VB2021 paper: The Keksec botnets we observed in the past year


THE KEKSEC BOTNETS WE OBSERVED IN THE 
PAST YEAR
Ye Jin & Lingming Tu
Qihoo 360, China

jinye@360.cn
tulingming@360.cn

7 - 8 October, 2021 / vblocalhost.com

www.virusbulletin.com



THE KEKSEC BOTNETS WE OBSERVED IN THE PAST YEAR  JIN & TU

2 VIRUS BULLETIN CONFERENCE OCTOBER 2021

ABSTRACT
The Keksec group was created in 2016 by a number of experienced botnet actors. They kept silent for a period of time in 
2020, and resumed activity after August 2020 with nearly 20 botnet campaigns detected by us. In this paper we will study 
those campaigns in detail in terms of samples, exploits and C2 servers. Our analysis depicts the big picture of Keksec 
botnets since August 2020 and we believe that it will help defenders to better detect and mitigate against future botnet 
threats from Keksec and other similar groups.

1. INTRODUCTION
We have seen a rapid proliferation of Linux malware/botnets in recent years. While it’s not uncommon to find that many of 
them were created by script kiddies using easily obtained malware kits (e.g. Mirai and Gafgyt source code), according to 
our data over 50% of them were created by a relatively small number of professional actors who have persistence in 
operating Linux botnets. Compared with script kiddies, they usually have more resources and are more skilful, and are thus 
worthy of more attention.

The Keksec group is just one such threat actor. It became well known for building the Necro/Freakout botnet early this 
year. Further digging shows that it has a long history of running DDoS botnets, with the first one traced back to 2016. 
Interestingly, the members of the Keksec group were very open in showing off their attacking activities. For example, they 
used to publicize their invasions to a public billboard on social media. They also created an open directory in pastebin.com 
to hold their source and attack tools. The ease of accessing this information has helped us summarize the high profile group 
as follows:

• Keksec group was built in 2016 by a few experienced botnet actors. 

• They preferred DDoS and miner types of botnets.

• They had a rich set of popular botnet kits targeting both Windows and Linux machines.

For reasons unknown to us, the group kept silent for a period in 2020. Our data shows that their hacking activities were not 
resumed until August 2020. We detected nearly 20 botnet campaigns after that time. Detailed studies have been carried out 
on the collected data in terms of samples, exploits, and C2 servers. With the help of passive DNS, we obtained interesting 
results, which make us believe that it is possible to depict the big picture of Keksec botnets since August 2020. 

The remainder of this paper is organized as follows: in Section 2, we summarize the nearly 20 campaigns we detected since 
2020/08; in Sections 3, 4, and 5, we analyse those campaigns separately in terms of exploits, malware families and operations.

To summarize, the contributions of this paper are as follows:

• We analyse how the Keksec group exploited a large number of vulnerabilities to attack both Linux and Windows 
machines, especially how they quickly used some 1-day exploits.

• We summarize the three major botnet families that have been heavily used by Keksec. 

• We demonstrate their techniques in terms of code reuse, IRC protocol, DGA and Tor.

• We deduce the sample delivering and updating patterns.

• Plenty of C2 infrastructure was owned by this group. 

The C2 infrastructures we found are given in the Appendix.

2. CAMPAIGNS
We analysed the historical activities of Keksec by combing the attack activities from 2020/08 to the present, starting with 
samples and exploits.

First, we summarized the corresponding YARA rules by analysing the historical samples, and scanned back through the 
sample database to find the hit samples. Then we grouped them by sample similarity clustering and, using manual 
inspection, removed the false positive samples that clearly did not belong to Keksec, leaving about 5,000. We use this as a 
seed to expand the sample set through our own threat intelligence mining system, correlating queries on capture time, 
exploit, and some other relevant attributes. In the past year we captured a total of 23 exploits, 5,564 samples, and three 
malware families (ignoring variant classification).

