{
	"id": "07dcced7-7340-42b0-b1b0-33ecc47d5670",
	"created_at": "2026-04-06T00:14:34.681768Z",
	"updated_at": "2026-04-10T13:11:51.460457Z",
	"deleted_at": null,
	"sha1_hash": "3951d977d829b084f31f6a99206f0e30e794d1e3",
	"title": "TheMoon Malware Resurfaces",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 82785,
	"plain_text": "TheMoon Malware Resurfaces\r\nBy Black Lotus Labs\r\nArchived: 2026-04-05 19:05:01 UTC\r\nThe darkside of themoon\r\nPublished on Mar 26, 2024 | 6 minute read\r\nExecutive summary\r\nThe Black Lotus Labs team at Lumen has identified a multi-year campaign targeting end-of-life (EoL) small home/small office (SOHO) routers and IoT devices, associated with an updated version of “TheMoon” malware. TheMoon, which emerged in 2014, has been operating quietly while growing to over 40,000 bots from 88 countries in January and February of 2024. As our team has discovered, the majority of these bots are used as the foundation of a notorious, cybercriminal-focused proxy service known as Faceless. While Lumen has previously documented this malware family, our latest tracking has shown that TheMoon appears to enable Faceless’ growth at a rate of nearly 7,000 new users per week.\r\nThrough Lumen’s global network visibility, Black Lotus Labs has identified the logical map of the Faceless proxy service, including a campaign that began in the first week of March 2024 and targeted over 6,000 ASUS routers in less than 72 hours. Faceless is an ideal choice for cyber-criminals seeking anonymity; our telemetry indicates this network has been used by operators of botnets such as SolarMarker and IcedID. Lumen Technologies has blocked all traffic across our global network to or from the dedicated infrastructure associated with both Faceless and TheMoon. We are releasing indicators of compromise (IoCs) to help others identify and take action to disrupt this operation and impact the larger cybercrime ecosystem.\r\nLumen Technologies would like to thank our partners at Spur for their contributions to our efforts to track and mitigate this threat.\r\nIntroduction\r\nThe majority of anonymizing services are used for benign purposes, from bypassing censorship to anonymizing a user’s identity. 
However, there are services that exist to proxy internet traffic for those with ill intent. Black Lotus Labs has continued to refine our internal network-focused analytics to identify botnets and harmful proxies, and in late 2023 we uncovered a SOHO/IoT-based activity cluster communicating with tens of thousands of distinct IP addresses per week. As we began research into this cluster’s command and control (C2) infrastructure, we found a file hosted at that address carrying a new variant of TheMoon, a botnet that was previously thought to have been rendered inert. While its influence may have waned since Lumen described it in 2019, we found that TheMoon has entered a new phase. Our analysis indicates that the operators behind this botnet were enrolling the compromised end-of-life (EoL) devices into an established residential proxy service called Faceless.\r\nhttps://blog.lumen.com/the-darkside-of-themoon\r\nPage 1 of 7\n\nFaceless is a formidable proxy service that rose from the ashes of the “iSocks” anonymity service and has become an integral tool for cybercriminals in obfuscating their activity. We noted such a strong statistical correlation of TheMoon bots gravitating toward Faceless that we believe TheMoon is the primary, if not the only, supplier of bots to the Faceless proxy service.\r\nMalware analysis\r\nThe infection process for victim proxy devices began with a lightweight loader file, which first checked for the presence of “/bin/bash,” “/bin/ash,” or “/bin/sh.” If none of these shells is found, the file ceases execution. If one of those three shells is available, it decrypts, drops, and executes the next-stage payload “.nttpd.” This file once again begins by checking for the presence of a shell. Next it looks for the file “.nttpd.pid”; if it is not found, it creates the file and writes the process’s PID along with the hardcoded version 26. 
