IOC Radar
TLP:WHITE · 5 IOCs

OverlayPhantom: The Android Banking Trojan Hiding in Plain Sight

Cyble
Published May 27, 2026 (summary of the original Cyble report)

Threat Actors

Malware Families

Diamond Model

Social axis: Adversary, Victim · Technology axis: Infrastructure, Capability

Adversary (2): Play, TA0027
Infrastructure (2): https://bitlrewards-a…, https://199.217.99.122
Capability (1): Play
Victim: unknown

Attack Flow (8 steps · MITRE ATT&CK mapped)

Step 1/8 · Initial Access (TA0001) · T1566 Phishing
Action: Distribute via malicious URLs
The malware is distributed via malicious URLs that impersonate trusted applications like ID Austria and TikTok.


Indicators of Compromise (5)

Type    Indicator                                                          Tags                              Confidence  Score  First Seen
SHA256  f8b614a2918378063d6e6655b676ceb52ae65b1510e2cc08087fcac31acb7aeb   file-hash, intel-blog, malware    High        61     Jun 2, 26
SHA256  9ef37376bfaa18e193cc72218924ad8ebf56d2667d348f0eae5ae6ec45ab8775   file-hash, intel-blog, malware    High        61     Jun 2, 26
URL     https://bitlrewards-app.com/api/download/IDAustria                 intel-blog, malware, network      High        68     Jun 2, 26
SHA256  8ddc1f2a75f3d5b5bd054a5367bd5015ebc90f3453d63c7cce438c12dc2ae86a   file-hash, intel-blog, malware    High        66     Jun 2, 26
URL     https://199.217.99.122                                             intel-blog, malware, network      High        68     Jun 2, 26

IOC Relationship Graph (5 total IOCs)

Node types: SHA256 (3), URL (2), Actors (2), Malware (1), plus one report node for this report (OverlayPhantom). Actor nodes: Play, TA0027. Malware node: Play.