{
	"id": "aa26c9ac-b5c4-40af-bef9-24cd37853883",
	"created_at": "2026-04-06T00:06:53.443688Z",
	"updated_at": "2026-04-10T13:12:40.964991Z",
	"deleted_at": null,
	"sha1_hash": "544b0b4c9060f6f96c09743823ac9d06026e7f9e",
	"title": "Bondnet Using Miner Bots as C2 - ASEC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1472555,
	"plain_text": "Bondnet Using Miner Bots as C2 - ASEC\r\nBy ATCP\r\nPublished: 2024-05-27 · Archived: 2026-04-05 16:24:59 UTC\r\nBondnet first became known to the public in an analysis report published by GuardiCore in 2017 [1], and Bondnet’s backdoor was covered in an analysis report on the XMRig miner targeting SQL servers released by DFIR Report in 2022 [2]. No information on the Bondnet threat actor’s activities has been published since then, but it has been confirmed that they continued their attacks until recently.\r\nAhnLab SEcurity Intelligence Center (ASEC) found, through analyzing systems infected with Bondnet miners, that the Bondnet threat actor is still active, and discovered evidence that they have been configuring a reverse RDP environment on high-performance bots and using them as C2 servers since 2023. The reverse RDP environment was established on high-performance bots that fulfilled certain conditions.\r\nBehavior: Add an adminxy account\r\nBehavior Condition:\r\n- is_pc (CPU condition check): If the CPU manufacturer is Intel; If the model number is i3, i5, i7, or i9\r\n- is_pc2 (network interface condition check): If the network interface manufacturer is Red Hat\r\n- arr_find_str: If the system’s language setting is one of the following: Russian, Korean, English, or Japanese\r\nThe footnoted Dead Code includes a syntax\r\nBehavior: Download a reverse RDP program\r\nBehavior Condition:\r\n- Conditions for adding an adminxy account are met\r\n- If the CPU core count exceeds 10\r\nTable 1. Conditions for establishing a reverse RDP environment in the backdoor\r\nhttps://asec.ahnlab.com/en/66662/\r\nPage 1 of 7\r\nThe Bondnet threat actor used proxy servers and a fast reverse proxy (hereinafter “FRP”) tool to configure the reverse RDP environment. FRP is an open-source proxy program published on GitHub, and the Bondnet threat actor modified the FRP program code before using it. The FRP program file modified by the threat actor included the information necessary for connection, including the threat actor’s proxy server address, protocol, port, and token name.\r\nAfter configuring the reverse RDP environment using the modified FRP program, the threat actor accessed the target system via RDP and executed two programs.\r\nFirst, they executed the Cloudflare tunneling client. The Cloudflare tunneling client allows tunneling between a certain port in the system it is executed in and a domain mapped to the Cloudflare network. The Bondnet threat actor’s C2 domain is registered on Cloudflare, and the threat actor was able to use the Cloudflare tunneling client to link a certain service in the target system with the C2 domain registered in Cloudflare.\r\nNext, they executed an HTTP File Server (HFS) program. Upon execution, the HFS program provides a file server service on TCP port 4000. The HFS program showed similarities with the threat actor’s C2 environment: it was confirmed that the reply message returned when requesting a path that does not exist and the login pop-up that appears when accessing the directory path were the same. It is believed that the same HFS program was running on the C2 at the time of analysis.\r\nThe Bondnet threat actor used two programs in the affected system to create the HFS service in the target system and tried to connect the service with the Cloudflare domain via tunneling in order to use it as a C2. However, the HFS program, written in Golang, failed to run due to environmental issues in the affected system, and the ASEC team could not confirm the behavior of the system being converted to a C2. Although the actual conversion process could not be observed, the following circumstances lead to the conclusion that the threat actor intended to utilize a botnet system as a C2.