Mobile devices are essential tools for communication and activism—but in repressive environments, they can become instruments of surveillance. ResidentBat is a custom Android spyware implant deployed by the Belarusian KGB to gain persistent access to journalists, activists, and civil society targets.
Unlike mass-market spyware, ResidentBat relies on hands-on installation, sidestepping app stores and automated defenses. This article explores how ResidentBat operates, its capabilities, deployment methods, and mitigation strategies for high-risk Android users and organizations supporting at-risk communities.
Overview of ResidentBat
ResidentBat is a targeted Android spyware designed for precision attacks, rather than broad-scale exploitation:
- Operator: Belarusian KGB
- Active Since: At least 2021 (based on code lineage)
- Disclosure: December 2025 (RSF and RESIDENT.NGO)
- Deployment: Hands-on physical access, not via phishing or exploits
- Targets: Journalists, civil society organizers, activists
Key insight: By focusing on high-value individuals, ResidentBat maximizes impact per infection rather than scale.
How ResidentBat Malware Operates
Hands-On Installation
Deployment requires direct access to the device:
- Enable USB debugging on Android
- Sideload the APK via Android Debug Bridge (ADB)
- Manually grant extensive device permissions
- Disable Google Play Protect to prevent automated detection
This approach bypasses app store protections and typical mobile malware defenses.
Command-and-Control (C2) Infrastructure
ResidentBat communicates with C2 servers to:
- Exfiltrate data (SMS, call logs, microphone recordings, screen captures, files)
- Push commands or configuration updates
- Monitor device health and enforce policy compliance
- Remotely wipe devices using `DevicePolicyManager.wipeData`
The malware uses JSON-based tasking, allowing operators to automate tasks while maintaining granular control over each device.
Network Fingerprint and Detection
Censys research identifies a distinctive ResidentBat network footprint:
- Outbound HTTPS sessions to self-signed CN=server certificates on ports 7000–7257 (some on 4022)
- Static TLS/HTTP banner hash for correlation
- Hardened C2s with catch-all HTTP 200 responses and likely client certificate authentication
These indicators allow network defenders to track, cluster, and block malicious infrastructure.
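The fingerprint above can be turned into a simple session scorer. This is an added example, not Censys tooling or code from the article: the session records, the benign comparison hosts and the banner-hash value are constructed, and the article does not publish the real hash, so it is a placeholder.

```python
from dataclasses import dataclass

# Indicator values from the write-up: self-signed leaf with subject CN=server,
# listening on 7000-7257 or 4022. The banner hash is a placeholder: the article
# says a static hash exists but does not publish its value.
C2_PORTS = set(range(7000, 7258)) | {4022}
C2_CERT_SUBJECT = "CN=server"
KNOWN_BANNER_HASHES = {"<banner-hash-from-threat-intel>"}  # placeholder

@dataclass
class TlsSession:
    """One outbound TLS connection (Zeek ssl.log-like fields; constructed)."""
    src: str
    dst: str
    dst_port: int
    subject: str            # leaf certificate subject
    issuer: str             # leaf certificate issuer
    banner_hash: str = ""   # server banner hash, if the sensor computes one

def is_self_signed(s: TlsSession) -> bool:
    return s.subject == s.issuer

def score_session(s: TlsSession) -> tuple:
    """Return (score, reasons). Each matched indicator adds one point; a port
    match alone is weak evidence, so callers should require two or more."""
    reasons = []
    if s.dst_port in C2_PORTS:
        reasons.append(f"port {s.dst_port} in ResidentBat C2 range")
    if is_self_signed(s) and s.subject == C2_CERT_SUBJECT:
        reasons.append("self-signed cert with subject CN=server")
    if s.banner_hash and s.banner_hash in KNOWN_BANNER_HASHES:
        reasons.append("banner hash matches known C2")
    return len(reasons), reasons

def suspicious_sessions(sessions, threshold=2):
    """Sessions meeting the indicator threshold, as (dst, port, reasons)."""
    return [(s.dst, s.dst_port, score_session(s)[1])
            for s in sessions if score_session(s)[0] >= threshold]

# Constructed sample: one C2-like session, one dev server on an in-range port
# with a CA-issued cert (one indicator only), one ordinary HTTPS connection.
SAMPLE = [
    TlsSession("10.0.0.5", "203.0.113.10", 7120, "CN=server", "CN=server"),
    TlsSession("10.0.0.5", "198.51.100.7", 7001, "CN=dev.example.org", "CN=R3, O=Let's Encrypt"),
    TlsSession("10.0.0.5", "198.51.100.9", 443, "CN=www.example.com", "CN=DigiCert TLS RSA"),
]

if __name__ == "__main__":
    for dst, port, reasons in suspicious_sessions(SAMPLE):
        print(f"ALERT {dst}:{port} -> {'; '.join(reasons)}")
```

Requiring two indicators keeps a lone high-port connection or a lone self-signed certificate from alerting; certificate reuse across hosts (discussed below) is what lets you promote a single match into a cluster.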
Capabilities of ResidentBat
ResidentBat is designed for deep surveillance and device control:
| Capability | Description |
|---|---|
| SMS & Call Logging | Collects all messages and call metadata |
| Microphone Recording | Activates audio capture for eavesdropping |
| Screen Capture | Takes snapshots of device activity |
| Encrypted Messaging | Accesses content from apps like Signal and WhatsApp |
| File Exfiltration | Retrieves local documents and media |
| Remote Wipe | Executes factory reset via Android API to remove traces or retaliate |
| Policy Enforcement | Monitors device health and compliance using C2 tasking |
Critical point: Even if a device is recovered, Remote Wipe functionality can erase evidence and hinder investigations.
Global Footprint of ResidentBat C2 Servers
As of February 2026, Censys data shows at least 10 ResidentBat-related hosts, distributed as follows:
- Netherlands: 5
- Germany: 2
- Switzerland: 2
- Russia: 1
Servers are hosted on VPS and data-center networks, including Russian ASN AS29182 and European ASNs like AS210976. Certificate reuse across IP:port combinations allows analysts to cluster related infrastructure and create blocklists.
Threat Mitigation and Best Practices
For high-risk Android users and organizations:
Device Hardening
- Enable Android Advanced Protection Mode
- Disable USB debugging unless required
- Restrict sideloading permissions
Monitoring and Detection
- Track ADB activity on devices
- Flag unauthorized sideloaded APKs or “system-like” apps
- Ensure Google Play Protect is active
Organizational Measures
- Provide secure devices for journalists and civil society teams
- Audit devices after physical access events (e.g., border crossings)
- Correlate APK hashes and C2 endpoints with VirusTotal, MalwareBazaar, or other threat intelligence sources
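The monitoring checks above (ADB state, sideloaded APKs, Play Protect) and the post-access audit can be driven from text captured off the device with `adb shell`. This is an added example, not a tool from the article or from RSF/RESIDENT.NGO: the sample capture is constructed, the trusted-installer list is an assumption (Play Store only), and the `package_verifier_enable` key is assumed to reflect Play Protect on the build being audited.

```python
import re
import subprocess

# Installers treated as legitimate (assumption: Play Store only; add OEM stores).
TRUSTED_INSTALLERS = {"com.android.vending"}
PM_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)")

def parse_installers(pm_output: str) -> dict:
    """Map package -> installer from `pm list packages -3 -i` output."""
    matches = (PM_LINE.match(line) for line in pm_output.splitlines())
    return {m.group(1): m.group(2) for m in matches if m}

def flag_sideloaded(installers: dict) -> list:
    """Third-party packages not installed through a trusted store. For a
    third-party app, installer=null usually means it arrived over ADB."""
    findings = []
    for pkg, inst in sorted(installers.items()):
        if inst == "null":
            findings.append(f"{pkg}: no installer recorded (ADB sideload?)")
        elif inst not in TRUSTED_INSTALLERS:
            findings.append(f"{pkg}: installed by {inst}")
    return findings

def flag_settings(settings: dict) -> list:
    """Check the global settings the article says the operator changes."""
    findings = []
    if settings.get("adb_enabled", "0").strip() == "1":
        findings.append("USB debugging is enabled")
    # Assumption: this key reflects Play Protect / Verify Apps on your build.
    if settings.get("package_verifier_enable", "1").strip() == "0":
        findings.append("app verification (Play Protect) is disabled")
    return findings

def audit(settings: dict, pm_output: str) -> list:
    return flag_settings(settings) + flag_sideloaded(parse_installers(pm_output))

def adb(*args: str) -> str:
    """Run a command on the attached device and return its stdout."""
    return subprocess.run(["adb", "shell", *args], capture_output=True,
                          text=True, check=True).stdout

# Constructed sample capture: one Play Store app, one app with no installer,
# debugging left on and verification switched off.
SAMPLE_SETTINGS = {"adb_enabled": "1\n", "package_verifier_enable": "0\n"}
SAMPLE_PM = ("package:com.example.news  installer=com.android.vending\n"
             "package:com.example.sysupdate  installer=null\n")

if __name__ == "__main__":
    live = {k: adb("settings", "get", "global", k) for k in SAMPLE_SETTINGS}
    for f in audit(live, adb("pm", "list", "packages", "-3", "-i")):
        print("FINDING:", f)
```

The live path needs USB debugging on for the duration of the audit, so turn it back off when done; the parsing functions also work on output saved from a device you no longer have.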
Expert insight: The combination of physical device access, deep surveillance, and remote wipe capability makes ResidentBat particularly dangerous in authoritarian contexts, where digital evidence can be weaponized against users.
FAQs
1. How is ResidentBat deployed?
It is installed by hand, via ADB sideloading, on physically seized devices.
2. Who are the targets?
Journalists, civil society organizers, and activists in Belarus.
3. Can it be delivered via phishing or Play Store apps?
No. It relies on physical access and disables automated detection.
4. What data does it collect?
SMS, calls, files, microphone recordings, screen captures, and encrypted messaging content.
5. How can users defend against ResidentBat?
Use Advanced Protection Mode, disable USB debugging, enforce sideload restrictions, and monitor devices for suspicious activity.
Conclusion
ResidentBat demonstrates the risks of targeted mobile surveillance in repressive environments. Its hands-on deployment, extensive data collection, and remote wipe capabilities make it a potent tool for the Belarusian KGB against journalists and civil society.
Actionable steps:
- Harden Android devices with Advanced Protection Mode
- Limit sideloading and ADB access
- Monitor device activity for signs of unauthorized apps or disabled security features
- Correlate C2 network indicators with threat intelligence for proactive blocking
By understanding ResidentBat, security teams and at-risk users can reduce exposure and safeguard mobile privacy.