A novel Android spyware known as ResidentBat has been traced back to the Belarusian KGB, offering state agents extensive access to the mobile devices of journalists and members of civil society. This discovery underscores the persistent threat posed by government-linked cyber surveillance.
Development and Discovery
Unveiled to the public in December 2025, ResidentBat was the focus of a collaborative investigation by Reporters Without Borders (RSF) and RESIDENT.NGO. The malware’s coding history indicates it might have been under development since 2021, operating clandestinely long before its official exposure.
ResidentBat’s deployment model sets it apart from typical mobile malware. It is not delivered through malicious links or trojanised apps; installation requires physical access to the target’s Android device. Operators sideload the spyware with the Android Debug Bridge (ADB), then grant its permissions by hand and disable Google Play Protect so the install is not flagged. The physical-access requirement means every infection is a deliberate, hands-on operation against a selected target rather than opportunistic mass infection.
Capabilities and Infrastructure
Once installed, ResidentBat can capture a wide range of sensitive data: SMS messages, call logs, audio recordings, screenshots and the content of encrypted messaging apps, which it reads on the handset after decryption rather than by breaking the encryption. Analysts at Censys mapped the malware’s command-and-control (C2) infrastructure and found a consistent pattern: self-signed TLS certificates and a narrow range of listening ports, on which the servers receive exfiltrated data and issue commands.
Beyond data theft, ResidentBat lets its operators remotely erase everything on a compromised device through Android’s DevicePolicyManager.wipeData, whether to destroy evidence or to punish the target. That call only succeeds for an app holding active device-administrator rights, which fits the manual permission-granting already described. As of February 2026, active infrastructure was observed in several countries, including the Netherlands, Germany, Switzerland and Russia, with a notable share hosted on Russian autonomous systems.
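A hands-on ADB install and the device-admin rights that wipeData needs both leave traces that can be checked with stock adb tooling. The Python triage script below is an added example written for this article, not code from RSF, RESIDENT.NGO or Censys: it parses the output of `adb shell dumpsys package`, `adb shell dumpsys device_policy` and `adb shell settings get global package_verifier_user_consent`, and flags packages that were installed outside the Play Store, escalating those that also hold the device-admin wipe-data policy. The sample dumps embedded in it are constructed to mimic the shape of that output (package names, uids and the exact line layout are assumptions), and `collect_from_device` is hypothetical glue around those adb commands.

```python
import re
import subprocess
from dataclasses import dataclass

# Installer values that mean "not from the Play Store": `adb install` leaves the installer
# unset (printed as null) or records the shell as the installer on some builds.
SIDELOAD_INSTALLERS = {None, "null", "com.android.shell"}
STORE_INSTALLERS = {"com.android.vending"}

# Constructed excerpts (package names, uids and layout are assumptions that mimic the shape
# of `dumpsys package` and `dumpsys device_policy`; not output from a real device).
SAMPLE_DUMPSYS_PACKAGE = """\
Packages:
  Package [com.android.chrome] (a1b2c3):
    userId=10109
    installerPackageName=com.android.vending
  Package [com.sys.update] (d4e5f6):
    userId=10231
    installerPackageName=null
  Package [org.example.notes] (778899):
    userId=10150
    installerPackageName=com.android.shell
"""
SAMPLE_DUMPSYS_DEVICE_POLICY = """\
Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.sys.update/.AdminReceiver:
      uid=10231
      policies:
        wipe-data
        force-lock
"""
SAMPLE_VERIFIER_CONSENT = "-1"  # what `settings get global package_verifier_user_consent` printed


@dataclass(frozen=True)
class Finding:
    severity: str
    package: str
    reason: str


def parse_installers(dump):
    """Map package name -> installerPackageName (None if the dump shows no installer line)."""
    installers, current = {}, None
    for line in dump.splitlines():
        m = re.match(r"\s*Package \[([\w.]+)\]", line)
        if m:
            current = m.group(1)
            installers[current] = None
            continue
        m = re.match(r"\s*installerPackageName=(\S+)", line)
        if m and current:
            installers[current] = m.group(1)
    return installers


def parse_device_admins(dump):
    """Map package name -> policies for each enabled device admin (receiver lines look like pkg/.Receiver:)."""
    admins, current, in_policies = {}, None, False
    for line in dump.splitlines():
        m = re.match(r"\s*([\w.]+)/[\w.$]+:\s*$", line)
        if m:
            current, in_policies = m.group(1), False
            admins[current] = []
            continue
        if current is None:
            continue
        if line.strip() == "policies:":
            in_policies = True
            continue
        m = re.match(r"\s+([a-z-]+)\s*$", line) if in_policies else None
        if m:
            admins[current].append(m.group(1))
        else:
            in_policies = False
    return admins


def play_protect_disabled(consent_value):
    """-1 records that on-install app verification (Play Protect) was declined; 1 means it is on."""
    return consent_value.strip() == "-1"


def triage(pkg_dump, dp_dump, consent_value):
    """Findings in package order, followed by device-wide findings."""
    findings = []
    admins = parse_device_admins(dp_dump)
    for pkg, installer in parse_installers(pkg_dump).items():
        if installer in STORE_INSTALLERS:
            continue
        if installer not in SIDELOAD_INSTALLERS:
            findings.append(Finding("LOW", pkg, "installed by non-store installer %s" % installer))
        elif "wipe-data" in admins.get(pkg, []):
            findings.append(Finding("HIGH", pkg, "sideloaded (installer=%s) and holds device-admin wipe-data" % installer))
        else:
            findings.append(Finding("MEDIUM", pkg, "sideloaded (installer=%s)" % installer))
    if play_protect_disabled(consent_value):
        findings.append(Finding("HIGH", "<device>", "Play Protect install verification disabled (package_verifier_user_consent=-1)"))
    return findings


def collect_from_device(serial=None):
    """Hypothetical glue: run the three adb commands against a connected device and triage the result."""
    adb = ["adb"] + (["-s", serial] if serial else [])

    def run(*args):
        return subprocess.run(adb + ["shell", *args], capture_output=True, text=True, check=True).stdout

    return triage(run("dumpsys", "package"), run("dumpsys", "device_policy"),
                  run("settings", "get", "global", "package_verifier_user_consent"))


if __name__ == "__main__":
    for f in triage(SAMPLE_DUMPSYS_PACKAGE, SAMPLE_DUMPSYS_DEVICE_POLICY, SAMPLE_VERIFIER_CONSENT):
        print(f.severity, f.package, f.reason)
```

A non-store installer on its own is only a weak signal (many users sideload legitimately); the combination of a sideloaded package, an active device-admin receiver with wipe-data, and verification switched off is what should trigger a closer look at the APK itself.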
Evading Detection
ResidentBat’s C2 servers are hardened against content-based probing. Whatever path, method or parameters a scanner sends, they answer 200 OK with an empty body, so there is no banner, error page or application response to fingerprint. That pushes detection toward TLS-layer indicators such as the certificates themselves.
The servers also return static or artificial timestamps in HTTP responses, which hampers timeline reconstruction during forensic analysis. Client-certificate authentication, with the client certificate embedded in the APK, and a proprietary protocol on top of TLS further limit what an unauthenticated scanner can learn. Researchers identified five distinct certificate SHA-256 fingerprints; once a single endpoint is found, those fingerprints let analysts pivot to related infrastructure that reuses the same certificates.
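The server-side traits described in the last two sections (self-signed certificates, uniform empty 200 responses, frozen Date headers) and the fingerprint watchlist can be checked mechanically. The Python below is an added example, not Censys’s tooling or the researchers’ code: it takes a peer certificate in the dict shape Python’s `ssl` module returns from `getpeercert()`, a fingerprint string as printed by `openssl x509 -noout -fingerprint -sha256`, and a few timed HTTP probe responses, and reports which indicators apply. Every input embedded in it is constructed; the fingerprint and watchlist entry are placeholders, not the five real fingerprints, which the article does not list.

```python
import hashlib
import re
from datetime import datetime, timedelta, timezone
from email.parser import Parser
from email.utils import parsedate_to_datetime

# Constructed inputs, not real ResidentBat artefacts. The watchlist entry is a placeholder in
# the lowercase-hex form scanners index; the observed value is in the colon-separated form
# `openssl x509 -noout -fingerprint -sha256` prints.
WATCHLIST = {"0123456789abcdef" * 4}
OBSERVED_FINGERPRINT = "SHA256 Fingerprint=" + ":".join(["01", "23", "45", "67", "89", "AB", "CD", "EF"] * 4)

# Peer certificate in the dict shape ssl.SSLSocket.getpeercert() returns (issuer == subject).
SAMPLE_CERT = {
    "subject": ((("commonName", "localhost"),),),
    "issuer": ((("commonName", "localhost"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2034 GMT",
}

# Three timed probes with different methods and paths; every reply is 200 with an empty body
# and the same frozen Date header (constructed raw responses).
_FROZEN = "HTTP/1.1 200 OK\r\nDate: Thu, 01 Jan 2015 00:00:00 GMT\r\nContent-Length: 0\r\n\r\n"
PROBES = [
    {"sent_at": datetime(2026, 2, 10, 10, 0, tzinfo=timezone.utc), "request": "GET / HTTP/1.1", "raw": _FROZEN},
    {"sent_at": datetime(2026, 2, 10, 10, 5, tzinfo=timezone.utc), "request": "POST /api/register HTTP/1.1", "raw": _FROZEN},
    {"sent_at": datetime(2026, 2, 10, 10, 10, tzinfo=timezone.utc), "request": "GET /does-not-exist HTTP/1.1", "raw": _FROZEN},
]


def fingerprint_from_der(der):
    """SHA-256 over the DER encoding, which is what scanners and openssl report."""
    return hashlib.sha256(der).hexdigest()


def normalise_fingerprint(fp):
    """Accept 'SHA256 Fingerprint=AB:CD:..', 'ab:cd:..' or bare hex; return 64 lowercase hex chars."""
    digits = re.sub(r"[^0-9a-fA-F]", "", fp.split("=", 1)[-1]).lower()
    if len(digits) != 64:
        raise ValueError("not a SHA-256 fingerprint: %r" % fp)
    return digits


def is_self_signed(cert):
    """Self-signed leaf: issuer name equals subject name (no chain validation attempted)."""
    return bool(cert.get("subject")) and cert.get("subject") == cert.get("issuer")


def parse_http_response(raw):
    """Split a raw HTTP/1.x response into (status, headers as an email Message, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, _, header_block = head.partition("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError("malformed status line: %r" % status_line)
    return int(parts[1]), Parser().parsestr(header_block), body


def http_indicators(probes, max_skew=timedelta(hours=24)):
    """Indicators from timed probes: uniform empty 200s, identical Date headers, Date far from wall clock."""
    found = []
    parsed = [parse_http_response(p["raw"]) for p in probes]
    if len({p["request"] for p in probes}) > 1 and all(s == 200 and b == "" for s, _, b in parsed):
        found.append("uniform-empty-200")
    dates, skewed = [], False
    for p, (_, headers, _) in zip(probes, parsed):
        if headers.get("Date") is None:
            continue
        d = parsedate_to_datetime(headers["Date"])
        dates.append(d)
        skewed = skewed or abs(d - p["sent_at"]) > max_skew
    if len(dates) > 1 and len(set(dates)) == 1:
        found.append("static-date-header")
    if skewed:
        found.append("date-header-skew")
    return found


def assess(cert, fingerprint, probes, watchlist=WATCHLIST):
    """Combine certificate and HTTP indicators for one host into an ordered list of tags."""
    indicators = []
    if is_self_signed(cert):
        indicators.append("self-signed-cert")
    if normalise_fingerprint(fingerprint) in watchlist:
        indicators.append("fingerprint-watchlist-hit")
    indicators.extend(http_indicators(probes))
    return indicators


if __name__ == "__main__":
    print(assess(SAMPLE_CERT, OBSERVED_FINGERPRINT, PROBES))
```

Note that a self-signed certificate and empty 200 responses are common on plenty of benign hosts; the fingerprint match is the precise pivot, and the HTTP traits are there to rank candidates found by that pivot, not to identify C2 on their own. When capturing live data, `getpeercert()` returns an empty dict under `CERT_NONE`, so for a self-signed server the DER form (`getpeercert(binary_form=True)`) is what you hash with `fingerprint_from_der`.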
