Home > List all groups > List all tools > List all groups using tool PhantomLance

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link Tool: PhantomLance

TypeReconnaissance, Backdoor, Info stealer, Downloader, Exfiltration
Description(Dr.Web) The backdoor communicates with several command and control servers to receive commands from the attackers and send the collected data. The cybercriminals can also control the trojan via the Firebase Cloud Messaging service. Android.Backdoor.736.origin is capable of:
• sending information on contacts from the contact list to the server;
• sending information on text messages to the server (the investigated version of the trojan did not have the permissions for this);
• sending the phone call history to the server;
• sending the device location to the server;
• downloading and launching an APK or a DEX file using the DexClassLoader class;
• sending the information on the installed software to the server;
• downloading and launching a specified executable file;
• downloading a file from the server;
• uploading a specified file to the server;
• transmitting information on files in the specified directory or a memory card to the server;
• executing a shell command;
• launching the activity specified in a command;
• downloading and installing an Android application;
• displaying a notification specified in a command;
• requesting permission specified in a command;
• sending the list of permissions granted to the trojan to the server;
• not letting the device go into sleep mode for a specified time period.

Last change to this tool card: 29 April 2020

Download this tool card in JSON format

Previous: PhanDoor
Next: PhantomNet

All groups using tool PhantomLance


APT groups

XAPT 32, OceanLotus, SeaLotusVietnam2013-Dec 2020 HOTX

1 group listed (1 APT, 0 other, 0 unknown)

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1234
PGP Download PGP key