Over 600 Domains Distributing the Android Trojan DeliveryRAT Blocked
Specialists from F6 and RuStore report that they have discovered and blocked 604 domains tied to infrastructure used by hackers to spread the DeliveryRAT Trojan. The malware was disguised as popular food delivery apps, online marketplaces, banking services, and package tracking applications.

Origins of DeliveryRAT
In the summer of 2024, F6 analysts identified a new Android Trojan, later named DeliveryRAT. Its primary purpose was to:
- Steal confidential data to apply for loans from microfinance organizations
- Extract money through online banking platforms
Soon after, researchers found a Telegram bot called “Bonvi Team”, which distributed DeliveryRAT under a Malware-as-a-Service (MaaS) model. Attackers could obtain a sample of the Trojan for free, but were responsible for delivering it to victims’ devices themselves.

The bot’s operators offered two delivery options:
- Download a pre-built APK
- Receive a link to a fake website, presumably generated uniquely for each “worker”
Methods of Infection
Attackers used several well-crafted social engineering tactics to lure victims:
- Fake Marketplace Listings
Criminals posted ads for discounted goods in online marketplaces or fake shops. Pretending to be sellers or managers, they contacted victims through Telegram or WhatsApp, collecting personal details such as full name, delivery address, and phone number. Victims were then asked to download a malicious “order tracking” app.
- Fake Job Postings
Scammers created ads for remote jobs with attractive conditions and high pay. After moving communication to messengers, they collected sensitive data such as SNILS (Russian insurance number), bank card details, phone numbers, and dates of birth. Victims were then persuaded to install a malicious “work-related” application.
- Promotional Campaigns
Attackers also spread posts on Telegram offering apps with “discounts and promo codes,” which in reality contained the DeliveryRAT Trojan.
According to Evgeny Egorov, Lead Analyst at F6’s Digital Risk Protection department:
“In order to attack a victim, the attackers used various cunning scenarios: they created fake buy/sell ads or fake job listings for high-paying remote work. Then, they moved the dialogue with the victim to messengers and persuaded them to install a malicious application.”
Scale of the Fraud
Researchers highlighted that the scheme spread rapidly because generating phishing links through Telegram bots requires no special technical knowledge, and much of the process is highly automated.
At least three groups have been identified as actively luring victims to these malicious resources. In total, 604 domains linked to the campaign have now been blocked. Many of the domains were registered with similar keyword combinations such as “store,” “id,” “download,” and “app.”
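As an added, defender-side illustration (not code from F6, RuStore, or this article): a small Python triage script that scores candidate domain names, such as those arriving from a passive-DNS or certificate-transparency feed, by how much of the registrable label is assembled from the keyword combinations named above. The brand names in WATCHED_BRANDS and the SAMPLE_DOMAINS list are constructed placeholders, not indicators from the campaign.

```python
import re

# Keywords the article reports as recurring in the campaign's domain names.
LURE_KEYWORDS = ("download", "store", "app", "id")

# Constructed placeholder brand names a defender might watch for (not from the article).
WATCHED_BRANDS = ("fastfood", "parcelgo")

# Longest-first vocabulary so the greedy scan prefers "download" over "id"-style fragments.
VOCAB = sorted(LURE_KEYWORDS + WATCHED_BRANDS, key=len, reverse=True)

# Constructed sample feed; none of these are real indicators.
SAMPLE_DOMAINS = [
    "store-id-download.example",
    "fastfood-app.example",
    "android-guide.example",
    "idstore.example",
    "bakery-shop.example",
    "videoapp.example",
]


def registrable_label(domain: str) -> str:
    """Return the lowercased second-level label; assumes ordinary single-label TLDs."""
    parts = domain.strip().lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def segment(letters: str):
    """Greedy longest-match scan over the label's letters.

    Returns the vocabulary words found and how many characters they cover,
    so 'storeid' counts as store + id even without a separator.
    """
    words, covered, i = [], 0, 0
    while i < len(letters):
        for word in VOCAB:
            if letters.startswith(word, i):
                words.append(word)
                covered += len(word)
                i += len(word)
                break
        else:
            i += 1  # no vocabulary word starts here; skip one character
    return words, covered


def score_domain(domain: str) -> dict:
    """Score one domain: one point per distinct lure keyword, two per watched brand."""
    label = registrable_label(domain)
    letters = re.sub(r"[^a-z]", "", label)  # drop hyphens and digits before scanning
    words, covered = segment(letters)
    keywords = sorted({w for w in words if w in LURE_KEYWORDS})
    brands = sorted({w for w in words if w in WATCHED_BRANDS})
    coverage = covered / len(letters) if letters else 0.0
    return {
        "domain": domain,
        "label": label,
        "keywords": keywords,
        "brands": brands,
        "coverage": coverage,
        "score": len(keywords) + 2 * len(brands),
    }


def triage(domains, min_score: int = 2, min_coverage: float = 0.6):
    """Return scored records that pass both thresholds, highest score first."""
    records = [score_domain(d) for d in domains]
    flagged = [r for r in records if r["score"] >= min_score and r["coverage"] >= min_coverage]
    return sorted(flagged, key=lambda r: (-r["score"], r["domain"]))


def flagged_domains(domains=SAMPLE_DOMAINS):
    """Convenience wrapper returning only the flagged domain names."""
    return [r["domain"] for r in triage(domains)]


if __name__ == "__main__":
    for rec in triage(SAMPLE_DOMAINS):
        print(f'{rec["domain"]:28} score={rec["score"]} coverage={rec["coverage"]:.2f} '
              f'keywords={rec["keywords"]} brands={rec["brands"]}')
```

The coverage threshold keeps incidental substrings ("id" inside "android") from firing on their own, but the constructed "videoapp.example" still scores 2 with coverage above 0.6 and is flagged, which is the kind of false positive that tuning min_coverage or adding an allow-list is meant to handle before anything is blocked.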