We use these data as a basis to comb through Keksec’s historical attack activity. We generated a chart showing chronicled 
Keksec attacks (Figure 1).

We can see that Keksec launched scans and attacks on targets across the network almost non-stop. Our honeypots see new 
variants and exploits all the time, with the exception of some occasional breaks. When a new exploit is introduced, the 
scans increase significantly.

The year-long attack campaign can be divided into two phases; high-frequency attacks are maintained until December 
2020, and resumed in January 2021, when Keksec starts spreading the brand new malware family Necro [1].



THE KEKSEC BOTNETS WE OBSERVED IN THE PAST YEAR  JIN & TU

3VIRUS BULLETIN CONFERENCE OCTOBER 2021

3. EXPLOITS
Keksec launches two types of scanning attacks, one using a dedicated scanning server, and the other using the sample’s 
built-in scanning capabilities. We do not distinguish between these two scanning methods, and only focus on the scan 
payload information for statistics.

We counted the new exploits and the corresponding propagated families in chronological order.

First seen Exploit (CVE) Exposure time Target device / software Family

1 2020.8.26 Realtek Tsunami

2 2020.9.3 Realtek Gafgyt

3 2020.9.20 Huawei_Router Gafgyt

4 2020.9.25 Avtech_Camera_RCE Gafgyt

5 2020.10.21 ThinkPHP_RCE Gafgyt

6 2020.11.2 JAWS_DVR_RCE Gafgyt

7 2020.11.11 ZTE_Router_RCE Gafgyt

8 2020.11.19 yarn_api Gafgyt

9 2020.11.19 Avtech_IP_Camera_ACI Gafgyt

10 2020.11.24 Zyxel_VIEWLOG_RCE Gafgyt

11 2020.11.26 ZeroShell_Kerbynet_RCE Gafgyt

12 2021.1.8 CVE-2020-7961 2020.7 Liferay Portal Necro

13 2021.1.8 CVE-2020-35665 2020.12.23 TerraMaster Necro

14 2021.1.8 CVE-2021-3007 2021.1.3 Zend Framework Necro

15 2021.3.10 WebLogic RCE Necro

16 2021.3.20 CVE-2021-21972 2021.2.27 VMware_vCenterServer Necro

17 2021.3.23 SonicWALL_XMLRPC_settimeconfig_RCE Gafgyt

18 2021.4.26 F5_iControl_mgmt_RCE Gafgyt

19 2021.5.1 VestaCP Necro

20 2021.5.1 SCO Openserver Necro

21 2021.5.1 Genexis PLATINUM Necro

22 2021.5.1 OTRS 6.0.1 Necro

23 2021.5.1 Unknown (Nrdh.php) Necro

Table 1: Exploit stats.

Comparing the point in time when the new exploit was added and the POC exposure time we can see that Keksec’s 
utilization of 1-days is very fast. Especially after the start of Necro propagation, the attack activity can often be seen within 
two to three days of POC exposure.

4. MALWARE FAMILIES
Keksec developed several families of malicious programs across Window and Linux systems, involving PC, server, multiple 
IoT platforms, and created a complicated botnet platform, here are some breakdowns:

Figure 1: Chronicled Keksec attacks.



THE KEKSEC BOTNETS WE OBSERVED IN THE PAST YEAR  JIN & TU

4 VIRUS BULLETIN CONFERENCE OCTOBER 2021

• Linux-based: Tsunami (Capsaicion, Ziggy), Gafgyt (LULzbOT, Oreo, Gafgyt_tor)

• Windows-based: DarkIRC (AutoIt packed) [2], DarkHTTP (AutoIt packed)

• Developed in Python to target dual systems: Necro

• From open-sourced projects: Rootkit, Miner, JS Bot

Keksec actively maintains three main families, Gafgyt, Tsunami and Necro, with new features constantly being added. 
While Necro’s framework is developed by Keksec itself, the threat group inherits the other two families from open-
source code. Our analysis shows that Keksec has extraordinarily strong code management capabilities, using open-
source or leaked code to develop different variants extensively, which leads to variant chaos. For example, Freak, a key 
member of Keksec, developed and open-sourced two Tsunami (a.k.a. Kaiten, a long established IRC botnet family) 
variants of Capsaicion [3] and Ziggy Redo. However, we found some Tsunami samples that mix codes of both 
Capsaicion and Ziggy.

