{
	"id": "a12a7bc7-bd95-4898-a8a3-1b1a7c580b1c",
	"created_at": "2026-04-06T00:17:24.937693Z",
	"updated_at": "2026-04-10T13:11:47.663212Z",
	"deleted_at": null,
	"sha1_hash": "52150a9a0585c074624246eb061e0c64465d57b8",
	"title": "DiamondFox modular malware – a one-stop shop",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 50518,
	"plain_text": "DiamondFox modular malware – a one-stop shop\r\nBy bferrite\r\nPublished: 2017-05-10 · Archived: 2026-04-05 22:53:14 UTC\r\nCheck Point researchers have conducted a thorough investigation of the DiamondFox malware-as-a-service in collaboration with Terbium Labs, a Dark Web Data Intelligence company. The report includes a review of the malware’s sales procedure and customer reviews, as well as a full technical analysis of its multiple plugins. For the full DiamondFox report click here.\r\nCheck Point Threat Intelligence teams constantly track the latest attack trends, campaigns and attack methods to maintain an up-to-date and accurate view of the cyber threat landscape.\r\nIn recent years, an effective new business method has penetrated the thriving malware and attack tools market and led to the establishment of an entire industry – malware-as-a-service. This provides unskilled threat actors an easy entrance to the cyberattack world, and enables each user to start their own attack campaign without any technical knowledge. Drive-by attack methods, ransomware, banking Trojans and a variety of attack tools are now traded in underground forums and use a wide range of payment methods.\r\nDiamondFox, a modular botnet offered for sale on various underground forums, is an outstanding demonstration of the many advantages of this business model. By purchasing a single product, the buyer is granted access to a variety of capabilities, in the form of plugins, and can plan and execute multiple campaigns: a tailored espionage campaign, a credential theft campaign, which can be the basis of an extensive monetary theft operation, and even a simple, yet highly effective distributed denial of service (DDoS) attack.\r\nTogether with Terbium Labs, a Dark Web Data Intelligence company, we reviewed the DiamondFox malware’s capabilities, sales procedure and user experience. This report also includes a full technical analysis of the malware’s functionality, network communications and multiple plugins.\r\nMalware ecosystem\r\nLooking at the full list of capabilities of the latest version of DiamondFox, the Crystal version, this highly modular malware seems to cover everything from keylogging and browser password stealing, through cryptocurrency wallet stealing, all the way to a variety of Distributed Denial of Service (DDoS) attack techniques.\r\nDiamondFox, one of the trendiest malware-as-a-service offerings for sale these days, is in fact a one-stop shop: upon purchasing the malware for a certain period, a selection of plugins becomes accessible. All that’s left for the buyer to do is to choose which one to activate for each victim and when.\r\nDiamondFox advertisement, dated April 2016\r\nThe ad displayed above, which presents the latest version of DiamondFox, includes a detailed explanation of the malware loader, the user panel and the actual core of DiamondFox – the plugins.\r\nhttp://blog.checkpoint.com/2017/05/10/diamondfox-modular-malware-one-stop-shop/\r\nPage 1 of 3\r\nIt also includes a carefully updated Changelog, which provides potential buyers with a detailed explanation of the improvements and features added in each version.\r\nAt this point, after examining the highly successful Cerber Ransomware-as-a-service and the user-friendly Sundown Exploit Kit, there is no need to elaborate on the management panel granted to each user who purchases the malware. It goes without saying that the DiamondFox user panel is comprehensive and secured, and provides users with real-time infection statistics as well as control over the activation of the plugins. Moreover, most of the DiamondFox advertisements guarantee free updates and support.\r\nDiamondFox user panel screenshots\r\nDiamondFox user panel screenshots, single victim view\r\nSo far, the DiamondFox botnet seems like the perfect solution for any actor seeking an easy way to initiate their own campaigns. DiamondFox offers a range of plugins, which give the user several data theft options, and the ability to self-spread via removable devices and social networks. DiamondFox can definitely be used as the basis of a monetary theft operation, or a tailored espionage campaign. Furthermore, it appears that the official malware vendor, an actor dubbed ‘Edbitss’, is truly invested in the improvement of the malware, as all updates, changes and fixes are carefully documented and shared with potential buyers. Edbitss is clearly very responsive in all of the observed threads. Several customer reviews validate this impression and describe a quality, fully functioning product:\r\nDiamondFox customer review\r\nHowever, other reviews tell an entirely different story:\r\nDiamondFox customer review\r\nWe can’t help but wonder which side is telling the truth.\r\nAs mentioned previously, Edbitss is the official DiamondFox vendor, based on evidence from the ads referred to in this report. The actor uses the same Jabber address in all of the observed ads, both on the clear web and on the Darknet: [email protected]. However, different contact details were observed throughout the various ads, each using a top-level domain linking the actor to another country. The actor claims to be located in Russia and appears to be fluent in Russian. However, during the investigation, we came across a clear web landing page established by the actor in March 2016, on the domain ‘blogspot.mx’, the Mexican website of the highly popular blog-publishing service. From this, there is a high possibility that the actor could live in Mexico.\r\nCheck Point customers are protected from DiamondFox by the following security technologies:\r\nThe Antivirus Software Blade blocks every currently known variant of DiamondFox.\r\nThe Anti-Bot Software Blade detects and blocks any attempt to communicate with DiamondFox’s C\u0026C addresses.\r\nIndicators of Compromise are provided in the DiamondFox report and the detailed Appendices.\r\nSource: http://blog.checkpoint.com/2017/05/10/diamondfox-modular-malware-one-stop-shop/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"http://blog.checkpoint.com/2017/05/10/diamondfox-modular-malware-one-stop-shop/"
	],
	"report_names": [
		"diamondfox-modular-malware-one-stop-shop"
	],
	"threat_actors": [
		{
			"id": "f5fb4dc1-5777-4021-b9c2-4866246e4d74",
			"created_at": "2022-10-25T16:07:24.323585Z",
			"updated_at": "2026-04-10T02:00:04.935102Z",
			"deleted_at": null,
			"main_name": "Terbium",
			"aliases": [],
			"source_name": "ETDA:Terbium",
			"tools": [
				"Depriz"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "fec1dd86-d929-4691-b9ca-f804fb22971b",
			"created_at": "2023-01-06T13:46:38.5052Z",
			"updated_at": "2026-04-10T02:00:03.004846Z",
			"deleted_at": null,
			"main_name": "TERBIUM",
			"aliases": [],
			"source_name": "MISPGALAXY:TERBIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434644,
	"ts_updated_at": 1775826707,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/52150a9a0585c074624246eb061e0c64465d57b8.pdf",
		"text": "https://archive.orkl.eu/52150a9a0585c074624246eb061e0c64465d57b8.txt",
		"img": "https://archive.orkl.eu/52150a9a0585c074624246eb061e0c64465d57b8.jpg"
	}
}