Octo2 Makes Waves in Its Newest Campaign

Scams

September 26, 2024

Octo2, the newest variant of the Octo Android banking trojan, has been observed in a campaign across several European countries. The family traces back to Exobot, a banking trojan first spotted in 2016, and has undergone many upgrades and transformations since those beginnings. After Octo's source code was leaked in 2024, the original author, known as Architect, released the newest version, Octo2.

Like its predecessors, Octo2 is Android malware. The new version adds improvements to operational stability, obfuscation techniques that hinder detection and analysis, and a domain generation algorithm (DGA) so that communication with the command and control (C2) server survives the blocking or takedown of individual domains. Octo2 has been seen masquerading as NordVPN, Google Chrome, and an application named Europe Enterprise. As Octo2 is sold more widely, the list of imitated applications will likely grow.

The newest campaign has so far been limited to Italy, Poland, Moldova, and Hungary. However, given Octo's history as malware-as-a-service and the threat actor's promised pricing discount for existing Octo customers, it is likely only a matter of time before the new variant appears in similar attacks worldwide.

Recommendations

  • Type official website URLs into browsers manually.
  • Avoid installing apps from outside the Google Play Store, and be wary of granting apps invasive or unnecessary permissions.
  • Obtain software only from legitimate developers or companies, and check the developer name and customer reviews before installing, since Octo2 imitates well-known brands such as NordVPN and Google Chrome.