{
	"id": "d6f0f486-a6b5-4055-a620-6e2e529ce3f8",
	"created_at": "2026-04-06T00:12:56.624657Z",
	"updated_at": "2026-04-10T13:12:06.972145Z",
	"deleted_at": null,
	"sha1_hash": "4b09c6ee754f978c23ce875b0b1df660a4a32877",
	"title": "Nozomi Networks Researchers Track Malicious Glupteba Activity Through the Blockchain",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 387146,
	"plain_text": "Nozomi Networks Researchers Track Malicious Glupteba Activity\r\nThrough the Blockchain\r\nBy by Nozomi Networks Labs | December 15, 2022\r\nArchived: 2026-04-05 15:06:50 UTC\r\nThreat actors are increasingly leveraging blockchain technology to launch cyberattacks. By taking advantage of\r\nthe distributed and decentralized nature of blockchain, malicious actors can exploit its anonymity for a variety of\r\nattacks, ranging from malware propagation to ransomware distribution.\r\nThe Glupteba trojan is an example of a threat actor leveraging blockchain-based technologies to carry out their\r\nmalicious activity. In this blog, Nozomi Networks Lab presents our latest findings on Glupteba and how security\r\nteams can search for malicious activity in the blockchain.\r\nWhat is Glupteba?\r\nGlupteba is a backdoor trojan that is downloaded via Pay-Per-Install networks – online ad campaigns that prompt\r\nsoftware or application downloads – in infected installers or software cracks. Once Glupteba is active on a system,\r\nthe botnet operators can deploy additional modules from the credential stealer to exploit kits compromising\r\ndevices on the target network. There are several Glupteba modules aimed at exploiting vulnerabilities in various\r\nInternet of Things (IoT) appliances from vendors, such as MikroTik and Netgear.\r\nSurprisingly, Glupteba leverages the Bitcoin blockchain to distribute its Command and Control (C2) domains to\r\ninfected systems. Apart from the fact that this is an uncommon technique, this mechanism is also extremely\r\nresilient to takedowns as there is no way to erase nor censor a validated Bitcoin transaction. Using the same\r\napproach that Glupteba is using to hide data within the blockchain, researchers can hunt for malicious transactions\r\nand recover their payloads. 
If the domains are not stored in plaintext, reversing the Glupteba samples enables\r\nsecurity researchers to decrypt the payload and access the embedded domains.\r\nUsing the Blockchain to Store Data\r\nThe Bitcoin blockchain can be used to store arbitrary data. This is made possible by the OP_RETURN opcode, which\r\nenables storage of up to 80 bytes of arbitrary data within the signature script. This storage mechanism has several\r\nadvantages. First, it is resilient to takedowns. Once a transaction has been validated, there is no way to erase it –\r\nthis is the nature of the blockchain. Using this mechanism to distribute C2 domains means that law enforcement\r\nofficers, network defenders, and incident responders have no way to take down the Bitcoin address or erase the\r\ntransaction. The fact that the Bitcoin blockchain is built on top of modern cryptography also makes this mechanism\r\nsecure: without the private key of the Bitcoin address, one cannot send a transaction carrying such a data payload\r\nfrom the malicious address, so taking over the botnet is not possible. Additionally, threat actors can encrypt\r\ntheir payload to hide it from prying eyes, making the data storage scheme robust and cost effective.\r\nhttps://www.nozominetworks.com/blog/tracking-malicious-glupteba-activity-through-the-blockchain/\r\nPage 1 of 20\n\nThis technique has also been used by the Cerber ransomware in the past. Bitcoin transactions originating from\r\nspecific addresses were monitored, and the first 6 characters of a destination address were used, with a .top\r\nTLD appended, to generate a domain, which would then be used to query the active C2 infrastructure.\r\nGlupteba is known to use a similar mechanism, relying on OP_RETURN instead of destination addresses to\r\ndistribute its C2 domains. 
