{
	"id": "ef0fc68a-8fc7-4e2c-96ad-23a691eedc80",
	"created_at": "2026-04-06T00:17:32.085723Z",
	"updated_at": "2026-04-10T03:37:09.30359Z",
	"deleted_at": null,
	"sha1_hash": "507899401301b5ef372e513b03fc8019769d0177",
	"title": "Glupteba Hits Routers and Updates C\u0026C Servers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 97741,
	"plain_text": "Glupteba Hits Routers and Updates C\u0026C Servers\r\nBy: Jaromir Horejsi, Joseph C Chen Sep 04, 2019 Read time: 8 min (2057 words)\r\nPublished: 2019-09-04 · Archived: 2026-04-05 19:46:51 UTC\r\nWe recently caught a malvertising attack distributing the malware Glupteba. This is an older malware that was previously connected to a campaign named Operation Windigo and distributed through exploit kits to Windows users. In 2018, a security company reported that the Glupteba botnet may have been independent from Operation Windigo and had moved to a pay-per-install adware service to distribute it in the wild. The activities of the actors behind Glupteba have been varied: they were suspected of providing proxy services in the underground, and were identified as using the EternalBlue exploit to move into local networks and run Monero (XMR) cryptocurrency miners.\r\nAfter looking into the recent variant of the Glupteba dropper delivered from the malvertising attack, we found that the dropper downloaded two undocumented components aside from the Glupteba malware:\r\nA browser stealer that can steal sensitive data, for example, browsing history, website cookies, and account names and passwords from browsers and send the information to a remote server.\r\nA router exploiter that attacks MikroTik routers in the local network with the CVE-2018-14847 vulnerability. It will schedule a task on the router for command and control (C\u0026C) and upload the stolen administrator credentials to a remote server. A compromised router will be configured as a SOCKS proxy to relay malicious traffic, matching the original purpose of the Glupteba botnet on Windows.\r\nIn addition, an interesting feature we found inside the Glupteba dropper can retrieve the latest C\u0026C domain from Bitcoin transactions. We explain this feature further in the next sections. It seems the operators are still improving their malware and may be trying to extend their proxy network to internet of things (IoT) devices.\r\nFigure 1. Glupteba campaign attack flow\r\nFigure 2. Pop-up malvertising on file-sharing websites downloaded Glupteba dropper\r\nAnalysis of the Glupteba dropper\r\nThe downloaded dropper binary is packed with a custom packer, written in the Go programming language, and compiled to an executable. The dropper first initializes ‘config information’ by acquiring current application information, operating information, hardware information, as well as some information hardcoded in the binary. It creates a registry key HKEY_USERS\\\u003csid\u003e\\Software\\Microsoft\\TestApp to store all the acquired information. The result of running the config initialization function is shown in the figure below.\r\nFigure 3. Registries created by the Glupteba dropper\r\nThen, the function sendParentProcesses acquires machine_guid from the registry, as well as the distributor id and campaign id from the file name, product identification (PID), and names of parent processes. It then embeds this information in a POST request, encrypts it with an AES cipher, and uploads it to the C\u0026C server: hxxps://\u003cserver\u003e/api/parent-processes.\r\nAfter that, the dropper checks if the process is elevated and running as the SYSTEM user. If the process is not elevated, it tries to exploit the fodhelper method to get it elevated. If it is elevated but not running as the SYSTEM user, it uses the “Run as Trusted Installer” method, likely inspired by this code, which uses a stolen winlogon process token to run the process as SYSTEM.