Mallory
Malware (used by 2 actors)

Dcpro


THREAT ACTORS

Groups observed using it

2 threat actor names attributed by public researchers. Both entries below cite the same source excerpt, and APT-C-56 is the identifier 360 uses for Transparent Tribe, so this is one group listed under two names rather than two independent attributions.
Transparent Tribe

Based on the Firebase database address used by the app, we named this new malware family Dcpro. The family has only a small number of basic information-stealing functions, namely: stealing contacts, stealing call logs, stealing SMS messages, stealing media files from a specified WhatsApp directory, and stealing files from the device's external storage.

via ctfiot.com
APT-C-56

Based on the Firebase database address used by the app, we named this new malware family Dcpro. The family has only a small number of basic information-stealing functions, namely: stealing contacts, stealing call logs, stealing SMS messages, stealing media files from a specified WhatsApp directory, and stealing files from the device's external storage. (Same source excerpt as the Transparent Tribe entry above.)

via ctfiot.com
MITRE ATT&CK

Techniques & procedures

7 techniques are documented for this family, organized by ATT&CK tactic. Two caveats: the IDs below come from the enterprise matrix, although Dcpro is an Android app that the mobile matrix describes more precisely; and two of the mappings are weak, since the T1072 (Software Deployment Tools) entries rest only on the sample fetching its own update from a second URL, which is ingress tool transfer (T1105) rather than use of an enterprise deployment tool, and T1528 (Steal Application Access Token) is cited for copying WhatsApp media files, which is collection, not token theft.

Initial Access

1 technique
T1566 Phishing (evidence: 1)

The attackers used phishing websites disguised as Google Play pages to distribute the malicious chat app.

Execution

1 technique
T1072 Software Deployment Tools (evidence: 1)

During sample analysis it was found that the sample's self-update address differs from its download address; a new address is used for application self-updating.

Defense Evasion

1 technique
T1036 Masquerading (evidence: 1)

In August 2023 an attack was discovered in which a chat application was impersonated for data-theft activity… the attackers used multiple phishing websites for payload delivery… all of the sites were disguised as fake official Google Play download pages for the same chat application.

Credential Access

1 technique
T1528 Steal Application Access Token (evidence: 1)

Steals media files from a specified WhatsApp directory.

Lateral Movement

1 technique
T1072 Software Deployment Tools (evidence: 1)

During sample analysis it was found that the sample's self-update address differs from its download address; a new address is used for application self-updating.

Collection

1 technique
T1005 Data from Local System (evidence: 1)

The family has only a small number of basic information-stealing functions, namely: stealing contacts, stealing call logs, stealing SMS messages, stealing media files from a specified WhatsApp directory, and stealing files from the device's external storage.
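The capability list above maps directly onto Android runtime permissions, which gives a cheap static triage check for a decoded AndroidManifest.xml. The script below is an added example written for this page, not tooling from the ctfiot.com report or from Mallory: the manifest is constructed, the permission names are real Android permissions, and the idea that three or more of these capabilities in one "chat" app is worth a look is an assumed threshold, since a genuine messenger legitimately requests contacts and storage.

```python
"""Triage heuristic: does a decoded AndroidManifest.xml request the permission
set implied by the Dcpro capability list (contacts, call log, SMS, WhatsApp
media, external storage)?  Added example; the manifest below is constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capability -> permissions that grant it.  Any one permission in the tuple
# is enough (storage permissions changed across Android API levels).
CAPABILITY_PERMISSIONS = {
    "contacts": ("android.permission.READ_CONTACTS",),
    "call_log": ("android.permission.READ_CALL_LOG",),
    "sms": ("android.permission.READ_SMS", "android.permission.RECEIVE_SMS"),
    # The WhatsApp media directory lives on external storage, so one
    # permission covers both the "WhatsApp directory" and "external storage"
    # items of the capability list.
    "external_storage": (
        "android.permission.READ_EXTERNAL_STORAGE",
        "android.permission.MANAGE_EXTERNAL_STORAGE",
        "android.permission.READ_MEDIA_IMAGES",
        "android.permission.READ_MEDIA_VIDEO",
    ),
}


def requested_permissions(manifest_xml: str) -> set[str]:
    """Return every android:name found on a <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    }


def stealer_capabilities(manifest_xml: str) -> set[str]:
    """Capabilities from CAPABILITY_PERMISSIONS whose permission is requested."""
    perms = requested_permissions(manifest_xml)
    return {cap for cap, opts in CAPABILITY_PERMISSIONS.items() if perms & set(opts)}


def worth_a_look(manifest_xml: str, threshold: int = 3) -> bool:
    """A chat app needs contacts and storage; call log and SMS on top of them
    is the combination that matches the Dcpro list.  The threshold is an
    assumed triage cut-off, not a verdict."""
    return len(stealer_capabilities(manifest_xml)) >= threshold


# Constructed sample manifest: a "chat" app that also wants call log and SMS.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.chat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application android:label="Chat"/>
</manifest>
"""

if __name__ == "__main__":
    print(sorted(stealer_capabilities(SAMPLE_MANIFEST)))
    print(worth_a_look(SAMPLE_MANIFEST))
```

Run it against the manifest that apktool or androguard decodes from a suspect APK; a messenger that also asks for READ_CALL_LOG and READ_SMS is the pattern to pull for manual analysis, and the threshold argument lets you tighten or loosen that cut-off per environment.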

Command and Control

2 techniques
T1071 Application Layer Protocol (evidence: 1)

Some of the chat app's messaging functions and its data-theft functions use the same server address, and the messaging functionality also uses Firebase Realtime Database for data storage. | Tracing the sample's C&C information… the IPs that the sample's C&C, download and update addresses resolve to lie in the same network segment.

T1105 Ingress Tool Transfer (evidence: 1)

The attackers used multiple phishing websites for payload delivery… and all of them deliver the same malicious sample.
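The two observations above, that the C&C, download and self-update hosts resolve into one network segment and that several phishing sites deliver one sample, are what make infrastructure pivoting useful for this family. The script below is an added example for this page, not code from the ctfiot.com report or from Mallory: it groups resolved hosts by network prefix, keeps only segments that carry more than one role, and then sweeps a proxy log for destinations inside those segments. All hostnames, IPs and log lines are constructed (RFC 5737 documentation ranges), and the /24 prefix is an assumption, since the report says "same network segment" without giving a length.

```python
"""Infrastructure pivot: find network segments shared by a sample's C&C,
download and self-update hosts, then hunt for them in a proxy log.
Added example; every host, IP and log line below is constructed."""
import ipaddress
from collections import defaultdict

# Constructed passive-DNS style input: (role, hostname, resolved IPv4).
# Roles follow the report: the chat/C&C server, the phishing download
# sites, and the separate self-update address.
RESOLUTIONS = [
    ("c2",       "chat-api.example.net",   "198.51.100.20"),
    ("download", "play-store.example.org", "198.51.100.35"),
    ("download", "app-dl.example.com",     "198.51.100.36"),
    ("update",   "upd.example.net",        "198.51.100.41"),
    ("download", "mirror.example.com",     "203.0.113.9"),
]

# Constructed proxy log: "timestamp src_ip dst_ip sni_or_host".  The third
# line points at an address in the shared segment that is not a known IOC.
PROXY_LOG = [
    "2023-08-14T09:12:01Z 10.0.0.15 198.51.100.41 upd.example.net",
    "2023-08-14T09:13:44Z 10.0.0.22 192.0.2.10 www.example.com",
    "2023-08-14T09:15:09Z 10.0.0.15 198.51.100.77 unknown",
]


def shared_segments(resolutions, prefix_len=24):
    """Map each /prefix_len network to the (role, hostname) pairs inside it,
    keeping only networks that host more than one infrastructure role.
    prefix_len=24 is an assumption about what 'same segment' means."""
    by_net = defaultdict(set)
    for role, host, ip in resolutions:
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        by_net[net].add((role, host))
    return {
        str(net): sorted(members)
        for net, members in by_net.items()
        if len({role for role, _ in members}) > 1
    }


def hits_in_proxy_log(log_lines, resolutions, prefix_len=24):
    """Return (src, dst, host) for every log line whose destination falls in
    a shared segment.  This deliberately catches addresses that are not yet
    on the IOC list, which is the point of pivoting on the segment."""
    nets = [ipaddress.ip_network(n) for n in shared_segments(resolutions, prefix_len)]
    hits = []
    for line in log_lines:
        _ts, src, dst, host = line.split()
        dst_ip = ipaddress.ip_address(dst)
        if any(dst_ip in net for net in nets):
            hits.append((src, dst, host))
    return hits


if __name__ == "__main__":
    for net, members in shared_segments(RESOLUTIONS).items():
        print(net)
        for role, host in members:
            print(f"  {role:<8} {host}")
    for src, dst, host in hits_in_proxy_log(PROXY_LOG, RESOLUTIONS):
        print(f"hit: {src} -> {dst} ({host})")
```

Treat a segment hit as a hunting lead rather than an automatic block: a /24 can belong to a shared hosting provider, so confirm with the resolved hostname, the sample's download URL pattern and the Firebase usage before acting on it.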
