{
	"id": "3a397223-e431-4155-aa27-4e6f98971b99",
	"created_at": "2026-04-06T00:21:28.290931Z",
	"updated_at": "2026-04-10T03:38:10.013854Z",
	"deleted_at": null,
	"sha1_hash": "4c49a98c5529e840eb2bc50e9c9ecf958d868afc",
	"title": "Grandstream and DrayTek Devices Exploited to Power New Hoaxcalls DDoS Botnet",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3291220,
	"plain_text": "Grandstream and DrayTek Devices Exploited to Power New\r\nHoaxcalls DDoS Botnet\r\nBy Ken Hsu, Haozhe Zhang, Zhibin Zhang, Ruchna Nigam\r\nPublished: 2020-04-03 · Archived: 2026-04-05 23:39:31 UTC\r\nExecutive Summary\r\nAs soon as the proof-of-concept (PoC) for CVE-2020-8515 was made publicly available in March, this\r\nvulnerability was employed by a new DDoS botnet for propagation. Further analysis shows that this malware can\r\nalso propagate by exploiting CVE-2020-5722. As of now, the attack traffic detected has doubled since 03/31/2020,\r\nimplying that many Grandstream UCM6200 and Draytek Vigor devices are infected or under active attack. We\r\nnotified regional CERTs of potentially infected devices identified during our research prior to publication in an\r\neffort to help with awareness and remediation. The Grandstream devices are IP-based business telephone systems,\r\nwhereas the Draytek devices are routers. \r\nBoth CVE-2020-8515 and CVE-2020-5722 have a critical rating (i.e. a CVSS v3.1 score of 9.8 out of 10) due to\r\ntheir trivial-to-exploit nature. Once exploited, the attacker can execute arbitrary commands on the vulnerable\r\ndevice. It’s not surprising that threat actors add these exploits to their arsenals and start wreaking havoc in\r\nthe Internet of Things (IoT) realm. While Palo Alto Networks customers are protected from such ongoing\r\ninfections, they are still advised to apply patches as soon as possible.\r\nThe malware, which we have dubbed “Hoaxcalls” after the name of the IRC channel used for command and control (C2)\r\ncommunications, is built on the Gafgyt/Bashlite malware family codebase and is capable of launching\r\na variety of DDoS attacks based on the C2 commands received. 
In addition to its advanced DDoS capabilities,\r\nHoaxcalls is also capable of propagation by exploiting the aforementioned critical vulnerabilities.\r\nDDoS Bot - Hoaxcalls\r\nHoaxcalls is a DDoS bot that communicates with its C2 server over IRC. It has various DDoS attack capabilities\r\nbased on the choice of the C2 operator. Upon reception of a proper C2 command, it can propagate by scanning\r\nand infecting vulnerable devices using CVE-2020-8515 and CVE-2020-5722 exploits.\r\nUpon execution, Hoaxcalls initializes a message table, XOR-decrypts a specific message based on its corresponding\r\nindex, fetches and prints the message to the console, and then encrypts the decrypted message again. The index of\r\nthe encrypted string is 0x21, and the decrypted message is hubnr and vbrxmr was here.\r\nThe encryption scheme used is the standard byte-wise XOR seen in most Mirai variants, with the exception\r\nof the use of 5 (instead of a single) 8-byte table keys:\r\n0x1337C0D3\r\n0x0420A941\r\nhttps://unit42.paloaltonetworks.com/new-hoaxcalls-ddos-botnet/\r\nPage 1 of 14\n\n0x4578BEAD\r\n0x0000A10E\r\n0x6531A466\r\nBecause every byte of every key is XOR-ed into each data byte, this is effectively the equivalent of XOR-ing each byte\r\nof the encrypted strings with 0xEC (the XOR of all the key bytes above). A similar use of\r\nmultiple XOR keys was observed in a previous variant.\r\nTable 1 below shows the complete list of the decrypted strings and their corresponding indices. 
The decrypted\r\nstring at index 0x1 is used in rand_alpha_str(), and the strings with indices 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9,\r\nand 0xa are used when the malware starts the watchdog process.\r\nTable Index Decrypted String\r\n0x21 hubnr and vbrxmr was here\r\n0x1 afsadhgqegtx5425\r\n0x2 /dev/watchdog\r\n0x3 /dev/misc/watchdog\r\n0x4 /sbin/watchdog\r\n0x5 /bin/watchdog\r\n0x6 /dev/FTWDT101_watchdog\r\n0x7 /dev/FTWDT101/watchdog\r\n0x8 /dev/watchdog0\r\n0x9 /etc/default/watchdog\r\n0xa /etc/watchdog\r\n0xd /dev/netslink/\r\n0xe STD\r\n0xf /usr/bin/python\r\n0x11 /status\r\n0x12 /proc/\r\n0x13 /exe\r\n0x14 /fd\r\n0x15 /proc/net/tcp\r\n0x16 /maps\r\n0x17 /mnt/\r\n0x18 /root/\r\n0x19 /tmp/\r\n0x1a /var/\r\n0x1b /home/\r\n0x1c UPX!\r\n0x1d PR_SET_NAME\r\n0x1e /cmdline\r\nTable 1. Decoded credentials and commands\r\nThe bot then connects to its C2 server 178[.]32[.]148[.]5 on TCP port 1337 over IRC. The C2’s IRC channel is\r\n#hellroom. The nick, ident, and user are strings of length 13 that always start with XTC|, followed by 9 random\r\ncharacters. The following figure shows the bot’s communication with its C2 server over IRC.\r\nFigure 1. Connect to its C2 over IRC\r\nBased on the command received from its C2 server, Hoaxcalls carries out different kinds of operations. The\r\nfollowing tables show the bot’s supported commands as well as the kinds of DDoS attacks Hoaxcalls has employed.\r\nBot Commands Description\r\n352 set spoof IP addr\r\n376 report nickname, channel, and the key\r\n433 reset nickname with a new random string\r\n422 same as command 376\r\nPRIVMSG handle flooder command\r\nPING respond with a PONG message\r\nNICK assign nickname with a designated value\r\nTable 2. 
