RedHook: A New Android Banking Trojan Targeting Users In Vietnam
Essential information
- Published
- 31/07/2025 19:23
- Modified
- 31/07/2025 19:52
- Tags
- 2025-07-31 android aws s3 banking trojan chinese-language keylogging phishing rat redhook vietnam websocket
- Related entities
- 13 observables, 1 malware, 2 others
Description
A sophisticated Android banking trojan named RedHook has been discovered targeting Vietnamese users through spoofed government and financial websites. The malware uses WebSocket to communicate with its command-and-control server and supports over 30 remote commands, enabling complete control over compromised devices. RedHook combines phishing, RAT, and keylogging capabilities to exfiltrate credentials and conduct fraud. It abuses Android's MediaProjection API for screen capture and sends data to a live C2 server. The malware's low antivirus detection rate makes it a stealthy and active threat. Code artifacts suggest development by a Chinese-speaking threat actor or group. An exposed AWS S3 bucket revealed operational data dating back to November 2024, indicating a shift from previous scam campaigns to this advanced banking trojan.