Figure 2: Tsunami variant of Capsaicion.

 

Figure 3: Tsunami variant of Ziggy Redo.

The same sort of chaos also exists in Gafgyt variants including LulZBoT, Oreo, bigB04t and Simps. Some variants even 
reuse Tsunami code. As for Necro, the purely Python developed family not only reuses the IRC protocol for C2 
communication, but also borrows many key features from open-source projects. Due to that complication, we do not follow 
the naming of Keksec to classify the variants, but break down their samples into the three main families of Gafgyt, Tsunami 
and Necro to summarize and analyse the technical points and design ideas they share.

Scanners

The scanners used by Keksec are mainly telnet and SSH weak password scan and exploit scan.

Telnet scan

The telnet weak password scan of the open-source version of Tsunami uses a function called BurnTheJews, as shown in 
Figure 4.

In the captured sample we found that Keksec uses a function called ak47telscan, shown in Figure 5. The two sets of code 
algorithms are almost identical, only the standard output section has any difference.

The sample first detects if the device supports raw sockets, and if it does, it uses Mirai’s telnet scan code, scanner_init. It if 
doesn’t support raw sockets, ak47telscan will be used.

In fact, the ak47telscan function is also from publicly available source, not created by Keksec. The relevant code is shown 
in Figure 6.



THE KEKSEC BOTNETS WE OBSERVED IN THE PAST YEAR  JIN & TU

5VIRUS BULLETIN CONFERENCE OCTOBER 2021

Figure 4: Telnet scan function of BurnTheJews().

Figure 5: Keksec’s scan function of ak47telscan().



THE KEKSEC BOTNETS WE OBSERVED IN THE PAST YEAR  JIN & TU

6 VIRUS BULLETIN CONFERENCE OCTOBER 2021

Figure 6: The publicly available ak47 scan function.

SSH scan

The SSH weak password scan is done by the Necro botnet. Necro first tries to install the paramiko library on the device, 
and if it succeeds, it adds port 22 to the list of scanned ports, and if it fails to install the library, it just gives up the 22 scan.

Figure 7: Necro code for installing paramiko.

After receiving the scan command, the built-in weak password brute force starts, as shown in Figure 8. 

SSH weak passwords are constantly updated by version upgrades, and new weak passwords are added to replace some of 
the less effective ones.



THE KEKSEC BOTNETS WE OBSERVED IN THE PAST YEAR  JIN & TU

7VIRUS BULLETIN CONFERENCE OCTOBER 2021

Exploit scan

All samples contain an exploit scan. In Tsunami and Gafgyt, the exploit scan is placed in ak47scan. There is scanning code 
for Huawei and Realtek devices. According to our observation and analysis, Keksec does not have 0-day discovery 
capabilities, so most of the POC codes are publicly available. If the POC is implemented in C, it can be integrated into 
Tsunami and Gafgyt with simple modifications, and if the POC code is implemented in Python, it can be integrated into the 
Necro family. In some individual variants the number of exploits implemented can go up to dozens. 

The three more popular exploits integrated by Necro can be seen in Figures 9–11, and the original POCs for these codes 
can be found online.

1. TerraMaster RCE: CVE-2020-28188

Figure 8: Necro SSH weak password scan code.



THE KEKSEC BOTNETS WE OBSERVED IN THE PAST YEAR  JIN & TU

8 VIRUS BULLETIN CONFERENCE OCTOBER 2021

2. VMware vCenter Server RCE: CVE-2021-21972

3. WebLogic RCE: CVE-2020-14882

Figure 9: Necro TerraMaster RCE scan code.

