Dubbed Octo, the botnet was first mentioned on dark web forums in January 2022, but an analysis of its code revealed a close connection with ExobotCompact, which is believed to be the successor of the Exobot Android trojan, which in turn was based on the source code of the Marcher trojan.

Exobot was used in numerous attacks on financial institutions in Australia, France, Germany, Japan, Thailand, and Turkey, and was maintained until 2018.

ExobotCompact emerged as a lite version of the trojan, with at least four variants observed to date, the most recent of which emerged in November 2021. The malware was even distributed via a dropper app published to Google Play – Fast Cleaner – where it gathered over 50,000 downloads.