Berlin
Berlin is a Telegram-linked threat actor/persona associated with Android reverse engineering and Indian fintech fraud, identified in the content as using the handle @Syntext_Erorr and the alias Berlin, with @Berlin_Market also referenced. The actor is attributed with development and/or operation of the malicious LSPosed module "Digital Lutera," which targets SIM-binding workflows in India’s UPI/mobile payment ecosystem. The tooling uses OS-level runtime manipulation rather than modified payment APKs, including hooks on SmsManager and TelephonyManager APIs to intercept registration or 2FA tokens, spoof phone-number identity, suppress real SMS transmission, and insert forged SMS records into the device’s sent SMS database. The module also uses Telegram for exfiltration and Socket.IO-based command-and-control, including a reported connection to https://noob-production.up.railway.app. The content states Berlin advertised "UPI bypass" and "cashout" services and referenced PIN reset capability in Telegram communications. Reported targeting includes Indian payment and banking applications, including Axis Mobile, and attempts to bypass the Protectt.ai anti-fraud SDK. The activity is described as dependent on previously compromised victim devices infected via trojanized APK lures such as fake "Vahan Chalan" and "Wedding Invitation" apps that can read, forward, and delete SMS. The report assesses with high confidence that the actor is of Indian origin based on language use and operational focus on India’s mobile payment ecosystem.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Banks
Where they target
Geographies tied to known operations.
- 🇮🇳 India
Where they're from
Attributed origin per open-source reporting.
- IN
Tradecraft
10 distinct techniques observed across reporting, grouped by MITRE ATT&CK tactic.
Associated malware families
1 malware family attributed to this actor across reporting.
Observables
2 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
2 sources tracked across advisories, community write-ups, and news.
Developer and service provider for Android-based fintech fraud focused on bypassing mobile payment SIM-binding, enabling account takeover, PIN reset, and cashout operations against Indian banking/payment users using the Digital Lutera LSPosed module and Telegram-based coordination.
Android/fintech fraud actor developing and operating an LSPosed module (“Digital Lutera”) to bypass UPI SIM-binding by hooking Android telephony/SMS APIs, exfiltrating OTP/registration tokens to Telegram, and using Socket.IO C2 to inject forged SMS records—enabling account takeover, UPI PIN reset, and cashout/fraud-as-a-service against Indian banking/payment apps.