
VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0)

VajraSpy is Android malware distributed via trojanized messaging and news applications. It has been used to target individuals in Pakistan and India since at least 2021 and has been delivered through the Google Play Store, malicious domains, and other uncontrolled distribution channels. VajraSpy is attributed with high confidence to Patchwork, which has used the malware to conduct targeted espionage, primarily against devices in Pakistan. (Citation: ESET_VajraSpy_Feb2024)(Citation: ArcticWolf_DroppingElephant_July2025)(Citation: K7Dhanalakshmi_VajraSpy_April2022)

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) | Malware | Bidirectional Communication - T1481.002 (939808a7-121d-467a-b028-4441ee8b7cee) | Attack Pattern | 1 |
| VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) | Malware | File and Directory Discovery - T1420 (cf28ca46-1fd3-46b4-b1f6-ec0b72361848) | Attack Pattern | 1 |
| VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) | Malware | Call Log - T1636.002 (1d1b1558-c833-482e-aabb-d07ef6eae63d) | Attack Pattern | 1 |
| VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) | Malware | Access Notifications - T1517 (39dd7871-f59b-495f-a9a5-3cb8cc50c9b2) | Attack Pattern | 1 |
| VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) | Malware | Accounts - T1636.005 (337e1136-a6d3-4465-a5c5-fdc658117747) | Attack Pattern | 1 |
| VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) | Malware | Phishing - T1660 (defc1257-4db1-4fb3-8ef5-bb77f63146df) | Attack Pattern | 1 |
| VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) | Malware | Abuse Accessibility Features - T1453 (2204c371-6100-4ae0-82f3-25c07c29772a) | Attack Pattern | 1 |
| VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) | Malware | Call Control - T1616 (351ddf79-2d3a-41b4-9bef-82ea5d3ccd69) | Attack Pattern | 1 |
| VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) | Malware | Keylogging - T1417.001 (b1c95426-2550-4621-8028-ceebf28b3a47) | Attack Pattern | 1 |
| VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) | Malware | Video Capture - T1512 (d8940e76-f9c1-4912-bea6-e21c251370b6) | Attack Pattern | 1 |
| VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) | Malware | Wi-Fi Discovery - T1422.002 (be63612f-a48f-44f2-a7a6-1763509fcf80) | Attack Pattern | 1 |
| VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) | Malware | Exfiltration Over C2 Channel - T1646 (32063d7f-0a39-440d-a4a3-2694488f96cc) | Attack Pattern | 1 |
| VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) | Malware | Location Tracking - T1430 (99e6295e-741b-4857-b6e5-64989eb039b4) | Attack Pattern | 1 |
| VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) | Malware | Audio Capture - T1429 (6683aa0c-d98a-4f5b-ac57-ca7e9934a760) | Attack Pattern | 1 |
| VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) | Malware | Masquerading - T1655 (f856eaab-e84a-4265-a8a2-7bf37e5dc2fc) | Attack Pattern | 1 |
| VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) | Malware | Contact List - T1636.003 (e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86) | Attack Pattern | 1 |
| VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) | Malware | System Information Discovery - T1426 (e2ea7f6b-8d4f-49c3-819d-660530d12b77) | Attack Pattern | 1 |
| VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) | Malware | Exfiltration Over Unencrypted Non-C2 Protocol - T1639.001 (37047267-3e56-453c-833e-d92b68118120) | Attack Pattern | 1 |
| VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) | Malware | Data from Local System - T1533 (e1c912a9-e305-434b-9172-8a6ce3ec9c4a) | Attack Pattern | 1 |
| VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) | Malware | SMS Messages - T1636.004 (c6421411-ae61-42bb-9098-73fddb315002) | Attack Pattern | 1 |
| VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) | Malware | Lockscreen Bypass - T1461 (dfe29258-ce59-421c-9dee-e85cb9fa90cd) | Attack Pattern | 1 |
| VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) | Malware | Stored Application Data - T1409 (702055ac-4e54-4ae9-9527-e23a38e0b160) | Attack Pattern | 1 |
| VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) | Malware | Software Discovery - T1418 (198ce408-1470-45ee-b47f-7056050d4fc2) | Attack Pattern | 1 |
| Web Service - T1481 (c6a146ae-9c63-4606-97ff-e261e76e8380) | Attack Pattern | Bidirectional Communication - T1481.002 (939808a7-121d-467a-b028-4441ee8b7cee) | Attack Pattern | 2 |
| Call Log - T1636.002 (1d1b1558-c833-482e-aabb-d07ef6eae63d) | Attack Pattern | Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e) | Attack Pattern | 2 |
| Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e) | Attack Pattern | Accounts - T1636.005 (337e1136-a6d3-4465-a5c5-fdc658117747) | Attack Pattern | 2 |
| Input Capture - T1417 (a8c31121-852b-46bd-9ba4-674ae5afe7ad) | Attack Pattern | Keylogging - T1417.001 (b1c95426-2550-4621-8028-ceebf28b3a47) | Attack Pattern | 2 |
| Wi-Fi Discovery - T1422.002 (be63612f-a48f-44f2-a7a6-1763509fcf80) | Attack Pattern | System Network Configuration Discovery - T1422 (d4536441-1bcc-49fa-80ae-a596ed3f7ffd) | Attack Pattern | 2 |
| Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e) | Attack Pattern | Contact List - T1636.003 (e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86) | Attack Pattern | 2 |
| Exfiltration Over Unencrypted Non-C2 Protocol - T1639.001 (37047267-3e56-453c-833e-d92b68118120) | Attack Pattern | Exfiltration Over Alternative Protocol - T1639 (3e091a89-a493-4a6c-8e88-d57be19bb98d) | Attack Pattern | 2 |
| SMS Messages - T1636.004 (c6421411-ae61-42bb-9098-73fddb315002) | Attack Pattern | Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e) | Attack Pattern | 2 |