{
	"id": "4c4c86e0-fe34-4db6-aaf1-80185c5b4e67",
	"created_at": "2026-04-06T00:17:25.02106Z",
	"updated_at": "2026-04-10T03:20:03.164233Z",
	"deleted_at": null,
	"sha1_hash": "446e8384ac5630dd49f0a4d27931bfa5d051a693",
	"title": "PsiXBot Continues to Evolve with Updated DNS Infrastructure | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 859195,
	"plain_text": "PsiXBot Continues to Evolve with Updated DNS Infrastructure |\r\nProofpoint US\r\nBy Proofpoint Threat Insight Team, August 13, 2019\r\nPublished: 2019-08-12 · Archived: 2026-04-05 13:34:27 UTC\r\nOverview\r\nEarlier this year, FoxIT published research regarding the evolution of a .NET-based malware known as\r\n“PsiXBot.”[1] We have continued to observe the malware in both malicious email and exploit kit campaigns.\r\nSince the publication of this initial research, Proofpoint researchers have observed another evolution of PsiXbot\r\n(v1.0.2) which exhibits some key differences, including a new and unique method of dynamically fetching its own\r\nDNS infrastructure by utilizing a URL shortening service to gather the server IP addresses required to resolve the\r\n.bit domains used for command and control (C\u0026C).\r\nFigure 1: Newly Observed Global Variable Version - 1.0.2\r\nAnalysis\r\nProofpoint researchers have observed a new version of PsiXBot in the wild. It has historically been delivered in\r\nboth malicious spam campaigns and as a payload for the Spleevo and RIG-v exploit kits with indiscriminate\r\ngeographical targeting.\r\nAnalysts noted that in this version, the malware continues to check the infected machine’s installed language to\r\ndetermine whether it is Russian (RU) or not. If it is found to be RU, PsiXbot will exit.\r\nHistorically, PsiXbot has made use of .bit domain addresses, which are associated with the NameCoin\r\ncryptocurrency[2]. A .bit domain is not resolved in the same way as more common TLDs, such as “.com” or\r\n“.net”. Rather, it requires a special DNS server to provide resolution from domain to IP address.[3] In previous\r\nversions of PsiXbot, an OpenNIC DNS server was hardcoded in the binary. 
Now, the authors are utilizing a URL\r\ncreated with the URL shortening service “tiny[.]cc” to gather the current DNS server for each C\u0026C domain:\r\nFigure 2: The initial GET request for a hex-encoded domain name using tiny[.]cc shortener service\r\nhttps://www.proofpoint.com/us/threat-insight/post/psixbot-continues-evolve-updated-dns-infrastructure\r\nPage 1 of 12\n\nThe path of this shortened URL is a simple hex string which, upon decoding, yields a C\u0026C server domain. The same\r\ndomain is also hardcoded in the executable. After this initial HTTP request to tiny[.]cc, the connection is upgraded to HTTPS.\r\nOnce the connection is upgraded to HTTPS, the malware performs the same request again, only this time an “HTTP 303 See\r\nOther” response is given.\r\nWith this request, the returned “Location” header contains another hex-encoded domain, similar to what we\r\nobserved in the URL shortener request. This one is a bit different: when the hex-encoded domain provided in the\r\nLocation header is decoded, it is not a domain but rather an IP address. So far, we have observed two specific\r\nattacker-provided IP addresses returned as hex-encoded domains.\r\nFigure 3: The GET request containing a hex-encoded C\u0026C domain (adm4[.]bit) followed by an HTTP 303 See\r\nOther response revealing the hex-encoded DNS server IP address as a domain.\r\nFigure 4: The GET request containing a hex-encoded C\u0026C domain (adm2[.]bit) followed by an HTTP 303 See\r\nOther response revealing another hex-encoded DNS server IP address as a domain.\r\nUpon learning of the intended DNS server to be used for C\u0026C resolution, the malware will ping the IP address\r\ngathered from the hex-encoded domain in the Location header. 
The code for gathering the C\u0026C domain and DNS server IP address\r\ncan be observed in the code snippet below.\r\nFigure 5: Code snippet for gathering the DNS Server address\r\nIf the malware receives a response back, indicating the DNS server is up, it will then send a DNS query for the\r\nC\u0026C domain using the gathered DNS server. The following annotated code shows this process.\r\nFigure 6: Annotated code walking through the process of retrieving the C\u0026C IP Address via the attacker’s DNS\r\nserver.\r\nFrom the network level (Figure 8), the process is as follows:\r\nFigure 7: Annotated network traffic showing the process of gathering the DNS server to C\u0026C traffic.\r\n1. Unintended GET request to the hex-encoded IP Address of the DNS server to be used (185.228.234.204)\r\n2. Ping to the DNS server IP Address to obtain connectivity status (185.228.234.204)\r\n3. DNS query to the .bit domain (hardcoded in the sample) which returns the C\u0026C IP Address\r\n(185.159.129.37)\r\n4. Ping to the C\u0026C IP Address for connectivity status (185.159.129.37)\r\n5. HTTPS traffic to the C\u0026C domain (185.159.129.37)\r\nAn example of the HTTPS-based command and control traffic appears below:\r\nFigure 8: A look at the initial C\u0026C request containing system information\r\nThe data in the POST body is encrypted with RC4. In this case, the hardcoded RC4 key was\r\n“63a6a2eea47f74b9d25d50879214997a”, which is the same key used in previous versions of PsiXBot. 
