Universe Browser
Universe Browser (寰宇浏览器) is a custom browser promoted as a privacy-friendly, censorship-bypassing tool, including for users accessing online gambling platforms, but the provided reporting describes it as functioning like malware and exhibiting behavior consistent with a remote access trojan (RAT). It routes all user traffic through attacker-controlled infrastructure and servers in China, covertly installs persistent background programs, makes surreptitious connections, alters network configurations, and includes keylogging capability. Reported Windows installer behaviors include anti-VM checks, code injection, persistence, and keylogging. The Windows variant is described as rarely detected by antivirus engines and designed to evade analysis; additional reported behaviors include disabling Chrome developer tools and settings, modifying the user agent, and adding custom extensions for screenshotting and proxy management. The browser is reported as distributed for Windows, Android, and iOS, with millions of users, and is associated with the Vault Viper cybercriminal infrastructure operated by Baoying Group (BBIN), which is linked in the reporting to illegal gambling platforms and broader organized crime activity in Southeast Asia. The infrastructure supporting Universe Browser reportedly includes thousands of domains, its own ASN (WOODSNET-PH, AS55547), and C2-related hosting on providers including AWS and Alibaba. The content also notes that the browser and related infrastructure have previously been contaminated by other malware families including RAMNIT, PARITE, and ALMAN. High-confidence concerns directly stated in the content include credential theft, persistent access, surveillance, and monetization of victims.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Recent activity
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Malicious browser distributed as a privacy tool, but actually functions as a remote access trojan. Installs persistent background programs, alters network configurations, supports credential theft and surveillance, and routes all traffic through attacker-controlled infrastructure. Used in large-scale cybercrime operations tied to illegal gambling and organized crime.
Trojanized/modified browser distributed by iGaming-linked ecosystem; routes traffic via China-based servers and includes covert background components with RAT-like capabilities (keylogging, location collection, screenshots, network config modification) and reduced user inspection features.
Universe Browser is a custom Chromium-based browser distributed by the Baoying Group (BBIN) to facilitate access to illegal online gambling platforms. It masquerades as a privacy tool but covertly installs persistent background programs, modifies network settings, disables security features, and routes all user traffic through actor-controlled proxies. It exhibits behaviors typical of malware, including keylogging, code injection, anti-analysis techniques, and the ability to download and execute additional payloads. Its infrastructure is tightly integrated with criminal networks, enabling credential theft, surveillance, and monetization of user data.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.