Mallory threat profile
Malware, used by 2 actors

DocSwap

DocSwap is an Android malware family first documented in 2025. It masquerades as legitimate mobile applications: initially a document-viewing authentication app, later delivery- and security-themed apps such as CJ Logistics lures. Reporting has linked the malware to the North Korean threat actor Kimsuky, while S2W assessed the early sample as likely tied to a North Korea-linked cluster it tracks as puNK-004. Distribution has been observed via QR-code phishing and phishing/smishing infrastructure, including fake logistics sites and mobile-optimized lure pages. One reported package name was com.security.library; later campaign reporting identified a malicious APK named SecDelivery.apk downloaded from 27.102.137[.]181.

Technically, DocSwap ships its real payload encrypted inside the package, decrypts it at runtime and loads it dynamically, so static analysis of the outer APK shows little of the RAT logic. Early reporting described XOR decryption of an embedded file named security.db followed by DEX loading; later reporting described an encrypted embedded APK (security.dat) decrypted by a native library using a multi-step routine. The loaded component communicates with command-and-control infrastructure over a socket connection; one reported C2 was 27.102.137[.]181:50005. Reporting describes socket communication rather than an HTTP-based channel, so network hunting should key on the IP:port pair and the non-standard port rather than on HTTP or TLS indicators. Reporting states the RAT supports up to 57 commands.
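To make the early-variant loader concrete, here is an added triage script. It is not S2W's or Mallory's code and not DocSwap's own decryptor: it recovers a repeating XOR key from an encrypted security.db-style asset by treating the fixed bytes of a DEX header (magic, header_size, endian_tag) as known plaintext, then carves and verifies the DEX. The sample blob, the hypothetical 4-byte key and the key length are constructed for the demo; the real sample's key is not given on this page, and the later security.dat variant's native multi-step routine is not modelled here.

```python
"""Recover a repeating-key XOR key from an encrypted embedded DEX and carve it.

Added triage example, not code from S2W, Mallory or the malware itself.
Known plaintext comes from fixed DEX header fields; the sample blob, the
4-byte key and the key length are constructed for the demo.
"""
from itertools import cycle

DEX_MAGIC = b"dex\n035\x00"  # 8-byte magic at offset 0 of a DEX file

# Fixed header bytes usable as known plaintext (offsets per the DEX format):
# magic @0, header_size = 0x70 @36, endian_tag = 0x12345678 @40 (little-endian).
KNOWN_PLAINTEXT = {}
for off, b in enumerate(DEX_MAGIC):
    KNOWN_PLAINTEXT[off] = b
for off, b in enumerate((0x70).to_bytes(4, "little")):
    KNOWN_PLAINTEXT[36 + off] = b
for off, b in enumerate((0x12345678).to_bytes(4, "little")):
    KNOWN_PLAINTEXT[40 + off] = b


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; symmetric, so it both encrypts and decrypts."""
    return bytes(d ^ k for d, k in zip(data, cycle(key)))


def recover_xor_key(blob: bytes, max_key_len: int = 16):
    """Known-plaintext recovery of a repeating XOR key.

    For a candidate length L, key[off % L] = blob[off] ^ plaintext[off].
    L is accepted only if every key slot is determined and no two known
    offsets disagree. Returns the shortest consistent key, or None when the
    blob is too short, is not XOR-encrypted DEX, or the key is longer than
    the known plaintext can pin down (more known bytes would be needed).
    A plain, unencrypted DEX yields the one-byte key b"\\x00".
    """
    if len(blob) < 44:
        return None
    for klen in range(1, max_key_len + 1):
        key = [None] * klen
        consistent = True
        for off, pt in KNOWN_PLAINTEXT.items():
            kb = blob[off] ^ pt
            slot = off % klen
            if key[slot] is None:
                key[slot] = kb
            elif key[slot] != kb:
                consistent = False
                break
        if consistent and None not in key:
            return bytes(key)
    return None


def carve_dex(blob: bytes):
    """Return (key, decrypted DEX); (key, None) or (None, None) on failure."""
    key = recover_xor_key(blob)
    if key is None:
        return None, None
    dex = xor_bytes(blob, key)
    return key, (dex if dex.startswith(DEX_MAGIC) else None)


def build_fake_dex(body_len: int = 64) -> bytes:
    """Constructed stand-in for a real DEX: a valid 0x70-byte header plus filler."""
    header = bytearray(0x70)
    header[0:8] = DEX_MAGIC
    header[32:36] = (0x70 + body_len).to_bytes(4, "little")  # file_size
    header[36:40] = (0x70).to_bytes(4, "little")             # header_size
    header[40:44] = (0x12345678).to_bytes(4, "little")       # endian_tag
    return bytes(header) + bytes(i & 0xFF for i in range(body_len))


HYPOTHETICAL_KEY = b"\x5a\xc3\x07\x9e"          # assumption: not the real key
CONSTRUCTED_SECURITY_DB = xor_bytes(build_fake_dex(), HYPOTHETICAL_KEY)

if __name__ == "__main__":
    key, dex = carve_dex(CONSTRUCTED_SECURITY_DB)
    print("key:", key.hex() if key else None, "dex recovered:", dex is not None)
```

On a real sample, extract the asset from the APK with unzip, pass its bytes to carve_dex, and feed the result to a DEX disassembler; if recover_xor_key returns None the asset is either not XOR-encrypted DEX or the key is longer than eight bytes, in which case add more known plaintext (for example a string you expect at a known offset) to KNOWN_PLAINTEXT.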

Observed capabilities include keylogging via Android Accessibility Services; SMS theft including sender/receiver, message body, and timestamp; collection of messages, calls, files, contacts, call logs, and device/network information; camera and microphone recording; screenshot and audio/video capture; file upload/download and deletion; remote command execution; and location tracking. Mentioned permissions include READ_SMS, RECEIVE_SMS, WRITE_EXTERNAL_STORAGE, LOCAL_MAC_ADDRESS, and READ_PRIVILEGED_PHONE_STATE, with broader reporting also noting requests for storage, phone, and location access. Note that LOCAL_MAC_ADDRESS and READ_PRIVILEGED_PHONE_STATE are signature/privileged permissions that Android will not grant to a sideloaded third-party app; their presence in the manifest is a useful static triage indicator rather than evidence of the access actually being obtained.

The malware appears primarily aimed at South Korean mobile users, based on Korean-language strings, Korean-themed lures, and impersonation of South Korean brands such as CJ Logistics, Naver, and Kakao. Infrastructure observations included CoinSwap-themed phishing content hosted on a C2 address, which contributed to the DocSwap name, and later Naver-themed elements plus the string "Million OK !!!!", noted as resembling prior Kimsuky phishing infrastructure. Reported hashes for an early sample are MD5 3ccfe58b8e0b5ca96cac4e9394567515 and SHA256 bf134495142d704f9009a7d325fb9546db407971ade224e3718a84254e9ff03e.
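As an added hunting example (not part of this page and not a vendor-published rule), the script below re-fangs the indicators listed above and runs them over constructed Zeek conn.log lines and MDM app-install events. Network hits are graded by whether both the reported C2 IP and port 50005 match, and app events are also checked for the SMS-plus-accessibility permission combination that the reported capabilities imply. The IOC values (IP, port, hashes, package name, dropper filename) are the ones reported on this page; the log lines, device names, event schema and the assumption that accessibility-based keylogging requires BIND_ACCESSIBILITY_SERVICE are mine.

```python
"""DocSwap IOC and behaviour hunting over constructed telemetry.

Added example. IOC values are from public reporting on this page; the log
lines, app events and event schema are constructed for the demo.
"""


def refang(ioc: str) -> str:
    """Turn a defanged indicator such as 27.102.137[.]181 back into a usable value."""
    return ioc.replace("[.]", ".")


C2_IP = refang("27.102.137[.]181")
C2_PORT = 50005
KNOWN_HASHES = {
    "3ccfe58b8e0b5ca96cac4e9394567515",  # MD5, early sample
    "bf134495142d704f9009a7d325fb9546db407971ade224e3718a84254e9ff03e",  # SHA256
}
KNOWN_PACKAGES = {"com.security.library"}
KNOWN_FILENAMES = {"SecDelivery.apk"}
# Behavioural check: SMS theft plus accessibility-based keylogging. An
# accessibility service must declare BIND_ACCESSIBILITY_SERVICE (assumption:
# the page only says "accessibility services").
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Constructed Zeek conn.log excerpt (tab-separated, header row first).
CONN_LOG = """\
ts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto
1717000000.1\t10.20.0.15\t44123\t27.102.137.181\t50005\ttcp
1717000001.2\t10.20.0.16\t44124\t93.184.216.34\t443\ttcp
1717000002.3\t10.20.0.17\t44125\t27.102.137.181\t80\ttcp
1717000003.4\t10.20.0.18\t44126\t198.51.100.7\t50005\ttcp
"""

# Constructed MDM app-install events.
APP_EVENTS = [
    {"device": "and-0015", "package": "com.security.library", "file": "SecDelivery.apk",
     "sha256": "bf134495142d704f9009a7d325fb9546db407971ade224e3718a84254e9ff03e",
     "permissions": ["android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
                     "android.permission.BIND_ACCESSIBILITY_SERVICE"]},
    {"device": "and-0016", "package": "com.example.notes", "file": "notes.apk",
     "sha256": "0" * 64,
     "permissions": ["android.permission.READ_EXTERNAL_STORAGE"]},
    {"device": "and-0017", "package": "com.example.unknown", "file": "update.apk",
     "sha256": "1" * 64,
     "permissions": ["android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
                     "android.permission.BIND_ACCESSIBILITY_SERVICE"]},
]


def hunt_conn_log(text: str) -> list:
    """Return (source host, confidence, reason) for flows matching the C2 IOCs."""
    hits = []
    lines = text.strip("\n").splitlines()
    fields = lines[0].split("\t")
    for line in lines[1:]:
        rec = dict(zip(fields, line.split("\t")))
        dst, dport = rec["id.resp_h"], int(rec["id.resp_p"])
        if dst == C2_IP and dport == C2_PORT:
            hits.append((rec["id.orig_h"], "high", "reported DocSwap C2 IP and port"))
        elif dst == C2_IP:
            hits.append((rec["id.orig_h"], "medium",
                         "reported DocSwap C2 IP on another port (lure hosting or rotated service)"))
        elif dport == C2_PORT:
            hits.append((rec["id.orig_h"], "low",
                         "outbound 50005/tcp to an unlisted host; review for rotated C2"))
    return hits


def hunt_app_events(events: list) -> list:
    """Return (device, [reasons]) for installs matching IOCs or the RAT-like permission set."""
    hits = []
    for ev in events:
        reasons = []
        if ev["package"] in KNOWN_PACKAGES:
            reasons.append("known package name")
        if ev["file"] in KNOWN_FILENAMES:
            reasons.append("known dropper filename")
        if ev["sha256"].lower() in KNOWN_HASHES:
            reasons.append("known sample hash")
        perms = set(ev["permissions"])
        if SMS_PERMS <= perms and ACCESSIBILITY_PERM in perms:
            reasons.append("SMS + accessibility permission set (behavioural)")
        if reasons:
            hits.append((ev["device"], reasons))
    return hits


if __name__ == "__main__":
    for hit in hunt_conn_log(CONN_LOG) + hunt_app_events(APP_EVENTS):
        print(hit)
```

The "low" grade on bare port 50005 is deliberate: the page gives a single IP, and rotated C2 hosts will not hash-match, so the port and the permission combination are what catch the next sample; treat them as leads to review, not as auto-block rules.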


THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers.
Kimsuky

On January 21, 2025, a malicious app named “문서열람 인증 앱” (Document Viewing Authentication App) was identified. This app, a new type of malware not previously observed, impersonates a Document-viewing authentication app. Additionally, a phishing page masquerading as CoinSwap was found at the C2 address, leading to the app being named DocSwap.

via S2W research (s2w.inc)
puNK-004

Same S2W source as the Kimsuky entry above: S2W assessed the early DocSwap sample as likely tied to a North Korea-linked cluster it tracks as puNK-004.

via S2W research (s2w.inc)
MITRE ATT&CK

Techniques & procedures

12 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1566 Phishing (evidence: 3)

A phishing page impersonating CoinSwap was found at the C2 Infrastructure, leading to its designation as DocSwap.

Defense Evasion

3 techniques
T1027 Obfuscated Files or Information (evidence: 1)

It decrypts the “security.db” file within the package using an XOR operation and dynamically loads a DEX file.

T1027.007 Dynamic API Resolution (evidence: 1)

It decrypts the “security.db” file within the package using an XOR operation and dynamically loads a DEX file. Mapping caveat: this evidence describes decrypting and loading new code at runtime, not resolving API addresses dynamically; in ATT&CK for Mobile the behaviour corresponds to T1407 Download New Code at Runtime, with the XOR layer itself under T1406 Obfuscated Files or Information.

T1036 Masquerading (evidence: 2)

This malware represents a previously unidentified type of threat, masquerading as a Document-viewing authentication app.

Credential Access

1 technique
T1056.001 Keylogging (evidence: 1)

The malicious app performs keylogging through accessibility services.

Discovery

3 techniques
T1069 Permission Groups Discovery (evidence: 1)

DocSwap has checked for the WRITE_EXTERNAL_STORAGE permission. Mapping caveat: the evidence is the app requesting and checking its own Android permission, not enumeration of user or system groups; treat the requested permission set as a static triage indicator rather than a T1069 procedure.

T1083 File and Directory Discovery (evidence: 1)

Via socket communication with the C2 server, it receives malicious commands to carry out information theft functions such as camera recording, microphone recording, file downloading and deletion, among others.

T1518 Software Discovery (evidence: 1)

DocSwap has checked for the READ_SMS and RECEIVE_SMS permissions. Mapping caveat: as with T1069 above, this is a permission check by the app itself, not discovery of installed software; the permissions matter because they enable the reported SMS theft.

Collection

3 techniques
T1056.001 Keylogging (evidence: 1)

The malicious app performs keylogging through accessibility services.

T1123 Audio Capture (evidence: 1)

Via socket communication with the C2 server, it receives malicious commands to carry out information theft functions such as camera recording, microphone recording, file downloading and deletion, among others.

T1125 Video Capture (evidence: 1)

Via socket communication with the C2 server, it receives malicious commands to carry out information theft functions such as camera recording, microphone recording, file downloading and deletion, among others.

Command and Control

2 techniques
T1071 Application Layer Protocol (evidence: 1)

Ultimately, it receives commands from the C2 server and performs malicious functions related to keylogging and information theft. Mapping caveat: reporting describes raw socket communication to 27.102.137[.]181:50005 and names no application-layer protocol; if the channel is a custom TCP protocol, T1095 Non-Application Layer Protocol (Enterprise) or T1509 Non-Standard Port (Mobile) is the closer fit.

T1105 Ingress Tool Transfer (evidence: 2)

Via socket communication with the C2 server, it receives malicious commands to carry out information theft functions such as camera recording, microphone recording, file downloading and deletion, among others.