If .nttpd.pid exists, it opens the file, and if the version recorded there is newer than 26, it kills all of the processes named .nttpd.pid.\r\nThe binary then sets up these iptables rules:\r\nINPUT -p tcp --dport 8080 -j DROP\r\nINPUT -p tcp --dport 80 -j DROP\r\nINPUT -s 91.215.158.0/24 -j ACCEPT\r\nINPUT -s 195.3.144.0/24 -j ACCEPT\r\nINPUT -s 185.246.128.0/24 -j ACCEPT\r\nFollowing the creation of the rules, it sets up a thread to contact an NTP server from a list of legitimate NTP servers; we suspect the operators use NTP as a mechanism to ensure the infected device has internet connectivity and to determine that it is not being run in a sandbox. Following this, it attempts to cycle through a set of hard-coded IP addresses, establish a connection on port 15194, and send a hardcoded packet on port 16194. We suspect the hardcoded packet is a check-in packet signaling a successful connection.\r\nThe C2 may respond with a packet that gives a specific filename and a location from which it can be retrieved. The infected device then requests and downloads the corresponding ELF executable. Thus far we have identified two subsequent modules: one appears to be a worm, while the other file is named “.sox,” which is used to proxy traffic from the bot to the internet on behalf of a user.\r\nWorm module\r\nTo deliver the worm module, the C2 sends another file, “.scz,” that decrypts, drops, and executes an additional file, “.scn.” The .scn executable attempts to spread itself by scanning an IP block supplied by the C2 in search of vulnerable web servers on ports 80 and 8080. If it finds one, it attempts to write and execute the file as .nttpd using a series of echo calls to the vulnerable web server.\r\n.sox files\r\nOnce the .sox file is executed on the infected system, it begins by checking the shell. Next it confirms it is running the most current version of the software; if not, it ceases execution and runs the latest version. 
Finally, it has the ability to modify iptables, which enables the malware to open additional ports to download the next modules.\r\nThe file then checks for the presence of a file called “.sox.twn.” If .sox.twn is not found, the .sox file attempts to contact a hard-coded IP address embedded in the .sox file. Research indicated these embedded IP addresses did not seem to respond and are possibly decoys or old C2s. The .sox file continues to attempt to connect to the hard-coded IP on a port between 4210 and 4217 until the Moon C2, aware the infection is active, finally sends the .sox.twn file.\r\nOnce the .sox.twn file is received, the .sox file reads four bytes from a hard-coded offset in the .sox.twn file and uses this value to replace the hard-coded IP address. The four bytes read from the .sox.twn file represent a known Faceless C2, 195.3.147[.]73. The .sox file then attempts to contact the new C2 on a random port between 4210 and 4217 every 5 seconds. If it receives a response, it then contacts the C2 on port 501x.\r\nThis process is illustrated below, showing the port 4215 activity followed by the port 5015 activity. The C2 on port 5015 then forwards requests to the infected host on behalf of the Faceless user.\r\nUpdate C2 \u0026 clean-up scripts\r\nThe Moon C2 can occasionally respond with a handful of other files. The first file, named “.soxT,” is a bash script that writes the binary file “/tmp/.sox.twn.” This file is used to update the C2 server for the Faceless proxy. Another shell script, “.soxP,” appears to do some cleanup and host-based evasion by removing the threat actor-dropped files from disk. 
An excerpt of the cleanup script is below:\r\n#!/bin/sh\r\ndd /tmp\r\nrm -r .sox1* .sox2* …\r\ncp .sox.pid sox10.pid\r\ncp sox.pid .sox20.pid …\r\nOverlap between TheMoon and Faceless\r\nAfter discovering a co-habitation where a single device contained copies of both TheMoon and Faceless executables, we observed a highly significant statistical overlap between the two families’ activity clusters. In a ten-day period, approximately 80% of bots that talk to Faceless C2s were also seen talking to the Moon C2. In fact, multiple Faceless C2s that Lumen has monitored have a 90% overlap with the bots that are also talking to TheMoon C2.\r\nIn the graph above, the X-axis indicates the number of days it took for a newly infected bot communicating with TheMoon C2 to then communicate with a Faceless C2. Only 5% of the total bots had a scenario in which we first saw the bot reach out to a Faceless C2 prior to a TheMoon C2. We observe that 40% of new Moon bots go on to talk to a Faceless C2 on the same day. In the event a bot does not talk to both on the same day, the trend shows 80% of new TheMoon bots will talk to a Faceless C2 within 3 days, again pointing to TheMoon being the initial infection point for Faceless. Faceless C2s communicate with bots on ports with the scheme 421x, 481x and 501x, where the final number is randomly selected between 0 and 7. This is the same scheme we detailed above, used by TheMoon.\r\nWe have observed TheMoon payload hosted on multiple different servers, and in one instance we observed the payload simultaneously hosted on a Faceless C2.\r\nFurther analogous activity showed one of the Faceless C2s contacting the Moon C2 on port 80 from the start of 2024 through the middle of February. 
