DarkNights
DarkNights is malware targeting Android that ESET tracks as DarkNights and Trend Micro refers to as DarkNimbus. ESET reported that infrastructure associated with the China-aligned threat actor TheWizards was configured to serve DarkNights to Android applications during software update hijacking, including an Android Tencent QQ update flow that delivered plugin-audiofirstpiece.ml from 43.155.62[.]54. ESET also listed 103.243.181[.]120 associated with assetsqq[.]com as DarkNights command-and-control infrastructure. The malware is discussed in the context of links between TheWizards and Sichuan Dianke Network Security Technology Co., Ltd. (UPSEC), which ESET assessed may act as a “digital quartermaster” and which was identified as the supplier of DarkNimbus. Trend Micro attributed DarkNimbus to a separate Chinese threat group tracked as Earth Minotaur, while ESET assessed TheWizards and Earth Minotaur as distinct operators based on differences in tooling, infrastructure, and targeting. High-confidence details in the provided content are limited; beyond its Android targeting, delivery via hijacked update infrastructure, and the cited infrastructure and actor associations, specific capabilities, persistence mechanisms, or additional infection behavior are not described in the source material.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Groups observed using it
2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
“Another noteworthy tool… is DarkNights, which is also called DarkNimbus by Trend Micro…”
“Another noteworthy tool… is DarkNights, which is also called DarkNimbus by Trend Micro…”
IOCs tracked for this family
1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
Recent activity
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Android malware associated in reporting with infrastructure overlaps; served as a malicious update for Android Tencent QQ from infrastructure also used by TheWizards.
Malware (also referred to as DarkNimbus) attributed to Earth Minotaur; described as being served to updating Android applications via a hijacking server, with UPSEC (Sichuan Dianke Network Security Technology) identified as supplier.
Android (and also referenced as Windows) malware family delivered via hijacked update instructions; observed as a malicious Android plugin (ZIP containing classes.dex) served to Tencent QQ Android update mechanism from attacker infrastructure.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.