Cyble Research and Intelligence Labs has identified a surge in activity from MiningDropper, a modular Android malware delivery framework also tracked as BeatBanker. It uses a multi-stage architecture that combines XOR-based obfuscation in its native code, AES-encrypted payload staging, dynamic DEX loading, and anti-emulation checks to evade detection. The framework first deploys a cryptocurrency miner, then switches to an operator-defined final payload such as an infostealer or the BTMOB RAT. Two active campaigns were identified: one targeting Indian users through phishing sites impersonating RTO (Regional Transport Office) services, banks, and telecom providers, and another distributing BTMOB RAT across Europe, Latin America, and Asia. Over 1,500 samples were found in the wild, more than half of them with minimal antivirus detection. BTMOB RAT supports credential theft, keylogging, abuse of the Android Accessibility Service, and real-time remote control over a WebSocket C2 channel. Because the final payload is selected by configuration, operators can swap payloads without changing the dropper code, which lets campaigns scale rapidly.
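The staging pattern summarized above (an XOR-obfuscated secret held in the native layer, an AES-encrypted stage, and a DEX that is decrypted in memory before being loaded) is worth seeing as a round trip, because an analyst's unpacker is the mirror image of the dropper's packer. The following Go program is an added example and is not Cyble's code nor MiningDropper's actual scheme: the AES mode (AES-128-CBC with PKCS#7 padding), the fixed IV, the repeating-key XOR, the key material and the DEX body are all constructed assumptions, since the page does not give the framework's real parameters. What the example does show is the one check that survives any variation in those details: after decryption, the stage must start with the DEX magic `dex\n035\0`, and anything else means the key, mode or offset was wrong.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

// dexMagic is the real 8-byte header of a classes.dex file (format version 035).
var dexMagic = []byte("dex\n035\x00")

// xorBytes applies a repeating-key XOR. Hypothetical stand-in for the kind of
// XOR obfuscation the summary attributes to the native layer; the real key
// length and layout are not given on the page.
func xorBytes(data, key []byte) []byte {
	out := make([]byte, len(data))
	for i, b := range data {
		out[i] = b ^ key[i%len(key)]
	}
	return out
}

// pkcs7Pad pads b up to a multiple of block (assumed padding scheme).
func pkcs7Pad(b []byte, block int) []byte {
	n := block - len(b)%block
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad strips PKCS#7 padding and rejects malformed trailers, which is
// the first signal an analyst gets that a guessed key or mode is wrong.
func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 {
		return nil, errors.New("empty plaintext")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) {
		return nil, errors.New("bad padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// stagePayload models the dropper side: AES-128-CBC encrypt the DEX and store
// the AES key XOR-obfuscated. Constructed for illustration only.
func stagePayload(dex, aesKey, iv, xorKey []byte) (obfKey, blob []byte, err error) {
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return nil, nil, err
	}
	pt := pkcs7Pad(dex, aes.BlockSize)
	blob = make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(blob, pt)
	return xorBytes(aesKey, xorKey), blob, nil
}

// recoverDex models the analyst side: undo the XOR, AES-CBC decrypt, strip the
// padding, and refuse any result that does not carry a DEX header.
func recoverDex(obfKey, blob, iv, xorKey []byte) ([]byte, error) {
	if len(blob)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is not block aligned")
	}
	block, err := aes.NewCipher(xorBytes(obfKey, xorKey))
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(blob))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, blob)
	dex, err := pkcs7Unpad(pt)
	if err != nil {
		return nil, err
	}
	if !bytes.HasPrefix(dex, dexMagic) {
		return nil, errors.New("decrypted stage is not a DEX file")
	}
	return dex, nil
}

func main() {
	// Constructed sample inputs; none of these values come from a real sample.
	fakeDex := append(append([]byte{}, dexMagic...), []byte("...constructed DEX body...")...)
	aesKey := []byte("0123456789abcdef")
	iv := []byte("fedcba9876543210")
	xorKey := []byte{0x5a, 0xa5, 0x3c}

	obfKey, blob, err := stagePayload(fakeDex, aesKey, iv, xorKey)
	if err != nil {
		panic(err)
	}
	dex, err := recoverDex(obfKey, blob, iv, xorKey)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered %d-byte DEX, magic ok: %v\n", len(dex), bytes.HasPrefix(dex, dexMagic))
}
```

The magic check is what makes this usable against a real sample: when the XOR key or AES parameters are guessed from disassembly, a wrong guess fails either at padding validation or at the header check instead of handing a garbage buffer to the next step, which is also the point at which a defender would expect the dropper to call into a DexClassLoader-style API.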