{
	"id": "11ca0258-321e-40e7-91a6-29811a89146e",
	"created_at": "2026-04-06T00:17:21.730384Z",
	"updated_at": "2026-04-10T13:12:21.075787Z",
	"deleted_at": null,
	"sha1_hash": "4d40a3c0ac3ea2171ad21a3937cef66c85a759be",
	"title": "Stantinko’s Proxy After Your Apache Server",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 796177,
	"plain_text": "Stantinko’s Proxy After Your Apache Server\r\nBy Avigayil Mechtinger\r\nPublished: 2020-11-24 · Archived: 2026-04-05 22:27:44 UTC\r\nIntro\r\nIt is common for threat actors to evolve their Linux malware. BlackTech with their new ELF_PLEAD malware and Winnti’s PWNLNX tool are recent examples. On par with this trend, we have discovered a new version of a Linux proxy trojan related to the Stantinko group. The malware has just one detection in VirusTotal at the time of this publication.\r\nThe Stantinko group is known for targeting Windows operating systems with ongoing campaigns dating back to 2012. The group’s malware mainly consists of coin-miners and adware botnets.\r\nIn a 2017 white paper summarizing Stantinko’s operations, researchers at ESET analyzed a Linux trojan proxy. Up until now, this was the only known Linux malware belonging to Stantinko.\r\nWe have identified a new version of this Linux trojan masquerading as httpd. httpd is the Apache Hypertext Transfer Protocol Server, a commonly used program on Linux servers. The sample’s version is 2.17, and the older version is 1.2*.\r\nWe believe this malware is part of a broader campaign that takes advantage of compromised Linux servers. Below we provide a technical analysis of the malware and compare it to its previous version.\r\nTechnical Analysis\r\nThe new proxy version’s file name is httpd and it has only one detection in VirusTotal at the time of this writing. Figure 1 below depicts the result from VirusTotal. The sample was uploaded on November 7, 2020 from Russia, one of Stantinko’s main target countries. The sample is an unstripped 64-bit ELF binary.\r\nhttps://www.intezer.com/blog/research/stantinkos-proxy-after-your-apache-server/\r\nPage 1 of 8\r\nFigure 1: The sample’s detection report in VirusTotal (7d2a840048f32e487f8a61d7fc1a0c39).\r\nMalware Flow\r\nUpon execution, the malware validates a configuration file which is delivered together with the malware to the infected machine. The malware expects the configuration file to be located at “/etc/pd.d/proxy.conf”. If the configuration file does not exist, or if it lacks the required structure, the malware exits without conducting any additional malicious activity. Figure 2 below is a snippet from the configuration parsing logic. The configurations are stored as key/value pairs.\r\nFigure 2: The ParseConfigElement function is used to parse the configuration file.\r\nThe configuration file is expected to have the following keys: proxy_ip, port, redirect_url, localhost, ip_header and request_header_log_files.\r\nAfter validating and parsing the configuration file structure, the start_demon function is called and the proxy daemonizes itself. Then, it creates a socket and a listener to accept connections from a client. We believe the clients who interact with this Trojan are other infected machines that are part of the campaign. Figure 3 is a snippet taken from the main function, showing the general code flow described above.\r\nFigure 3: Main function flow snippet\r\nOnce a client connects to the listener, the program calls the on_client_connect function. First, it checks if the request method is GET, POST or NOTIFY.\r\nIf the request method is GET, the program replies with a 301 redirect HTTP response containing the redirect_url parameter from the configuration file. This means that if the C\u0026C IP is simply browsed to, for instance in a web browser, the response could be misleading by redirecting to a benign website, leaving no trace of the extra payload that is used in the attack. If the request method is POST or NOTIFY, the malware builds a POST request to send to the C\u0026C server based on the client’s HTTP request headers and content, using the create_post_data function. The program then calls the mysql_server_do_request function, which is in charge of sending the POST request to the C\u0026C. Figure 4 shows a snippet from the on_client_connect function.\r\nFigure 4: Snippet from the on_client_connect function\r\nThe POST request is sent to one of the following paths on the C\u0026C server:\r\n/kbdmai/index.php\r\n/kbdmai/dht/index.php\r\n/kbdmai/DRTIPROV/index.php\r\n/kbdmai/winsvc/index.php\r\n/kbdmai/anti_rstrui/index.php\r\nThe path is selected in the detect_proxy_script function based on the data sent from the client. We believe that each path delivers a different payload as part of the campaign’s attack chain. The C\u0026C IP address is stored as the proxy_ip parameter in the config file. Finally, the proxy forwards the C\u0026C response back to the client. Figure 5 illustrates the attack flow at a high level.\r\nFigure 5: Attack Flow\r\n1. An infected client sends a POST or NOTIFY HTTP request to the proxy\r\n2. The proxy parses the request and passes on a POST request to the attacker’s server\r\n3. The attacker’s server replies to the proxy and the proxy passes on the response to the client\r\n4. A non-infected machine sends a GET request to the proxy\r\n5. The proxy replies with a 301 Redirect to a preconfigured URL\r\nVersions Comparison\r\nWith a nearly three-year difference between the two versions, the trojan proxies serve a similar purpose but they are not identical. In this section we compare versions 1.2* and 2.17 based on three criteria: parameters, functionality, and ELF structure.