{
	"id": "7f629fea-9d4d-4809-8a89-790cccf33d34",
	"created_at": "2026-04-06T00:12:17.746865Z",
	"updated_at": "2026-04-10T03:32:46.251238Z",
	"deleted_at": null,
	"sha1_hash": "3ff2ed1cfc6039ae37401503cef690f9a9aa2672",
	"title": "Watching the WatchBog: New BlueKeep Scanner and Linux Exploits",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1777605,
	"plain_text": "Watching the WatchBog: New BlueKeep Scanner and Linux\r\nExploits\r\nBy Paul Litvak\r\nPublished: 2019-07-24 · Archived: 2026-04-05 23:40:54 UTC\r\nWe have discovered a new version of WatchBog—a cryptocurrency-mining botnet operational since late\r\n2018—that we suspect has compromised more than 4,500 Linux machines in newer campaigns taking\r\nplace since early June.\r\nAmong the new Linux exploits, this version of WatchBog implements a BlueKeep RDP protocol\r\nvulnerability scanner module, which suggests that WatchBog is preparing a list of vulnerable systems to\r\ntarget in the future or to sell to third party vendors for profit.\r\nThe malware is currently undetected by all security vendors.\r\nIn this blog post we provide prevention and response recommendations for Windows and Linux users, in\r\naddition to a YARA signature for detecting this and future threats that share the same malicious code.\r\nIntro to WatchBog Cryptomining Malware\r\nWatchBog is a cryptocurrency-mining botnet that was spotted as early as November 2018. The group is known to\r\nbe exploiting known vulnerabilities to compromise Linux servers. The group was documented in the past by the\r\nAlibaba Cloud Security department.\r\nSince the last publication regarding this group, it has upgraded its implants by implementing a new spreading\r\nmodule in order to improve the coverage of vulnerable servers. We have detected a new version of WatchBog,\r\nwhich incorporates recently published exploits—among them being Jira’s CVE-2019-11581 (added 12 days after\r\nthe release of the exploit), Exim’s CVE-2019-10149, and Solr’s CVE-2019-0192.\r\nWe also found that this spreader module incorporated a BlueKeep scanner.\r\nBlueKeep, also known as CVE–2019-0708, is a Windows-based kernel vulnerability, which allows an attacker to\r\ngain RCE over a vulnerable system. The vulnerability is present in unpatched Windows versions ranging from\r\nWindows 2000 to Windows Server 2008 and Windows 7. 
There is no known public PoC available for achieving RCE with this vulnerability, and no attack has been spotted in the wild yet. The incorporation of this scanner module suggests that WatchBog is preparing a list of vulnerable systems for future developments with regards to BlueKeep.\r\nThe Jira, Solr and BlueKeep scanner modules were all added in the time frame of 13 days. WatchBog seems to be accelerating the incorporation of new functionalities as of late.\r\nThe spreader binary is currently undetected by security vendors:\r\nhttps://intezer.com/blog/linux/watching-the-watchbog-new-bluekeep-scanner-and-linux-exploits/\r\nPage 1 of 10\r\nVirusTotal\r\nAfter uploading this file to Intezer Analyze we can immediately see that it shares code with WatchBog, before even beginning to reverse engineer the file:\r\nIntezer Analyze analysis\r\nWhile investigating this new spreader module, we discovered a flaw in its design that allowed us to stage a ‘man-in-the-middle’ attack to help us analyze the binary. We provide an analysis of this module in the technical analysis below.\r\nTechnical Analysis of WatchBog\r\nThe WatchBog threat actor group runs an initial deployment script when infecting a target. This script sets up persistence via crontab and downloads further Monero miner modules from Pastebin, as has been previously documented by Alibaba Cloud.\r\nThe interesting addition to this script is the following part at the end of the script:\r\nAs per WatchBog’s typical way of operating, the script downloads another base64-encoded payload from Pastebin, which further downloads another module and then executes it:\r\nHowever, this is not another miner module. Rather, it is the new spreader module.\r\nFrom a quick view this is a plain dynamically linked ELF executable.
