<
https://resident.ngo/lab/writeups/residentbat-android-kgb-spyware-in-belarus-2025/>
"RESIDENT.NGO has helped uncover a malware attack targeted at a Belarus-based
journalist by the Belarusian secret service (KGB). This document serves as a
short synopsis of the case, offering safety recommendations and indicators of
compromise (IoCs). Please read the full technical analysis by our partners,
Reporters Without Borders (RSF):
https://rsf.org/sites/default/files/medias/file/2025/12/report1.pdf
The Incident
In Q3 2025, a Belarus-based journalist was invited for a “conversation” at a
local KGB office. Upon entering, his phone was collected and placed in a
locker. At one point during the interrogation, a KGB officer asked the
journalist to retrieve and unlock the phone. The journalist then locked the
screen again and returned the device to the locker.
After the visit, the journalist’s phone displayed a warning, suggesting that
the phone was running an unwanted application. The journalist removed that
application and approached RESIDENT.NGO for assistance. RESIDENT.NGO identified
another malicious application installed and still present on the phone and
sought help from the Digital Security Lab at Reporters Without Borders, who
continued the investigation.The investigation concluded that two malicious
applications were installed on the journalist’s phone during the visit. While
one had been removed, the other – disguised as
Adobe Reader – was a
sophisticated piece of Android spyware named
ResidentBat by the researchers."
Via Violet Blue’s
Threat Model - Cybersecurity: December 23, 2025
https://www.patreon.com/posts/cybersecurity-23-146483756
Cheers,
*** Xanni ***
--
mailto:xanni@xanadu.net Andrew Pam
http://xanadu.com.au/ Chief Scientist, Xanadu
https://glasswings.com.au/ Partner, Glass Wings
https://sericyb.com.au/ Manager, Serious Cybernetics