Based upon the totality of evidence, we assess with high confidence that TheMoon is the singular botnet that powers Faceless.\r\nGlobal telemetry analysis – Faceless\r\nFaceless proxy server infrastructure\r\nThe Faceless proxy service offers its users the ability to mimic a connection as if they were a legitimate ISP end-user in a country of their choice. The user maintains anonymity throughout this process, because Faceless doesn’t have a “know your customer” (KYC) verification process and only accepts payment in cryptocurrencies. These are ideal conditions for those who wish to perform criminal activity without being traced.\r\nThey fabricate this network by compromising IoT devices located around the globe, many of which appear to be end-of-life. We suspect these devices are preferred because they are no longer supported by the manufacturer, and as time goes by they become more vulnerable to exploitation since patches and updates are no longer forthcoming. There is also the potential that devices such as these may sometimes be forgotten or abandoned.\r\nThe Faceless operators display a high level of operational security by siloing their infrastructure. In practice, this means any device enrolled in Faceless will only communicate with one Faceless server throughout the time in which it is infected. These Faceless servers were likely all stood up and connected with a single campaign. Examples of those campaign breakdowns are as follows:\r\n85% of one Faceless server’s activity involved infected devices stemming from a single ASN.\r\nTwo Faceless servers interacted with Network Attached Storage (NAS) devices running HipServ operating systems and old D-Link cameras running “alphapd” web server software, such as the DCS-930L. Of note, these align with a worm file that was highlighted in the malware analysis section.\r\nAnother server was stood up to furnish their own scanning infrastructure. 
In February, 45.143.201[.]87 was seen talking to approximately 3,500 devices on its port 32123, which is an FTP server. Close to 80% of the IPs talking to 45.143.201[.]87:32123 were also seen talking to Moon and/or Faceless C2s during this time. Also of interest, this IP runs an Acunetix Web Vulnerability Scanner service on ports 3443 and 7880.\r\nWe were not able to determine how bots were redirected to yet another C2, as the bots for this C2 were all observed communicating with different Faceless infrastructure hosting TheMoon malware. This likely denotes an isolated set of siloed infrastructure, which may have been stood up to provide continuity in case other elements of the campaign were uncovered.\r\nThe latest emerging C2 was primarily focused on ASUS devices and grew to over 6,000 bots in a period of 72 hours.\r\nFaceless bot analysis\r\nOnce a bot communicates with a Faceless server, it is enrolled in the Faceless proxy network. We noticed an interesting trend in terms of longevity: 30% of the infections lasted for over 50 days, while around 15% of the devices were part of the network for 48 hours or less. Our analysis revealed an anomalous, large assembly of bots that were only infected for 23 days. This group was a product of Faceless gathering several thousand devices from a specific ASN and subsequently losing control of them 23 days later.\r\nFrom September 2023 through February 2024, we observed a rolling weekly average of approximately 30,000 distinct bots talking to the Moon C2, and of those, about 23,000 individual bots communicated with Faceless C2s. This shows us that not every bot infected with TheMoon malware became a Faceless bot. 
We are still seeking to understand the role of the 7,000 bots remaining with TheMoon, and how they interact within these two larger ecosystems.\r\nLogical structure of the Faceless service\r\nAn end-user is seamlessly routed through the Faceless network before egressing at their purchased exit point. In some cases, we see certain Faceless C2s playing the dual role of intermediary IP. This intermediary IP forwards the request to the Faceless C2 (if that IP isn’t itself a C2 already), which instructs the bot to fetch the requested resource and return the result through the same pipeline. In this manner, the true IP of the user is meant to be protected. The entire pipeline can be summarized below.\r\nBlack Lotus Labs sees a daily average of 3-5 IPs in contact with the Moon C2 on its port 80; these addresses are also observed talking with the Faceless C2s. We suspect these serve as the core intermediary proxies between the end users and Faceless.\r\nUser activity\r\nThis global network of compromised SOHO routers gives actors the ability to bypass some standard network-based detection tools – especially those based on geolocation, autonomous system-based blocking, or those that focus on Tor blocking. 80% of Faceless bots are located in the United States, implying that accounts and organizations within the U.S. are primary targets. We suspect the bulk of the criminal activity is password spraying and/or data exfiltration, especially toward the financial sector. In some cases, we have seen long-duration user connections stemming from SolarMarker and IcedID actor-controlled infrastructure. 