If a C2 domain is taken down, the botnet operators only need to send a new\r\ntransaction from the Bitcoin address distributing the domains, and the malware will adjust its configuration\r\nthe next time the C2 configuration is refreshed. The latest identified Glupteba bitcoin transaction dates to the 8th of November\r\n2022, with the embedded payload 000c0b0006171c11064d150a0b16.\r\nThe hexadecimal payload above does not seem to represent anything close to a domain name, and that is because\r\nGlupteba, in its latest variant, uses an XOR encryption scheme to protect the data. Once the key is known, typically\r\nby reverse engineering a sample such as c6d4ce67dd25764f571a84caa19fa6c2b067cae6, decrypting the data\r\nbecomes simple; see a sample of this decryption on GitHub.\r\nThe Evolution of Glupteba\r\nGlupteba has been known to use the Bitcoin blockchain to distribute its C2 servers since at least 2019. To retrieve the\r\nBitcoin transactions, several providers are used, usually blockchain.com and blockstream.info. The Glupteba\r\nfunction responsible for querying blockchain.com to retrieve the transaction data is shown in Figure 1.\r\nFigure 1. The Bitcoin address that contains the transactions with the command-and-control\r\ndomains.\r\nThe way the domains are protected within the transactions has evolved slightly over time. In 2019, Glupteba used\r\nAES-GCM to protect and embed the data in the bitcoin transactions. Each sample was shipped with a hardcoded\r\nkey and initialization vector, enabling the sample to decrypt the payload from the Bitcoin transaction. Figure 2\r\nshows the decryption routine in the oldest Glupteba versions.\r\nFigure 2. The Glupteba code calling the AES-GCM decryption routine.\r\nIn newer versions of the malware, this scheme was switched to a simple XOR cipher, which is currently being\r\nused. 
All samples we found were using the same key: “cheesesauce”. Figure 3 shows this key being moved around\r\nin memory in the function responsible for decrypting the ciphertext.\r\nFigure 3. The XOR cipher key is being loaded in the Glupteba decryption routine.\r\nTimeline of Events\r\nGiven all that information, we went on a blockchain harvesting tour, scanning the entire Bitcoin blockchain for\r\nhidden C2 domains. We tried to decrypt the data payload of the OP_RETURN script present in each transaction of\r\nevery block using all the algorithms and keys we know to be associated with Glupteba. In addition, we\r\ndownloaded over 1500 Glupteba samples from VirusTotal and looked at the wallet addresses they used to make\r\nsure we did not miss anything. But that is not all: the latest set of TLS certificates Glupteba uses also exhibits a\r\nprecise pattern in the Subject Alternative Names and, thanks to certificate transparency, this can be hunted for.