Introduction
In October 2025, Group-IB specialists detected a new wave of malware attacks targeting users in Uzbekistan. This research provides an in-depth overview of the findings: how the malware is evolving, which distribution schemes are being used by threat actors, and how they are adapting to modern Android protection mechanisms.
A key shift in attacker tactics is the transition from direct delivery of trojans to a stealthier distribution model. Previously, users received “pure” trojan APKs that acted as malware immediately upon installation. Now, adversaries increasingly deploy droppers disguised as legitimate applications. The dropper looks harmless on the surface but contains a built-in malicious payload, which is deployed locally after installation – even without an active internet connection. In other words, instead of searching for the trojan itself, defenders should focus on dropper artifacts capable of installing the trojan silently on the device. This report outlines the architecture of this scheme, its delivery vectors, and the threat actors’ updated internal mechanisms.
This evolution significantly increases the resilience of malicious campaigns against traditional protection methods. Adaptive environment checks – such as emulator detection, installed app scanning, geolocation validation, or debug flag inspection – combined with encrypted payload storage in the assets folder and custom unpacking routines, make both static and dynamic analysis more complex.
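To make the “encrypted payload in the assets folder” artifact concrete, here is an added triage script (example code written for this section, not Group-IB tooling or any sample described in the report). It opens an APK as a ZIP archive, measures the Shannon entropy of every file under assets/, and flags entries that either carry a DEX, ZIP or ELF magic header or look like ciphertext. The sample APK is constructed inline with random bytes standing in for an encrypted payload; the 7.5 bits/byte threshold, the 1 KiB minimum size and the magic list are assumptions chosen for illustration.

```python
"""Static triage of an APK for dropper artifacts hidden under assets/.
Added example for this section; not Group-IB tooling."""
import io
import math
import os
import zipfile
from collections import Counter

# Assumption: data above this entropy (max 8.0 bits/byte) is treated as
# encrypted or compressed; only blobs of at least MIN_SIZE bytes are scored
# so that tiny config files do not trip the heuristic.
ENTROPY_THRESHOLD = 7.5
MIN_SIZE = 1024

# Magic bytes of payload containers a dropper might unpack from assets/.
MAGICS = {
    b"dex\n": "raw DEX file",
    b"PK\x03\x04": "ZIP/APK/JAR archive",
    b"\x7fELF": "ELF native library",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte for a buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify_blob(data: bytes) -> list[str]:
    """Return the reasons (possibly none) why this asset looks like a payload."""
    reasons = []
    for magic, label in MAGICS.items():
        if data.startswith(magic):
            reasons.append(f"starts with {label} magic")
    ent = shannon_entropy(data)
    if len(data) >= MIN_SIZE and ent >= ENTROPY_THRESHOLD:
        reasons.append(f"high entropy ({ent:.2f} bits/byte)")
    return reasons


def triage_apk(apk_bytes: bytes) -> dict[str, list[str]]:
    """Scan every file under assets/ and return {entry_name: reasons}.

    Entries outside assets/ (classes.dex, the manifest, resources) are
    skipped: the point is to find payloads stored where a plain app would
    keep static data."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.startswith("assets/"):
                continue
            reasons = classify_blob(zf.read(info))
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_apk() -> bytes:
    """Constructed sample: an APK-shaped ZIP with one benign text asset and
    one blob of random bytes standing in for an encrypted trojan APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<placeholder/>")
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
        zf.writestr("assets/config.json", b'{"lang": "uz", "theme": "light"}\n')
        zf.writestr("assets/fonts/data.bin", os.urandom(4096))
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in triage_apk(build_sample_apk()).items():
        print(name, "->", "; ".join(reasons))
```

Treat a hit as a lead for an analyst, not a verdict: legitimately compressed assets (PNG, MP3, font files) also score close to 8 bits/byte, and a dropper may XOR, split or rename its payload so that no magic is visible until the custom unpacking routine runs. The script complements, rather than replaces, dynamic unpacking of the dropper.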
This report describes one of the threat actor groups we track, along with the tools it uses, including droppers and Wonderland, a previously unknown Android SMS stealer, to highlight a new step in the regional malware landscape. Wonderland introduces bidirectional command-and-control (C2) communication for real-time command execution, allowing arbitrary USSD requests and SMS sending. Special thanks to Martijn van den Berk for contributing to the technical analysis.
Group-IB analysts also take a closer look at the local context: why users in Uzbekistan have become the primary target, what social engineering tactics are used to lure victims, and which types of applications are commonly impersonated by droppers. The following sections of the report will break down the technical details of the observed samples, attack flow, and actionable defense strategies.
Key discoveries
Two types of droppers are most commonly used in the campaigns.
Telegram remains a key distribution vector for Android SMS stealers in Uzbekistan.
Cybercriminals adapt to defense mechanisms by utilizing droppers and changing network infrastructure.
A new malware family, dubbed “Wonderland”, has been discovered: the first mass-spreading Android SMS stealer in Uzbekistan with two-way command-and-control (C2) communication.
Who may find this blog interesting:
Cybersecurity analysts
Fraud analysts
Malware researchers and reverse engineers
Threat intelligence analysts and specialists
Law enforcement investigators
Group-IB Threat Intelligence Portal: TrickyWonders
Group-IB customers can access our Threat Intelligence portal for more information about the threat actors and malware described in this report:
Threat Actors:
TrickyWonders
Blazefang
Ajina
Malware:
Wonderland
MidnightDat
RoundRift
Qwizzserial
Ajina.Banker