{
	"id": "ad3d5733-c5c0-4ad2-9c86-c7483beffef2",
	"created_at": "2026-04-06T01:31:13.471999Z",
	"updated_at": "2026-04-10T13:12:01.700368Z",
	"deleted_at": null,
	"sha1_hash": "048a07e287d908779a2a52d214e13120e4722019",
	"title": "The Flusihoc Dynasty, A Long Standing DDoS Botnet",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1293618,
	"plain_text": "The Flusihoc Dynasty, A Long Standing DDoS Botnet\r\nBy ASERT team\r\nPublished: 2017-10-03 · Archived: 2026-04-06 01:13:38 UTC\r\nSince 2015, ASERT has observed and followed a DDoS botnet named Flusihoc. To date, very little has been published about this family, despite numerous anti-virus and intrusion detection signatures created by various vendors. Flusihoc has remained persistent with multiple variants, over 500 unique samples in our malware zoo, and continued development. Flusihoc is a versatile C++ malware capable of a variety of DDoS attacks as directed by a Command and Control server. We have decided to take a look at this malware family due to a recent uptick in observed activity. This post will discuss this family, its features and observed activity over the years.\r\nPossible Chinese Origin\r\nThe geolocation of the identified C2 addresses and static attributes of the malware suggest that Flusihoc may be of Chinese origin. Looking at Flusihoc samples, we find debug strings such as:\r\nC:\\Users\\chengzhen\\Desktop\\svchost\\Release\\svchost.pdb\r\nbearing the word Chengzhen, which translates from Chinese to the phrase “to become true” in English. Additionally, other samples contained debug strings and values which included Chinese characters. Looking at the PE resources of samples, we find that a large portion of samples have Chinese_Simplified language resources. It is important to note that these points could be part of the attacker’s intentional effort to mislead researchers.\r\nCommand and Control (C2) Communications\r\nFlusihoc communicates with its C2 via HTTP in plain text. An example C2 communication looks like:\r\nhttps://www.arbornetworks.com/blog/asert/the-flusihoc-dynasty-a-long-standing-ddos-botnet/\r\nPage 1 of 7\n\nThe C2 uses a command structure based on numbers; the bot will receive a number and respond appropriately based on the command associated with that number value. 
The communication strings are separated by \"|\" characters and terminated with the string \"end\". ASERT identified the following numbered commands:\r\n1 - Requests the bot to send infected system information; this command will prompt the bot to return information such as operating system name, CPU details, RAM size and network speed.\r\n22 - Tells the bot to check for attack payloads and send a \"null\" to the C2 if it has not previously received a payload. If the bot responds with a \"null\", the C2 will send a blob of text which the bot will parse out and use for its attack payloads. If the bot already has an attack payload, it will send an \"end\" to the C2.\r\n333 - Gets attack status and will prompt the bot to send a \"Busy\" or \"Idle\" message based on whether it is actively attacking a target.\r\n4444 - Commands the bot to stop the current attack.\r\nAdditionally, the C2 will send a command in this format to initiate an attack:\r\n\u003cattack command #\u003e|\u003ctarget\u003e|\u003cport\u003e|\u003c# of threads\u003e|\u003curi\u003e|\u003cattack type\u003e\\n…end\r\nDDoS Attack Types\r\nFlusihoc is capable of 9 types of DDoS attacks:\r\nSYN_Flood (1)\r\nUDP_Flood (2)\r\nICMP_Flood (3)\r\nTCP_Flood (4)\r\nHTTP_Flood (5)\r\nDNS_Flood (6)\r\nCON_Flood (7)\r\nCC_Flood (8)\r\nCC_Flood2 (9)\r\nThese attack types are sent by the C2 in string format for the bot to parse and issue attacks based on. The mechanisms used to conduct these attacks vary by attack type and variant, primarily utilizing Winsock2 from the Windows SDK.\r\nObserved Improvements and Changes\r\nRemoved then Re-Added Persistence\r\nEarly variants of Flusihoc, such as this sample available on VirusTotal, used a persistence registry entry in 'Software\\Microsoft\\Windows\\CurrentVersion\\Run'. 
