{
	"id": "a3df5ee0-eecd-46db-ab46-f119ed07260b",
	"created_at": "2026-04-06T00:11:25.339512Z",
	"updated_at": "2026-04-10T03:23:51.601655Z",
	"deleted_at": null,
	"sha1_hash": "569a2c1d408194ba7b942ef6bcb4a13f8a912e3a",
	"title": "GitHub - jrm360seclab/aodin-vo1d-malware: AODIN X1BQ projector ships with Vo1d botnet malware - security disclosure",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 125038,
	"plain_text": "GitHub - jrm360seclab/aodin-vo1d-malware: AODIN X1BQ\r\nprojector ships with Vo1d botnet malware - security disclosure\r\nBy jrm360seclab\r\nArchived: 2026-04-05 19:33:42 UTC\r\nPublic Security Disclosure | February 2026\r\nAAmmaazzoonn BB00DDGGXX5511JJPPCC\r\n MMaallwwaarree VVoo11dd BBoottnneett VViirruussTToottaall 11 / 9 3 TThhrreeaattYYeettii 99..22//1100\r\n⚠️ Warning to Amazon Buyers\r\nIf you purchased an AODIN X1BQ projector (Amazon ASIN: B0DGX51JPC), your device may be pre-infected with Vo1d botnet malware installed at the factory before you ever received it.\r\nThe device streams video perfectly with zero visible symptoms. The malware can only be detected with\r\nenterprise-grade network monitoring tools. The average consumer has no way to know their device is infected.\r\nSummary\r\nField Detail\r\nDevice AODIN X1BQ Smart Projector\r\nAmazon ASIN B0DGX51JPC\r\nPurchase Date December 7, 2025\r\nMalware Family Vo1d Botnet (residential proxy variant)\r\nFirmware projector.20250910.101755\r\nFirmware Date September 10, 2025 — pre-infected at factory\r\nOS LuminaOS (Android fork)\r\nDetection Date February 2026\r\nTime Undetected 2+ months of active daily use\r\nIndependent Verification VirusTotal 11/93 · ThreatYeti 9.2/10\r\nWhat Is Vo1d?\r\nhttps://github.com/jrm360seclab/aodin-vo1d-malware\r\nPage 1 of 9\n\nVo1d is a botnet that infects Android-based devices at the firmware or supply chain level. Once active, it silently\r\nenrolls the device as a residential proxy node — routing criminal internet traffic through the victim's home IP\r\naddress without their knowledge or consent.\r\nThe original Vo1d research was published by QiAnXin X-Lab. 
This disclosure documents a new delivery vector:\r\nfactory pre-infection of consumer projectors sold on Amazon.\r\nWhat criminal operators can do with your infected device:\r\nRoute their traffic through your home IP address (your IP gets flagged for abuse, not theirs)\r\nSell access to your residential IP to other criminal actors\r\nConduct fraud, credential stuffing, or scraping that traces back to you legally\r\nMaintain persistent remote access to a device inside your home network\r\nHow It Was Discovered\r\nThe device was used daily for streaming (Netflix, Hulu, Amazon Prime, Peacock) for over two months with zero\r\nvisible symptoms. No alert fired. No automated system flagged anything. The malware was completely invisible.\r\nDiscovery came through proactive threat hunting — not an automated alert. As part of learning network\r\nsecurity, a manual packet capture was performed on the home network with no specific lead and no prior\r\nsuspicion of the projector. While reviewing the captured traffic by hand, two patterns stood out:\r\n1. A consumer projector was generating DNS queries on a precise ~65-second cycle — machine-perfect\r\ntiming that no human activity produces. The domain: .o.fecebbbk[.xyz] , designed to look like\r\n.o.facebook.[com] at a quick glance\r\n2. The same device was sending traffic to an AWS IP address (44[.]205[.]227[.]254) with no user\r\ninteraction\r\nNo IDS rule triggered this. No firewall alert fired. The malware was found because I was looking — manually\r\nreviewing raw traffic with enough pattern recognition to notice that a projector had no business querying the same\r\ndomain every 65 seconds.\r\nThis is the core value of threat hunting: finding what automated systems miss. This malware had evaded detection\r\nfor over two months on a network with OPNsense and Security Onion deployed. 