However, once we started analyzing the executable, we were surprised to see that this was actually a Cython-compiled executable, requiring us to expand our analysis efforts.\r\nCython-compiled binary\r\nAs stated by this Medium article about Cython:\r\n“Meet Cython, an optimizing static compiler that takes your .py modules and translates them to high-performant C files. Resulting C files can be compiled into native binary libraries with no effort. When the compilation is done there’s no way to reverse compiled libraries back to readable Python source code!”\r\nThe compiled binary does, however, include some hints to the original Python module:\r\nInitialization\r\nInitially, the binary creates a file at /tmp/.gooobb in which it writes its pid as a footprint of the malware execution. Subsequent attempts to launch the spreader will fail while this file exists.\r\nThe binary then retrieves its C2 servers from Pastebin:\r\nAn .onion C2 server address is also hardcoded in the binary and is used as a fallback.\r\nWe can estimate the number of victims infected based on the number of visits to the Pastebin links:\r\nAs seen above, we suspect around 4,500 endpoints were infected with the use of these specific Pastebin links. As WatchBog is known to have been active before June 5—which is the upload date of these Pastebins—we believe additional machines may have been infected with the use of older Pastebin links.\r\nThe binary first attempts to connect to one of the available static C2 servers.\r\nWe observed that the onion C2 server had an expired certificate.\r\nNormally, HTTPS clients check the validity of the SSL certificate that they are interacting with. However, this was not the case with WatchBog’s implants.
This led us to assume that the WatchBog client did not verify the certificate when using HTTPS; otherwise it would reject it and refuse to communicate with the C2.\r\nThis flaw allowed us to set up a transparent HTTPS proxy with our own certificate and stage a ‘man-in-the-middle’ attack to analyze WatchBog SSL/TLS traffic:\r\nThe binary then generates a unique key for the infected victim and sends an initial message to the C2 under this key. The following images include sample request and response payloads from the SSL/TLS decrypted traffic:\r\nThese packets were encoded to obfuscate their content. During the analysis, we were able to determine the encoding algorithm used. The following Python 2 script decodes the payload:\r\n# Python 2 (relies on str.decode codecs). The payload is a list; each element\r\n# is one character of the reversed plaintext, decoded in the order\r\n# uuencode -> hex -> base64, leaving a decimal string that is turned into a char.\r\nfinal = \"\"\r\narr = input()\r\nfor a in arr:\r\n    # wrap the element in a minimal uuencode envelope so the uu codec accepts it\r\n    stri = (\"begin 666 \\n{0}\\n \\nend\\n\".format(a)\r\n            .decode(\"uu\").strip('\\x00')\r\n            .decode(\"hex\")\r\n            .decode(\"base64\"))\r\n    final += chr(int(stri))\r\n# the plaintext was stored reversed\r\nprint(final[::-1])\r\nThe initial message contains the compromised system information:\r\nThis information will be merged and hashed to build the route of WatchBog’s API hosted on its CNCs. The server replies with a “task” for the bot to perform on a list of targets:\r\nBlueKeep Scanner\r\nIn this newer version of WatchBog it seems that the group has integrated an RDP scanner in order to find Windows machines vulnerable to the BlueKeep vulnerability. This scanner is a Python port of zerosum0x0’s scanner hosted on GitHub.
