Trojan:AndroidOS/Multiverze
Aliases: No associated aliases
Summary
Trojan:AndroidOS/Multiverze identifies a versatile family of malware that, despite its Android-focused naming, presents significant risks to Windows and Linux devices. It relies on common programming runtimes and on server vulnerabilities, so it blurs the line between desktop and server threats. Security teams note frequent detections under this same signature involving Java archive files on desktops and Go-language binaries on servers. This analysis details the malware's technical mechanisms, its infection lifecycle, and practical steps for response and prevention.
The core threat is a backdoor designed for persistent remote control and data theft. Threat actors deliver it through sophisticated methods, including exploiting critical vulnerabilities in web frameworks like React/Next.js or bundling it within modified application packages. Following a breach, Multiverze establishes a foothold that allows threat actors to deploy post-exploitation frameworks such as Sliver or Cobalt Strike beacons. Its cross-platform nature is key to its effectiveness: it leverages the portability of Java bytecode and Go's cross-compilation to target multiple operating systems from a shared codebase. The ultimate impact ranges from single-device compromise to full network infiltration, as it often includes functionality for network proxying and lateral movement.
- Immediately disconnect the affected device from all networks (wired, Wi-Fi, and cellular) to contain the threat.
- Manually inspect and remove persistence artifacts: delete malicious systemd services, cron jobs, and scheduled tasks, and clear any related files from /dev/shm, /tmp, and hidden directories.
- Terminate any identified malicious processes running in memory.
- From a known-clean device, reset passwords for every account that is accessible from the compromised system and enable multi-factor authentication.
- Analyze network logs to determine the scope of data exfiltration to external command and control servers.
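The persistence-review step above (systemd services, cron jobs, and files staged in /dev/shm and /tmp) is the part of the response most often done by hand. The script below is an added example written for this page, not Microsoft's tooling or anything shipped with Defender. It is a read-only triage helper: it lists systemd units and cron entries that launch from staging or hidden paths, and executable or hidden files in the staging directories, so an analyst can review them before deleting anything. The path pattern in SUSPECT_PATHS and the directories used by the --host run are assumptions about a typical Linux host; compare the output against a known-good baseline rather than treating every hit as malicious.

```shell
#!/bin/sh
# Added example (not Microsoft's code): read-only persistence triage for the
# "inspect and remove persistence artifacts" step. It deletes nothing.

# Locations that legitimate services rarely launch from (assumption; tune per
# environment). "/\." catches hidden directories and files such as /tmp/.cache.
SUSPECT_PATHS='/tmp/|/dev/shm/|/var/tmp/|/\.'

# suspicious_units DIR: print systemd unit files under DIR whose ExecStart
# points into a staging directory or a hidden path.
suspicious_units() {
    dir="$1"
    [ -d "$dir" ] || return 0
    grep -lE "^ExecStart=.*($SUSPECT_PATHS)" "$dir"/*.service 2>/dev/null || true
}

# suspicious_cron DIR: print non-comment crontab lines (file:line) under DIR
# that reference a staging directory or a hidden path.
suspicious_cron() {
    dir="$1"
    [ -d "$dir" ] || return 0
    grep -rHE "($SUSPECT_PATHS)" "$dir" 2>/dev/null \
        | grep -vE '^[^:]*:[[:space:]]*#' || true
}

# staged_executables DIR: print regular files under DIR that are executable
# by their owner or hidden; /dev/shm and /tmp normally hold neither.
staged_executables() {
    dir="$1"
    [ -d "$dir" ] || return 0
    find "$dir" -xdev -type f \( -perm -100 -o -name '.*' \) 2>/dev/null
}

# triage_report UNIT_DIR CRON_DIR SHM_DIR TMP_DIR: print all findings for review.
triage_report() {
    echo "== systemd units launching from staging or hidden paths =="
    suspicious_units "$1"
    echo "== cron entries referencing staging or hidden paths =="
    suspicious_cron "$2"
    echo "== executable or hidden files in $3 and $4 =="
    staged_executables "$3"
    staged_executables "$4"
}

# Only touch the real host when explicitly asked; otherwise the functions
# above are merely defined so the script can be sourced or tested.
if [ "${1:-}" = "--host" ]; then
    triage_report /etc/systemd/system /etc/cron.d /dev/shm /tmp
fi
```

Run as `sh triage.sh --host` on the isolated machine (from a live or rescue environment if you suspect the installed binaries). Each hit is a candidate for the manual removal described above; `systemctl cat <unit>` and the owning crontab file show exactly what would be deleted. User-level units (~/.config/systemd/user) and per-user crontabs (/var/spool/cron) are additional locations worth passing in the same way.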
Microsoft Defender Antivirus automatically removes threats as they are detected. However, many infections can leave remnant files and system changes. Updating your antimalware definitions and running a full scan might help address these remnant artifacts.
You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.