{
	"id": "34adcb7e-07c7-47d5-aa4f-78eb024096ff",
	"created_at": "2026-04-06T00:17:23.868707Z",
	"updated_at": "2026-04-10T03:37:26.648571Z",
	"deleted_at": null,
	"sha1_hash": "49b4185a51db8738a0386e3cbfb279fd686910f6",
	"title": "WailingCrab malware misuses MQTT messaging protocol",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 671445,
	"plain_text": "WailingCrab malware misuses MQTT messaging protocol\r\nBy Charlotte Hammond, Ole Villadsen, Kat Metrick\r\nPublished: 2023-11-21 · Archived: 2026-04-05 18:33:26 UTC\r\nCharlotte Hammond\r\nMalware Reverse Engineer\r\nIBM Security\r\nOle Villadsen\r\nCyber Threat Hunt Analyst\r\nIBM Security\r\nKat Metrick\r\nSecurity Consultant\r\nIBM X-Force\r\nThis article was made possible thanks to the hard work of writer Charlotte Hammond and contributions from Ole Villadsen\r\nand Kat Metrick.\r\nIBM X-Force researchers have been tracking developments to the WailingCrab malware family, in particular, those relating\r\nto its C2 communication mechanisms, which include misusing the Internet-of-Things (IoT) messaging protocol MQTT.\r\nWailingCrab, also known as WikiLoader, is a sophisticated, multi-component malware delivered almost exclusively by an\r\ninitial access broker that X-Force tracks as Hive0133, which overlaps with TA544. WailingCrab was first observed in\r\nDecember 2022, and since then it has been used extensively in email campaigns to deliver the Gozi backdoor often against\r\nItalian targets. In recent months, Hive0133 has targeted organizations beyond Italy with email campaigns delivering\r\nWailingCrab, frequently using themes such as overdue delivery or shipping invoices.\r\nThe malware authors have focused on stealth and anti-analysis techniques in the continued development of the WailingCrab\r\nmalware. The malware itself is split into multiple components, including a loader, injector, downloader and backdoor, and\r\nsuccessful requests to C2-controlled servers are often necessary to retrieve the next stage. Legitimate, hacked websites are\r\nused for initial C2 communications to lower the chance of network detection, and payloads are often hosted on well-known\r\nplatforms such as Discord. 
C2 servers are often taken down quickly or stop responding soon after a campaign, which may\r\nprevent threat researchers from accessing them and retrieving the next stages of the malware. Additionally, WailingCrab\r\nmakes use of code obfuscation, anti-analysis, and anti-sandbox techniques throughout its code.\r\nWailingCrab’s core component is its backdoor, which is installed on the system only if the malware’s initial stages are\r\ncompleted successfully. Since mid-2023, WailingCrab’s backdoor component has communicated with the C2 using the\r\nMQTT protocol, which is a lightweight IoT messaging protocol. MQTT uses a publish/subscribe architecture, whereby\r\nmessages are published to ‘topics’ and received by subscribers, with message distribution handled by a centralized broker. In\r\nthis instance, WailingCrab uses the legitimate, third-party broker, broker.emqx[.]io, which allows it to hide the true address\r\nof the C2 server.\r\nWailingCrab’s use of MQTT is notable, as this protocol is not commonly used by malware. There have only been a\r\nhandful of instances reported, with the most recent being the MQsTTang backdoor attributed to the threat actor Mustang\r\nPanda. As a result, the protocol’s use may not be monitored as closely by security teams, allowing the backdoor’s C2\r\ncommunications to fly under the radar.\r\nThis blog provides an overview of WailingCrab and its C2 communications, with a focus on its use of the MQTT protocol.\r\nDelivery\r\nSince its inception, WailingCrab has been distributed via email spam campaigns using Microsoft Excel attachments,\r\nMicrosoft OneNote attachments or PDF attachments. In recent months, Hive0133 has favored the use of PDF attachments\r\ncontaining malicious URLs in their email campaigns delivering WailingCrab. When clicked, the links will download and\r\nexecute JScript files, which in turn will download and execute the WailingCrab loader, which is usually hosted as an\r\nattachment file on Discord. 
Below is an example of a Hive0133 email campaign delivering WailingCrab on 19 October.\r\nhttps://securityintelligence.com/x-force/wailingcrab-malware-misues-mqtt-messaging-protocol/\r\nPage 1 of 12\n\nFigure 1: Hive0133 Email from 10/19/2023 delivering WailingCrab Loader.\r\nFigure 2: Hive0133 Email PDF Attachment with Malicious Link Leading to WailingCrab Loader.\r\nWailingCrab components\r\nMany of the technical details of WailingCrab’s operation and early variants have already been discussed in other research;\r\ntherefore, in this blog we will focus on new developments and those aspects which have not already been reported on.\r\nThe primary samples used for this research\r\nare 24c5f4868dc5af255edbb993d98de51a and f6ea7ec5d94bc65bf82a6b42b57a6c82, which were from campaigns in\r\nSeptember, and f6d0b9617405f35bb846d671edda75d3, which was observed in July and is the reference for the earlier\r\nversion of the MQTT protocol use. These samples are all first-stage WailingCrab Loaders, which were hosted on Discord\r\nand downloaded via spam campaigns like the one described above. The subsequent WailingCrab components discussed in\r\nthis blog were all unpacked or downloaded by these loaders.\r\nWailingCrab loader\r\nThe first component of WailingCrab is its loader, which commonly uses a legitimate DLL file as a template, with the\r\nmalicious code patched over one of the DLL’s exported functions. Its purpose is to load the second stage, which is stored\r\nwithin the DLL as encrypted shellcode.\r\nThis initial loader component of WailingCrab has received a few updates in more recent samples. In the previous version,\r\nthe loader would overwrite its own data section in memory with the code for its second-stage component. 
In the new\r\nversion, the malware first loads a legitimate Windows DLL, such as BingMaps.dll, and then overwrites the code for one of\r\nthe DLL’s exported functions with WailingCrab’s second-stage shellcode. It also patches the code at the DLL’s original entry\r\npoint such that it returns immediately rather than running its original code, allowing execution to proceed unimpeded to the\r\nmaliciously patched export function.\r\nThe WailingCrab loader then creates a new thread to run its second-stage shellcode within the context of the legitimate\r\nloaded DLL.\r\nWailingCrab injector\r\nThe second stage is the WailingCrab injector, the functionality of which has not changed much from the previous version.\r\nThe injector component starts by looping through the currently running processes on the host system and creates a hash of\r\neach process filename until it finds one that matches its target hash, which in the analyzed sample corresponds\r\nto explorer.exe. At this point, the malware will also compare the hash of each running process name to a list of hashes\r\nassociated with sandbox or debugging applications, and will not continue if any of these are found.\r\nOnce it identifies its target process, WailingCrab opens it and allocates memory within the process space. It then decrypts its\r\nthird-stage component using XOR and writes the decrypted payload contents to the allocated memory region, along with a\r\nstring containing the file path of the initial loader.\r\nNext, WailingCrab searches the DLLs loaded within the target process (i.e. explorer.exe) and looks for ntdll.dll. Within the\r\nntdll.dll instance, it finds the address of a target API function, in this case, RtlWow64GetCurrentMachine. 
It then overwrites\r\nthe contents of this function with 12 bytes of trampoline hook code, the purpose of which is to jump to the start of the copied\r\npayload.\r\nThe malware then creates a new thread within the target process. The start address of the thread is set to that of the\r\nhooked API function, e.g. RtlWow64GetCurrentMachine. Upon creation, the new thread executes the target API function,\r\nwhich now contains the hook code, and this then transfers execution to the payload, which is the next WailingCrab\r\ncomponent.\r\nWailingCrab downloader\r\nThe third WailingCrab component is a Downloader/Loader, which is responsible for loading the Backdoor component. The\r\ncode for this stage is run within the context of the injected process; in this case, explorer.exe.\r\nMuch of the functionality of the downloader is the same as in previous versions; however, there have been some updates. In\r\nprior versions, this component would download the backdoor, which would be hosted as an attachment on the Discord CDN.\r\nHowever, the latest version of WailingCrab already contains the backdoor component encrypted with AES, and it instead\r\nreaches out to its C2 to download a decryption key to decrypt the backdoor.\r\nThe WailingCrab downloader starts in the same manner as prior versions, by sleeping for a set period, and then deleting the\r\noriginal loader file on disk. It also creates a mutex, where the mutex name is a hardcoded numeric string, for example,\r\n“823264”.\r\nAt this point in the previous version, WailingCrab would then perform connectivity and anti-sandbox checks by attempting\r\nto connect to https://www.wikipedia.org/ and also a non-existent domain and confirming that the results of both are what it\r\nexpects. However, these checks have been removed from the new version, and the malware proceeds straight to C2\r\ncommunication.\r\nWailingCrab proceeds to register with the C2. 
It randomly generates bot ID values and also gathers basic system information\r\nincluding domain, hostname, username, language and system time. These values are then formatted into a pipe-delimited\r\nstring, along with an eight-digit campaign ID which is hardcoded into the malware.\r\nIn the previous version, the randomly generated bot ID was a single eight-digit string; in the new variant, three 16-digit\r\nstrings are generated instead, and these will be used later by the backdoor component as MQTT topic names during\r\nits communication with the C2.\r\nPrevious version:\r\n\u003ccampaign_id\u003e||\u003cbotid\u003e||\u003cdomain\u003e||\u003chostname\u003e||\u003cusername\u003e||\u003cadmin_status\u003e||\u003clanguage_id\u003e||\u003csystem_time\u003e||\u003cos_ve\r\ne.g.\r\n84234775||52270349||-||DESKTOP-JGLLJLD||admin||0||1033||2023.07.12+06:50||10.00.19044||\r\nNew version:\r\n\u003ccampaign_id\u003e||\u003c16_digit_bot_value1\u003e\u003c16_digit_bot_value2\u003e\u003c16_digit_bot_value3\u003e||\u003cdomain\u003e||\u003chostname\u003e||\u003cusername\u003e||\u003cadmin_status\u003e||\u003clanguage_id\u003e||\u003csystem_time\u003e||\u003cos_version\u003e||\r\ne.g.\r\n63785091||258318294498701539673492921154037193237834753421||-||DESKTOP-JGLLJLD||admin||0||1033||2023.09.15+11:32||10.00.19045||\r\nThis string is then base64 encoded and added to the Cookie field in the HTTP registration request sent to the C2. 
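The request side of the registration just described, plus the response handling the following paragraphs cover, as an added Python example (it is not code from the X-Force post or from WailingCrab itself): it assembles the new-version registration string from the pipe-delimited layout above, base64-encodes it for the Cookie header, recovers the three 16-digit MQTT topic names from the bot value, and applies the downloader's XOR-fold step to the base64 blob that follows the word 'gmail' in the C2 reply to obtain the AES-256 key. The campaign ID and host facts are constructed; the reading of '-' as an empty domain and of admin_status '0' as non-admin, and the HTML comment markup around the 'gmail' blob, are assumptions and are marked as such in the comments.

```python
import base64
import re
import secrets
import string

# Illustrative campaign ID; the layout below is the documented new-version format,
# the values fed into it are constructed for this example.
CAMPAIGN_ID = '63785091'

def random_digits(n):
    # Bot ID material: n random decimal digits, one 16-digit block per MQTT topic.
    return ''.join(secrets.choice(string.digits) for _ in range(n))

def build_registration(campaign_id, bot_values, domain, hostname, username,
                       is_admin, language_id, system_time, os_version):
    # Fields are joined with '||' and the string ends with a trailing '||'.
    # Assumptions: '-' stands for an empty domain and admin_status '0' means
    # not running as admin (the post only shows the literal values).
    fields = [campaign_id, ''.join(bot_values), domain or '-', hostname, username,
              '1' if is_admin else '0', str(language_id), system_time, os_version]
    return '||'.join(fields) + '||'

def cookie_value(registration):
    # The registration string travels base64-encoded in the HTTP Cookie header.
    return base64.b64encode(registration.encode()).decode()

def decode_cookie(value):
    return base64.b64decode(value).decode()

def parse_registration(registration):
    # Inverse of build_registration; also recovers the three 16-digit client topics.
    parts = registration.split('||')
    blob = parts[1]
    return {'campaign_id': parts[0],
            'topics': [blob[i:i + 16] for i in range(0, len(blob), 16)],
            'domain': parts[2], 'hostname': parts[3], 'username': parts[4],
            'admin': parts[5] == '1', 'language_id': parts[6],
            'system_time': parts[7], 'os_version': parts[8]}

def extract_response_blob(html):
    # The compromised site answers with an HTML comment holding 'gmail' followed by
    # base64. The surrounding comment markup is an assumption; only the
    # 'gmail' + base64 pair is matched.
    m = re.search('gmail[ ]*([A-Za-z0-9+/=]+)', html)
    return base64.b64decode(m.group(1)) if m else None

def derive_aes_key(blob):
    # New version: XOR-fold the first 8 bytes into one byte, then XOR that byte over
    # the next 32 bytes to recover the AES-256 key. The backdoor is then decrypted
    # with AES-256-CBC and a zero IV, which needs an AES library and is not shown.
    if blob is None or len(blob) < 40:
        raise ValueError('response too short for key material')
    k = 0
    for b in blob[:8]:
        k ^= b
    return bytes(c ^ k for c in blob[8:40])

def sample_response_html(aes_key, prefix):
    # Builds a constructed server response for offline testing: the inverse of
    # derive_aes_key wrapped in the assumed comment layout.
    k = 0
    for b in prefix:
        k ^= b
    blob = prefix + bytes(c ^ k for c in aes_key)
    return '<html><!-- gmail ' + base64.b64encode(blob).decode() + ' --></html>'

if __name__ == '__main__':
    topics = [random_digits(16) for _ in range(3)]
    reg = build_registration(CAMPAIGN_ID, topics, '', 'DESKTOP-JGLLJLD', 'admin',
                             False, 1033, '2023.09.15+11:32', '10.00.19045')
    print(reg)
    print('Cookie:', cookie_value(reg))
    print('MQTT topics:', parse_registration(reg)['topics'])
    key = derive_aes_key(extract_response_blob(sample_response_html(bytes(32), bytes(8))))
    print('AES key:', key.hex())
```

Run stand-alone it prints a freshly generated registration string, its Cookie form, the three topic names a defender would need to subscribe to, and the key recovered from a constructed reply; on a captured C2 response, feed the raw HTML to extract_response_blob and the result to derive_aes_key.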
The C2\r\nURL is chosen at random from a list, and the following URLs were present in the analyzed sample:\r\ncontent/themes/sydney/inc/notices/uiqbw123udibjk1d2.php?id=1\r\nhttps[:]//advocates4consumerprotection[.]com/wp-includes/js/tinymce/skins/iudjh9iwd182.php?id=1\r\nThe C2 registration domains are usually legitimate WordPress-based websites that have been compromised by the threat\r\nactor to include a malicious PHP file that processes the requests from the WailingCrab malware. When a request is made to\r\none of these URLs with the correct cookie set, the malicious PHP code inserts a comment into the source code of the\r\nreturned webpage which contains the response data for the downloader.\r\nThe below image shows a request being made to one of the C2 URLs, where the cookie field contains the base64 encoded\r\nregistration string.\r\nIf the registration request is successful, the source code of the returned web page will contain a comment containing the\r\nword ‘gmail’ followed by a base64 string, similar to that seen in the below image.\r\nIn prior versions of WailingCrab, the base64 response would be decoded to reveal a Discord CDN URL path which the next\r\nstage of the malware could be downloaded from.\r\nIn the new version, the decoded base64 instead contains an encrypted AES key. In this case, the first 8 bytes of the decoded\r\ndata are XOR’d together, and the final value is then used to XOR-decrypt the remaining 32 bytes of the data which is the\r\nAES key.\r\nThe AES key is then used by WailingCrab to decrypt the backdoor component using AES-256 in CBC mode with a null-byte\r\nIV. The backdoor code is then executed.\r\nWailingCrab backdoor\r\nThe WailingCrab backdoor is a sophisticated piece of malware responsible for installing persistence and beaconing to the\r\nC2. The backdoor installs itself in a randomly named subdirectory of either the user’s %AppData% folder or the\r\n%ProgramData% folder. 
WailingCrab copies several files to this directory and modifies some by overwriting them with\r\nchunks of its code:\r\nC:\\ProgramData\\\u003cmalware_dir\u003e\\version.dll\r\n(copied from C:\\WINDOWS\\system32\\version.dll and modified)\r\nC:\\ProgramData\\\u003cmalware_dir\u003e\\\u003crandom_name\u003e.exe\r\n(copied from C:\\WINDOWS\\system32\\printfilterpipelinesvc.exe)\r\nC:\\ProgramData\\\u003cmalware_dir\u003e\\xpspushlayer.dll\r\n(copied from C:\\ProgramData\\\u003cmalware_dir\u003e\\version.dll)\r\nC:\\ProgramData\\\u003cmalware_dir\u003e\\thumbs.db (contains encrypted WailingCrab code)\r\nC:\\ProgramData\\\u003cmalware_dir\u003e\\\u003crandom_name\u003e.dll\r\n(copied from C:\\ProgramData\\\u003cmalware_dir\u003e\\version.dll and modified)\r\nWailingCrab installs persistence by creating a randomly named subkey under the registry Run key and adding the file path\r\nof the copied and randomly renamed printfilterpipelinesvc.exe file. When this file is executed, it loads the modified\r\nversion.dll file via DLL hijacking, and execution then jumps between the various WailingCrab code chunks loaded from the\r\nother files, eventually ending up within an injected explorer.exe instance. The full technical details of this process are\r\nbeyond the scope of this blog but are available in our full malware report on X-Force Exchange.\r\nMQTT communication\r\nCommunication between the WailingCrab backdoor component and the C2 is performed using the MQTT protocol, which is\r\na lightweight IoT messaging protocol. MQTT uses a publish/subscribe architecture, with message distribution handled by a\r\ncentralized broker. WailingCrab uses a third-party broker, broker.emqx[.]io, which allows it to hide the true address of the\r\nC2 server.\r\nThe basics of the MQTT protocol are quite straightforward. 
The client starts by sending a connect request to the broker,\r\nspecifying its client ID, which the broker then acknowledges. After that, the client can either publish messages to specific\r\n‘topics’, or it can request to subscribe to a topic. Any clients who are subscribed to a topic will then receive future messages\r\npublished on that topic.\r\nPrevious version\r\nWe initially observed WailingCrab using the MQTT protocol in mid-2023, and this version of the backdoor communicated\r\nwith the C2 using the following procedure.\r\nThe backdoor starts by sending a connect request to broker.emqx[.]io using a randomly generated client ID.\r\nBackdoor -\u003e broker.emqx.io\r\n – MQTT Connect packet\r\n – Protocol version 5\r\n – Randomly generated Client ID, e.g. xMMRYbWc\r\nIt then registers with the C2 by publishing a message to a topic named using the same campaign ID string found in\r\nthe WailingCrab downloader. The registration message is 25 characters long and consists of the number ‘1’, which is\r\nlikely the message type, followed by a randomly generated 16-digit string, followed by the eight-digit bot ID\r\ngenerated by the downloader. For example:\r\nBackdoor -\u003e broker.emqx.io (Campaign Topic) -\u003e C2\r\n – MQTT Publish packet\r\n – Topic: Campaign ID (e.g. 84234775)\r\n – Message: Registration type message, e.g. ‘1852460395177254652270349’\r\n 1 digit message type = ‘1’ (registration message)\r\n 16 digit randomly generated string, e.g. ‘8524603951772546’\r\n 8 digit bot ID, e.g. ‘52270349’\r\nThe purpose of the randomly generated 16-digit string (8524603951772546) is for it to be a client-specific topic\r\nname for the C2 and backdoor to communicate via, as opposed to the campaign name topic which is shared by all\r\nsamples in the same campaign. 
The backdoor sends a subscribe request to the MQTT broker with the topic name set\r\nto this 16-digit string, which means that the broker will forward any future messages published to this topic to the\r\nbackdoor. Once the subscription request is sent, the broker will then respond with a ‘subscribe ack’ packet to\r\nacknowledge the subscription request.\r\nBackdoor -\u003e broker.emqx.io\r\n – MQTT Subscribe packet\r\n – Subscribe Topic: Generated client-specific topic name e.g. 8524603951772546\r\nThe backdoor then publishes a general ‘check-in’ type message to the campaign topic, which consists of the character\r\n‘2’ followed by the eight-digit bot ID.\r\nBackdoor -\u003e broker.emqx.io (Campaign Topic) -\u003e C2\r\n – MQTT Publish packet\r\n – Topic: Campaign ID (e.g. 84234775)\r\n – Message: Check-in type message, e.g. ‘252270349’\r\n 1 digit message type = ‘2’ (check-in message)\r\n 8 digit bot ID, e.g. ‘52270349’\r\nAt this point, the backdoor checks for any received messages. The C2 will publish any messages for the target to the\r\nclient-specific topic, which the broker will then forward to the backdoor since it has subscribed to that topic. The\r\nmessages from the C2 take the form of the character ‘0’ if the C2 does not have any further instructions for the client,\r\nor the character ‘2’ followed by a download path:\r\nC2 -\u003e broker.emqx.io (Client Topic) -\u003e Backdoor\r\n – MQTT Publish packet\r\n – Topic: Client Specific (e.g. 8524603951772546)\r\n – Message: Either ‘0’ or payload message, e.g. ‘2+1135578349968818269+1143152400132210688+djibh1ud21dORD1s\r\n 1 digit message type = ‘0’ or ‘2’\r\n Download path with ‘/’ characters replaced by ‘+’, e.g. 
‘+1135578349968818269+1143152400132210688+djib\r\n Pipe delimiter, followed by single digit, usually ‘1’ or ‘2’\r\nIf the backdoor receives a download path from the C2, it will append the received path string to the URL\r\nhttps[:]//cdn.discordapp[.]com/attachments/ to create the full download URL. Any ‘+’ characters in the path are\r\nconverted to ‘/’. The backdoor will then download a payload from the constructed URL, decode it using base64 and\r\nthen decrypt it using the same XOR-based algorithm used throughout the malware. The malware will generate a\r\nrandom filename with the .log extension, write the payload to the user’s Temp directory, and then execute the file by\r\ncreating a new process with the following command:\r\nrundll32.exe \u003cpayload_filepath\u003e, DllRegisterServer\r\nThe backdoor will then report the status back to the C2 by publishing a message to the campaign topic. If the\r\npayload download and execution operation was a success, it will send a message consisting of the character ‘3’\r\nfollowed by the bot ID. Otherwise, if there was an error, it will send the character ‘4’ followed by the bot ID.\r\nBackdoor -\u003e broker.emqx.io (Campaign Topic) -\u003e C2\r\n – MQTT Publish packet\r\n – Topic: Campaign ID (e.g. 84234775)\r\n – Message: Result type message, e.g. ‘352270349’\r\n 1 digit message type = ‘3’ or ‘4’\r\n 8 digit bot ID, e.g. 
‘52270349’\r\nThe malware will then disconnect the MQTT connection and then sleep for a fixed period of time before checking in\r\nwith the C2 again.\r\nNew version\r\nNewer versions of WailingCrab, observed from September 2023 onwards, use an updated protocol when communicating\r\nwith the C2.\r\nAs described above, in the previous version, all clients infected by a specific campaign would register with and send regular\r\ncheck-in messages to a single centralized MQTT topic named after the campaign ID. The initial registration message sent by\r\neach client would then contain a randomly generated 16-character numeric string which would then serve as the name of a\r\nclient-specific topic where the C2 could send commands/payloads to the respective client.\r\nIn the new version, the use of the centralized topic has been removed, and infected clients and the C2 now communicate\r\nsolely via client-specific topics, the names of which are taken from the three randomly generated 16-digit strings created by\r\nthe downloader component and shared with the C2 as part of its initial request to the WordPress C2 URL.\r\nFor example, if the initial registration request sent by the downloader component contained the following:\r\n63785091||258318294498701539673492921154037193237834753421||-||DESKTOP-JGLLJLD||admin||0||1033||2023.09.15+11:32||10.00.19045||\r\nThen the three client-specific topic names would be:\r\n1. 2583182944987015\r\n2. 3967349292115403\r\n3. 
7193237834753421\r\nThe use of Discord for hosting payloads has also been removed from this stage of the malware, and the backdoor now\r\nreceives a shellcode-based payload directly from the C2 via MQTT rather than a Discord-based download path.\r\nA full breakdown of the new C2 communication protocol is as follows:\r\nAs with the previous version, the backdoor starts by sending an MQTT connect packet to broker.emqx[.]io via TCP\r\nport 1883 using a randomly generated eight-character client ID.\r\nBackdoor -\u003e broker.emqx.io\r\n – MQTT Connect packet\r\n – Protocol version 5\r\n – Randomly generated Client ID, e.g. xMMRYbWc\r\nIt then retrieves the local time of the infected system and constructs a datetime structure which it encodes using\r\nbase64. The backdoor then publishes a message containing the base64 string, with the topic set to the second of the\r\nrandomly generated topic names.\r\nBackdoor -\u003e broker.emqx.io (Client Topic 2) -\u003e C2\r\n – MQTT Publish packet\r\n – Topic: Client topic 2 (e.g. 3967349292115403)\r\n – Message: Check-in message, e.g. ‘AgAcABwAFAAKAOcH’\r\n Base64 encoded datetime value, e.g. 02 00 1c 00 1c 00 14 00 0a 00 e7 07\r\n Breaks down as six little-endian 2-byte values: Hour Min Sec Day Month Year\r\nThe backdoor then sends a subscribe request to the third topic.\r\nBackdoor -\u003e broker.emqx.io\r\n – MQTT Subscribe packet\r\n – Subscribe Topic: Client topic 3 (e.g. 7193237834753421)\r\nThe backdoor checks to see if it has received any messages via the subscribed topic, and then sends a disconnect\r\npacket. If no message is received, the malware proceeds to sleep and then restart the communications loop. If a\r\nmessage has been received, the backdoor checks that the length is greater than 128 bytes, and if so proceeds to\r\ndecode it from base64. 
The first 8 bytes of the decoded payload contain a payload ID value, and the second set of 8\r\nbytes is used to calculate the XOR key to decrypt the rest of the payload data. The backdoor expects the decrypted\r\npayload to be another shellcode component, which it then executes in a new thread.\r\nC2 -\u003e broker.emqx.io (Client Topic 3) -\u003e Backdoor\r\n – MQTT Publish packet\r\n – Topic: Client topic 3 (e.g. 7193237834753421)\r\n – Message: Base64 encoded shellcode payload\r\nBackdoor -\u003e broker.emqx.io\r\n – MQTT Disconnect packet\r\nIf a payload is received, the backdoor reconnects to the MQTT broker using a new randomly generated client ID.\r\nIt then publishes a message with the character ‘0’ to the third client-specific topic acknowledging receipt of the\r\npayload, and publishes a second message to the first client-specific topic with the results of loading the payload. This\r\nmessage consists of the eight-byte payload ID followed by either the character ‘3’ if the payload was executed\r\nsuccessfully, or the character ‘4’ if an error was encountered. The backdoor then sends a disconnect packet and\r\nproceeds to sleep before restarting the communications loop.\r\nBackdoor -\u003e broker.emqx.io\r\n – MQTT Connect packet\r\n – Protocol version 5\r\n – Randomly generated Client ID\r\nBackdoor -\u003e broker.emqx.io (Client Topic 3) -\u003e C2\r\n – MQTT Publish packet\r\n – Topic: Client topic 3 (e.g. 7193237834753421)\r\n – Message: Acknowledgement of payload ‘0’\r\nBackdoor -\u003e broker.emqx.io (Client Topic 1) -\u003e C2\r\n – MQTT Publish packet\r\n – Topic: Client topic 1 (e.g. 
2583182944987015)\r\n – Message: Result type message\r\n 1 digit message type = ‘3’ or ‘4’\r\n 8 digit payload ID\r\nBackdoor -\u003e broker.emqx.io\r\n – MQTT Disconnect packet\r\nConclusion\r\nThe move to using the MQTT protocol by WailingCrab represents a focused effort on stealth and detection evasion. The\r\nMQTT protocol is currently not commonly used by malware. It is therefore unlikely to come under much scrutiny by\r\nexisting security solutions, especially in environments that use MQTT for legitimate IoT traffic. However, as MQTT is\r\nprimarily used for IoT traffic, this may also make malicious use of it easier to detect in environments or systems that should\r\nnot have IoT-related activity.\r\nThe newer variants of WailingCrab also remove the callouts to Discord for retrieving payloads, further increasing its\r\nstealth. Discord has become an increasingly common choice for threat actors looking to host malware, and as such it is\r\nlikely that file downloads from the domain will start coming under higher levels of scrutiny. Therefore, it is not surprising\r\nthat the developers of WailingCrab decided on an alternative approach.\r\nThe upgrades to the C2 communication protocol have also been an unfortunate blow to security researchers. In the initial\r\nversion, the use of the communal campaign topic made it relatively straightforward to observe the malware’s activity. The\r\nfact that WailingCrab uses a public broker means that anyone could subscribe to the campaign topic and monitor the\r\nmessages being sent to it. 
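What a subscriber to the public broker, or a sensor on TCP/1883, would have to decode, as an added Python example (not code from the X-Force post or from WailingCrab): it parses a QoS 0 MQTT v5 PUBLISH packet into topic and payload, classifies previous-version messages on the campaign topic and the client topic by the grammar given above, rebuilds the Discord download URL, and decodes the new-version base64 date-time check-in and the payload envelope on client topic 3. The sample packet, the file name sample.bin and the dict shapes returned are constructed for this example; the XOR key derived from the payload's second 8 bytes is not described in the post and is not implemented.

```python
import base64
import struct

DISCORD_CDN = 'https://cdn.discordapp.com/attachments/'

def read_varint(buf, i):
    # MQTT variable byte integer: 7 data bits per byte, top bit set means continue.
    value, shift = 0, 0
    while True:
        b = buf[i]
        i += 1
        value |= (b & 0x7f) << shift
        shift += 7
        if not b & 0x80:
            return value, i

def write_varint(n):
    out = bytearray()
    while True:
        b = n & 0x7f
        n >>= 7
        out.append(b | 0x80 if n else b)
        if not n:
            return bytes(out)

def encode_publish(topic, payload):
    # MQTT v5 PUBLISH at QoS 0: fixed header 0x30, remaining length, 2-byte-prefixed
    # topic, a zero-length properties field, then the application payload.
    body = len(topic).to_bytes(2, 'big') + topic.encode() + bytes([0]) + payload
    return bytes([0x30]) + write_varint(len(body)) + body

def decode_publish(packet):
    # Returns (topic, payload) for a PUBLISH packet; QoS 1/2 packets carry a 2-byte
    # packet identifier that is skipped. Properties are skipped, not interpreted.
    if packet[0] >> 4 != 3:
        raise ValueError('not a PUBLISH packet')
    qos = (packet[0] >> 1) & 3
    remaining, i = read_varint(packet, 1)
    end = i + remaining
    tlen = int.from_bytes(packet[i:i + 2], 'big')
    topic = packet[i + 2:i + 2 + tlen].decode()
    i += 2 + tlen + (2 if qos else 0)
    plen, i = read_varint(packet, i)
    return topic, packet[i + plen:end]

def parse_campaign_message(msg):
    # Bot-to-C2 messages on the shared campaign topic (previous version):
    # '1' + 16-digit client topic + 8-digit bot ID, or '2'/'3'/'4' + 8-digit bot ID.
    if not msg.isdigit():
        return None
    kind = msg[0]
    if kind == '1' and len(msg) == 25:
        return {'type': 'registration', 'client_topic': msg[1:17], 'bot_id': msg[17:]}
    if kind in ('2', '3', '4') and len(msg) == 9:
        names = {'2': 'check-in', '3': 'result-ok', '4': 'result-error'}
        return {'type': names[kind], 'bot_id': msg[1:]}
    return None

def parse_c2_message(msg):
    # C2-to-bot messages on the client topic (previous version): '0' for nothing to do,
    # or '2' + Discord path with '/' written as '+', then '|' and a one-digit flag.
    if msg == '0':
        return {'type': 'idle'}
    if msg.startswith('2') and '|' in msg:
        body, _, flag = msg[1:].rpartition('|')
        path = body.replace('+', '/').lstrip('/')   # leading '/' dropped to form a clean URL
        return {'type': 'payload', 'url': DISCORD_CDN + path, 'flag': flag}
    return None

def decode_checkin_time(b64):
    # New-version check-in: six little-endian 16-bit values hour, min, sec, day, month,
    # year; returned here in calendar order (year, month, day, hour, minute, second).
    h, mi, s, d, mo, y = struct.unpack('<6H', base64.b64decode(b64))
    return (y, mo, d, h, mi, s)

def split_payload_message(b64):
    # New-version C2 payload on client topic 3: ignored unless longer than 128 bytes;
    # 8-byte payload ID, 8 bytes of key material, then the encrypted shellcode. The
    # XOR key derivation from the key material is not described in the post.
    if len(b64) <= 128:
        return None
    raw = base64.b64decode(b64)
    return {'payload_id': raw[:8], 'key_material': raw[8:16], 'body': raw[16:]}

if __name__ == '__main__':
    # Constructed sample: a check-in as it would cross the wire on TCP/1883.
    packet = encode_publish('84234775', b'252270349')
    topic, payload = decode_publish(packet)
    print(topic, parse_campaign_message(payload.decode()))
    print(parse_campaign_message('1852460395177254652270349'))
    print(parse_c2_message('2+1135578349968818269+1143152400132210688+sample.bin|1'))
    print(decode_checkin_time('AgAcABwAFAAKAOcH'))
```

Run stand-alone it prints the decoded samples. For the new version, the 8-byte payload ID that split_payload_message returns is the value the backdoor later reports on client topic 1, so it can be used to pair a delivered payload with its result message; the datetime check-in is the only unencrypted, fixed-format field left to key a detection on once the shared campaign topic is gone.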
In the new version, the developers have switched to communicating via client-specific topics only,\r\nremoving this wider visibility of the malware’s activity.\r\nRecommendations\r\nEnsure anti-virus software and associated files are up to date\r\nSearch for existing signs of the indicated IOCs in your environment\r\nConsider blocking and/or setting up detection for all URL and IP-based IOCs\r\nConsider blocking or monitoring the use of the MQTT protocol, especially in environments or systems that should\r\nnot have IoT-related activity\r\nKeep applications and operating systems running at the current released patch level\r\nExercise caution with attachments and links in emails.\r\nIOCs\r\nIndicator | Type\r\n24c5f4868dc5af255edbb993d98de51a | MD5\r\nf6ea7ec5d94bc65bf82a6b42b57a6c82 | MD5\r\nf6d0b9617405f35bb846d671edda75d3 | MD5\r\n971dd6c48909adf98861fb8457125faa | MD5\r\nf03e8c10c84f7ba65caa84e194831a34 | MD5\r\n9e20801f9f4dc6f871d67470583dde0c | MD5\r\nhttps[:]//epikurgroup[.]com/plugins/content/jw_allvideos/jw_allvideos/tmpl/Responsive/oiyqnk182.php?id=1 | URL\r\nhttps[:]//rgjllc[.]pro/wp-content/themes/sydney/inc/notices/uiqbw123udibjk1d2.php?id=1 | URL\r\nhttps[:]//advocates4consumerprotection[.]com/wp-includes/js/tinymce/skins/iudjh9iwd182.php?id=1 | URL\r\nhttps[:]//inspiration-canopee[.]fr/vendor/fields/assets/idnileeal/sifyhewmiyq/3jnd9021j9dj129.php?id=1 | URL\r\nhttps[:]//www.p-e-c[.]nl/wp-content/themes/twentytwentyone/hudiiiwj1.php?id=1 | URL\r\nhttps[:]//vivalisme[.]fr/forms/forms/kiikxnmlogx/frrydjqb/vendor/9818hd218hd21.php?id=1 | URL\r\nhttps[:]//tournadre.dc1-mtp[.]fr/wp-content/plugins/kona-instagram-feed-for-gutenbargwfn/4dionaq9d0219d.php?id=1 | 
URL\r\nhttps[:]//studiolegalecarduccimacuzzi[.]it/Requests/tmetovcqhnisl/vendor/gyuonfuv/languages/vgwtdpera/Requests/5i8ndio12niod21.php?id=1 | URL\r\nhttps[:]//erbilmail[.]com/ind9010j29d0j2.php?id=1 | URL\r\nhttps[:]//www.flow[.]enterprises/wp-admin/css/piudbnui91nid2s1.php?id=1 | URL\r\nhttps[:]//luna-render[.]com/wp-admin/css/pinqidnmwm1192.php?id=1 | URL\r\nhttps[:]//loopmatrix[.]in/dbh9182hdj1o2mde.php?id=1 | URL\r\nhttps[:]//humandata[.]solutions/wp-admin/js/diub890hd91222.php?id=1 | URL\r\nbroker.emqx[.]io | Domain\r\nhttps[:]//cdn.discordapp[.]com/attachments/1128405963062378558/1128406314452799499/dw4qdkjbqwijhdhbwqjid.iso | URL\r\nhttps[:]//cdn.discordapp[.]com/attachments/1148282858646016085/1148283708323938354/dj12iodd12iond.pic | URL\r\nhttps[:]//cdn.discordapp[.]com/attachments/1151584859765080094/1151616346656886885/d17b28d9d2m9od92.avi | URL\r\nhttps[:]//cdn.discordapp[.]com/attachments/1124390807626076192/1128383419970240662/s42.iso | URL\r\nSource: https://securityintelligence.com/x-force/wailingcrab-malware-misues-mqtt-messaging-protocol/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia"
	],
	"references": [
		"https://securityintelligence.com/x-force/wailingcrab-malware-misues-mqtt-messaging-protocol/"
	],
	"report_names": [
		"wailingcrab-malware-misues-mqtt-messaging-protocol"
	],
	"threat_actors": [
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c91f7778-69aa-45fa-be0e-4ee33daf8fbd",
			"created_at": "2023-01-06T13:46:39.110148Z",
			"updated_at": "2026-04-10T02:00:03.216613Z",
			"deleted_at": null,
			"main_name": "NARWHAL SPIDER",
			"aliases": [
				"GOLD ESSEX",
				"TA544",
				"Storm-0302"
			],
			"source_name": "MISPGALAXY:NARWHAL SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "956fc691-b6c6-4b09-b69d-8f007c189839",
			"created_at": "2025-08-07T02:03:24.860251Z",
			"updated_at": "2026-04-10T02:00:03.656547Z",
			"deleted_at": null,
			"main_name": "GOLD ESSEX",
			"aliases": [
				"Narwhal Spider ",
				"Storm-0302 ",
				"TA544 "
			],
			"source_name": "Secureworks:GOLD ESSEX",
			"tools": [
				"Cutwail",
				"Pony",
				"Pushdo"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1f679d2e-c5c9-49e9-b854-2eca06a870e4",
			"created_at": "2022-10-25T16:07:24.453427Z",
			"updated_at": "2026-04-10T02:00:04.997515Z",
			"deleted_at": null,
			"main_name": "Bamboo Spider",
			"aliases": [
				"Bamboo Spider",
				"TA544"
			],
			"source_name": "ETDA:Bamboo Spider",
			"tools": [
				"AndroKINS",
				"Bebloh",
				"Chthonic",
				"DELoader",
				"Dofoil",
				"GozNym",
				"Gozi ISFB",
				"ISFB",
				"Nymaim",
				"PandaBanker",
				"Pandemyia",
				"Sharik",
				"Shiotob",
				"Smoke Loader",
				"SmokeLoader",
				"Terdot",
				"URLZone",
				"XSphinx",
				"ZLoader",
				"Zeus OpenSSL",
				"Zeus Panda",
				"Zeus Sphinx",
				"ZeusPanda",
				"nymain"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434643,
	"ts_updated_at": 1775792246,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/49b4185a51db8738a0386e3cbfb279fd686910f6.pdf",
		"text": "https://archive.orkl.eu/49b4185a51db8738a0386e3cbfb279fd686910f6.txt",
		"img": "https://archive.orkl.eu/49b4185a51db8738a0386e3cbfb279fd686910f6.jpg"
	}
}