Figure 10: Necro VMware vCenter Server RCE scan code.

Figure 11: Necro WebLogic RCE scan code.

Sniffer

Packet sniffing is one of the more favoured features of Keksec, and the code can be seen in all three families. The basic 
function is to capture TCP traffic after filtering out some specified ports and IPs, and to send the remaining data to the C2.

Figure 12 shows the sniffer code used in Tsunami and Gafgyt. You can see that the same set of code is used.

Figure 12: Gafgyt sniffer code.



THE KEKSEC BOTNETS WE OBSERVED IN THE PAST YEAR  JIN & TU

9VIRUS BULLETIN CONFERENCE OCTOBER 2021

Figure 13 shows the sniffer code used by Necro. The code for this function can also be found on GitHub with similar open 
source code. 

Figure 13: Necro sniffer code.

We can see that the data is reported on the same port 1337, and since Necro also uses the IRC protocol, we can see that 
Necro may share the same C2 as Tsunami. Although we did not analyse DarkIRC in depth, it is easy to see that Keksec 
wants to build a botnet management platform based on the IRC protocol that can infect all architectures and operating 
systems and can act as a unified management platform for botnet management.

Disguising processes

Change process name

A very traditional technique on Linux systems is to use random strings to override argv parameters and prctl(PR_SET_
NAME,buf) to change the process name and start parameters in order to disguise the process.

Figure 14: Code using prctl() to change the process name.



THE KEKSEC BOTNETS WE OBSERVED IN THE PAST YEAR  JIN & TU

10 VIRUS BULLETIN CONFERENCE OCTOBER 2021

Use of rootkit to hide process

The open-source project r77 rootkit is used directly on Windows systems. It is a ring3 layer rootkit that intercepts and filters 
information about the target process by globally hooking some functions of ntdll.dll.

Figure 15: r77 rootkit code to hook system APIs.

Necro first downloads the corresponding version of the rootkit file, which is dynamically loaded and run directly in 
memory by process injection.

Figure 16: Necro code to download r77 rootkit.

Process injection

Necro uses process injection to load the rootkit by wrapping the dll file into a shellcode and then injecting the whole 
shellcode into the process memory; the loading of the rootkit is done by the shellcode, which comes from an open-source 
project on GitHub named RDI.

Figure 17: Necro code for injecting code into other process.



THE KEKSEC BOTNETS WE OBSERVED IN THE PAST YEAR  JIN & TU

11VIRUS BULLETIN CONFERENCE OCTOBER 2021

DGA

In its historical versions Necro used DGA to evade C2 interception. The relevant algorithm is described below.

Random

The first algorithm is a purely random one that picks 16 characters at random from a custom alphabet to generate a C2 
domain name with the top-level domain ‘xyz’. Because the seed of the random algorithm is fixed 0-3, the random number 
generated has a stable result.

Figure 18: Necro random DGA algorithm.

DDNS + random

The second algorithm is based on the DDNS service, and the random algorithm picks 10 to 19 characters randomly from a 
custom alphabet. This method is cheaper and more flexible.

Figure 19: Necro DDNS + random DGA algorithm.

Tor

We found Tor proxy being used to communicate with the C2 in both Gafgyt and Necro.

Gafgyt

In Gafgyt Tor proxy is used to talk to the C2 through a built-in proxy list. Up to 173 proxy IPs can be used for a single 
sample. Figure 20 shows Gafgyt’s Tor initialization code.

A communication is established by randomly selecting one from the list of candidate proxies and if successful, a 
connection to the onion C2 will follow. Figure 21 shows the connecting code and Figure 22 shows captured Gafgyt onion 
communication data.



THE KEKSEC BOTNETS WE OBSERVED IN THE PAST YEAR  JIN & TU

12 VIRUS BULLETIN CONFERENCE OCTOBER 2021

Figure 20: Gafgyt Tor initialization code.

Figure 21: Gafgyt Tor connecting code.

Figure 22: The captured Gafgyt onion communication data.

