Security News

Cybersecurity news aggregator

HIGH | Attacks | Reddit r/netsec

Mobile spyware campaign impersonates Israel's Red Alert rocket warning system

A targeted mobile spyware campaign distributes a trojanized version of Israel's legitimate Red Alert rocket warning Android application via SMS phishing messages impersonating official authorities. The malicious app retains full alert functionality while using certificate spoofing and runtime manipulation to bypass Android security, appearing legitimately signed while harvesting SMS, contacts, location, and other sensitive data to a remote C2 server. This campaign weaponizes trusted emergency services during geopolitical tension, combining social engineering with mobile espionage to exploit user trust.

Summary

Acronis Threat Research Unit (TRU) has identified a targeted campaign distributing a trojanized version of the Red Alert rocket warning Android app to Israeli users via SMS messages impersonating official Home Front Command communications. The malicious app retains full rocket alert functionality, allowing it to appear legitimate while running malicious code in the background. The threat actor implemented certificate spoofing and runtime manipulation techniques to bypass Android security checks and make the application appear legitimately signed. Once installed, the malware monitors granted permissions and begins collecting sensitive data, including SMS messages, contacts, location data, device accounts and installed applications. Stolen data is staged locally and continuously transmitted to a remote command-and-control (C2) server controlled by the attackers. This campaign highlights how trusted emergency services can be weaponized during periods of geopolitical tension, combining social engineering with mobile espionage to exploit user trust and maximize impact.

Introduction

Acronis TRU has been actively monitoring malware campaigns and threat activity that leverage recent geopolitical developments across the Middle East and abuse these events to deliver malware to individuals. During our investigation, TRU identified a targeted campaign distributing a trojanized version of the Red Alert rocket warning Android app to Israeli users via SMS messages impersonating official Home Front Command communications. The activity stood out due to its use of an emergency-themed lure, which our researchers discovered on March 1 while hunting for malicious threats and which multiple Israeli citizens reported on social media. The trojanized application mimics the legitimate Red Alert — Israel (צבע אדום) app used by millions of Israeli citizens to receive real-time rocket and missile alert notifications.

This makes it an exceptionally effective social engineering vector: during periods of active conflict, the urgency to install or update such an application overrides the caution users might otherwise exercise, particularly when the delivery message appears to originate from the Home Front Command (פיקוד העורף). This report provides a detailed analysis of the full infection chain, from the initial SMS delivery through dropper execution and deployment of the embedded spyware payload.

Background and context

Numerous regional threat actors, ranging from hacktivist groups to nation-state-aligned operators, have been targeting individuals and organizations across national borders. Their activities have included claims of distributed denial-of-service (DDoS) attacks, attempted intrusions into critical infrastructure, and other disruptive operations. Groups such as Handala and other MOIS-affiliated actors have been particularly prominent in recent years. Operationally, while tracking this cluster of activity, we found multiple accounts of individuals claiming to have received messages with shortened links to download and install software that is primarily used as an alerting mechanism for rocket strikes. One similar attack during 2023, attributed to the hacktivist group AnonGhost, features some striking similarities, though the attack we've analyzed appears to use new infrastructure and, in some parts, new code.

Infection chain

[Figure: Infection chain of the campaign]

Technical details

Initial analysis and delivery mechanism

Our investigation began after identifying a smishing campaign targeting Israeli citizens. The campaign used SMS messages impersonating the official "Oref Alert" rocket warning service, urging recipients to install an updated version of the application due to an alleged alert malfunction. The messages, distributed from spoofed sender IDs, contained a bit.ly shortened link redirecting victims to download a trojanized APK masquerading as the legitimate Red Alert application.

[Figure: Israeli citizen's report of receiving SMS from Oref Alert]

The use of link-shortening services, combined with the urgency of updating an existing application associated with public safety, prompted us to analyze the malicious application, its capabilities, and the infrastructure used to control the malware and exfiltrate harvested data and credentials.

Timeline

2023-10-16: Prior Red Alert campaign (AnonGhost). Earlier trojanized Red Alert campaign attributed to AnonGhost during the October 2023 escalation; MO overlaps with the current campaign.
2025-06-23: C2 domain registered. ra-backup[.]com registered via Namecheap Inc.; fresh disposable infrastructure for this campaign.
2026-03-01: APK first submitted to VirusTotal. SHA256 first seen on VT at 12:44:22 UTC; 3/65 detections at time of submission.
2026-03-01: TRU discovers campaign. Acronis TRU identifies the smishing campaign during threat hunting; SMS reports from Israeli citizens observed.
2...