\r\nParameters\r\nThe new version (2.17) uses a configuration file that is dropped on the victim’s machine together with the malware. The configuration file contains the C\u0026C IP address together with other parameters. In the old version (1.2*) the C\u0026C is hardcoded in the binary, making it easier to block the campaign’s traffic once the binary is detected.\r\nFunctionality\r\nIn addition to the proxy functionality, the old version receives files and self-update commands from the C\u0026C. The new version is simpler in that it only functions as a proxy.\r\nELF Structure\r\nBoth versions 1.2* and 2.17 are unstripped and include debug symbols. The old version is statically linked, whereas the new version is dynamically linked.\r\nThe Stantinko Connection\r\nAfter uploading the file to Intezer Analyze we noticed that the new variant shares several function names with the old one. These functions, such as get_binary_full_path and read_variable_string, are not called statically in the new version. We are almost certain these functions are leftovers from the previous variant.\r\nFigure 6: String reuse between the Linux versions\r\nInterestingly, the C\u0026C paths hint at some of Stantinko’s earlier campaigns based on ESET’s research. An example of the hard-coded paths is shown in Figure 7. The root directory name is kbdmai. “KDBMAI.dll” is a malware filename used by Stantinko in 2012. Also, the malware’s C\u0026C was hosted on kdbmai[.]net. Another interesting directory is DRTIPROV. DRTIPROV is part of a Program Database (pdb) path from one of the group’s Windows malware.\r\nFigure 7: Path hard-coded in the detect_proxy_script function\r\nWrap-Up\r\nStantinko is the latest malware targeting Linux servers to fly under the radar, joining threats such as Doki, IPStorm and RansomEXX.\r\nThe code from the new Stantinko sample is now indexed in Intezer’s Genome Database.\r\nI want to thank Nicole Fishbein and Joakim Kennedy for their contributions to this analysis.\r\nIOCs\r\nNew version: 2.17\r\n1de81bf6ee490b6bebe9f27d5386a48700e8431f902f4f17d64ddc5d8509ca7a\r\nOld version: 1.2*\r\n889aa5a740a3c7441cdf7759d4b1c41c98fd048f4cf7e18fcdda49ea3911d5e5\r\n968b41b6ca0e12ea86e51e0d9414860d13599cd127ad860e1c52c2678f4f2cb9\r\n43a6894d5953b37f92940d5c783c9977690f358b5e25bba8c096fa54657bb2e5\r\na305d488733d50ea92a2794cb6e0aa9d1d176e2c8906305ea48ff503fc2eb276\r\nSource: https://www.intezer.com/blog/research/stantinkos-proxy-after-your-apache-server/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.intezer.com/blog/research/stantinkos-proxy-after-your-apache-server/"
	],
	"report_names": [
		"stantinkos-proxy-after-your-apache-server"
	],
	"threat_actors": [
		{
			"id": "efa7c047-b61c-4598-96d5-e00d01dec96b",
			"created_at": "2022-10-25T16:07:23.404442Z",
			"updated_at": "2026-04-10T02:00:04.584239Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"BlackTech",
				"Canary Typhoon",
				"Circuit Panda",
				"Earth Hundun",
				"G0098",
				"Manga Taurus",
				"Operation PLEAD",
				"Operation Shrouded Crossbow",
				"Operation Waterbear",
				"Palmerworm",
				"Radio Panda",
				"Red Djinn",
				"T-APT-03",
				"TEMP.Overboard"
			],
			"source_name": "ETDA:BlackTech",
			"tools": [
				"BIFROST",
				"BUSYICE",
				"BendyBear",
				"Bluether",
				"CAPGELD",
				"DRIGO",
				"Deuterbear",
				"Flagpro",
				"GOODTIMES",
				"Gh0stTimes",
				"IconDown",
				"KIVARS",
				"LOLBAS",
				"LOLBins",
				"Linopid",
				"Living off the Land",
				"TSCookie",
				"Waterbear",
				"XBOW",
				"elf.bifrose"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2646f776-792a-4498-967b-ec0d3498fdf1",
			"created_at": "2022-10-25T15:50:23.475784Z",
			"updated_at": "2026-04-10T02:00:05.269591Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"BlackTech",
				"Palmerworm"
			],
			"source_name": "MITRE:BlackTech",
			"tools": [
				"Kivars",
				"PsExec",
				"TSCookie",
				"Flagpro",
				"Waterbear"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "75024aad-424b-449a-b286-352fe9226bcb",
			"created_at": "2023-01-06T13:46:38.962724Z",
			"updated_at": "2026-04-10T02:00:03.164536Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"CIRCUIT PANDA",
				"Temp.Overboard",
				"Palmerworm",
				"G0098",
				"T-APT-03",
				"Manga Taurus",
				"Earth Hundun",
				"Mobwork",
				"HUAPI",
				"Red Djinn",
				"Canary Typhoon"
			],
			"source_name": "MISPGALAXY:BlackTech",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3b93ef3c-2baf-429e-9ccc-fb80d0046c3b",
			"created_at": "2025-08-07T02:03:24.569066Z",
			"updated_at": "2026-04-10T02:00:03.730864Z",
			"deleted_at": null,
			"main_name": "BRONZE CANAL",
			"aliases": [
				"BlackTech",
				"CTG-6177 ",
				"Circuit Panda ",
				"Earth Hundun",
				"Palmerworm ",
				"Red Djinn",
				"Shrouded Crossbow "
			],
			"source_name": "Secureworks:BRONZE CANAL",
			"tools": [
				"Bifrose",
				"DRIGO",
				"Deuterbear",
				"Flagpro",
				"Gh0stTimes",
				"KIVARS",
				"PLEAD",
				"Spiderpig",
				"Waterbear",
				"XBOW"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434641,
	"ts_updated_at": 1775826741,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4d40a3c0ac3ea2171ad21a3937cef66c85a759be.pdf",
		"text": "https://archive.orkl.eu/4d40a3c0ac3ea2171ad21a3937cef66c85a759be.txt",
		"img": "https://archive.orkl.eu/4d40a3c0ac3ea2171ad21a3937cef66c85a759be.jpg"
	}
}