Commit
Update README.md
DesktopECHO committed May 2, 2023
1 parent 65b2389 commit 8a0431c
Showing 1 changed file with 3 additions and 1 deletion.
4 changes: 3 additions & 1 deletion README.md
Expand Up @@ -15,12 +15,14 @@ Your device is infected with malware, constantly trying to find a [C2 server](ht

## 28-Apr-2023 · Stage 1 Classes.dex gives up its secrets

Stage 1 will go to http://128.199.97.77/update/update.conf (which **was** _adc.flyermobi.com_ until today) and get the URL for Stage 2:
Stage 1 will go to http://adc.flyermobi.com/update/update.conf (128.199.97.77) and get the URL for Stage 2:

{"Id":1,"version":"2.802","url":"http://adc.flyermobi.com/data/b2802.data","package":"com.mozgame.fruitmania","cid":"801"}

The URL above is arbitrary and can/will change. Stage 2 payload was encrypted; decrypted version is archived as [classes.dex](https://github.com/DesktopECHO/T95-H616-Malware/blob/main/stage-2-classes.dex/classes.dex). This particular example is meant to generate ad-click revenue in the background, but the malware a device receives is at the whim of the people running this IP.

Fun fact: [*http://adc.flyermobi.com/update/update.conf*](https://www.virustotal.com/gui/file/4395f1d6ba0ae4c512630ecaf367593a6f14c81cb1589173a1c2b8262a474b1c/details) is also a URL used by the [Gigaset Smartphone supply chain attack](https://www.malwarebytes.com/blog/news/2021/04/pre-installed-auto-installer-threat-found-on-android-mobile-devices-in-germany) of August 2021.

Those responsible did a good job hiding their identity until now, but they left behind an expired SSL certificate from 2017 bound to port 443. It's a real certificate issued by Symantec: **dsp.dotinapp.com**. The https site appears to be a dev/test version of the malware being served on port 80. This certificate, likely forgotten for years, is a clear indication of those behind the malware:
![dsp dotinapp com](https://user-images.githubusercontent.com/33142753/235279545-09f8c0cb-4c67-44d6-92be-8235fab55d99.png)

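Review bot: The replacement line drops the dating detail from the removed line ("which **was** _adc.flyermobi.com_ until today"), which is the only place the README records that the hostname/IP relationship changed on 28-Apr-2023; since the hunk header is dated, that observation is useful timeline evidence for anyone correlating the C2 infrastructure, so consider keeping it, e.g. "http://adc.flyermobi.com/update/update.conf (128.199.97.77; the hostname was observed changing on this date)". Separately, the unchanged context line below cites the Gigaset attack as "August 2021" while the linked Malwarebytes URL path reads 2021/04, so the stated month should be checked against the source.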

0 comments on commit 8a0431c