{
	"id": "bdc30e1d-ed43-4806-9036-fb97d65a4864",
	"created_at": "2026-04-06T00:09:54.085361Z",
	"updated_at": "2026-04-10T13:12:16.985113Z",
	"deleted_at": null,
	"sha1_hash": "5b9b52e5a92d524378327c8700bd604320072693",
	"title": "Varenyky: Spambot à la Française",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2692872,
	"plain_text": "Varenyky: Spambot à la Française\r\nBy ESET Research\r\nArchived: 2026-04-05 17:00:09 UTC\r\nIntroduction\r\nIn May 2019, ESET researchers observed a spike in ESET telemetry data regarding malware targeting France.\r\nAfter further investigations, we identified malware that distributes various types of spam. One of them leads\r\nto a survey that redirects to a dodgy smartphone promotion while the other is a sextortion campaign. The spam\r\ntargets the users of Orange S.A., a French ISP. We notified them before the release of this publication.\r\nWe believe the spambot is under heavy development and it has changed a lot since the first time we saw it.\r\nA mention of this threat was posted on Twitter by AnyRun; however, to the best of our knowledge no one has\r\npublished a detailed analysis of it. We named this new malware Varenyky, and on July 22nd, ESET researchers\r\nsaw it launch its first sextortion scam campaign.\r\nThis spambot is interesting because it can steal passwords, spy on its victims’ screen using FFmpeg when they\r\nwatch pornographic content online, and communication to the C\u0026C server is done through Tor, while spam is sent\r\nas regular internet traffic. This article describes the functionality of the malware.\r\nDistribution and targets\r\nDistribution\r\nVarenyky was seen for the first time early in May 2019. At this time, we unfortunately cannot tell how it was\r\ndistributed, but the more recent email phishing distribution and context suggest that the operator has been using\r\nthis technique since the beginning.\r\nOne month later, in June 2019, we saw the first malicious document that initiates the infection of the victim’s\r\ncomputer, attached to an email message (Figure 1).\r\nhttps://www.welivesecurity.com/2019/08/08/varenyky-spambot-campaigns-france/\r\nPage 1 of 16\n\nFigure 1. Screenshot of email distributing Varenyky downloader\r\nThat email states that a bill of €491.27 is available and attached. 
The Microsoft Word document filename contains\r\nthe word “facture”, which is the French word for “bill”. Also, when the victim opens the document, it states that the\r\ndocument is protected by Microsoft Word and “requires human verification”.\r\nFigure 2. Malicious document\r\nThe content of the document (Figure 2) explains how to enable the “human verification”, which, in fact, is how to\r\nenable macros. For security purposes, Word macros are not enabled by default and need user interaction to\r\nexecute.\r\nOverall, the email text content, the document’s filename and the “protected” content of the document emphasize to\r\nthe recipients that they are dealing with a real bill and that they should open it. The quality of the French is very\r\ngood; overall, the document is convincing.\r\nTargets\r\nVarenyky targets the French. The macro (Figure 3) contained in the Word document has two purposes: the first is\r\nto filter out non-French victims based on their computers’ locale and the second is to download and execute the\r\nmalware.\r\nFigure 3. Word macro\r\nThe macro uses the function Application.LanguageSettings.LanguageID() to get the language ID of the victim’s\r\ncomputer. This ID contains the country and the language set by the user. The script checks if the value returned is\r\n1036 in decimal (or 0x40C in hexadecimal); according to the Microsoft documentation, this value corresponds\r\nto France and the French language (Figure 4).\r\nFigure 4. 
