{
	"id": "bae7cc05-4785-4e5b-be91-b3107d4d83c8",
	"created_at": "2026-04-06T00:16:52.458355Z",
	"updated_at": "2026-04-10T03:22:07.562594Z",
	"deleted_at": null,
	"sha1_hash": "552666f2f30b657a57bbd8f8f6123c4ee8e7bbde",
	"title": "BITS and Bytes: Analyzing BITSLOTH, a newly identified backdoor",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1873432,
	"plain_text": "BITS and Bytes: Analyzing BITSLOTH, a newly identified backdoor\r\nBy Seth Goodwin, Daniel Stepanic\r\nPublished: 2024-08-01 · Archived: 2026-04-05 21:34:59 UTC\r\nBITSLOTH at a glance\r\nBITSLOTH is a newly discovered Windows backdoor that leverages the Background Intelligent Transfer Service (BITS)\r\nas its command-and-control mechanism. BITSLOTH was uncovered during an intrusion within the LATAM region earlier\r\nthis summer. To our knowledge this malware has not been publicly documented, and while it’s not clear who’s behind the\r\nmalware, it has been in development for several years based on tracking distinct versions uploaded to VirusTotal.\r\nThe most current iteration of the backdoor at the time of this publication has 35 handler functions, including keylogging\r\nand screen capture capabilities. In addition, BITSLOTH contains many different features for discovery, enumeration, and\r\ncommand-line execution. Based on these capabilities, we assess this tool is designed for gathering data from victims.\r\nKey takeaways\r\nBITSLOTH is a newly discovered Windows backdoor\r\nBITSLOTH uses a built-in Microsoft feature, Background Intelligent Transfer Service (BITS), for command-and-control communication\r\nBITSLOTH has numerous command handlers used for discovery/enumeration, execution, and collection purposes\r\nThe backdoor contains logging functions and strings consistent with the authors being native Chinese speakers\r\nDiscovery\r\nOur team observed BITSLOTH installed on a server environment on June 25th during REF8747, an intrusion into\r\nthe Foreign Ministry of a South American government. The intrusion was traced back to PSEXEC execution on one of the\r\ninfected endpoints. 
The attackers used a slew of publicly available tools for most of their operations with the exception of\r\nBITSLOTH.\r\nRINGQ\r\nIOX\r\nSTOWAWAY\r\nGODPOTATO\r\nNOPAC\r\nMIMIKATZ\r\nPPLFAULT\r\nCERTIFY\r\nOne of the primary mechanisms of execution was through a shellcode loading project called RINGQ. In a similar fashion\r\nto DONUTLOADER, RINGQ will convert any Windows executable and generate custom shellcode, placing it into a file\r\n( main.txt ). This shellcode gets decrypted and executed in-memory. This technique is used to bypass defenses that rely on hash\r\nblocklists or static signatures in some anti-malware products.\r\nhttps://www.elastic.co/security-labs/bits-and-bytes-analyzing-bitsloth\r\nPage 1 of 22\n\nScreenshot of RingQ demo\r\nWe observed RINGQ being used to load the IOX port forwarder. Note: The key in the image below is the hex conversion\r\nof “whoami”.\r\nRINGQ loading and executing IOX\r\nAdditionally, the attackers used the STOWAWAY utility to proxy encrypted traffic over HTTP to their C2 servers. Proxy\r\ntools, tunnelers, and redirectors are commonly used during intrusions to conceal the adversary’s true origin.\r\nThese tools offer adversaries various features, including the ability to bypass internal network controls, provide terminal\r\ninterfaces, encryption capabilities as well as file transfer options.\r\nSTOWAWAY proxy usage\r\nAfter initial access, the actor moved laterally and dropped BITSLOTH in the form of a DLL ( flengine.dll ) inside the\r\nProgramData directory. The actor then executed the music-making program FL Studio ( fl.exe ). 
Based on the observed\r\ncall stack associated with the self-injection alert, we confirmed the threat actor used a traditional side-loading technique\r\nusing a signed version of FL Studio.\r\nCall stack from the self-injection alert (innermost frame first):\r\nc:\\windows\\syswow64\\ntdll.dll!0x770841AC\r\nc:\\windows\\syswow64\\ntdll.dll!0x7709D287\r\nc:\\windows\\syswow64\\kernelbase.dll!0x76ED435F\r\nc:\\windows\\syswow64\\kernelbase.dll!0x76ED42EF\r\nUnbacked!0x14EAB23\r\nUnbacked!0x14EA8B6\r\nc:\\programdata\\pl studio\\flengine.dll!0x74AD2F2E\r\nc:\\programdata\\pl studio\\fl.exe!0xDB3985\r\nc:\\programdata\\pl studio\\fl.exe!0xDB3E5E\r\nc:\\programdata\\pl studio\\fl.exe!0xDB4D3F\r\nc:\\windows\\syswow64\\kernel32.dll!0x76B267F9\r\nc:\\windows\\syswow64\\ntdll.dll!0x77077F4D\r\nc:\\windows\\syswow64\\ntdll.dll!0x77077F1B\r\nThis call stack was generated along with a process injection alert, and enabled researchers to extract an in-memory DLL\r\nthat was set with Read/Write/Execute (RWX) page protections.\r\nBITSLOTH overview\r\nDuring our analysis, we found several older BITSLOTH samples demonstrating a record of development since December\r\n2021. Within this project, the malware developer chose notable terminology, referring to BITSLOTH as the Slaver\r\ncomponent and the command and control server as the Master component. Below is an example of one of the PDB file\r\npaths linked to BITSLOTH that depicts this:\r\nPDB linked to BITSLOTH sample\r\nBITSLOTH employs no obfuscation around control flow or any kind of string encryption.\r\nBITSLOTH strings\r\nBoth older and recent samples contain strings used for logging and debugging purposes. 
As an example, at startup there is\r\na string referenced in the read-only section ( .rdata ).\r\nDebugging\r\nThis Simplified Chinese wide-character string translates to: Note: There is already a program running, do not run it\r\nagain…\r\nString left by developer\r\nThese small snippets contained within BITSLOTH help shed light on the development and prioritization of features, along\r\nwith what appear to be operator instructions. In the latest version, a new scheduling component was added by the\r\ndeveloper to control specific times when BITSLOTH should operate in a victim environment. This is a feature we have\r\nobserved in other modern malware families such as EAGERBEE.\r\nBITSLOTH scheduling component\r\nBITSLOTH code analysis\r\nBITSLOTH is a backdoor with many different capabilities including:\r\nRunning and executing commands\r\nUploading and downloading files\r\nPerforming enumeration and discovery\r\nCollecting sensitive data through keylogging and screen capturing\r\nMutex\r\nBITSLOTH uses a hard-coded mutex ( Global\\d5ffff77ff77adad657658 ) within each sample to ensure only one instance\r\nis running at a time.\r\nMutex used by BITSLOTH\r\nCommunication\r\nBITSLOTH adopts a traditional client/server architecture; the developer refers to the client as the Slaver component and\r\nthe command and control server (C2) as the Master component. The developer embeds the IP/port of the C2 server in\r\neach sample with a front-loaded string ( rrrr_url ). 
This string acts as a key that lets the running malware locate its own C2 configuration in memory; it is used\r\nwhen the C2 server is updated.\r\nBelow are the configurations in several samples our team has observed; the threat actor configures both internal and\r\nexternal IP ranges.\r\nrrrr_url216.238.121[.]132:8443\r\nrrrr_url192.168.1[.]125:8443\r\nrrrr_url192.168.1[.]124:8443\r\nrrrr_url45.116.13[.]178:443\r\nOne of the defining features of BITSLOTH is using the Background Intelligent Transfer Service (BITS) for C2. While this\r\nfeature has been designed to facilitate the network transfer of files between two machines, it’s been abused by multiple\r\nstate-sponsored groups and continues to fly under the radar against organizations. This medium is appealing to adversaries\r\nbecause many organizations still struggle to monitor BITS network traffic and detect unusual BITS jobs.\r\nWindows has a system administration feature called Background Intelligent Transfer Service (BITS) enabling\r\nthe download and upload of files to HTTP web servers or SMB shares. The BITS service employs multiple\r\nfeatures during the file transfer process such as the ability to pause/resume transfers, handling network\r\ninterruptions, etc. BITS traffic is usually associated with software updates and is therefore often wrongly assumed\r\nto be trusted. Many organizations lack visibility into BITS network traffic, making this an appealing target.\r\nThe BITS API is exposed through Windows’ Component Object Model (COM) using the IBackgroundCopyManager\r\ninterface. 
This interface provides capabilities to create new jobs, enumerate existing jobs in the transfer queue, and access\r\na specific job from a transfer queue.\r\nInitializing IBackgroundCopyManager interface\r\nAfter initialization, BITSLOTH cancels any existing BITS jobs on the victim machine that match the following display\r\nnames:\r\nWU Client Download\r\nWU Client Upload\r\nWU Client Upload R\r\nThese names are used by the developer to blend in and associate the different BITS transfer jobs with their respective\r\nBITS job type. Canceling any existing jobs lets the malware start from a clean state.\r\nSwitch statement inside BITSLOTH to process BITS job\r\nBelow are the Microsoft definitions matching the type of BITS job:\r\nBG_JOB_TYPE_DOWNLOAD - Specifies that the job downloads files to the client.\r\nBG_JOB_TYPE_UPLOAD - Specifies that the job uploads a file to the server.\r\nBG_JOB_TYPE_UPLOAD_REPLY - Specifies that the job uploads a file to the server, and receives a reply file\r\nfrom the server application.\r\nAfter canceling any existing jobs, the MAC address and operating system information are retrieved and placed into global\r\nvariables. A new thread gets created, configuring the auto-start functionality. Within this thread, a new BITS download job\r\nis created with the name ( Microsoft Windows ).\r\nBITS job creation for auto-start functionality\r\nThis download job sets the remote URL (the download source) to http://updater.microsoft[.]com/index.aspx . 
While this domain is not\r\nroutable, the benign-looking name gives the BITS job cover; BITSLOTH then uses SetNotifyCmdLine so that the BITS service\r\nexecutes the malware whenever the job’s transfer state changes.\r\nSetting up BITS persistence via SetNotifyCmdLine\r\nInterestingly, this unique toolmark allowed us to pivot to additional samples showing this family has been in circulation\r\nfor several years.\r\nVirusTotal relationships from embedded Microsoft URL\r\nAt this point, the malware has now been configured with persistence via a BITS job named Microsoft Windows . Below is\r\na screenshot of this job’s configuration showing the notification command line set to the BITSLOTH location\r\n( C:\\ProgramData\\Media\\setup_wm.exe )\r\nBITSLOTH persistence job\r\nOnce BITSLOTH becomes active, it will start requesting instructions from the C2 server using the WU Client Download\r\njob. This request URL is generated by combining the MAC address with a hard-coded string ( wu.htm ). Below is an\r\nexample URL:\r\nhttps://192.168.182.130/00-0C-29-0E-29-87/wu.htm\r\nIn response to this request, the malware will then receive a 12-byte structure from the C2 server containing a unique ID for\r\nthe job, a command ID for the handler, and a response token. Throughout these exchanges of file transfers, temporary files\r\non the victim machine are used as placeholders to hold the data being transmitted back and forth; BITSLOTH names them\r\nwith the prefix ( wm ) followed by random characters.\r\nData exchange through temporary files\r\nCommand functionality\r\nBITSLOTH uses a command handler with 35 functions to process specific actions that should be taken on the victim\r\nmachine. 
The malware has the option to be configured with HTTP or HTTPS and uses a hardcoded single-byte XOR\r\n( 0x2 ) to obfuscate the incoming instructions from the C2 server. The outbound requests containing the collected victim\r\ndata have no additional protection from the malware itself; apart from whatever TLS provides in HTTPS mode, they are\r\nsent in plaintext.\r\nIn order to move fast, our team leveraged a helpful Python implementation of a BITS server released by SafeBreach Labs.\r\nSetting the C2 IP to our loopback address inside a VM gave us introspection into the network traffic.\r\nBITSLOTH command handler\r\nThe handlers all follow a similar pattern: perform a primary function, then write the data returned from the\r\nhandler to a local temporary file. These temporary files then get mapped to a BITS upload job called WU Client Upload .\r\nEach handler uses its own string formatting to create a unique destination URL. Each filename at the end of the URL uses\r\na single letter to represent the type of data collected from the host, such as P.bin for processes or S.bin for services.\r\nhttp://192.168.182.130/00-0C-29-0E-29-87/IF/P.bin\r\nBelow is an example screenshot showing the process enumeration handler with the string formatting and how this data is\r\nthen linked to the BITS upload job.\r\nBITSLOTH handler for running processes\r\nThis link to the exfiltrated data can also be observed by viewing the BITS upload job directly. 
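
The tasking and upload format described above, as an added example that is not code from the original post or from the malware: it builds the beacon URL from a MAC address and wu.htm, undoes the single-byte XOR (0x2) on a C2 task, and checks BITS job records and proxy-log paths against the toolmarks documented on this page (the display names, the updater.microsoft.com persistence URL, a set notification command line, the <MAC>/wu.htm poll and the <MAC>/<dir>/<letter>.bin BITS_POST upload). The 12-byte task layout (three little-endian 32-bit fields in the order job ID, command ID, response token), the record field names and the sample jobs and log lines are assumptions constructed for the example; the post states only the byte count and the three field names.

```python
import re
import struct
from urllib.parse import urlsplit

XOR_KEY = 0x02  # single-byte key applied to the incoming C2 task (from the write-up)
# Display names and persistence URL documented for BITSLOTH
BITSLOTH_JOB_NAMES = {'WU Client Download', 'WU Client Upload', 'WU Client Upload R', 'Microsoft Windows'}
PERSISTENCE_URL = 'http://updater.microsoft.com/index.aspx'
MAC = '[0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5}'
BEACON_PATH = re.compile('^/' + MAC + '/wu[.]htm$')           # /<MAC>/wu.htm
UPLOAD_PATH = re.compile('^/' + MAC + '/[^/]+/[A-Z][.]bin$')  # /<MAC>/IF/P.bin

def beacon_url(c2, mac, https=False):
    '''Tasking URL requested by the WU Client Download job: MAC address plus wu.htm.'''
    scheme = 'https' if https else 'http'
    return scheme + '://' + c2 + '/' + mac.upper() + '/wu.htm'

def decode_task(blob):
    '''Undo the XOR and unpack the 12-byte task.
    ASSUMPTION: three little-endian uint32 fields in the order job ID, command ID,
    response token; the post gives only the size and the field names.'''
    if len(blob) != 12:
        raise ValueError('task must be exactly 12 bytes, got %d' % len(blob))
    plain = bytes(b ^ XOR_KEY for b in blob)
    job_id, cmd_id, token = struct.unpack('<III', plain)
    return {'job_id': job_id, 'cmd_id': cmd_id, 'token': token}

def triage_bits_job(job):
    '''Return the BITSLOTH toolmarks a BITS job record matches.
    job: dict with display_name, remote_url, notify_cmdline (field names are this
    example's own; fill them from the BITS queue of the host under review).'''
    hits = []
    if job.get('display_name') in BITSLOTH_JOB_NAMES:
        hits.append('display name used by BITSLOTH')
    if job.get('notify_cmdline'):
        # Rare in legitimate jobs; BITSLOTH relies on it for persistence. Review every hit.
        hits.append('notification command line set: ' + job['notify_cmdline'])
    url = job.get('remote_url') or ''
    if url == PERSISTENCE_URL:
        hits.append('persistence job URL')
    path = urlsplit(url).path
    if BEACON_PATH.match(path):
        hits.append('tasking path <MAC>/wu.htm')
    if UPLOAD_PATH.match(path):
        hits.append('exfil path <MAC>/<dir>/<letter>.bin')
    return hits

def suspicious_log_paths(lines):
    '''Flag wu.htm polls and BITS_POST uploads in method/path log lines.'''
    found = []
    for line in lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        method, path = parts[0], parts[1]
        if method == 'BITS_POST' and UPLOAD_PATH.match(path):
            found.append(line)
        elif BEACON_PATH.match(path):
            found.append(line)
    return found

# --- constructed sample data (not taken from the incident) ---
SAMPLE_TASK = bytes(b ^ XOR_KEY for b in struct.pack('<III', 7, 0, 4660))
SAMPLE_JOBS = [
    {'display_name': 'Microsoft Windows', 'remote_url': PERSISTENCE_URL,
     'notify_cmdline': 'C:/ProgramData/Media/setup_wm.exe'},  # separators shown as forward slashes
    {'display_name': 'WU Client Upload',
     'remote_url': 'http://192.168.182.130/00-0C-29-0E-29-87/IF/P.bin', 'notify_cmdline': ''},
    {'display_name': 'Edge Update',
     'remote_url': 'https://updates.example.invalid/package.cab', 'notify_cmdline': ''},
]
SAMPLE_LOG = [
    'GET /00-0C-29-0E-29-87/wu.htm',
    'BITS_POST /00-0C-29-0E-29-87/IF/P.bin',
    'GET /favicon.ico',
]

if __name__ == '__main__':
    print(beacon_url('192.168.182.130', '00-0c-29-0e-29-87', https=True))
    print(decode_task(SAMPLE_TASK))
    for job in SAMPLE_JOBS:
        print(job['display_name'], '->', triage_bits_job(job) or 'no hits')
    print(suspicious_log_paths(SAMPLE_LOG))
```

On a live host the job fields can be exported with Get-BitsTransfer -AllUsers (elevated) or bitsadmin /list /allusers /verbose and fed to triage_bits_job; a set notification command line is the highest-value field, since legitimate update jobs almost never use it, while the display names and URL patterns are specific to this family and will not survive a recompile.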
In the screenshots below, we\r\ncan see the destination URL (C2 server) for the upload and the temporary file ( wm9F0C.tmp ) linked to the job.\r\nBITS upload job configuration\r\nIf we look at the temporary file, we can see the collected process information from the victim host.\r\nContents of temporary file holding exfiltrated data\r\nSoon after the upload job is created, the data is sent over the network through a BITS_POST request containing the\r\ncaptured data.\r\nOutbound BITS_POST request\r\nCommand handling table\r\nCommand ID | Description\r\n0 | Collect running processes via WTSEnumerateProcessesW\r\n1 | Get Windows services via EnumServicesStatusW\r\n2 | Get system information via systeminfo command\r\n3 | Retrieve all top-level windows via EnumWindows\r\n5 | Collect file listings\r\n6 | Download file from C2 server\r\n7 | Upload file to C2 server\r\n10 | Terminate itself\r\n11 | Set communication mode to HTTPS\r\n12 | Set communication mode to HTTP\r\n13 | Remove persistence\r\n14 | Reconfigure persistence\r\n15 | Cancel BITS download job ( WU Client Download )\r\n16 | Remove persistence and delete itself\r\n17 | Thread configuration\r\n18 | Duplicate of handler #2\r\n19 | Delete file based on file path\r\n20 | Delete folder based on file path\r\n21 | Start terminal shell using stdin/stdout redirection\r\n22 | Reset terminal handler (#21)\r\n23 | Run Windows tree command\r\n24 | Update BITSLOTH and delete the old version\r\n25 | Shut down the machine via ExitWindowsEx\r\n26 | Reboot the machine via ExitWindowsEx\r\n27 | Log user off from the machine via ExitWindowsEx\r\n28 | Terminate process based on process identifier (PID)\r\n29 | Retrieve additional information via msinfo32 command\r\n30 | Execute individual file via ShellExecuteW\r\n34 | Create new directory via CreateDirectoryW\r\n41 | Upload data to C2 server\r\n42 | Check for capture driver via capGetDriverDescriptionW\r\n43 | Take screenshots of victim machine desktop\r\n44 | Record keystrokes from victim machine\r\n45 | Stop recording screenshot images\r\n46 | Stop keylogger functionality\r\nBackdoor functionality\r\nBITSLOTH includes a wide range of post-compromise capabilities for an adversary to operate within a victim\r\nenvironment. We will focus on the more significant capabilities by grouping them into different categories.\r\nDiscovery/enumeration\r\nA portion of the BITSLOTH handlers are focused on retrieving and enumerating data from victim machines. This\r\nincludes:\r\nRetrieving process information via WTSEnumerateProcessesW\r\nCollecting Windows services via EnumServicesStatusW\r\nEnumerating all top-level windows via EnumWindows with a callback function\r\nRetrieving system information via Windows utilities such as systeminfo and msinfo32\r\nBITSLOTH handler used to collect system information\r\nIn many of the handlers, the locale is set to chs (Chinese - Simplified).\r\nRetrieve Windows information\r\nBITSLOTH has a couple of custom enumeration functions tied to retrieving file listings and performing directory tree\r\nsearches. 
The file listing handler takes a custom parameter from the operator to target specific folder locations of interest:\r\nGET_DESKDOP -> CSIDL_DESKTOPDIRECTORY (Desktop)\r\nGET_BITBUCKET -> CSIDL_BITBUCKET (Recycle Bin)\r\nGET_PERSONAl -> CSIDL_MYDOCUMENTS (My Documents)\r\nFile listing parameters via BITSLOTH\r\nBITSLOTH also has the ability to collect a full directory and file listing for the whole machine by using the Windows\r\ntree utility. This handler loops over the alphabet for every drive letter, and the output is saved locally in a temporary\r\nfile named aghzyxklg .\r\nTree listing via BITSLOTH\r\nThe tree data is then compressed and sent to the C2 server with a .ZIP extension. Below is an example of the collected\r\ndata. This data can help pinpoint sensitive files or provide more context about the target environment.\r\nExample of data collected through GetDirectoryTree handler\r\nCollection\r\nIn terms of collection, there are a few handlers used for actively gathering information. These are centered around\r\ncapturing screenshots from the desktop and performing keylogging functionality.\r\nBITSLOTH implements a lightweight function used to identify capture recording devices; this appears to be a technique to\r\ncheck for a camera using the Windows API (capGetDriverDescriptionW).\r\nHandler that records capture devices\r\nBITSLOTH has the ability to take screenshots based on parameters provided by the operator. Input to this function uses a\r\nseparator ( || ) where the operator provides the number of seconds of the capture interval and the capture count. The\r\nimages are stored as BMP files with a hard-coded name ciakfjoab and compressed with the DEFLATE algorithm using\r\na .ZIP archive. 
These timestamped zipped archives are then sent out to the C2 server.\r\nThe handler leverages common screenshot APIs such as CreateCompatibleBitmap and BitBlt from Gdi32.dll .\r\nBITSLOTH screen capture using Windows APIs\r\nFor recording keystrokes, BITSLOTH uses traditional techniques by monitoring key presses using\r\nGetAsyncKeyState/GetKeyState. The handler has an argument for the number of seconds to perform the keylogging.\r\nThis data is also compressed in a .ZIP file and sent outbound to the C2 server.\r\nKeylogger functionality inside BITSLOTH\r\nExecution / Maintenance\r\nBITSLOTH has multiple capabilities around maintenance and file execution as well as standard backdoor functionalities\r\nsuch as:\r\nCapability to execute files stand-alone via ShellExecuteW\r\nWindows terminal capability to execute commands and read data back via pipes\r\nCreate directories, perform reboots, shut down the machine, terminate processes\r\nUpload and download files to and from the C2 server\r\nModify BITSLOTH configuration such as communication modes, update C2 URL, turn off keylogging/screenshot\r\nfeatures\r\nBITSLOTH’s CMD terminal\r\nBITSLOTH pivots\r\nBITSLOTH appears to be actively deployed. We identified another BITSLOTH C2 server ( 15.235.132[.]67 ) using the\r\nsame port ( 8443 ) with the same SSL certificate seen in our intrusion.\r\nShodan SSL certificate matches\r\nWhile it’s not exactly clear who’s behind BITSLOTH, there was a burst of VirusTotal uploads\r\non December 12, 2021. With around 67 uploads over 24 hours from one submitter ( 1fcc35ea ), we suspect someone\r\nlinked to this project was validating detections, making modifications, and uploading different versions of BITSLOTH to\r\nVirusTotal. 
One sample was packed with VMProtect, others were stripped of functionality, some uploads were debug builds,\r\nand so on.\r\nBITSLOTH - VirusTotal Submitter (1fcc35ea)\r\nA lot of time has passed since then, but it is interesting seeing this family show up in a recent intrusion. Whatever the\r\nobjective behind this malware, it's surprising that this family remained under the radar for so many years.\r\nDifferent PDB paths from BITSLOTH uploads\r\nREF8747 through MITRE ATT&CK\r\nElastic uses the MITRE ATT&CK framework to document common tactics, techniques, and procedures that advanced\r\npersistent threats use against enterprise networks.\r\nTactics\r\nTactics represent the why of a technique or sub-technique. It is the adversary’s tactical goal: the reason for\r\nperforming an action.\r\nCollection\r\nCommand and Control\r\nDiscovery\r\nExecution\r\nExfiltration\r\nPersistence\r\nTechniques\r\nTechniques represent how an adversary achieves a tactical goal by performing an action.\r\nBITS Jobs\r\nSystem Information Discovery\r\nHijack Execution Flow: DLL Side-Loading\r\nScreen Capture\r\nInput Capture: Keylogging\r\nProxy\r\nDetecting REF8747\r\nDetection\r\nThe following detection rules and behavior prevention events were observed throughout the analysis of this intrusion set:\r\nPersistence via BITS Job Notify Cmdline\r\nLSASS Access Attempt via PPL Bypass\r\nLSASS Access Attempt from an Unsigned Executable\r\nSuspicious Parent-Child Relationship\r\nCredential Access via Known Utilities\r\nShellcode Injection\r\nYARA Signatures\r\nWindows.Hacktool.Mimikatz\r\nWindows.Trojan.BITSloth\r\nWindows.Hacktool.Iox\r\nWindows.Hacktool.Rubeus\r\nWindows.Hacktool.Certify\r\nWindows.Hacktool.RingQ\r\nWindows.Hacktool.GodPotato\r\nMulti.Hacktool.Stowaway\r\nYARA\r\nElastic Security has created 
YARA rules to identify this activity. Below is the YARA rule for BITSLOTH:\r\nrule Windows_Trojan_BITSLOTH_05fc3a0a {\r\n    meta:\r\n        author = \"Elastic Security\"\r\n        creation_date = \"2024-07-16\"\r\n        last_modified = \"2024-07-18\"\r\n        os = \"Windows\"\r\n        arch = \"x86\"\r\n        threat_name = \"Windows.Trojan.BITSLOTH\"\r\n        license = \"Elastic License v2\"\r\n    strings:\r\n        $str_1 = \"/%s/index.htm?RspID=%d\" wide fullword\r\n        $str_2 = \"/%s/%08x.rpl\" wide fullword\r\n        $str_3 = \"/%s/wu.htm\" wide fullword\r\n        $str_4 = \"GET_DESKDOP\" wide fullword\r\n        $str_5 = \"http://updater.microsoft.com/index.aspx\" wide fullword\r\n        $str_6 = \"[U] update error...\" wide fullword\r\n        $str_7 = \"RMC_KERNEL ...\" wide fullword\r\n        $seq_global_protocol_check = { 81 3D ?? ?? ?? ?? F9 03 00 00 B9 AC 0F 00 00 0F 46 C1 }\r\n        $seq_exit_windows = { 59 85 C0 0F 84 ?? ?? ?? ?? E9 ?? ?? ?? ?? 6A 02 EB ?? 56 EB }\r\n    condition:\r\n        2 of them\r\n}\r\nObservations\r\nAll observables are also available for download in both ECS and STIX format in a combined zip bundle.\r\nThe following observables were discussed in this research.\r\nObservable | Type | Name | Reference\r\n4a4356faad620bf12ff53bcfac62e12eb67783bd22e66bf00a19a4c404bf45df | SHA-256 | s.dll | BITSLOTH\r\ndfb76bcf5a3e29225559ebbdae8bdd24f69262492eca2f99f7a9525628006d88 | SHA-256 | 125.exe | BITSLOTH\r\n4fb6dd11e723209d12b2d503a9fcf94d8fed6084aceca390ac0b7e7da1874f50 | SHA-256 | setup_wm.exe | BITSLOTH\r\n0944b17a4330e1c97600f62717d6bae7e4a4260604043f2390a14c8d76ef1507 | SHA-256 | 1242.exe | BITSLOTH\r\n0f9c0d9b77678d7360e492e00a7fa00af9b78331dc926b0747b07299b4e64afd | SHA-256 | setup_wm.exe | BITSLOTH (VMProtect)\r\n216.238.121[.]132 | ipv4-addr | | BITSLOTH C2 server\r\n45.116.13[.]178 | ipv4-addr | | BITSLOTH C2 server\r\n15.235.132[.]67 | ipv4-addr | | BITSLOTH C2 server\r\nhttp://updater.microsoft.com/index.aspx | | | BITSLOTH file indicator\r\nupdater.microsoft.com | | | BITSLOTH file indicator\r\nReferences\r\nThe following were referenced throughout the above research:\r\nhttps://github.com/SafeBreach-Labs/SimpleBITSServer/tree/master\r\nhttps://github.com/T4y1oR/RingQ\r\nhttps://github.com/EddieIvan01/iox\r\nhttps://github.com/ph4ntonn/Stowaway/\r\nAbout Elastic Security Labs\r\nElastic Security Labs is the threat intelligence branch of Elastic Security dedicated to creating positive change in the threat\r\nlandscape. Elastic Security Labs provides publicly available research on emerging threats with an analysis of strategic,\r\noperational, and tactical adversary objectives, then integrates that research with the built-in detection and response\r\ncapabilities of Elastic Security.\r\nFollow Elastic Security Labs on Twitter @elasticseclabs and check out our research at www.elastic.co/security-labs/.\r\nSource: https://www.elastic.co/security-labs/bits-and-bytes-analyzing-bitsloth",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.elastic.co/security-labs/bits-and-bytes-analyzing-bitsloth"
	],
	"report_names": [
		"bits-and-bytes-analyzing-bitsloth"
	],
	"threat_actors": [],
	"ts_created_at": 1775434612,
	"ts_updated_at": 1775791327,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/552666f2f30b657a57bbd8f8f6123c4ee8e7bbde.pdf",
		"text": "https://archive.orkl.eu/552666f2f30b657a57bbd8f8f6123c4ee8e7bbde.txt",
		"img": "https://archive.orkl.eu/552666f2f30b657a57bbd8f8f6123c4ee8e7bbde.jpg"
	}
}