# Digitally-Signed Rootkits are Back – A Look at FiveSys and Companions

#### Contents

- Foreword
- Key Findings
- A Retrospective of Digital Trust and Rootkits
  - Technical Analysis
- Indicators of Compromise
  - C2 IPs
  - C2 Domains
  - Hashes

Authors:

- Cristian Alexandru ISTRATE - Team Lead, Cyber Threat Intelligence Lab
- Balazs BIRO - Senior Security Researcher
- Rares Costin BLEOTU - Security Researcher
- Claudiu Stefan COBLIS - Security Researcher

## Foreword

More than a decade ago, rootkits were the apex predators of cybercrime. These clandestine computer programs were built to offer attackers an uninterrupted foothold onto victims’ computers and conceal malicious activities from the operating system as well as from antimalware solutions.

These intruders living inside the operating system’s kernel have been evicted by the security mitigations introduced with Windows Vista, but once in a while, they make a comeback. For the past few months, Bitdefender researchers have seen a surge in malicious drivers with valid digital signatures issued by Microsoft through the WHQL signing process. This whitepaper documents FiveSys – a digitally signed rootkit that made its way through the driver certification process.

## Key Findings

» Bitdefender researchers have identified a rootkit with a Microsoft-issued digital signature;

» The rootkit is used to proxy traffic to Internet addresses that interest the attackers.

» We assume that the rootkit targets online games with the main goal of credential theft and in-game-purchase hijacking

» The rootkit has been targeting computer users for more than a year now

» Rootkit spreading is limited to China and we presume that it is operated by a threat actor with significant interest in the market.

We presume these two incidents might not be isolated cases, and we might increasingly see malware using digital signatures issued by Microsoft. The reason for this might be the new Driver Signing requirements from Microsoft, which require drivers to be digitally signed by Microsoft before the operating system accepts them. This new requirement ensures that all drivers are validated and signed by the operating system vendor rather than the original developer and, as such, digital signatures offer no indication as to the identity of the real developer. It seems that malware writers managed to work around the new requirements, as Netfilter and the new FiveSys demonstrated.
In addition, the fact that they have digital signatures issued by Microsoft might trick unsuspecting users into believing they are legitimate drivers and accepting their installation.

We started seeing its components in late 2020, as shown in our detection telemetry below:

[Figure: detection telemetry by month, 2020–2021]

FiveSys is very similar in nature to the Undead malware described in this report a few years ago. The attackers seem to originate from China and target several domestic games. We can confidently attribute this campaign to several threat actors, as their tools share the same functionality but are vastly different in implementation. Rootkit creators commonly employ the practice of blocking competing malware via a signature blacklist of stolen certificates used by other malware.

NOTE: We have reached out to Microsoft to flag this abuse of digital trust. Microsoft revoked the signature shortly after.

### Technical Analysis

The main purpose of the rootkit is to redirect internet traffic and route it to a custom proxy server. To achieve this, the driver locally serves a Proxy Autoconfiguration Script to the browser. The driver will periodically update this autoconfiguration script. The script has a list of domains/URLs for which it redirects traffic to an endpoint under the attacker’s control. These domains are base64-encoded. The code below shows a fraction of the URLs it filters for redirection:

Redirection takes place on both http and https. For https redirection to work, the rootkit installs a custom root certificate. This way the browser won’t warn of the unknown identity of the proxy server.
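The PAC behaviour described above lends itself to a quick triage pass. The following is an added example, not code from the report or from the malware: it assumes the encoded domains appear as base64 string literals in the PAC text and that the PAC is configured through a URL; the sample domains, the proxy address `192.0.2.10:8080` and the `dec()` helper name are constructed.

```python
import base64
import ipaddress
import re
from urllib.parse import urlsplit

# Quoted JavaScript string literals (single or double quotes).
STRING_LITERAL = re.compile(r"""(["'])((?:\\.|(?!\1).)*)\1""")
BASE64_TOKEN = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")
# A decoded value only counts if it looks like a host name or URL.
HOST_OR_URL = re.compile(
    r"(?:https?://)?(?:\*\.)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?::\d+)?(?:/\S*)?",
    re.IGNORECASE,
)
# Non-DIRECT return values of FindProxyForURL, e.g. "PROXY host:port".
PROXY_DIRECTIVE = re.compile(r"\b(PROXY|SOCKS[45]?|HTTPS?)\s+([^\s;]+)")

# Constructed sample targets; not indicators from the report.
SAMPLE_TARGETS = ["game.example.com", "pay.example.net", "login.example.org"]


def build_sample_pac():
    """Constructed PAC text shaped like the behaviour the report describes."""
    encoded = ", ".join(
        '"%s"' % base64.b64encode(d.encode()).decode() for d in SAMPLE_TARGETS
    )
    return (
        "var t = [" + encoded + "];\n"
        "function FindProxyForURL(url, host) {\n"
        "  for (var i = 0; i < t.length; i++) {\n"
        "    // dec() stands for a base64 decoder (hypothetical helper)\n"
        '    if (dnsDomainIs(host, dec(t[i]))) return "PROXY 192.0.2.10:8080";\n'
        "  }\n"
        '  return "DIRECT";\n'
        "}\n"
    )


def decode_target(literal):
    """Return the decoded host/URL if the literal is base64 for one, else None."""
    if len(literal) % 4 or not BASE64_TOKEN.fullmatch(literal):
        return None
    try:
        text = base64.b64decode(literal, validate=True).decode("ascii")
    except ValueError:  # bad base64 or non-ASCII payload
        return None
    return text if HOST_OR_URL.fullmatch(text) else None


def analyze_pac(pac_text):
    """List base64-hidden targets and the proxy endpoints a PAC script returns."""
    targets, proxies = [], []
    for match in STRING_LITERAL.finditer(pac_text):
        literal = match.group(2)
        decoded = decode_target(literal)
        if decoded and decoded not in targets:
            targets.append(decoded)
        for kind, endpoint in PROXY_DIRECTIVE.findall(literal):
            host, sep, port = endpoint.rpartition(":")
            if sep and port.isdigit():
                entry = (kind, host, int(port))
            else:
                entry = (kind, endpoint, None)
            if entry not in proxies:
                proxies.append(entry)
    return {
        "redirected_targets": targets,
        "proxies": proxies,
        # Hidden target list plus a non-DIRECT proxy is the pattern of interest.
        "suspicious": bool(targets and proxies),
    }


def pac_url_is_local(url):
    """True when a configured PAC URL points at the local machine."""
    parts = urlsplit(url)
    if parts.scheme == "file":
        return True
    host = parts.hostname or ""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # a DNS name other than localhost
        return False


if __name__ == "__main__":
    report = analyze_pac(build_sample_pac())
    for name, value in report.items():
        print(name, "=", value)
    # Constructed PAC URL values for the local-serving check.
    for url in ("http://127.0.0.1:8080/proxy.pac", "http://wpad.corp.example/wpad.dat"):
        print(url, "->", "local" if pac_url_is_local(url) else "remote")
```

A PAC URL that resolves to the local machine, combined with a script that hides its match list behind base64 and returns a non-DIRECT proxy, is worth escalating; either signal alone also occurs in legitimate deployments.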
Modifications made in the registry are also protected by the rootkit.

Besides redirecting internet traffic, the rootkit also blocks loading of drivers from other malware writing groups, as they are probably attempting to limit competitor threat actors’ access to the compromised system. To achieve this, it uses a blacklist of digital signatures. It monitors each file access and checks the digital signature (if available). It then blocks access to the given file if its signature is in the list. The list of digital signatures is updated periodically. Currently it has a blacklist of 68 such hashes, and each hash corresponds to a stolen/leaked signature used by malware. The malware authors have left debug messages revealing the list of signatures it monitors:

```
00000478 186.51918030 [MY-1]MD5-0:9D9F343EAA8FB4045A4B7D05437AC02B
00000480 186.51918030 [MY-1]MD5-1:A269121725987B766740D43964E83CF3
00000482 186.51918030 [MY-1]MD5-2:698FD84F0AABAA65F8BD3E7AD417F4D4
00000484 186.51919556 [MY-1]MD5-3:CE7D7EE076A74D3C532265D8F6BBFF09
00000486 186.51919556 [MY-1]Sign-0:Zhang Zhengqi
00000488 186.51921082 [MY-1]Sign-1:Haining shengdun Network Information Technology Co., Ltd
00000490 186.51921082 [MY-1]Sign-2:SHENZHEN LIRINUOS
00000492 186.51921082 [MY-1]Sign-3:Shanghai easy kradar Information Consulting Co.Ltd
…
```

We’ve searched for samples containing the blacklisted signatures, and we’ve found rootkits from the netfilter and fk_undead families. This reaffirms our suspicion that competition is strong among the threat actors behind these campaigns, as each group tries to exclusively control the infected computers.

To make potential takedown attempts more difficult, the rootkit comes with a built-in list of 300 domains on the “.xyz” TLD. They seem to be generated randomly and stored in an encrypted form inside the binary.
When contacting the C&C, it will pick a random domain from the list, each such domain having several DNS A records. This level of d d i ifi tl i i i th h f C&C t k d

FiveSys has multiple components - historically we have identified several user mode binaries that would download or drop the malicious drivers. It also has an estimated four drivers, but in our research, we only managed to isolate two:

» PacSys(PC.sys) is responsible for delivering the proxy autoconfiguration script (the *.PAC file, hence the name probably).

» Up.sys downloads an executable and starts it using an embedded dll which it injects from kernel mode.

» Both drivers can protect the other module too, and reinstall it if it gets deleted.

Even though, technically speaking, the malware families are not among the sophisticated ones, the fact that they abuse digital signatures in this manner seriously undermines the credibility of this protection mechanism.

## Indicators of Compromise

An up-to-date and complete list of indicators of compromise is available to Bitdefender Advanced Threat Intelligence users. The currently known indicators of compromise can be found below.
### C2 IPs ###### 103.85.85.90 110.42.9.69 60.217.248.67 103.88.32.158 103.230.236.90 110.42.5.55 27.159.65.61 45.113.202.114 ### C2 Domains ###### 125.77.158.136 211.99.103.229 45.248.11.7 43.228.66.130 103.85.85.97 45.248.11.29 125.77.168.118 103.219.31.42 ###### 180.188.19.11 36.99.113.51 103.40.13.51 221.229.210.107 103.53.124.199 110.42.11.6 115.230.124.18 103.107.190.138 ###### 103.91.209.141 103.219.31.147 180.188.17.204 162.14.178.70 211.99.99.190 113.141.163.181 08tayhl9pzog5l.7hgum3mdrp1y6h4unvp[.]xyz 0dt7fmri.n7vzlm2tfdz4[.]xyz 0erhtboedcix.sopl05iznfqywa[.]xyz 0kt49g-xympazsf.ynuembkr98wvsf-x[.]xyz 0mnt1bqfssen4.zwquakqgtje[.]xyz 0o1sgni.cjbae26sz0hogx9cbz[.]com 0obhfsqtmcl.nyrufij[.]xyz 0q8w7d4so.mwzaeyj2gg[.]xyz 0qhcpznfzyo.bvdwhl4tvy1r[.]xyz 0-umr89woqaheqd.ys03fpianv8cdvrwzq[.]xyz 1bwbosmlqqp3gf.vhld53sxiosqjm[.]xyz 1cjikxci-oxeq2p.7kp8z05-ow9yctundemu[.]xyz 1h3d5vlcmsbuwk2gqo.tytxanm[.]xyz 1ik2-8l4.jmc9wrzgz6f[.]xyz 1kt9q4wo.agfkt-zmupw[.]xyz 1mhifv8tjq3a.0fhm7qi[.]xyz 1ocalnawcnq.bilgmms[.]xyz 1tcocsr-w42.axwzdfs[.]xyz 1y6rv4w8ovo7tsbyed.anysq-ahjlm67r0fpzwb[.]xyz 20mussw4c9pfhea.mpydj[.]xyz ----- ###### Digitally-Signed Rootkits are Back – A Look at FiveSys and Companions 2bk1xqfde7.zeo6huvsjd0km[.]xyz 2dgbzotyw.fplmtp-kqo7bay[.]xyz 2drjju0adtla91.5aavy09eonzwm-h[.]xyz 2eiy6akscfg.j0ilh[.]xyz 2ej3dw7pr8otpyu.aumvhwio[.]xyz 2lpexcx.zq7i9yo0qbk5vscaf[.]xyz 2lzyeg7joiht1xkem.eriapql[.]xyz 2md3jooirnmy9wx.h8dbwfc1m[.]xyz 2mdfowwethria.ubf5kob3agefvhuynnv[.]xyz 2qaporw8r9km.9tntegmhdo[.]xyz 2vf1waietknc6tf.19bedcs720ce[.]xyz 2vftek6px0ihdsua.hzwnmidqrclgbmdq[.]xyz 2vtobjeflra.5txo2ozyguy[.]xyz 2wv5sjh7uqxnqze.icxcjw5[.]xyz 2xxea-vm6ezk0h.0fdq4lyv[.]xyz 30ku9efzdtj.oq873mn[.]xyz 31mewt-iugrsmty5f4hk.ftrnoxld[.]xyz 34lh9ziy.oprwa-s9kqev2[.]xyz 3eyunk6ajq1smwio.2c8wvroeo[.]xyz 3f1pdv6yf.xwd9h1czqcvelpl[.]xyz 3m8uiascjds51olp.tmqyriqsstn2k7f[.]xyz 3mnu5karozci94.cmfaxcf-3bz6q0tjl[.]xyz 3mvlrws41jxj.bdxe4hkfk[.]xyz 3o809gtctbiov2.t89ctd[.]xyz 
3oibvymhvi9wu2dt.tw7bqlq6dgn8e4btx[.]xyz 3p2ycniuqh-xjq.7pmundwx[.]xyz 3pirkuovrt9j6g.x7c8-yfufjsgpd4[.]xyz 3s9ijboln.eh1lcprm2xjwkfdg9[.]xyz 3sncz6v7jae0b.qlyvd0bmo[.]xyz 3utvpp4nxsdmhrkzxt.wqxopwt3cilfy7is[.]xyz 3wiyu5zcr921g8xf.i6p-ybdw[.]xyz 3ydabhom8lda6t5nu.icxcjw5[.]xyz 403czrsfpkldsqo1k6ag.mibkc7fvuefw3[.]xyz 4cjhmtfi.gg-mmfpz79[.]xyz 4czdqojsnvluz0avbmth.4snujin73tq[.]xyz 4dou3cpz2vnbk-cbp.k2wz1exjpcinja3twm[.]xyz 4dpyplftay8g90qb7l.kkvgsytcw4hsn3g0nc5r[.]xyz 4dyivtanev8.cmfaxcf-3bz6q0tjl[.]xyz 4evie8nsxp3hkuk0.rjhhol5rowi7lv[.]xyz 4k5swsv8tauelrqbx9.fqak-0l8egpu7icwzryt[.]xyz 4m6bjthzs7d.0fdq4lyv[.]xyz 4odk0n.fmogj1gljrd[.]xyz 4qylg5ijr9ux3x.jphdsj[.]xyz 4s0b5xuq2ztvc7ejiny.vhlkte2-gmrqy1zmvki[.]xyz 4tqfvthqi-zy.i2bpla0tfg1t7y69[.]xyz 4tun0cpzb1.1keuzwjk2l87[.]xyz 4vdcmeqnu9rh.gle-g5uorvbl6kikjf[.]xyz 4wd2g1fsh3uc.5bxfyseilj09t[.]xyz 4xn9gjixs1fqzw-dth.sj8yninf3ga6tv9r[.]xyz 4yi2pcyhw9xm1si7w08jh.jzlo[.]xyz 4zvjrhnlzocswwv1706d.wz9hrfe4fdiu[.]xyz 54hgsruf.jzdqnjbf1mx9[.]xyz 5-8wh.aeowncjzreft[.]xyz 5aki63obhpz4.hdiiyoe4focsn[.]xyz 5eeoqklnry1swalf.ftz1pu-votyri7fs[.]xyz 5hdabznqrjkgxw7a.fwv5vfmyrqswt[.]xyz 5nyxw.hhbn7lxww[.]xyz 5o9rzjlfpvhe.tjvuyz7wgeu9cmoz8mbv[.]xyz 5x07vcskagsp.jmodcpi9bvrha[.]xyz 65-xxprfuyl.iq6tsnzistanrd[.]xyz 69g3vts0wp4in.i8fh-b2haf7qm1zp[.]xyz 6c3le2v0ujbsmn8t.4xy9zaanrdptui[.]xyz 6jbemqcxdmnwl7otkysp.mj0go6p[.]xyz 6k4pwvnjh0a.xdx-scw1y7rj[.]xyz 6kygwpfetzs.ijbohr[.]xyz 6qtsj1x.s17vokrpqzdykd8a[.]xyz 6rliofhjq2b-jxsw3g.dfpt75iqble[.]xyz 6usa5ahkrtl3fh.xdlnd3umrtw2o[.]xyz 6vqcef2au.edxalisw5lcs[.]xyz 6wiyckcofsya5np.tmje4lqgfi5ypacvc0r[.]xyz 6zcvcspdtp5n.dwbqmx4irneym[.]xyz 75qafzrf.h4oehpt2[.]xyz 7acw8fshkefbaq.lgiol3v2p7he[.]xyz 7dbuqpktwiwm3q1zzg.dfpt75iqble[.]xyz 7enjypcealk0udm53xos.1igne4[.]xyz 7gojldr5l3atpafuhxt.y0o1v9qbmfuawzp-tcl4[.]xyz 7mjbk.67ekohwut[.]xyz 7moqstnalxaivfev.yhruvg8asenbw-k[.]xyz 7ncvvh19.quqww8skfr-yge3lc[.]xyz 7nvi5jtj2ybga.i2bpla0tfg1t7y69[.]xyz 7rvt1qoelkpfeucsitc.d8artsq3vtux5ajvgfxy[.]xyz 
7vtu1.c97dvtldhqjuhfri[.]xyz ----- 7xfds-qtlpilo3o.qoeussss[.]com 89qtqzpxkgcvgf4db.npega3-ke8v[.]xyz 8ahtghpsx.21h3batmnn0fqcj4msk[.]xyz 8l0ry2reao9igyfxfds.oqfaeydevw6nl[.]xyz 8o2-p16j.eu56fq1o[.]xyz 8pbdt1uaf3vgbck6rq.tjwpzd6wbyp0i[.]xyz 8tvhlk.nd4dmlcu[.]xyz 8tytmjuae5pvb.4a1ydxhgb-nm[.]xyz 8wobner-g1zp.stuo9ubxej[.]xyz 8yqwziomreeiukokscc.szo79[.]xyz 8zgpamwjwedkymxuxh-b.c97dvtldhqjuhfri[.]xyz 95cykhlpcms.ryjk9[.]xyz 95dxgk.b0iardi[.]com 96gqjntx7ehmbmccf-j.v60pbltthj3[.]xyz 982cbdwtprk.ooo313145[.]com 9berfugq.aobqg-2onfe[.]xyz 9cjdbqyjvrauxfrfne.qrcg6jm0xipwkj57cze[.]xyz 9du7cj3k4uotds.ns6jnzbgrut[.]xyz 9k7gfhwdhdqloe.vsd9ce72lo[.]xyz 9mqjgitorafn28ppnc.eci2xvn4z6rhp[.]xyz 9oph83l6fsxf0syz.b-iwhdvzunvfbc7gw4[.]xyz 9py84v5fwubq.rylgmrze[.]xyz 9qhcrkbfh64.qzutldnw[.]xyz 9vq8hpann30ejyl.mj0go6p[.]xyz 9vy-gqc.dsmx1rrwo[.]xyz 9zthagzm7x3c.k-xtrtkx[.]xyz a1tw5o.j1h4jzsupddsfk5g[.]xyz a2biqundw6y.2zttcmf[.]xyz a3soi9g25fvyp.i5xd0uwzxb3mog[.]xyz a49gn8obmnkxielj.hleqpjxtf7zb[.]xyz aaszwhhby6tvlgv3.f2npdqtql[.]xyz aayxvmhl.jwzfsy[.]xyz abo7t1.c6qp7mupfmx1banug[.]xyz ac3wc8qq.zcwrt9nx[.]xyz acqa8cnblpbiu64gtjj.enpwem0xnaf9yjcwvq[.]xyz aczgb290h.uncgrqqvmh4pyx0jkzj[.]xyz ag9z0mob5ezbrg6amkus.zknhyeq8k6ax9p[.]xyz ahrzclsswpn3.40ipsxa7-yvzcqrblgt[.]xyz ahujm587l1.d7wonyt[.]xyz ahvvurfgbeldntlzbr6o.hvb7r5sckndwt[.]xyz aiw2w-qbgxne9uzkmj6t.xypnm451zuzmeord[.]xyz Digitally-Signed Rootkits are Back – A Look at FiveSys and Companions alsh04x9inwvankeuc5z.37slo8gzsh2pekkry[.]xyz anlh5i4xbot.iaetl[.]xyz ao1sfsbdxr6h5qxudg.vhfs0[.]xyz apwkglcrhs2mzexn.zae1irszx8nvt93tgpq[.]xyz aq-mkcgo3gosacnwly.dsfa4412[.]com atnvbfc.ukc9g0o1ojepp[.]xyz aucq-yfop0jvsejl.hpefwexqrsobc[.]xyz auxqnveizgxmvyujldl.5aor92n[.]xyz avbz90fspgc8mq.5ajcr9s0x-sgbiyhawy[.]xyz avkyxddvpqzh.zxc4812qqq[.]com axsonxca3glemdbp.qwbdmhpv[.]xyz ayfmn5x7.h-tonzd97vhfyu[.]xyz b1ulxbzoxqhakz-wdh7c.y3bcjbm[.]xyz b5iahymoe.n6hhbcdjium7yyalsfm[.]xyz b5pcw8giet6-cbwr.giyvecrszyafgq[.]xyz 
b6pqiw5eynp2uo1t4rg.x6fgiguwq-q[.]xyz b84sac1skzt.e8sypxaxjmpat[.]xyz b9xm5afyz.kthwup483o6qercsvb[.]com bcuqtvrk.ieyrg3j[.]xyz bcvxuji2yyvplnmq.91fx0ozpwwie[.]xyz befxrz3if8qok.sw0epb[.]xyz bft1oxk.nlahmkt7vuix[.]xyz bg6unuy87h.tm4lfacu[.]xyz bh257h-fxvk3gkc16j.6dptl4fqjg9i8lueseq0[.]xyz bmtwqwatb12sj9qv.eienst63[.]xyz bnqduonwc4ij.q6g-g[.]xyz bo0svyf4gb.l9uaxg7nmqaywt[.]xyz bpldzvcsncu1qjgxq8tb.jq3ia61qcg-hcbkw[.]xyz bpx-uzwi.2fuhuzdhkowjrs[.]xyz bs8siuygjtqf.ncakv[.]xyz bskk2zqtcso84p5ao.i-shexdyv65u4vnbr[.]xyz bu4nulyfz3m.vyqtji4ywxp[.]xyz bu4yyhneq.qlc71rdgkr8vbog0eut[.]xyz buxpufjk.z5rfuiruoh7c[.]xyz bwo63tqgsctsuvm.gw7-uqnvt[.]xyz bylmxozhrfuwjq.chrzuzikbmr3st5xxl[.]xyz bzd7j6viarl3.vrlw2fnijkcd[.]com c2yw08thxs.yr9cnwdlihe4edufv[.]xyz c5imb8qwrt.rjwm52v7nmxcfak[.]xyz c8ofpdnz4lsramnku.nodw2gjmybl14[.]xyz c8xtvhebi.h0qqsg5gea6-7bd[.]xyz ----- ###### Digitally-Signed Rootkits are Back – A Look at FiveSys and Companions cafzpjzxhxyrloh.bn6cqesfx8vsh[.]xyz cbdcukzmflr3j1.pbe1zno2fwt6yyvu-0[.]xyz cbia3l2ejvz.kufh1[.]xyz cbtx9x5ne0v8qi.i-shexdyv65u4vnbr[.]xyz cf0km-ac6hwikrjzir.5txo2ozyguy[.]xyz cgsxynum85vz-0lie1.x26rdhf4j3p[.]xyz ci1dkpcduxrxajbzg7.b5rtvodob-esy[.]xyz cizxssrdxcg-3gj6.ynuembkr98wvsf-x[.]xyz ckodcagquyzrfj43bnf.mhy0d[.]xyz ckyep0ath6jxriql4nwl.y-n3bihxc9qemkj[.]xyz cm3t9vbrw7evj4p.iw2pn[.]xyz cmkfzbsgu9eovgper.dsej6khn3[.]com cmw03lbxeghrmnzyj1e.fp547zwzvjhve[.]xyz cpkoul7rsj.z5rfuiruoh7c[.]xyz cqo-kozshjuxcbspzeg7.ojshmxw[.]xyz crlnx1.fx1rtqz7csii09[.]xyz crux5gpbaksmn.oqfaeydevw6nl[.]xyz cv3nzelht1.oxdfwq[.]xyz d0lk216l.jk9tha0lw[.]xyz dae9xv.nfe4-0iotd1bwrz[.]xyz dasuogm-2bzuy.fch7j5kg[.]xyz dcdefv.cnv5o[.]xyz debhzg.5douzgx7acc-ldoatf2m[.]xyz dicuon4.nbyb548ommyk3vxeuc[.]xyz d-jhrnwx4.hnblj8cesblsg[.]xyz dm1q6.getwpsiqv[.]com dmhfoy7.ygv4pj5swjzms2eqoke[.]xyz dmkvwan.wkrtpftfmnq6j4s8m5[.]xyz dptjgewfmosvznlxhvuo.h4oehpt2[.]xyz dqqhr5bmb.y-n3bihxc9qemkj[.]xyz ds4tqwjn0za.gjkdq7iofozisxv9[.]xyz dxekr93xf8vnisg1.xwd9h1czqcvelpl[.]xyz 
d-yhelzmhpog.agfkt-zmupw[.]xyz dyoz4ja.tytxanm[.]xyz dzuonmti.tbwdxvsl[.]xyz e1uvh5ncrzqvddey.ps3zn4ty8hidkpnr[.]xyz e7yqjkv8koymmla6.e5bg6ht[.]xyz ebao0.erzqhu0hcpgww2[.]xyz ecxa3.am9wf2ph5[.]xyz eesdimpp4hvxt2cjsxg.qoxthg9ejkcfqmtvv[.]xyz eexlk2wd6g0rz5fk8.qblpz8naw76ft[.]xyz eg3oljan9.htcyf8qu[.]xyz ei5iprwkamt3bl.7fkm9j[.]xyz einfsrsckx.fjeo4hds2n6u7[.]xyz el96zpitwv.jxyinctpsqls3ahneh[.]xyz elwhuxaibrk0jni6x5.eq7mbupaa8d2ifo6j[.]xyz emp3bwufxhxvs52w9.pfhq5mzw6v1[.]xyz en3ufdm2ysp7z1hyi0ml.gle-g5uorvbl6kikjf[.]xyz eo7jyg14hxker.lt4dehgfszioer[.]xyz eodbxv80iul.bdxe4hkfk[.]xyz eojcly0k6f538s7mjrf.2c8wvroeo[.]xyz epa3tb.sj8yninf3ga6tv9r[.]xyz er3vns5why.nyrufij[.]xyz errcttsqulqydkgmfz.qhijobr6n4s9ni[.]xyz erxqa6fjeuml.ptr1wqxrpkf9[.]xyz es-fri6vd8wmb7c1.ontv8ramkzpzy29[.]com esp6hkudavi.l1ygr0f3qqmahxctfng[.]xyz etw-fcaw3ikmlf.gkapwue27wvn8[.]xyz eu2rn8v3fphslvt79o.gkapwue27wvn8[.]xyz evqlw8uaon01b-9z.2cfzznl1qo-htrdske[.]xyz evyfdhs64qbw9mrk73w.szebg[.]xyz evz0mrku8wbnx6x.qhijobr6n4s9ni[.]xyz ewsi3bdyhmuqkfuc.7blwuafgmjcnpbdeia[.]xyz exv3s1.ec9tn4brybhcomdzmiwi[.]xyz eybz7an.lmbdu2[.]xyz eylpl.sbacnyyua7fzzgkrqdn[.]xyz eynktsi67z.vgf85r0j1s[.]xyz ezaau8ojgw9um5kf.ujy9oewnszm[.]xyz f0pnmz.eagxfdbhr-n0[.]xyz f6cvnpaepush.rsfyxbgh[.]xyz f8g9ka4s1ky7shiipmwn.keruijvm2[.]xyz f9abzlrj0psuwgewzia.eu56fq1o[.]xyz fcp1m-lt3zknpxvcb.kr9lnhxodg1ltqn[.]xyz ffl7xqug.9woc8ae6er[.]xyz ffpgqj.me1zdqag0ipavho[.]xyz fik5ouyxdpcv96weor.rdowfotkusrxkt[.]xyz file.zkrf8ar[.]xyz fjixdqrah-g3mt7ug4.tjwpzd6wbyp0i[.]xyz fkmmp65r1aogjq.esofaygtv6nk[.]xyz fmqfkvjtvhdnpu.k4icqw[.]xyz fntykiax5hgsp.drmur4xmh30vc8gk1[.]xyz fonryjnaixb.0eyagzdfpw8o2n[.]xyz ----- fq0inzyuvtpkeeow.9km7ejgcnvlhze4[.]xyz fshg81zolepqw.p5m4-n[.]xyz ftruzhsm.2cqrvhhlm[.]xyz ftublay0czfvvih-tuxa.t-dhovexbzlqtvj49prc[.]xyz fut035zylfucmv6n7yb.3nelqkt2rc0v5s[.]xyz fzavjrjv5hthkl.1ewdvk3g[.]xyz g47h019n.flpua12[.]xyz g5gazevopswhtb0h8.auugl2ovyfywj[.]xyz g7mwboqrioy5gjuklur.aev2thlxzc8nxk-0jim[.]xyz 
g8ljqewmbnt1ozhs.nklpg[.]xyz gayendhbqcu.aypbbe[.]xyz gdaszt6be.ady4111523[.]com gdq5ig4xabvsycrm.bffmkj1apezt9isaoz[.]xyz geubslqrfrft.dqeciu67h[.]xyz gf5xwmk1qs.dyzvfwbxhnbqygzu[.]xyz ggkzv7dxfwr5u.jf0dj[.]xyz gh5lbdzdn1or3x0m.iq6tsnzistanrd[.]xyz giyd1tp.ydsvap1jixwmwug[.]xyz gjrav3lm8wez5.q9m2ptk4mje0tgwfy[.]xyz gjzlmeyksb.vdwacklotndh[.]xyz gk8er3.adfc5569[.]com gorbispre6-qu3x.ehn7t[.]xyz gqbodwiwr-deyaqicb.5zaze[.]com gqtpirua-xo.edxalisw5lcs[.]xyz gtrsszbxi9jq.ktqg6j4sc[.]xyz guf9aysgk.bytwm[.]xyz gvl7d.ciqhe[.]xyz gwcal65eqofzyiwlgi.3nelqkt2rc0v5s[.]xyz gwyvexxqp2.jf0dj[.]xyz gxczdplaa6y4om.tbwdxvsl[.]xyz gxekwhtlrapumrgb.7bo1cak2vn4eilderj[.]xyz gywom6xvrcv4.pxquewm[.]xyz h49imkohe3qcl.3om05uatabgbdh4n[.]xyz h4ojug-l3ygof5xua9a.gj2oydber4xfa6c[.]com h6gfewj1suj4zoq9.nxflyt3pmzd[.]xyz h6npl45l03kewm.mhy0d[.]xyz h6uut9qrmz.67ekohwut[.]xyz h8alw0-3rjtlkmcp.a6rpebpx4qt7[.]xyz h8sorunkx6bpidgdzh.c4ftfkslrvyom5p[.]xyz ha7pxkqjkowolruze.s7equm[.]xyz ha93jdsqmwvak2d.zid7lkev8t6d5jure[.]xyz Digitally-Signed Rootkits are Back – A Look at FiveSys and Companions h-bje5q.crfbl[.]xyz hbtxvrt.qhfdyvz8atv4rln[.]com hd04louiazvsy.q9m2ptk4mje0tgwfy[.]xyz hdcszfxjv16iggm.wqrcnl9aokemk16qgfj[.]xyz hf2mzanq8ulup07x4t1.ng-hxuklsgdyhr6jft[.]xyz hijbaqdzy0.2d1glguwt[.]com hjrlr2qzph6w.4qk7yhsvzlyjftjw[.]xyz hka58nz.qq-aixjl3pykadik[.]xyz hmsn28d-ka.kr9lnhxodg1ltqn[.]xyz hncgsao5qnvhzu0tkod2.6g9u-andvo[.]com hnimjs-q.b-iwhdvzunvfbc7gw4[.]xyz hnnsjucgi.qxnlagu6kh[.]xyz hoqvdle6cd4qsnnfma.jwzfsy[.]xyz hpb42tn.ketfwzsih6mh4pns5b[.]xyz hsdidt2fj7v4l1qggw3s.yvw6ug0tn92wpri-p[.]xyz hvslan910ek47zopb.qdgsieeiogvdh[.]xyz hxcrpq5r8fa.hyevij5nsfsqbd[.]xyz hzl9tjvo43t0iugn.ihkx8nblfoeutvt9[.]xyz hzprodtn1n5.nkcxd[.]xyz i8rit4cw6hf.b5x2zupyis3s[.]xyz i9p7gfrjantu-fqta.g06akeozq-xqnzj9m[.]xyz ibgrda70getlz.qxitwgi-yos0beo[.]xyz iblhuroqejz8e0vpn.wbm1czpc3s2xn[.]xyz icyg0pnxt9u4.kv0fbyfsq[.]xyz ielh8towbruajtxdqnuv.lqepn95z[.]xyz ihc3dr1wf7ozbj9upk.qlyvd0bmo[.]xyz 
ihk08nox917sgrhc.ps3zn4ty8hidkpnr[.]xyz iimbwuakzge3x7-c.vey6tl-2q[.]xyz ijvtdw6apum.aau2pblv0hsz[.]xyz ikpsj0fm.xdx-scw1y7rj[.]xyz ilhxew-uz4mt.x6k4f[.]xyz ilmtyaqmwdx5zwkzlgt4.5ogqfdvrs[.]xyz ilqdum0z.qoxthg9ejkcfqmtvv[.]xyz iocvc5yutak0wbz-y.2fuhuzdhkowjrs[.]xyz iom6lbtaxp4mzgu.cltxb8eva-n4dtjo1r2[.]xyz ip3rsz7btw-vl6evtyz.ln0tkrj8lu[.]xyz ip-rbdj4mw.aoty7g[.]xyz irk6uyed9o.u62xncvxk[.]xyz ituv9nflgrz6cvq.ugy-pj2arfbk1orb[.]xyz itxzkyjgumro.x7c8-yfufjsgpd4[.]xyz iuoc0k1jfb.adfcby142[.]com ----- ###### Digitally-Signed Rootkits are Back – A Look at FiveSys and Companions iw9trjobfxjy.giyvecrszyafgq[.]xyz iwb8g7etoqrhkol.19bedcs720ce[.]xyz izmnuzl9kom.j1h4jzsupddsfk5g[.]xyz izutr6opwfhnc0sgdg.7xbkeqjkhociz[.]xyz j4dd2.vmueld0yscgp8qo[.]xyz j7azut-xpghs.b5x2zupyis3s[.]xyz jaagv20dns7he.mxlk9dfal-5p[.]xyz jacdabzsi.7xbkeqjkhociz[.]xyz jaodqrvp8.jgqnwipekbomnfyvh0kc[.]xyz jbswvpu3qxl.aobqg-2onfe[.]xyz jbuze7b-tcsm5.wgv2ktfdl[.]com jco0bw-8sdghtxfbmo.quqww8skfr-yge3lc[.]xyz jfro42eqsqbz03bdnr.dx8cfrphapqv7lk[.]xyz jguaqntap29lsfeb1.mc-kvau6[.]xyz jh-amuvx.ngoawcecpiij9axrg-kb[.]xyz jilr64eotz.9tntegmhdo[.]xyz jisptx6hflvudyneu.pkofuyalr[.]xyz jky5drwmw9vxq4ix.ybqct3v[.]xyz jlphmaiddq.vhfs0[.]xyz jlrgte5d-qh9oohykz.icbajxh0tguiu[.]xyz j-nzbcvp5t.ouc4eerq1dvlwmjg7[.]xyz jox50fvm7qoet.vgf85r0j1s[.]xyz jpq8rygp.rwfer5xiztm1ih[.]xyz jqw0edo8hvwtaiy2zl.xypnm451zuzmeord[.]xyz jrifvzbuugd5fyie0ow.sbacnyyua7fzzgkrqdn[.]xyz jt8kxiefb.iktvjl914qxv[.]xyz jucn0d.92k4vom7[.]xyz jumjvfyzdt0qoz1kc5.3itqgq4vbo20bohse[.]xyz jve107skxha.e8kod7w-6pvayhdpwcl5[.]xyz jxc9rw.glzho8n4yb[.]xyz jxmvuat0wz.zknhyeq8k6ax9p[.]xyz jzng2q0zetwmwcvsdvf.asbyw[.]xyz jzodgj.h-tonzd97vhfyu[.]xyz kaisitubczgvjrz3.wgsvd8o[.]xyz kcgdb56ozwpb1uvq.50qe9k[.]xyz kcnyrdttimbeeufclwa.d5yd1jjq4efzraq[.]xyz kcw2gtae.s3rtcbegiv8kgx[.]xyz kd75sdggufhcxpjttli.i-xbp9tajqwd81tmuhe[.]xyz kdagfbhq.5e6lu-v2xnmwyulbr[.]xyz kfn2wlmhx6fo54.nohq8etbh[.]xyz kj2mwok.qsimqxa[.]xyz klmtbuevry.o75z2vsjw1xp9[.]xyz 
kltptvx8.oje-dsuz85rhbek9w[.]xyz kmueqe52htt.obomizk0[.]xyz kni0mruclg4usoqj.ernwy[.]xyz ko5qvf084uqhgt.4xy9zaanrdptui[.]xyz kodv0k4ls6fz-yswmwz.ieyrg3j[.]xyz kovmwzlnota6u0p91lns.6vom2mrjlva0uidft[.]xyz kozwu8mupq1tdy.sa6j9bvik1lwbfm[.]xyz kprse0x.hxyeac7aoeyw[.]xyz kqzihyq4bfd7p0.g4jq8xr9qu2eykm[.]xyz ksganp3m1.ctump1usqhh[.]xyz ku71w9pf.oaelqwppx[.]xyz kubx6m0ej3gsq7ywvj.iegmxlso6j5cl2nz3[.]xyz kucy5anffo.o75z2vsjw1xp9[.]xyz kx2cqwrdzvuhyfj.vizko[.]xyz l6bu9a2hr7wpk.x7-sh2i4[.]xyz l7arxyqm.z7fuqo4cjvwb2mk3tf[.]xyz labgqpfvu.v3c7nods0[.]xyz lb4tspcsxwe6kt9zqx.enouk3vu8s[.]xyz lbm3k-e0mfxfza.jk9tha0lw[.]xyz lbo6kac498vvm.sqh0mgmztfjr4[.]xyz lbpseoaqo1.snt3emts-0inx8[.]xyz lbwzxafuq.hxyeac7aoeyw[.]xyz lc963jo4xsan.bvdwhl4tvy1r[.]xyz lcdii-whpfaxbcz6.ugy-pj2arfbk1orb[.]xyz lcolgjo.nxeh8md1ktzsqq[.]xyz ld4mb.oo3rdhpw7dl4t[.]xyz lddjspvtginyyrs.vizko[.]xyz lhu4e8wdbnq.cdts67mdly[.]xyz lj0mehfp6uzi5dvso.7vtpfqxfu[.]xyz ljmrwjzhobqtd63ak.hzwnmidqrclgbmdq[.]xyz llsf3-og0jr7q8mq.iitawwm0p1o[.]xyz lm3gxritnkccs.qdgsieeiogvdh[.]xyz lm3-xrkh.s7equm[.]xyz ln6xbwxd.kal7jcf1nqgv9[.]xyz lnoctwj7tqkaisuhp2.wr9y7jubv[.]xyz lodd7uj9.eq7mbupaa8d2ifo6j[.]xyz lqpimoaqrgjsjs.xfkk017um-zg8jcy[.]xyz lquw4ttay2.ffynd386[.]xyz lrxqexn53duio.5c7-hzxrdlepn[.]com lt-k5dpbe2dewa9.7fkm9j[.]xyz ----- luax1swbix.jrrucdtjeolpyza36ubt[.]xyz lunglkyram8a1qe.qkz9546[.]com lur-8limpcet.r8qzjft9-nuvc[.]xyz lvmr3ihjeqd1.dzilphw-2dmqbechu0[.]xyz lvubgzkqtg2cs4drxlu.ptr1wqxrpkf9[.]xyz lzinj5aqy89op.142fb[.]xyz lzitr3b5n.6xg-rv[.]xyz m2z53btyjcrn.oenu5413[.]com m3uokrrd8qw.zwquakqgtje[.]xyz m45pywadnz.q6g-g[.]xyz mf09dzg8.h8dbwfc1m[.]xyz mg1p04u.k8tjn-y[.]xyz mgci3h-wa4xihwovr5a.nfe4-0iotd1bwrz[.]xyz mhu9xr.c4ftfkslrvyom5p[.]xyz miwqjjyg8.keruijvm2[.]xyz mkfj8vzyvgcbwlnrr.fodvtlyn[.]xyz mkoc9ukvxf-iob.fplmtp-kqo7bay[.]xyz mmlcwvyp5hu0.orjzu5devkl[.]xyz mni052yb7.2idn8gducc-ata37wo[.]xyz mnokj.uneovi9uqe5dr[.]xyz modl7uxpyikz5.fch7j5kg[.]xyz mqh9c6qp4dgxrto.1ewdvk3g[.]xyz 
msu8edk45oi.ys03fpianv8cdvrwzq[.]xyz msv9wgoj47wegdyi.u6lkikwu-4[.]xyz msxpvznqpy8.flpua12[.]xyz msyfb2avpk.dmwali1gjlmcthi6[.]xyz mtzq4a23emjiwtv.9c51qzq[.]xyz mu1yxj.g3bsawkb[.]xyz mwtcqspv692dlkafq4ex.gpuvotxmiv2y[.]xyz mzipxjnn8gdpvmlsbrv.afklaj129561[.]com n4mg8vwu2pzy3tun9.hdiiyoe4focsn[.]xyz n62de.jcprclfq8lg5bswk9bw[.]com n6axioy18.tash-irdk46ze[.]xyz n6xjtea8dsp4mcue.ce7hfo-q[.]xyz n8pcj.1y8dtpw2vi9-so6d7hxj[.]xyz nawvz0.gioej0tzyxxccynf7lh[.]xyz nbq6ojmy.qwbdmhpv[.]xyz ndvd1bat.jzlo[.]xyz ne0xcbfiylrpjif.ryjk9[.]xyz neduv9au8qakg.hhbn7lxww[.]xyz nho7eayz9ovk4yzs3.drmur4xmh30vc8gk1[.]xyz Digitally-Signed Rootkits are Back – A Look at FiveSys and Companions nl4d7htu5vd1zehf6.jx3sbz-gekgpi8hmq[.]xyz nlworxcgpi.dgmiiqu5pd[.]xyz nlzcjcreoaxdlfu.y5pc-ngzeapt[.]xyz nmiakq8i0sew.hleqpjxtf7zb[.]xyz nmo1n.5ogqfdvrs[.]xyz no4labykrztapv.m1s9n[.]xyz npl4drbrwx8m5f.p5m4-n[.]xyz nqxs1pz-8ymjfdko.vdwacklotndh[.]xyz nrq5438cpq9ipv721ade.nxeh8md1ktzsqq[.]xyz nrwyro0be-ojt.mafjqkb7ciatz6hrcu4[.]xyz nxrwikl05eb4.lm8pkrau[.]xyz nypzbu3vsf.igpih8-5[.]xyz o0r2wtpqmd1rizb.f53anbertu[.]xyz o0z2a49flundt.f3juvrxvg[.]xyz o6jesjylvz07o8.ydsvap1jixwmwug[.]xyz o79kfvttyqo5qyz.7n32eq[.]xyz o94mkqdhhk0bs.4bcqyrbw7lfj[.]xyz o9-azig7j8o.jphdsj[.]xyz o9pslbjoat.6-ocmuae[.]xyz oatcugeycrx6dgn3.n9zxeam2xn0km[.]xyz oc5m1ukbedvyl2kwz.dngzc30hgvmpqw[.]xyz ocgguuyhsl.adqoa451[.]com ocln0lfxtdjz.zdnotkvu8n03ipp4zr9[.]xyz ogr16qyfdcbxl7-vwuu.qsimqxa[.]xyz ogynou1ihylirb.snt3emts-0inx8[.]xyz ohqsi4c6tfdz2.yvw6ug0tn92wpri-p[.]xyz oillx-jh0v956thr.hmvq7nxklcdc[.]xyz oj9thdbnzt.qc8aeratb[.]xyz ojarwuz.wxojeqomtvw8b7qsrg[.]com om9xkvexhuc.gizmjnnvab4p80ra6j[.]xyz omjsvhayulrizc.feecst[.]xyz onez8cifrpuloihvyr.nf9gwilhsyi[.]com onkw0myxzcfprp.n6hhbcdjium7yyalsfm[.]xyz oo3wuy.muqk-wrhjoebniagu9l[.]xyz op9lyfrhlvm5.ln0tkrj8lu[.]xyz opdauz2c4em1brqp.7kf0ykpvqf9ysx[.]xyz oprohtzjw.aeowncjzreft[.]xyz oqioyuwsq7e.emquo-od3regsty[.]xyz or1vlp0blds7r.ukgrdsq4qgio[.]xyz orjtsuivg8mwbcx.0dhkosm14jyvix[.]xyz 
osicvyou5wjx7kphdykt.d7wonyt[.]xyz ----- ###### Digitally-Signed Rootkits are Back – A Look at FiveSys and Companions otn4iqmu7muonvax.5aor92n[.]xyz ouints8f-yplh6mgd.mtobaz1v0jxx2u[.]xyz oymjq6u2vyx.6-ocmuae[.]xyz ozqb25pxcala8tg3z.dgmiiqu5pd[.]xyz p09euq3eqmsfsvhwg-in.3zw7bzdql91h8[.]xyz p8j5agqsmdk2ryfwcbo.kxtdrgla-hi[.]xyz pacapi.test.zkrf8ar[.]xyz pah7fbvdyl.bn6cqesfx8vsh[.]xyz pb8igpkro.4vgq1qrjlz[.]xyz pbqcwdgmfryf3ox.h6a-url97kejd[.]xyz pdfw45w3lvnhexf.gg-mmfpz79[.]xyz pegwlybwx23qrjxh.cejydqcyow4z6kufhr0[.]xyz penho5ummij6j.6vom2mrjlva0uidft[.]xyz pg9ovbxa7q-ueoat.v3c7nods0[.]xyz pjqh5rwtokzf.yvz-wkub3sd[.]xyz pknkhr0c5s91s.vbhxi80rvz[.]xyz plq9ek2ns.lyrsa1hckmongrz[.]xyz pmocqyo4hu1mgk.9km7ejgcnvlhze4[.]xyz poyadkez.u9ky8l[.]xyz pr7ybl5xz.nkcxd[.]xyz psjkg4h5afztkwbzih.aau2pblv0hsz[.]xyz pvfgjy761kuus.pbe1zno2fwt6yyvu-0[.]xyz pvtmx3zw-c8o.nklpg[.]xyz pw5oty6iut71f2lbg.cqfj1dzmwr[.]xyz pwsqjmy6zijnoosv2n.mqlhl[.]xyz pwuim3nyqos.e8kod7w-6pvayhdpwcl5[.]xyz pxnbmivycx-m.h0qqsg5gea6-7bd[.]xyz q13g67x.szebg[.]xyz q4a1zbyp79.kj4g3nrtgvvu0n1dde[.]xyz q60avtsiyebwrpnnl.7kf0ykpvqf9ysx[.]xyz q7h4n.pc3-l[.]xyz q9ejzkb-xyn3cq.lpsm3jp[.]xyz qdsln-2czdfrxbkfy.jrrucdtjeolpyza36ubt[.]xyz qfwjtlzisbme.wvhujkviswm[.]xyz qgix8hjpusclmv65okp.iaetl[.]xyz qgsb3dco4fyw.fwph7fdqsepkccbqt[.]com qigav7bebpwf2mr.mrnok[.]xyz qikg6w-dj.q-y45dnv7oec3b[.]xyz qjndm83iq1cb.ned1diht[.]xyz qjzui2mtmfge.7dphsrwtz0arv8h2o[.]xyz qkgfg17o8srrlp aiuq1684[ ]com qleffzjctdy1.qq-aixjl3pykadik[.]xyz qlierx20tj.bytwm[.]xyz qlxbqntiz5upkrhgf2.fp547zwzvjhve[.]xyz ql-xozgicf8ji.rwfer5xiztm1ih[.]xyz qlzgd75zja.9jvbsh6ytuaw4m[.]xyz qnk37buh.9fvylachxud4gcnliyop[.]xyz qpfnf3bj.cvkgbqjn1zrtibdr[.]xyz qqxjnip6ezo02g.bkgacvu3uqxxajdtihj[.]xyz qrg2imprybsnwh.jmc9wrzgz6f[.]xyz qrzwilcvsjjto9ag6ea.m6ifhx[.]xyz qstb3boulwwh.ned1diht[.]xyz qtndylkanoopkzumlq.4vgq1qrjlz[.]xyz qu1i20mg.r8qzjft9-nuvc[.]xyz qv32xe978zy6-ch.fmogj1gljrd[.]xyz qv7pgd.aypbbe[.]xyz qwfmk.qnkhruia5m4edztcb[.]xyz qyrr0v1s.ijbohr[.]xyz 
### Hashes