MoqHao Leverages iCloud and VK in Campaign Targeting Apple IDs and Android Device
ID: a40e9d10-1fcc-5f4b-9b36-b1ec5372d628
STIX ID: report--a40e9d10-1fcc-5f4b-9b36-b1ec5372d628
Feed Name: Hunt.io Blog
This report analyzes a MoqHao (Wroba/XLoader) smishing campaign that uses localized Apple ID phishing pages and malicious Android APKs delivered via shortened URLs. The attackers abuse dynamic DNS (DuckDNS) and a legitimate service (Apple iCloud hosting), obfuscate C2 addresses via a VK profile, and redirect victims through multiple domains. The analysis includes a malicious APK SHA256, VirusTotal detections, redirect chains, C2 IPs/ASNs, and a table of network observables, and concludes with mitigation advice for mobile users.