\r\n- After the reverse RDP connection, there were no observed behaviors in the affected system of information leakage or internal movement\r\n- The threat actor executed the Cloudflare tunneling client and the HFS program in the target system\r\n- The threat actor’s C2 domain is linked to Cloudflare\r\n- The UI of the HFS program and that of the threat actor’s C2 are the same\r\n- Some malicious files could not be downloaded from the threat actor’s C2 at the time of analysis\r\n- About one month later, the UI of the threat actor’s C2 changed, new malicious files appeared, and deleted malicious files were restored\r\nAfter failing to convert the affected system to a C2, the Bondnet threat actor changed the C2 UI about a month later. It seems that after facing failure in the target system, the threat actor used another bot to replace the C2, likely employing another program instead of the HFS program, which had caused an issue in the target system.\r\n[File Detection]\r\nCoinMiner/Win.XMRig.C5449500(2023.07.05.00)\r\nDownloader/FOMB.Agent(2024.02.27.00)\r\nDownloader/Win64.Agent.C2426880(2018.03.29.04)\r\nHackTool/Win.Agent(2024.03.15.00)\r\nHackTool/Win.Frpc.C5473755(2023.08.20.03)\r\nHackTool/Win.PassViewer.C5353351(2023.01.09.03)\r\nHackTool/Win.PassViewer.C5353353(2023.04.26.02)\r\nHackTool/Win.PstPass.C5135577(2022.08.31.02)\r\nHackTool/Win.PSWTool.R345815(2023.06.02.01)\r\nHackTool/Win32.Mailpassview.R165244(2016.07.12.09)\r\nRansomware/Win.Phobos.R363595(2023.08.28.04)\r\nTrojan/BAT.RUNNER.SC198137(2024.03.15.00)\r\nTrojan/BAT.RUNNER.SC198138(2024.03.15.00)\r\nTrojan/BAT.Runner.SC198226(2024.03.18.02)\r\nTrojan/RL.Mimikatz.R248084(2018.12.10.01)\r\nTrojan/Win.Lazardoor.R496534(2022.05.14.01)\r\nTrojan/Win32.Infostealer.C1259157(2015.11.16.06)\r\nTrojan/Win32.Infostealer.C1259157(2020.07.17.00)\r\nTrojan/Win32.Miner.C2462674(2018.04.13.09)\r\nTrojan/Win32.Neshta.X2117(2018.03.16.06)\r\nUnwanted/Win.PassView.C5359535(2023.01.16.03)\r\nUnwanted/Win32.HackTool.C613821(2014.11.02.03)\r\nUnwanted/Win32.Masscan.C3122810(2019.12.06.00)\r\nUnwanted/Win32.Passview.C568442(2014.09.23.00)\r\nUnwanted/Win32.PassView.R333746(2020.04.22.08)\r\nReference Links\r\n1 The Bondnet Army: https://www.akamai.com/blog/security/the-bondnet-army\r\n2 SELECT XMRig FROM SQLServer: https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver\r\n3 Cloudflare Docs: https://developers.cloudflare.com/cloudflare-one/connections/connect-networks\r\nMD5\r\n00fa7f88c54e4a7abf4863734a8f2017\r\n057d5c5e6b3f3d366e72195b0954283b\r\n0753cab27f143e009012053208b7f63e\r\n0fc84b8b2bd57e1cf90d8d972a147503\r\n15069da45e5358578105f729ec1c2d0b\r\nAdditional IOCs are available on AhnLab TIP.\r\nURL\r\nhttp[:]//185[.]141[.]26[.]116/hotfixl[.]ico\r\nhttp[:]//185[.]141[.]26[.]116/stats[.]php\r\nhttp[:]//185[.]141[.]26[.]116/winupdate[.]css\r\nhttp[:]//46[.]59[.]210[.]69[:]7000/\r\nhttp[:]//46[.]59[.]214[.]14[:]7000/\r\nAdditional IOCs are available on AhnLab TIP.\r\nFQDN\r\nd[.]mymst[.]top\r\nfrp[.]mymst007[.]top\r\nm[.]mymst[.]top\r\nAdditional IOCs are available on AhnLab TIP.\r\nIP\r\n223[.]223[.]188[.]19\r\n47[.]99[.]155[.]111\r\nAdditional IOCs are available on AhnLab TIP.\r\nGain access to related IOCs and detailed analysis by subscribing to AhnLab TIP.\r\nSource: https://asec.ahnlab.com/en/66662/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://asec.ahnlab.com/en/66662/"
	],
	"report_names": [
		"66662"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f6306e79-ce51-4c00-a185-117c5cc18300",
			"created_at": "2024-06-19T02:00:04.380042Z",
			"updated_at": "2026-04-10T02:00:03.654879Z",
			"deleted_at": null,
			"main_name": "Bondnet",
			"aliases": [],
			"source_name": "MISPGALAXY:Bondnet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434013,
	"ts_updated_at": 1775826760,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/544b0b4c9060f6f96c09743823ac9d06026e7f9e.pdf",
		"text": "https://archive.orkl.eu/544b0b4c9060f6f96c09743823ac9d06026e7f9e.txt",
		"img": "https://archive.orkl.eu/544b0b4c9060f6f96c09743823ac9d06026e7f9e.jpg"
	}
}