{
	"id": "cf760d71-45f1-4e8c-bf73-932a8ad8367d",
	"created_at": "2026-04-06T00:12:03.316385Z",
	"updated_at": "2026-04-10T03:20:26.30713Z",
	"deleted_at": null,
	"sha1_hash": "08053f420a1b2a1c391deaa23d4c6238ac23b1b4",
	"title": "Lethic: M86 Security",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 482639,
	"plain_text": "Lethic: M86 Security\r\nArchived: 2026-04-02 11:59:16 UTC\r\nJanuary 7, 2010\r\nAliases\r\nNo obvious aliases; most samples we analyzed had varied generic detection names.\r\nComments\r\nAlthough only recently uncovered, the Lethic spambot (or its predecessors) has probably been in existence for some\r\ntime. For over 2 years, we have observed a type of spam from an unknown botnet which we simply called \"Type\r\n11\". Recently, the malware behind this spam was discovered by the Arbor Security Engineering and Response Team.\r\nLethic is a proxy-type spambot which relays spam from a control server to its destination. It is focused on sending\r\npharmaceutical and replica watch spam campaigns. As of this writing, Lethic was responsible for about 8-10% of\r\nspam.\r\nFeatures\r\nActs as a proxy to relay spam\r\nProcess injection into Explorer.exe\r\nFast, multi-threaded\r\nAnti-debugging and anti-VM detection\r\nSpamming Rate\r\nVaries depending on the relaying server, ranging from 12,000 msgs/hour/bot to peaks of 60,000\r\nmsgs/hour/bot.\r\nCommand and Control\r\nLethic is a proxy Trojan that allows a command and control server to use the infected system to relay spam. We\r\nhave observed that it connects to the following domains, many of which are hosted by FDCservers.net. 
\r\nhttps://web.archive.org/web/20101031045748/http://www.m86security.com/labs/spambotitem.asp?article=1205\r\nPage 1 of 11\n\nLethic seems to have a custom communication protocol. Once connected, the control server initiates the\r\nhandshaking and gives the bot an IP address and port to relay the data to.  It then uses the infected system as a\r\nproxy to relay spam messages to its target. The image below shows the handshaking and communication between\r\nthe command and control server and the infected machine.\r\nFigure 1.\r\nThe Lethic command and control server uses command codes to communicate to its bot. The packet header\r\nconsists of a thread number and command code followed by its corresponding parameter.\r\nHere is a list of the command and control server's command codes:\r\n0x01 - Tells the bot on what SMTP server IP address and port to connect. 
The command code is followed\r\nby the IP address, then the port number.\r\n0x03 - Send data to the bot. The command code is followed by the data length and the data.\r\n0x13 - Unknown command, usually followed by 0x01.\r\nHere is a list of the bot's command codes:\r\n0x21 - The bot acknowledges every command sent by the control server.\r\n0x03 - Send data to the control server. The command code is followed by the data length and the data.\r\n0x13 - Unknown command, usually followed by 0x01.\r\nHere is a short explanation of how the C\u0026C communication works, based on the packet capture in figure 1.\r\nHere are some typical sample spam messages that the Lethic Trojan was sending at the time of writing.\r\nMalware Behavior on Host\r\nDrops a copy of itself in the Windows System directory. 
Here are the malware paths from the various samples we\r\nexamined:\r\nC:\\WINDOWS\\system32\\xcllsx.exe\r\nC:\\WINDOWS\\system32\\ldfrmmd.exe\r\nC:\\WINDOWS\\system32\\ncmdds.exe\r\nC:\\WINDOWS\\system32\\lsprcxs.exe\r\nC:\\WINDOWS\\system32\\jdsuml.exe\r\nAutorun registry entries were created to execute the dropped files at Windows startup.\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\n\u003crandom value\u003e = \"C:\\WINDOWS\\system32\\ldfrmmd.exe\"\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\n\u003crandom value\u003e = \"C:\\WINDOWS\\system32\\jdsuml.exe\"\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\n\u003crandom value\u003e = \"C:\\WINDOWS\\system32\\lsprcxs.exe\"\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\n\u003crandom value\u003e = \"C:\\WINDOWS\\system32\\ncmdds.exe\"\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\n\u003crandom value\u003e = \"C:\\WINDOWS\\system32\\xcllsx.exe\"\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\r\nTaskman = \"C:\\WINDOWS\\system32\\jdsuml.exe\"\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\r\nTaskman = \"C:\\WINDOWS\\system32\\ldfrmmd.exe\"\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\r\nShell = \"explorer.exe,C:\\WINDOWS\\system32\\xcllsx.exe\"\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\r\nTaskman = \"C:\\WINDOWS\\system32\\xcllsx.exe\"\r\nLethic injects its code into Explorer.exe and creates a random-named mutex on the infected machine.\r\nOnce the malicious code is injected into Explorer.exe, the infected machine tries to contact the C\u0026C server using a\r\nhardcoded domain name on a predefined port. 
The infected machine then receives spamming data from the C\u0026C\r\nserver. The infected Explorer process spawns multiple threads that relay spam to a destination SMTP server.\r\nFinally, during our analysis, we also saw Lethic installed alongside other spambots such as Grum and Pushdo, all\r\nof which were distributed by Virut.\r\n© M86 Security Last Reviewed: January 6, 2010 by Rodel Mendrez\r\nSource: https://web.archive.org/web/20101031045748/http://www.m86security.com/labs/spambotitem.asp?article=1205",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://web.archive.org/web/20101031045748/http://www.m86security.com/labs/spambotitem.asp?article=1205"
	],
	"report_names": [
		"spambotitem.asp?article=1205"
	],
	"threat_actors": [],
	"ts_created_at": 1775434323,
	"ts_updated_at": 1775791226,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/08053f420a1b2a1c391deaa23d4c6238ac23b1b4.pdf",
		"text": "https://archive.orkl.eu/08053f420a1b2a1c391deaa23d4c6238ac23b1b4.txt",
		"img": "https://archive.orkl.eu/08053f420a1b2a1c391deaa23d4c6238ac23b1b4.jpg"
	}
}