Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to malware
MalwareUsed by 1 actor

Infamous Chisel

Infamous Chisel is an Android malware family attributed to Sandworm, the Russian state-sponsored threat actor linked to GRU Unit 74455 and also tracked as APT44 / Seashell Blizzard. Public reporting from the NCSC and Five Eyes partners described it in August 2023 as a mobile malware strain targeting Android devices used by the Ukrainian military, including Ukrainian armed forces devices. Reported capabilities include enabling unauthorized access to compromised devices, scanning files, monitoring traffic, and periodically stealing sensitive information. The malware is described as an advanced Android implant with several persistence mechanisms and an unusual command-and-control system, and it searches for mobile applications specific to the Ukrainian military. Reporting also notes Sandworm targeted cryptocurrencies in its Infamous Chisel tooling. High-confidence context ties the malware to Sandworm’s broader mobile operations against Ukraine.

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details
Sandworm

Also, Sandworm APT targeted cryptocurrencies in their Infamous Chisel tooling which targeted Ukrainian armed forces’ Android devices.

via lookout bloglookout.com
ACTIVITY FEED

Recent activity

4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

4 SOURCESView more in app
lookout blogNews
Mar 18, 2026
Attackers Wielding DarkSword Threaten iOS Users | Threat Intel

Android-focused tooling associated in the content with Sandworm APT and cryptocurrency targeting against Ukrainian armed forces’ devices.

Read more
infosec writeupsNews
Mar 7, 2026
CTI Research: Sandworm / APT44. Evidence-Labeled Threat Intelligence… | by Andrey Pautov | Mar, 2026 | InfoSec Write-ups

Malware family attributed to Sandworm and documented in a Five Eyes malware analysis report; used for post-compromise access and data collection on infected devices.

Read more
bushidotoken blogNews
Sep 1, 2024
Examining Mobile Threats from Russia

Android malware/backdoor with advanced persistence, C2 via Tor and SSH, network monitoring, local scanning, and exfiltration capabilities. Used for targeting Ukrainian military devices.

Read more
the hacker newsNews
Jan 5, 2026
Search results for Security | Breaking Cybersecurity News | The Hacker News

Infamous Chisel is Android malware used for cyber espionage, enabling unauthorized access, file scanning, traffic monitoring, and data exfiltration from compromised devices, primarily targeting the Ukrainian military.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution1

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.