Using this\r\nkey, we can decrypt the C\u0026C traffic and reveal the infected system’s information that the bot reports:\r\naction=call\u0026user_name=test\u0026bot_id=B4DCF733C9C43D10C80120CF7760B564\u0026av=N\u0026os_major=Microsoft\r\nWindows 7 Ultimate \u0026permissions=Admin\u0026os_bit=64\u0026cpu=Intel(R) Core(TM) i3-2100\r\nCPU\u0026gpu=NVIDIA GeForce 8800 Ultra 768\u0026version=1.0.2\u0026user_group=Admin\r\nThe bot_id in this sample is created by taking the MD5 hash of the following system details, concatenated in this order:\r\nCPU\r\nUser Name\r\nGPU\r\nMachine Name\r\nOS Version\r\nUser Domain Name\r\nBased on previous analysis, it appears this version of PsiXBot no longer includes some system information it\r\npreviously gathered, such as .NET version and HDD information. Upon successful C\u0026C check-in, the server will\r\nreply with a JSON blob containing a “result_code”:\r\n{result_code:[{\"result_code\":\"200\"}]}\r\nAs with the previously analyzed versions of PsiXBot, upon a successful check-in, the bot will then request\r\nsubsequent commands by POSTing a request containing an action of “command” and its specific bot_id to the\r\nC\u0026C server:\r\naction=command\u0026bot_id=B4DCF733C9C43D10C80120CF7760B564\r\nAfter receiving this data, the C\u0026C server will return another JSON blob containing commands to be executed.\r\nBelow is an example of this:\r\n{\r\n               result_code:\r\n[\r\n               {\r\n               \"result_code\":\"200\"\r\n               }\r\n               ]\r\n               ,commands:[{   \r\n               \"command_id\":\"def_1\",\r\n               \"command_action\":\"StartSchedulerModule\",\r\n               \"command_data\":\"\",\r\n               \"command_arg\":\"\"\r\n               },{ \r\n               \"command_id\":\"def_2\",\r\n               \"command_action\":\"StartFGModule\",\r\n       
        \"command_data\":\"\",\r\n               \"command_arg\":\"\"\r\n               },{ \r\n               \"command_id\":\"def_3\",\r\n               \"command_action\":\"GetSteallerPasswords\",\r\n               \"command_data\":\"\",\r\n               \"command_arg\":\"\"\r\n               }]}\r\nUpon receiving this command list, the bot will then begin to execute the modules on the infected machine and\r\nreport back the status of each.\r\nThe features contained in 1.0.2 are as follows, with the new features identified in bold:\r\nDownloadAndExecute\r\nExecute\r\nGetInstalledSoft\r\nGetOutlook\r\nGetSteallerCookies\r\nGetSteallerPasswords\r\nSelfDelete\r\nStartComplexModule\r\nStartCryptoModule\r\nStartFGModule\r\nStartKeylogger\r\nStartNewComplexModule\r\nStartSchedulerModule\r\nStartSpam\r\nNew Module Analysis\r\nSelfDelete\r\nThe “SelfDelete” module runs a command using the cmd [.] exe shell in a hidden window to terminate the running\r\nbot process and remove its file from the infected system.\r\nStartCryptoModule\r\nThe “StartCryptoModule”, assembly name “LESHI”, has a new module name (possibly to account for the various\r\ncryptocurrencies included), but appears to have the same functionality as the previously analyzed module. This\r\nmodule will monitor the clipboard for text matching a Bitcoin, Ethereum, Monero, Ripple, or Litecoin wallet\r\naddress, and if found, replace it with an attacker-configured wallet address.\r\nStartFGModule\r\nThe “StartFGModule”, assembly name “omg228”, is a newly implemented “form grabbing” module. It appears\r\nrudimentary, as it does not target any traffic or domains specifically, such as banking or financial websites. 