Bot’s supported commands\r\nFlooder Commands Description\r\nUDP launch UDP flood against specified target\r\nHEX launch HEX flood against specified target\r\nDNS launch DNS flood against specified target\r\nDRAYTEK scan and infect other Draytek devices by exploiting CVE-2020-8515\r\nUCM scan and infect other Grandstream UCM devices by exploiting CVE-2020-5722\r\nHELP display command usage\r\nRULES display rules to follow when using the botnet\r\nINFO display a brief intro about the bot\r\nTable 3. Flooder commands\r\nFigures 2 and 3 below show the exploit code used when the bot scans for and infects potentially\r\nvulnerable victims.\r\nFigure 2. CVE-2020-8515 exploit in Hoaxcalls group 1\r\nFigure 3. CVE-2020-5722 exploit in Hoaxcalls group 1\r\nThe flooder commands described above are based on Hoaxcalls samples in group 1. We have found other groups\r\nof variants that are essentially the same in terms of capabilities, despite a few nuances here and there. For\r\nexample, the Hoaxcalls samples in group 1 employ the Draytek and UCM scanning functionalities as part of their C2\r\nflooder command set. The samples in groups 2 and 3, however, move the propagation functionalities out of the\r\nflooder commands and instead start infecting vulnerable UCM and Draytek devices upon execution. The\r\nmalicious requests sent during the infection phase are also a bit different. The figures below show the differences\r\nbetween samples from the different groups.\r\nFigure 4. CVE-2020-8515 exploit in Hoaxcalls group 2\r\nFigure 5. CVE-2020-5722 exploit in Hoaxcalls group 2\r\nFigure 6. CVE-2020-8515 exploit in Hoaxcalls group 3\r\nFigure 7. CVE-2020-5722 exploit in Hoaxcalls group 3\r\nFigure 8. 
Comparison of samples’ main()\r\nVulnerability Analysis\r\nCVE-2020-8515\r\nThe executable /www/cgi-bin/mainfunction.cgi doesn’t properly filter the keyPath parameter during\r\nauthentication, resulting in exploitable command injection. The attacker can prepend the payload with special\r\ncharacters like %27%0A to bypass the check and achieve pre-authentication command execution. The\r\nvulnerability has been observed being exploited in the wild since December last year.\r\nCVE-2020-5722\r\nThe system doesn’t properly validate the user_name parameter, resulting in SQL injection when the Forgot\r\nPassword feature queries the backend SQLite database and invokes sendMail.py via popen(). The attacker can\r\nprovide a default username such as admin followed by specific SQL strings and shell metacharacters (' or 1=1-- ;),\r\neffectively turning this vulnerability into command execution. According to this advisory, this vulnerability can\r\nalso be exploited through HTML injection. The first exploitation method is the one observed in current ongoing attacks.\r\nExploit in the Wild\r\nOur Next-Generation Firewall caught the first incident of CVE-2020-8515 exploitation on March 31, 2020 at\r\n13:51 (UTC). In addition to this attack, several bots’ attempts to propagate by exploiting CVE-2020-5722 were also\r\ncaught by our firewall. In the case of CVE-2020-8515 exploitation, the threat actor attempted to download a shell\r\nscript to the tmp directory and execute the downloaded script, as shown in Figure 9. In the case of CVE-2020-\r\n5722 exploitation, the payload only downloads an arm7 binary and executes it, as shown in Figure 10.\r\nFigure 9. CVE-2020-8515 exploit spotted in the wild\r\nFigure 10. CVE-2020-5722 exploit spotted in the wild\r\nThe following figure shows the content of the downloaded shell script sh. 