\r\nFinally, we also took a close look at the passive DNS records at our disposal to find potential associated domains\r\nand hosts.\r\nThis research yielded a large series of events, which we summarize in the timeline below, showing when\r\nactions were taken by Glupteba operators.\r\nDate Source Description\r\n2022-\r\n11-22\r\nPassive DNS Domain registration limeprime[.]org\r\n2022-\r\n11-21\r\nPassive DNS Domain registration greenphoenix[.]xyz\r\n2022-\r\n11-08\r\nBlockchain Wallet 1KfLXEveeDEi58wvuBBxuywUA1V66F5QXK update cdneurops[.]pics\r\n2022-\r\n10-29\r\nBlockchain\r\nWallet 1NX7zTP6C4oGj2y3DaJTrg26AGFWExvYnr update mastiakele[.]icu\r\nWallet 1CzetoTU29WbhNy1UozrQpxuFuCVxffbTd update mastiakele[.]xyz\r\nWallet 1KfLXEveeDEi58wvuBBxuywUA1V66F5QXK update cdneurops[.]buzz\r\nWallet 1CfevVPC8cSpFf7QKQwShrFgQYfyQaoXhc update cdneurops[.]shop\r\nWallet 14XZhcCJDguZuZF4p13tfLXJ6puudY7gqs update 
zaoshanghaoz[.]net\r\nWallet 1BrEshrz6gVbVuHGBgJ5GuHBvC2sdoeTAJ  update cdneurop[.]cloud\r\nWallet 1KfLXEveeDEi58wvuBBxuywUA1V66F5QXK update cdneurop[.]cloud\r\nWallet 1AuWUMtjPo7Cc1Ji2pz7DWVvVJ5EjiUaHh update cdneurops[.]health\r\nWallet 1BqY56No1LR64AGcog4mF54UTPnjrPAPHz update mastiakele[.]cyou\r\nWallet 1CfevVPC8cSpFf7QKQwShrFgQYfyQaoXhc update mastiakele[.]cyou\r\nWallet 14XZhcCJDguZuZF4p13tfLXJ6puudY7gqs update zaoshanghaoz[.]net\r\nWallet 1NX7zTP6C4oGj2y3DaJTrg26AGFWExvYnr update mastiakele[.]icu\r\nWallet 1Mz2b2onxnAYhJTJQoGHdSBy6wu2HpufVR update\r\nmastiakele[.]ae[.]org\r\nWallet 1MuJwQKLQKt1VCBQ9u1RtepW7sDD3AwRE6 update zaoshang[.]ooo\r\nWallet 19RzEN3pqHvgRHGMjjtYCqjVTXt8bnHkK3 update cdntokiog[.]studio\r\nWallet 1CzetoTU29WbhNy1UozrQpxuFuCVxffbTd update cdntokiog[.]studio\r\nWallet 1HSC8Yt2yjuFUSGpUfJnwLMr4HzNxV3dvP` update zaoshang[.]moscow\r\nWallet 15nWGFaodg3efVKATgsaaSPU2TxSbiMHcP update окрф[.]рф\r\nWallet 1LQ2EPBwPqdbmXwN6RodPS4xqcm8EtPcaB update zaoshang[.]ru\r\nWallet 1HzJkTn6Z5nDrgbR6dHVBDVtsRYqwDmGzN update zaoshanghao[.]su\r\n2022-\r\n10-28\r\nCertificate\r\nTransparency\r\nLet’s encrypt certificate registration\r\n2022-\r\n10-28\r\nBlockchain\r\nWallet 1BL6NZSoXtMSdquRmePDUCQxFaXtLLSVWG update\r\nduniadekho[.]bar\r\nhttps://www.nozominetworks.com/blog/tracking-malicious-glupteba-activity-through-the-blockchain/\r\nPage 4 of 20\n\nDate Source Description\r\n2022-\r\n10-27\r\nPassive DNS\r\nDomain registration cdneurops[.]pics mastiakele[.]icu mastiakele[.]xyz\r\ncdneurops[.]buzz cdneurops[.]shop zaoshanghaoz[.]net cdneurop[.]cloud\r\ncdneurops[.]health mastiakele[.]cyou mastiakele[.]ae[.]org zaoshang[.]ooo\r\ncdntokiog[.]studio zaoshang[.]moscow окрф[.]рф zaoshang[.]ru zaoshanghao[.]su\r\nduniadekho[.]bar\r\n2022-\r\n10-26\r\nBlockchain Wallet 1KfLXEveeDEi58wvuBBxuywUA1V66F5QXK update checkpos[.]net\r\n2022-\r\n10-25\r\nPassive DNS Domain registration checkpos[.]net\r\n2022-\r\n10-01\r\nPassive DNS Domain registration 
