Skip to content

Hide Navigation Hide TOC

CherryBlos - S1225 (3cf81957-489a-469f-b013-362d548a96c1)

CherryBlos is an Android malware that steals credentials and redirects cryptocurrency to adversary-controlled wallets. CherryBlos was labelled Robot 999 in its first appearance in April 2023; since then, various aliases have been used, including GPTalk, Happy Miner, and SynthNet. The threat actors behind CherryBlos uploaded the malware to different Google Play regions, such as Malaysia, Vietnam, Indonesia, Philippines, Uganda, and Mexico.(Citation: TrendMicro_CherryBlos_July2023)

Cluster A Galaxy A Cluster B Galaxy B Level
Software Packing - T1406.002 (51636761-2e35-44bf-9e56-e337adf97174) Attack Pattern CherryBlos - S1225 (3cf81957-489a-469f-b013-362d548a96c1) Malware 1
CherryBlos - S1225 (3cf81957-489a-469f-b013-362d548a96c1) Malware Process Discovery - T1424 (1b51f5bc-b97a-498a-8dbd-bc6b1901bf19) Attack Pattern 1
CherryBlos - S1225 (3cf81957-489a-469f-b013-362d548a96c1) Malware Impair Defenses - T1629 (20b0931a-8952-42ca-975f-775bad295f1a) Attack Pattern 1
CherryBlos - S1225 (3cf81957-489a-469f-b013-362d548a96c1) Malware Exfiltration Over C2 Channel - T1646 (32063d7f-0a39-440d-a4a3-2694488f96cc) Attack Pattern 1
CherryBlos - S1225 (3cf81957-489a-469f-b013-362d548a96c1) Malware Foreground Persistence - T1541 (648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e) Attack Pattern 1
CherryBlos - S1225 (3cf81957-489a-469f-b013-362d548a96c1) Malware Masquerading - T1655 (f856eaab-e84a-4265-a8a2-7bf37e5dc2fc) Attack Pattern 1
CherryBlos - S1225 (3cf81957-489a-469f-b013-362d548a96c1) Malware Ingress Tool Transfer - T1544 (2bb20118-e6c0-41dc-a07c-283ea4dd0fb8) Attack Pattern 1
Phishing - T1660 (defc1257-4db1-4fb3-8ef5-bb77f63146df) Attack Pattern CherryBlos - S1225 (3cf81957-489a-469f-b013-362d548a96c1) Malware 1
CherryBlos - S1225 (3cf81957-489a-469f-b013-362d548a96c1) Malware Abuse Accessibility Features - T1453 (2204c371-6100-4ae0-82f3-25c07c29772a) Attack Pattern 1
CherryBlos - S1225 (3cf81957-489a-469f-b013-362d548a96c1) Malware Input Capture - T1417 (a8c31121-852b-46bd-9ba4-674ae5afe7ad) Attack Pattern 1
CherryBlos - S1225 (3cf81957-489a-469f-b013-362d548a96c1) Malware File and Directory Discovery - T1420 (cf28ca46-1fd3-46b4-b1f6-ec0b72361848) Attack Pattern 1
CherryBlos - S1225 (3cf81957-489a-469f-b013-362d548a96c1) Malware Software Discovery - T1418 (198ce408-1470-45ee-b47f-7056050d4fc2) Attack Pattern 1
CherryBlos - S1225 (3cf81957-489a-469f-b013-362d548a96c1) Malware Web Protocols - T1437.001 (2282a98b-5049-4f61-9381-55baca7c1add) Attack Pattern 1
Software Packing - T1406.002 (51636761-2e35-44bf-9e56-e337adf97174) Attack Pattern Obfuscated Files or Information - T1406 (d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a) Attack Pattern 2
Web Protocols - T1437.001 (2282a98b-5049-4f61-9381-55baca7c1add) Attack Pattern Application Layer Protocol - T1437 (6a3f6490-9c44-40de-b059-e5940f246673) Attack Pattern 2