Researchers at zLabs have uncovered a sophisticated Android Remote Access Trojan (RAT) known as Fantasy Hub, being sold on Russian-language cybercrime channels under a Malware-as-a-Service (MaaS) model. The spyware, advertised with videos, documentation, and Telegram-based subscriptions, enables full device control, data exfiltration, and targeted banking credential theft.
Unlike one-off commodity malware, Fantasy Hub represents a professionalized cybercrime product. Its seller advertises through Telegram, showcasing a sleek command panel, subscription tiers, and automated dropper builders — all accessible through a chatbot.
“Official ads enumerate features and direct buyers to a Telegram bot that manages paid subscriptions and builder access. The bot’s ‘Dropper’ option lets buyers upload any APK and returns a version with the Fantasy Hub dropper appended.”
These features lower the technical barrier for aspiring cybercriminals. Buyers can select subscription plans based on duration or feature set.
“Fantasy Hub is not a one-off commodity kit: it’s a MaaS product with seller documentation, videos, and a bot-driven subscription model that helps novice attackers by providing a low barrier to entry.”
Fantasy Hub’s arsenal rivals that of nation-state spyware, with modules for SMS interception, call recording, camera activation, and live streaming through WebRTC.
“These capabilities include the exfiltration of SMS messages, contacts, call logs, and bulk theft of images and videos. The malware can also intercept, reply to, and delete incoming notifications.”
The spyware can even stream live audio and video from a victim’s phone, silently relaying content through an encrypted WebRTC channel back to the command-and-control (C2) server.
While a stream is active, the malware briefly displays a subtle “Live stream active” message so the activity appears legitimate, then turns off the camera and microphone once streaming stops.
A standout feature of Fantasy Hub is its phishing overlay system that targets customers of major Russian banks including Alfa-Bank, PSB, Tbank, and Sber. The spyware can spawn fake login screens directly over legitimate apps, tricking users into entering credentials, card numbers, and PINs.
These overlays can be customized through a simple interface. The seller even provides video tutorials teaching buyers how to create tailored phishing pages with custom fields for password and card details.
The Fantasy Hub operator provides detailed instructions for disguising payloads as legitimate apps, complete with fake reviews and icons, hosted on fraudulent pages that imitate Google Play.
One observed phishing page mimicked Telegram, featuring fabricated user reviews to enhance credibility. This level of social engineering sophistication allows Fantasy Hub campaigns to bypass casual user scrutiny — and, in some cases, Google’s initial screening mechanisms.
At the code level, Fantasy Hub demonstrates significant effort to avoid detection. A native dropper embedded within a module named metamask_loader decrypts an encrypted file (metadata.dat) at runtime using a custom XOR-based routine and gzip decompression.
By encrypting and decrypting payloads dynamically, the malware minimizes static indicators, making it more difficult for antivirus tools and sandboxes to detect its behavior before execution.
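As an added analyst-side example (not code from zLabs, the malware, or its seller), the helper below strips a layer of the kind described: a repeating-key XOR applied over a gzip stream. Because every gzip stream starts with the bytes 1f 8b 08, that known plaintext both validates a candidate key and, for a one-byte key, recovers it outright; the key, payload and file contents used here are constructed, and the real routine's key length and exact XOR variant are not known from the report.

```python
import gzip
import zlib
from itertools import cycle

# A gzip stream always begins ID1=0x1f, ID2=0x8b, CM=0x08 (deflate).
GZIP_MAGIC = b"\x1f\x8b\x08"

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; symmetric, so the same call packs and unpacks."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def unpack_layer(blob: bytes, key: bytes):
    """XOR the blob with key and gunzip it. Returns None unless the XOR
    output is a well-formed gzip stream (wrong key, or not this scheme)."""
    plain = xor_bytes(blob, key)
    if not plain.startswith(GZIP_MAGIC):
        return None
    try:
        return gzip.decompress(plain)
    except (OSError, EOFError, zlib.error):  # BadGzipFile is an OSError
        return None

def guess_single_byte_key(blob: bytes):
    """Known-plaintext recovery for a one-byte key: ciphertext[0] XOR 0x1f
    is the only candidate, and it must also map the next two bytes onto 8b 08."""
    if len(blob) < 3:
        return None
    k = blob[0] ^ GZIP_MAGIC[0]
    if bytes(b ^ k for b in blob[:3]) == GZIP_MAGIC:
        return k
    return None

def build_sample(payload: bytes, key: bytes) -> bytes:
    """Constructed test fixture only: gzip then XOR, mirroring the described
    layering so the unpacker can be exercised offline on invented data."""
    return xor_bytes(gzip.compress(payload), key)

# Constructed sample; key and contents are invented, not taken from the malware.
SAMPLE_KEY = b"\x5a"
SAMPLE = build_sample(b"constructed inner payload (not a real APK/DEX)", SAMPLE_KEY)

if __name__ == "__main__":
    k = guess_single_byte_key(SAMPLE)
    print("recovered key byte:", None if k is None else hex(k))
    print("unpacked:", None if k is None else unpack_layer(SAMPLE, bytes([k])))
```

For a multi-byte key the same three magic bytes only confirm or reject a candidate, so `unpack_layer` is the check to run once the key has been pulled from the native loader during analysis.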
Fantasy Hub further distinguishes itself by abusing Android’s SMS handler role — a single grant that gives it sweeping access to messages, contacts, and files without requiring multiple user prompts.
This permission enables automatic interception of two-factor authentication (2FA) codes, a key component of many mobile banking attacks. When combined with phishing overlays, it allows attackers to fully compromise financial accounts in real time.
Fantasy Hub uses Telegram bots to handle both subscriptions and victim notifications. The seller instructs buyers to create a Telegram bot, retrieve its chat ID, and configure API tokens — an approach that mirrors other Russian MaaS families such as HyperRat.
The C2 dashboard displays infected device data, including model, SIM card slot identifiers, and subscription time remaining, making management simple even for low-skilled operators.