The Belarusian KGB (State Security Committee) is using an advanced Android spyware implant, ResidentBat, to spy on journalists and civil society, according to findings published by RESIDENT and Reporters Without Borders (RSF).

In December 2025 the NGO reported that the malware gives the KGB continuous access to the devices of the people it targets. ResidentBat is installed through physical access to the phone and sideloading over ADB (Android Debug Bridge). Once installed, it gives operators access to call logs, SMS messages, messages from encrypted messaging apps (as an on-device implant it reads them after the app has decrypted them, rather than breaking the encryption), microphone recordings, screen captures, and locally stored files. Because deployment requires physically handling the device, ResidentBat is a highly targeted tool rather than a mass-infection campaign.

Because of this delivery method, ResidentBat is typically deployed in specific situations: during arrests, at border crossings, or by intercepting a device in the supply chain. Development appears to date back to at least 2021, which suggests the malware was in use for years before it was identified.

Technical Features and Capabilities

ResidentBat's C2 (command-and-control) traffic runs over HTTPS, so it blends in with ordinary web traffic and is hard to spot without closer inspection.

Its servers present self-signed TLS certificates whose subject common name is simply CN=server, and traffic is usually confined to a narrow port range (7000-7257). Together with consistent TLS fingerprints, these traits are useful indicators for identifying ResidentBat infrastructure. Note that CN=server is also a common default in self-signed certificates, so the common name should be combined with the port range and the fingerprint rather than used on its own.

[Figure: Distribution of ResidentBat C2 servers by country (Source: Censys)]

ResidentBat's infrastructure is located mainly in Europe and Russia, with notable concentrations in the Netherlands, Germany, Switzerland, and Russia. As of February 2026, the servers that maintain control over compromised devices are hosted in these regions. Using the Censys Threat Module, security teams can track these servers and block them from communicating with compromised devices.

Consequences and Suggestions for Defense

Given its capabilities, ResidentBat is a serious risk to journalists and activists who may be targeted by the Belarusian KGB. Defenders should combine device-level and network-level measures.

Device-based defense: Preventing infection comes down to denying physical access and closing the ADB installation path. Keep the device locked and within sight, and keep USB debugging (ADB) disabled unless it is actively needed.

Users should avoid sideloading apps from untrusted sources and keep Google Play Protect enabled. Turning on Android Advanced Protection Mode (AAPM) further restricts sideloading and hardens the device.

Network-based defense: Security teams should watch for unusual network activity, in particular TLS connections to servers on ports 7000-7257 that present a self-signed CN=server certificate.
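The network-side check above can be turned into a simple hunt over TLS session logs. The following is an added example written for this article, not code from RSF, RESIDENT or Censys: it parses JSON records modelled on Zeek's ssl.log (fields id.resp_h, id.resp_p, subject, issuer) and flags sessions that show all three traits the text describes, a port in 7000-7257, a subject CN of "server", and a self-signed certificate (issuer equal to subject). The sample log lines are constructed and use RFC 5737 documentation addresses; they are not real ResidentBat servers. The field names and the three-of-three threshold are assumptions, chosen because CN=server and that port range each occur in plenty of benign traffic.

```python
"""Hunt Zeek-style ssl.log JSON records for ResidentBat C2 traits.

Added example, not code from the report. Field names follow Zeek's ssl.log
(id.resp_h, id.resp_p, subject, issuer); adjust them for your own sensor.
"""
import json
from typing import Iterable, Optional

C2_PORT_MIN, C2_PORT_MAX = 7000, 7257   # port range reported for ResidentBat C2
C2_SUBJECT_CN = "server"                # self-signed certificate subject "CN=server"

# Constructed sample log (assumed data, RFC 5737 addresses): one full match,
# one CN=server self-signed cert on 443, one CA-signed cert on 7200, one benign.
SAMPLE_SSL_LOG = """\
{"ts": 1.0, "id.orig_h": "10.0.0.5", "id.resp_h": "203.0.113.10", "id.resp_p": 7100, "subject": "CN=server", "issuer": "CN=server"}
{"ts": 2.0, "id.orig_h": "10.0.0.5", "id.resp_h": "198.51.100.7", "id.resp_p": 443, "subject": "CN=server", "issuer": "CN=server"}
{"ts": 3.0, "id.orig_h": "10.0.0.6", "id.resp_h": "192.0.2.20", "id.resp_p": 7200, "subject": "CN=api.example.com,O=Example", "issuer": "CN=Example Root CA,O=Example"}
{"ts": 4.0, "id.orig_h": "10.0.0.6", "id.resp_h": "198.51.100.9", "id.resp_p": 443, "subject": "CN=www.example.org", "issuer": "CN=R3,O=Let's Encrypt"}
"""


def dn_cn(dn: Optional[str]) -> Optional[str]:
    """Return the CN attribute of a comma-separated DN string such as
    'CN=server,O=Example', or None when there is no CN."""
    if not dn:
        return None
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        if attr.strip().upper() == "CN":
            return value.strip()
    return None


def indicators(rec: dict) -> list:
    """List which of the three ResidentBat C2 traits one session record shows."""
    hits = []
    port = rec.get("id.resp_p")
    if isinstance(port, int) and C2_PORT_MIN <= port <= C2_PORT_MAX:
        hits.append("port_range")
    subject, issuer = rec.get("subject"), rec.get("issuer")
    if dn_cn(subject) == C2_SUBJECT_CN:
        hits.append("cn_server")
    if subject and subject == issuer:       # self-signed: issuer equals subject
        hits.append("self_signed")
    return hits


def hunt(log_lines: Iterable[str], min_hits: int = 3) -> list:
    """Parse JSON session lines and return (resp_h, resp_p, hits) tuples for
    sessions with at least min_hits indicators. The default demands all three:
    CN=server is a common self-signed default and 7000-7257 is used by plenty
    of legitimate software, so either alone would flood an analyst."""
    flagged = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue                        # skip a malformed line, keep hunting
        hits = indicators(rec)
        if len(hits) >= min_hits:
            flagged.append((rec.get("id.resp_h"), rec.get("id.resp_p"), hits))
    return flagged


def blocklist(flagged) -> list:
    """Unique server addresses from hunt() output, sorted for a firewall or DNS blocklist."""
    return sorted({host for host, _, _ in flagged if host})


if __name__ == "__main__":
    matches = hunt(SAMPLE_SSL_LOG.splitlines())
    for host, port, hits in matches:
        print(f"{host}:{port} matched {', '.join(hits)}")
    print("blocklist:", blocklist(matches))
```

Lowering min_hits to 2 surfaces the partial matches (for example a CN=server self-signed certificate on 443) for manual review; keep the full three-of-three threshold for anything that feeds a blocklist automatically, and add the TLS fingerprint as a fourth condition once you have it from a trusted source such as the Censys data.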

Identifying and blocking traffic to these C2 servers cuts off the malware's communication with its operators. Security teams can also track ResidentBat-related infrastructure with the Censys Threat Platform and feed it into blocklists.

[Figure: ResidentBat gives the KGB power (Source: Censys)]

ResidentBat is a clear example of targeted, persistent surveillance. Its capabilities and its ability to operate covertly make it a serious threat to people who are the focus of state-sponsored surveillance.

Hardening devices and putting monitoring in place are essential to reducing the risk that this and similar malware poses to vulnerable people.