
Threat Group Cards: A Threat Actor Encyclopedia

Tool: DoubleAgent

Type: Reconnaissance, Backdoor, Info stealer, Exfiltration
Description: (Lookout) In 2013 Citizen Lab reported on a compromised version of KakaoTalk, which had been used to target a prominent individual in the Tibetan community. This app was the first publicly exposed sample of a malware family called DoubleAgent. When Lookout initially investigated DoubleAgent in 2015, it was already an advanced Android remote access tool (RAT). Early versions of this family trojanized apps such as Voxer and TalkBox, as well as Amaq News, the official Daesh news application. The extent of this malware family and its connections to other campaigns have not been publicly reported on until now. Lookout researchers have seen DoubleAgent used exclusively against groups with contentious relationships with the Chinese government.

Although Lookout has been tracking this malware family for many years, new samples discovered in the last year indicated that the actors behind DoubleAgent were continuing to evolve the surveillanceware and use new infrastructure. However, they maintained the same targeting, as well as several key malware characteristics, such as similar decryption keys for configuration files.

These recent samples, discovered in late 2019, are the focus of this section on DoubleAgent. A decryption of the configuration files from these samples revealed a direct overlap in C2 infrastructure between the operators of DoubleAgent and SilkBean at a time when both malware families appeared to be active.

Last change to this tool card: 23 April 2021


All groups using tool DoubleAgent


APT groups

Group: Ke3chang, Vixen Panda, APT 15, GREF, Playful Dragon | Country: China | Observed: 2010 - May 2020

1 group listed (1 APT, 0 other, 0 unknown)

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency


Report incidents: Telephone +66 (0)2-123-1234