revouninstaller[.]homes\r\n2022-\r\n09-30\r\nBlockchain Wallet 1HzJkTn6Z5nDrgbR6dHVBDVtsRYqwDmGzN update tmetres[.]com\r\n2022-\r\n09-28\r\nPassive DNS Domain registration tmetres[.]com\r\n2022-\r\n08-12\r\nBlockchain\r\nWallet 1BL6NZSoXtMSdquRmePDUCQxFaXtLLSVWG update\r\n3ebu257qh2dlauxqj7cgv3i55e4orb55mwgqf4tq7eicsa3dfhr4aaid[.]onion\r\nWallet 1HzJkTn6Z5nDrgbR6dHVBDVtsRYqwDmGzN update\r\nyeug3c6mnwocixwlotka4nwo3fjtfic65o4psmpxvrdul5q7dgjmsvad[.]onion\r\n2022-\r\n08-12\r\nPassive DNS Domain registration getyourgift[.]life\r\n2022-\r\n07-04\r\nBlockchain\r\nWallet 1Cxy9e6KtHtBJrQwCwpKgcyp6dhncx6eNh update\r\nx4l2doee6uhhf3lqjvjodgqtxsjvwbkdqyldhwyhwkhf4y23aqq7jayd[.]onion\r\nWallet 1HSC8Yt2yjuFUSGpUfJnwLMr4HzNxV3dvP update\r\nbihgkrr546ctjdn4mwr7x4bhvwz55sftx6xir6cwlfo6rhppd2eu7syd[.]onion\r\n2022-\r\n06-09\r\nBlockchain\r\nWallet 1CzetoTU29WbhNy1UozrQpxuFuCVxffbTd update\r\nx4l2doee6uhhf3lqjvjodgqtxsjvwbkdqyldhwyhwkhf4y23aqq7jayd.onion\r\n2022-\r\n06-07\r\nBlockchain\r\nWallet 1CzetoTU29WbhNy1UozrQpxuFuCVxffbTd update\r\nx4l2doee6uhhf3lqjvjodgqtxsjvwbkdqyldhwyhwkhf4y23aqq7jayd.onion\r\n2022-\r\n06-06\r\nBlockchain Wallet 1AuWUMtjPo7Cc1Ji2pz7DWVvVJ5EjiUaHh update\r\nc43tnmrkzfmkjyd3j4v6xbyrd67q6pskzy67dwkzj36uoqwpoju2loyd.onion\r\nWallet 1CfevVPC8cSpFf7QKQwShrFgQYfyQaoXhc update\r\n2pkktxkf3gnpcjh2bhi62arz2ieyjgxocb3jne3kc2nu2yvyxqq23nad.onion\r\nhttps://www.nozominetworks.com/blog/tracking-malicious-glupteba-activity-through-the-blockchain/\r\nPage 5 of 20\n\nDate Source Description\r\nWallet 1BrEshrz6gVbVuHGBgJ5GuHBvC2sdoeTAJ update\r\nyeug3c6mnwocixwlotka4nwo3fjtfic65o4psmpxvrdul5q7dgjmsvad.onion\r\nWallet 19RzEN3pqHvgRHGMjjtYCqjVTXt8bnHkK3 update\r\ndg2sz7pxs7llf2t25fsbutlvvrjij4pmojugn75cmxnvoshmju6dzcad.onion\r\nWallet 1HSC8Yt2yjuFUSGpUfJnwLMr4HzNxV3dvP update\r\nc43tnmrkzfmkjyd3j4v6xbyrd67q6pskzy67dwkzj36uoqwpoju2loyd.onion\r\nWallet 1BqY56No1LR64AGcog4mF54UTPnjrPAPHz update\r\n2pkktxkf3gnpcjh2bhi62arz2ieyjgxocb3jne3kc2nu2yvyxqq23nad.onion\r\nWallet 