Necro

Necro also uses Tor proxy to reach an onion C2, and IRC protocol is used for the C2 communication. Figure 23 shows the 
code Necro uses to contact the C2 with Tor.

Figure 23: Necro code to contact C2 with Tor.



THE KEKSEC BOTNETS WE OBSERVED IN THE PAST YEAR  JIN & TU

13VIRUS BULLETIN CONFERENCE OCTOBER 2021

Obfuscation and packer

UPX

Most of the Gafgyt and Tsunami samples we captured were not packed and had no stripped symbolic information, while a 
few of the packed samples used the standard UPX shell, which can be removed directly using open-source tools. The 
unpacked samples were also not stripped.

String encoding

Gafgyt and Tsunami samples encrypt sensitive strings (such as C2 addresses) with a simple mapping algorithm, and 
encrypt them with the decode function when using strings.

Figure 24: Gafgyt C2 decryption.

This algorithm is also not developed by Keksec, it is used by a Tsunami variant called ziggystartux. In the early variants of 
Keksec this code table was identical to the one in the original ziggystartux code.

Figure 25: Ziggystartux’s cipher code table.

After several iterations this code table was changed to "'%q*KC)&F98fsr2to4b3yi_:wB>z=;k? 
"EAZ7.D-md<ex5U~h,j|$v6c1ga+p@un0'".

Necro also cryptographically protects the string by first performing character substitution and then doing zip compression. 
The relevant algorithms are shown in Figure 26.

Figure 26: Necro string encryption code.

Polymorphic engine

Necro uses a Python source code obfuscation technique exposed in 2015, referred to by Keksec as ‘polymorph engine’, and 
this algorithm is updated and improved during Necro upgrades. So far we have observed two versions of polymorphic 
morphing.

The old version uses a random string to replace a predefined list of key object names, as shown in Figure 27.

The new version, shown in Figure 28, uses Python’s own AST library to dynamically traverse and replace the global objects 
with random strings. As we can see, there is no need to manually filter the object names, and the strings can automatically 
be traversed and encrypted.



THE KEKSEC BOTNETS WE OBSERVED IN THE PAST YEAR  JIN & TU

14 VIRUS BULLETIN CONFERENCE OCTOBER 2021

Figure 27: Necro’s old polymorphism code.

Figure 28: Necro’s new polymorphism code based on AST.

C2 protocol

Keksec’s malware mainly uses Gafgyt and IRC protocols to send commands.

Gafgyt

This protocol is mainly used by the Gafgyt variant. Interestingly, the commands in the sample are encrypted using the 
encode function. After receiving the instructions, the local instructions need to be decrypted and then parsed. Gafgyt’s 
encrypted and decrypted commands are shown in Figure 29.



THE KEKSEC BOTNETS WE OBSERVED IN THE PAST YEAR  JIN & TU

15VIRUS BULLETIN CONFERENCE OCTOBER 2021

Figure 29: Gafgyt encrypted and decrypted commands.

IRC

The IRC protocol is the most widely used protocol in Keksec, and is supported by the Tsunami, Necro and DarkIRC 
families. This means that only one C2 system needs to be developed and maintained to control all families.

Spread

Exploit

Keksec attacks the target device mainly through exploits, so the network-wide vulnerability scan is its main means of 
spreading malicious samples, while the worm-like propagation through the infected device is also an important function of 
the malware. In addition to this, there are some horizontal propagation methods.

Infect page

We found that Necro can infect web files (.js, .html, .htm, .php) on the target device. 

Figure 30: Necro code for infecting web files.

After receiving the infection command, it inserts a JS code, hxxp[:]//ublock-referer.dev/campaign.js, into the 
file. Campaign.js is a highly obfuscated code which, after decoding, is a JavaScript-based trojan (Cloud9).



THE KEKSEC BOTNETS WE OBSERVED IN THE PAST YEAR  JIN & TU

16 VIRUS BULLETIN CONFERENCE OCTOBER 2021

Figure 31: Necro code for injecting JavaScript code into web files.

