{
	"id": "6a3f7b6d-a9a1-4381-b034-dcf10ec8c943",
	"created_at": "2026-04-06T00:14:14.314571Z",
	"updated_at": "2026-04-10T03:21:15.563858Z",
	"deleted_at": null,
	"sha1_hash": "4b3159609cd5eba4be3e22ffb3413c4e8dde1c8a",
	"title": "Fodcha, a new DDos botnet",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1248108,
	"plain_text": "Fodcha, a new DDos botnet\r\nBy Hui Wang\r\nPublished: 2022-04-13 · Archived: 2026-04-05 21:16:43 UTC\r\nOverview\r\nRecently, CNCERT and 360netlab worked together and discovered a rapidly spreading DDoS botnet on the Internet. The global infection looks fairly big: in China alone there are more than 10,000 daily active bots (IPs), and more than 100 DDoS victims are targeted on a daily basis. We named the botnet Fodcha because of its initial use of the C2 domain name folded.in and its use of the chacha algorithm to encrypt network traffic.\r\nBotnet size\r\nFrom March 29 to April 10, 2022, the total number of unique Fodcha bots (IPs) exceeded 62,000, and daily numbers fluctuate around 10,000. A daily breakdown is shown below.\r\nNetlab note:\r\nBased on direct data from the security community that we worked with, the number of daily live bots is more than 56,000.\r\nWhen we look at the domestic data, the top provinces that the bots are coming from are Shandong Province (12.9%), Liaoning Province (11.8%) and Zhejiang Province (9.9%). The service providers that these bots originate from are China Unicom (59.9%), China Telecom (39.4%), and China Mobile (0.5%).\r\nhttps://blog.netlab.360.com/fodcha-a-new-ddos-botnet/\r\nPage 1 of 12\r\nSpread method\r\nFodcha is mainly spreading through the following N-day vulnerabilities and Telnet/SSH weak passwords.\r\nNetlab note:\r\nWe observed that a brute-force cracking tool we named Crazyfia appears on the same downloader server as Fodcha. The scan results of this tool are used by the Fodcha author to install Fodcha samples on the vulnerable devices.\r\nList of main vulnerabilities:\r\nVulnerability | Affected Device/Service\r\nAndroid ADB Debug Server RCE | Android\r\nCVE-2021-22205 | GitLab\r\nCVE-2021-35394 | Realtek Jungle SDK\r\nJAWS Webserver unauthenticated shell command execution | MVPower DVR\r\nLILIN DVR RCE | LILIN DVR\r\nTOTOLINK Routers Backdoor | TOTOLINK Routers\r\nZHONE Router Web RCE | ZHONE Router\r\nSample Analysis\r\nThe Fodcha botnet includes samples targeting mips, mpsl, arm, x86, and other CPU architectures. The Fodcha samples we captured in the past 3 months can be divided into two versions, v1 and v2. Their main functions are almost the same. By cross-referencing the different versions, we can tell that the Fodcha operators are really trying to hide their C2s and load-balance among the C2s.\r\nVersion | Chacha20 | C2 Format | C2 | MAPPING (Domain\u003c--\u003eIP) | MAPPING (IP\u003c--\u003ePORT)\r\nv1 | yes | plaintext | folded.in | 1:N | N:1\r\nv2 | yes | ciphertext | fridgexperts.cc | 1:N | N:10\r\nThe latest v2 x86 sample is selected as the main object of analysis in this post, and its basic information is as follows.\r\nMD5: 8ea56a9fa9b11b15443b369f49fa9719\r\nELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped\r\nPacker: None\r\nFodcha's function is simple. When it executes on the compromised device, it first checks the runtime parameters. When there are no parameters, it exits; Fodcha does this as a simple countermeasure to deter sandboxes. When parameters are present, it first decrypts the key configuration data, which includes sensitive information such as the C2s. It then prints “here we are” on the console and uses a random string to disguise the process name. Finally, communication with the C2 is established. 
The following section will focus on Fodcha's decryption method and network communication.\r\nDecrypting key configurations\r\nFodcha uses a multi-round XOR scheme to protect its key configurations such as C2 data.\r\nThe corresponding Python implementation is shown below, taking the ciphertext EB D3 EB C9 C2 EF F6 FD FD FC FB F1 A3 FB E9 from the sample as an example. After decryption, we get Fodcha's C2: fridgexperts.cc.\r\n# Ciphertext bytes taken from the sample\r\ncipher = [0xEB, 0xD3, 0xEB, 0xC9, 0xC2, 0xEF, 0xF6, 0xFD, 0xFD, 0xFC,\r\n          0xFB, 0xF1, 0xA3, 0xFB, 0xE9]\r\n\r\n# Hard-coded 20-byte key from the sample\r\nkey = [0x66, 0x4A, 0x69, 0x46, 0x4E, 0x61, 0x65, 0x66, 0x73, 0x65,\r\n       0x64, 0x69, 0x66, 0x73, 0x61, 0x69, 0x66, 0x73, 0x69, 0x00]\r\ntmp = []\r\n# Round 1: XOR each ciphertext byte with the key byte at the same index, reduce mod 0xFF, then XOR with 0xBE\r\nfor i in range(len(cipher)):\r\n    tmp.append((cipher[i] ^ key[i]) % 0xff ^ 0xbe)\r\n# Round 2: XOR every intermediate byte with every byte of the key\r\nfor i in range(len(tmp)):\r\n    for j in key:\r\n        tmp[i] ^= j\r\nout = ''.join(chr(i) for i in tmp)\r\nprint(out)  # fridgexperts.cc\r\nNetwork communication\r\nFodcha establishes a connection with the C2 through the following code fragment, in which the IP from the C2 domain's DNS A record is mapped to its PORT in an N:10 relationship.\r\nOnce the connection with the C2 is successfully established, the bot must go through 5 rounds of interaction with the C2 before it can actually communicate with it. 
