{
	"id": "dfcc4806-7d4c-4d44-a06c-0c58d2762d8f",
	"created_at": "2026-04-06T01:32:29.924186Z",
	"updated_at": "2026-04-10T13:11:42.560183Z",
	"deleted_at": null,
	"sha1_hash": "179f755d5d2ee9222ae096accc1c2aac8b367d90",
	"title": "Threat Bulletin: Cutting-off the Command-and-Control Infrastructure of CollectorGoomba",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 422842,
	"plain_text": "Threat Bulletin: Cutting-off the Command-and-Control Infrastructure of CollectorGoomba\r\nBy VMRay Labs\r\nPublished: 2020-07-01 · Archived: 2026-04-06 01:15:05 UTC\r\nA Primer on Spyware-as-a-Service\r\nThe rise of spyware-as-a-service allows cyber-criminals to choose a specialty, whether improving the spyware, infecting users, or maximizing the profit derived from stolen information. The business model starts with an individual or team developing the initial spyware and standing up any infrastructure the malware relies upon. The development team can then sell its software to other, less tech-savvy cyber-criminals. Spyware-as-a-service (or, more generally, malware-as-a-service) is economic specialization and is becoming more common in the cyber-criminal community: the malicious counterpart of cloud software-as-a-service, but instead of accounting or timekeeping, something far more nefarious.\r\nOrganizations deploy network-based defenses to detect and prevent spyware communications, among them network logging and intrusion prevention systems (IPS). The rapid evolution of malware can make portions of these defenses less effective. By detonating malware in VMRay Analyzer, defenders can dissect new samples and learn how to modify their defenses to keep their network protected. In this blog post, we look at a spyware sample sold to criminal attackers. By analyzing the data dropped during execution of the sample, the VMRay Labs Team was able to identify the name the spyware calls itself, “COLLECTOR Project”, and find the forums where this spyware platform is being sold to criminals.\r\nView the VMRay Analyzer Report for CollectorGoomba\r\nFigure 1 shows an advertisement for the spyware posted on one of these forums; it has since been taken down by the forum moderators. 
The author describes the benefits of using his product for stealing information: it allows criminals to easily access the stolen information, and it promises periodic changes to the spyware in order to evade defenses (as a side-note, the history of file modifications on the command-and-control infrastructure suggests that these changes were closer to a month apart than the couple of weeks criminals were promised). The author also appears to claim that his team wrote this spyware-as-a-service strain.\r\nhttps://www.vmray.com/cyber-security-blog/cutting-off-command-and-control-infrastructure-collectorgoomba-threat-bulletin/\r\nPage 1 of 8\r\nData Stolen\r\nDuring execution, CollectorGoomba (referred to as Collector Project, and formerly Memory Project, on criminal forums) steals sensitive information from the infected computer. The spyware reads sensitive data from the user’s web browser, including cookies, personal information, and even login details (frequently stored by the browser’s autofill feature). Specifically, it targets the data files of Google Chrome, Firefox, and Internet Explorer.\r\nOther applications whose authentication details are targeted by this sample include:\r\nAuthy (2FA desktop app)\r\nFileZilla\r\nSteam\r\nDiscord\r\nPidgin\r\nFinally, the sample takes a screenshot of the victim’s desktop and adds all of the stolen information to a zip archive. The theft of login credentials means that an attacker will be able to log in as the infected user, potentially using that access to further infiltrate an organization’s network.\r\nLoss of personal information can be devastating for a user and an organization, as it potentially leads to identity theft, extortion, banking fraud, stalking, and many other disastrous consequences. 
As part of the spyware-as-a-service model, criminals commonly trade the personal details of victims, meaning that the attacker can sell the information to a criminal broker who specializes in exploiting stolen data.\r\nPassword Security Side-Note\r\nWeb browser autofill features are convenient for users, but they are also risky: the saved credentials are stored on the user’s computer in a form that any program running under that user’s account can decrypt, which is exactly what this spyware does. Many password managers can be installed as browser plugins and let users log in with similar ease. The benefit of a proper password manager is that it encrypts the stored credentials under a master password that is never written to disk. Unlike with a browser’s autofill store, even if spyware steals the vault file, the attacker cannot read it without that master password (the protection does not help, of course, if the vault is unlocked at the moment of the theft or the master password is captured by a keylogger).\r\nNetwork Traffic\r\nVMRay automates the monitoring of network traffic, and an in-depth network summary is available in the VMRay Analyzer Report (Figure 3.1). In addition, the complete packet capture can be downloaded (Figure 3.2) to be analyzed in full detail or fed to a network monitoring tool.\r\nCollectorGoomba uses high-level networking functions to retrieve a text file that contains the domain of the collection server. Once the target domain is acquired, the spyware attempts to upload the stolen data to the spyware-as-a-service collection server. The sample uses the API functions exported by Wininet.dll, a Windows library of high-level network communication functions. These functions are easy to use and make programming this sample much simpler for the developer. 
The first network traffic the spyware generates comes from the function InternetReadFile(), which attempts to read a text file hosted in a publicly available GitHub repository.\r\nThe generated network traffic first appears in the packet capture as a DNS query for raw.githubusercontent.com, a legitimate GitHub host that serves the raw contents of repository files. After receiving the IP address for this GitHub server, the infected computer reaches out and downloads the contents of the text file nyun.txt from raw[.]githubusercontent[.]com/fkarelli/fjusbftnf/nyun[.]txt (Figure 4). The received text file contains the domain of the spyware-as-a-service server to which the sample is instructed to upload the victim’s stolen information. (Using a legitimate web service to look up the real C2 address in this way is commonly called a dead-drop resolver.)\r\nAs can be seen in Figure 5, the program checks that it received a valid response. It confirms that InternetReadFile() did not return 0 (i.e., the call did not fail), and then checks that the number of bytes read is not 0, which would indicate that the text file was not received. If either check fails, the sample assumes it did not retrieve the domain from nyun.txt and falls back to a hard-coded domain for data exfiltration, which for this sample is u667503srd[.]ha004[.]t[.]justns. Note what is not checked: neither the HTTP status code nor the format of the returned text is validated, so any non-empty body is accepted as the domain.\r\nIf the request succeeds and more than 0 bytes are returned, the spyware assumes it received nyun.txt and uses the returned text as the target domain. 
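The resolution logic just described, modelled in Python as an added example (this is neither the malware’s code nor VMRay’s, and the function names are mine): it reproduces the two checks the sample makes, appends the “.ru” suffix the bulletin reports, and shows what the sample ends up with once the GitHub file is gone and the body it reads is GitHub’s “404: Not Found” page, the situation described in the take-down section below. Assumptions not stated in the bulletin: the suffix is appended in the fallback branch as well, the upload uses plain http, and trailing whitespace in the file is ignored.

```python
# Added example (not VMRay's or the malware author's code): a model of the
# CollectorGoomba dead-drop resolver logic described in the bulletin, used to
# show why removing the GitHub file broke exfiltration. Names are my own.
from dataclasses import dataclass

# Values quoted in the bulletin.
HARDCODED_C2 = 'u667503srd.ha004.t.justns'   # fallback compiled into the sample
DEAD_DROP_URL = 'https://raw.githubusercontent.com/fkarelli/fjrusbftnf/master/nyun.txt'
TLD_SUFFIX = '.ru'                           # appended by the sample to the file contents
UPLOAD_PATH = '/collect.php'

@dataclass
class ReadResult:
    # Models what InternetReadFile() hands back: the BOOL return value and
    # the bytes written into the caller's buffer.
    ok: bool
    data: bytes

def resolve_c2_host(result: ReadResult) -> str:
    # Mirrors the only two checks the sample makes: a non-zero return value
    # and a non-zero byte count. The body itself is never validated, which
    # is the weakness the takedown exploited.
    if not result.ok or len(result.data) == 0:
        # Assumption: the '.ru' suffix is appended in the fallback branch too.
        return HARDCODED_C2 + TLD_SUFFIX
    # Assumption: trailing newline/whitespace in the file is ignored.
    body = result.data.decode('utf-8', errors='replace').strip()
    return body + TLD_SUFFIX

def upload_url(host: str) -> str:
    # Assumption: plain http; the bulletin does not state the scheme.
    return 'http://' + host + UPLOAD_PATH

def is_valid_hostname(host: str) -> bool:
    # RFC 1123 style label check that a careful client (or a defender's IOC
    # normaliser) would apply before using a value as a hostname.
    if not host or len(host) > 253:
        return False
    for label in host.split('.'):
        if not label or len(label) > 63:
            return False
        if label[0] == '-' or label[-1] == '-':
            return False
        if not all(c.isalnum() or c == '-' for c in label):
            return False
    return True

def classify(result: ReadResult) -> str:
    # Summarise which branch the sample ends up in for a given response.
    host = resolve_c2_host(result)
    if not result.ok or len(result.data) == 0:
        return 'fallback:' + host
    if is_valid_hostname(host):
        return 'dead-drop:' + host
    return 'broken:' + host

if __name__ == '__main__':
    # Constructed responses covering the situations described in the bulletin.
    cases = {
        'live file': ReadResult(True, b'u667503srd.ha004.t.justns'),
        'updated file': ReadResult(True, b'u7320947p3.ha004.t.justns'),
        'read error': ReadResult(False, b''),
        'empty body': ReadResult(True, b''),
        'repo removed': ReadResult(True, b'404: Not Found'),
    }
    for name, res in cases.items():
        print(f'{name:13s} -> {classify(res)}  POST {upload_url(resolve_c2_host(res))}')
```

The last case is the one that matters for the takedown: GitHub answers with a 200-byte-ish error page rather than an empty body, so the byte-count check passes, the hard-coded fallback is never used, and the sample builds a hostname with a space in it, which is why the upload fails rather than silently going to the backup server.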
In the case of this execution, the contents of the received text file, “u667503srd[.]ha004[.]t[.]justns”, are combined with the top-level domain “[.]ru” to construct the fully qualified domain name u667503srd[.]ha004[.]t[.]justns[.]ru. Shortly after the sample was run, the developer of this spyware-as-a-service platform updated the text file on GitHub so that communicating infections receive “u7320947p3[.]ha004[.]t[.]justns” and are directed to the new C2 domain u7320947p3[.]ha004[.]t[.]justns[.]ru.\r\nOnce the spyware has its target domain, it exfiltrates the zip archive containing all of the stolen data (Figure 6). The code calls the high-level networking functions HttpSendRequest() and InternetWriteFile() to send an HTTP POST to u667503srd[.]ha004[.]t[.]justns[.]ru/collect[.]php. On the command-and-control server, collect.php receives the uploads from infected machines. According to the platform developers, the attacker clients can then connect to this server and access the data they have stolen.\r\nAfter the stolen data is exfiltrated, the spyware deletes the temporary files it created, frees the memory it used, and finishes executing.\r\nCommand-and-Control Take Down\r\nThe VMRay Labs Team sent our findings on the C2 traffic to GitHub and was able to get the malicious repository removed. The attackers can no longer rely on this file to direct the malware to the data exfiltration server. Now, when the spyware attempts to fetch nyun.txt from GitHub, it receives an error page instead of the spyware-as-a-service domain *[.]ha0004[.]t[.]justns. Because the sample accepts any non-empty response as the domain, CollectorGoomba (poorly programmed, as its name suggests) does exactly what can be seen in Figure 7: it attempts to upload the stolen data to “404: Not Found.ru/collect.php”. 
This attempt fails and the sample actually crashes. All of the attackers’ malware that relied on this GitHub repository should now fail to upload stolen data, regardless of which exfiltration server was hard-coded into the malware, because the non-empty error page takes precedence over the hard-coded fallback.\r\nAs early as June 20th, the spyware developers updated their code to rely instead on text files hosted on upaste[.]me. However, any instance of CollectorGoomba compiled before the update should still fail to upload the data it stole.\r\nSo why the name CollectorGoomba?\r\nThe spyware is malicious and can definitely harm victims; however, I understand that it is not a sophisticated credential stealer and that it was poorly programmed. During our search to confirm that this was indeed a new sample, we found several discussions on criminal forums about “COLLECTOR Project” and its predecessor “Memory Project”. Honestly, the basic coding of the spyware, its malicious nature and the ease of shutting it down reminded me of the basic enemies you fight in Mario, Goombas.\r\nGoombas can be harmful, but they are also unintelligent (historically they have had very basic programming) and can be destroyed simply by jumping on them. According to the game’s lore, however, Goombas can grow to become a larger threat if left alone. The new spyware strain, CollectorGoomba, is still under active development by its criminal programmers. While it is currently easy to block and shut down, without analysis it could grow to become a larger threat.\r\nNetwork Defender’s Perspective\r\nUsing VMRay Analyzer, defenders and researchers can see exactly how malware executes, exporting log files as necessary. VMRay supports an add-on for Splunk, allowing analysts to submit the data generated by VMRay Analyzer directly to Splunk for reporting and correlation with other sources. 
By using the analyzer, a SOC analyst can safely study the networking features of a potentially malicious program, understanding how the malware works and what indicators of compromise (IOCs) it will generate.\r\nBy analyzing this sample with VMRay, a network defender can see in the report that the sample will request raw[.]githubusercontent[.]com/fkarelli/fjrusbftnf/blob/master/nyun[.]txt and will exfiltrate data to a subdomain of justns[.]ru. By searching the organization’s network logs, an incident responder can use this knowledge to find records of the DNS queries or even the exfiltration HTTP traffic, and so identify which computers on the network may have been infected. An organization’s intrusion prevention system (IPS) can also be set to monitor for these IOCs and automatically protect the affected computers. The network can also be set to blackhole DNS queries for raw.githubusercontent.com, upaste[.]me, or *[.]ha0004[.]t[.]justns[.]ru: by configuring the local DNS server to return an incorrect (sinkhole) answer for those names, the spyware will be unable to connect to the command-and-control infrastructure. Use caution before blocking domains: your users may rely on sites such as raw.githubusercontent.com, so for the GitHub dead drop it is safer to match the full repository path at the web proxy than to block the host at DNS. 
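An added example, not part of the bulletin, of the log sweep described above: a Python script that walks constructed DNS and web-proxy log lines (the formats are invented for this example; adapt the two parsers to your own sources) and flags every client that touched one of the indicators in the IOC section. It matches the GitHub dead drop by repository path rather than by host, so ordinary users of raw.githubusercontent.com are not flagged, and it matches the C2 zone by suffix so that both spellings in the bulletin (ha004 and ha0004) are caught.

```python
# Added example (not from the bulletin or VMRay): sweeping DNS and web-proxy
# logs for the CollectorGoomba indicators. Log line formats are constructed
# for this example.
from urllib.parse import urlsplit

# Indicators from the bulletin. The GitHub host is legitimate, so it is only
# matched together with the repository path; the C2 zone is matched by suffix.
DEAD_DROP_HOST = 'raw.githubusercontent.com'
DEAD_DROP_PATH_PREFIX = '/fkarelli/fjrusbftnf/'
C2_ZONE_SUFFIX = '.t.justns.ru'
PASTE_HOST = 'upaste.me'
COLLECT_PATH = '/collect.php'

def host_matches(name: str, pattern: str) -> bool:
    # pattern starting with '.' matches any name in that zone; otherwise the
    # host itself or any subdomain of it. Trailing dots and case are ignored.
    name = name.lower().rstrip('.')
    if pattern.startswith('.'):
        return name.endswith(pattern)
    return name == pattern or name.endswith('.' + pattern)

def check_dns(line: str):
    # Constructed format: <timestamp> <client_ip> <qtype> <qname>
    _ts, client, _qtype, qname = line.split()
    if host_matches(qname, C2_ZONE_SUFFIX):
        return client, 'dns query for C2 zone ' + qname
    if host_matches(qname, PASTE_HOST):
        return client, 'dns query for ' + qname + ' (newer dead drop)'
    return None

def check_proxy(line: str):
    # Constructed format: <timestamp> <client_ip> <method> <url> <status>
    _ts, client, method, url, _status = line.split()
    parts = urlsplit(url)
    host = parts.hostname or ''
    if host_matches(host, DEAD_DROP_HOST) and parts.path.startswith(DEAD_DROP_PATH_PREFIX):
        return client, 'fetched dead-drop file ' + url
    if host_matches(host, C2_ZONE_SUFFIX) and method == 'POST' and parts.path == COLLECT_PATH:
        return client, 'POST to collect.php on ' + host + ' (exfiltration)'
    if host_matches(host, PASTE_HOST):
        return client, 'fetched ' + url + ' (newer dead drop)'
    return None

def sweep(dns_lines, proxy_lines):
    # Returns {client_ip: [reasons]} for every client that touched an indicator.
    hits = {}
    for line in dns_lines:
        r = check_dns(line)
        if r:
            hits.setdefault(r[0], []).append(r[1])
    for line in proxy_lines:
        r = check_proxy(line)
        if r:
            hits.setdefault(r[0], []).append(r[1])
    return hits

# Constructed sample logs: 10.0.0.5 shows the full infection chain, 10.0.0.7
# only resolved a C2 host, and 10.0.0.9 read an unrelated raw GitHub file
# and must not be flagged.
SAMPLE_DNS = [
    '2020-06-22T10:15:03Z 10.0.0.5 A raw.githubusercontent.com',
    '2020-06-22T10:15:05Z 10.0.0.5 A u667503srd.ha004.t.justns.ru',
    '2020-06-22T10:16:00Z 10.0.0.9 A raw.githubusercontent.com',
    '2020-06-22T10:17:00Z 10.0.0.7 A u7320947p3.ha0004.t.justns.ru',
]
SAMPLE_PROXY = [
    '2020-06-22T10:15:04Z 10.0.0.5 GET https://raw.githubusercontent.com/fkarelli/fjrusbftnf/master/nyun.txt 200',
    '2020-06-22T10:15:06Z 10.0.0.5 POST http://u667503srd.ha004.t.justns.ru/collect.php 200',
    '2020-06-22T10:16:01Z 10.0.0.9 GET https://raw.githubusercontent.com/python/cpython/master/README.rst 200',
]

if __name__ == '__main__':
    for client, reasons in sorted(sweep(SAMPLE_DNS, SAMPLE_PROXY).items()):
        print(client)
        for reason in reasons:
            print('  ' + reason)
```

Because the DNS rule for the dead drop is deliberately absent, a client that only resolves raw.githubusercontent.com is never flagged; the path-level proxy match is what distinguishes the malware’s fetch from a developer pulling a README.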
With the C2 infrastructure safely blocked, data will not be exfiltrated, just as older versions of CollectorGoomba can no longer reach their file on GitHub.\r\nIOCs\r\nSample:\r\nSHA256: 49a56e067a73bb6f553b8df8a354d3b3328b8fffb64a459a1e719d86df89a322\r\nC2 Infrastructure:\r\nraw[.]githubusercontent[.]com/fkarelli/fjrusbftnf/master/nyun[.]txt\r\nu7320947p3[.]ha0004[.]t[.]justns[.]ru/collect[.]php\r\nu667503srd[.]ha004[.]t[.]justns[.]ru/collect[.]php\r\nu667503gif[.]ha004[.]t[.]justns[.]ru/collect[.]php\r\nu640763aha[.]ha004[.]t[.]justns[.]ru/collect[.]php\r\n185[.]22[.]155[.]51 (observed hosting collect.php, April 2020 – June 2020)\r\nupaste[.]me/r/4040523075fb98d9f (replaces GitHub in the latest instance of the spyware)\r\nSpyware Samples Referencing C2 Infrastructure (SHA256):\r\n0d27f5aec4935de8cf10ec74eb5c8558e57768f06ed118a0feed6fecebebaa34\r\n0d65734eb25e7671cf618a2cd062a5f45ace06a4aeb8c3475c234daa2211f1ed\r\n12fdab70f2ce661a0cd09c7862edb45aa9c974a564d1236dacf7ae81decd95af\r\n1bbbf7558d64c231a1fd57b06386de9c28a914306ed1c3fe6c45b46335ef6798\r\n31adc3a008913f0d63be55f536d936d405d7468bac97bc820c50ad4f598e7d21\r\n36f9a4f21bafa4ade632e47d1f72d31eb0b41d647549f6f455c1ccca9242cde2\r\n385651ce8441af1f43c9baf8fc24040a2eea53d574c193e5ba2618d09eef1050\r\n3c04368599e361dab09da4e18f822db21c87d7a2531eab7c0e3c6baa5a0f7209\r\n51e917806f84d3035b2d94cb3701b07ec47b3dc07a5b3e4dd38a5c552482a8bb\r\n5216b6155c962abfd7d01ea02bbe7c7fd4e3c61f66437f1df6f2f0c128157b7a\r\n53ad307d86d47f830a4decc093ccac947fb28a4909b7d4e8d02c909d1348d64c\r\n5897c6061bf82ece002e1f4db3ea6e9e4ac27339223f66d85778f19fc1fb5bf6\r\n76a0602451b6e0ab9e4f1843ae4455e8c0e1488450edd73bda7bd0a698ead565\r\n7adfa2e759e2aac98647eea87fdaafb42127c734a524b064d44ad33471e2f7ee\r\n7afcd27e5887e417d09657407e52e51d4f62cb070e43c9b698002750d6098129\r\n85f5eaccf6bd35d7447b5e65171014d2de833599ed79fd3c2cecea9d946de8ae\r\n8efa7e0b78331847d4e541e607da2ede323a506719773854c7643230b7a52994\r\n95b98f660cd9a3940264e2d28f80ac6686384b4a5ff69f94fb5618cebfe91d6a\r\n9b1c741dc51852aae7654a62f919c9755f4fce79077cf09316fcc764aa782d29\r\na4bd9a97b7dc82f254ed96749c5ab1ba8b92332e0d5dd7fc860588e252840f25\r\nafc1dfa00008188ec3947dda0057a1e6f42330024e2b4e3fba74a5e40fea4d1f\r\nb6cb4634459bd3eaf6bd3603d5795bbdfc30885f336d6b0b3050da3bb694d570\r\nbca35de184fe234a061de7872a1b69b68738f900dbe1ed86db6e9514d59c270d\r\nce3f2b9a2704436f72efab3a30a622ec89413a9e4c157c0408474dd4573c947c\r\ne453c1b908c18881bec40c6ae1e85bf64d12ef84d7a9a704cf957af83252af4e\r\ne9daf12c4d651fa2ce757f1ca6209917bb272c37f1b7d65a4e6f6df32dbccae5\r\nf120d323fc380bdfb8573dba310c9f66aefd890e0f5b624add1d1af15c51937e\r\nfcdefe8655c9b54d44a587435ef2d19320b0deba57d52afabc3f4f1416aee2d7\r\nActive Samples (now using upaste[.]me instead of GitHub):\r\n639bd88a73154bd38aa18eaea3e968b76f4431ade64d25936cc7e34509075f94\r\nc2b96838c24b59490a318b4165ae8231b9ed2f7e1b0cb61391c7816ff0f859f9\r\nVMRay Analyzer Reports for Related Samples:\r\nhttps://www.vmray.com/analyses/385651ce8441/report/overview.html\r\nhttps://www.vmray.com/analyses/51e917806f84/report/overview.html\r\nhttps://www.vmray.com/analyses/ce3f2b9a2704/report/overview.html\r\nhttps://www.vmray.com/analyses/639bd88a7315/report/overview.html\r\nhttps://www.vmray.com/analyses/c2b96838c24b/report/overview.html\r\nSource: https://www.vmray.com/cyber-security-blog/cutting-off-command-and-control-infrastructure-collectorgoomba-threat-bulletin/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.vmray.com/cyber-security-blog/cutting-off-command-and-control-infrastructure-collectorgoomba-threat-bulletin/"
	],
	"report_names": [
		"cutting-off-command-and-control-infrastructure-collectorgoomba-threat-bulletin"
	],
	"threat_actors": [],
	"ts_created_at": 1775439149,
	"ts_updated_at": 1775826702,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/179f755d5d2ee9222ae096accc1c2aac8b367d90.pdf",
		"text": "https://archive.orkl.eu/179f755d5d2ee9222ae096accc1c2aac8b367d90.txt",
		"img": "https://archive.orkl.eu/179f755d5d2ee9222ae096accc1c2aac8b367d90.jpg"
	}
}