Half Of Our Android RAT Corpus Arrived In The Last 72 Hours. The Next Mobile Campaign Is Staging On GitHub Right Now.
- Patrick Duggan
- 1 day ago
- 4 min read
This is a prediction post, not a receipts-after-the-fact post. The shape that prompts the prediction is unambiguous.
The DugganUSA IOC corpus contains 31 Android-RAT-family indicators all-time. Fifteen of those 31 arrived in the last 72 hours. Forty-eight percent of a multi-month corpus appeared in three days. The source for every one of those 15 is our github-hunt-cron — the scheduled job that sweeps GitHub Search for known-bad infrastructure patterns at 08:15 UTC daily. The signal is operators staging Android RAT projects in public repositories at a rate the corpus has not previously recorded.
The next mobile malware campaign is in the staging phase right now.
What Got Staged
The 15 repositories surfaced in the last 72 hours include forks and fresh builds of the AhMyth Android RAT framework, NetworkPegasus2.0, RatMapAndroid, a project named Android-remote-control-2026, a build labeled SilkRate-Android, a project called Shadow-Builder, and ten others following the same family of naming conventions. The most recent of those repositories was first seen by our hunt cron less than an hour before this post was published. The oldest of the fifteen is 68 hours old. The arrival distribution is dense at both ends of the window: this is not residual indexing of stale repos, it is fresh staging concentrated in the current 72 hours.
Mobile RAT staging in this volume historically precedes a campaign by two to six weeks. The AhMyth framework family in particular has a well-documented operator lifecycle — operators fork the framework, customize the C2 host and the application-icon disguise, push the project to GitHub for collaborator handoff, then pull the repository to a private host before the campaign launches. We are watching the public phase of that lifecycle in real time.
The Two Supporting Signals
The Android-RAT surge does not stand alone. In the same 72-hour window, our hunt cron also indexed six fresh TokenGrabber repositories, most of them Discord-targeted, including one disguised as a phishing-education simulator and one posing as a defensive threat scanner. The Discord credential-theft economy and the Android RAT economy share substantial operator overlap. The same window also surfaced five fresh XWorm RAT builds, including XWorm v7.0 builds and a v4.6 builder kit. XWorm is a Windows-side RAT family, not a mobile one, so this is desktop RAT capacity being refreshed alongside the mobile staging.
The clustering says three things simultaneously. Mobile RAT capacity is being staged. Credential-theft tooling is being staged. Multi-platform RAT infrastructure is being refreshed. Operators do not usually move all three axes at once unless a multi-front campaign is in the planning phase.
What Makes This A Pyramid And Not A Triangle
Single-axis surges are noise. Three orthogonal axes moving together on the same window is the structural test we apply before naming a prediction in public.
Axis one is volume: 15 fresh AndroidRAT IOCs are 48 percent of our all-time corpus in 72 hours, a ratio that does not happen as background noise. Axis two is shape: AhMyth forks, NetworkPegasus2.0, and Shadow-Builder are operator-customized projects, not generic samples re-uploaded to GitHub. Axis three is co-staging: TokenGrabber and XWorm moved in the same window, which is the historical pattern of multi-front campaign preparation rather than independent single-actor activity.
Three axes, same direction, same window. Pyramid.
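The volume and co-staging axes are arithmetic over first-seen timestamps, so they can be scored mechanically; the shape axis (whether a repo is operator-customized) stays analyst judgment. The following is an added example, not the DugganUSA hunt-cron code or the real feed: it runs the trailing-window surge test over a constructed corpus whose family counts mirror the numbers quoted in this post (31 AndroidRAT-Family records with 15 in the window, six fresh TokenGrabber, five fresh XWorm) plus a control family with no fresh arrivals. The record fields, the 25 percent volume threshold and the three-family co-staging threshold are assumptions chosen for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


# Assumed record shape; the real feed's schema is not shown in the post.
@dataclass(frozen=True)
class Ioc:
    repo: str
    family: str
    first_seen: datetime


# Constructed "now": the morning of the post, after the 08:15 UTC sweep.
NOW = datetime(2026, 5, 19, 9, 0, tzinfo=timezone.utc)


def _records(family, fresh, stale, stale_span_days):
    """Constructed data: `fresh` records spread from 1h to 68h old (dense at
    both ends of the 72h window) and `stale` records spread evenly over the
    preceding `stale_span_days` days."""
    out = []
    for i in range(fresh):
        age = timedelta(hours=1 + i * (67 / max(fresh - 1, 1)))
        out.append(Ioc(f"{family.lower()}-fresh-{i}", family, NOW - age))
    for i in range(stale):
        age = timedelta(days=4 + i * (stale_span_days / max(stale, 1)))
        out.append(Ioc(f"{family.lower()}-old-{i}", family, NOW - age))
    return out


SAMPLE_CORPUS = (
    _records("AndroidRAT-Family", fresh=15, stale=16, stale_span_days=120)
    + _records("TokenGrabber", fresh=6, stale=30, stale_span_days=180)
    + _records("XWorm", fresh=5, stale=40, stale_span_days=240)
    + _records("AsyncRAT", fresh=0, stale=25, stale_span_days=200)  # control
)


def surge_report(corpus, now=NOW, window_hours=72):
    """Per-family counts for the trailing window: all-time total, fresh count,
    fresh share of the family's corpus, and the age of the newest and oldest
    fresh record (the 'dense at both ends' check)."""
    cutoff = now - timedelta(hours=window_hours)
    by_family = defaultdict(list)
    for ioc in corpus:
        by_family[ioc.family].append(ioc)
    report = {}
    for family, iocs in by_family.items():
        fresh = [i for i in iocs if i.first_seen >= cutoff]
        ages = sorted((now - i.first_seen).total_seconds() / 3600 for i in fresh)
        report[family] = {
            "total": len(iocs),
            "fresh": len(fresh),
            "ratio": len(fresh) / len(iocs),
            "newest_age_h": ages[0] if ages else None,
            "oldest_fresh_age_h": ages[-1] if ages else None,
        }
    return report


def pyramid_test(report, lead_family, volume_min=0.25, min_families=3, min_fresh=3):
    """Axis one: the lead family's fresh share clears volume_min.
    Axis three: at least min_families families each show >= min_fresh fresh
    arrivals in the same window. Axis two (operator customisation of the
    repos) is not scored here; it needs a human look at the repositories."""
    lead = report[lead_family]
    volume_ok = lead["ratio"] >= volume_min
    co_staged = sorted(f for f, r in report.items() if r["fresh"] >= min_fresh)
    co_staging_ok = len(co_staged) >= min_families
    return {
        "volume_axis": volume_ok,
        "lead_ratio": round(lead["ratio"], 3),
        "co_staging_axis": co_staging_ok,
        "co_staged_families": co_staged,
        "pyramid": volume_ok and co_staging_ok,
    }


if __name__ == "__main__":
    rep = surge_report(SAMPLE_CORPUS)
    for fam, r in sorted(rep.items()):
        print(f"{fam:20s} total={r['total']:3d} fresh={r['fresh']:3d} ratio={r['ratio']:.3f}")
    print(pyramid_test(rep, "AndroidRAT-Family"))
```

Run against a real corpus, the thresholds are the part worth tuning: a 25 percent share of a family with four all-time records is one busy afternoon, not a surge, so weight the volume axis by the family's absolute count before letting it name a prediction.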
What This Does Not Tell Us
We do not yet know which specific victim sector the campaign is aimed at. The AhMyth disguise patterns historically split between banking app impersonation, productivity app impersonation, and crypto wallet impersonation. We do not yet know which C2 hosts will carry the launch traffic — the GitHub-staged repositories typically use placeholder C2 domains that get rewritten before the campaign moves out of GitHub into the wild. We do not yet know the language localization, which is the cleanest signal for victim-region targeting once it appears.
The current observable is the staging volume and the staging diversity. The current actionable is to start watching mobile app stores, Google Play Protect warnings on sideloaded packages, and your own employee-device telemetry for fresh Android RAT installs in the next two to six weeks. The operators who staged this week did not stage to leave their work on GitHub.
The Defender Posture
Mobile threat intelligence is not a strength of most enterprise security stacks. The detection cadence is generally weeks behind the desktop side because the telemetry path runs through MDM, EDR-on-mobile if you pay for it, and app store reporting, none of which run as fast as Sysmon-on-Windows. The lead time on this prediction is the window to harden that path.
The three concrete posture changes are: enable sideload-install alerting on every managed Android device today, not when the campaign drops; subscribe your SOC to the github-hunt-cron output stream via the DugganUSA STIX feed so the fresh staging IOCs reach your TIP before the C2 rewrite happens; and brief your help desk that "my phone is acting weird, but I did not install anything new" is a campaign-class signal between June and early July 2026, not a routine ticket.
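Sideload alerting is the posture change that needs a concrete check behind it. The following is an added example, not a DugganUSA tool or any MDM vendor's code: it parses the output of `adb shell pm list packages -3 -i` (third-party packages with their installing package), treats anything not installed by a trusted store as sideloaded, and diffs against a baseline snapshot so you alert on new sideloads rather than on the MDM-pushed apps that legitimately sit in the baseline. The snapshots are constructed; the package names, the trusted-installer set and the baseline-diff approach are assumptions for illustration.

```python
import re

# Assumption: Play Store and Galaxy Store are the only sanctioned sources.
# Add your MDM agent's package name if it installs apps directly.
TRUSTED_INSTALLERS = {"com.android.vending", "com.sec.android.app.samsungapps"}

# Line format emitted by `pm list packages -i`:
#   package:<name>  installer=<installer package or null>
_LINE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<installer>\S+)$")

# Constructed snapshots (not real device output). The VPN client was pushed
# by IT and shows installer=null, so it belongs in the baseline.
BASELINE_SNAPSHOT = """\
package:com.whatsapp  installer=com.android.vending
package:com.slack  installer=com.android.vending
package:com.corp.vpnclient  installer=null
"""

CURRENT_SNAPSHOT = BASELINE_SNAPSHOT + """\
package:com.google.android.apps.docs  installer=com.android.vending
package:com.secure.bankingupdate  installer=com.android.packageinstaller
"""


def parse_pm_list(output):
    """Map package name -> installer package (None when pm reports 'null')."""
    installed = {}
    for line in output.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue  # ignore blank lines and anything not in pm's format
        installer = m.group("installer")
        installed[m.group("pkg")] = None if installer == "null" else installer
    return installed


def sideloaded(installed, trusted=TRUSTED_INSTALLERS):
    """Third-party packages whose installer is not a sanctioned store.
    Only meaningful on `-3` output: system packages also report null."""
    return {pkg: inst for pkg, inst in installed.items() if inst not in trusted}


def new_sideloads(baseline_output, current_output, trusted=TRUSTED_INSTALLERS):
    """Sideloaded packages present now that were not sideloaded at baseline:
    this is the set worth an alert, not the whole sideloaded set."""
    base = sideloaded(parse_pm_list(baseline_output), trusted)
    cur = sideloaded(parse_pm_list(current_output), trusted)
    return {pkg: inst for pkg, inst in cur.items() if pkg not in base}


if __name__ == "__main__":
    for pkg, inst in new_sideloads(BASELINE_SNAPSHOT, CURRENT_SNAPSHOT).items():
        print(f"ALERT new sideload: {pkg} (installer={inst})")
```

The installer string is only as trustworthy as the device: an app installed through the system package installer reports `com.android.packageinstaller`, a Play install reports `com.android.vending`, and a manually pushed or MDM-pushed APK usually reports `null`, so the baseline diff, not the raw installer value, is what separates a corporate push from an employee tapping through a "banking update" link.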
The DugganUSA position is that the next major mobile malware campaign launches within six weeks of today, May 19, 2026. We will keep watching the staging shape and update this prediction if the supporting axes diverge. The receipt for this post is the 15 indicators already in our public corpus, queryable today at analytics.dugganusa.com against the iocs index filtered on malware_family AndroidRAT-Family. Anyone with a STIX key can verify the count and the timestamps independently.
If the prediction is wrong, the indicators still stand: the repositories are malicious tooling whether or not a campaign follows. That is the test the corpus has to pass either way.