BladeHawk

BladeHawk is a threat actor name adopted by ESET from prior QiAnXin Threat Intelligence Center reporting for a targeted Android espionage campaign against the Kurdish ethnic group. The activity has been active since at least March 2020 and used dedicated Facebook profiles and pro-Kurd Facebook groups to distribute Android backdoors disguised as legitimate applications. Reported malware used by BladeHawk includes 888 RAT and SpyNote, with both publicly disclosed campaigns distributed via Facebook and all malware samples using the same command-and-control servers. ESET identified six Facebook profiles involved in the campaign; two targeted tech users and four posed as supporters of the Kurds. The operation used at least 28 malicious Facebook posts and 17 unique APKs, with observed downloads from hosted apps totaling at least 1,481 in one measured subset. The group’s tooling provided extensive surveillance capability. 888 RAT could steal and delete files, take screenshots, obtain device location, phish Facebook credentials, list installed apps, steal photos, take pictures, record ambient audio and phone calls, make calls, steal SMS messages, steal contacts, and send text messages. ESET also observed one attempt to steal Snapchat credentials through a phishing website. The malware masqueraded as legitimate Android applications and was promoted through fake app descriptions and download links. The campaign targeted Android users. The content also notes that Android 888 RAT associated with BladeHawk has been referred to as Gaza007 by BladeHawk. BladeHawk is mentioned as one of several groups that have targeted the Kurdish community. No nation-state attribution is directly established in the provided content.