Dracarys
Dracarys is an Android malware/spyware family active by 2022 and linked by multiple researchers to the South Asian threat group BITTER, also tracked as T-APT-17 and APT-Q-37. Reporting tied Dracarys to an espionage campaign that used fake websites impersonating trusted services including YouTube, Signal, Telegram, and WhatsApp to distribute the malware. Infrastructure associated with the campaign included youtubepremiumapp[.]com, which Cyble and Meta previously linked to a BITTER operation distributing Dracarys. Lookout later connected newer Android spyware activity to BITTER in part through code similarities between ProSpy and the earlier Dracarys malware, noting similarly named worker classes and the use of the same numbered command-and-control commands to control infected phones; Lookout also noted that Dracarys was implemented in Java, while ProSpy used Kotlin. The broader BITTER activity described in the reporting has historically targeted military, energy, and government organizations in China, Pakistan, and Saudi Arabia, and later expanded to activists and journalists in Egypt, Lebanon, Bahrain, and the UAE. High-confidence capabilities explicitly described for Dracarys in the provided content are limited; however, it is directly described as Android malware used in an espionage operation and as a predecessor closely related in code and command structure to later BITTER-linked Android spyware.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Groups observed using it
2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Lookout has linked this campaign to a South Asian group known as BITTER (also called T-APT-17, APT-Q-37) because the code in ProSpy is similar to an older virus called Dracarys from 2022. Both, reportedly, use the same numbered commands to control the phone.
Lookout has linked this campaign to a South Asian group known as BITTER (also called T-APT-17, APT-Q-37) because the code in ProSpy is similar to an older virus called Dracarys from 2022. Both, reportedly, use the same numbered commands to control the phone.
Techniques & procedures
2 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 techniqueSpecifically, the domain "encryption-plug-in-signal.com-ae[.]net" was used as an initial access vector for ProSpy by claiming to be a non-existent encryption plugin for Signal.
Stealth
1 techniqueSome of the domains used in these phishing attacks are listed below - signin-apple.com-en-uk[.]co id-apple.com-en[.]io facetime.com-en[.]io secure-signal.com-en[.]io telegram.com-en[.]io verify-apple.com-ae[.]net
IOCs tracked for this family
2 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
Recent activity
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Older malware from 2022 whose code and command structure reportedly resemble ProSpy, helping researchers link the campaign to BITTER.
Android malware used in espionage campaigns and distributed through fake websites impersonating trusted services. It shares structural similarities with ProSpy, including worker logic and numbered C2 commands.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.