MalwareUsed by 1 actor

Marcher

Marcher is an Android banking trojan and password-stealing malware family. The provided content explicitly describes victims on Android devices being redirected to a download page for the Marcher Banking Trojan, and refers to Marcher as an Android banking trojan/password stealer. Marcher is also listed among malware families hosted or distributed through the Avalanche criminal infrastructure, a large fast-flux/double-fast-flux platform used for phishing, malware distribution, spam, and money mule schemes. Avalanche-linked campaigns were associated with credential theft and online banking fraud, and Marcher was one of roughly 20 malware families tied to that infrastructure. Additional reporting in the content links domains registered with the same email address used in a 2018 Japanese-themed phishing infrastructure to earlier February-March 2018 attacks involving Marcher. High-confidence details in the content therefore support that Marcher targets Android devices, is used for banking credential and password theft, and has been observed in financially motivated criminal campaigns and infrastructure associated with large-scale malware distribution. No specific Marcher-exclusive IOCs are directly provided beyond those infrastructure associations.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details

TA2727

...Android devices are redirected to a download page for the Marcher Banking Trojan.

via silentpush blogsilentpush.com

MITRE ATT&CK

Techniques & procedures

6 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

3 techniques

T1566PhishingEvidence1

TacticInitial Access

The criminal groups have been using the Avalanche infrastructure since 2009 for conducting malware, phishing and spam activities. They sent more than 1 million e-mails with damaging attachments or links every week to unsuspecting victims.

T1566.001Spearphishing AttachmentEvidence1

TacticInitial Access

They sent more than 1 million e-mails with damaging attachments or links every week to unsuspecting victims.

T1566.002Spearphishing LinkEvidence1

TacticInitial Access

They sent more than 1 million e-mails with damaging attachments or links every week to unsuspecting victims.

Credential Access

2 techniques

T1555Credentials from Password StoresEvidence1

TacticCredential Access

Millions of private and business computer systems were also infected with malware, enabling the criminals operating the network to harvest bank and e-mail passwords.

T1649Steal or Forge Authentication CertificatesEvidence1

TacticCredential Access

Victims may have had their sensitive personal information stolen (e.g., user account credentials).

Command and Control

1 technique

T1071Application Layer ProtocolEvidence1

TacticCommand and Control

Sinkholing is an action whereby traffic between infected computers and a criminal infrastructure is redirected to servers controlled by law enforcement authorities... infected computers can no longer reach the criminal command and control computer systems and so criminals can no longer control the infected computers.

INDICATORS OF COMPROMISE

IOCs tracked for this family

9 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

View more in app

Network

3 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes

3 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Other

3 tracked

Other indicator types observed in public reporting.

TypeValueLatest sighting

domain●●●●●●●●●●●●View more in app7 years ago

uri●●●●●●●●●●●●View more in app7 years ago

domain●●●●●●●●●●●●View more in app7 years ago

hash.sha256●●●●●●●●●●●●View more in app7 years ago

ACTIVITY FEED

Recent activity

9 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

9 SOURCESView more in app

cloudatg insightsNews

Feb 13, 2026

AI Development & Software Engineering | CloudATG

Android banking trojan referenced as part of TA2727-associated activity set.

silentpush blogNews

Aug 6, 2025

Unmasking SocGholish: Silent Push Untangles the Malware Web behind the “Pioneer of Fake Updates” and Its Operator, TA569

Android banking trojan referenced as a TA2727 payload delivered via Keitaro TDS traffic flows discussed alongside SocGholish delivery chains.

palo alto networks unit 42 blogNews

Dec 20, 2018

Analysis of Smoke Loader in New Tsunami Campaign

Android banking trojan / password-stealing malware linked in the content to related attacker-registered domains used earlier in 2018.

europolNews

Dec 1, 2016

‘Avalanche’ network dismantled in international cyber operation | Europol

A malware family distributed through Avalanche; known in context here as part of credential and financial theft operations.

+4 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching9

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution1

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping6

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.