This\r\nmodule will store GET or POST requests in a log file titled “temp.log” stored in the user’s %TEMP% directory.\r\nThis log is subsequently sent to the C\u0026C server.\r\nStartSpam\r\nThe “StartSpam” module, assembly name “Spam”, is another newly implemented module. It sends outbound email\r\nthrough Microsoft Outlook, with message content crafted by the attacker and supplied through the following\r\ncommand line switches:\r\nSubject\r\nBody\r\nName\r\nAttachment\r\nThe StartSpam module is configured to delete any outbound messages after sending. In addition to this, it will\r\nharvest any saved Outlook email signatures to be used inside any messages sent by this module.\r\nConclusion\r\nPsiXBot continues to evolve with new ways of evading detection and new features to steal information. The .bit\r\ndomains remain in use; however, the malware now uses a new technique to retrieve the DNS servers required to resolve them.\r\nPsiXBot continues to operate as a bot with various stealer actions, but this new version expands its list of modules,\r\nwhich pushes the bot’s capabilities in new directions. Since PsiXBot first emerged in 2017, it has undergone\r\nseveral changes, making it a competent and relevant stealer. 
The changes observed here demonstrate that the\r\nauthor or group behind this malware is committed to evolving it to compete in the threat landscape.\r\nReferences\r\n[1] https://blog.fox-it.com/2019/03/27/psixbot-the-evolution-of-a-modular-net-bot/\r\n[2] https://dotbit.me/\r\n[3] https://abuse.ch/blog/dot-bit-the-next-generation-of-bulletproof-hosting/\r\nIndicators of Compromise (IOCs)\r\nIOC | IOC Type | Description\r\n185.228.233.135 | IP Address | PsiXBot Command and Control\r\n185.159.129.37 | IP Address | PsiXBot Command and Control\r\nadm1.bit | Domain | PsiXBot Command and Control\r\nadm2.bit | Domain | PsiXBot Command and Control\r\nadm3.bit | Domain | PsiXBot Command and Control\r\nadm4.bit | Domain | PsiXBot Command and Control\r\nadm5.bit | Domain | PsiXBot Command and Control\r\nadm6.bit | Domain | PsiXBot Command and Control\r\nadm7.bit | Domain | PsiXBot Command and Control\r\nadm8.bit | Domain | PsiXBot Command and Control\r\nadm9.bit | Domain | PsiXBot Command and Control\r\nadm10.bit | Domain | PsiXBot Command and Control\r\n185.228.234.204 | IP Address | PsiXBot DNS Server\r\n5.182.39.23 | IP Address | PsiXBot DNS Server\r\nET and ETPRO Suricata/Snort Signatures\r\n2837663 - ETPRO TROJAN PsiXbot DNS Malformed Query\r\n2837653 - ETPRO TROJAN PsiXbot DNS Server Request M1\r\n2837654 - ETPRO TROJAN PsiXbot DNS Server Request M2\r\n2837655 - ETPRO TROJAN PsiXbot DNS Server Request M3\r\n2837656 - ETPRO TROJAN PsiXbot DNS Server Request M4\r\n2837657 - ETPRO TROJAN PsiXbot DNS Server Request M5\r\n2837658 - ETPRO TROJAN PsiXbot DNS Server Request M6\r\n2837659 - ETPRO TROJAN PsiXbot DNS Server Request M7\r\n2837660 - ETPRO TROJAN PsiXbot DNS Server Request M8\r\n2837661 - ETPRO TROJAN PsiXbot DNS Server Request M9\r\n2837662 - ETPRO TROJAN PsiXbot DNS Server Request M10\r\n2837726 - ETPRO TROJAN PsiXbot DNS Malformed Query\r\n2837734 - ETPRO TROJAN Win32/PsiXBot CnC Checkin\r\n2837903 - ETPRO TROJAN Observed Malicious SSL Cert (PsiXBot CnC)\r\n2837617 - ETPRO TROJAN Likely Hostile DNS Query for Hex Encoded IP Address as Domain\r\n2837616 - ETPRO POLICY OpenSSL Suspicious Demo Cert (CN=www .mydom .com)\r\n2017645 - ET CURRENT_EVENTS DNS Query Domain .bit\r\nSource: https://www.proofpoint.com/us/threat-insight/post/psixbot-continues-evolve-updated-dns-infrastructure",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.proofpoint.com/us/threat-insight/post/psixbot-continues-evolve-updated-dns-infrastructure"
	],
	"report_names": [
		"psixbot-continues-evolve-updated-dns-infrastructure"
	],
	"threat_actors": [],
	"ts_created_at": 1775434645,
	"ts_updated_at": 1775791203,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/446e8384ac5630dd49f0a4d27931bfa5d051a693.pdf",
		"text": "https://archive.orkl.eu/446e8384ac5630dd49f0a4d27931bfa5d051a693.txt",
		"img": "https://archive.orkl.eu/446e8384ac5630dd49f0a4d27931bfa5d051a693.jpg"
	}
}