\r\nThe main dropper binary has embedded a few rootkit drivers used for hiding files and processes (WinMon32.sys, WinMon64.sys, WinMonFs32.sys, WinMonFs64.sys, WinMonprocessmonitor32.sys, WinMonProcessMonitor64.sys, WinmonSystemMonitor-10-64.sys, WinmonSystemMonitor-7-10-32.sys, WinmonSystemMonitor-7-64.sys) and a few other tools taken from GitHub used to help install the necessary drivers (dsefix.exe and patch.exe). Function executeTask processes these main commands:\r\nhide: Hide task PID using embedded WinMon\r\nhttps://blog.trendmicro.com/trendlabs-security-intelligence/glupteba-campaign-hits-network-routers-and-updates-cc-servers-with-data-from-bitcoin-transactions/\r\nPage 1 of 5\r\nupdate: Terminate and remove current version, replace with new version\r\ncleanup: Uninstall\r\nFunction mainInstall checks for installed antivirus (AV) programs, adds firewall rules, and adds Defender exclusions. Function mainPoll regularly polls the C\u0026C server for new commands. It sends a POST request to hxxps://\u003cserver\u003e/api/poll. POST parameters look like the following (before encryption):\r\nchallenge=e94e354daf5f48ca\u0026cloudnet_file=1\u0026cloudnet_process=1\u0026lcommand=0\u0026mrt=1\u0026pgdse=0\u0026sb=1\u0026sc=0\u0026uuid=\u0026version=145\u0026wup_\r\nThe query is AES-256 encrypted.\r\nFinally, function handleCommand implements the backdoor functions.\r\nFunction Task\r\nupdate\r\nget_app_name\r\nis_admin\r\nprocess_is_running: Queries “SELECT Name FROM Win32_Process WHERE Name =”\r\nexec\r\ndownload\r\nrun\r\nrun-v2\r\nexit\r\nupdate: Download and execute file\r\nupdate-data: POST internal config to /bots/update-data\r\nupdate-cloudnet: Download file from hxxp://nxtfdata[.]xyz/cl.exe, replaces cloudnet.exe file, which is Glupteba\r\nstop-wup: Stop XMR mining\r\nstop-wupv: Stop XMR mining\r\nstop-mrt\r\nnotify: Establish heartbeat, notification to URL with a given time interval, notifyHTTP, notifyH, notifyG, notifyS, notifyTCP, notifyTLS, notifyUDP\r\nnotify-host: Host for notification\r\nevent-exists: if Global\\\\\u003cevent name\u003e exists\r\nmutex-exists: if Global\\\\\u003cmutex name\u003e exists\r\nregistry-get-startup: HKEY_USERS\\%s\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\nverify-signature: Verify signature of PE file\r\nregistry-get-startup-signatures: Verify signatures of PE files from startup\r\nverify-processes-signatures: Enumerate processes, verify signatures\r\nget-unverified-files: Calls VerifyProcessesSignatures and RegistryGetStartupSignatures, reports unverified files\r\nget-stats-wup: Query hxxp://localhost:3433/, GET cryptominer stats, wup.exe is the open-source miner for XMR\r\nupload-file: File upload\r\nupdate-service: Download and run service\r\nget-logfile-proxy: Read file \\\\proxy\\\\t\r\ninstall: Download and run file, sendInstallReport\r\nget-logfile-i2pd: Read file \\\\i2pd\\\\i2pd.log\r\nsc: Take screenshot\r\nupdate-cdn: Update C2\r\ndiscover-electrum: Use hardcoded Electrum wallet; read blockchain transaction data\r\ndiscover-blockchaincome: Use hardcoded Bitcoin address, discover new C2 domain encrypted in bitcoin transaction data\r\nNotable C\u0026C update capability\r\nThe backdoor mostly has standard capabilities, but one interesting feature stands out: this malware can update its C\u0026C server address through the blockchain via the function discoverDomain.\r\nThe discoverDomain function can be run either by sending a backdoor command, or automatically by the dropper. DiscoverDomain first enumerates Electrum Bitcoin wallet servers using a publicly available list, then tries to query the blockchain script hash history of the script with a hardcoded hash.\r\nThis command then reveals all the related transactions.\r\nThen each transaction is parsed, searching for the OP_RETURN instruction.\r\nThe pieces of data following the OP_RETURN instruction are then used as parameters for the AES decryption routine: the first 12 bytes are used as the AES GCM tag, and the following 32 bytes are the encrypted data. The 32-byte long AES key is hardcoded in the binary file.\r\nTherefore, 0f8f7cd39e1a5231b49f986b877befce0c2f558f0c1a9844833ac702cb3eba6e gets decoded to venoxcontrol[.]com, which is the current C\u0026C server at the time of writing this publication.\r\nThis technique makes it more convenient for the threat actor to replace C\u0026C servers. If they lose control of a C\u0026C server for any reason, they simply need to add a new Bitcoin script and the infected machines obtain a new C\u0026C server by decrypting the script data and reconnecting.