PJobRAT Returns: New Campaign Distributes Malware via Counterfeit IM Apps

Threat Group: Unattributed (Historically linked to SideCopy)
Threat Type: Remote Access Trojan (Android RAT)
Exploited Vulnerabilities: Social Engineering, Compromised WordPress Sites
Malware Used: PJobRAT (latest variant with shell command execution)
Threat Score: High (8.7/10) – Due to persistence, enhanced capabilities, and deception-based delivery
Last Threat Observation: October 2024 (per Sophos and industry research)
Overview
PJobRAT, originally discovered in 2019, has reemerged in a prolonged and stealthy cyber-espionage campaign that targeted Android users in Taiwan from January 2023 to October 2024. Previously observed targeting Indian military personnel in 2021, the recent campaign represents a notable shift in both regional focus and technical sophistication. The malware was disseminated through counterfeit instant messaging applications named "SangaalLite" and "CChat," which were hosted on compromised WordPress websites—bypassing the traditional vetting mechanisms of official app stores.
This campaign showcases the threat actor's advanced use of social engineering and malware obfuscation. The PJobRAT variant analyzed features significant upgrades, including the ability to execute arbitrary shell commands on infected devices. It uses Firebase Cloud Messaging (FCM) and HTTP for command-and-control (C2) communications, effectively blending malicious activity with legitimate network traffic to evade detection. Even though the active phase of this campaign appears to have ended, the techniques and tools involved highlight ongoing risks, suggesting future operations remain likely.
Key Details
Delivery Method: Counterfeit Android messaging apps downloaded from compromised WordPress sites
Target: Android users in Taiwan (Previously Indian military personnel in 2021)
Functions:
- Execute shell commands remotely
- Maintain persistence by disabling battery optimization
- Exfiltrate data using HTTP and FCM
- Mimic legitimate chat applications
- Provide basic chat functionality to maintain user trust and disguise intent
Obfuscation Techniques:
- Use of Firebase Cloud Messaging (FCM) to camouflage C2 traffic
- Deployment via compromised WordPress websites to simulate legitimate distribution channels
- Counterfeit application interfaces designed to function minimally, maintaining a layer of deception
Attack Vectors
This campaign heavily relied on social engineering, exploiting users' trust in familiar app interfaces. The fake apps "SangaalLite" and "CChat" were designed to resemble well-known platforms like SignalLite. Users were likely directed to download these malicious applications via phishing emails, SMS, or other messaging channels leading to compromised WordPress sites.
Once installed, the apps requested excessive permissions, including the ability to disable Android’s battery optimization. This ensured the malware remained active in the background, enabling long-term surveillance. The apps featured rudimentary chat functionality, allowing users to register, log in, and send messages, furthering the illusion of legitimacy.
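One app-vetting check that follows from the "excessive permissions" behaviour described above, added here as an illustration rather than taken from Sophos or any other cited report: it parses a decoded AndroidManifest.xml and reports every permission a minimal chat app has no reason to request. The manifest is constructed, the chat-app baseline is an assumed policy, and the assumption that the battery-optimization exemption is requested through the standard REQUEST_IGNORE_BATTERY_OPTIMIZATIONS permission is mine, not the advisory's.

```python
"""Triage a decoded AndroidManifest.xml for permissions beyond what a chat app needs."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed baseline: what a minimal messaging app plausibly needs (tune per policy).
CHAT_APP_BASELINE = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.POST_NOTIFICATIONS",
    "android.permission.VIBRATE",
}

# Permissions that merit a finding when a "chat app" asks for them, with the trait enabled.
# Assumption: the battery-optimization exemption the advisory mentions is requested via
# the standard Android permission below.
WATCH_PERMISSIONS = {
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": "persistence (battery-optimization exemption)",
    "android.permission.RECEIVE_BOOT_COMPLETED": "persistence (autostart after reboot)",
    "android.permission.READ_SMS": "data access (SMS)",
    "android.permission.READ_CONTACTS": "data access (contacts)",
    "android.permission.READ_EXTERNAL_STORAGE": "data access (files)",
    "android.permission.RECORD_AUDIO": "surveillance (microphone)",
    "android.permission.ACCESS_FINE_LOCATION": "surveillance (location)",
}

# Constructed manifest for illustration only; not the real SangaalLite or CChat manifest.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakechat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="com.example.fakechat.CUSTOM"/>
  <application android:label="Constructed Chat"/>
</manifest>
"""


def requested_permissions(manifest_xml: str) -> set:
    """Collect every android:name on <uses-permission> elements, namespace-aware."""
    root = ET.fromstring(manifest_xml.strip())
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return {n for n in names if n}


def triage(manifest_xml: str, baseline=CHAT_APP_BASELINE) -> dict:
    """Compare requested permissions with the declared purpose's baseline and classify the excess."""
    perms = requested_permissions(manifest_xml)
    excess = sorted(perms - baseline)
    findings = [(p, WATCH_PERMISSIONS[p]) for p in excess if p in WATCH_PERMISSIONS]
    # Vendor-specific or rare permissions are surfaced for manual review rather than dropped.
    unclassified = [p for p in excess if p not in WATCH_PERMISSIONS]
    persistence = any(trait.startswith("persistence") for _, trait in findings)
    return {
        "requested": sorted(perms),
        "findings": findings,
        "unclassified_excess": unclassified,
        "persistence_risk": persistence,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_MANIFEST)
    for perm, trait in result["findings"]:
        print(f"FINDING {perm}: {trait}")
    for perm in result["unclassified_excess"]:
        print(f"REVIEW  {perm}: not in baseline, unclassified")
    print("persistence risk:", result["persistence_risk"])
```

The check is deliberately keyed on the gap between declared purpose and requested capability, which is the signal a user is asked to judge at install time and rarely does; an MDM pipeline can run the same comparison against an allow-list before an app reaches a managed device.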
Known Indicators of Compromise (IoCs)
FileHash-SHA256
- 0ad9cd56764ef70bdfbd3b2d269020557135f075d63327dbaab1bf0e9d816fb5
- 0ebcfbcda27b84b8f0db6d50abb1b0ff7831938913912156d27880704e69f1f2
- 37c390ff137ac71004223c73b99a9d8eec8ae2e879dee679bda29c09e1b11a37
- 44a05d1e36938c0d6039e0986de91744482d86d641d1d981f3e8a61385fb33a3
URL
- hxxp://westvist[.]myftp[.]org:3574
- hxxp://westvist[.]myftp[.]org:3574/m_chowa_srv/main[.]php
- hxxp://westvist[.]myftp[.]org:3574/notification/chat_notification_v2[.]php
- hxxp://westvist[.]myftp[.]org:8181
- hxxp://westvist[.]myftp[.]org:8181/socket[.]io/?EIO=4&transport=websocket
domain
- itechcube[.]xyz
- toolkitapi[.]xyz
hostname
- westvist[.]myftp[.]org
These IoCs serve as critical indicators for defenders and should be incorporated into detection and response systems.
Mitigation and Prevention
User Awareness:
- Regularly educate users on the dangers of sideloading apps, verifying app sources, and spotting fake application interfaces.
Email Filtering:
- Use advanced threat protection to detect phishing campaigns delivering links to compromised sites.
Antivirus Protection:
- Employ mobile threat defense tools like Sophos Intercept X for Mobile to detect known malware signatures such as Andr/AndroRAT-M.
Two-Factor Authentication (2FA):
- Secure all sensitive accounts with 2FA to reduce the risk of credential misuse.
Monitor Logs:
- Employ network traffic monitoring solutions that flag anomalous or suspicious communication to known malicious domains.
Regular Updates:
- Keep Android devices and applications patched to close off vulnerabilities targeted by mobile malware.
Application Whitelisting and MDM Solutions:
- For enterprise environments, restrict app installation to approved lists using mobile device management (MDM) platforms.
Security Audits and Risk Assessments:
- Conduct periodic audits to evaluate device security and user compliance, and to detect early indicators of compromise.
Share Threat Intelligence:
- Collaborate with peer organizations and industry bodies to share emerging indicators, malware behaviors, and defensive strategies.
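To turn the indicator list in the "Known Indicators of Compromise" section into something the "Monitor Logs" recommendation can act on, the following added Python example refangs the published hostnames and URLs and sweeps DNS and proxy log lines for them, matching on hostname (exact or subdomain), host:port pairs and full URLs. This is not code from Sophos, AlienVault or any vendor named on this page; the key=value log format and the sample lines are constructed assumptions.

```python
"""Refang the advisory's PJobRAT network IoCs and sweep DNS/proxy log lines for them."""
import re
from urllib.parse import urlsplit

# Network indicators exactly as published in the advisory, still defanged (hxxp, [.]).
RAW_IOCS = [
    "hxxp://westvist[.]myftp[.]org:3574",
    "hxxp://westvist[.]myftp[.]org:3574/m_chowa_srv/main[.]php",
    "hxxp://westvist[.]myftp[.]org:3574/notification/chat_notification_v2[.]php",
    "hxxp://westvist[.]myftp[.]org:8181",
    "hxxp://westvist[.]myftp[.]org:8181/socket[.]io/?EIO=4&transport=websocket",
    "itechcube[.]xyz",
    "toolkitapi[.]xyz",
    "westvist[.]myftp[.]org",
]

# Constructed sample log lines (not real telemetry); the key=value layout is an assumed format.
SAMPLE_LOGS = [
    "2024-06-12T08:15:02Z dns client=10.0.5.21 query=westvist.myftp.org",
    "2024-06-12T08:15:03Z proxy client=10.0.5.21 dst=westvist.myftp.org:3574 "
    "url=http://westvist.myftp.org:3574/m_chowa_srv/main.php",
    "2024-06-12T08:16:40Z proxy client=10.0.5.33 dst=cdn.example.com:443 url=https://cdn.example.com/app.js",
    "2024-06-12T08:17:01Z dns client=10.0.5.40 query=api.toolkitapi.xyz",
    "2024-06-12T08:18:22Z dns client=10.0.5.41 query=notwestvist.myftp.org",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def refang(ioc: str) -> str:
    """Undo the usual defanging so the indicator compares equal to what logs contain."""
    return (ioc.replace("[.]", ".")
               .replace("hxxps://", "https://")
               .replace("hxxp://", "http://"))


def build_watchlist(raw_iocs):
    """Split IoCs into three match keys: bare hostnames, (host, port) pairs and full URLs."""
    hosts, host_ports, urls = set(), set(), set()
    for ioc in map(refang, raw_iocs):
        if "://" in ioc:
            parts = urlsplit(ioc)
            hosts.add(parts.hostname.lower())
            if parts.port:
                host_ports.add((parts.hostname.lower(), parts.port))
            if parts.path or parts.query:
                urls.add(ioc)
        else:
            hosts.add(ioc.lower())
    return hosts, host_ports, urls


def host_matches(host, watch_hosts):
    """Exact or subdomain match only; a plain substring test would also hit unrelated names."""
    host = host.lower().rstrip(".")
    return any(host == w or host.endswith("." + w) for w in watch_hosts)


def scan_line(line, watchlist):
    """Return the reasons a single log line matches the watchlist (empty list if clean)."""
    hosts, host_ports, urls = watchlist
    fields = dict(KV_RE.findall(line))
    reasons = []
    query = fields.get("query")
    if query and host_matches(query, hosts):
        reasons.append(f"dns:{query}")
    dst = fields.get("dst")
    if dst:
        host, _, port = dst.rpartition(":") if ":" in dst else (dst, "", "")
        if host_matches(host, hosts):
            reasons.append(f"host:{host}")
        if port.isdigit() and (host.lower(), int(port)) in host_ports:
            reasons.append(f"port:{host}:{port}")
    url = fields.get("url")
    if url and url in urls:
        reasons.append(f"url:{url}")
    return reasons


def scan_logs(lines, watchlist):
    """Return (client, reasons) for every line that hits at least one indicator."""
    hits = []
    for line in lines:
        reasons = scan_line(line, watchlist)
        if reasons:
            client = dict(KV_RE.findall(line)).get("client", "?")
            hits.append((client, reasons))
    return hits


if __name__ == "__main__":
    for client, reasons in scan_logs(SAMPLE_LOGS, build_watchlist(RAW_IOCS)):
        print(client, ", ".join(reasons))
```

The subdomain-anchored match matters for dynamic DNS names such as the myftp.org one listed above: a sibling hostname on the same provider is not an indicator, so the sample line for notwestvist.myftp.org is correctly left alone while api.toolkitapi.xyz is flagged as a child of a listed domain.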
Risk Assessment
The technical evolution of PJobRAT, especially its shell command execution and stealthy dual-channel C2 setup, dramatically increases its threat level. Its reliance on deceptive distribution and blending with benign traffic makes detection difficult. Organizations with Android endpoints and operations in Taiwan or adjacent geopolitical regions should consider the malware an active threat and implement mobile-specific defense-in-depth strategies.
Conclusion
The latest PJobRAT campaign highlights a well-resourced and determined threat actor capable of orchestrating long-term surveillance operations. The use of legitimate infrastructure (FCM), carefully crafted counterfeit apps, and distribution via compromised websites all signal a high level of operational sophistication. The geographical shift in targeting from Indian military personnel to Taiwanese civilians or entities may suggest either a pivot in priorities or a new actor adopting PJobRAT for their own goals. Continued vigilance, user education, and proactive defense measures are critical.
Sources:
- The Hacker News - PJobRAT Malware Campaign Targeted Taiwanese Users - https://thehackernews.com/2025/03/pjobrat-malware-campaign-targeted.html
- Infosecurity Magazine - PJobRAT Malware Targets Users in Taiwan - https://www.infosecurity-magazine.com/news/pjobrat-malware-targets-taiwan-via/
- Sophos News - PJobRAT Makes a Comeback - https://news.sophos.com/en-us/2025/03/27/pjobrat-makes-a-comeback-takes-another-crack-at-chat-apps/
- SC Media - Bogus Apps Spread PJobRAT Malware - https://www.scworld.com/brief/bogus-apps-spread-pjobrat-malware-report-finds
- AlienVault - Indicators of Compromise - https://otx.alienvault.com/pulse/67e5c8abe70b87d810a5b6c6