TrickyWonders
TrickyWonders is a financially motivated cybercriminal threat actor associated with Android banking trojan and SMS-stealer activity targeting users in Uzbekistan, particularly Telegram users. Group-IB identified it as one of the three main threat actors targeting Uzbekistan, alongside Ajina and Blazefang. The group is behind the Wonderland SMS stealer, formerly known as WretchedCat, and is also attributed with the dropper malware families MidnightDat and RoundRift.

The group operates a hierarchical, profit-driven affiliate model. Owners and core developers maintain the malware codebase and command-and-control infrastructure, while affiliates or "workers" distribute malicious APKs in exchange for a share of the stolen funds. Telegram is the primary coordination platform, and malicious APKs are generated and distributed through this ecosystem.

TrickyWonders distributes malware through Telegram, social engineering, fake websites, fake Google Play pages, Facebook ads, dating apps, and sideloaded Android APKs masquerading as legitimate applications. The group abuses stolen Telegram sessions to message victims and propagate malware through victims' contact lists. Lures are tailored to local language, culture, and themes such as financial aid programs and local events.

Wonderland is used to exfiltrate SMS messages (including banking one-time passwords), hijack Telegram accounts by intercepting authentication codes, retrieve phone numbers, exfiltrate contact lists, hide push notifications, send SMS for lateral movement, and enable unauthorized financial transactions. Group-IB reported that the malware can repeatedly withdraw funds from victims' cards until access to the device is lost. Wonderland supports bidirectional command-and-control for real-time attacker control, including remote USSD requests and SMS theft.

TrickyWonders uses heavily obfuscated droppers and anti-analysis techniques to conceal payloads and evade detection. The group shifted from directly distributing stealers to using droppers that appear benign while embedding the stealer deeper inside, allowing samples to pass many standard security checks. The operation also rotates infrastructure domains and malicious package names frequently to complicate monitoring and blacklisting. Group-IB described this as a significant increase in operational maturity.

Associated malware families and related activity include Wonderland/WretchedCat, MidnightDat, RoundRift, and Qwizzserial. TrickyWonders was first discovered in November 2023.
Associated malware families
5 malware families attributed to this actor across reporting.
Recent activity
4 sources tracked across advisories, community write-ups, and news.
TrickyWonders is a threat actor group targeting Uzbekistan with Android banking trojans for financial theft.
TrickyWonders is orchestrating a large-scale, financially motivated Android malware campaign targeting users in Uzbekistan and Central Asia. They use an affiliate model to distribute advanced SMS stealer malware (Wonderland), focusing on banking fraud, SMS-based authentication bypass, and resale of compromised Telegram sessions.
TrickyWonders is conducting financially motivated mobile malware campaigns targeting users in Uzbekistan, using sophisticated Android droppers to deliver the Wonderland SMS stealer and steal funds from victims' bank cards.
Part of a set of threat groups targeting Telegram users in Uzbekistan with Android SMS-stealer campaigns delivered via sideloaded APKs and Telegram-based propagation to steal credentials and money.