{
	"id": "1ff76d7a-03b3-4ba3-bf03-60fd77c81b1c",
	"created_at": "2026-04-06T00:11:22.416784Z",
	"updated_at": "2026-04-10T13:13:08.746Z",
	"deleted_at": null,
	"sha1_hash": "51ab42cc818f313fa5fee9f0662c81060b16a03d",
	"title": "360 Netlab Blog - Network Security Research Lab at 360",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 156614,
	"plain_text": "360 Netlab Blog - Network Security Research Lab at 360\r\nBy lvxing\r\nPublished: 2024-06-14 · Archived: 2026-04-05 18:51:45 UTC\r\nWarning: a modified version of the CIA attack kit Hive has entered the cybercrime (black/grey market) space\r\nOverview On October 21, 2022, 360Netlab's honeypot system captured a suspicious ELF file, ee07a74d12c0bb3594965b51d0e45b6f, which was spreading through an F5 vulnerability and had 0 detections on VT. Our traffic monitoring system flagged that it generated SSL traffic with the IP 45.9.150.144, and that both sides used forged Kaspersky certificates, which caught our attention. After analysis, we confirmed that it was adapted from the leaked server source code of the CIA's Hive project. This is the first time we have captured a variant of the CIA HIVE attack kit in the wild; based on the CN=xdr33 in its embedded Bot-side certificate, we named it xdr33 internally. There are plenty of source-code analyses of the CIA Hive project on the internet, which readers can consult on their own; we will not go into it here. In short, xdr33 is a backdoor trojan derived from the CIA Hive project, whose main purpose is to collect sensitive information and provide a foothold for subsequent intrusions. In terms of network communication, xdr33 uses the XTEA or AES algorithm to encrypt the raw traffic, and further protects it with SSL in Client-Certificate Authentication mode; in terms of functionality, it has two main tasks, beacon and trigger, where beacon periodically sends to the hard-coded Be\r\nSource: https://blog.netlab.360.com/blackrota-an-obfuscated-backdoor-written-in-go-en/\r\nhttps://blog.netlab.360.com/blackrota-an-obfuscated-backdoor-written-in-go-en/\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "ZH",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.netlab.360.com/blackrota-an-obfuscated-backdoor-written-in-go-en/"
	],
	"report_names": [
		"blackrota-an-obfuscated-backdoor-written-in-go-en"
	],
	"threat_actors": [],
	"ts_created_at": 1775434282,
	"ts_updated_at": 1775826788,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/51ab42cc818f313fa5fee9f0662c81060b16a03d.pdf",
		"text": "https://archive.orkl.eu/51ab42cc818f313fa5fee9f0662c81060b16a03d.txt",
		"img": "https://archive.orkl.eu/51ab42cc818f313fa5fee9f0662c81060b16a03d.jpg"
	}
}