ResidentBat: The Belarusian KGB’s Covert Android Surveillance Tool
In a significant cybersecurity revelation, a sophisticated Android spyware known as ResidentBat has been identified, providing the Belarusian KGB with deep and persistent access to targeted mobile devices. This malware has been strategically deployed against journalists and members of civil society, raising serious concerns about privacy and state-sponsored surveillance.
Discovery and Development Timeline
ResidentBat first came to public attention in December 2025 through a collaborative investigation by Reporters Without Borders (RSF) and RESIDENT.NGO. However, analysis of the malware’s code indicates that its development dates back to 2021, suggesting that it may have been operating undetected for several years prior to its exposure.
Unique Deployment Methodology
Unlike typical mobile malware that spreads via malicious links or compromised applications, ResidentBat requires physical access to the target device for installation. Attackers use the Android Debug Bridge (ADB) tool to sideload the spyware directly onto the device, manually grant the necessary permissions, and disable Google Play Protect to evade detection. This hands-on approach keeps the number of infections small, but it means that each compromised device belongs to a specifically chosen individual under surveillance by the Belarusian KGB.
Comprehensive Data Extraction Capabilities
Once installed, ResidentBat exhibits a wide array of data collection functionalities:
– SMS and Call Log Access: The malware reads all incoming and outgoing text messages and call logs, providing insight into the target’s communications.
– Audio Recording: It can activate the device’s microphone to record ambient audio, capturing conversations and environmental sounds.
– Screenshot Capture: ResidentBat takes periodic screenshots, allowing attackers to monitor the user’s activities visually.
– File Access: The spyware accesses files stored on the device, including documents, photos, and other sensitive data.
– Encrypted Messaging Interception: Notably, it can intercept traffic from encrypted messaging applications, undermining the security measures users rely on for private communication.
Command-and-Control Infrastructure
Analysts from Censys have identified ResidentBat’s command-and-control (C2) infrastructure, noting a consistent technical fingerprint characterized by self-signed TLS certificates with the common name set to CN=server, operating across a narrow port range of 7000 to 7257. The C2 servers are utilized exclusively to receive stolen data, push commands to the malware, and deliver configuration updates, maintaining the attacker’s control over the compromised device long after the initial infection.
Remote Device Wiping Capability
Beyond data theft, ResidentBat empowers operators with the ability to remotely wipe a compromised device using Android’s `DevicePolicyManager.wipeData` function. This feature can be employed to destroy evidence of surveillance or as a punitive measure against the target.
Geographical Distribution of C2 Servers
As of February 2026, active ResidentBat infrastructure has been identified across ten hosts located in the Netherlands (5), Germany (2), Switzerland (2), and Russia (1). Russian autonomous systems, particularly AS29182 (RU-JSCIOT), play a notable role in this distribution. The malware’s C2 configuration is delivered in JSON format and includes parameters that control the server address, the timing of data uploads, and an "upload data immediately" flag.
Advanced Evasion Techniques
ResidentBat employs several sophisticated techniques to evade detection:
– C2 Server Hardening: When researchers probe these servers, every HTTP path returns a 200 OK response with an empty body, regardless of the request content or authentication headers. This uniform response pattern provides no useful information to defenders analyzing HTTP traffic, shifting detection efforts toward TLS-layer indicators.
– Static Date Headers: The C2 servers return a static or artificially set `Date` header in HTTP responses, such as Tue, 06 Jan 2026 01:00:00 GMT. This anti-forensics technique reduces the ability to fingerprint the servers based on response headers.
– Client Certificate Authentication: The server architecture relies on client certificate authentication embedded directly within the APK, a proprietary communication protocol that does not follow standard REST patterns, and server-side device allowlisting. This means only pre-approved devices can interact meaningfully with the C2 servers.
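The infrastructure fingerprint described in the Command-and-Control section (self-signed certificate with CN=server, ports 7000 to 7257) and the HTTP behaviour described above (uniform 200 OK with an empty body, static Date header) can be turned into hunting logic over scanner or proxy-log output. The following is an added example written for this page, not code from Censys, RSF or RESIDENT.NGO; the per-host record layout (the dict keys, the `observed_at` timestamp, the one-hour skew threshold) is an assumption, and the two sample records are constructed.

```python
"""Score observed endpoints against the ResidentBat C2 fingerprint given in
the text: a self-signed TLS certificate with subject CN=server on a port in
7000-7257, every HTTP path answering 200 with an empty body, and a static
Date header (the report quotes 'Tue, 06 Jan 2026 01:00:00 GMT').

The record layout (one dict per host with the keys used below) is an
assumption made for this example; map your scanner export or Zeek
ssl.log/http.log fields onto it. All sample records are constructed.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

C2_PORTS = range(7000, 7258)                   # 7000-7257 inclusive, per the report
STATIC_DATE = "Tue, 06 Jan 2026 01:00:00 GMT"  # Date value quoted in the report
MAX_CLOCK_SKEW_S = 3600                        # assumption: >1h skew suggests a fixed Date


def tls_indicators(rec):
    """TLS-layer matches: subject CN=server, self-signed (issuer == subject), port range."""
    hits = []
    subject, issuer = rec.get("cert_subject", ""), rec.get("cert_issuer", "")
    if subject == "CN=server":
        hits.append("cn_server")
    if subject and subject == issuer:
        hits.append("self_signed")
    if rec.get("port") in C2_PORTS:
        hits.append("port_7000_7257")
    return hits


def http_indicators(rec):
    """HTTP-layer matches: 200/empty body on every probed path, static or skewed Date."""
    hits = []
    responses = rec.get("http_responses", [])
    # Needs at least two distinct probes to call the behaviour "uniform".
    if len(responses) >= 2 and all(r["status"] == 200 and r["body_len"] == 0
                                   for r in responses):
        hits.append("uniform_200_empty")
    observed = rec.get("observed_at")
    for r in responses:
        date = r.get("date")
        if not date:
            continue
        if date == STATIC_DATE:
            hits.append("known_static_date")
            break
        try:
            skew = abs((observed - parsedate_to_datetime(date)).total_seconds())
        except (TypeError, ValueError):      # missing observation time or unparsable header
            continue
        if skew > MAX_CLOCK_SKEW_S:
            hits.append("date_skewed")
            break
    return hits


def assess(rec):
    """Return (verdict, indicators). 'high' needs the full TLS triple plus an HTTP hit."""
    hits = tls_indicators(rec) + http_indicators(rec)
    tls_full = {"cn_server", "self_signed", "port_7000_7257"} <= set(hits)
    http_any = any(h in hits for h in ("uniform_200_empty", "known_static_date", "date_skewed"))
    if tls_full and http_any:
        verdict = "high"
    elif tls_full or (len(hits) >= 2 and "cn_server" in hits):
        verdict = "medium"
    else:
        verdict = "low"
    return verdict, hits


OBSERVED = datetime(2026, 2, 10, 12, 0, tzinfo=timezone.utc)  # constructed observation time

SAMPLE_RECORDS = [
    {   # constructed: matches the reported fingerprint on both layers
        "host": "198.51.100.23", "port": 7100,
        "cert_subject": "CN=server", "cert_issuer": "CN=server",
        "observed_at": OBSERVED,
        "http_responses": [
            {"path": "/", "status": 200, "body_len": 0, "date": STATIC_DATE},
            {"path": "/api/login", "status": 200, "body_len": 0, "date": STATIC_DATE},
        ],
    },
    {   # constructed: ordinary web server, should score low
        "host": "198.51.100.24", "port": 443,
        "cert_subject": "CN=www.example.com", "cert_issuer": "CN=Example CA, O=Example",
        "observed_at": OBSERVED,
        "http_responses": [
            {"path": "/", "status": 200, "body_len": 5123, "date": "Tue, 10 Feb 2026 12:00:03 GMT"},
            {"path": "/api/login", "status": 404, "body_len": 88, "date": "Tue, 10 Feb 2026 12:00:03 GMT"},
        ],
    },
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        verdict, hits = assess(rec)
        print(f"{rec['host']}:{rec['port']}  {verdict:6}  {', '.join(hits) or '-'}")
```

The TLS triple alone only reaches "medium" because a self-signed CN=server certificate on a high port is not unique to this campaign; the HTTP probes are what lift a host to "high". The skew check catches a fixed Date header even when the operators rotate the value away from the one quoted in the report.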
Implications and Recommendations
The emergence of ResidentBat underscores the evolving landscape of state-sponsored cyber surveillance and the lengths to which entities will go to monitor specific individuals. The physical access requirement for installation highlights the targeted nature of this operation, focusing on high-value individuals such as journalists and activists.
Recommendations for Potential Targets:
1. Regular Security Audits: Conduct frequent security checks on devices to detect unauthorized applications or configurations.
2. Physical Security Measures: Ensure that devices are not left unattended and are protected against unauthorized physical access.
3. Enable Security Features: Keep Google Play Protect enabled and regularly update device software to benefit from the latest security patches.
4. Monitor for Unusual Behavior: Be vigilant for signs of compromise, such as unexpected battery drain, unusual data usage, or unfamiliar applications.
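Recommendation 1 can be made concrete for the deployment method described above: an app sideloaded over ADB shows no installer package, and the remote-wipe capability depends on the app being enabled as a device admin with the wipe-data policy. The script below is an added example for this page, not a tool from the report's authors. It parses the text output of `adb shell pm list packages -3 -i` and `adb shell dumpsys device_policy`; the sample output embedded here is constructed, its exact layout varies between Android versions (the parser tolerates that by working on indentation), and every package name in it is a placeholder, not an indicator from the report.

```python
"""Audit two pieces of `adb shell` output for the artefacts the report ties
to ResidentBat installs: a third-party package with no installer (installed
with `adb install` rather than from a store) and an enabled device admin
holding the wipe-data policy (needed for DevicePolicyManager.wipeData).

Real input comes from:
    adb shell pm list packages -3 -i > packages.txt
    adb shell dumpsys device_policy > dpm.txt
The samples below are constructed; package names are placeholders.
"""
import re

# Real format: "package:<name>  installer=<installer package or null>"
PKG_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")


def sideloaded_packages(pm_output):
    """Third-party packages whose installer is null, as left by `adb install`."""
    found = []
    for line in pm_output.splitlines():
        m = PKG_LINE.match(line.strip())
        if m and m.group(2) == "null":
            found.append(m.group(1))
    return found


def wipe_capable_admins(dumpsys_output):
    """Admin components under 'Enabled Device Admins' whose policy list has wipe-data."""
    header_indent, current, collecting = None, None, False
    policies = {}
    for raw in dumpsys_output.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip())
        line = raw.strip()
        if header_indent is None:                 # still looking for the section header
            if line.startswith("Enabled Device Admins"):
                header_indent = indent
            continue
        if indent <= header_indent:               # next top-level section: stop
            break
        if "/" in line and line.endswith(":"):    # "com.pkg/.Receiver:" starts an admin entry
            current = line[:-1]
            policies[current] = set()
            collecting = False
        elif line == "policies:":
            collecting = True
        elif collecting and "=" not in line and not line.endswith(":"):
            policies[current].add(line)           # one policy tag per line, e.g. wipe-data
        else:
            collecting = False                    # "key=value" lines end the policy list
    return sorted(c for c, p in policies.items() if "wipe-data" in p)


def audit(pm_output, dumpsys_output):
    """Combine both views; a sideloaded package that is also wipe-capable tops the list."""
    sideloaded = sideloaded_packages(pm_output)
    admins = wipe_capable_admins(dumpsys_output)
    admin_pkgs = {a.split("/", 1)[0] for a in admins}
    return {
        "sideloaded": sideloaded,
        "wipe_capable_admins": admins,
        "sideloaded_and_wipe_capable": sorted(p for p in sideloaded if p in admin_pkgs),
    }


# Constructed sample output (placeholder package names).
SAMPLE_PM = """\
package:com.android.chrome  installer=com.android.vending
package:com.example.news  installer=com.android.vending
package:com.example.unknownapp  installer=null
package:com.example.mdm  installer=com.android.vending
"""

SAMPLE_DUMPSYS = """\
Current Device Policy Manager state:
  Encryption Status: 5
  Device Owner: null
  Enabled Device Admins (User 0, provisioningState: 0):
    com.example.mdm/.AdminReceiver:
      uid=10150
      testOnly=false
      policies:
        force-lock
        limit-password
      passwordQuality=0x0
    com.example.unknownapp/.Receiver:
      uid=10201
      testOnly=false
      policies:
        wipe-data
        force-lock
      passwordQuality=0x0
  Affiliation ids: []
"""

if __name__ == "__main__":
    for key, value in audit(SAMPLE_PM, SAMPLE_DUMPSYS).items():
        print(f"{key}: {value or '-'}")
```

A null installer is not proof of compromise (developers and power users sideload too), which is why the combined view matters: a package that was sideloaded, is not recognised by the device owner, and holds the wipe-data policy is exactly the profile the report describes and should be preserved for analysis rather than simply uninstalled.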
By understanding the capabilities and deployment methods of ResidentBat, individuals and organizations can better protect themselves against such targeted surveillance efforts.