and anti-emulation. Researchers also identified more advanced variants that execute encrypted payloads using a native C/C++-based packer. Cyble and iVerify described GhostBat RAT as one of two Android malware families capable of stealing sensitive data from compromised devices.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

MITRE ATT&CK

Techniques & procedures

10 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

3 techniques
T1189 Drive-by Compromise (Evidence: 1)

"Hacked websites, WhatsApp, and SMS messages have been used by threat actors to deliver illicit APK files"

T1566 Phishing (Evidence: 1)

"Hacked websites, WhatsApp, and SMS messages have been used... to deliver illicit APK files"

T1566.001 Spearphishing Attachment (Evidence: 1)

"...WhatsApp, and SMS messages have been used by threat actors to deliver illicit APK files"

Stealth

4 techniques
T1027 Obfuscated Files or Information (Evidence: 1)

"...extensive string obfuscation..." and "...encrypted payload execution through a native C/C++-based packer"

T1036 Masquerading (Evidence: 1)

"...download of spoofed versions of Indian Regional Transport Office apps, including mParivahan"

T1497 Virtualization/Sandbox Evasion (Evidence: 1)

"...anti-emulation tactics to bypass detection"

T1620 Reflective Code Loading (Evidence: 1)

"...native code execution..." and "...native C/C++-based packer"

Credential Access

1 technique
T1056 Input Capture (Evidence: 1)

"Installation of the counterfeit mParivahan app enabled not only the exfiltration of UPI PINs"

Discovery

1 technique
T1497 Virtualization/Sandbox Evasion (Evidence: 1)

"...anti-emulation tactics to bypass detection"

Collection

2 techniques
T1056 Input Capture (Evidence: 1)

"Installation of the counterfeit mParivahan app enabled not only the exfiltration of UPI PINs"

T1114 Email Collection (Evidence: 1)

"...exfiltration of SMS messages with banking-related keywords"

Command and Control

1 technique
T1102 Web Service (Evidence: 1)

"Infected devices are also concurrently registered using the Telegram bot 'GhostBatRat_bot'"

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (10)

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.