Skip to main content
Mallory
Back to malware
Malware

Asin

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
MITRE ATT&CK

Techniques & procedures

5 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

2 techniques
T1078Valid AccountsEvidence1
TacticsInitial AccessPersistencePrivilege EscalationStealth

The spyware also relies on victims granting requested permissions, which can provide access to sensitive information stored on the device.

T1566.002Spearphishing LinkEvidence2
TacticInitial Access

ESET found that some of these websites were promoted through social media accounts on Facebook and Telegram.

Execution

2 techniques
T1204User ExecutionEvidence2
TacticExecution

As with many Android threats distributed outside official app marketplaces, users must manually install the software before it can operate.

T1204.002Malicious FileEvidence1
TacticExecution

The operators used different websites during each phase of the operation, presenting them as legitimate services to encourage users to download malicious Android applications.

Persistence

1 technique
T1078Valid AccountsEvidence1
TacticsInitial AccessPersistencePrivilege EscalationStealth

The spyware also relies on victims granting requested permissions, which can provide access to sensitive information stored on the device.

Privilege Escalation

1 technique
T1078Valid AccountsEvidence1
TacticsInitial AccessPersistencePrivilege EscalationStealth

The spyware also relies on victims granting requested permissions, which can provide access to sensitive information stored on the device.

Stealth

2 techniques
T1036MasqueradingEvidence2
TacticStealth

Another site, pdf-reader[.]help, registered two days later, claimed to provide secure PDF viewing and editing capabilities... A third domain, live-war-map[.]com, registered in January 2025, advertised itself as a source of information about military incidents and conflict activity.

T1078Valid AccountsEvidence1
TacticsInitial AccessPersistencePrivilege EscalationStealth

The spyware also relies on victims granting requested permissions, which can provide access to sensitive information stored on the device.

INDICATORS OF COMPROMISE

IOCs tracked for this family

7 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

View more in app
Network
5 tracked

IPs, domains, and DNS infrastructure linked to this family.

Other
2 tracked

Other indicator types observed in public reporting.

TypeValueLatest sighting
domain●●●●●●●●●●●●View more in apptoday
domain●●●●●●●●●●●●View more in apptoday
domain●●●●●●●●●●●●View more in apptoday
domain●●●●●●●●●●●●View more in apptoday
domain●●●●●●●●●●●●View more in apptoday
uri●●●●●●●●●●●●View more in app
ACTIVITY FEED

Recent activity

3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

3 SOURCESView more in app
the hacker newsNews
Jun 5, 2026
Android Spyware Asin Targets Arabic Users via Fake News, PDF and War Map Apps

Android spyware distributed via fraudulent websites impersonating utilities, war-related update services, and a government news source. The malicious apps combine legitimate-looking functionality with stealthy spyware capabilities and require users to manually install the app and grant permissions.

Read more
cysecurity newsNews
Jun 5, 2026
Android Spyware ‘Asin’ Uses Fake News and Utility Apps to Target Arabic-Speaking Users - CySecurity News - Latest Information Security and Hacking Incidents

Previously undocumented Android spyware distributed via fraudulent websites masquerading as legitimate services. The malicious apps combine advertised functionality with hidden background surveillance capabilities and rely on users manually installing the apps and granting permissions to access sensitive device information.

Read more
eset welivesecurity blogNews
May 28, 2026
ESET APT Activity Report Q4 2025-Q1 2026

Android spyware targeting Arabic-speaking users through apps masquerading as conflict-tracking tools.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching7

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping5

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.