
New version of the Android Trojan DeliveryRAT can be used for DDoS attacks

Researchers at F6 have analyzed an updated version of DeliveryRAT. The trojan disguises itself as popular food delivery apps, marketplaces, banking services, and parcel-tracking apps. The new version adds a number of features, including carrying out DDoS attacks and launching various UI activities to steal additional data.

The updated version of DeliveryRAT, which appeared in the second half of 2025, received three key additions to its core functionality.

First is the module for conducting DDoS attacks. The Trojan receives the target URL, the number of requests, and their parameters from the command server, after which the infected device attacks the target. After the attack ends, the malware reports to the operators on the number of successful and failed requests. This turns DeliveryRAT from a stealer into a tool for DDoS attacks.

The second is a system of dynamic activities. The malware operators can remotely launch five types of interfaces on the victim’s device: a credit card data entry form (Card), custom forms for arbitrary information (Custom), photo upload (Photo), QR code display (QR), and a simple text message (Text). All these windows look like part of the app’s interface but collect data for the attackers.

The QR code activity includes two configurable fields: a text field, which by default contains the value “Enter tracking number,” and a path to the QR code image. It also contains a Confirm button, which, when pressed, launches an activity with a loading animation. The researchers do not explain the exact purpose of this module, but one can assume it is used for additional social engineering schemes.

Third is mass SMS distribution to all of the victim’s contacts. The Trojan collects the contact list, sends it to the attackers’ server, and then, on command, can send a malicious message to all unique numbers from the list.

The first version of DeliveryRAT could already intercept SMS and push notifications (and hide them from the user), execute arbitrary USSD requests, send SMS, and hide or show the app icon. All of these capabilities are still present.

The Trojan uses a WebSocket connection to a command server to receive real-time commands and HTTP requests to exfiltrate stolen data. The malware achieves persistence via a boot event handler (BootReceiver) and creates periodic tasks to maintain communication with its command-and-control infrastructure.
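As an added example (not code from the F6 report or from the malware), the following static triage check looks in an AndroidManifest.xml for the permission and component combination implied by the capabilities described above: SMS interception, notification access, USSD, contact harvesting plus SMS sending, and boot-time persistence via a receiver. The manifest, package name and component names are constructed for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capability -> set of permissions that together enable it (behaviours described in the article)
CAPABILITIES = {
    "sms_intercept": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "sms_to_contacts": {"android.permission.SEND_SMS", "android.permission.READ_CONTACTS"},
    "ussd": {"android.permission.CALL_PHONE"},
    "network": {"android.permission.INTERNET"},
}


def triage_manifest(manifest_xml: str) -> dict:
    """Score a manifest by how many of the DeliveryRAT-style capabilities it declares."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    found = {cap: needed <= perms for cap, needed in CAPABILITIES.items()}
    # Boot persistence: a receiver filtering on BOOT_COMPLETED plus the matching permission
    boot_receiver = any(
        a.get(ANDROID_NS + "name") == "android.intent.action.BOOT_COMPLETED"
        for r in root.iter("receiver") for a in r.iter("action")
    )
    found["boot_persistence"] = boot_receiver and "android.permission.RECEIVE_BOOT_COMPLETED" in perms
    # Notification access (needed to read and hide push notifications): a bound listener service
    found["notification_listener"] = any(
        s.get(ANDROID_NS + "permission") == "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
        for s in root.iter("service")
    )
    score = sum(found.values())
    # A delivery or parcel-tracking app rarely needs SMS, contacts and USSD together
    return {"capabilities": found, "score": score, "suspicious": score >= 4}


# Constructed manifest (hypothetical package and component names, not a real sample)
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.delivery">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <service android:name=".NotifService"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

The score is a triage heuristic for prioritising samples, not a verdict; a flagged APK still needs dynamic analysis to confirm the WebSocket command channel and HTTP exfiltration described above.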

Researchers discovered malware samples masquerading as Delivery Club, Ozon, Sberbank Online, postal trackers, services for finding specialists and rideshares, classifieds platforms, and ticketing services. They also found samples imitating government services and even a modified version of Telegram with an anonymity feature (Oniongram).

In some cases, the attackers used a loader app (com.harry.loader) that displayed a fake update window to victims and installed DeliveryRAT from its embedded resources.

Researchers note that the trojan is under active development — the operators are expanding its capabilities from simple data theft to participation in DDoS attacks, which allows the malware to be used not only for financial gain but also to carry out large-scale attacks.
