Malware (used by 2 actors)

HenBox

HenBox is an Android malware family first publicly described by Unit 42 in early 2018, with more than 400 related samples tracked, dating back to late 2015. It often masquerades as legitimate Android applications and has been reported targeting Uyghurs and Xiaomi devices running MIUI. Documented capabilities include intercepting SMS messages; stealing data from chat, communication, and social media applications; collecting device information and checking whether the device is a Xiaomi handset running MIUI; accessing the device contact list; accessing the device camera; and collecting outgoing phone numbers that start with the +86 country code. An older variant was reportedly downloaded from uyghurapps[.]net while masquerading as DroidVPN. HenBox has also been associated with PKPLUG-related cyber espionage activity, which Unit 42 linked with high confidence to actors sharing origins similar to Chinese nation-state adversaries. Overlapping infrastructure tied to related activity includes cdncool[.]com.


Threat actors

Groups observed using it

2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

PKPLUG

In early 2018, Unit 42 discovered a new Android malware family that we named “HenBox” and is tracking over 400 related samples dating back as far as late 2015, and continuing to present day.

via Palo Alto Networks Unit 42 blog (unit42.paloaltonetworks.com)
Ke3chang

HenBox, which targets Xiaomi devices running MIUI

via PT Security global (global.ptsecurity.com)
MITRE ATT&CK

Techniques & procedures

7 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development

1 technique
T1587.001 Malware (evidence: 1)

APT15 developed its own malware, allowing it to persist within victim networks (T1587.001).

Initial Access

1 technique
T1195 Supply Chain Compromise (evidence: 1)

The Playbook contains several Plays ... HenBox has two Plays -- one for the known attack compromising a third-party app store to deliver the malware

Stealth

1 technique
T1036 Masquerading (evidence: 1)

HenBox often masquerades as legitimate Android apps ... HenBox was masquerading as another app -- DroidVPN

Collection

3 techniques
T1005 Data from Local System (evidence: 2)

AbstractEmu can collect files from or inspect the device’s filesystem. AhRat can find and exfiltrate files with certain extensions, such as .jpg, .mp4, .html, .docx, and .pdf. BOULDSPY can access browser history and bookmarks, and can list all files and folders on the device.

T1123 Audio Capture (evidence: 1)

Once installed, HenBox steals information from a myriad of sources on the device including ... accessing the device microphone

T1125 Video Capture (evidence: 1)

Once installed, HenBox steals information from a myriad of sources on the device including ... accessing the device microphone and cameras.

Command and Control

1 technique
T1071 Application Layer Protocol (evidence: 1)

The C2 infrastructure blogged by Blue Coat Labs ... Domain microsoftwarer[.]com ... logitechwkgame[.]com was documented by Unit 42 ... as the C2 for the 9002 Trojans analyzed.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution (2)

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (7)

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.