# mParivahan Phishing & Malware Campaign — Investigation Report

**Report Reference:** CIIR-2026-0503-001  
**Date of Report:** 03 May 2026  
**Date of Incident:** 02 May 2026 (SMS received); phishing sites active since 18 April 2026  
**Incident Classification:** Phishing / Malware Distribution / Government Service Impersonation  
**Threat Severity:** **CRITICAL** — Active credential harvesting and Android spyware distribution  
**Reporter:** Independent Security Researcher  

---

## Executive Summary

An active phishing campaign impersonating the Government of India's eChallan/mParivahan service is targeting Indian vehicle owners. The attack chain begins with SMS messages spoofing sender ID `57575711` (legitimate NIC short code), directing recipients to typosquatted domains that ultimately serve a weaponized Android APK. 

**Key Findings:**

| Finding | Details |
|---------|---------|
| **Campaign Family** | NexusRoute — professionally maintained Android malware/phishing operation |
| **Packing Tool** | NP Manager (Gymkhana Studio) — commercial APK obfuscation SaaS |
| **APK Detections** | 12/64 vendors flagged as malicious (trojan, banker, dropper) |
| **Signing Certificate** | Forged identity "Priya Kumari, PK Developers, Punjab" with 100-year validity |
| **C2 Channel** | Google APIs (infinitedata-pa.googleapis.com) — blends with normal traffic |
| **GitHub Downloads** | 236+ downloads of malicious APK |
| **Additional Active Domains** | 8+ confirmed live phishing domains serving same lure |
| **Credential Harvest** | Full web fraud stack (UPI, card, netbanking) on secondary domains |

---

## Attack Chain

```
[SMS from 57575711 (spoofed)]
         ↓
[mparivahangov.bond] — 301 redirect
         ↓
[mparivahanorg.help] — Landing page (APK download only)
         ↓
[GitHub: m2proxd-spec/v1] — APK download
         ↓
[Nextgen_mParivahan.apk] — Packed Android RAT (8.4 MB)
```

**Secondary Web Fraud Branch (on other domains):**

```
[rtochallan*.shop/.store/.space] → vahical.php → us.php
         ↓
[Mobile + Vehicle credential capture]
         ↓
[UPI/Card/Netbanking payment pages]
         ↓
[save_login.php, save_upi.php, save_netbanking.php]
```

---

## Indicators of Compromise (IOCs)

### Domains

| Domain | IP | Registered | Status | Type |
|--------|----|-----------|--------|------|
| mparivahanorg.help | 64.187.97.204 | 25 Apr 2026 | ACTIVE | APK delivery |
| mparivahangov.bond | 45.77.92.157 | 01 May 2026 | ACTIVE | APK delivery |
| rtochallan09363737.store | - | - | ACTIVE | Web fraud |
| rtochallan55354587558888.store | - | - | ACTIVE | Web fraud |
| rtochallan78658857846758855.space | - | - | ACTIVE | Web fraud |
| rtochallan83937383839282.shop | - | - | ACTIVE | Web fraud |
| rtochallan9087654532.store | - | - | ACTIVE | Web fraud |
| rtochallan1239542138464.shop | - | - | ACTIVE | Web fraud |
| kisandost.online | - | - | ACTIVE | Web fraud |
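The domain table above is most useful when it is turned into detection logic. The following is an added example (written for this report, not tooling from the investigation itself) that scans resolver or proxy log lines for the listed domains and IPs, and additionally flags the `rtochallan<digits>.<shop|store|space>` naming scheme so freshly rotated domains of the same shape surface too. The log format (`<timestamp> <client-ip> <query-name> <resolved-ip>`), the `SAMPLE_LOG` lines, and the non-IOC addresses in them are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Domains copied from the report's IOC table.
IOC_DOMAINS = {
    "mparivahanorg.help",
    "mparivahangov.bond",
    "rtochallan09363737.store",
    "rtochallan55354587558888.store",
    "rtochallan78658857846758855.space",
    "rtochallan83937383839282.shop",
    "rtochallan9087654532.store",
    "rtochallan1239542138464.shop",
    "kisandost.online",
}

# The two hosting IPs the report resolves for the APK-delivery domains.
IOC_IPS = {"64.187.97.204", "45.77.92.157"}

# Generalisation of the observed rtochallan naming scheme (digits + one of
# the three TLDs seen), so rotated domains are caught before they are listed.
RTOCHALLAN_PATTERN = re.compile(r"^rtochallan\d+\.(?:shop|store|space)$")

# Assumed log layout for this example: "<timestamp> <client-ip> <qname> <answer-ip>".
LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


@dataclass
class Hit:
    line_no: int
    client: str
    indicator: str
    reason: str


def classify(qname: str, answer: str) -> Optional[str]:
    """Return a reason string if the query or its answer matches an IOC."""
    qname = qname.lower().rstrip(".")
    if qname in IOC_DOMAINS:
        return "known IOC domain"
    if RTOCHALLAN_PATTERN.match(qname):
        return "matches rtochallan rotation pattern"
    if answer in IOC_IPS:
        return "resolves to IOC IP"
    return None


def scan(lines: List[str]) -> List[Hit]:
    """Scan log lines and return one Hit per matching line."""
    hits = []
    for n, line in enumerate(lines, start=1):
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed layout
        _ts, client, qname, answer = m.groups()
        reason = classify(qname, answer)
        if reason:
            hits.append(Hit(n, client, qname, reason))
    return hits


# Constructed sample log; the benign lines use documentation-range IPs.
SAMPLE_LOG = [
    "2026-05-02T10:14:03Z 10.0.0.12 www.example.com 203.0.113.1",
    "2026-05-02T10:15:11Z 10.0.0.12 mparivahangov.bond 45.77.92.157",
    "2026-05-02T10:15:12Z 10.0.0.12 mparivahanorg.help 64.187.97.204",
    "2026-05-02T10:20:45Z 10.0.0.31 rtochallan4455667788.shop 203.0.113.9",
    "2026-05-02T10:21:00Z 10.0.0.31 parivahan.gov.in 203.0.113.50",
    "2026-05-02T10:22:30Z 10.0.0.40 cdn.example.net 64.187.97.204",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.client} -> {hit.indicator} ({hit.reason})")
```

The pattern match is deliberately narrow (literal `rtochallan` prefix, digits, one of the three observed TLDs) so it stays actionable without flagging the legitimate `parivahan.gov.in` traffic in the sample. A hit on the IP check alone (last sample line) is weaker evidence than a domain hit, since shared hosting can put unrelated names on the same address; treat it as a pivot, not a verdict.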

### APK Hashes

| Hash Type | Value |
|-----------|-------|
| SHA256 | `94d2944c23049faec921ccd8d0bd3a6f9f3bb5b40433626e496f198a3df4b06f` |
| SHA1 | `4d300818094e6c9872661a8a39a46ce0a6670928` |
| MD5 | `26823bcc4a212fcece0cd6b76d11208a` |
| VHASH | `8f25386083fd9dd06400538a5bdfb94d` |
| SSDeep | `196608:IAKFrgXBAXG9qUVzcH9+KOC6qsx5yHA2oz018kvCE7:bKFr+cuX3FqF5or4` |
| TLSH | `T12D960194FF899A2AC4FA477A4836433A62F7AD018B43C3D75944B638EC775E44F18AC4` |

### Signing Certificate

| Field | Value |
|-------|-------|
| Subject | CN=Priya Kumari, OU=Android Dev, O=PK Developers, L=Punjab, ST=Punjab, C=IN |
| Issuer | CN=Priya Kumari (self-signed) |
| Serial | 38c0ce77 |
| Thumbprint | 8b6639f5e5797aa34b519dba447f1f450a3a5107 |
| Valid From | 2026-04-01 |
| Valid To | 2126-03-08 (100-year validity) |
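The certificate fields above can be checked mechanically when triaging related samples. Below is an added example (not part of the report's own analysis) that parses the subject and issuer DNs, computes the validity window, and compares the thumbprint against the one listed here, so any other APK signed with the same key is linked back to this campaign. The 50-year sanity threshold is an assumption chosen for the example: Android release keys are commonly issued for 25 to 30 years, so a century-long window stands out, while self-signing by itself is normal for Android and is reported but not counted as an anomaly.

```python
from datetime import date
from typing import Dict, List

# Values copied from the report's signing-certificate table.
CERT = {
    "subject": "CN=Priya Kumari, OU=Android Dev, O=PK Developers, L=Punjab, ST=Punjab, C=IN",
    "issuer": "CN=Priya Kumari",
    "serial": "38c0ce77",
    "thumbprint": "8b6639f5e5797aa34b519dba447f1f450a3a5107",
    "not_before": "2026-04-01",
    "not_after": "2126-03-08",
}

# Assumed threshold for this example (see lead-in); not a value from the report.
MAX_SANE_YEARS = 50

# Signing-key thumbprints already attributed to the campaign (from the report).
KNOWN_BAD_THUMBPRINTS = {CERT["thumbprint"].lower()}


def parse_dn(dn: str) -> Dict[str, str]:
    """Split a comma-separated DN such as 'CN=x, O=y' into a dict of attributes."""
    out: Dict[str, str] = {}
    for part in dn.split(","):
        key, _, value = part.strip().partition("=")
        if key:
            out[key.strip()] = value.strip()
    return out


def validity_days(not_before: str, not_after: str) -> int:
    """Number of days between the two ISO dates of the validity window."""
    return (date.fromisoformat(not_after) - date.fromisoformat(not_before)).days


def assess(cert: Dict[str, str]) -> Dict[str, object]:
    """Summarise the certificate and list the properties worth escalating."""
    days = validity_days(cert["not_before"], cert["not_after"])
    years = days / 365.25
    subject = parse_dn(cert["subject"])
    issuer = parse_dn(cert["issuer"])
    anomalies: List[str] = []

    if years > MAX_SANE_YEARS:
        anomalies.append(
            f"validity of {years:.1f} years exceeds the {MAX_SANE_YEARS}-year threshold"
        )
    known_bad = cert["thumbprint"].lower() in KNOWN_BAD_THUMBPRINTS
    if known_bad:
        anomalies.append("thumbprint matches a signing key attributed to NexusRoute")

    return {
        "validity_years": round(years, 2),
        "self_signed": subject.get("CN") == issuer.get("CN"),
        "organisation": subject.get("O"),
        "known_bad": known_bad,
        "anomalies": anomalies,
    }


if __name__ == "__main__":
    for key, value in assess(CERT).items():
        print(f"{key}: {value}")
```

In practice the thumbprint comparison is the high-value check: operators tend to reuse one key across a campaign's APKs, so a match ties a newly observed sample to this report even when the package name, icon and domain set have all changed.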

### Contacted IPs (from VT Dynamic Analysis)

| IP | Owner | Detections | Purpose |
|----|-------|-----------|---------|
| 104.21.64.137 | Cloudflare | 0/91 | Phishing domain CDN |
| 172.67.151.52 | Cloudflare | 0/91 | Phishing domain CDN |
| 142.251.152.119 | Google | 1/91 | C2 (infinitedata-pa.googleapis.com) |
| 173.194.193.138 | Google | 0/91 | Google CDN |
| 173.194.194.94 | Google | 0/91 | Google CDN |
| 173.194.206.106 | Google | 0/91 | Google CDN |
| 74.125.202.95 | Google | 0/91 | Google CDN |

---

## Supply Chain Analysis

### NP Manager — The Packing Tool

The APK is packed using **NP Manager** (aka NP Shell Protection), a commercial Android APK obfuscation tool developed by a Chinese developer alias "吹牛儿" (Gymkhana Studio).

**Evidence:**
- Native library: `libnp_protect_res.so`
- Embedded email: `gymkhana.studio@gmail.com`
- Runtime linker chain: `libnp_protect_res.so → Java_np_protect_assets_ShellApplication_n → xhook (PLT hooking) → /proc/self/maps → DtcLoader`

**Verification:**
- CYFIRMA Research (Dec 2025) directly links `gymkhana.studio@gmail.com` to NexusRoute
- NP Manager Telegram: https://t.me/s/npmanagerall (4,600+ subscribers)
- Sold as VIP service for anti-analysis

**Conclusion:** The NexusRoute operators are **customers** of NP Manager's packing service, not the tool developers themselves. NP Manager is a dual-use tool — legitimate developers use it for IP protection, while malware operators use it to evade detection.

---

## Threat Actor Profile: NexusRoute

| Attribute | Value |
|-----------|-------|
| **Name** | NexusRoute |
| **Sophistication** | Professional / Organized Crime |
| **Motivation** | Financial fraud (UPI theft, banking credential harvesting) |
| **Targets** | Indian Android users, specifically vehicle owners |
| **First Seen** | December 2025 (CYFIRMA report) |

### Capabilities

- Government service impersonation (mParivahan, eChallan)
- Phishing portal clusters with rapid domain rotation
- GitHub-based malware distribution
- Fully obfuscated Android RAT (NP Manager packed)
- SMS interception for OTP theft
- UPI PIN and banking credential harvesting
- Screen overlay attacks for credential stealing
- GPS tracking, microphone, camera access
- Contact list and call log harvesting
- Default home screen launcher replacement
- ₹1 verification scams for UPI/card/netbanking fraud

### Infrastructure

- NameSilo (registrar) + PrivacyGuardian (WHOIS privacy)
- HostSilo and Vultr hosting
- Cloudflare CDN
- GitHub (releases + GitHub Pages)
- Google APIs (C2 channel)

---

## Operator Hints (Not Deanonymized)

**Note:** These are behavioral clues only — not sufficient for positive identification.

### GitHub Account Patterns

| Account Pattern | Evidence |
|----------------|----------|
| Burner accounts | Created recently, zero bio, zero followers |
| Numbered repos | `mParivahan`, `Mparivahan-nextgen.apk` |
| Rapid creation | Multiple repos in March 2026 timeframe |
| Template reuse | Similar page structures across domains |

### Development Language

- PHP-based web fraud stack with Hindi/localized variable names
- JavaScript for visit tracking and redirect logic
- Mobile number validation patterns for Indian formats

### Operational Security

- WHOIS privacy protection
- Rapid domain rotation
- No cross-platform handle reuse detected
- No social media footprint linked to certs/domains

---

## MITRE ATT&CK Mapping

| Tactic | Technique | Evidence |
|--------|-----------|----------|
| Command & Control | T1071 (Web Protocol) | HTTPS to Google APIs |
| Command & Control | T1573 (Encrypted Channel) | TLS 1.3 to Google domains |
| Discovery | T1421 (Device Info) | 41 permissions requested |
| Discovery | T1426 (SMS) | READ_SMS, RECEIVE_SMS |
| Discovery | T1430 (Location) | GPS permissions |
| Collection | T1430 (Data Harvest) | Contacts, call logs, files |
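The permission evidence in the mapping above is the kind of signal that can be pulled straight from a decoded manifest. The following is an added example (not tooling from the investigation) that parses a manifest, counts `uses-permission` entries, flags the permissions that correspond to the capabilities listed for this RAT (SMS, location, microphone, camera, contacts, call log, overlay), checks for a `HOME` intent category (launcher replacement), and looks for an application class under `np.protect`, the package implied by the `Java_np_protect_assets_ShellApplication_n` JNI export named in the supply chain section. The `SAMPLE_MANIFEST` fragment is constructed for the example and is not extracted from the sample.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Standard Android permissions matching the capabilities the report attributes to the RAT.
HIGH_RISK: Dict[str, str] = {
    "android.permission.READ_SMS": "SMS read (OTP theft)",
    "android.permission.RECEIVE_SMS": "SMS interception",
    "android.permission.ACCESS_FINE_LOCATION": "GPS tracking",
    "android.permission.RECORD_AUDIO": "microphone access",
    "android.permission.CAMERA": "camera access",
    "android.permission.READ_CONTACTS": "contact list harvesting",
    "android.permission.READ_CALL_LOG": "call log harvesting",
    "android.permission.SYSTEM_ALERT_WINDOW": "screen overlay",
}

# Constructed manifest fragment for this example. The application class name is
# derived from the JNI symbol in the report (Java_np_protect_assets_ShellApplication_n).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakeparivahan">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <application android:name="np.protect.assets.ShellApplication">
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.HOME"/>
                <category android:name="android.intent.category.DEFAULT"/>
            </intent-filter>
        </activity>
    </application>
</manifest>
"""


def triage_manifest(xml_text: str) -> Dict[str, object]:
    """Extract the permission and launcher signals a triage analyst checks first."""
    root = ET.fromstring(xml_text)
    permissions: List[str] = [
        e.get(NAME_ATTR, "") for e in root.iter("uses-permission")
    ]
    flagged = {p: HIGH_RISK[p] for p in permissions if p in HIGH_RISK}
    # An activity declaring the HOME category can be set as the default launcher.
    home_launcher = any(
        c.get(NAME_ATTR) == "android.intent.category.HOME" for c in root.iter("category")
    )
    app = root.find("application")
    app_class = app.get(NAME_ATTR, "") if app is not None else ""
    return {
        "permission_count": len(permissions),
        "flagged": flagged,
        "home_launcher": home_launcher,
        "np_manager_shell": app_class.startswith("np.protect."),
    }


def summarise(report: Dict[str, object]) -> List[str]:
    """Turn the triage dict into short findings for a ticket or advisory."""
    findings = [f"{desc} ({perm})" for perm, desc in report["flagged"].items()]
    if report["home_launcher"]:
        findings.append("declares HOME category (launcher replacement)")
    if report["np_manager_shell"]:
        findings.append("application class under np.protect (NP Manager shell)")
    return findings


if __name__ == "__main__":
    for line in summarise(triage_manifest(SAMPLE_MANIFEST)):
        print(line)
```

Any one of these permissions has legitimate uses, so the useful signal is the combination: SMS receipt plus overlay plus a HOME intent filter in an app that claims to be a challan viewer has no benign explanation, and the `np.protect` application class confirms the packer the supply chain section identifies.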

---

## Recommended Actions

### For Victims

1. **Uninstall** the malicious APK immediately
2. **Scan** device with reputable antivirus
3. **Change** all banking credentials and UPI PIN
4. **Monitor** bank accounts for unauthorized transactions
5. **Report** to cybercrime portal: https://cybercrime.gov.in/

### For Authorities

| Priority | Action |
|----------|--------|
| P1 | Block phishing domains at ISP level |
| P1 | Takedown GitHub malware releases |
| P1 | Suspend NameSilo domains or force WHOIS reveal |
| P2 | Investigate SMS gateway compromise (57575711 spoofing) |
| P2 | Trace NP Manager customer billing records |

### For CERT-In

- Add SHA256 hash to national blacklist
- Issue public advisory about mParivahan phishing
- Coordinate with NIC to secure SMS gateway
- Work with Google to block C2 endpoint

---

## Appendix: Sources

1. CYFIRMA Research — "NexusRoute attempting to disrupt an Indian Government Ministry"
2. The Hacker News — "Android Malware Operations Merge Droppers, SMS Theft, and RAT"
3. Seqrite / CXOToday — "Seqrite exposes advanced fake NextGen mParivahan malware"
4. VirusTotal Dynamic Analysis — SHA256 hash
5. Original phishing page archives (mparivahanorg.help, mparivahangov.bond)
6. NP Manager Telegram channel analysis

---

*End of Report*
