Mallory
Malware: used by 3 actors

ResidentBat

ResidentBat is an Android spyware implant publicly documented in December 2025 by Reporters Without Borders (RSF) and RESIDENT.NGO and assessed to have been used by Belarus’s State Security Committee (KGB) since at least 2021. Reporting links it to surveillance operations against detained activists, journalists, and broader civil society in Belarus. The malware is described as being installed after authorities confiscate or seize phones during interrogations, using physical access and ADB sideloading of an APK, with operators manually granting permissions and disabling Google Play Protect. ResidentBat is not described as being initially delivered through its command-and-control infrastructure.

High-confidence reported capabilities include access to call logs, SMS messages, encrypted messenger traffic or app data, microphone recordings, screenshots or screen captures, and locally stored files. It supports remote commands and operator tasking from its C2, can query device status, enforce operator-defined policies, and can remotely wipe the device via DevicePolicyManager.wipeData. Configuration is delivered in JSON and includes parameters such as server address, upload period, and an upload-immediately flag.

ResidentBat communicates with C2 infrastructure over HTTPS/TLS. Reported infrastructure characteristics include control ports primarily in the 7000–7257 range, with some endpoints on port 4022; self-signed TLS certificates with subject CN=server and roughly three-year validity; and a consistent banner hash of 6f6676d369e99d61ce152e1e2b2eb6f5e26a4331f4008b5d6fe567edefdbeaca. Active probing reportedly showed catch-all HTTP 200 OK responses with empty bodies, and some reporting assessed that the C2 may rely on client certificate authentication, with the client certificate embedded in the APK. As of February 2026, reported ResidentBat-associated hosts were concentrated in the Netherlands, Germany, Switzerland, and Russia, including infrastructure in Russian ASNs. Google was reportedly notified and planned to send threat notifications to identified targets.
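To show how the reported infrastructure characteristics above can be turned into a defensive hunting check, here is an added Python example. It is not code from this page, from Mallory, or from the RSF/RESIDENT.NGO reporting. It scores TLS service observations (the kind a scanner or Zeek ssl/conn logs would yield) against the reported profile: port range, self-signed CN=server certificate, roughly three-year validity, the published banner hash, and the catch-all empty 200 OK. The observation records and the scoring weights are assumptions constructed for illustration.

```python
"""Score TLS service observations against the reported ResidentBat C2 profile."""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

# Indicators as summarised on this page (reported by RSF / RESIDENT.NGO).
PRIMARY_PORTS = range(7000, 7258)          # 7000-7257 inclusive
SECONDARY_PORTS = {4022}
REPORTED_SUBJECT_CN = "server"
REPORTED_BANNER_HASH = "6f6676d369e99d61ce152e1e2b2eb6f5e26a4331f4008b5d6fe567edefdbeaca"
# "roughly three-year validity": accept 2.5 to 3.5 years (assumed tolerance).
VALIDITY_DAYS_RANGE = (int(2.5 * 365), int(3.5 * 365))

# Weights are an assumption: the banner hash is the most specific indicator,
# a self-signed CN=server certificate on an odd port is common on benign hosts.
WEIGHTS = {"hash": 3, "cert": 2, "port": 1, "validity": 1, "catchall": 1}


@dataclass
class TlsObservation:
    host: str
    port: int
    subject_cn: str
    issuer_cn: str
    not_before: date
    not_after: date
    banner_hash: str
    http_status: Optional[int] = None   # status for an unknown path, if probed
    body_length: Optional[int] = None


@dataclass
class Verdict:
    host: str
    port: int
    score: int
    reasons: List[str] = field(default_factory=list)

    @property
    def level(self) -> str:
        return "high" if self.score >= 5 else "medium" if self.score >= 2 else "low"


def match_residentbat_profile(obs: TlsObservation) -> Verdict:
    """Return a weighted score plus the individual indicators that matched."""
    v = Verdict(obs.host, obs.port, 0)
    if obs.port in PRIMARY_PORTS:
        v.score += WEIGHTS["port"]
        v.reasons.append("port in reported 7000-7257 control range")
    elif obs.port in SECONDARY_PORTS:
        v.score += WEIGHTS["port"]
        v.reasons.append("port 4022 (secondary reported endpoint port)")
    self_signed = obs.subject_cn == obs.issuer_cn
    if self_signed and obs.subject_cn == REPORTED_SUBJECT_CN:
        v.score += WEIGHTS["cert"]
        v.reasons.append("self-signed certificate with CN=server")
    validity_days = (obs.not_after - obs.not_before).days
    if VALIDITY_DAYS_RANGE[0] <= validity_days <= VALIDITY_DAYS_RANGE[1]:
        v.score += WEIGHTS["validity"]
        v.reasons.append(f"~3-year certificate validity ({validity_days} days)")
    if obs.banner_hash.lower() == REPORTED_BANNER_HASH:
        v.score += WEIGHTS["hash"]
        v.reasons.append("banner hash matches reported value")
    if obs.http_status == 200 and obs.body_length == 0:
        v.score += WEIGHTS["catchall"]
        v.reasons.append("catch-all 200 OK with empty body")
    return v


def hunt(observations: List[TlsObservation]) -> List[Verdict]:
    """Score every observation and return them highest-score first."""
    return sorted((match_residentbat_profile(o) for o in observations),
                  key=lambda v: v.score, reverse=True)


# Constructed sample observations (not real hosts or scan data).
SAMPLE_OBSERVATIONS = [
    TlsObservation("198.51.100.10", 7100, "server", "server",
                   date(2023, 1, 10), date(2026, 1, 9),
                   REPORTED_BANNER_HASH, 200, 0),            # full profile match
    TlsObservation("203.0.113.5", 443, "example.com", "R3",
                   date(2025, 3, 1), date(2025, 5, 30),
                   "00" * 32, 404, 153),                      # ordinary web host
    TlsObservation("192.0.2.77", 7200, "server", "server",
                   date(2020, 6, 1), date(2023, 6, 1),
                   "ff" * 32, 200, 512),                      # partial match
]

if __name__ == "__main__":
    for v in hunt(SAMPLE_OBSERVATIONS):
        print(f"{v.host}:{v.port} score={v.score} ({v.level}) {v.reasons}")
```

The hash match is the only indicator specific to this family; port range, CN=server and validity period each recur on plenty of legitimate self-hosted services, so the medium-confidence output is a pivot for further correlation (ASN, hosting country, client-certificate requirement) rather than a verdict on its own.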


THREAT ACTORS

Groups observed using it

3 distinct threat actors attributed by public researchers.
Belarus’s KGB

Belarus’s KGB was linked to ResidentBat, active since at least 2021, used to pull call logs and stored files from detained activists.

via Cyber Security News (cybersecuritynews.com)
Belarus State Security Committee (KGB)

In December 2025, Reporters Without Borders (RSF) identified a previously unknown spyware called ResidentBat, which it assessed Belarus’s State Security Committee (KGB) had used since at least 2021 to access call logs, SMS messages, and locally stored files on the devices of detained activists and journalists.

via Recorded Future blog (recordedfuture.com)
belarusian_kgb

ResidentBat is an Android spyware implant used by the Belarusian KGB for surveillance operations against journalists and civil society.

via ctoatncsc Substack (ctoatncsc.substack.com)
MITRE ATT&CK

Techniques & procedures

7 distinct techniques documented for this family, organized by ATT&CK tactic.

Collection

3 techniques
T1005 Data from Local System (evidence: 3)

"Belarus’s KGB was linked to ResidentBat, active since at least 2021, used to pull call logs and stored files from detained activists."

T1113 Screen Capture (evidence: 1)

"screen captures"; "Real-time or on-demand recording and screenshots"

T1123 Audio Capture (evidence: 1)

"Microphone and screen capture: Real-time or on-demand recording"; "microphone recordings"

Command and Control

2 techniques
T1071.001 Web Protocols (evidence: 1)

"catch-all 200 response pattern: all HTTP paths return 200 OK with an empty body"; "suggesting anti-forensics and minimal fingerprintability beyond TLS."

T1571 Non-Standard Port (evidence: 1)

"ResidentBat-associated infrastructure… using a narrow port range (7000-7257) for control traffic."

Impact

1 technique
T1490 Inhibit System Recovery (evidence: 1)

"Remote wipe: Ability to trigger DevicePolicyManager.wipeData to erase the device"

Other

1 technique
T1562 Impair Defenses (evidence: 1)

"Google Play Protect disabled by the attacker"
