ResidentBat: Belarusian KGB Android Spyware at Internet Scale
ID: f89783e9-adc0-5e6b-bfe2-c11f66cb62fd
STIX ID: report--f89783e9-adc0-5e6b-bfe2-c11f66cb62fd
Feed Name: Censys Blog
Date Published: 2026-02-24
Date Updated: 2026-04-27
Author: Kate Lake; Aidan Holland; Senior Security Researcher
ResidentBat is an Android spyware implant attributed to the Belarusian KGB that requires physical access and ADB sideloading to install and provides operators with SMS/call/messenger exfiltration, microphone and screen capture, file access, remote commands, and a remote wipe capability. The report details C2 infrastructure fingerprints (self-signed certificates with CN=server, banner_hash_sha256, and a concentrated port range 7000–7257 and 4022), observed hosting geography, operational context against journalists/activists, and recommended network- and device-based detection and mitigation strategies.