Human analysis found it in a\r\nsingle manual capture session.\r\nThe home lab tools used for investigation once the hunt began:\r\nOPNsense — firewall with full traffic logging for deep-dive analysis\r\nSecurity Onion — IDS/IPS for correlation and additional capture\r\nWireshark — packet-level protocol analysis\r\nRustScan — active port scanning of the device\r\nRapidHostBaseline — a lightweight Windows host baseline collector for defenders and investigators\r\nTechnical Findings\r\nDevice Identifiers\r\nIdentifier Value\r\nMAC Address DC:95:07:CC:E0:FF\r\nFirmware Version projector.20250910.101755\r\nFirmware Build Date September 10, 2025\r\nDevice IMEI 1c001044f6828801f5a\r\nDevice UDID 44_SD-627de7eb1f73704e4497f3a6bbd9698c\r\nThe firmware build date of September 10, 2025 pre-dates the December 2025 purchase. This confirms a supply\r\nchain compromise — the infection was present before the device was sold.\r\nThree-Tier C2 Infrastructure\r\nThe malware operates a three-tier command and control system, with each tier serving a distinct purpose:\r\nTier 1 — Device Registration (Disguised as Firmware Update)\r\nWithin 2.17 seconds of powering on — before any user touches the remote — the device contacts\r\nota.triplesai.[com]:8080 over HTTP. The traffic mimics a legitimate over-the-air firmware update check, but\r\nthe payload contains the device's complete fingerprint: MAC address, IMEI, firmware version, and unique device\r\nID.\r\nThis registers the device in the botnet operator's inventory. 
Every infected AODIN device phones home to this\r\nserver the moment it boots.\r\nField Value\r\nDomain ota.triplesai.[com]\r\nIP 111[.]230[.]36[.]129 (Tencent Cloud)\r\nPort 8080\r\nProtocol HTTP POST\r\nTiming 2.17 seconds after boot\r\nTier 2 — Proxy Role Assignment\r\nThe C2 infrastructure responds to the registration by assigning the device a specific proxy role. The response is a\r\nstructured data object containing a proxy host and port that the device will use to route criminal traffic through the\r\nvictim's home internet connection.\r\nField Value\r\nDomain sd002.jaguar-distributor.syslogcollector.[com]\r\nIP 38[.]55[.]17[.]113\r\nPort 12000\r\nProtocol HTTP\r\nVirusTotal 11/93 vendors flag as malicious\r\nThreatYeti Risk score 9.2 / 10.0\r\nTier 3 — Persistent Heartbeat Channel\r\nThe most sophisticated component. The device maintains a continuous keep-alive channel to a third C2 server\r\nusing a custom binary UDP protocol. This channel operates 24 hours a day, 7 days a week, regardless of whether\r\nanyone is using the projector.\r\nField Value\r\nDomain .o.fecebbbk[.xyz] (typosquatting — mimics .o.facebook.[com])\r\nIP 44[.]205[.]227[.]254 (AWS us-east-1)\r\nPort 16000\r\nProtocol Custom binary UDP\r\nBeacon interval Every ~65 seconds\r\nDNS Beaconing — Observed Behavior\r\nThe device queries o.fecebbbk[.xyz] with programmatic regularity around the clock. 
Over a 3.5-minute\r\nobservation window, four queries were captured:\r\n17:55:08 → DNS query: .o.fecebbbk[.xyz] resolves to 44[.]205[.]227[.]254\r\n17:56:15 → DNS query: .o.fecebbbk[.xyz] resolves to 44[.]205[.]227[.]254 (+67 seconds)\r\n17:57:19 → DNS query: .o.fecebbbk[.xyz] resolves to 44[.]205[.]227[.]254 (+64 seconds)\r\n17:58:27 → DNS query: .o.fecebbbk[.xyz] resolves to 44[.]205[.]227[.]254 (+68 seconds)\r\nAverage interval: 65 seconds\r\nThis regularity is machine-generated. No human activity produces timing this consistent.\r\nThe DNS responses are configured with a deliberate 60-second TTL (time-to-live). This is an evasion technique:\r\nby expiring the cached IP every minute, the botnet operators can migrate their C2 infrastructure to new IP\r\naddresses at any time and every infected device worldwide automatically follows within 60 seconds. Blocking a\r\nsingle IP is not sufficient defense.\r\nThe domain o.fecebbbk[.xyz] is a typosquatting domain designed to look like Facebook's mobile API\r\nendpoint o.facebook.[com] at a quick glance. The misspelling ( fecebbbk vs facebook ) is subtle enough to\r\nfool a network administrator scanning logs.\r\nCustom Binary Heartbeat Protocol — Observed Behavior\r\nImmediately after each DNS resolution, the device sends UDP traffic to port 16000 using a custom binary\r\nprotocol with an identifiable structure. The following describes the observed protocol behavior without\r\nreproducing raw capture data:\r\nDevice Check-In Message (32 bytes): The device sends a fixed-size 32-byte packet containing a protocol magic\r\nidentifier ( 0x0000CD ) at a consistent offset, followed by a message type field indicating a check-in/ping\r\n( 0x0001 ). 
