Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to malware
MalwareUsed by 3 actors

Qwizzserial

Qwizzserial is an Android SMS-stealer observed in campaigns targeting users in Uzbekistan. Group-IB reported roughly 100,000 infections, with most victims in Uzbekistan, where SMS is commonly used for two-factor authentication. The malware has been described as harvesting SMS inbox contents, intercepting SMS messages, collecting phone numbers, bank card data, and enumerating installed financial or banking apps. Reported exfiltration methods include Telegram bots and HTTP POST requests. Qwizzserial has been distributed through Telegram-based social engineering, including Telegram channels posing as government agencies and fake financial-aid applications, and has also been found disguised as seemingly benign media files. It has been observed alongside broader Uzbekistan-focused Android malware activity involving other families such as Wonderland, and is described as part of campaigns abusing sideloaded APKs delivered via Telegram. High-confidence reporting links Qwizzserial to theft of sensitive financial and authentication-related data from Android users in Uzbekistan.

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
THREAT ACTORS

Groups observed using it

3 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details
ajina

"...and SMS stealer Qwizzserial."

via dark readingdarkreading.com
blazefang

"...and SMS stealer Qwizzserial."

via dark readingdarkreading.com
trickywonders

"...and SMS stealer Qwizzserial."

via dark readingdarkreading.com
ACTIVITY FEED

Recent activity

4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

4 SOURCESView more in app
rescana blogNews
Dec 23, 2025
Uzbekistan Android Users Targeted: Wonderland SMS Stealer Malware Campaign Exposes Banking and Telegram Accounts

Qwizzserial is an Android malware that harvests phone numbers, bank card data, SMS inbox contents, and details of installed banking apps, exfiltrating data via Telegram bots or HTTP POST requests. It is distributed through Telegram channels posing as government agencies, often using fake financial aid apps as lures.

Read more
the hacker newsNews
Dec 22, 2025
Android Malware Operations Merge Droppers, SMS Theft, and RAT Capabilities at Scale

Obfuscated Android malware strain distributed as benign media files.

Read more
dark readingNews
Dec 22, 2025
Uzbek Users Under Attack by Android SMS Stealers

Android SMS stealer used in Telegram-propagated APK campaigns targeting users in Uzbekistan.

Read more
risky biz rssNews
Jul 4, 2025
Risky Bulletin: Hunters International ransomware shuts down and releases decryption keys

Android malware designed to collect information on financial apps and intercept SMS messages, targeting users in Uzbekistan.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution3

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.