Android Malware Wonderland Targets Uzbekistan with SMS Theft and RAT Capabilities
Summary
Threat actors are using malicious dropper apps disguised as legitimate applications to deliver Wonderland, an Android SMS stealer, to users in Uzbekistan. Wonderland facilitates bidirectional command-and-control (C2) communication, enabling real-time command execution, USSD requests, and SMS theft. The malware is distributed through fake Google Play Store pages, Facebook ad campaigns, and compromised Telegram accounts. Once installed, it steals SMS messages, intercepts OTPs, and siphons funds from victims' bank cards. The operation is coordinated by the financially motivated group TrickyWonders, which employs a hierarchical structure for malware distribution and financial fraud.
Timeline
- 22.12.2025 08:11 · 1 article
Wonderland Malware Targets Uzbekistan with SMS Theft and RAT Capabilities
Threat actors have been observed leveraging malicious dropper apps to deliver Wonderland, an Android SMS stealer, to users in Uzbekistan. The malware facilitates bidirectional command-and-control (C2) communication, enabling real-time command execution, USSD requests, and SMS theft. The operation is coordinated by the financially motivated group TrickyWonders, which employs a hierarchical structure for malware distribution and financial fraud.
- Android Malware Operations Merge Droppers, SMS Theft, and RAT Capabilities at Scale — thehackernews.com — 22.12.2025 08:11
Information Snippets
- Wonderland, previously known as WretchedCat, is an Android SMS stealer that facilitates bidirectional C2 communication.
First reported: 22.12.2025 08:11 · 1 source, 1 article
- Android Malware Operations Merge Droppers, SMS Theft, and RAT Capabilities at Scale — thehackernews.com — 22.12.2025 08:11
- The malware is distributed through fake Google Play Store pages, Facebook ad campaigns, and compromised Telegram accounts.
First reported: 22.12.2025 08:11 · 1 source, 1 article
- Android Malware Operations Merge Droppers, SMS Theft, and RAT Capabilities at Scale — thehackernews.com — 22.12.2025 08:11
- Once installed, Wonderland steals SMS messages, intercepts OTPs, and siphons funds from victims' bank cards.
First reported: 22.12.2025 08:11 · 1 source, 1 article
- Android Malware Operations Merge Droppers, SMS Theft, and RAT Capabilities at Scale — thehackernews.com — 22.12.2025 08:11
- The operation is coordinated by the financially motivated group TrickyWonders, which employs a hierarchical structure for malware distribution and financial fraud.
First reported: 22.12.2025 08:11 · 1 source, 1 article
- Android Malware Operations Merge Droppers, SMS Theft, and RAT Capabilities at Scale — thehackernews.com — 22.12.2025 08:11
- Wonderland is propagated using dropper malware families MidnightDat and RoundRift, which conceal the primary encrypted payload.
First reported: 22.12.2025 08:11 · 1 source, 1 article
- Android Malware Operations Merge Droppers, SMS Theft, and RAT Capabilities at Scale — thehackernews.com — 22.12.2025 08:11
- The malware uses Telegram as the primary platform for coordination and distribution.
First reported: 22.12.2025 08:11 · 1 source, 1 article
- Android Malware Operations Merge Droppers, SMS Theft, and RAT Capabilities at Scale — thehackernews.com — 22.12.2025 08:11
- Wonderland is part of a growing trend of sophisticated Android malware that includes Cellik, Frogblight, and NexusRoute.
First reported: 22.12.2025 08:11 · 1 source, 1 article
- Android Malware Operations Merge Droppers, SMS Theft, and RAT Capabilities at Scale — thehackernews.com — 22.12.2025 08:11