Skip to content
Malware family

Hydra

Hydra is an Android banking trojan, also referred to in the provided content as BianLian, and was described as one of the most active mobile banking malware families in 2022.

Profile source: Mallory opens in a new tab

Hydra

Family profile

Hydra is an Android banking trojan, also referred to in the provided content as BianLian, and was described as one of the most active mobile banking malware families in 2022. Its primary purpose is credential theft from banking and cryptocurrency applications. Hydra uses overlays/injections against targeted apps, abuses Android Accessibility Services for keylogging and interaction capture, steals SMS messages to obtain OTPs, collects installed application lists, and can steal the device unlock code. It also includes a screencast capability that sends screenshots to its command-and-control (C2) server and can receive commands to simulate Accessibility events such as clicks and text entry, enabling remote device manipulation and helping operators bypass antifraud controls tied to IP or device checks.

The content also describes a Hydra Android sample that was packed with JsonPacker and used DexClassLoader for dynamic code loading. In that analysis, the malware contained anti-emulation checks for common Android emulator artifacts including generic, unknown, goldfish, ranchu, google_sdk, Emulator, Android SDK built for x86, Genymotion, sdk_x86, vbox86p, emulator, and simulator, which could suppress C2 communication during analysis. That sample’s reported primary C2 was http://lalabanda.com, with a mirrors endpoint at http://lalabanda.com/api/mirrors and related infrastructure including http://cslon.com, http://cariciu-carilas.com, http://carilas-carilas.net, and http://carilas-carilas.top. It downloaded a ZIP archive from http://lalabanda.com/storage/zip/jk5xWNYPKnTh4e7LP6vPG8z4YiBmoQYtKefRNId1.zip containing overlay templates for 360 targeted applications.

Beyond credential theft via overlays, the provided content attributes additional capabilities to Hydra including WebView-based cookie theft, notification interception and exfiltration, contact theft, bulk SMS/smishing, premium-rate USSD abuse, and call-forwarding manipulation. Around June 2022, Hydra reportedly added cookie-stealing functionality that used official login pages in a WebView and exfiltrated resulting session cookies after login. Initial cookie-theft targets included Google Mail and BBVA Spain, later expanding to Facebook and Davivienda. The analyzed sample also included a component that could read cookies via CookieManager, steal cookies from applications such as Facebook and Google, exfiltrate keylogging data to a device/kl endpoint, and upload intercepted notification contents to a device/push endpoint.

Researchers identified three Hydra variants based on C2 discovery: one retrieving a Base64-encoded JSON list of servers from a Tor .onion /api/mirrors endpoint, one using a GitHub-hosted file containing Base64-encoded C2 data, and one with a hardcoded C2 that may still query /api/mirrors for updates. The content states Hydra is rented on underground forums, with different operators using either default target lists or region-specific targeting such as LATAM and Spanish banks. Observed C2 hosting was concentrated in the Netherlands, the United States, and Ukraine, with fewer servers in Russia and none observed in China.

Hydra is referenced in broader reporting as an active Android banking malware family alongside threats such as Sharkbot, Flubot, Anubis, and Cerberus, and as one of the top mobile malware families in April 2025. The content also notes a bespoke version of the Hydra banking trojan named GREYBATTLE used by UNC5125 (FlyingYeti/UAC-0149) in campaigns targeting Ukrainian drone operators and military-related victims, where it was used to steal credentials and data. Reported sample hashes from one Hydra analysis are APK SHA-256 8b321553f1a269ee4b68a02162ba2d14c71a92907b6001ff3db0fe5bae6b3430 and decrypted payload SHA-256 fd87c4f7c8ece0448dab67a0b689c4a417a153081059750295fbed29a1422b03.

Reported operators

Threat actors

2 named in public reporting
UAC-0149

"...GREYBATTLE, a bespoke version of the Hydra banking trojan..."

UNC5125

"...GREYBATTLE, a bespoke version of the Hydra banking trojan..."

MITRE ATT&CK

Hydra in ATT&CK

31 distinct techniques

Reporting

Research mentioning Hydra

Feb 13
The Hacker News

Google Links China, Iran, Russia, North Korea to Coordinated Defense Sector Cyber Operations

"...GREYBATTLE, a bespoke version of the Hydra banking trojan..."

Jan 7
Bitsight

Top 4 Malware Targeting the Financial Sector in 2026

Trend data showing ongoing use and re-use of families such as Anubis, Hydra, and Cerberus.

May 12
Hackread

FakeUpdates, Remcos, AgentTesla Top Malware Charts in Stealth Attack Surge

"...with Anubis, AhMyth, and Hydra topping the list of mobile malware in April."

Nov 19
Recorded Future

The Need for Cyber Fraud Fusion Centers

“Recorded Future observes thousands of malicious files with anti-virus signature names like Hydra, Hook, Sova, and more every quarter.”

Feb 17
Ncc Group Research

Threat Spotlight – Hydra

Hydra, also known as BianLian, has been one of the most active mobile banking malware families in 2022, alongside Sharkbot and Flubot... Hydra is an Android banking malware whose main goal is stealing credentials...

Oct 27
Cyble

Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers

Some well-known Android banking trojans such as Hydra, BRATA, Anubis, and several others heavily rely on the Accessibility Service...

Sep 20
Muha2xmad

Technical analysis of Hydra android malware - muha2xmad

But It didn’t go as well as my last analysis of a previous sample of Hydra on my twitter ... Yara rule rule Hydra { ... description = "Hydra android malware" ... }

Oct 20
Cisa Advisories

Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors | CISA

"...dropping and executing open source and free tools such as Hydra, SecretsDump, and CrackMapExec."

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.