1LQ2EPBwPqdbmXwN6RodPS4xqcm8EtPcaB update\r\ndg2sz7pxs7llf2t25fsbutlvvrjij4pmojugn75cmxnvoshmju6dzcad.onion\r\nWallet 15nWGFaodg3efVKATgsaaSPU2TxSbiMHcP update\r\npapmcl4r32awafck75y5446n252qqqq4h6c4y2slaayposrtfbcebdqd.onion\r\nWallet 14XZhcCJDguZuZF4p13tfLXJ6puudY7gqs update\r\nc43tnmrkzfmkjyd3j4v6xbyrd67q6pskzy67dwkzj36uoqwpoju2loyd.onion\r\n2022-\r\n06-03\r\nBlockchain\r\nWallet 1Mz2b2onxnAYhJTJQoGHdSBy6wu2HpufVR update\r\n2pkktxkf3gnpcjh2bhi62arz2ieyjgxocb3jne3kc2nu2yvyxqq23nad.onion\r\nWallet update 1MuJwQKLQKt1VCBQ9u1RtepW7sDD3AwRE6\r\ndg2sz7pxs7llf2t25fsbutlvvrjij4pmojugn75cmxnvoshmju6dzcad.onion\r\nWallet update 14XZhcCJDguZuZF4p13tfLXJ6puudY7gqs\r\npapmcl4r32awafck75y5446n252qqqq4h6c4y2slaayposrtfbcebdqd.onion\r\nWallet update 1HzJkTn6Z5nDrgbR6dHVBDVtsRYqwDmGzN\r\nyeug3c6mnwocixwlotka4nwo3fjtfic65o4psmpxvrdul5q7dgjmsvad.onio\r\nWallet 1Cxy9e6KtHtBJrQwCwpKgcyp6dhncx6eNh update\r\nyeug3c6mnwocixwlotka4nwo3fjtfic65o4psmpxvrdul5q7dgjmsvad.onio\r\n2022-\r\n06-01\r\nBlockchain\r\nWallet 1KfLXEveeDEi58wvuBBxuywUA1V66F5QXK update\r\ndg2sz7pxs7llf2t25fsbutlvvrjij4pmojugn75cmxnvoshmju6dzcad.onion\r\nWallet 1CzetoTU29WbhNy1UozrQpxuFuCVxffbTd update\r\nmaesvpovrwqfaqjw44bbeb2w62h6n7eyosbeit7rfrrdbyjymqaxfryd.onion\r\n2021-\r\n12-29\r\nBlockchain Wallet 1CUhaTe3AiP9Tdr4B6wedoe9vNsymLiD97  update dafflash[.]com\r\n2021-\r\n12-27\r\nBlockchain Domain registration dafflash[.]com\r\n2021-\r\n12-25\r\nBlockchain Wallet 1CUhaTe3AiP9Tdr4B6wedoe9vNsymLiD97 update filimaik[.]com\r\n2021-\r\n12-13\r\nBlockchain\r\nWallet 12EfzLra6LttQ8RWvBTDzJUjYE6eRxx4TY update\r\n7owe32rodnp3vnx2ekqncoegxolkmb3m2fex5zu6i2bg7ktivhwvczqd.onion\r\nhttps://www.nozominetworks.com/blog/tracking-malicious-glupteba-activity-through-the-blockchain/\r\nPage 6 of 20\n\nDate Source Description\r\n2021-\r\n12-12\r\nBlockchain\r\nWallet 12EfzLra6LttQ8RWvBTDzJUjYE6eRxx4TY update\r\nr5vg4h5rlwmo6oa3p3vlckuvf5na2wb2tnqbsbkivhrhlyze6czlpjad.onion\r\n2021-\r\n12-10\r\nPassive DNS Domain registration 
godespra[.]com filimaik[.]com\r\n2021-\r\n12-09\r\nBlockchain Wallet 1CUhaTe3AiP9Tdr4B6wedoe9vNsymLiD97 update mydomelem.com\r\n2021-\r\n12-08\r\nBlockchain Wallet 1HjoomvzjtvZdbznoEijTNAkMjmsFba9fY update nameiusr.com\r\n2021-\r\n12-07\r\nBlockchain Wallet 1CUhaTe3AiP9Tdr4B6wedoe9vNsymLiD97 update younghil.com\r\n2021-\r\n12-06\r\nPassive DNS Domain registration mydomelem.com nameiusr.com younghil.com\r\n2021-\r\n11-09\r\nBlockchain Wallet 1GLjCyG3fDf7vT3SxwtEUx7Z2w2UQrR3FU update newcc[.]com\r\n2021-\r\n10-19\r\nBlockchain Wallet 1CgPCp3E9399ZFodMnTSSvaf5TpGiym2N1 update nisdably[.]com\r\n2021-\r\n10-13\r\nBlockchain Wallet 1CUhaTe3AiP9Tdr4B6wedoe9vNsymLiD97 update tyturu[.]com\r\n2021-\r\n10-11\r\nPassive DNS Domain registration tyturu[.]com\r\n2021-\r\n03-28\r\nPassive DNS Domain registration nisdably[.]com\r\n2020-\r\n05-13\r\nBlockchain Wallet 15y7dskU5TqNHXRtu5wzBpXdY5mT4RZNC6 update maxbook[.]space\r\n2020-\r\n05-07\r\nBlockchain Wallet 1CgPCp3E9399ZFodMnTSSvaf5TpGiym2N1 update easywbdesign[.]com\r\n2020-\r\n04-08\r\nBlockchain