SMB scan

Necro added the SMB scan code in one of its versions to achieve the function of horizontal propagation in the intranet.

Figure 32: Necro SMB scan code.

Perhaps the actual effect was not satisfactory, as this feature was removed in subsequent versions. This code can also be 
found on GitHub [4].

Figure 33: The publicly available SMB scan code.



THE KEKSEC BOTNETS WE OBSERVED IN THE PAST YEAR  JIN & TU

17VIRUS BULLETIN CONFERENCE OCTOBER 2021

Others

Keksec not only enriches it functionality with a lot of references to third-party code, but also delivers the complete 
open-source project directly to the target device to complete the corresponding functionality.

JS Bot

Necro’s goal in infecting web files is to spread JS Bot (Cloud9). The bot is loaded when the user accesses an infected page 
through a browser. The bot is very feature-rich, recording keyboard information, stealing forms, clipboards, cookies and 
other data, faking web access behaviour, and launching HTTP DDoS attacks through the browser.

We discovered a fake Firefox plug-in on the download server, and found through reverse engineering that this plug-in is 
also injecting Cloud9 [5] malicious code into the browser. It is not clear through what channel this plug-in is propagated.

Figure 34: Fake Firefox plug-in install page.

Miner

Keksec also contains the popular mining function, which is not deeply integrated in the bot but directly implemented by 
releasing a third-party miner program.

Figure 35: Necro XMR wallet.

Most of the samples are after Monroe coins; occasionally we see some other coins, such as XTZ coins.

Figure 36: Necro XTZ wallet.

Checking the relevant wallet addresses we found that the returns are not ideal.

Through the above technical analysis points we can summarize the characteristics of the relevant families into the following 
table.

Feature\FN Necro Tsunami Gafgyt

IRC * *

Tor * *

String encode * * *

Polymorphic *

UPX * *

Not stripped * *

DGA *

DGA+DDNS *

Sniffer * * *

Ak47Scan * *

Telnet scan * *

SSH scan *

Exploit scan * * *

SMB scan *

Table 2: Feature comparisons across families.



THE KEKSEC BOTNETS WE OBSERVED IN THE PAST YEAR  JIN & TU

18 VIRUS BULLETIN CONFERENCE OCTOBER 2021

We can see that Necro has the most comprehensive functions and features, but Keksec is still maintaining and developing 
Tsunami and Gafgyt. We suspect that Necro relies on the Python runtime environment and some low-power devices do not 
support Python. In order to cover more platforms, the botmaster has to operate multiple families of botnet at the same time.

5. OPERATIONS

Delivery

We counted the number of new samples captured by day starting from August 2020. 

Figure 37: Stats on delivered x86 and x64 samples.

We can see a significant increase in the number of samples over the last year. This is not simply a repetitive propagation of 
the same samples, as the code is adjusted almost on a daily basis – sometimes several upgraded samples can be captured in 
one day. This indicates that the Keksec group has sufficient manpower and resources and is becoming increasingly active.

Infrastructure

We collected the x86 and x64 samples of the Tsunami and Gafgyt families, extracted the C2 information, and looked at the 
history of their C2 activity.

Figure 38: Stats on Keksec C2 activity.

By correlating the domain name resolution records of C2 IP addresses in 2020 through PDNS, we can get two key domain 
names, gxbrowser.net and cnc.c25e6559668942.xyz, as shown in Figure 39. Most of the IPs have resolution association 
with these two domain names. From 2021 onwards Keksec drops the use of these two domains in favour of the Tor network 
and DGA domains.



THE KEKSEC BOTNETS WE OBSERVED IN THE PAST YEAR  JIN & TU

19VIRUS BULLETIN CONFERENCE OCTOBER 2021

Figure 39: Mapping of key C2 domains and IPs.

