{
	"id": "e7db360d-4fb9-4945-92d6-1ebf4301a944",
	"created_at": "2026-04-10T03:21:12.692139Z",
	"updated_at": "2026-04-10T03:22:16.877841Z",
	"deleted_at": null,
	"sha1_hash": "50b29fa378a37d125719b626ce9843149fccaaa1",
	"title": "Gitlab RCE Stealth Shellbot",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 183168,
	"plain_text": "Gitlab RCE Stealth Shellbot\r\nBy Brian Stadnicki\r\nPublished: 2022-01-13 · Archived: 2026-04-10 03:04:58 UTC\r\nLast year, a major RCE was found in GitLab, CVE-2021-22205, in which GitLab versions >= 11.9 and < 13.10.3 were affected because uploaded images were not properly validated before being passed to a file parser.\r\nDjVu is considered a legacy image format, so it has received little attention. The GitLab RCE depends on a vulnerability in ExifTool, CVE-2021-22204, where improper parsing of annotations, including a dangerous eval used to add quotes to a string, led to RCE. A patch was created on the 13th April 2021 in this commit.\r\nThe script clears the temporary memory file system and creates the folder /dev/shm/kthzabor, which is an attempt to prevent the kthzabor mining malware from working.\r\nThe script attempts to kill many processes, including databases, miners, various other malware, task managers, and both defensive and offensive security tools.\r\npbotbyjanhotzu is likely a competing malware family, but it does not appear to have been reported on.\r\nhttps://brianstadnicki.github.io/posts/malware-gitlab-perlbot/\r\nPage 1 of 4\n\nAny processes listening on ports associated with mining malware are also killed.\r\nProcesses with names possibly linked to mining malware, such as sysrv-hello, are killed. Mining processes are often very simple, a regular script executed with the pool IP address as an argument, so these are also killed.\r\nFinally, a Perl script is fetched and executed.\r\nThe payload itself appears to be called “Stealth Shellbot” and to have been in use since at least 23 Nov 2015. It appears to be adapted from “ShellBOT”, found on GitHub. The authors may be Portuguese.\r\nThe bot connects to an IRC server and joins a channel.\r\nCommands\r\nCommand Action\r\nVERSION Sends back the bot version\r\nPING Sends back PONG\r\nportscan Scans ports 21, 22, 23, 25, 53, 80, 110, 143 on a host\r\ndownload Downloads a payload\r\nfullportscan Scans a port range on a host\r\nudp UDP flood\r\nudpfaixa UDP range flood\r\nconback Opens a reverse shell\r\noldpack Sends back a status message\r\nThe main evasion technique used is changing the process name to “/usr/local/apache/bin/httpd -DSSL”.\r\nHash:\r\n0d00200acb2caf4e2bc52285795bb13cb916fc051550c8e9dd3a19897068a494\r\n9e52e0b8a9d3a3de2159c03974f0b778fe4c910fa09e7084435031f34cc0ff0e\r\n7b4ef0d14bec12844653b4dbaed7db96bcdd04bbc755d4b42970a065a9a3886d\r\nURL:\r\nhttp://82.165.155.100/san\r\nhttp://82.165.155.100/ba.sh\r\nProcesses killed:\r\nmysqldd\r\nmonero\r\nkinsing\r\nsshpass\r\nsshexec\r\nattack\r\ndovecat\r\nkthzabor\r\ndonate\r\n'scan.log'\r\nxmr-stak\r\ncrond64\r\nstratum\r\n/tmp/java\r\npastebin\r\n/tmp/system\r\nexcludefile\r\nagettyd\r\n/var/tmp\r\n'./python'\r\n'./crun'\r\n'./.'\r\n'118/cf.sh'\r\n'.6379'\r\n'load.sh'\r\n'init.sh'\r\n'solr.sh'\r\n'.rsyslogds'\r\npnscan\r\nmasscan\r\nkthreaddi\r\nsysguard\r\nkthreaddk\r\nkdevtmpfsi\r\nnetworkservice\r\nsysupdate\r\nphpguard\r\nphpupdate\r\nnetworkmanager\r\nknthread\r\nmysqlserver\r\nwatchbog\r\nxmrig\r\n/dev/shm\r\npbotbyjanhotzu\r\nldr.sh\r\nSource: https://brianstadnicki.github.io/posts/malware-gitlab-perlbot/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://brianstadnicki.github.io/posts/malware-gitlab-perlbot/"
	],
	"report_names": [
		"malware-gitlab-perlbot"
	],
	"threat_actors": [],
	"ts_created_at": 1775791272,
	"ts_updated_at": 1775791336,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/50b29fa378a37d125719b626ce9843149fccaaa1.pdf",
		"text": "https://archive.orkl.eu/50b29fa378a37d125719b626ce9843149fccaaa1.txt",
		"img": "https://archive.orkl.eu/50b29fa378a37d125719b626ce9843149fccaaa1.jpg"
	}
}