ResidentBat: Operational Report & Advisory on KGB spyware in Belarus in 2025

Prepared by: RESIDENT.NGO ThreatLab & Reporters Without Borders (RSF) Digital Security Lab

Detection Date: Q3, 2025

Publication Date: December 16, 2025

RESIDENT.NGO has helped uncover a malware attack targeted at a Belarus-based journalist by the Belarusian secret service (KGB). This document serves as a short synopsis of the case, offering safety recommendations and indicators of compromise (IoCs). Please read the full technical analysis by our partners, Reporters Without Borders (RSF):
https://rsf.org/sites/default/files/medias/file/2025/12/report.pdf

The Incident

In Q3 2025, a Belarus-based journalist was invited for a “conversation” at a local KGB office. Upon entering, his phone was collected and placed in a locker. At one point during the interrogation, a KGB officer asked the journalist to retrieve and unlock the phone. The journalist then locked the screen again and returned the device to the locker.

After the visit, the journalist’s phone displayed a warning, suggesting that the phone was running an unwanted application. The journalist removed that application and approached RESIDENT.NGO for assistance. RESIDENT.NGO identified another malicious application installed and still present on the phone and sought help from the Digital Security Lab at Reporters Without Borders, who continued the investigation. The investigation concluded that two malicious applications were installed on the journalist’s phone during the visit. While one had been removed, the other – disguised as Adobe Reader – was a sophisticated piece of Android spyware named ResidentBat by the researchers.

How the Compromise Occurred

The infection relied on physical access to the device. We hypothesize that the KGB officers observed the device password or PIN as the journalist typed it in their presence during the conversation. Once the officers had the PIN and physical possession of the phone while it was in the locker, they enabled “Developer Mode” and “USB Debugging.” The spyware was then sideloaded onto the device, likely via ADB commands from a Windows PC.

Malware Capabilities & Behavior

ResidentBat is a modular spyware tool designed to turn a victim’s smartphone into a comprehensive surveillance device. It is able to access the following types of data on an infected device: 

  • Apps and messengers through screen monitoring capabilities of the included accessibility service.
    By abusing Accessibility Services, the malware can “read” the screen of the infected device. It is specifically configured to target popular communication apps (including Telegram, Signal, WhatsApp, and Viber), effectively bypassing end-to-end encryption by capturing messages as they are displayed to the user.
  • All SMS
  • Incoming and outgoing calls
  • Internal and external storage
  • Camera
  • Android browser bookmarks
  • Clipboard
  • Internal microphone
  • Can wipe (factory reset) the device and remove itself when the command is received

The collected data may be sent either immediately or at night when the phone is charging and connected to Wi-Fi; this depends on how exactly this instance of the program is configured.

Practical Recommendations

If you are facing an interrogation or need to visit a high-risk location such as a police station or secret service office:

  • Do not bring your primary device: If possible, leave your main device in a secure location. Use a secondary phone with minimal data when entering high-risk situations.
  • Use supported devices with latest security: Ensure your phone is still receiving official security updates. Outdated phones have known vulnerabilities that make them significantly easier for authorities to unlock or compromise using forensic tools. It is also critical to keep your operating system and applications fully updated, because these updates patch specific flaws that forensic software relies on to bypass device security.
  • Assume Compromise: If your phone was taken out of your sight for at least several minutes, assume it is infected. Do not use it for sensitive communication until it is forensically analyzed or factory reset.

Manual Self-Checks for Android Users

Disclaimer: The following checks can help identify if a device has been tampered with. However, finding no issues here does not guarantee that the device is clean. Sophisticated spyware can hide its traces or revert settings after installation. If you have strong reasons to believe your device was compromised (e.g., it was seized by authorities), seek professional forensic assistance.

  • Check “Play Protect”: The attackers often disable Google Play Protect to prevent the malware from being flagged. Go to the Play Store -> Profile Icon -> Play Protect. If it is disabled and you did not do it yourself, this is a red flag.
  • Block installation from unknown sources: Ensure your phone is restricted to installing apps only from the Google Play Store. Go to Settings -> Apps -> Special app access -> Install unknown apps and ensure no app is allowed to do this. If you find this enabled for a browser or file manager you did not configure, it is a strong indicator that someone modified your device.
  • Check Accessibility Services: Go to Settings -> Accessibility. This spyware relies heavily on Accessibility Services, for example to read the phone’s screen and keystrokes. If an unusual app is enabled here, the device may be compromised.
  • Check other critical permissions: the microphone, camera, location, access to all files or specific folders, access to the contacts list and calendar, as well as any apps that can operate as device administrators. If you see anything suspicious here, the device may be compromised.

Attribution

We attribute this campaign with High Confidence to the Belarusian KGB.

  • Context: The infection timeline perfectly aligns with the custodial interrogation of the target by KGB officers.
  • Methodology: The specific vector (physical seizure during interrogation) is consistent with known KGB tactics.

Historical Context

While this specific incident occurred in Q3 2025, forensic analysis indicates that this is not a new operation. By analyzing the digital certificates used to sign the malware and its Command and Control (C2) servers, we identified links to infrastructure active since at least March 2021. This suggests that ResidentBat is part of a sustained, long-term surveillance campaign deployed by Belarusian actors for several years.

MITRE ATT&CK for Mobile Classification

The following matrix maps the capabilities of ResidentBat to the MITRE ATT&CK framework:

ID     | Tactic            | Description
T1458  | Initial Access    | Physical Access: The adversary obtained the device physically to install the malware.
T1626  | Defense Evasion   | Masquerading: The malware uses the name of a legitimate app (Adobe Reader) to hide itself.
T1516  | Credential Access | Input Capture: Uses Accessibility Services to log keystrokes and capture screen content.
T1430  | Collection        | Location Tracking: Tracks the device’s physical location.
T1429  | Collection        | Audio Capture: Records audio via the microphone.
T1432  | Collection        | Access Data from Common Applications: Targets specific messengers (Telegram, Signal, WhatsApp) via screen scraping.

Indicators of Compromise (IoCs)

File Hashes (SHA-256)

The following APK hashes have been identified with medium to high confidence as versions of ResidentBat:

  • 02dc81ea172e45f0a6fd7241fffd1042f6925c52d2f91dee36085634207be4f1
  • 07d39205f9ba159236477a02cdb3350fac4f158e0dbf26576bb50604339b1f42
  • 0ed73428c7729806be57989f340a09a323af914f197cc0cbb5509316ca5baf7b
  • 48e87bfcaa665bfbfcb027227384905878f090bbc19d02f74c41ade3cafb0950
  • 77126e749a9c1144ae3cebb8deb0b72fc90d4eb73d1072a69a1248b4f518bb47
  • 820c394b22b950335eb5cf21bc7df5c7a33081169f41440c74d67e7a8f196960
  • c3b92d05b105465881c0f68f5cf6c3edb24d2e5317ffd1256cb68c7921fe0721
  • fe05ba40f2d4b15db83524c169d030d097abc6713139ce6068969d97a24aa195

Command and Control (C2) Infrastructure

This version of the malware used the following domains for Command and Control:

  • msim[.]info
  • mtcat[.]info

Additionally, the following IP addresses have been identified with medium to high confidence as C2 infrastructure associated with ResidentBat:

IP Addresses:

  • 121.37.196.157
  • 62.109.11.98
  • 38.180.100.160
  • 5.129.213.114
  • 5.253.63.176
  • 5.253.61.156
  • 62.109.26.144
  • 47.106.191.231
  • 91.240.87.211
  • 83.220.169.120
  • 124.71.223.135
  • 114.55.148.87
  • 37.46.128.62
  • 62.109.19.123
  • 62.109.12.75
  • 79.132.136.191
  • 79.132.141.31
  • 5.129.231.158
  • 91.192.102.69
  • 37.46.133.87
  • 159.138.2.127
  • 83.147.244.189
  • 49.87.133.33
  • 91.228.152.4
  • 83.220.172.164
  • 42.62.11.37
  • 185.18.54.246
  • 5.129.230.104
  • 185.248.103.85
  • 82.157.146.82
  • 185.248.103.247
  • 176.10.124.158
  • 185.248.100.180
  • 185.248.103.128
  • 188.120.230.46
  • 123.60.136.114
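To put the indicators above to use, here is an added example written for this advisory (not tooling from RESIDENT.NGO or RSF) that hashes APK files against the SHA-256 list, refangs the defanged domains, and scans any text you hand it (DNS resolver logs, proxy logs, `dumpsys` output) for the listed C2 domains, their subdomains, and IP addresses. The hash, domain and IP lists are copied from this advisory; the log line in the self-test is constructed.

```python
"""IoC matching for the ResidentBat indicators in this advisory.

Added example (not RESIDENT.NGO/RSF code). Indicator lists are copied from the
advisory above; everything else, including the sample log line, is constructed.
"""
import hashlib
import re
import sys

RESIDENTBAT_SHA256 = {
    "02dc81ea172e45f0a6fd7241fffd1042f6925c52d2f91dee36085634207be4f1",
    "07d39205f9ba159236477a02cdb3350fac4f158e0dbf26576bb50604339b1f42",
    "0ed73428c7729806be57989f340a09a323af914f197cc0cbb5509316ca5baf7b",
    "48e87bfcaa665bfbfcb027227384905878f090bbc19d02f74c41ade3cafb0950",
    "77126e749a9c1144ae3cebb8deb0b72fc90d4eb73d1072a69a1248b4f518bb47",
    "820c394b22b950335eb5cf21bc7df5c7a33081169f41440c74d67e7a8f196960",
    "c3b92d05b105465881c0f68f5cf6c3edb24d2e5317ffd1256cb68c7921fe0721",
    "fe05ba40f2d4b15db83524c169d030d097abc6713139ce6068969d97a24aa195",
}

# Kept defanged exactly as published; refang() turns them into matchable hostnames.
RESIDENTBAT_DOMAINS_DEFANGED = ["msim[.]info", "mtcat[.]info"]

RESIDENTBAT_IPS = set("""
121.37.196.157 62.109.11.98 38.180.100.160 5.129.213.114 5.253.63.176 5.253.61.156
62.109.26.144 47.106.191.231 91.240.87.211 83.220.169.120 124.71.223.135 114.55.148.87
37.46.128.62 62.109.19.123 62.109.12.75 79.132.136.191 79.132.141.31 5.129.231.158
91.192.102.69 37.46.133.87 159.138.2.127 83.147.244.189 49.87.133.33 91.228.152.4
83.220.172.164 42.62.11.37 185.18.54.246 5.129.230.104 185.248.103.85 82.157.146.82
185.248.103.247 176.10.124.158 185.248.100.180 185.248.103.128 188.120.230.46 123.60.136.114
""".split())


def refang(text: str) -> str:
    """Undo the common '[.]' / 'hxxp' defanging so indicators and logs compare equal."""
    return text.replace("[.]", ".").replace("hxxp", "http")


RESIDENTBAT_DOMAINS = {refang(d) for d in RESIDENTBAT_DOMAINS_DEFANGED}


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str) -> str:
    """Stream the file so large APKs do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def is_known_sample(hex_digest: str) -> bool:
    return hex_digest.lower() in RESIDENTBAT_SHA256


def domain_matches(host: str) -> bool:
    """True for a listed C2 domain or any subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in RESIDENTBAT_DOMAINS)


_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_HOST = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def scan_text(text: str) -> list[tuple[str, str]]:
    """Return ('ip'|'domain', value) for every listed C2 indicator found in the
    text, each value reported once, IPs first. Defanged logs are handled too."""
    text = refang(text)
    hits: list[tuple[str, str]] = []
    for ip in _IPV4.findall(text):
        if ip in RESIDENTBAT_IPS and ("ip", ip) not in hits:
            hits.append(("ip", ip))
    for host in _HOST.findall(text):
        host = host.lower()
        if domain_matches(host) and ("domain", host) not in hits:
            hits.append(("domain", host))
    return hits


if __name__ == "__main__":
    # Usage: python ioc_check.py app.apk resolver.log ...
    for path in sys.argv[1:]:
        if path.lower().endswith(".apk"):
            digest = sha256_file(path)
            print(f"{'MATCH' if is_known_sample(digest) else 'clean'} {digest} {path}")
        else:
            with open(path, encoding="utf-8", errors="replace") as handle:
                for kind, value in scan_text(handle.read()):
                    print(f"MATCH {kind} {value} in {path}")
```

A hash match against an APK pulled from the device (`adb shell pm path <pkg>` followed by `adb pull`) is conclusive for the listed versions; the list is not exhaustive, so a clean result does not clear the device. An IP match warrants review rather than a conclusion, since some of these addresses may sit on shared hosting and have been observed with medium rather than high confidence.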