
VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0)

VajraSpy is Android malware distributed via trojanized messaging and news applications. It has been used to target individuals in Pakistan and India since at least 2021 and has been delivered through the Google Play Store, malicious domains, and other uncontrolled distribution channels. VajraSpy is attributed with high confidence to Patchwork, which has used the malware to conduct targeted espionage, primarily against devices in Pakistan. (Citation: ESET_VajraSpy_Feb2024)(Citation: ArcticWolf_DroppingElephant_July2025)(Citation: K7Dhanalakshmi_VajraSpy_April2022)

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) | Malware | Masquerading - T1655 (f856eaab-e84a-4265-a8a2-7bf37e5dc2fc) | Attack Pattern | 1 |
| Contact List - T1636.003 (e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86) | Attack Pattern | VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) | Malware | 1 |
| VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) | Malware | Exfiltration Over Unencrypted Non-C2 Protocol - T1639.001 (37047267-3e56-453c-833e-d92b68118120) | Attack Pattern | 1 |
| VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) | Malware | System Information Discovery - T1426 (e2ea7f6b-8d4f-49c3-819d-660530d12b77) | Attack Pattern | 1 |
| Data from Local System - T1533 (e1c912a9-e305-434b-9172-8a6ce3ec9c4a) | Attack Pattern | VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) | Malware | 1 |
| VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) | Malware | SMS Messages - T1636.004 (c6421411-ae61-42bb-9098-73fddb315002) | Attack Pattern | 1 |
| Lockscreen Bypass - T1461 (dfe29258-ce59-421c-9dee-e85cb9fa90cd) | Attack Pattern | VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) | Malware | 1 |
| Stored Application Data - T1409 (702055ac-4e54-4ae9-9527-e23a38e0b160) | Attack Pattern | VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) | Malware | 1 |
| Software Discovery - T1418 (198ce408-1470-45ee-b47f-7056050d4fc2) | Attack Pattern | VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) | Malware | 1 |
| Bidirectional Communication - T1481.002 (939808a7-121d-467a-b028-4441ee8b7cee) | Attack Pattern | VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) | Malware | 1 |
| VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) | Malware | File and Directory Discovery - T1420 (cf28ca46-1fd3-46b4-b1f6-ec0b72361848) | Attack Pattern | 1 |
| VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) | Malware | Call Log - T1636.002 (1d1b1558-c833-482e-aabb-d07ef6eae63d) | Attack Pattern | 1 |
| VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) | Malware | Access Notifications - T1517 (39dd7871-f59b-495f-a9a5-3cb8cc50c9b2) | Attack Pattern | 1 |
| Accounts - T1636.005 (337e1136-a6d3-4465-a5c5-fdc658117747) | Attack Pattern | VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) | Malware | 1 |
| VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) | Malware | Phishing - T1660 (defc1257-4db1-4fb3-8ef5-bb77f63146df) | Attack Pattern | 1 |
| VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) | Malware | Call Control - T1616 (351ddf79-2d3a-41b4-9bef-82ea5d3ccd69) | Attack Pattern | 1 |
| VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) | Malware | Abuse Accessibility Features - T1453 (2204c371-6100-4ae0-82f3-25c07c29772a) | Attack Pattern | 1 |
| VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) | Malware | Keylogging - T1417.001 (b1c95426-2550-4621-8028-ceebf28b3a47) | Attack Pattern | 1 |
| VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) | Malware | Video Capture - T1512 (d8940e76-f9c1-4912-bea6-e21c251370b6) | Attack Pattern | 1 |
| VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) | Malware | Wi-Fi Discovery - T1422.002 (be63612f-a48f-44f2-a7a6-1763509fcf80) | Attack Pattern | 1 |
| VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) | Malware | Exfiltration Over C2 Channel - T1646 (32063d7f-0a39-440d-a4a3-2694488f96cc) | Attack Pattern | 1 |
| VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) | Malware | Location Tracking - T1430 (99e6295e-741b-4857-b6e5-64989eb039b4) | Attack Pattern | 1 |
| VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) | Malware | Audio Capture - T1429 (6683aa0c-d98a-4f5b-ac57-ca7e9934a760) | Attack Pattern | 1 |
| Contact List - T1636.003 (e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86) | Attack Pattern | Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e) | Attack Pattern | 2 |
| Exfiltration Over Unencrypted Non-C2 Protocol - T1639.001 (37047267-3e56-453c-833e-d92b68118120) | Attack Pattern | Exfiltration Over Alternative Protocol - T1639 (3e091a89-a493-4a6c-8e88-d57be19bb98d) | Attack Pattern | 2 |
| Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e) | Attack Pattern | SMS Messages - T1636.004 (c6421411-ae61-42bb-9098-73fddb315002) | Attack Pattern | 2 |
| Bidirectional Communication - T1481.002 (939808a7-121d-467a-b028-4441ee8b7cee) | Attack Pattern | Web Service - T1481 (c6a146ae-9c63-4606-97ff-e261e76e8380) | Attack Pattern | 2 |
| Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e) | Attack Pattern | Call Log - T1636.002 (1d1b1558-c833-482e-aabb-d07ef6eae63d) | Attack Pattern | 2 |
| Accounts - T1636.005 (337e1136-a6d3-4465-a5c5-fdc658117747) | Attack Pattern | Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e) | Attack Pattern | 2 |
| Input Capture - T1417 (a8c31121-852b-46bd-9ba4-674ae5afe7ad) | Attack Pattern | Keylogging - T1417.001 (b1c95426-2550-4621-8028-ceebf28b3a47) | Attack Pattern | 2 |
| Wi-Fi Discovery - T1422.002 (be63612f-a48f-44f2-a7a6-1763509fcf80) | Attack Pattern | System Network Configuration Discovery - T1422 (d4536441-1bcc-49fa-80ae-a596ed3f7ffd) | Attack Pattern | 2 |