Wallet 1CgPCp3E9399ZFodMnTSSvaf5TpGiym2N1 update sndvoices[.]com\r\n2020-\r\n04-02\r\nPassive DNS Domain registration easywbdesign[.]com sndvoices[.]com\r\nhttps://www.nozominetworks.com/blog/tracking-malicious-glupteba-activity-through-the-blockchain/\r\nPage 7 of 20\n\nDate Source Description\r\n2020-\r\n03-28\r\nBlockchain\r\nWallet 15y7dskU5TqNHXRtu5wzBpXdY5mT4RZNC6 update myinfoart[.]xyz\r\nWallet 15y7dskU5TqNHXRtu5wzBpXdY5mT4RZNC6 update gfixprice[.]xyz\r\nWallet 15y7dskU5TqNHXRtu5wzBpXdY5mT4RZNC6 update getfixed[.]xyz\r\n2020-\r\n03-15\r\nPassive DNS Domain registration maxbook[.]space\r\n2020-\r\n02-17\r\nBlockchain\r\nWallet 15y7dskU5TqNHXRtu5wzBpXdY5mT4RZNC6 update\r\nanotheronedom[.]com\r\n2020-\r\n02-17\r\nPassive DNS Domain Registration anotheronedom[.]com\r\n2020-\r\n02-14\r\nBlockchain\r\nWallet 15y7dskU5TqNHXRtu5wzBpXdY5mT4RZNC6 update\r\nsleepingcontrol[.]com\r\n2020-\r\n01-24\r\nBlockchain Wallet 
15y7dskU5TqNHXRtu5wzBpXdY5mT4RZNC6 update robotatten[.]com\r\n2020-\r\n01-23\r\nBlockchain Wallet 34RqywhujsHGVPNMedvGawFufFW9wWtbXC update robotatten[.]com\r\n2020-\r\n01-23\r\nPassive DNS Domain registration sleepingcontrol[.]com robotatten[.]com\r\n2019-\r\n06-19\r\nBlockchain\r\nWallet 15y7dskU5TqNHXRtu5wzBpXdY5mT4RZNC6 update\r\nvenoxcontrol[.]com\r\n2019-\r\n06-14\r\nPassive DNS Domain registration venoxcontrol[.]com\r\nThe 4 Glupteba Campaigns\r\nWe have been able to identify 15 Glupteba bitcoin addresses spanning over 4 years and what we believe to be 4\r\ndifferent campaigns.\r\nCampaign 1\r\nThe oldest wave seems to have started in June 2019. Back then, only a single Bitcoin address was used to\r\ndistribute the malicious domains. This also corroborates what Google found in its lawsuit against two\r\nGlupteba operators.\r\nAddress | First seen | Last seen | Transactions | Number of samples\r\n15y7dskU5TqNHXRtu5wzBpXdY5mT4RZNC6 | 2019-06-17 15:51 | 2020-05-13 13:02 | 16 | 54\r\nFigure 4 shows a graph of the address transactions. We can see the OP_RETURN transactions, like 3Jt2U, where\r\nthe funds bounce back to the 15y7d address. Interestingly, all the remaining $36.18 on the 15y7d address were sent\r\nto the address 3Jwj7 in February 2020. No activity has been observed at that address since then.\r\nFigure 4. The graph shows the transactions to and from the address involved in the 2019 campaign.\r\nCampaign 2\r\nThe second wave seems to have started in April 2020; this time, two Bitcoin addresses were used to distribute the\r\nmalicious C2 domains. Interestingly, we did not find any samples using the second address; it could be a testing\r\naddress to ensure the Glupteba variants were behaving as expected. 
