VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0)

VajraSpy is Android malware distributed via trojanized messaging and news applications. It has been used to target individuals in Pakistan and India since at least 2021 and has been delivered through the Google Play Store, malicious domains, and other uncontrolled distribution channels. VajraSpy is attributed with high confidence to Patchwork which has used the malware to conduct targeted espionage, primarily against devices in Pakistan. (Citation: ESET_VajraSpy_Feb2024)(Citation: ArcticWolf_DroppingElephant_July2025)(Citation: K7Dhanalakshmi_VajraSpy_April2022)

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) | Malware | Wi-Fi Discovery - T1422.002 (be63612f-a48f-44f2-a7a6-1763509fcf80) | Attack Pattern | 1 |
| VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) | Malware | Exfiltration Over C2 Channel - T1646 (32063d7f-0a39-440d-a4a3-2694488f96cc) | Attack Pattern | 1 |
| VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) | Malware | Location Tracking - T1430 (99e6295e-741b-4857-b6e5-64989eb039b4) | Attack Pattern | 1 |
| VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) | Malware | Audio Capture - T1429 (6683aa0c-d98a-4f5b-ac57-ca7e9934a760) | Attack Pattern | 1 |
| VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) | Malware | Masquerading - T1655 (f856eaab-e84a-4265-a8a2-7bf37e5dc2fc) | Attack Pattern | 1 |
| Contact List - T1636.003 (e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86) | Attack Pattern | VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) | Malware | 1 |
| System Information Discovery - T1426 (e2ea7f6b-8d4f-49c3-819d-660530d12b77) | Attack Pattern | VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) | Malware | 1 |
| VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) | Malware | Exfiltration Over Unencrypted Non-C2 Protocol - T1639.001 (37047267-3e56-453c-833e-d92b68118120) | Attack Pattern | 1 |
| VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) | Malware | Data from Local System - T1533 (e1c912a9-e305-434b-9172-8a6ce3ec9c4a) | Attack Pattern | 1 |
| SMS Messages - T1636.004 (c6421411-ae61-42bb-9098-73fddb315002) | Attack Pattern | VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) | Malware | 1 |
| Lockscreen Bypass - T1461 (dfe29258-ce59-421c-9dee-e85cb9fa90cd) | Attack Pattern | VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) | Malware | 1 |
| Stored Application Data - T1409 (702055ac-4e54-4ae9-9527-e23a38e0b160) | Attack Pattern | VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) | Malware | 1 |
| Software Discovery - T1418 (198ce408-1470-45ee-b47f-7056050d4fc2) | Attack Pattern | VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) | Malware | 1 |
| Bidirectional Communication - T1481.002 (939808a7-121d-467a-b028-4441ee8b7cee) | Attack Pattern | VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) | Malware | 1 |
| VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) | Malware | File and Directory Discovery - T1420 (cf28ca46-1fd3-46b4-b1f6-ec0b72361848) | Attack Pattern | 1 |
| VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) | Malware | Access Notifications - T1517 (39dd7871-f59b-495f-a9a5-3cb8cc50c9b2) | Attack Pattern | 1 |
| VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) | Malware | Call Log - T1636.002 (1d1b1558-c833-482e-aabb-d07ef6eae63d) | Attack Pattern | 1 |
| Accounts - T1636.005 (337e1136-a6d3-4465-a5c5-fdc658117747) | Attack Pattern | VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) | Malware | 1 |
| Phishing - T1660 (defc1257-4db1-4fb3-8ef5-bb77f63146df) | Attack Pattern | VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) | Malware | 1 |
| Abuse Accessibility Features - T1453 (2204c371-6100-4ae0-82f3-25c07c29772a) | Attack Pattern | VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) | Malware | 1 |
| VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) | Malware | Call Control - T1616 (351ddf79-2d3a-41b4-9bef-82ea5d3ccd69) | Attack Pattern | 1 |
| VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) | Malware | Keylogging - T1417.001 (b1c95426-2550-4621-8028-ceebf28b3a47) | Attack Pattern | 1 |
| Video Capture - T1512 (d8940e76-f9c1-4912-bea6-e21c251370b6) | Attack Pattern | VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) | Malware | 1 |
| Wi-Fi Discovery - T1422.002 (be63612f-a48f-44f2-a7a6-1763509fcf80) | Attack Pattern | System Network Configuration Discovery - T1422 (d4536441-1bcc-49fa-80ae-a596ed3f7ffd) | Attack Pattern | 2 |
| Contact List - T1636.003 (e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86) | Attack Pattern | Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e) | Attack Pattern | 2 |
| Exfiltration Over Unencrypted Non-C2 Protocol - T1639.001 (37047267-3e56-453c-833e-d92b68118120) | Attack Pattern | Exfiltration Over Alternative Protocol - T1639 (3e091a89-a493-4a6c-8e88-d57be19bb98d) | Attack Pattern | 2 |
| SMS Messages - T1636.004 (c6421411-ae61-42bb-9098-73fddb315002) | Attack Pattern | Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e) | Attack Pattern | 2 |
| Bidirectional Communication - T1481.002 (939808a7-121d-467a-b028-4441ee8b7cee) | Attack Pattern | Web Service - T1481 (c6a146ae-9c63-4606-97ff-e261e76e8380) | Attack Pattern | 2 |
| Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e) | Attack Pattern | Call Log - T1636.002 (1d1b1558-c833-482e-aabb-d07ef6eae63d) | Attack Pattern | 2 |
| Accounts - T1636.005 (337e1136-a6d3-4465-a5c5-fdc658117747) | Attack Pattern | Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e) | Attack Pattern | 2 |
| Input Capture - T1417 (a8c31121-852b-46bd-9ba4-674ae5afe7ad) | Attack Pattern | Keylogging - T1417.001 (b1c95426-2550-4621-8028-ceebf28b3a47) | Attack Pattern | 2 |
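The relationship listing above is how a MISP galaxy renders the VajraSpy-to-ATT&CK (mobile) mapping, and a CTI analyst usually wants it as a plain technique list or an ATT&CK Navigator layer for coverage review. The following is an added example, not code from this galaxy entry or from the MISP project: it parses rows in the listing's "Name - ID (uuid) Galaxy" format, copes with the source's inconsistent column order (the malware appears in either column; level-2 rows put parent and sub-technique in either order), expands mapped sub-techniques to their parent techniques, and emits a minimal Navigator layer. The sample rows are copied from the table above and embedded so it runs offline; the function names and the Navigator field subset used (`name`, `domain`, `versions`, `techniques[].techniqueID/score/comment`) are this example's own choices.

```python
import json
import re

# Relationship rows copied from the galaxy listing above, embedded here as a
# constructed sample so the script runs offline (the full listing has more
# rows; the parser accepts all of them). Note the inconsistent column order in
# the source: the malware appears in either column, and level-2 rows put the
# parent and the sub-technique in either order.
GALAXY_ROWS = """\
VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) Malware Wi-Fi Discovery - T1422.002 (be63612f-a48f-44f2-a7a6-1763509fcf80) Attack Pattern 1
Contact List - T1636.003 (e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86) Attack Pattern VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) Malware 1
VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) Malware Keylogging - T1417.001 (b1c95426-2550-4621-8028-ceebf28b3a47) Attack Pattern 1
VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) Malware Masquerading - T1655 (f856eaab-e84a-4265-a8a2-7bf37e5dc2fc) Attack Pattern 1
Wi-Fi Discovery - T1422.002 (be63612f-a48f-44f2-a7a6-1763509fcf80) Attack Pattern System Network Configuration Discovery - T1422 (d4536441-1bcc-49fa-80ae-a596ed3f7ffd) Attack Pattern 2
Contact List - T1636.003 (e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86) Attack Pattern Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e) Attack Pattern 2
Input Capture - T1417 (a8c31121-852b-46bd-9ba4-674ae5afe7ad) Attack Pattern Keylogging - T1417.001 (b1c95426-2550-4621-8028-ceebf28b3a47) Attack Pattern 2
"""


def _node(p):
    # One "Name - ID (uuid) Galaxy" cell; p prefixes the group names (a/b).
    return (rf"(?P<{p}name>.+?) - (?P<{p}id>[A-Z]\d{{4}}(?:\.\d{{3}})?) "
            rf"\((?P<{p}uuid>[0-9a-f-]{{36}})\) (?P<{p}type>Malware|Attack Pattern)")


ROW_RE = re.compile(rf"^{_node('a')} {_node('b')} (?P<level>\d+)$")


def parse_rows(text):
    """Parse the flattened relationship listing into structured rows."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised relationship row: {line!r}")
        g = m.groupdict()
        rows.append({
            "a": {k: g["a" + k] for k in ("name", "id", "uuid", "type")},
            "b": {k: g["b" + k] for k in ("name", "id", "uuid", "type")},
            "level": int(g["level"]),
        })
    return rows


def index_names(rows):
    """Map every ATT&CK/MISP ID seen in the listing to its display name."""
    return {n["id"]: n["name"] for r in rows for n in (r["a"], r["b"])}


def technique_map(rows, malware_id):
    """{technique_id: name} for level-1 rows linking the malware to an
    Attack Pattern, whichever column the malware sits in."""
    found = {}
    for r in rows:
        if r["level"] != 1:
            continue
        for me, other in ((r["a"], r["b"]), (r["b"], r["a"])):
            if me["id"] == malware_id and other["type"] == "Attack Pattern":
                found[other["id"]] = other["name"]
    return found


def parent_map(rows):
    """{sub_technique_id: parent_id} from level-2 rows. Orientation is decided
    by ID shape (sub-techniques carry a '.NNN' suffix), not column position."""
    parents = {}
    for r in rows:
        if r["level"] != 2:
            continue
        x, y = r["a"]["id"], r["b"]["id"]
        if "." in x and "." not in y:
            parents[x] = y
        elif "." in y and "." not in x:
            parents[y] = x
    return parents


def expand_with_parents(techniques, parents, names):
    """Add the parent of every mapped sub-technique. Falls back to deriving the
    parent ID from the prefix when the listing has no level-2 row for it."""
    expanded = dict(techniques)
    for tid in list(techniques):
        if "." not in tid:
            continue
        parent = parents.get(tid, tid.split(".")[0])
        expanded.setdefault(parent, names.get(parent, parent))
    return expanded


def navigator_layer(malware_name, techniques):
    """Minimal ATT&CK Navigator layer (mobile domain) for the mapped techniques.
    Field subset and the fixed score of 1 are this example's choices."""
    return {
        "name": f"{malware_name} technique coverage",
        "domain": "mobile-attack",
        "versions": {"layer": "4.5"},
        "techniques": [
            {"techniqueID": tid, "score": 1, "comment": name}
            for tid, name in sorted(techniques.items())
        ],
    }


if __name__ == "__main__":
    rows = parse_rows(GALAXY_ROWS)
    mapped = technique_map(rows, "S9006")
    full = expand_with_parents(mapped, parent_map(rows), index_names(rows))
    print(json.dumps(navigator_layer("VajraSpy", full), indent=2))
```

The parser raises on any row it cannot match rather than silently skipping it, so a changed rendering of the galaxy page surfaces as an error instead of a quietly shorter technique list. Parent expansion matters for coverage work because detection content and Navigator layers are often keyed on the parent technique (for example T1636 Protected User Data) rather than on each sub-technique the malware is mapped to.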