How Belarusian authorities track activists and journalists through ResidentBat.

A phone can end up in the hands of law enforcement for a few minutes in a variety of situations: a border guard asks for the device to be unlocked so its contents can be inspected, a checkpoint officer takes it into a separate room under the pretext of a search, or the phone is confiscated and returned after a brief interrogation. For ResidentBat, that window is sufficient. Infection does not happen over the internet or remotely; it requires physical access to the device.
ResidentBat is described as Android spyware that, according to a joint investigation by Reporters Without Borders and RESIDENT.NGO, was used against journalists and civil society representatives. ResidentBat was publicly announced in December 2025. Code analysis indicates that development may have begun at least as early as 2021.
ResidentBat's distribution is targeted. The command-and-control server does not serve installation files or infect devices on its own. Installation requires physical access to the phone: the APK is pushed and installed over ADB, the required permissions are granted by hand, and Google Play Protect is switched off. ADB, the Android Debug Bridge, is a developer tool for debugging, but in this attack it is used to install an app without going through the store. The method does not scale to mass infection, but it gives the operator stable control over a specific device.
Once installed, ResidentBat gives the operator long-term access to the phone's data and functions: call and SMS logs, data from encrypted messaging apps, microphone recording, screenshots, and retrieval of files from device storage. The control server receives the exfiltrated data, issues commands, delivers updates, and changes the agent's settings.
A separate risk is remote wiping. ResidentBat can call DevicePolicyManager.wipeData() to erase the device. Android only honours that call from an app enrolled as a device administrator, which is one of the privileges the operator can grant during the hands-on installation. For journalists and activists the danger is therefore not only leakage but the loss of materials, correspondence, and contacts, including sources.
The command-and-control channel runs over HTTPS and produces a stable set of signatures. ResidentBat nodes use self-signed certificates with the subject CN=server and a consistent banner fingerprint. Censys added ResidentBat to its Threat Module under the identifier THREAT-240 so that such nodes are detected automatically. As of February 2026, one Censys view showed ResidentBat's infrastructure concentrated in Europe and Russia: the Netherlands (5 nodes), Germany (2), Switzerland (2), and Russia (1). Command-and-control traffic typically uses ports 7000–7257, with some nodes also listening on port 4022.
One of the search indicators looks like this:
banner_hash_sha256: 6f6676d369e99d61ce152e1e2b2eb6f5e26a4331f4008b5d6fe567edefdbeaca
When probing exposed nodes, researchers observed attempts to complicate identification at the HTTP level. Any path returns 200 OK with an empty body, and neither Authorization headers nor POST request bodies produce any visible change in the response. Responses carry a static or forged Date header, for example Tue, 06 Jan 2026 01:00:00 GMT.
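The HTTP traits above can be turned into a simple scoring routine for a host you have already probed. The following is an added example, not tooling from the RSF/RESIDENT.NGO investigation or from Censys. The probe records are constructed by hand, and the record layout, the `looks_like_residentbat_http` name, and the ten-minute clock-skew threshold are this script's own assumptions.

```python
"""Score a probed host against the HTTP behaviour reported for ResidentBat nodes:
every path answers 200 with an empty body, Authorization headers and POST bodies
change nothing, and the Date header is static or forged.

Added example; probe results below are constructed, not captured from a real node.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Assumption: a Date header more than ten minutes off the probe clock is "forged".
SKEW_LIMIT_S = 600


def date_is_off(date_value, now):
    """True when the Date header is missing, unparsable, or far from probe time."""
    if not date_value:
        return True
    try:
        when = parsedate_to_datetime(date_value)
    except (TypeError, ValueError):
        return True
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return abs((now - when).total_seconds()) > SKEW_LIMIT_S


def score_http_probes(probes, now):
    """Each probe is a dict: method, path, auth (bool), status, date, body (bytes).

    The probe set must vary both the Authorization header and the method, or
    the "ignored" trait cannot be judged and is reported as False.
    """
    varied = any(p["auth"] for p in probes) and any(p["method"] == "POST" for p in probes)
    distinct_answers = {(p["status"], p["body"]) for p in probes}
    dates = [p.get("date") for p in probes]
    return {
        "all_200": all(p["status"] == 200 for p in probes),
        "all_empty": all(p["body"] == b"" for p in probes),
        # identical answer regardless of auth header or POST body
        "auth_post_ignored": varied and len(distinct_answers) == 1,
        # same Date on every response in the batch
        "date_static": len(set(dates)) == 1,
        # every Date disagrees with the wall clock
        "date_off": all(date_is_off(d, now) for d in dates),
    }


def looks_like_residentbat_http(probes, now):
    t = score_http_probes(probes, now)
    return (t["all_200"] and t["all_empty"] and t["auth_post_ignored"]
            and (t["date_static"] or t["date_off"]))


# Constructed probe time and probe batches (not real captures).
PROBE_TIME = datetime(2026, 2, 10, 12, 0, 0, tzinfo=timezone.utc)
STALE_DATE = "Tue, 06 Jan 2026 01:00:00 GMT"   # the static value quoted in the report

C2_LIKE_PROBES = [
    {"method": "GET", "path": "/", "auth": False, "status": 200, "date": STALE_DATE, "body": b""},
    {"method": "GET", "path": "/x9f2", "auth": False, "status": 200, "date": STALE_DATE, "body": b""},
    {"method": "GET", "path": "/", "auth": True, "status": 200, "date": STALE_DATE, "body": b""},
    {"method": "POST", "path": "/api", "auth": False, "status": 200, "date": STALE_DATE, "body": b""},
]

BENIGN_PROBES = [
    {"method": "GET", "path": "/", "auth": False, "status": 200,
     "date": "Tue, 10 Feb 2026 12:00:01 GMT", "body": b"<html>hi</html>"},
    {"method": "GET", "path": "/x9f2", "auth": False, "status": 404,
     "date": "Tue, 10 Feb 2026 12:00:02 GMT", "body": b"not found"},
    {"method": "GET", "path": "/", "auth": True, "status": 200,
     "date": "Tue, 10 Feb 2026 12:00:03 GMT", "body": b"<html>hi</html>"},
    {"method": "POST", "path": "/api", "auth": False, "status": 405,
     "date": "Tue, 10 Feb 2026 12:00:04 GMT", "body": b"method not allowed"},
]

if __name__ == "__main__":
    for name, batch in (("c2-like", C2_LIKE_PROBES), ("benign", BENIGN_PROBES)):
        print(name, score_http_probes(batch, PROBE_TIME),
              "->", looks_like_residentbat_http(batch, PROBE_TIME))
```

A single probe batch can only show that the Date header disagrees with the clock; confirming that it is truly static means probing the same host again later and comparing. Catch-all empty 200 responses also occur on sinkholes and some CDN edges, so treat this as a corroborating signal alongside the CN=server certificate and banner hash rather than as proof on its own.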
Certificate matching helps link nodes together. Five different SHA-256 certificate fingerprints were observed in the probed infrastructure, with some certificates duplicated on two or more IP and port combinations. This reuse simplifies the search for related nodes if at least one node is already known.
The agent's settings are delivered as JSON. The parameters include the server address sars, the upload interval spd, and a flag asp that makes the agent send collected data as quickly as possible.
Censys offers two approaches to infrastructure discovery. The first relies on a pre-built Threat Module tag:
host.services.threats.name = "ResidentBat"
The second expresses the same logic by hand, combining the CN=server subject with the banner hash:
host.services: (
cert.parsed.subject_dn = "CN=server" and
banner_hash_sha256 = "6f6676d369e99d61ce152e1e2b2eb6f5e26a4331f4008b5d6fe567edefdbeaca"
)
The infrastructure runs on virtual servers at European and Russian providers. The report highlights AS29182 RU-JSCIOT, AS210976 TWC-EU, AS44812, AS51395 and AS44051, among others.
Protecting against ResidentBat starts with preventing installation through physical access and ADB. For those at risk, it is important to disable USB debugging, never let an unlocked phone out of your hands, avoid installing apps from untrusted sources, and make sure Google Play Protect stays enabled. The recommendations specifically mention Android Advanced Protection Mode, which blocks app installation from outside the store and tightens other security settings.
For network monitoring, it is useful to watch for outgoing HTTPS connections to hosts presenting a self-signed certificate with CN=server on ports 7000–7257, and on 4022 where that port appears. Certificate fingerprints and banner hashes can be used for blocking and alerting. On the device, monitoring ADB usage, looking for packages installed without the store, and checking the permissions of apps posing as system apps all help.
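The certificate-reuse pivot described earlier and the monitoring guidance above amount to one detection routine: flag outbound TLS sessions that match the ResidentBat traits, and group the certificates you see by fingerprint so that one confirmed node leads to the others. Below is an added example, not tooling from the RSF/RESIDENT.NGO report or from Censys. The log is constructed by hand and loosely modelled on a Zeek ssl.log joined with its x509 record; the column order, the function names, and the certificate fingerprint values are this script's own assumptions (the report gives no certificate fingerprints, only the banner hash).

```python
"""Flag outbound TLS sessions matching the ResidentBat C2 traits and pivot on
certificate reuse across endpoints.

Added example. SAMPLE_LOG is constructed; the column layout is an assumption
loosely modelled on Zeek ssl.log plus x509 fields, and the fingerprints are
placeholders, not real ResidentBat certificates.
"""
from collections import defaultdict

C2_PORT_RANGE = range(7000, 7258)   # 7000-7257 inclusive, per the report
C2_EXTRA_PORTS = {4022}

COLUMNS = ["ts", "orig_h", "resp_h", "resp_p", "server_name",
           "subject", "issuer", "cert_sha256"]

# Constructed placeholder fingerprints (hypothetical values).
FP_A = "11" * 32      # pretend this one came from a confirmed node
FP_B = "22" * 32
FP_LE = "33" * 32
FP_LOCAL = "44" * 32

SAMPLE_LOG = "\n".join([
    f"1770000000.1\t10.0.0.5\t203.0.113.10\t7020\t-\tCN=server\tCN=server\t{FP_A}",
    f"1770000001.2\t10.0.0.5\t203.0.113.10\t7020\t-\tCN=server\tCN=server\t{FP_A}",
    f"1770000002.3\t10.0.0.7\t203.0.113.11\t4022\t-\tCN=server\tCN=server\t{FP_A}",
    f"1770000003.4\t10.0.0.9\t198.51.100.20\t443\texample.com\tCN=example.com\tCN=R3,O=Let's Encrypt,C=US\t{FP_LE}",
    f"1770000004.5\t10.0.0.9\t192.0.2.30\t7100\t-\tCN=server\tCN=server\t{FP_B}",
    f"1770000005.6\t10.0.0.9\t192.0.2.40\t8443\t-\tCN=localhost\tCN=localhost\t{FP_LOCAL}",
])

KNOWN_FINGERPRINTS = {FP_A}   # seeded from one node already tied to ResidentBat


def parse_ssl_log(text):
    """Parse tab-separated rows into dicts keyed by COLUMNS; skip comments/blanks."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        rec = dict(zip(COLUMNS, line.split("\t")))
        rec["resp_p"] = int(rec["resp_p"])
        records.append(rec)
    return records


def common_name(dn):
    """Pull the CN out of an RFC 4514-style DN such as 'CN=server,O=x'."""
    for rdn in dn.split(","):
        key, _, value = rdn.strip().partition("=")
        if key.upper() == "CN":
            return value
    return None


def is_self_signed(rec):
    # Heuristic: subject equals issuer. A strict check would verify the
    # signature against the certificate's own key.
    return rec["subject"] == rec["issuer"]


def on_c2_port(port):
    return port in C2_PORT_RANGE or port in C2_EXTRA_PORTS


def classify(rec, known=KNOWN_FINGERPRINTS):
    """Return the reasons a session looks like ResidentBat C2 (empty = clean)."""
    reasons = []
    if rec["cert_sha256"] in known:
        reasons.append("known_cert")
    if (is_self_signed(rec) and common_name(rec["subject"]) == "server"
            and on_c2_port(rec["resp_p"])):
        reasons.append("trait_match")
    return reasons


def find_alerts(records, known=KNOWN_FINGERPRINTS):
    alerts = []
    for rec in records:
        reasons = classify(rec, known)
        if reasons:
            alerts.append({"src": rec["orig_h"], "dst": rec["resp_h"],
                           "port": rec["resp_p"], "fp": rec["cert_sha256"],
                           "reasons": reasons})
    return alerts


def pivot_by_fingerprint(records):
    """Map each certificate fingerprint to the set of (host, port) serving it."""
    endpoints = defaultdict(set)
    for rec in records:
        endpoints[rec["cert_sha256"]].add((rec["resp_h"], rec["resp_p"]))
    return dict(endpoints)


def reused_fingerprints(records):
    """Fingerprints seen on more than one endpoint: the pivot the report describes."""
    return {fp: eps for fp, eps in pivot_by_fingerprint(records).items() if len(eps) > 1}


if __name__ == "__main__":
    recs = parse_ssl_log(SAMPLE_LOG)
    for a in find_alerts(recs):
        print(f"ALERT {a['src']} -> {a['dst']}:{a['port']} {a['reasons']}")
    for fp, eps in reused_fingerprints(recs).items():
        print(f"cert {fp[:16]}... reused on {sorted(eps)}")
```

The second branch of `classify` matters: the host at 192.0.2.30 presents a certificate nobody has seen before, but it is self-signed, named CN=server, and listening in the 7000–7257 range, so it is still raised on traits alone. Conversely, the pivot on FP_A is what ties 203.0.113.11:4022 to the already-known 203.0.113.10:7020. Feed the reused fingerprints back into `KNOWN_FINGERPRINTS` (or into the Censys query shown above) to widen the search.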
