New RETADUP Variants Hit South America, Turn To Cryptocurrency Mining
released on 2017-09-25 @ 04:44:38 PM
Several months ago, we discovered and exposed RETADUP malware in Israeli hospitals. We also learned that an Android malware known as “GhostCtrl” was stored in their infrastructure, which might be used for cyberespionage or cybercrime.
Since then, we’ve encountered more samples in the wild. While RETADUP was found in Israeli hospitals, a new variant was targeting specific industries and governments in South America. We believe the use of the RETADUP malware family is limited to a very small set of threat actors: we found no evidence of it being sold or distributed via underground marketplaces or forums.
This new RETADUP variant has features that would be useful for cybercrime instead of espionage. One would think that this would result in widespread use, but instead it has only been found in limited areas. It has frequently been used to spread cryptocurrency mining malware, perhaps indicating an evolution towards direct monetization.