A sophisticated Android spyware dubbed ResidentBat has emerged, providing the Belarusian KGB with persistent access to the mobile devices of targeted journalists and civil society members. This advanced state-sponsored malware, first detailed in December 2025, has been under development since at least 2021, suggesting years of covert operation before its discovery.
The discovery comes from a joint investigation by Reporters Without Borders (RSF) and RESIDENT.NGO. ResidentBat’s deployment model is highly distinctive and manual, setting it apart from widespread mobile threats. Unlike malware distributed through app stores or phishing links, ResidentBat requires physical access to the target’s Android device for installation.
Attackers use the Android Debug Bridge (ADB) to sideload the spyware's APK directly, grant the permissions it needs by hand, and switch off Google Play Protect so the sideloaded package is not flagged. In the usual case ADB over USB needs USB debugging enabled and the connecting host's key authorised on the device, so the operator needs the handset unlocked for long enough to do that; the authorisation persists until the user revokes it under developer options, which makes an unexpected authorised host on a suspect device worth checking for. This hands-on approach keeps the number of infections low, but it means that every compromised device belongs to someone the Belarusian KGB specifically selected for surveillance.
Once installed, ResidentBat exfiltrates a wide range of sensitive data: SMS messages and call logs, audio recorded from the device's microphone, screenshots, locally stored files, and content from encrypted messaging applications. The analysts also mapped the malware's command-and-control (C2) infrastructure and found a consistent technical fingerprint: self-signed TLS certificates whose subject common name is simply "server" (CN=server), and listeners confined to the narrow port range 7000 to 7257. The C2 infrastructure is used only to receive stolen data, issue operator commands and deliver configuration updates, giving the operators continuous control over infected devices.
ResidentBat's capabilities go beyond simple data theft. Operators can remotely wipe a compromised device through Android's DevicePolicyManager.wipeData, which requires the calling app to be an active device administrator (or device owner), something the hands-on installation makes easy to grant. A single command can therefore destroy evidence or punish a target. As of February 2026, active ResidentBat infrastructure had been identified on ten hosts, located in the Netherlands (5), Germany (2), Switzerland (2) and Russia (1). The malware's C2 configuration is delivered as JSON and carries parameters for the server address, the data upload interval and an immediate-upload flag.
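To check a suspect device for the two installation traits described above (a package sideloaded over ADB with no installer, and a device administrator that can wipe), here is an added triage script. It is not part of the RSF/RESIDENT.NGO report and not ResidentBat's own code. It parses text captured from `adb shell pm list packages -i` and `adb shell dumpsys device_policy`; the sample outputs and package names below are constructed, the `dumpsys device_policy` layout is approximated from memory, and the Play Protect check assumes the `package_verifier_user_consent` global setting is what the disable step flips (-1 meaning off). Treat those three assumptions as things to confirm against your own device before relying on the output.

```python
"""Triage a suspect Android device for ResidentBat-style installation traits:
packages sideloaded over ADB (installer=null), device admins that can wipe,
and Play Protect switched off.  Added example; not the report's tooling.
The sample outputs are constructed and the dumpsys layout is approximate."""
import re

# Constructed stand-in for: adb shell pm list packages -i
PM_OUTPUT = """\
package:com.android.chrome  installer=com.android.vending
package:com.example.notes  installer=null
package:com.whatsapp  installer=com.android.vending
package:org.example.sysupdate  installer=null
"""

# Constructed stand-in for: adb shell dumpsys device_policy (layout assumed)
DEVICE_POLICY_OUTPUT = """\
Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    org.example.sysupdate/.AdminReceiver:
      uid=10245
      testOnlyAdmin=false
      policies:
        force-lock
        wipe-data
    com.example.mdm/.Receiver:
      uid=10301
      testOnlyAdmin=false
      policies:
        force-lock
"""

# Constructed stand-in for: adb shell settings get global package_verifier_user_consent
# (assumption: 1 = Play Protect app verification on, -1 = user turned it off)
VERIFIER_CONSENT = "-1"

PKG_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)\s*$")
ADMIN_RE = re.compile(r"^\s*([A-Za-z][\w.]*)/[\w.$]+:\s*$")   # pkg/.Receiver:
POLICY_RE = re.compile(r"^\s+([a-z][a-z-]*)\s*$")              # e.g. wipe-data


def parse_installers(text):
    """Map package -> installing package, or None when sideloaded (installer=null)."""
    out = {}
    for line in text.splitlines():
        m = PKG_RE.match(line)
        if m:
            pkg, installer = m.groups()
            out[pkg] = None if installer == "null" else installer
    return out


def parse_device_admins(text):
    """Map package -> set of device-admin policies it holds."""
    admins, current, in_policies = {}, None, False
    for line in text.splitlines():
        m = ADMIN_RE.match(line)
        if m:                          # new admin component starts
            current, in_policies = m.group(1), False
            admins[current] = set()
            continue
        if current is None:
            continue
        if line.strip() == "policies:":
            in_policies = True
            continue
        if in_policies:
            pm = POLICY_RE.match(line)
            if pm:
                admins[current].add(pm.group(1))
            else:                      # dedented or non-policy line ends the list
                in_policies = False
    return admins


def play_protect_disabled(consent_value):
    """-1 is assumed to mean the user declined Play Protect app verification."""
    return consent_value.strip() == "-1"


def triage(pm_output=PM_OUTPUT, dp_output=DEVICE_POLICY_OUTPUT, consent=VERIFIER_CONSENT):
    """Combine the three sources into the findings an analyst wants first."""
    installers = parse_installers(pm_output)
    admins = parse_device_admins(dp_output)
    sideloaded = sorted(p for p, i in installers.items() if i is None)
    sideloaded_admins = [p for p in sideloaded if p in admins]
    can_wipe = [p for p in sideloaded_admins if "wipe-data" in admins[p]]
    return {
        "sideloaded": sideloaded,
        "sideloaded_admins": sideloaded_admins,
        "can_wipe": can_wipe,
        "play_protect_disabled": play_protect_disabled(consent),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

A sideloaded package that is also a device admin with the wipe-data policy is the combination to escalate on; a sideloaded package without admin rights is common on developer and enthusiast devices and needs more context.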
C2 Hardening and Detection Evasion Techniques of ResidentBat
A notable characteristic of ResidentBat is the deliberate hardening of its C2 servers, which blunts conventional network-based detection. When researchers probed the servers, every HTTP path returned 200 OK with an entirely empty body, regardless of request content or authentication headers. That uniform response gives a defender analysing HTTP traffic no behavioural signal to work with, so detection has to lean on TLS-layer indicators instead. The one consolation is that the uniformity is itself unusual: a TLS service on a high, non-standard port that answers every path, including nonsense ones, with an empty 200 is an oddity worth recording when it shows up in scan data.
Further contributing to its evasion strategy, the C2 servers return a static or artificially set Date header in HTTP responses, for instance a fixed timestamp such as "Tue, 06 Jan 2026 01:00:00 GMT". This is a deliberate anti-forensics technique: it denies researchers a server clock to correlate responses against, which makes the infrastructure harder to fingerprint and track. The servers also appear to require client-certificate authentication, with the client certificate embedded directly in the APK, and to speak a proprietary protocol that deviates from standard REST patterns; a probe without that certificate therefore only ever sees the unauthenticated path, which is consistent with the empty responses. Server-side device allowlisting further ensures that only pre-approved devices can interact meaningfully with the C2. Across the probed infrastructure, five distinct certificate SHA-256 fingerprints were observed, some of them reused across multiple IP and port combinations. That reuse might look like an operational slip, but its practical value is to security researchers: once a single endpoint has been identified, any other host presenting the same fingerprint can be clustered with it and tracked as related infrastructure.
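The indicators in this section and in the C2 description above (ports 7000 to 7257, self-signed CN=server, empty 200 on every path, a static Date header, certificate reuse across endpoints) combine naturally into a scoring and clustering pass over scan results. The following is an added example of that pass, not the researchers' tooling; the probe records are constructed, the IP addresses are documentation ranges, the SHA-256 values are placeholders, and the 24-hour skew threshold is my own choice.

```python
"""Score TLS/HTTP probe results against the ResidentBat C2 fingerprint and
cluster endpoints by certificate reuse.  Added example, not the researchers'
tooling; every probe record below is constructed, not a real observation."""
from collections import defaultdict
from datetime import datetime
from email.utils import parsedate_to_datetime

C2_PORTS = range(7000, 7258)   # reported port range 7000-7257, inclusive
C2_CERT_CN = "server"          # reported self-signed certificate subject CN
DATE_SKEW_LIMIT_H = 24         # assumption: Date further off than this is suspicious


def probe(ip, port, sha256, path, probed_at, date,
          cn=C2_CERT_CN, self_signed=True, status=200, body_len=0):
    """Build one probe record (values are constructed for this example)."""
    return dict(ip=ip, port=port, sha256=sha256, path=path, probed_at=probed_at,
                date=date, cn=cn, self_signed=self_signed, status=status,
                body_len=body_len)


STATIC_DATE = "Tue, 06 Jan 2026 01:00:00 GMT"
CERT_A = "aa" * 32   # placeholder SHA-256 hex, reused on two endpoints
CERT_B = "bb" * 32   # placeholder SHA-256 hex for the benign server

SAMPLE_PROBES = [  # constructed
    # the same endpoint probed twice, a day apart, on different paths
    probe("203.0.113.10", 7100, CERT_A, "/", "2026-02-10T12:00:00+00:00", STATIC_DATE),
    probe("203.0.113.10", 7100, CERT_A, "/login", "2026-02-11T08:30:00+00:00", STATIC_DATE),
    # a second host on another port presenting the same certificate
    probe("198.51.100.7", 7201, CERT_A, "/", "2026-02-11T09:00:00+00:00", STATIC_DATE),
    # an ordinary web server for contrast: real clock, 404 on unknown paths
    probe("192.0.2.55", 443, CERT_B, "/", "2026-02-10T12:00:00+00:00",
          "Tue, 10 Feb 2026 12:00:01 GMT", cn="www.example.org",
          self_signed=False, status=404, body_len=1234),
]


def date_skew_hours(p):
    """Hours between the server's Date header and when the probe was sent."""
    served = parsedate_to_datetime(p["date"])
    probed = datetime.fromisoformat(p["probed_at"])
    return abs((probed - served).total_seconds()) / 3600


def score_probe(p):
    """Return (score, reasons) for a single probe; one point per indicator."""
    reasons = []
    if p["port"] in C2_PORTS:
        reasons.append("port in 7000-7257")
    if p["self_signed"] and p["cn"] == C2_CERT_CN:
        reasons.append("self-signed certificate with CN=server")
    if p["status"] == 200 and p["body_len"] == 0:
        reasons.append("empty 200 OK on %s" % p["path"])
    if date_skew_hours(p) > DATE_SKEW_LIMIT_H:
        reasons.append("Date header more than %d h from probe time" % DATE_SKEW_LIMIT_H)
    return len(reasons), reasons


def score_endpoints(probes):
    """Aggregate per ip:port.  Repeated probes at different times that all
    carry the identical Date header earn an extra point for a static clock."""
    by_ep = defaultdict(list)
    for p in probes:
        by_ep["%s:%d" % (p["ip"], p["port"])].append(p)
    result = {}
    for ep, ps in by_ep.items():
        score = max(score_probe(p)[0] for p in ps)
        reasons = {r for p in ps for r in score_probe(p)[1]}
        if len({p["date"] for p in ps}) == 1 and len({p["probed_at"] for p in ps}) > 1:
            score += 1
            reasons.add("identical Date header across probes")
        result[ep] = {"score": score, "reasons": sorted(reasons)}
    return result


def cluster_by_cert(probes):
    """Group endpoints by certificate SHA-256; a fingerprint on more than
    one ip:port ties those endpoints to the same operator."""
    clusters = defaultdict(set)
    for p in probes:
        clusters[p["sha256"]].add("%s:%d" % (p["ip"], p["port"]))
    return {fp: sorted(eps) for fp, eps in clusters.items()}


if __name__ == "__main__":
    for ep, info in score_endpoints(SAMPLE_PROBES).items():
        print(ep, info["score"], "; ".join(info["reasons"]))
    for fp, eps in cluster_by_cert(SAMPLE_PROBES).items():
        if len(eps) > 1:
            print("cert %s... reused on %s" % (fp[:12], ", ".join(eps)))
```

The static-Date check only fires when an endpoint has been probed at least twice at different times, which is why the second probe of 203.0.113.10:7100 matters; a single probe can only say the Date is far from the wall clock, not that it never moves. The certificate clustering is the part that survives even if the operators change ports or the HTTP behaviour.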
The ongoing presence of malware like ResidentBat underscores the evolving tactics used by state-sponsored actors to conduct surveillance. The technical sophistication of this spyware, including its manual deployment and robust C2 evasion techniques, highlights the challenges faced by security professionals and targeted individuals in protecting sensitive data. Future efforts will likely focus on developing more resilient detection methods capable of identifying such stealthy threats and enhancing the security of mobile devices against advanced persistent threats.