\r\nBrowser stealer component\r\nOne observed component from the recent Glupteba variant is called “updateprofile”, which is a browser profile, cookies, and password extractor. The Chrome, Opera, and Yandex browsers are targeted: cookies, history, and other profile files are zipped and uploaded to the information collection server at path /api/log. Similar to the main dropper, this component is also written in Go, compiled to an executable, and packed with the UPX packer.\r\nAnother version of the browser stealer is called “vc.exe”. Its goal is to extract browser passwords and cookies and post the extracted data to the information collection server at path /bots/post-en-data?uuid=.\r\nRouter exploiter component\r\nAnother component we found downloaded by the Glupteba dropper is a router exploiter, which is also developed in the Go language. It looks into the default gateway of the victim’s network. The list of default IP gateways is obtained by calling the WMI command “SELECT DefaultIPGateway FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = true”. In addition to these addresses, the following three default addresses are added: 192.168.88.11, 192.168.0.1, 192.168.1.1.\r\nOnce the component successfully connects to the device listening on port 8291, it then attempts to exploit the device with the CVE-2018-14847 vulnerability, which affects the RouterOS system used on MikroTik routers. The exploit code was likely inspired by this code on exploit-db. It allows the attackers to grab the administrator’s credentials from unpatched routers. The grabbed account names and passwords are stored in a JSON object, encrypted, and POSTed to the /api/router path of the C\u0026C server.\r\nOnce credentials are successfully obtained, a task is added to the scheduler of the router. There are three methods implemented to add a scheduler task: using the WinBox protocol, using SSH, or using the API.\r\nFigure 4. Example of scheduled task added by Glupteba campaign to compromised MikroTik routers\r\nThe router exploiter component scheduled a task named “U6” on compromised routers for command and control. The task will regularly check a C\u0026C URL every 10 minutes and execute the content downloaded from it. The C\u0026C URL is appended with a unique UUID, which is the same as the bot ID of Glupteba on the victim’s machine. The URL usually returns an HTTP 404 error; but when the bot master sends a command, it returns an RSC file, which is the format of the RouterOS configuration.\r\nThe file is the command from the bot master to control the router. In the attack we analyzed, we saw the C\u0026C server send multiple RSC files step by step to configure the compromised router to be a SOCKS proxy. Here are the steps:\r\nThe first configuration changed the period of the “U6” task schedule from 10 minutes to every 15 seconds.\r\nThe second configuration disabled services, including winbox, telnet, api, and api-ssl. This is most likely to prevent the router from being compromised by other attackers through the same vulnerability. Then it opened the SSH and SOCKS services, which are listening on randomly assigned ports, and created a firewall rule to accept external connections to the SOCKS port.\r\nThe third configuration removed the existing SOCKS access list on the compromised router.\r\nThe fourth configuration added a new SOCKS access list to limit the service so that it only accepts connections from specified IP ranges. These ranges are probably where the attackers’ servers are.\r\nRelayed traffic on compromised routers\r\nAfter the above-mentioned setup, the compromised router became a SOCKS proxy for the attackers to relay traffic. We monitored a compromised router to see what kind of traffic is transferred. The first remote connection routed through the SOCKS proxy is from a server which likely belongs to the attackers. This server queries “http://ip-api[.]com/json”, which returns the IP address of the current SOCKS proxy server. This query is sent repeatedly, probably to monitor the SOCKS proxy service.