However, this persistence mechanism is not present in a large portion of later samples. This may be to evade detection; however, it also makes it harder for the bot to restart after a system reboot. In newer samples, we see the Flusihoc authors bring back this persistence mechanism, presumably due to the difficulties maintaining persistence after the Run entry was removed.\r\nEncrypted C2 Address\r\nFlusihoc also transitioned from a plaintext C2 to an RC4-encrypted C2 address in later variants. In a sample with a March 2017 compilation date, available on VirusTotal, we can see the C2 address in plaintext:\r\nHowever, we see an encrypted C2 in a newer sample on VirusTotal with a compilation date in April 2017. In this sample, the C2 looks similar to the March 2017 variant; however, instead of a plain text C2, we have an encrypted C2:\r\nThe bot then calls a function that employs standard RC4 encryption to decrypt the C2 value with a key. In the case of this sample, the RC4 key was \"crealloc\", which we found within the byte ptr of the RC4 decryption function seen below:\r\nThe RC4 function is standard, and when given the above encrypted C2 value and the key you will get the C2 address of: Main[.]dresou[.]net\r\nDownload and Execute Functionality\r\nIn the same sample from April 2017, we found new functionality where the bot will download and execute a file using the Windows API functions URLDownloadToFileA, WinExec and ShellExecuteA. 
If the file name ends with \"exe\", it will download the file from the provided URL and execute it.\r\nIf the file name does not end with \"exe\", it will run it with ShellExecuteA using the \"open\" operation.\r\nThis feature allows the botnet controller to update the Flusihoc malware or download additional malicious files remotely.\r\nCampaign Activity\r\nC2s Discovered\r\nUsing our botnet infiltration system, ASERT has tracked 154 different C2s associated with Flusihoc issuing 24,137 attack commands since July 2015. 48 C2s are still active as of Sept. 2017. Below are the C2s generating the most attack commands:\r\nwm[.]sshtdk[.]com\r\n1211[.]sshtdk[.]com\r\n121[.]sshtdk[.]com\r\npp[.]sshtdk[.]com\r\nqq[.]sshtdk[.]com\r\nThe majority of C2s observed geo-locate to China, with most of the attack commands directed towards target URLs within China. A cursory review of the target URLs does not reveal any obvious correlation between targets, suggesting this family is likely part of a financially motivated booter service in China.\r\nObserved DDoS Activity\r\nArbor ATLAS infrastructure collects anonymized DDoS attack data from nearly 400 globally distributed service providers running the Arbor SP/TMS Platform. Leveraging ATLAS, we are able to measure a portion of the botnet's attacks. Since July 2017, we can correlate observed Flusihoc attack commands with 909 subsequent DDoS events reported into ATLAS. The peak attack size was 45.08 Gbps, seen on July 6th, 2017. A majority of the DDoS attacks involve TCP SYN over port 80, 1-1023 and 443. 
These events have an average attack size of 603.24 Mbps, usually launching around 14 different attacks per day.\r\nConclusion\r\nFlusihoc is likely a Chinese DDoS botnet which primarily focuses on targets in China. Analysis suggests this botnet is part of a regional DDoS service based on the variance of targets. This malware family has been around since at least 2015 and has been associated with over 154 C2s. Flusihoc, although not the largest DDoS botnet, would still be capable of causing problems given the fragility and brittleness of so many sites, servers, services, and applications. These DDoS attacks can be mitigated by Arbor solutions like Arbor SP/TMS.\r\nIndicators\r\nSamples:\r\n41f1c2b942fb8c78d9d3b9e339480970ead06241\r\n2ff3eab0892325b936beee70d8625c4e8d50d7c0\r\n6a1863abded29f1151db7f1eebe33298adbcb793\r\nC2s:\r\nMain[.]dresou[.]net\r\nwm[.]sshtdk[.]com\r\n1211[.]sshtdk[.]com\r\n121[.]sshtdk[.]com\r\npp[.]sshtdk[.]com\r\nqq[.]sshtdk[.]com\r\nYara Rule:\r\n(GitHub URL removed)\r\nSource: https://www.arbornetworks.com/blog/asert/the-flusihoc-dynasty-a-long-standing-ddos-botnet/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.arbornetworks.com/blog/asert/the-flusihoc-dynasty-a-long-standing-ddos-botnet/"
	],
	"report_names": [
		"the-flusihoc-dynasty-a-long-standing-ddos-botnet"
	],
	"threat_actors": [],
	"ts_created_at": 1775439073,
	"ts_updated_at": 1775826721,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/048a07e287d908779a2a52d214e13120e4722019.pdf",
		"text": "https://archive.orkl.eu/048a07e287d908779a2a52d214e13120e4722019.txt",
		"img": "https://archive.orkl.eu/048a07e287d908779a2a52d214e13120e4722019.jpg"
	}
}