Wonderland
Wonderland is an Android SMS-stealer malware family, formerly known as WretchedCat, associated with the financially motivated TrickyWonders cybercriminal group. It has been observed targeting users in Uzbekistan and the broader Central Asia region, with reporting also noting similar tactics in neighboring countries, Turkey, and India. Group-IB described it as a major mobile threat in the region and reported large-scale infections in Uzbekistan.
Wonderland is distributed primarily through Telegram-based social engineering and sideloaded APKs, often via fake apps, fake Google Play pages, social media ads, dating apps, fake websites, and highly obfuscated dropper malware such as MidnightDat and the AES-based RoundRift. Attackers also abuse stolen Telegram sessions to message victims’ contacts and propagate the malware. The operation has been described as using an affiliate model in which core developers and affiliates distribute malware for profit.
Its core capability is theft of SMS messages, including one-time passwords used for banking and authentication. Reported functionality also includes hijacking Telegram accounts by intercepting authentication codes, retrieving phone numbers, exfiltrating contact lists, sending arbitrary SMS messages, suppressing push notifications to hide security alerts and OTPs, and facilitating unauthorized financial transactions. Group-IB reported that Wonderland supports bidirectional command-and-control over WebSocket, enabling real-time command execution, arbitrary USSD requests, call-forwarding abuse, and other fraud-enabling actions on infected Android devices.
The malware uses heavy code obfuscation and anti-analysis techniques, including emulator, rooted-device, and sandbox detection, and may terminate itself when analysis environments are detected. Reporting also notes that each APK build may be tied to a unique, frequently rotated C2 domain to complicate blacklisting and monitoring. Wonderland has been described as masquerading as legitimate applications, including Google Play, and as part of multi-stage infection chains in which droppers silently deploy the SMS-stealing payload.
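As an added illustration of how the capability profile described above can be flagged during APK triage (example code written for this page, not Wonderland's code and not Group-IB's tooling): the snippet reads a decoded AndroidManifest.xml, as produced by apktool or androguard, scores the SMS, contact and telephony permissions together with an SMS_RECEIVED receiver and a NotificationListenerService (the component a stealer uses to read and cancel OTP and bank alerts), and flags a "Google Play" label on a package outside Google's namespace. The two sample manifests, the package names, the weights and the threshold are constructed for the example and are not published indicators.

```python
"""Static triage of a decoded AndroidManifest.xml for the SMS-stealer
capability profile: OTP interception, notification suppression, contact
theft, outbound SMS / USSD, and impersonation of Google Play.
Example code for illustration only; the manifests below are constructed."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Weights are this example's own choice, not a published scoring scheme.
PERMISSION_WEIGHTS = {
    "android.permission.RECEIVE_SMS": 3,    # intercept incoming OTPs
    "android.permission.READ_SMS": 2,       # read stored messages
    "android.permission.SEND_SMS": 2,       # send arbitrary SMS
    "android.permission.READ_CONTACTS": 1,  # exfiltrate contact lists
    "android.permission.CALL_PHONE": 2,     # dial USSD / call-forwarding codes
    "android.permission.INTERNET": 0,       # needed for C2, but universal
}
NOTIF_LISTENER_PERM = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
NOTIF_LISTENER_ACTION = "android.service.notification.NotificationListenerService"
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"
IMPERSONATED_LABELS = ("google play", "play store", "google play services")
OFFICIAL_PACKAGE_PREFIXES = ("com.android.vending", "com.google.android")


@dataclass
class TriageResult:
    package: str
    label: str
    score: int
    findings: list[str] = field(default_factory=list)


def triage_manifest(xml_text: str) -> TriageResult:
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    app = root.find("application")
    label = app.get(ANDROID_NS + "label", "") if app is not None else ""
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    result = TriageResult(package=package, label=label, score=0)

    for perm, weight in PERMISSION_WEIGHTS.items():
        if perm in perms and weight:
            result.score += weight
            result.findings.append(f"permission {perm.rsplit('.', 1)[-1]}")

    # An SMS_RECEIVED receiver hands the stealer each OTP as it arrives.
    for receiver in root.iter("receiver"):
        actions = {a.get(ANDROID_NS + "name") for a in receiver.iter("action")}
        if SMS_RECEIVED_ACTION in actions:
            result.score += 2
            result.findings.append("SMS_RECEIVED broadcast receiver")
            break

    # A NotificationListenerService can read and cancel notifications,
    # i.e. suppress the OTP and bank alerts the victim would otherwise see.
    for service in root.iter("service"):
        actions = {a.get(ANDROID_NS + "name") for a in service.iter("action")}
        if (service.get(ANDROID_NS + "permission") == NOTIF_LISTENER_PERM
                or NOTIF_LISTENER_ACTION in actions):
            result.score += 3
            result.findings.append("notification listener service")
            break

    # A "Google Play" label on a non-Google package is the masquerading
    # described in the text.
    if (label.strip().lower() in IMPERSONATED_LABELS
            and not package.startswith(OFFICIAL_PACKAGE_PREFIXES)):
        result.score += 4
        result.findings.append(f"label {label!r} on non-Google package {package}")
    return result


def is_sms_stealer_profile(result: TriageResult, threshold: int = 8) -> bool:
    """Threshold is a tuning knob for this example, not a published cutoff."""
    return result.score >= threshold


# Constructed sample: a fake "Google Play" with the stealer's permission set.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.updater">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Google Play">
    <receiver android:name=".SmsReceiver">
      <intent-filter><action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter>
    </receiver>
    <service android:name=".NotifService"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter><action android:name="android.service.notification.NotificationListenerService"/></intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed sample: an ordinary app that only needs network access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>"""

if __name__ == "__main__":
    for m in (SUSPECT_MANIFEST, BENIGN_MANIFEST):
        r = triage_manifest(m)
        print(r.package, r.score, is_sms_stealer_profile(r), r.findings)
```

Run it against the manifest that `apktool d sample.apk` writes, or feed it the manifest string androguard returns. Treat the score as a triage signal, not a verdict: a legitimate SMS client or dialer legitimately holds most of these permissions, so a hit should be confirmed dynamically, for example by watching for the WebSocket C2 channel, USSD dialling and call-forwarding requests described above.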
The campaign is financially motivated, with monetization centered on intercepting banking OTPs, draining victims’ bank accounts or cards, and reselling compromised Telegram sessions. Victims are primarily Android users who rely on Telegram, banking apps, and social media, especially in Uzbekistan.
Groups observed using it
3 distinct threat actors attributed by public researchers.
"The attackers were observed using the SMS stealer Wonderland, dropper malware MidnightDat, the AES-based dropper RoundRift, money stealing malware Ajina.Banker, and SMS stealer Qwizzserial."
Techniques & procedures
3 distinct techniques documented for this family, organized by ATT&CK tactic.
Recent activity
9 sources tracked across advisories, community write-ups, and news.
Named as one of 17 Android malware families detected in the wild over four months.
Android SMS-stealing malware delivered via droppers; supports bidirectional C2 for real-time command execution, including arbitrary USSD requests and SMS theft.
Android SMS-stealing malware delivered via malicious dropper apps masquerading as legitimate apps; observed targeting users in Uzbekistan.
Wonderland is a modular Android SMS stealer malware that exfiltrates SMS messages (including OTPs), hijacks Telegram accounts, suppresses security notifications, and enables unauthorized financial transactions. It is distributed via obfuscated droppers and uses rapidly rotating C2 infrastructure and real-time control channels.