Mallory
Back to malware
Malware · Used by 1 actor

INFAMOUSCHISEL

INFAMOUSCHISEL is Android malware publicly reported as used by APT44, also known as Sandworm and FROZENBARENTS, a threat actor attributed by multiple governments to GRU Unit 74455. The malware is designed to collect information from Android devices: system and device information, data on installed commercial applications, and data from Ukrainian military applications, including battlefield management apps. Public reporting links its use to Russian cyber operations supporting military objectives in Ukraine, including the targeting of military personnel's personal devices and attempts to steal information relevant to battlefield operations. The same reporting places INFAMOUSCHISEL alongside APT44 activity targeting secure messaging and battlefield-related data, and notes its use to steal information from Android devices in campaigns affecting Ukrainian military users.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details
Sandworm

Multiple governments have also reported on APT44's use of INFAMOUSCHISEL, malware designed to collect information from Android devices including system device information, commercial application information, and information from Ukrainian military apps.

via Mandiant Threat Intelligence (cloud.google.com)
MITRE ATT&CK

Techniques & procedures

2 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1200 Hardware Additions (evidence: 1)

"APT44 ... has attempted to exfiltrate information from Telegram and Signal ... likely via physical access to devices obtained during operations in Ukraine."

Collection

1 technique
T1213 Data from Information Repositories (evidence: 1)

“…including via attempts to exfiltrate locally stored databases of these apps…”

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution (1)

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (2)

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.