We assess that these connections are associated with administrative activity, stemming from threat actors connecting to their C2 servers via this obfuscation network, adding another layer of anonymity to their operational security.\r\nConclusion\r\nThis is not the first instance of infected devices being enrolled into a proxy service, and it is a growing trend. We suspect that with the increased attention paid to the cybercrime ecosystem by both law enforcement and intelligence organizations, criminals are looking for new methods to obfuscate their activity. While some groups rely on tools like commercially available VPN services, there has been at least one case of VPN logs leading to the identification of a criminal. There are some signs that the Tor network itself could lead to de-anonymization if a given entity controlled enough nodes and received sufficient data from them. Events like these may not eclipse the use of VPN services, but the tides are shifting toward residential proxy servers as criminal organizations’ first choice.\r\nBlack Lotus Labs continues to monitor and track large-scale botnets to help protect and better secure the internet as a whole. To that end, we have blocked traffic across the Lumen global backbone to all of the architecture related to TheMoon and Faceless. This includes the Faceless and Moon C2s, intermediary IPs, and IPs used to scan and infect new bots. We have added the indicators of compromise (IoCs) from this campaign into the threat intelligence feed that fuels the Lumen Connected Security portfolio. We will continue to monitor new infrastructure, targeting activity, and expanding TTPs, and we will continue to collaborate with the security research community to share findings related to this activity.\r\nWe encourage the community to monitor for and alert on these and any similar IoCs. 
We also advise the following:\r\nCorporate Network Defenders:\r\nContinue to look for attacks on weak credentials and suspicious login attempts, even when they originate from residential IP addresses, which bypass geofencing and ASN-based blocking.\r\nProtect cloud assets from communicating with bots that are attempting to perform password spraying attacks, and begin blocking IoCs with Web Application Firewalls.\r\nConsumers with SOHO routers:\r\nUsers should follow best practices of regularly rebooting routers and installing security updates and patches. For guidance on how to perform these actions, please see the “best practices” document prepared by the Canadian Centre for Cyber Security.\r\nFor organizations that manage SOHO routers: make sure devices do not rely upon common default passwords. They should also ensure that the management interfaces are properly secured and not accessible via the internet. For more information on securing management interfaces, please see DHS’ CISA BoD 23-02 on securing networking equipment.\r\nWe also recommend replacing devices once they reach their manufacturer end of life and are no longer supported.\r\nAnalysis of TheMoon and Faceless was performed by Chris Formosa and Steve Rudd. Technical editing by Ryan English and Danny Adamitis.\r\nFor additional IoCs associated with this campaign, please visit our GitHub page.\r\nIf you would like to collaborate on similar research, please contact us on Twitter @BlackLotusLabs.\r\nThis information is provided “as is” without any warranty or condition of any kind, either express or implied. 
Use of this information is at the end user’s own risk.\r\nAuthor\r\nBlack Lotus Labs\r\nThe mission of Black Lotus Labs is to leverage our network visibility to help protect customers and keep the internet clean.\r\nSource: https://blog.lumen.com/the-darkside-of-themoon",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.lumen.com/the-darkside-of-themoon"
	],
	"report_names": [
		"the-darkside-of-themoon"
	],
	"threat_actors": [],
	"ts_created_at": 1775434474,
	"ts_updated_at": 1775826711,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3951d977d829b084f31f6a99206f0e30e794d1e3.pdf",
		"text": "https://archive.orkl.eu/3951d977d829b084f31f6a99206f0e30e794d1e3.txt",
		"img": "https://archive.orkl.eu/3951d977d829b084f31f6a99206f0e30e794d1e3.jpg"
	}
}