\r\nAfter the first check on the router status, we started seeing different servers with two types of traffic connected to the proxy. The first one is spam traffic. We saw a remote server establish SMTP connections to different mail servers through the SOCKS proxy of compromised routers. If a mail server accepted the connection, that remote server started to send spam mail. The spam mail delivered seems to be related to the notorious “Canadian Pharmacy” spam.\r\nFigure 5. Example of spam traffic sent through a compromised router\r\nFigure 6. “Canada Pharmacy” website redirected from spam mail\r\nBesides the spam traffic, we saw other traffic from a set of remote servers that were repeatedly connecting to Instagram. However, the traffic sent through was protected by HTTPS encryption. We can’t decrypt it and don’t know what exactly these connections are for. One theory is that it is the password-reuse attack hitting Instagram. It was previously reported to be one type of malicious traffic proxied through the Glupteba botnet.\r\nFigure 7. Example of Instagram connection (HTTPS-encrypted) relayed by a compromised router\r\nAs mentioned, Glupteba still seems to be evolving and adding capabilities. New techniques, such as updating C\u0026C servers through data obtained from Bitcoin transactions, show that the malicious actors behind this malware are adopting little-used techniques to try and keep their malware active. Since it is already proven to be an information stealer and a proxy for malicious spam, users and enterprises should be wary of this threat.\r\nSecurity recommendations\r\nMalvertising is a widespread threat that can affect users and businesses alike. A multilayered approach to security is important: from the gateway, endpoints, networks, and servers. Trend Micro solutions powered by XGen™ security, such as Trend Micro™ Security and Trend Micro Network Defense, can detect related malicious files and URLs and protect users’ systems. Trend Micro Smart Protection Suites and Trend Micro Worry-Free™ Business Security, which have behavior monitoring capabilities, can additionally protect from these types of threats by detecting malicious files, as well as blocking all related malicious URLs.\r\nSecurity should be top of mind when setting up routers: most devices across homes and offices are connected to these devices and can be affected if a router is compromised. Although manufacturers play important roles in securing routers and other devices, users and businesses can adopt good security practices to defend against threats. Also, deploying tools that provide additional security to home networks and devices connected to them further strengthens defenses.\r\nFor a full list of the Indicators of Compromise for this malware, please see this document.\r\nSource: https://blog.trendmicro.com/trendlabs-security-intelligence/glupteba-campaign-hits-network-routers-and-updates-cc-servers-with-data-from-bitcoin-transactions/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.trendmicro.com/trendlabs-security-intelligence/glupteba-campaign-hits-network-routers-and-updates-cc-servers-with-data-from-bitcoin-transactions/"
	],
	"report_names": [
		"glupteba-campaign-hits-network-routers-and-updates-cc-servers-with-data-from-bitcoin-transactions"
	],
	"threat_actors": [
		{
			"id": "1934b371-2525-4615-a90a-772182bc4184",
			"created_at": "2022-10-25T15:50:23.396576Z",
			"updated_at": "2026-04-10T02:00:05.341979Z",
			"deleted_at": null,
			"main_name": "Windigo",
			"aliases": [
				"Windigo"
			],
			"source_name": "MITRE:Windigo",
			"tools": [
				"Ebury"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3844202f-b24a-4e16-b7b9-dfe8c0a44d5d",
			"created_at": "2022-10-25T16:07:24.526179Z",
			"updated_at": "2026-04-10T02:00:05.023222Z",
			"deleted_at": null,
			"main_name": "Operation Windigo",
			"aliases": [
				"G0124"
			],
			"source_name": "ETDA:Operation Windigo",
			"tools": [
				"CDorked",
				"CDorked.A",
				"Calfbot",
				"Ebury"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434652,
	"ts_updated_at": 1775792229,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/507899401301b5ef372e513b03fc8019769d0177.pdf",
		"text": "https://archive.orkl.eu/507899401301b5ef372e513b03fc8019769d0177.txt",
		"img": "https://archive.orkl.eu/507899401301b5ef372e513b03fc8019769d0177.jpg"
	}
}