Upon execution, the sh script\r\ndownloads builds of the DDoS bot for different architectures and runs the downloaded binaries. None of the samples was\r\navailable on VirusTotal at the time of our discovery; however, many of them were uploaded to VirusTotal not long\r\nafter. More and more attack traffic is being detected at the time of writing, indicating that many devices are\r\nprobably infected already.\r\nFigure 11. Shell script that downloads and launches the bots\r\nConclusion and Mitigation\r\nHoaxcalls, a new DDoS botnet, is actively exploiting two vulnerabilities which have wide exposure in\r\nenvironments around the world. These same vulnerabilities are also actively being exploited in additional attacks,\r\naccording to other security research organizations. Unfortunately, they are also easily exploited and lead to remote\r\ncode execution; as such we advise everyone to patch as soon as possible. \r\nPalo Alto Networks customers are protected from the aforementioned vulnerabilities by the following products\r\nand services:\r\nNext-Generation Firewalls with a Threat Prevention license can block the attacks with best practice via\r\nThreat Prevention signatures 57897 and 57892.\r\nWildFire can stop the malware with static signature detections.\r\nPAN-DB blocks malicious malware domains.\r\nIoCs\r\nFile (Sha256)\r\nNetwork\r\n178[.]32[.]148[.]5:1337 (Command and Control)\r\n18[.]185[.]109[.]135:1337 (Command and Control)\r\n192[.]3[.]45[.]185 (Malware Hosting Server)\r\n164[.]132[.]92[.]180 (Malware Hosting Server)\r\nirc[.]hoaxcalls[.]pw (Malware Hosting Server)\r\nSource: https://unit42.paloaltonetworks.com/new-hoaxcalls-ddos-botnet/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/new-hoaxcalls-ddos-botnet/"
	],
	"report_names": [
		"new-hoaxcalls-ddos-botnet"
	],
	"threat_actors": [
		{
			"id": "cf7fc640-acfe-41c4-9f3d-5515d53a3ffb",
			"created_at": "2023-01-06T13:46:38.228042Z",
			"updated_at": "2026-04-10T02:00:02.883048Z",
			"deleted_at": null,
			"main_name": "APT1",
			"aliases": [
				"PLA Unit 61398",
				"Comment Crew",
				"Byzantine Candor",
				"Comment Group",
				"GIF89a",
				"Group 3",
				"TG-8223",
				"Brown Fox",
				"ShadyRAT",
				"G0006",
				"COMMENT PANDA"
			],
			"source_name": "MISPGALAXY:APT1",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f9806b99-e392-46f1-9c13-885e376b239f",
			"created_at": "2023-01-06T13:46:39.431871Z",
			"updated_at": "2026-04-10T02:00:03.325163Z",
			"deleted_at": null,
			"main_name": "Watchdog",
			"aliases": [
				"Thief Libra"
			],
			"source_name": "MISPGALAXY:Watchdog",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3aaf0755-5c9b-4612-9f0e-e266ef1bdb4b",
			"created_at": "2022-10-25T16:07:23.480196Z",
			"updated_at": "2026-04-10T02:00:04.626125Z",
			"deleted_at": null,
			"main_name": "Comment Crew",
			"aliases": [
				"APT 1",
				"BrownFox",
				"Byzantine Candor",
				"Byzantine Hades",
				"Comment Crew",
				"Comment Panda",
				"G0006",
				"GIF89a",
				"Group 3",
				"Operation Oceansalt",
				"Operation Seasalt",
				"Operation Siesta",
				"Shanghai Group",
				"TG-8223"
			],
			"source_name": "ETDA:Comment Crew",
			"tools": [
				"Auriga",
				"Cachedump",
				"Chymine",
				"CookieBag",
				"Darkmoon",
				"GDOCUPLOAD",
				"GLOOXMAIL",
				"GREENCAT",
				"Gen:Trojan.Heur.PT",
				"GetMail",
				"Hackfase",
				"Hacksfase",
				"Helauto",
				"Kurton",
				"LETSGO",
				"LIGHTBOLT",
				"LIGHTDART",
				"LOLBAS",
				"LOLBins",
				"LONGRUN",
				"Living off the Land",
				"Lslsass",
				"MAPIget",
				"ManItsMe",
				"Mimikatz",
				"MiniASP",
				"Oceansalt",
				"Pass-The-Hash Toolkit",
				"Poison Ivy",
				"ProcDump",
				"Riodrv",
				"SPIVY",
				"Seasalt",
				"ShadyRAT",
				"StarsyPound",
				"TROJAN.COOKIES",
				"TROJAN.FOXY",
				"TabMsgSQL",
				"Tarsip",
				"Trojan.GTALK",
				"WebC2",
				"WebC2-AdSpace",
				"WebC2-Ausov",
				"WebC2-Bolid",
				"WebC2-Cson",
				"WebC2-DIV",
				"WebC2-GreenCat",
				"WebC2-Head",
				"WebC2-Kt3",
				"WebC2-Qbp",
				"WebC2-Rave",
				"WebC2-Table",
				"WebC2-UGX",
				"WebC2-Yahoo",
				"Wordpress Bruteforcer",
				"bangat",
				"gsecdump",
				"pivy",
				"poisonivy",
				"pwdump",
				"zxdosml"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434888,
	"ts_updated_at": 1775792290,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4c49a98c5529e840eb2bc50e9c9ecf958d868afc.pdf",
		"text": "https://archive.orkl.eu/4c49a98c5529e840eb2bc50e9c9ecf958d868afc.txt",
		"img": "https://archive.orkl.eu/4c49a98c5529e840eb2bc50e9c9ecf958d868afc.jpg"
	}
}