Mallory
Malware · Used by 1 actor

MMRat

MMRat is an Android remote access trojan used in mobile banking fraud campaigns that the cited reporting attributes to the financially motivated Chinese-speaking group GoldFactory. It has been deployed in attacks targeting users in Indonesia, Thailand, and Vietnam, where operators impersonating government or public-service entities contact victims by phone and through messaging apps such as Zalo and redirect them to fake Google Play Store pages. These lures lead to the installation of malware including Gigabud, MMRat, and Remo.

In the described campaigns, the malware is delivered as modified copies of legitimate banking applications and abuses Android accessibility services to enable remote control and fraudulent activity while preserving the app's normal functionality. The broader toolset used in these operations relies on runtime hooking frameworks and malware families such as FriHook, SkyHook, and PineHook to bypass security controls and conceal malicious behavior. Reported capabilities across the campaign ecosystem include hiding accessibility-enabled apps, preventing screencast detection, spoofing app signatures, hiding installation sources, implementing custom integrity tokens, and obtaining account balances. High-confidence reporting directly ties MMRat to GoldFactory's Android-focused operations and to the fake banking-app distribution infrastructure affecting Southeast Asian mobile users.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

GoldFactory

...resulting in the deployment of a remote access trojan like Gigabud, MMRat, or Remo, which surfaced earlier this year using the same tactics as GoldFactory.

via The Hacker News (thehackernews.com)
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution (1)

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.