We use arm as the packet string, which generates the network traffic shown in the following figure.\r\nLet us elaborate on how this traffic is generated:\r\nStep 1: Bot--\u003eC2 (fixed length 5 bytes)\r\nThe TCP/IP checksum of the hard-coded ee 00 00 gives the 2-byte value 0xff11, which is filled into the last 2 bytes.\r\ndef checksum(data):\r\n    # One's-complement (TCP/IP style) checksum over 16-bit little-endian words; data is bytes\r\n    s = 0\r\n    n = len(data) % 2\r\n    for i in range(0, len(data) - n, 2):\r\n        s += data[i] + (data[i + 1] \u003c\u003c 8)\r\n    if n:\r\n        s += data[-1]  # odd trailing byte\r\n    while s \u003e\u003e 16:  # fold carries back into 16 bits\r\n        s = (s \u0026 0xFFFF) + (s \u003e\u003e 16)\r\n    return ~s \u0026 0xFFFF\r\n# checksum(bytes([0xee, 0x00, 0x00])) returns 0xff11\r\nStep 2: C2--\u003eBOT (2 times, the first 32 bytes; the second 12 bytes)\r\nNote that the key and nonce are generated by the C2 side and are not fixed.\r\nThe first 32 bytes are the chacha20 key:\r\n26 14 2d 4d 58 d2 9e 26 67 98 bc e4 ef 69 b9 04\r\ne6 d0 73 17 5c 4f 71 33 9f 97 18 f7 31 8d d4 d6\r\nThe last 12 bytes are the chacha20 nonce:\r\n2f 8a 5c da 57 50 a6 64 d7 98 f5 5d\r\nStep 3: BOT--\u003eC2 (fixed length 5 bytes)\r\nThe checksum 0xffaa of the hard-coded 55 00 00 is filled into the last 2 bytes, giving 55 00 00 aa ff, which is then encrypted with chacha20 (1 round) to get 99 9e 95 f6 32.\r\nStep 4: C2--\u003eBOT (fixed length 5 bytes)\r\nIf the 5 bytes received begin with 0x55 and their last 2 bytes are the checksum value, the previous interaction was correct; the bot enters Step 5, in which the C2 asks the bot to start sending packet information.\r\nStep 5: Bot--\u003eC2 (2 times, the first 5 bytes, the second the grouping)\r\nFirst time\r\nThe third byte of the hard-coded fe 00 00 is set to the grouping length, giving fe 00 03; its checksum 0xfefe is filled into the tail to get fe 00 03 fe fe.\r\nSecond time\r\nThe grouping string arm is encrypted with chacha20 (1 round) to get ad ec f8.\r\nAt this point the bot is successfully registered and waits to execute the instructions issued by the C2. The instruction codes and their meanings are shown below:\r\n- 0x69, Heartbeat\r\n- 0xEB, DDoS Attack\r\n- 0xFB, Exit\r\nC2 Tracking\r\nOur botnet tracking system data shows that Fodcha has been launching DDoS attacks non-stop since it came online, with the following trends in attack targets.\r\nAs you can see, the DDoS behavior of this family is very active:\r\nThe most active attack time was on 2022-03-01, with over 130k attack commands recorded.\r\nIn the recent week, the average daily attack command count has exceeded 7k, targeting 100+ DDoS victims.\r\nAt the same time, we can also clearly see from the DNS perspective that the C2 domain of this family switched around 2022-03-19, corresponding to the shift from v1 to v2 in the aforementioned sample analysis section.\r\nNetlab note:\r\nThe shift from v1 to v2 is due to the fact that the C2 servers corresponding to the v1 version were shut down by their cloud vendor, so Fodcha's operators had no choice but to re-launch v2 and update the C2. 
The new C2 is mapped to more than a dozen IPs distributed across multiple countries, including the US, Korea, Japan, and India, and involves more cloud providers, such as Amazon, DediPath, DigitalOcean, Linode, and many others.\r\nIoC\r\nSample Hash (md5)\r\nDownload Links\r\nC2 domain\r\nfolded.in\r\nfridgexperts.cc\r\nReaders are always welcome to reach us on Twitter or by email at netlab at 360 dot cn.\r\nSource: https://blog.netlab.360.com/fodcha-a-new-ddos-botnet/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.netlab.360.com/fodcha-a-new-ddos-botnet/"
	],
	"report_names": [
		"fodcha-a-new-ddos-botnet"
	],
	"threat_actors": [],
	"ts_created_at": 1775434454,
	"ts_updated_at": 1775791275,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4b3159609cd5eba4be3e22ffb3413c4e8dde1c8a.pdf",
		"text": "https://archive.orkl.eu/4b3159609cd5eba4be3e22ffb3413c4e8dde1c8a.txt",
		"img": "https://archive.orkl.eu/4b3159609cd5eba4be3e22ffb3413c4e8dde1c8a.jpg"
	}
}