Using the above graphical information, we find a clear pattern of activity:

1. Each C2 IP survival cycle varies from one month to three months.

2. The preference is to use IP resources in the same network segment within the same cycle.

3. The deployment of C2s used domain names and IPs until March 2021, then shifted to using Tor proxies from March
onwards.

4. After Tor is introduced, the onion C2 domains get updated at high frequency, for example, 10 onion domains were
used in March alone.



THE KEKSEC BOTNETS WE OBSERVED IN THE PAST YEAR  JIN & TU

20 VIRUS BULLETIN CONFERENCE OCTOBER 2021

Family reuse statistic

We also found some patterns when tracking the delivery of the samples.

1. The Tsunami sample appeared in mid-August 2020 and was active for a short period of time.

2. The Gafgyt sample was active intermittently from September to December 2020.

3. A malicious family named Necro suddenly appeared in January 2021.

4. From early to mid-February 2021, first the Tsunami sample resumed propagation, then Gafgyt, followed by 
Gafgyt_tor.

5. There are many similarities between the Gafgyt_tor variant and the previously captured Gafgyt sample, with code 
that is clearly homologous.

Each family is constantly switching between development and propagation cycles. In the development cycle a large range 
of improvements are made to the samples. This ‘change-as-you-distribute’ approach is used to continuously improve botnet 
functionality, resulting in a large number of different samples being distributed in a short period of time.

Figure 40: Fam ily reuse history.

6. CONCLUSIONS
Keksec is trying to make profit from DDoS, mining, stealing user information and selling malware. Through long-term 
tracking we can see that DDoS attack activity is the most prominent, which is probably its biggest source of revenue. 
However, Keksec has not given up on other means and has kept expanding into new directions. It seems to be a highly 
organized, productive and aggressive group. Although it has no 0-day discovery capabilities, its strong code integration and 
bot operations make it a serious hacking group. We will continue to keep an eye on it. 

REFERENCES

[1]  https://blog.netlab.360.com/not-really-new-pyhton-ddos-bot-n3cr0m0rph-necromorph/.

[2]  https://pastebin.com/XUBLGuFT.

[3]  https://pastebin.com/HMD7z6FR.

[4]  https://github.com/adithyan-ak/MS17-010-Manual-Exploit/
blob/9b7b0ea5434bca066612f8fc84112a1b84a9507a/42315.py.

[5] https://github.com/Antonio24/Cloud9/blob/master/.

APPENDIX: KEKSEC C2s
107.174.133.119

107.175.31.130

143.198.120.58

185.10.68.175

192.210.163.201

193.239.147.211

193.239.147.224

198.144.190.116

198.144.190.5

23.94.190.101

45.145.185.221

https://blog.netlab.360.com/not-really-new-pyhton-ddos-bot-n3cr0m0rph-necromorph/
https://pastebin.com/XUBLGuFT
https://pastebin.com/HMD7z6FR
https://github.com/adithyan-ak/MS17-010-Manual-Exploit/blob/9b7b0ea5434bca066612f8fc84112a1b84a9507a/42315.py
https://github.com/Antonio24/Cloud9/blob/master/


THE KEKSEC BOTNETS WE OBSERVED IN THE PAST YEAR  JIN & TU

21VIRUS BULLETIN CONFERENCE OCTOBER 2021

45.145.185.229

45.145.185.83

45.153.203.124

5.253.84.197

55pnros74tawlmqn.onion

70.66.139.68

83.97.20.90

84.16.79.130

b4bzpyrhc65airpg.onion

cjoy2cks2bhtyibj.onion

dimumdjenyy4jwlc.onion

faw623ska5evipvarobhpzu4ntoru5v6ia5444krr6deerdnvpa3p7ad.onion

fpv4a2q6wqxx7jdh.onion

fxiiouorymolxsqcjltq2mqaz3il5uqs3ynlabh5onfw3irbqltot6ad.onion

ks5wtmd7bbuybajg.onion

tzfue66fa5khu44z.onion

wvp3te7pkfczmnnl.onion