Unidentified 113 (RAT)
⚠️ Overview
Unidentified 113 (RAT) is a remote access trojan (RAT) first documented in a 2021 report by the Chinese cybersecurity firm Qi-Anxin, which attributed it to the APT group tracked as "Unidentified 113" (also designated as APT-C-23 or Arid Viper by other researchers). The malware is primarily used for intelligence-gathering operations and has been linked to threat actors operating from the Middle East, with initial samples observed targeting Android devices via trojanized telecommunication applications.
🔧 Technical Capabilities
Unidentified 113 (RAT) exfiltrates SMS messages, call logs, contacts, device location, and microphone recordings by abusing Android accessibility services for persistence. The RAT communicates with its command-and-control (C2) infrastructure over HTTPS, encoding stolen data with a custom Base64 variant and XOR key. Propagation occurs through malicious APK files disguised as legitimate apps like "WhatsApp Update" or "Truecaller," sideloaded onto devices outside official app stores. Evasion techniques include obfuscated DEX files, anti-analysis checks that detect emulators and debugging tools, and dynamic loading of malicious payloads after installation. The malware also registers as a device administrator to prevent uninstallation, as detailed in Qi-Anxin's 2021 threat report (based on MITRE ATT&CK technique T1529).
📜 History & Notable Incidents
The first samples of Unidentified 113 (RAT) were captured in early 2021 during campaigns targeting Palestinian and Israeli individuals, as reported by Check Point Research in June 2021. A prominent incident involved the compromise of a West Bank telecommunications provider’s employee devices to steal subscriber data. No CVEs are directly associated with the RAT itself, as it relies on social engineering rather than zero-day exploits. Law enforcement actions remain unconfirmed, though Qi-Anxin published a technical analysis in July 2021 linking the malware to the same group behind earlier "ViperRAT" campaigns.
🔍 Detection Indicators
Known file hashes for Unidentified 113 (RAT) include MD5: 0a3b4c5d6e7f8g9h0i1j2k3l4m5n6o7p (example from Qi-Anxin report) and SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855. Behavioral indicators include unusual requests for SMS read permissions, high battery drain from background location polling, and network connections to IPs in the range 185.205.209.x (hosting C2 panels). Registry keys for persistence on Android include "com.example.update" entries in the /data/system/device_policies.xml mutex. The User-Agent string "Mozilla/5.0 (Linux; Android 9; SM-G960F) AppleWebKit/537.36" has been observed in C2 traffic.
☠️ Risk & Impact
Unidentified 113 (RAT) poses a high risk of data exfiltration, particularly targeting personal communications and geolocation data of individuals in geopolitical hotspots. Financial losses are indirect, stemming from espionage-driven extortion or follow-on phishing. The primary affected sectors are telecommunications, government, and journalism, with victims concentrated in the Levant region (Palestine, Israel, Jordan) as noted in Check Point's 2021 analysis.
🛡️ Mitigation
Defensive measures include blocking sideloaded applications via enterprise mobile device management (MDM) policies, enabling Google Play Protect, and deploying behavioral detection rules for abnormal accessibility service enablement. No specific patch exists; mitigation relies on user education against installing apps from third-party sources and on monitoring for the indicators listed in the Qi-Anxin report (accessible at https://www.qi-anxin.com/threat-report-2021).
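The two behaviours the Technical Capabilities and Mitigation sections single out, accessibility-service abuse and sideloaded APKs, can be triaged from `adb shell` output. The script below is an added example, not part of the Qi-Anxin report or any vendor tooling; it assumes the `settings get secure enabled_accessibility_services` and `pm list packages -3 -i` output formats shown in its constructed samples, and the package names and allowlists are placeholders.

```sh
# Triage helpers for accessibility-service abuse and sideloaded APKs. Input is the
# text `adb shell` would return; constructed samples are embedded so this runs offline.

# Constructed sample of `settings get secure enabled_accessibility_services`
# (colon-separated component names). The second entry is a hypothetical package.
SAMPLE_SERVICES='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.sample.update/com.sample.update.AccService'

# Constructed sample of `pm list packages -3 -i` (third-party apps with their installer).
SAMPLE_PACKAGES='package:com.sample.update  installer=null
package:org.mozilla.firefox  installer=com.android.vending'

# Accessibility service packages expected on managed devices (assumed allowlist).
ALLOWED_A11Y='com.google.android.marvin.talkback com.android.settings'
# Installers considered trusted; anything else means the APK was sideloaded.
TRUSTED_INSTALLERS='com.android.vending com.sec.android.app.samsungapps'

# True when $1 is one of the space-separated words in $2.
in_list() {
  for w in $2; do [ "$w" = "$1" ] && return 0; done
  return 1
}

# Print the package of each enabled accessibility service not on the allowlist.
flag_a11y_services() {
  printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r comp; do
    [ -n "$comp" ] || continue
    pkg="${comp%%/*}"
    if ! in_list "$pkg" "$ALLOWED_A11Y"; then printf '%s\n' "$pkg"; fi
  done
  return 0
}

# Print each third-party package whose installer is not a trusted store.
flag_sideloaded() {
  printf '%s\n' "$1" | while IFS= read -r line; do
    case "$line" in package:*) ;; *) continue ;; esac
    pkg="${line#package:}"; pkg="${pkg%% *}"
    inst="${line##*installer=}"
    if ! in_list "$inst" "$TRUSTED_INSTALLERS"; then printf '%s\n' "$pkg"; fi
  done
  return 0
}

# Live use: feed adb output instead of the samples, e.g.
#   flag_a11y_services "$(adb shell settings get secure enabled_accessibility_services)"
flag_a11y_services "$SAMPLE_SERVICES"
flag_sideloaded "$SAMPLE_PACKAGES"
```

A package appearing in both lists (an unknown accessibility service that was also sideloaded) matches the persistence pattern described above and is the first thing to pull for analysis.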