The remainder of the packet is empty — the device is simply announcing it is online and requesting\r\nany pending commands.\r\nC2 Server Acknowledgment (36 bytes): The C2 server responds with a 36-byte packet using the same magic\r\nidentifier and a response message type ( 0x0002 ). A status field filled with 0xFF bytes signals no pending\r\ncommands. A 4-byte field at the end of each response contained the victim's public IP address — confirming the\r\nbotnet operators had logged this home's IP in their proxy inventory.\r\nThe magic identifier 0x0000CD is the Vo1d protocol's fingerprint. Any UDP traffic on port 16000 containing\r\nthese bytes at the correct offset is Vo1d botnet heartbeat traffic. This is the basis for the detection signatures below.\r\nThe device retried the heartbeat every 9 to 21 seconds with gradually increasing intervals (exponential backoff),\r\nindicating the malware was attempting to establish a persistent proxy tunnel.\r\nOpen Port Profile (RustScan)\r\nAn active scan of the device revealed 13 simultaneously open network ports — an exact match to the\r\ndocumented Vo1d botnet signature:\r\n7000 7002 7102 7889 7890 8890 9528\r\n10008 10012 10013 45199 55556 62110\r\nNo legitimate consumer projector requires 13 open network ports. This port profile is a standalone indicator of\r\ncompromise. Any device on your network matching this profile should be treated as infected.\r\nResidential Proxy Confirmation\r\nThe C2 server's response packets contained the victim's public IP address embedded as session data. This\r\nconfirms that the botnet operators had successfully registered this home's IP in their proxy catalog. 
The device had\r\nbeen actively routing traffic through this residential IP address for the entire 2+ months it was running.\r\nIndependent Verification\r\nAll findings can be independently verified right now:\r\nPlatform What to Check Result\r\nVirusTotal jaguar-distributor.syslogcollector.[com] 11 of 93 vendors flag as malicious\r\nThreatYeti 38[.]55[.]17[.]113 Risk score 9.2 / 10.0\r\nRustScan Scan any AODIN X1BQ at [device-ip] Will show 13 Vo1d-signature ports\r\nIndicators of Compromise (IOC)\r\nMalicious Domains\r\nota.triplesai.[com]\r\nsyslogcollector.[com]\r\njaguar-distributor.syslogcollector.[com]\r\nsd001.jaguar-distributor.syslogcollector.[com]\r\nsd002.jaguar-distributor.syslogcollector.[com]\r\nsd003.jaguar-distributor.syslogcollector.[com]\r\n.o.fecebbbk[.xyz]\r\nfecebbbk[.xyz]\r\nMalicious IP Addresses\r\n111[.]230[.]36[.]129 Tencent Cloud Fake OTA server\r\n38[.]55[.]17[.]113 Unknown C2 registration / proxy assignment\r\n38.55.17.150 Unknown Proxy traffic endpoint\r\n44[.]205[.]227[.]254 AWS us-east-1 UDP heartbeat C2\r\nMalicious Ports\r\n8080 Fake OTA HTTP registration\r\n12000 C2 proxy assignment\r\n21001 Proxy traffic routing\r\n16000 Vo1d UDP heartbeat protocol\r\nVo1d Port Signature (device scan)\r\n7000, 7002, 7102, 7889, 7890, 8890, 9528,\r\n10008, 10012, 10013, 45199, 55556, 62110\r\nBinary Protocol Fingerprint\r\nUDP traffic to port 16000 containing bytes 0x00 0x00 0xCD at payload offset 1–3\r\n= Vo1d botnet heartbeat protocol\r\nDetection Rules (Suricata / Security Onion)\r\n# Vo1d DNS beacon detection\r\nalert dns any any -\u003e any any (\r\n msg:\"Vo1d Botnet DNS Beacon - fecebbbk[.xyz]\";\r\n dns.query; content:\"fecebbbk[.xyz]\";\r\n sid:1000030; rev:1;\r\n)\r\n# Vo1d binary protocol magic bytes\r\nalert udp any any -\u003e any 16000 (\r\n msg:\"Vo1d Botnet UDP Heartbeat - Magic Bytes\";\r\n content:\"|00 00 cd|\"; offset:1; depth:3;\r\n sid:1000031; 