In addition, the domain distributed via the\r\nsupposed testing address, deepsound[.]live, has not been seen in any other transactions we were able to find\r\nacross both addresses. It could also be that we are simply missing some samples.\r\nAddress | First seen | Last seen | Transactions | Number of samples\r\n1CgPCp3E9399ZFodMnTSSvaf5TpGiym2N1 | 2020-04-08 18:28 | 2021-10-19 17:28 | 11 | 87\r\n1bRfcRZVws98j3QQEZxrgRVd15vVF6zSU | 2020-04-08 14:21 | 2020-04-08 15:49 | 2 | 0\r\nHere the same pattern can be observed on the main address 1CgPC: after a period of activity, the remaining funds,\r\naccounting for $28.45, were transferred back to some vendor or merchant in November 2021. At the supposed test\r\nBitcoin address, the funds were not transferred and remain on the account to this day, for a balance of $76.80.\r\nFigure 5 shows the transactions to and from both addresses.\r\nFigure 5. The graph shows the transactions to and from the addresses involved in the 2020 Glupteba\r\ncampaign.\r\nCampaign 3\r\nThe third campaign started in November 2021; the number of bitcoin addresses used to deliver malicious domains\r\ndoubled, from 2 in 2020 to 4 in 2021. This campaign was the shortest of all, with a lifespan of only about two\r\nmonths. We believe this is likely due to Google's efforts to take the botnet down: about a year ago, Google\r\nfiled a lawsuit against two Glupteba operators, and several actions were taken to disrupt the botnet operations. 
This\r\nis also the first time TOR hidden services were used as command-and-control servers by Glupteba.\r\nAddress | First seen | Last seen | Transactions | Number of samples\r\n1CUhaTe3AiP9Tdr4B6wedoe9vNsymLiD97 | 2021-10-13 15:20 | 2021-12-29 10:15 | 12 | 77\r\n12EfzLra6LttQ8RWvBTDzJUjYE6eRxx4TY | 2021-12-12 21:38 | 2021-12-13 21:14 | 3 | 3\r\n1HjoomvzjtvZdbznoEijTNAkMjmsFba9fY | 2021-12-08 15:57 | 2021-12-08 17:12 | 2 | 17\r\n1GLjCyG3fDf7vT3SxwtEUx7Z2w2UQrR3FU | 2021-11-09 12:22 | 2021-11-09 12:49 | 2 | 0\r\nGlupteba operators used four wallets, with the most active one being 1CUha, as shown in Figure 6. Again, there\r\nwere no funds left on the Bitcoin addresses. 1CUha is also the oldest address in this campaign and the one\r\nwith the highest number of transactions. Interestingly, we were not able to find a single sample referring to the\r\naddress 1GLjC, which we believe could have been used for testing the malware, as in 2020. The domain it distributed,\r\nnewcc[.]com, was also not registered at the time, which could indicate that it was used in a testing environment, or we\r\ncould be missing some samples.\r\nFigure 6. The graph shows the transactions to and from the addresses involved in the 2021 Glupteba\r\ncampaign.\r\nCampaign 4\r\nThe latest and ongoing campaign started in June 2022, 6 months after the Google lawsuit, and this time the\r\nnumber of malicious bitcoin addresses increased significantly. We believe this is due to several factors. First,\r\nhaving more Bitcoin addresses makes the job of security researchers more complicated. Second, it demonstrates that the Google\r\nlawsuit did not have a major effect on their Glupteba operations. 
