WolfRAT is a modified version of DenDroid. Based on strings in the code and C2 domain names, it appears that Thai users and devices are the targets of this campaign. After being installed on an Android device, WolfRAT provides the operators with various capabilities, such as information stealing and management of the malware. Researchers identified four variants of the RAT with minor changes between each version. The C2 domain changes with each version, and certain permissions and functions are either removed or added. Features added since the initial version include the ability to execute shell commands and monitor Line, Facebook Messenger and WhatsApp activities. The most recent version also masquerades as a Google services application. The researchers note that the observed development cycle reflects an amateur development methodology. Infrastructure overlaps and leaked information led the researchers to attribute this activity to the Wolf Intelligence group, which was believed to have been inactive since its activities were publicly reported in 2018. Based on this attribution, along with the main functionality provided by the malware, the group's main goal is likely related to intelligence gathering.