APT / THREAT GROUP💰 FINANCIALHIGH

FluBot

4
aliases
Last seen:Mar 17, 2026

Intelligence Profile

PRODAFT describes FluBot as a banking malware which originally targeted Spain. Since the first quarter of 2021 it has been targeting many other European countries as well as Japan. It uses a DGA for it's C&C and relies on both DNS and DNS-over-HTTPS for name resolution. Despite arrests of multiple people suspected of involvement with this malware in March of 2021, the campaign has only intensified since.

Threat Analysis

FluBot is a high-sophistication threat actor of undetermined national origin, engaged in cyber operations with a primary motivation of financial.

Financially motivated threat actors like FluBot prioritize monetary gain through methods such as ransomware deployment, banking trojans, cryptocurrency theft, BEC scams, or credential harvesting for resale on underground markets.

With high sophistication, FluBot is capable of targeted intrusions using adapted commodity tools alongside custom implants, maintaining operational security and evading standard detection mechanisms.

External References

Quick Facts

TypeAPT / Threat Group
Motivation💰 financial
Sophisticationhigh
Aliases4

Also Known As

FakeChatCabassousapk.flubotFluBot

External Intelligence

Malpedia: apk.flubot

Research Links

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.
FluBot — APT / Threat Group | Threat Intelligence | CTIWATCH.COM