For this campaign, we were not able to find any\r\nsamples for 3 of the addresses we gathered. We believe these addresses are not meant for testing, as they distribute\r\nsome domains also found in other Bitcoin addresses for which we did find samples. In addition, there was a tenfold\r\nincrease in TOR hidden services being used as C2 servers compared to the 2021 campaign.\r\nAddress | First seen | Last seen | Transactions | Number of samples\r\n1KfLXEveeDEi58wvuBBxuywUA1V66F5QXK | 2022-06-01 14:16 | 2022-11-08 11:54 | 11 | 1197\r\n1LQ2EPBwPqdbmXwN6RodPS4xqcm8EtPcaB | 2022-06-03 13:59 | 2022-10-29 11:29 | 4 | 6\r\n1MuJwQKLQKt1VCBQ9u1RtepW7sDD3AwRE6 | 2022-06-03 15:02 | 2022-10-29 11:37 | 4 | 6\r\n1Mz2b2onxnAYhJTJQoGHdSBy6wu2HpufVR | 2022-06-03 14:33 | 2022-10-29 11:40 | 5 | 3\r\n1NX7zTP6C4oGj2y3DaJTrg26AGFWExvYnr | 2022-06-06 14:10 | 2022-10-29 12:07 | 6 | 6\r\n14XZhcCJDguZuZF4p13tfLXJ6puudY7gqs | 2022-06-03 14:56 | 2022-10-29 12:03 | 8 | 12\r\n15nWGFaodg3efVKATgsaaSPU2TxSbiMHcP | 2022-06-03 14:34 | 2022-10-29 11:30 | 6 | 48\r\n19RzEN3pqHvgRHGMjjtYCqjVTXt8bnHkK3 | 2022-06-06 13:51 | 2022-10-29 11:37 | 4 | 6\r\n1AuWUMtjPo7Cc1Ji2pz7DWVvVJ5EjiUaHh | 2022-06-06 14:04 | 2022-10-29 11:43 | 4 | 3\r\n1BL6NZSoXtMSdquRmePDUCQxFaXtLLSVWG | 2022-06-07 08:51 | 2022-10-28 10:51 | 4 | 3\r\n1BqY56No1LR64AGcog4mF54UTPnjrPAPHz | 2022-06-04 07:59 | 2022-10-29 11:41 | 4 | 3\r\n1BrEshrz6gVbVuHGBgJ5GuHBvC2sdoeTAJ | 2022-06-04 02:35 | 2022-10-29 11:42 | 4 | 3\r\n1CfevVPC8cSpFf7QKQwShrFgQYfyQaoXhc | 2022-06-06 14:05 | 2022-10-29 12:10 | 6 | 3\r\n1HzJkTn6Z5nDrgbR6dHVBDVtsRYqwDmGzN | 2022-06-03 13:55 | 2022-10-29 11:28 | 8 | 3\r\n1HSC8Yt2yjuFUSGpUfJnwLMr4HzNxV3dvP | 2022-06-06 13:58 | 2022-10-29 11:33 | 6 | 0\r\n1Cxy9e6KtHtBJrQwCwpKgcyp6dhncx6eNh | 2022-06-03 14:05 | 2022-07-04 16:07 | 4 | 0\r\n1CzetoTU29WbhNy1UozrQpxuFuCVxffbTd | 2022-05-31 15:19 | 2022-10-29 12:04 | 8 | 0\r\nThe transaction graphs shown in Figure 7, involving the addresses used in the 2022 campaign, show the upscaling\r\nof the operations since 2019. Lastly, we traced these transactions back even further, and we believe that at least\r\nfive different merchants and exchanges were used to fund the Glupteba addresses since 2019.\r\nFigure 7. The graph shows the transactions to and from the addresses involved in the 2022\r\ncampaign.\r\nConclusion\r\nIn this blog, we have shown how Glupteba can be hunted by following blockchain transactions and TLS certificate\r\nregistrations, and by reverse engineering samples. We also had a look at how the blockchain can be used to store\r\narbitrary data and how threat actors leverage this in the wild. In addition, we tried to shed some light on the\r\nGlupteba campaigns over the years. In terms of resilience, we have seen how the actions Google took to disrupt\r\nthe Glupteba botnet had an impact on the 2021 campaign, which we believe ended abruptly. Even though Google\r\nrecently won a favorable ruling, which we hoped would inflict a severe blow to Glupteba operations,\r\nalmost a year later we can say it most likely did not. 
Indeed, it took Glupteba about six months to build a new\r\ncampaign from scratch and distribute it in the wild, and this time on a much larger scale.\r\nFor defenders and responders, we strongly suggest blocking blockchain-related domains like blockchain.info but\r\nalso Glupteba known C2 domains in your environment. We also recommend monitoring DNS logs and keeping\r\nthe antivirus software up to date to help prevent a potential Glupteba infection.\r\nSource: https://www.nozominetworks.com/blog/tracking-malicious-glupteba-activity-through-the-blockchain/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.nozominetworks.com/blog/tracking-malicious-glupteba-activity-through-the-blockchain/"
	],
	"report_names": [
		"tracking-malicious-glupteba-activity-through-the-blockchain"
	],
	"threat_actors": [],
	"ts_created_at": 1775434376,
	"ts_updated_at": 1775826726,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4b09c6ee754f978c23ce875b0b1df660a4a32877.pdf",
		"text": "https://archive.orkl.eu/4b09c6ee754f978c23ce875b0b1df660a4a32877.txt",
		"img": "https://archive.orkl.eu/4b09c6ee754f978c23ce875b0b1df660a4a32877.jpg"
	}
}