
Marcher

Marcher is an Android banking trojan and password-stealing malware family that has existed since at least 2013. It is used to steal online banking credentials and payment-card data from Android users, including through overlay screens placed on top of legitimate banking applications. Reported capabilities include requesting extensive Android permissions, reading/sending/receiving/writing SMS, initiating calls, reading contacts, accessing location, modifying system settings, locking the device, requesting device administrator privileges, and displaying fake prompts to collect credit card numbers and card verification data.

Proofpoint described a multistage phishing campaign targeting customers of large Austrian banks, including Bank Austria, Raiffeisen Meine Bank, and Sparkasse. Victims received phishing emails with shortened links leading to fake banking pages that harvested credentials and then pushed a fraudulent "security app" for Android; the lure claimed installation was required under EU money laundering guidelines. The delivered APK, observed as "BankAustria.apk," used stolen bank branding, placed a legitimate-looking Bank Austria icon on the home screen, used string obfuscation, and operated as a banking trojan by overlaying legitimate apps. Reported indicators from that campaign include MD5 8dfc01cfed545651e3cf73437ab748dc, fake certificate serial 1c9157d7, certificate SHA1 32:17:E9:7E:06:FE:5D:84:BE:7C:14:0C:C6:2B:12:85:E7:03:9A:5F, phishing landing IPs 47.91.92[.]60, 49.51.37[.]177, 49.51.37[.]247, 47.254.128[.]80, and Marcher C2 IP 185.188.204[.]16.

Marcher has also been observed in fake browser update (web inject) delivery chains. Proofpoint reported that TA2726, assessed to operate a malicious traffic distribution service (TDS), redirected victims to TA2727 infrastructure, where Android users received Marcher while Windows users received Lumma Stealer or DeerStealer and macOS users received FrigidStealer. The same reporting notes that Marcher was delivered to Android hosts via fake update pages in campaigns observed in 2025.

Infrastructure associations include hosting on the Avalanche criminal infrastructure, which supported phishing, malware distribution, and money mule schemes and was linked to around 20 malware families including Marcher. Separate reporting also linked domains registered with the same email address used in a Japanese phishing operation to February-March 2018 attacks involving the Marcher Android banking trojan/password stealer.

Infection vectors reported with high confidence are phishing emails, fake banking portals, fake Android security-app prompts, and fake browser update pages. Targeting is primarily financial, especially banking customers and users of financial institutions on Android devices.
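The indicators quoted above are published in defanged form, so the first thing a detection engineer does is refang them and sweep existing telemetry. The following is an added example (not code from the original page or from Proofpoint) that refangs the campaign IPs and MD5, then matches them against constructed proxy, flow and EDR log lines; the log format and the non-indicator addresses are assumptions made up for the example.

```python
import re
from typing import Dict, List, Set

# Indicators quoted above from the Proofpoint reporting, kept in their
# published defanged form.
DEFANGED_IOCS: Dict[str, List[str]] = {
    "phishing_ip": ["47.91.92[.]60", "49.51.37[.]177", "49.51.37[.]247", "47.254.128[.]80"],
    "c2_ip": ["185.188.204[.]16"],
    "md5": ["8dfc01cfed545651e3cf73437ab748dc"],
}


def refang(value: str) -> str:
    """Reverse common defanging ("[.]", "(.)", "[:]", "hxxp") so the indicator
    can be compared against real telemetry. Comparison is case-insensitive."""
    value = value.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    value = re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)
    return value.lower()


IOCS: Dict[str, Set[str]] = {kind: {refang(v) for v in vals} for kind, vals in DEFANGED_IOCS.items()}

# Constructed sample telemetry (not from the report): proxy, flow and EDR events
# in a loose key=value format. Lines 1, 3 and 4 carry indicators; the internal
# and TEST-NET addresses are filler.
SAMPLE_LOGS = [
    "2025-03-01T10:02:11Z proxy src=10.0.5.23 dst=47.91.92.60 method=GET uri=/login status=200",
    "2025-03-01T10:02:40Z proxy src=10.0.5.23 dst=198.51.100.7 method=GET uri=/ status=200",
    "2025-03-01T10:05:02Z flow src=10.0.5.23 dst=185.188.204.16 dport=80 proto=tcp",
    "2025-03-01T10:05:09Z edr host=android-emu file=BankAustria.apk md5=8DFC01CFED545651E3CF73437AB748DC",
    "2025-03-01T10:06:00Z edr host=android-emu file=update.apk md5=0123456789abcdef0123456789abcdef",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MD5_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")


def extract_observables(line: str) -> Set[str]:
    """Pull every IPv4 address and MD5-shaped token out of a log line, lower-cased."""
    return {m.lower() for m in IPV4_RE.findall(line)} | {m.lower() for m in MD5_RE.findall(line)}


def scan_logs(lines: List[str]) -> List[Dict[str, str]]:
    """Return one hit per (line, indicator) pair, tagged with the indicator's kind."""
    hits = []
    for line in lines:
        seen = extract_observables(line)
        for kind, values in IOCS.items():
            for indicator in sorted(values & seen):
                hits.append({"kind": kind, "indicator": indicator, "line": line})
    return hits


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(f"[{hit['kind']}] {hit['indicator']} <- {hit['line']}")
```

Matching on extracted tokens rather than substring search avoids a hash or IP matching inside a longer hex or numeric field; a hit on the C2 address is a stronger signal than a hit on a phishing landing IP, since the latter may also appear in benign link-preview or scanner traffic.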


THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers.

TA2727

However, if a user was on an Android device, they would be given the same fake update redirect and download instructions, but the payload would be the Marcher banking trojan.

via proofpoint.com
MITRE ATT&CK

Techniques & procedures

16 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

4 techniques
T1189 Drive-by Compromise (evidence: 1)

Typically, an attack chain will consist of three parts: the malicious injects served to website visitors, which are often malicious JavaScript scripts; a traffic distribution service (TDS) responsible for determining what user gets which payload based on a variety of filtering options; and the ultimate payload that is downloaded by the script.

T1566 Phishing (evidence: 2)

The attacks described here begin with a banking credential phishing scheme, followed by an attempt to trick the victim into installing Marcher, and finally with attempts to steal credit card information by the banking Trojan itself.

T1566.001 Spearphishing Attachment (evidence: 1)

They sent more than 1 million e-mails with damaging attachments or links every week to unsuspecting victims.

T1566.002 Spearphishing Link (evidence: 2)

Marcher is frequently distributed via SMS, but in this case, victims are presented with a link in an email. Oftentimes, the emailed link is a bit.ly shortened link, used to potentially evade detection.

Execution

2 techniques
T1204 User Execution (evidence: 2)

The phishing template then presents additional instructions for installing the fake security application... Step 2: Allow installation... check Unknown sources. Step 3: Run installation... tap Install.

T1204.002 Malicious File (evidence: 2)

From this small sample, we see that 7% of visitors clicked through to download the application, which is actually a version of the Marcher banking Trojan named “BankAustria.apk”.

Persistence

1 technique
T1205 Traffic Signaling (evidence: 1)

TA2726 appears to be a traffic seller and operates a TDS that can serve other threat actors to facilitate their malware distribution.

Stealth

3 techniques
T1027 Obfuscated Files or Information (evidence: 1)

Analysis of the malware shows that it uses the common string obfuscation of character replacement (Figure 7).

T1036 Masquerading (evidence: 1)

The link resolves to a URL designed to appear legitimate, with a canonical domain of sicher97140[.]info including the “bankaustria” brand.

T1205 Traffic Signaling (evidence: 1)

TA2726 appears to be a traffic seller and operates a TDS that can serve other threat actors to facilitate their malware distribution.
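The T1036 evidence above describes a phishing domain that carries the "bankaustria" brand string on an unrelated registrable domain. A common defensive check is to flag any observed hostname that contains a watched brand keyword but does not belong to an allowlisted domain. The block below is an added example, not code from the page or from Proofpoint; the allowlist, the subdomain placed under sicher97140[.]info, and the other hostnames are constructed assumptions, and the last-two-labels approximation of the registrable domain is a simplification a production check would replace with the Public Suffix List.

```python
from typing import Dict, Iterable, List, Set

# Brand strings the phishing domain impersonated, per the reporting above.
BRAND_KEYWORDS = ["bankaustria", "raiffeisen", "sparkasse"]

# Registrable domains that may legitimately carry those brands. This allowlist is
# an assumption for illustration, not an authoritative list of the banks' domains.
ALLOWLIST: Set[str] = {"bankaustria.at", "raiffeisen.at", "sparkasse.at"}

# Common digit/punctuation substitutions collapsed before comparison.
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "-": "", "_": ""})


def normalise(host: str) -> str:
    """Lower-case, drop separators and undo simple leetspeak so that
    'b4nk-austr1a.example' compares as 'bankaustriaexample'."""
    return host.lower().replace(".", "").translate(_LEET)


def registrable_domain(host: str) -> str:
    """Approximate the registrable domain as the last two labels. A production
    check should consult the Public Suffix List (e.g. 'co.uk' needs three)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def flag_brand_lookalikes(hosts: Iterable[str],
                          keywords: List[str] = BRAND_KEYWORDS,
                          allowlist: Set[str] = ALLOWLIST) -> List[Dict[str, str]]:
    """Flag hostnames that carry a watched brand string anywhere in the name but
    resolve to a registrable domain outside the allowlist."""
    flagged = []
    for host in hosts:
        reg = registrable_domain(host)
        if reg in allowlist:
            continue
        folded = normalise(host)
        for brand in keywords:
            if brand in folded:
                flagged.append({"host": host, "brand": brand, "registrable": reg})
                break
    return flagged


# Constructed sample of observed hostnames (DNS or proxy logs). Only the
# registrable domain sicher97140.info comes from the report; the subdomain
# and the other names are made up for the example.
SAMPLE_HOSTS = [
    "bankaustria.sicher97140.info",
    "login.bankaustria.at",
    "b4nk-austr1a-login.example.net",
    "sparkasse.at",
    "news.example.org",
]

if __name__ == "__main__":
    for f in flag_brand_lookalikes(SAMPLE_HOSTS):
        print(f"{f['host']}: impersonates '{f['brand']}' outside allowlist ({f['registrable']})")
```

Because the keyword test runs over the whole hostname with separators removed, it catches the brand placed in a subdomain as well as in a registered name; the trade-off is false positives for common-noun brands (a generic term like "sparkasse" appears in many legitimate names), which is why the allowlist and a review step matter more than the heuristic itself.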

Credential Access

5 techniques
T1056 Input Capture (evidence: 1)

In addition to operating as a banking Trojan, overlaying a legitimate banking app with an indistinguishable credential theft page, the malware also asks for credit card information from the user when they open applications such as the Google Play store.

T1056.003 Web Portal Capture (evidence: 1)

The link leads to a phishing page that asks for banking login credentials or an account number and PIN.

T1056.004 Credential API Hooking (evidence: 1)

In addition to operating as a banking Trojan, overlaying a legitimate banking app with an indistinguishable credential theft page...

T1555 Credentials from Password Stores (evidence: 1)

Millions of private and business computer systems were also infected with malware, enabling the criminals operating the network to harvest bank and e-mail passwords.

T1649 Steal or Forge Authentication Certificates (evidence: 2)

This particular application is signed with a fake certificate: Owner: CN=Unknown, OU=Unknown, O=Unknown...
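The T1649 evidence above quotes the signer of the fake APK: a self-signed certificate with placeholder "Unknown" distinguished-name fields, serial 1c9157d7 and the SHA-1 fingerprint listed in the summary. The block below is an added example (not code from the page or from Proofpoint) of how a triage script can parse `keytool -printcert`-style output and rank those signals. The sample text is constructed: only the Owner DN prefix, the serial and the SHA1 line reflect values from the report; the Issuer, validity dates and SHA256 line are invented filler.

```python
import re
from typing import Dict, List, Set

# Signer metadata quoted above: serial and SHA-1 fingerprint of the fake certificate.
KNOWN_BAD_SHA1: Set[str] = {"32:17:E9:7E:06:FE:5D:84:BE:7C:14:0C:C6:2B:12:85:E7:03:9A:5F"}
KNOWN_BAD_SERIAL: Set[str] = {"1c9157d7"}

# Constructed keytool-style output. Owner DN prefix, serial and SHA1 come from the
# report; Issuer, validity and SHA256 are made-up filler for the example.
SAMPLE_PRINTCERT = """\
Owner: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Issuer: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Serial number: 1c9157d7
Valid from: Mon Jan 01 00:00:00 UTC 2018 until: Fri Dec 31 00:00:00 UTC 2045
Certificate fingerprints:
     SHA1: 32:17:E9:7E:06:FE:5D:84:BE:7C:14:0C:C6:2B:12:85:E7:03:9A:5F
     SHA256: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
Signature algorithm name: SHA256withRSA
"""


def parse_printcert(text: str) -> Dict[str, str]:
    """Extract owner, issuer, serial and SHA-1 fingerprint from keytool-style text."""
    fields = {}
    for key, pattern in (
        ("owner", r"^Owner:\s*(.+)$"),
        ("issuer", r"^Issuer:\s*(.+)$"),
        ("serial", r"^Serial number:\s*([0-9a-fA-F]+)"),
        ("sha1", r"SHA1:\s*((?:[0-9A-Fa-f]{2}:){19}[0-9A-Fa-f]{2})"),
    ):
        m = re.search(pattern, text, flags=re.MULTILINE)
        fields[key] = m.group(1).strip() if m else ""
    return fields


def dn_values(dn: str) -> List[str]:
    """Split 'CN=a, OU=b' into its attribute values."""
    return [part.split("=", 1)[1].strip() for part in dn.split(",") if "=" in part]


def triage_signer(cert: Dict[str, str]) -> List[str]:
    """Rank signals: a fingerprint or serial match is strong; a self-signed
    placeholder DN alone is weak, since unsigned debug builds look the same."""
    findings = []
    if cert["sha1"].upper() in {s.upper() for s in KNOWN_BAD_SHA1}:
        findings.append("known_bad_sha1")
    if cert["serial"].lower() in KNOWN_BAD_SERIAL:
        findings.append("known_bad_serial")
    if cert["owner"] and cert["owner"] == cert["issuer"]:
        findings.append("self_signed")
    values = dn_values(cert["owner"])
    if values and all(v.lower() == "unknown" for v in values):
        findings.append("placeholder_dn")
    return findings


if __name__ == "__main__":
    print(triage_signer(parse_printcert(SAMPLE_PRINTCERT)))
```

The ordering of findings reflects their weight: the fingerprint and serial pin this exact signer, while "self_signed" and "placeholder_dn" only say the APK was not signed with the bank's real release key, which is the condition a mobile device management policy can enforce directly by pinning the expected signer fingerprint.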

Discovery

1 technique
T1082 System Information Discovery (evidence: 1)

The actor used filtering to determine what browser the recipient used and downloaded the payload that aligned with their browser.

Collection

3 techniques
T1056 Input Capture (evidence: 1)

In addition to operating as a banking Trojan, overlaying a legitimate banking app with an indistinguishable credential theft page, the malware also asks for credit card information from the user when they open applications such as the Google Play store.

T1056.003 Web Portal Capture (evidence: 1)

The link leads to a phishing page that asks for banking login credentials or an account number and PIN.

T1056.004 Credential API Hooking (evidence: 1)

In addition to operating as a banking Trojan, overlaying a legitimate banking app with an indistinguishable credential theft page...

Command and Control

2 techniques
T1071 Application Layer Protocol (evidence: 2)

185.188.204[.]16 IP Marcher C&C

T1205 Traffic Signaling (evidence: 1)

TA2726 appears to be a traffic seller and operates a TDS that can serve other threat actors to facilitate their malware distribution.

INDICATORS OF COMPROMISE

IOCs tracked for this family

41 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.

Network (23 tracked): IPs, domains, and DNS infrastructure linked to this family.

Hashes (5 tracked): File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Other (13 tracked): Other indicator types observed in public reporting.

Type          Value        Latest sighting
domain        (withheld)   1 year ago
domain        (withheld)   1 year ago
domain        (withheld)   1 year ago
domain        (withheld)   1 year ago
hash.sha256   (withheld)   1 year ago
domain        (withheld)   8 years ago