MITRE ATT&CK® Group

G0097: Bouncing Golf

Bouncing Golf is a cyberespionage campaign targeting Middle Eastern countries.[1]

Domain: Mobile | ID: G0097 | Type: Group | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

Bouncing Golf is a mobile cyberespionage campaign reported against Middle Eastern countries. For leaders, its main decision value is not the group name itself, but the reminder that mobile devices can become intelligence-collection endpoints, especially where executives, field personnel, or regional operations rely on Android devices for email, messaging, identity access, and business coordination.

Executive priority

Prioritize validation of mobile security visibility where the organization operates in, travels to, or supports Middle Eastern business activity. This object supports a focused discussion on whether mobile devices are covered by incident response, managed detection, identity access policy, and audit evidence—not just traditional endpoints. Because ATT&CK provides no official detection guidance for this group, leadership should ask what evidence would prove or disprove compromise of managed Android devices and whether BYOD creates an unmanaged blind spot.

Technical view

The supplied relationships show Bouncing Golf uses GolfSpy, described as Android spyware, and uses Match Legitimate Name or Location, where malicious mobile artifacts mimic trusted names, icons, package names, or locations. SOC and IR teams should validate Android-focused visibility: installed applications, package metadata, app icons/names, install source, permissions, device network activity, and identity activity tied to the mobile device. Detection engineering should avoid relying only on known malware names and should test whether controls can identify suspicious impersonation of legitimate apps or package naming patterns.

Likely telemetry

  • MDM/UEM device inventory and compliance state for Android devices
  • Installed application inventory, package names, app labels, icons, versions, and install sources
  • Mobile security or EDR events where deployed on Android
  • Application permission grants and changes, especially sensitive permissions
  • Device network, DNS, proxy, or secure web gateway logs attributable to mobile devices

Detection direction

  • Confirm whether Android mobile devices are in scope for SOC monitoring; unmanaged BYOD may be the primary blind spot.
  • Map detections to GolfSpy where trusted threat intelligence or internal indicators are available, but do not depend solely on static names or hashes.
  • Hunt for apps that approximate trusted application names, icons, or package naming conventions, consistent with T1655.001 behavior.
  • Tune for false positives from legitimate enterprise apps, regional app variants, rebranded applications, and approved administrative tools.
  • Correlate suspicious app presence with unusual identity activity, new device registrations, or unexpected access from mobile devices.
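One way to turn the impersonation and tuning bullets above into a hunt over an MDM application inventory, as an added example that is not Glexia's or MITRE's code: it flags trusted app labels sitting on unexpected packages, package names that closely resemble trusted ones, repackaged builds via signer mismatch, and installs from outside an approved store. The allowlist, installer set, `App` fields and sample rows are constructed assumptions; an app-level inventory does not expose internal code packages such as `com.golf`, so the hunt keys on the outer package name, label, signer and install source instead.

```python
import difflib
from dataclasses import dataclass
# Hypothetical allowlist from an org's MDM baseline (constructed):
# app label -> (expected package name, expected signing-cert fingerprint).
TRUSTED = {
    "Outlook": ("com.microsoft.office.outlook", "sha256:AAAA"),
    "Signal": ("org.thoughtcrime.securesms", "sha256:BBBB"),
}
TRUSTED_INSTALLERS = {"com.android.vending"}  # approved install sources (assumption)
@dataclass
class App:  # one row of the MDM application inventory
    package: str
    label: str
    installer: str
    signer: str

def lookalike_of(package: str, threshold: float = 0.85):
    """Trusted package this name closely resembles but does not equal, else None."""
    best, best_ratio = None, 0.0
    for pkg, _ in TRUSTED.values():
        if pkg == package:
            return None
        ratio = difflib.SequenceMatcher(None, package, pkg).ratio()
        if ratio > best_ratio:
            best, best_ratio = pkg, ratio
    return best if best_ratio >= threshold else None
def findings(app: App) -> list[str]:
    """Apply the T1655.001 impersonation rules to one inventory row."""
    out, expected = [], TRUSTED.get(app.label)
    if expected and app.package != expected[0]:
        out.append(f"trusted label '{app.label}' on unexpected package {app.package}")
    elif expected and app.signer != expected[1]:
        out.append(f"{app.package} signed by an unexpected certificate (repackaged?)")
    near = lookalike_of(app.package)
    if near:
        out.append(f"package {app.package} resembles trusted package {near}")
    if (expected or near) and app.installer not in TRUSTED_INSTALLERS:
        out.append(f"installed via {app.installer}, not an approved store")
    return out

def hunt(inventory: list[App]) -> list[tuple[str, list[str]]]:
    # (package, findings) for every row that tripped at least one rule
    return [(a.package, f) for a in inventory if (f := findings(a))]
# Constructed sample inventory, not real telemetry.
SAMPLE = [
    App("com.microsoft.office.outlook", "Outlook", "com.android.vending", "sha256:AAAA"),
    App("com.microsoft.office.outlook", "Outlook", "com.example.sideload", "sha256:ZZZZ"),
    App("org.thoughtcrime.securesm", "Signal", "com.example.sideload", "sha256:ZZZZ"),
    App("com.vendor.erp", "ERP Mobile", "com.android.vending", "sha256:DDDD"),
]
```

The unrelated enterprise app trips nothing, which is the false-positive guard the tuning bullet asks for; the similarity threshold and allowlist are the knobs to adjust per environment.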

Mitigation priorities

  • Establish or validate mobile device management for Android devices that access business email, collaboration, or identity-protected resources.
  • Restrict unapproved application installation and require trusted app distribution paths where feasible.
  • Use conditional access or equivalent policy to tie sensitive access to device compliance and managed status.
  • Review mobile app permissions and enforce least-privilege access to sensitive device capabilities where policy allows.
  • Prepare mobile IR procedures for containment, evidence preservation, user notification, and credential/session reset decisions.

Analyst notes and limits

The most useful relationship context is that Bouncing Golf uses GolfSpy, an Android spyware family, and a technique involving mimicking legitimate names or locations. This supports mobile-focused defensive validation and impersonation-based detection logic, but not a broader claim about current activity or specific victim exposure.

ATT&CK provides a sparse group record: no official detection text, no tactics, and no platforms directly on the intrusion-set object. Android relevance is derived from the related GolfSpy software and related technique platform data. Local environment telemetry, device ownership model, regional exposure, and approved mobile management controls are required to turn this into an actionable coverage assessment.

Official MITRE ATT&CK definition

Bouncing Golf

Bouncing Golf is a cyberespionage campaign targeting Middle Eastern countries.[1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
Mobile | T1655.001 | Match Legitimate Name or Location (sub-technique) | Bouncing Golf distributed malware as repackaged legitimate applications, with the malicious code in the `com.golf` package. [1]


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 949401aa8fc4072d...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 949401aa8fc4…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Trend Micro Bouncing Golf 2019: E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign 'Bouncing Golf' Affects Middle East. Retrieved January 27, 2020.
  2. [2] mitre-attack G0097

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.