{
	"id": "419ba925-4b20-49ff-a563-b701330c63ab",
	"created_at": "2026-04-06T02:11:59.885786Z",
	"updated_at": "2026-04-10T03:21:53.456467Z",
	"deleted_at": null,
	"sha1_hash": "379abbe592a442884c5e082365421295cb206081",
	"title": "360 Netlab Blog - Network Security Research Lab at 360",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 156448,
	"plain_text": "360 Netlab Blog - Network Security Research Lab at 360\r\nBy lvxing\r\nPublished: 2024-06-14 · Archived: 2026-04-06 01:31:12 UTC\r\nWarning: a modified version of the CIA attack suite Hive has entered the cybercrime underground\r\nOverview On October 21, 2022, 360Netlab's honeypot system captured a suspicious ELF file, ee07a74d12c0bb3594965b51d0e45b6f, that was spreading through an F5 vulnerability and had 0 detections on VT. Our traffic monitoring system flagged SSL traffic between it and the IP 45.9.150.144, with both sides using forged Kaspersky certificates, which caught our attention. After analysis, we confirmed that it was adapted from the leaked server source code of the CIA Hive project. This is the first time we have captured an in-the-wild variant of the CIA HIVE attack suite; based on the CN=xdr33 in its embedded Bot-side certificate, we named it xdr33 internally. There are many source-code analyses of the CIA Hive project on the Internet which readers can consult on their own, so we will not go into that here. In short, xdr33 is a backdoor trojan derived from the CIA Hive project whose main purpose is to collect sensitive information and provide a foothold for subsequent intrusions. In terms of network communication, xdr33 encrypts the raw traffic with the XTEA or AES algorithm and further protects it with SSL in Client-Certificate Authentication mode; in terms of functionality, it has two main tasks, beacon and trigger, where beacon periodically sends to the hard-coded Be\r\nSource: https://blog.netlab.360.com/blackrota-an-obfuscated-backdoor-written-in-go/",
	"extraction_quality": 1,
	"language": "ZH",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.netlab.360.com/blackrota-an-obfuscated-backdoor-written-in-go/"
	],
	"report_names": [
		"blackrota-an-obfuscated-backdoor-written-in-go"
	],
	"threat_actors": [],
	"ts_created_at": 1775441519,
	"ts_updated_at": 1775791313,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/379abbe592a442884c5e082365421295cb206081.pdf",
		"text": "https://archive.orkl.eu/379abbe592a442884c5e082365421295cb206081.txt",
		"img": "https://archive.orkl.eu/379abbe592a442884c5e082365421295cb206081.jpg"
	}
}