MidnightDat

MidnightDat is an Android dropper malware family used in a large-scale malware campaign targeting users in Uzbekistan. It has been observed delivering the Wonderland SMS stealer and is described as one of two dropper families designed to conceal the primary encrypted payload, alongside the AES-based RoundRift. According to the provided reporting, MidnightDat was first seen on August 27, 2025.

Infection typically begins with a malicious APK masquerading as a legitimate application, including fake Google Play Store apps, popular Uzbek apps, or lures such as videos and invitations. The broader campaign relies heavily on Telegram-based social engineering, sideloaded APKs, fake websites, and abuse of stolen Telegram accounts to propagate malware to victims' contacts. Group-IB observed MidnightDat in the Uzbekistan-focused wave that began in October 2025.

The dropper is used to evade detection by appearing clean or harmless while embedding the stealer deeper inside the application package. The associated droppers can pass many standard security checks, complicating early detection. The malware in this campaign uses heavy obfuscation, deliberately confusing code, and anti-analysis functionality intended to hinder sandboxing and researcher analysis. Attackers also regularly rotate infrastructure domains and malicious package names.

MidnightDat is associated in the reporting with campaigns involving the Wonderland SMS stealer, which has been attributed to the financially motivated TrickyWonders group. The broader activity has targeted Android users in Uzbekistan, especially Telegram users, with the objective of stealing SMS messages, one-time passwords, credentials, and ultimately money from victims' bank cards. No MidnightDat-specific indicators of compromise are provided in the content beyond its name, role as a dropper, first-seen date, and its use in these Uzbekistan-focused Android malware operations.