{
	"id": "d5fb61bd-d428-4220-bf4d-24ee96faea24",
	"created_at": "2026-04-06T00:07:28.873675Z",
	"updated_at": "2026-04-10T13:11:44.935326Z",
	"deleted_at": null,
	"sha1_hash": "597578e3affd2e7e90527d1d1ddfa65476c9a47d",
	"title": "Decoding RevC2 strings",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 51007,
	"plain_text": "Decoding RevC2 strings\r\nBy Jason Reaves\r\nPublished: 2024-12-19 · Archived: 2026-04-05 22:40:35 UTC\r\nZscaler recently reported on RevC2, a component being leveraged in campaigns and related to Venom Spider[1]. Some of the recent samples we looked at have their strings obfuscated.\r\nf598477a2cac439195ccf740bb38f50c2032a80be1cfeb5d34e1577f750c72bb\r\nThe sample builds out a decoding table using hardcoded data:\r\n@AB,0xffffffff,CDEFGHIJ456789:;\u003c=KLMNOPQ,0x00,0x01,0x02,0x3,0x4,0x5,0x6, 0x7,0x8,0x9,0xa,0xb,0xc-0x19\r\nThe table aligns with basE91 decoding. The alphabet string in the binary looks more like base95, but for decoding we can simply rip the decode table out of the sample and use it to decode the strings; any byte that maps to 0xff in the table is skipped. Reusing the ripped table also lets us check quickly whether the alphabet stays static by running the same decoder over lots of samples.\r\nAfter the base91 decoding, the result is XOR-decoded with a hardcoded key string. Starting from some basE91 decode code in Python, we can build a decoder:\r\nimport struct\r\n\r\n# 256-entry decode table ripped from the sample (255 = byte is not part of the alphabet and is skipped); truncated here\r\ndecode_table = [255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255]\r\n\r\ndef decode(encoded_str):\r\n    ''' Decode a Base91 byte string to a bytearray '''\r\n    v = -1\r\n    b = 0\r\n    n = 0\r\n    out = bytearray()\r\n    for strletter in encoded_str:\r\n        c = decode_table[strletter]\r\n        if c == 255:\r\n            continue  # not part of the alphabet, skip it\r\n        if v \u003c 0:\r\n            v = c  # first symbol of a pair\r\n        else:\r\n            v += c * 91  # second symbol completes the 13/14-bit value\r\n            b |= v \u003c\u003c n\r\n            n += 13 if (v \u0026 8191) \u003e 88 else 14\r\n            while True:  # flush whole bytes from the bit buffer\r\n                out += struct.pack('B', b \u0026 255)\r\n                b \u003e\u003e= 8\r\n                n -= 8\r\n                if not n \u003e 7:\r\n                    break\r\n            v = -1\r\n    if v + 1:  # a dangling single symbol carries the last bits\r\n        out += struct.pack('B', (b | v \u003c\u003c n) \u0026 255)\r\n    return out\r\n\r\ndef decr(a):\r\n    ''' Base91-decode a string, then XOR it with the hardcoded key '''\r\n    t = decode(a)\r\n    key = bytearray(b'8dPtXeHtprHxQELs')\r\n    for i in range(len(t)):\r\n        t[i] ^= key[i % len(key)]\r\n    return t\r\nDecoding strings:\r\nbytearray(b'cmd /c ')\r\nbytearray(b'dir \"%LocalAppData%\\\\Login Data\" /s /b \u0026 dir \"%appdata%\\\\Login Data\" /s /b')\r\nbytearray(b'dir \"%LocalAppData%\\\\Cookies\" /s /b \u0026 dir \"%appdata%\\\\Cookies\" /s /b')\r\nbytearray(b'C:\\\\ProgramData\\\\Temp\\\\Cookies')\r\nbytearray(b'C:\\\\ProgramData\\\\Temp')\r\nbytearray(b'SELECT host_key, name, encrypted_value, path, is_secure, is_httponly, samesite, expires_u\r\nbytearray(b'new.ocx')\r\nbytearray(b'ws://nopsec.]org:8082')\r\nAnother sample (c81d49c1907f27ea24a938ebbeb5f21bd30b4b186d99ec9c9458ce34f6bef72e):\r\nbytearray(b'cmd /c ')\r\nbytearray(b'dir \"%LocalAppData%\\\\Cookies\" /s /b \u0026 dir \"%appdata%\\\\Cookies\" /s /b')\r\nbytearray(b'C:\\\\ProgramData\\\\Temp\\\\Cookies')\r\nbytearray(b'C:\\\\ProgramData\\\\Temp')\r\nbytearray(b'SELECT host_key, name, encrypted_value, path, is_secure, is_httponly, samesite, expires_u\r\nbytearray(b'module.ocx')\r\nbytearray(b'ws://finatick.]com:8082')\r\nContinuing to trace the samples back, we found a few different versions, such as this one that writes the data to disk:\r\na10266c38c5f24201aa68cb3b0f7f24f44f4b5df635c5e2aebddb041b00d8a8f\r\nIOCs:\r\njetmains.]com:8082\r\nzoho-cloudfront.]com:8082\r\nfinatick.]com\r\nnopsec.]org\r\nPotentially distribution related:\r\ncloudyvault.]org\r\ncloudmort.]com\r\nseopager.]xyz\r\ngdrive.]rest\r\nshadon.]net\r\nsharesmydrive.]com\r\nOCX filename checks:\r\nxpr.ocx\r\nnew.ocx\r\nbrain.ocx\r\ndWin.ocx\r\nfer.ocx\r\niDriver.ocx\r\nbajo.ocx\r\nmojo.ocx\r\nmodule.ocx\r\npp.ocx\r\nReferences\r\n1: https://www.zscaler.com/blogs/security-research/unveiling-revc2-and-venom-loader\r\n2: https://thedfirreport.com/2024/12/02/the-curious-case-of-an-egg-cellent-resume/\r\nSource: https://medium.com/walmartglobaltech/decoding-revc2-strings-b3c72af07a55",
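The decoder in the post depends on the 256-entry table ripped from the sample, which the archived copy does not reproduce in full. The block below is an added example, not code from the original post or from the malware, showing the same two-layer scheme end to end: build the decode table from an alphabet, run the basE91 decode (same 13/14-bit step, skipping bytes that map to 0xff), then XOR with the key recovered in the post. The alphabet used here is the standard basE91 alphabet, an assumed stand-in for the custom alphabet in the RevC2 samples; to decode real samples, replace DECODE_TABLE with the table ripped from the binary. The encoder exists only so that test fixtures can be constructed offline.

```python
"""Two-layer string decoder: basE91 decode, then repeating-key XOR.

Added example, not the post's or the malware's code. The alphabet below is the
standard basE91 alphabet, used as an ASSUMED stand-in for the custom alphabet in
the RevC2 samples, which the page does not reproduce. For real samples, replace
DECODE_TABLE with the 256-entry table ripped from the binary; nothing else changes.
"""

# Standard basE91 alphabet (91 printable ASCII characters). Assumption: stand-in only.
BASE91_ALPHABET = (
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
    "!#$%&()*+,./:;<=>?@[]^_`{|}~\""
)

# XOR key recovered from the sample discussed in the post.
XOR_KEY = b"8dPtXeHtprHxQELs"


def build_decode_table(alphabet: str) -> list:
    """256-entry byte -> symbol value table; 0xff marks bytes outside the alphabet."""
    # basE91 needs exactly 91 distinct symbols (values 0..90).
    assert len(alphabet) == 91 and len(set(alphabet)) == 91
    table = [0xFF] * 256
    for value, ch in enumerate(alphabet):
        table[ord(ch)] = value
    return table


DECODE_TABLE = build_decode_table(BASE91_ALPHABET)


def base91_decode(data: bytes, table: list = DECODE_TABLE) -> bytearray:
    """Decode basE91: each symbol pair yields a 13- or 14-bit value, emitted LSB first."""
    v, b, n = -1, 0, 0
    out = bytearray()
    for byte in data:
        c = table[byte]
        if c == 0xFF:            # whitespace or any other non-alphabet byte: skip
            continue
        if v < 0:                # first symbol of a pair
            v = c
            continue
        v += c * 91              # second symbol completes the value
        b |= v << n
        n += 13 if (v & 8191) > 88 else 14
        while n > 7:             # flush whole bytes from the bit buffer
            out.append(b & 0xFF)
            b >>= 8
            n -= 8
        v = -1
    if v + 1:                    # a dangling single symbol carries the last bits
        out.append((b | v << n) & 0xFF)
    return out


def base91_encode(data: bytes, alphabet: str = BASE91_ALPHABET) -> bytes:
    """Reference basE91 encoder, used here only to construct test fixtures."""
    b, n = 0, 0
    out = bytearray()
    for byte in data:
        b |= byte << n
        n += 8
        if n > 13:
            v = b & 8191
            if v > 88:
                b >>= 13
                n -= 13
            else:
                v = b & 16383
                b >>= 14
                n -= 14
            out.append(ord(alphabet[v % 91]))
            out.append(ord(alphabet[v // 91]))
    if n:
        out.append(ord(alphabet[b % 91]))
        if n > 7 or b > 90:
            out.append(ord(alphabet[b // 91]))
    return bytes(out)


def xor_with_key(buf: bytes, key: bytes = XOR_KEY) -> bytes:
    """Repeating-key XOR; the same call obfuscates and deobfuscates."""
    return bytes(x ^ key[i % len(key)] for i, x in enumerate(buf))


def decrypt_string(encoded: bytes, table: list = DECODE_TABLE, key: bytes = XOR_KEY) -> bytes:
    """The scheme described in the post: basE91 decode, then XOR with the key."""
    return xor_with_key(bytes(base91_decode(encoded, table)), key)


def encrypt_string(plain: bytes, alphabet: str = BASE91_ALPHABET, key: bytes = XOR_KEY) -> bytes:
    """Inverse of decrypt_string, for building constructed samples offline."""
    return base91_encode(xor_with_key(plain, key), alphabet)


if __name__ == "__main__":
    # Constructed fixture: obfuscate one of the strings recovered in the post, then recover it.
    blob = encrypt_string(b"cmd /c ")
    print(blob, decrypt_string(blob))
```

Because the decode step only consults the table, checking whether the alphabet stays static across samples reduces to ripping each sample's table and comparing the lists; a table that still decodes the known strings (cmd /c, the dir commands, the ws:// C2) confirms it, and 0xff entries explain why stray whitespace in a blob never breaks the decode.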
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://medium.com/walmartglobaltech/decoding-revc2-strings-b3c72af07a55"
	],
	"report_names": [
		"decoding-revc2-strings-b3c72af07a55"
	],
	"threat_actors": [
		{
			"id": "f2fa9952-301f-4376-ac69-743d6f2bec1e",
			"created_at": "2023-01-06T13:46:39.122721Z",
			"updated_at": "2026-04-10T02:00:03.22231Z",
			"deleted_at": null,
			"main_name": "VENOM SPIDER",
			"aliases": [
				"badbullz",
				"badbullzvenom"
			],
			"source_name": "MISPGALAXY:VENOM SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7a257844-df90-4bd4-b0f1-77d00ff82802",
			"created_at": "2022-10-25T16:07:24.376356Z",
			"updated_at": "2026-04-10T02:00:04.964565Z",
			"deleted_at": null,
			"main_name": "Venom Spider",
			"aliases": [
				"Golden Chickens",
				"TA4557",
				"Venom Spider"
			],
			"source_name": "ETDA:Venom Spider",
			"tools": [
				"More_eggs",
				"PureLocker",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Builder",
				"Taurus Builder Kit",
				"Taurus Loader",
				"Taurus Loader Reconnaissance Module",
				"Taurus Loader Stealer Module",
				"Taurus Loader TeamViewer Module",
				"Terra Loader",
				"TerraCrypt",
				"TerraLogger",
				"TerraPreter",
				"TerraRecon",
				"TerraStealer",
				"TerraTV",
				"TerraWiper",
				"ThreatKit",
				"VenomKit",
				"VenomLNK",
				"lite_more_eggs"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434048,
	"ts_updated_at": 1775826704,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/597578e3affd2e7e90527d1d1ddfa65476c9a47d.pdf",
		"text": "https://archive.orkl.eu/597578e3affd2e7e90527d1d1ddfa65476c9a47d.txt",
		"img": "https://archive.orkl.eu/597578e3affd2e7e90527d1d1ddfa65476c9a47d.jpg"
	}
}