We can make this assessment based on function name similarities:\r\nThe scanner will then attempt to find vulnerable RDP servers from the IP list provided by the CNC:\r\nWatchBog scanning RDP ports\r\nThe default Windows service port for RDP is TCP 3389, and it can easily be identified in the packets by the string “Cookie: mstshash=”.\r\nWe can observe the use of the string ‘watchbog’ as the username in the RDP mstshash field.\r\nAmong some of the IP lists we found being supplied for RDP scanning, we spotted that some of the IP addresses belonged to Vodafone Australia and Tencent Computer Systems infrastructure.\r\nAfter the scanning stage, the WatchBog client returns an RC4-encrypted list of vulnerable IP addresses encoded as a hexadecimal string:\r\nEncrypted scanned IP addresses\r\nThe threat actors behind WatchBog may be gathering a list of vulnerable BlueKeep Windows endpoints for future use, or perhaps to sell to a third party to make a profit.\r\nSpreading\r\nThe WatchBog client includes five exploits for the following CVEs:\r\nCVE-2019-11581 (Jira)\r\nCVE-2019-10149 (Exim)\r\nCVE-2019-0192 (Solr)\r\nCVE-2018-1000861 (Jenkins)\r\nCVE-2019-7238 (Nexus Repository Manager 3)\r\nAvailable “pwn” modules\r\nFurthermore, two modules for bruteforcing CouchDB and Redis instances exist, together with code to achieve RCE.\r\nAll of the exploit “pwn” modules allow an attacker to achieve remote code execution.\r\nOnce a vulnerable service for which an exploit module exists is discovered, the binary spreads itself by invoking the right exploit and installing a malicious bash script hosted on Pastebin.\r\nWe were able to find an early test version of the spreader module uploaded to HybridAnalysis, including an exploit for Solr
CVE-2019-0192, an exploit for ActiveMQ CVE-2016-3088, and a module utilizing a technique to gain code execution on cracked Redis instances:\r\nSolr exploit as it appears in the test version.\r\nConclusion\r\nWe presented our findings regarding the high pace of adaptation that WatchBog is maintaining by integrating recently published exploits and updating its implants with more up-to-date offensive technologies.\r\nIt is important to highlight that Python malware can become harder to analyze if it is deployed natively with engines such as Cython. That is in contrast to other Python native frameworks such as pyinstaller, where Python code can not be recovered.\r\nThe incorporation of the BlueKeep scanner by a Linux botnet may indicate WatchBog is beginning to explore financial opportunities on a different platform. Currently, no known public RCE BlueKeep PoCs exist and it will be interesting to monitor this group once a PoC is published.\r\nPrevention and Response\r\nWe recommend updating your relevant software to its latest version:\r\nWe suggest Windows users refer to Microsoft’s customer guidance in order to mitigate the BlueKeep vulnerability.\r\nWe suggest Linux users who use Exim, Jira, Solr, Jenkins or Nexus Repository Manager 3 update to the latest versions.\r\nWe suggest Linux users who use Redis or CouchDB ensure that there are no open ports exposed outside of trusted networks.\r\nWe recommend Linux users who suspect that they are infected with WatchBog check for the existence of the “/tmp/.tmplassstgggzzzqpppppp12233333” file or the “/tmp/.gooobb” file.\r\nWe have also created a custom YARA rule based on WatchBog’s malicious code for detecting this threat.\r\nGenetic Analysis\r\nWatchBog is indexed in Intezer’s genetic database.
If you have a suspicious file that you suspect to be WatchBog, you can upload it to Intezer Analyze in order to detect code reuse to this malware family. You are welcome to try it in our free community edition.\r\nIOCs\r\nSource: https://intezer.com/blog/linux/watching-the-watchbog-new-bluekeep-scanner-and-linux-exploits/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://intezer.com/blog/linux/watching-the-watchbog-new-bluekeep-scanner-and-linux-exploits/"
	],
	"report_names": [
		"watching-the-watchbog-new-bluekeep-scanner-and-linux-exploits"
	],
	"threat_actors": [
		{
			"id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31",
			"created_at": "2023-01-06T13:46:38.376868Z",
			"updated_at": "2026-04-10T02:00:02.949077Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"G0003",
				"Operation Cleaver",
				"Op Cleaver",
				"Tarh Andishan",
				"Alibaba",
				"TG-2889",
				"Cobalt Gypsy"
			],
			"source_name": "MISPGALAXY:Cleaver",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434337,
	"ts_updated_at": 1775791966,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3ff2ed1cfc6039ae37401503cef690f9a9aa2672.pdf",
		"text": "https://archive.orkl.eu/3ff2ed1cfc6039ae37401503cef690f9a9aa2672.txt",
		"img": "https://archive.orkl.eu/3ff2ed1cfc6039ae37401503cef690f9a9aa2672.jpg"
	}
}