rev:1;\r\n)\r\n# Vo1d fake OTA registration\r\nalert http any any -\u003e 111[.]230[.]36[.]129 8080 (\r\n msg:\"Vo1d Botnet Fake OTA Registration\";\r\n sid:1000032; rev:1;\r\n)\r\n# Vo1d C2 registration server\r\nalert tcp any any -\u003e 38[.]55[.]17[.]113 12000 (\r\n msg:\"Vo1d Botnet C2 Registration\";\r\n sid:1000033; rev:1;\r\n)\r\n# DNS beaconing pattern threshold (3+ queries in 5 minutes)\r\nalert dns any any -\u003e any 53 (\r\n msg:\"Vo1d Botnet DNS Beaconing Pattern\";\r\n dns.query; content:\"fecebbbk\";\r\n threshold: type both, track by_src, count 3, seconds 300;\r\n sid:1000034; rev:1;\r\n)\r\nRecommended Actions\r\nIf You Own This Device\r\n1. Power it off immediately — disconnect from your network now\r\n2. Do not factory reset — the malware lives in firmware, not user data\r\n3. Contact Amazon for a full refund citing pre-installed malware\r\n4. Check your router DNS logs for queries to any of the IOC domains above\r\n5. Contact your ISP — your IP may have been flagged for abuse traffic generated by this device\r\n6. Consider filing a report with the FBI Internet Crime Complaint Center: ic3.gov\r\nIf You Are a Network Administrator\r\n1. Block all IOC domains and IPs at your perimeter firewall immediately\r\n2. Load the Suricata rules above into your IDS\r\n3. Scan your network for devices matching the 13-port Vo1d signature\r\n4. Alert any users who may have purchased AODIN devices\r\nIf You Are a Security Researcher\r\nMachine-readable IOC files are in the /iocs/ directory. Detection rules are in /mitigation/ . 
If you have\r\nadditional findings about AODIN devices or Vo1d variants, please open an issue or submit a pull request.\r\nInvestigation Timeline\r\nDate Event\r\nSept 10, 2025 Malware baked into firmware (confirmed by firmware build timestamp)\r\nDec 7, 2025 Device purchased on Amazon, listed as new\r\nDec 2025 – Feb 2026 Device used daily for streaming — malware active, completely undetected\r\nFeb 2026 Manual packet capture performed as a proactive threat hunting exercise\r\nFeb 2026 DNS beaconing pattern identified by hand — no automated alert triggered\r\nFeb 2026 Full investigation completed — device permanently powered off\r\nFeb 2026 Public disclosure published\r\nAbout This Disclosure\r\nThis disclosure was conducted by a private individual who purchased this device as a consumer. The investigation\r\nbegan as a proactive threat hunting exercise — a manual packet capture performed with no prior suspicion, as\r\npart of a self-directed learning journey in network security.\r\nNo automated alert triggered this investigation. The malware was identified through manual traffic analysis:\r\nrecognizing that a consumer projector was querying the same domain every 65 seconds with machine-perfect\r\ntiming. That pattern recognition, applied to a routine packet capture, uncovered factory-installed botnet malware\r\nthat had operated silently for over two months.\r\nAll findings were independently verified through public threat intelligence platforms before disclosure. The\r\nAmazon product listing was confirmed active at time of publication. A formal complaint has been submitted to\r\nAmazon requesting immediate removal of ASIN B0DGX51JPC.\r\nRaw network capture files are not published in this repository. Traffic analysis was performed and\r\ndocumented, but raw captures are withheld to protect victim privacy. 
The behavioral descriptions above accurately\r\nand completely represent all observed malicious activity.\r\nRelated Research\r\nQiAnXin X-Lab — Original Vo1d Botnet Research\r\nVirusTotal — jaguar-distributor.syslogcollector.[com]\r\nThreatYeti — 38.55.17.113\r\nContributing\r\nIf you own an AODIN device and want to check whether it is infected, see CONTRIBUTING.md for step-by-step\r\ninstructions. Community verification of additional affected devices is welcome.\r\nPublished for public safety and security research purposes.\r\nSource: https://github.com/jrm360seclab/aodin-vo1d-malware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://github.com/jrm360seclab/aodin-vo1d-malware"
	],
	"report_names": [
		"aodin-vo1d-malware"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434285,
	"ts_updated_at": 1775791431,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/569a2c1d408194ba7b942ef6bcb4a13f8a912e3a.pdf",
		"text": "https://archive.orkl.eu/569a2c1d408194ba7b942ef6bcb4a13f8a912e3a.txt",
		"img": "https://archive.orkl.eu/569a2c1d408194ba7b942ef6bcb4a13f8a912e3a.jpg"
	}
}