ResidentBat Android Malware Provides Belarusian KGB with Persistent Access to Mobile Devices

February 26, 2026

A newly documented Android spyware called ResidentBat has been linked to the Belarusian KGB, giving state operators deep and persistent access to the mobile devices of journalists and civil society members.

First publicly reported in December 2025 through a joint investigation by Reporters Without Borders (RSF) and RESIDENT.NGO, the malware’s code history suggests it was quietly developed as far back as 2021 — meaning it may have been silently operating for years before being formally exposed.

What sets ResidentBat apart from typical mobile malware is its highly targeted deployment model.

Rather than spreading through malicious links or app stores, installation requires the attacker to have physical access to the target’s Android device.

The attacker uses the Android Debug Bridge (ADB) tool to sideload the spyware APK directly onto the device, manually grants the necessary permissions, and disables Google Play Protect to prevent detection.

This hands-on method keeps the infection rate low but ensures that every compromised device belongs to a person the Belarusian KGB has deliberately chosen to surveil.

Once installed, ResidentBat is capable of capturing a wide range of sensitive data. The malware reads SMS messages and call logs, records audio through the device’s microphone, takes screenshots, accesses files stored locally, and even intercepts traffic from encrypted messaging applications.

Censys analysts identified the malware’s command-and-control (C2) infrastructure and noted its consistent technical fingerprint — self-signed TLS certificates with the common name set to “CN=server,” operating across a narrow port range of 7000 to 7257.

The C2 is used only to receive stolen data, push operator commands, and deliver configuration updates, keeping the attacker firmly in control long after the initial installation.

The malware’s reach extends beyond data theft. ResidentBat also gives operators the ability to remotely wipe a compromised device using Android’s DevicePolicyManager.wipeData function — effectively destroying evidence or punishing a target with a single command.

As of February 2026, active ResidentBat infrastructure has been identified across ten hosts, concentrated in the Netherlands (5), Germany (2), Switzerland (2), and Russia (1), with Russian autonomous systems like AS29182 (RU-JSCIOT) playing a particularly notable role.

The malware’s C2 configuration is delivered in JSON format and includes parameters that control the server address, data upload timing, and an “upload data immediately” flag.

C2 Hardening and Detection Evasion

One of ResidentBat’s most technically notable traits is the deliberate hardening of its C2 servers, which makes traditional network-based detection unusually difficult.

When researchers actively probe these servers, every HTTP path returns a 200 OK response with a completely empty body, regardless of the request content or authentication headers submitted.

This catch-all response pattern provides no useful behavioral information to defenders analyzing HTTP traffic, pushing all meaningful detection toward TLS-layer indicators instead.

Adding to this evasion strategy, the C2 servers return a static or artificially set Date header in HTTP responses — for example, a fixed timestamp such as “Tue, 06 Jan 2026 01:00:00 GMT” — which is a deliberate anti-forensics technique designed to reduce fingerprintability.
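The two server behaviours just described (a 200 OK with an empty body for every path, and a Date header that never moves) can be turned into a simple triage check for probe results. The following is an added example, not code from the article or from the researchers who reported the infrastructure; it works on constructed probe responses embedded below, and the `ProbeResponse` record, the `min_paths` threshold and the function names are this example's own assumptions.

```python
# Heuristic triage of HTTP probe results for the "catch-all" C2 behaviour
# described above. Added example, not from the article: given the responses
# one host returned to several different request paths, report whether
# (a) every path came back 200 with an empty body and
# (b) the Date header never advanced between requests.
from dataclasses import dataclass
from email.utils import parsedate_to_datetime


@dataclass
class ProbeResponse:
    path: str
    status: int
    body: bytes
    headers: dict  # header name (lower-cased) -> value


def is_catch_all_empty(responses, min_paths=3):
    """True when at least min_paths distinct paths all returned 200 with an empty body.
    The threshold exists so a single index page answering 200 does not trigger it."""
    paths = {r.path for r in responses}
    if len(paths) < min_paths:
        return False
    return all(r.status == 200 and len(r.body) == 0 for r in responses)


def has_static_date(responses):
    """True when every response carries a Date header and the parsed value never
    changes across the probe set. A live server's Date follows the wall clock,
    so identical timestamps across separate requests are the anomaly."""
    dates = []
    for r in responses:
        value = r.headers.get("date")
        if value is None:
            return False
        try:
            dates.append(parsedate_to_datetime(value))
        except (TypeError, ValueError):
            return False  # unparseable Date: do not claim it is static
    return len(set(dates)) == 1


def classify_host(responses):
    """Return the list of behavioural flags raised for one host's probe set."""
    flags = []
    if is_catch_all_empty(responses):
        flags.append("catch-all-empty-200")
    if has_static_date(responses):
        flags.append("static-date-header")
    return flags


# Constructed sample: three probes of one host, answered identically, using
# the fixed timestamp quoted in the article.
SAMPLE = [
    ProbeResponse("/", 200, b"", {"date": "Tue, 06 Jan 2026 01:00:00 GMT", "content-length": "0"}),
    ProbeResponse("/api/v1/upload", 200, b"", {"date": "Tue, 06 Jan 2026 01:00:00 GMT", "content-length": "0"}),
    ProbeResponse("/nonexistent-zz", 200, b"", {"date": "Tue, 06 Jan 2026 01:00:00 GMT", "content-length": "0"}),
]

# Constructed control: an ordinary web server that 404s unknown paths and
# whose Date header moves between requests.
CONTROL = [
    ProbeResponse("/", 200, b"<html>hi</html>", {"date": "Thu, 26 Feb 2026 10:00:00 GMT"}),
    ProbeResponse("/api/v1/upload", 404, b"not found", {"date": "Thu, 26 Feb 2026 10:00:01 GMT"}),
    ProbeResponse("/nonexistent-zz", 404, b"not found", {"date": "Thu, 26 Feb 2026 10:00:02 GMT"}),
]

if __name__ == "__main__":
    print("sample:", classify_host(SAMPLE))    # both flags raised
    print("control:", classify_host(CONTROL))  # no flags
```

Treat either flag on its own as weak: caching layers and some reverse proxies can also freeze a Date header, and load balancers sometimes answer every path with a bare 200. The combination, on a host whose TLS certificate also fits the profile in this article, is what makes it worth a closer look.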

The server architecture also appears to rely on client certificate authentication embedded directly within the APK, a proprietary communication protocol that does not follow standard REST patterns, and server-side device allowlisting, so that only pre-approved devices ever receive a meaningful response from the C2.

Across the probed infrastructure, five distinct certificate SHA-256 fingerprints were observed, with some certificates reused across multiple IP and port combinations — a pattern that actually helps security researchers cluster and track related infrastructure once a single endpoint is identified.
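The certificate fingerprint described earlier (self-signed, common name "server", port 7000 to 7257) and the reuse of certificate SHA-256 values across IP and port combinations can be combined into one pivot: match observations against the profile, then group the matches by fingerprint. The following is an added example, not code from the article or from Censys; it runs on constructed certificate observations embedded below (documentation-range IPs and made-up fingerprints, not real indicators), and the `CertObservation` record and function names are this example's own assumptions.

```python
# Added example, not from the article or Censys: match TLS certificate
# observations against the ResidentBat C2 profile given in the text
# (self-signed, CN=server, port 7000-7257) and cluster the matches by
# certificate SHA-256 so reuse across IP:port pairs becomes visible.
from collections import defaultdict
from dataclasses import dataclass

PORT_RANGE = range(7000, 7258)  # 7000..7257 inclusive, as reported


@dataclass(frozen=True)
class CertObservation:
    ip: str
    port: int
    subject_cn: str
    issuer_cn: str
    self_signed: bool  # issuer and subject identical, signature verifies with own key
    sha256: str        # hex fingerprint of the leaf certificate


def matches_residentbat_profile(obs):
    """True when the observation fits all three reported traits."""
    return (obs.self_signed
            and obs.subject_cn == "server"
            and obs.port in PORT_RANGE)


def cluster_by_fingerprint(observations):
    """Group matching observations by certificate SHA-256.
    Returns {sha256: sorted list of 'ip:port'}; endpoints that do not match
    the profile are left out so they do not pollute the clusters."""
    clusters = defaultdict(set)
    for obs in observations:
        if matches_residentbat_profile(obs):
            clusters[obs.sha256].add(f"{obs.ip}:{obs.port}")
    return {fp: sorted(eps) for fp, eps in clusters.items()}


def reused_fingerprints(clusters):
    """Fingerprints seen on more than one endpoint: the pivot that lets one
    identified endpoint lead to the rest of the infrastructure."""
    return sorted(fp for fp, eps in clusters.items() if len(eps) > 1)


# Constructed observations. IPs are RFC 5737 documentation addresses and the
# fingerprints are repeated hex bytes, not real indicators.
OBSERVATIONS = [
    CertObservation("192.0.2.10", 7001, "server", "server", True, "aa" * 32),
    CertObservation("192.0.2.10", 7100, "server", "server", True, "aa" * 32),
    CertObservation("198.51.100.7", 7250, "server", "server", True, "aa" * 32),
    CertObservation("198.51.100.7", 7010, "server", "server", True, "bb" * 32),
    CertObservation("203.0.113.5", 7300, "server", "server", True, "cc" * 32),           # port outside range
    CertObservation("203.0.113.9", 7005, "www.example.com", "R3", False, "dd" * 32),  # CA-issued, wrong CN
]

if __name__ == "__main__":
    clusters = cluster_by_fingerprint(OBSERVATIONS)
    for fp, endpoints in clusters.items():
        print(fp[:16], endpoints)
    print("reused:", [fp[:16] for fp in reused_fingerprints(clusters)])
```

In practice the observations would come from an internet-scan dataset or from passive TLS logs at the network edge; the profile match alone will also catch unrelated self-signed test servers, so the fingerprint reuse, not the CN=server string, is the part worth pivoting on.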