Language ID table\r\nThis is a good trick to fool automatic sample analyzers and to avoid drawing attention, since it limits the\r\nnumber of computer configurations on which this malware will be installed.\r\nIt’s worth noting that by using this specific locale identifier, it excludes French-speaking countries other than\r\nFrance such as Belgium and Canada, which have their own identifiers.\r\nThere is also an additional language check in the downloaded executable regarding the keyboard layout. This\r\ncheck is done at the very beginning of the executable that is downloaded and run by the macro (Figure 5).\r\nFigure 5. Hex-Rays output of keyboard layout check\r\nOnce again, a verification is done to filter out people with a keyboard layout in English or Russian. If it matches,\r\nit displays the following message box (Figure 6) and exits.\r\nFigure 6. Message box for English and Russian keyboard layouts\r\nLet’s describe the malware’s functionality once it’s running on a system it targets.\r\nTechnical analysis \u0026 functionality\r\nOlder variants of Varenyky used the UPX packer, but recent samples use a custom packer. The custom unpacker\r\nwill first XOR its payload with a 32-character-long alphanumeric string and then decompress it using the LZNT1\r\nalgorithm, which is a variant of LZ77. The unpacked malware is never written to disk.\r\nIf the malware has not yet been installed, it will create a directory in %APPDATA% with a specific name. It's an\r\nupper-case hash made of the machine’s GUID, user name, computer name and CPU name: see Figure 7. It creates\r\na mutex named with this same hash to avoid two instances running at the same time.\r\nFigure 7. 
Functions that gather information used to compute the hash\r\nThe malicious payload will then extract multiple libraries and the Tor executable, which are embedded inside\r\nitself, to the directory it just created. These libraries include zlib and dependencies for programs compiled with\r\nMinGW. The malware’s executable is finally copied to this directory and the original is deleted from the\r\ntemporary directory where it was downloaded via the macro.\r\nIt also makes itself persistent by adding an entry to HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run in\r\nthe Windows Registry. The mutex is released and the malware restarts itself from its directory in %AppData%.\r\nOn the second run, the malware notices that it is already installed. It will execute Tor and fetch its external IP\r\naddress using AWS’ checkip.amazonaws.com service.\r\nIt will start two threads: one that’s in charge of sending spam and another one that can execute commands coming\r\nfrom its C\u0026C server. This is where versions of the malware differ. Some variants have more threads that are\r\nsending spam at the same time and some have different functionalities when it comes to the commands that the\r\nC\u0026C server can have it execute. All communication to the C\u0026C is done through Tor at\r\njg4rli4xoagvvmw47fr2bnnfu7t2epj6owrgyoee7daoh4gxvbt3bhyd.onion using the HTTP protocol.\r\nEarly versions of the malware could receive a command to download a file and execute it. The malware was able\r\nto handle executable files, batch files and PowerShell scripts. Support for the last was later removed. The malware\r\ncould also be instructed to update itself with an executable that had to be downloaded from a specific URL. 
There\r\nis another command that will uninstall the malware from the computer, although it doesn’t remove the change that\r\nit made to the registry.\r\nA new command was later added, allowing the malware to deploy NirSoft’s WebBrowserPassView and Mail\r\nPassView tools. These are password recovery tools for web browser and email client passwords. They are\r\nroutinely abused by malware and thus detected by ESET as potentially unsafe applications. Both are\r\nLZNT1‑compressed executable files embedded inside the malware. They are extracted, injected into another\r\nexecutable and run once to steal the victim’s passwords, which are then exfiltrated to the C\u0026C server.\r\nThe most recently added command will create a hidden desktop on the victim’s computer. The malware can be\r\ndirected to start various applications that have a graphical interface, such as web browsers and the Windows Run\r\ndialog, on this invisible desktop. It has the ability to accomplish various tasks, such as navigating menus, reading\r\ntext, taking screenshots, clicking on the screen, and also minimizing, restoring and maximizing windows.\r\nThe C\u0026C commands are summarized in Table 1.\r\nTable 1. List of commands that can be sent by the C\u0026C server\r\nCommand name: Description\r\nDL_EXEC: Downloads a file (.exe or .bat) that the malware will execute\r\nUPDATE: Downloads an executable to replace the malware’s executable\r\nUNINSTALL: Removes the malware from the computer’s disk\r\nNIRSOFT: Extracts NirSoft’s WebBrowserPassView and Mail PassView, runs them once and sends the results to the C\u0026C server\r\nHIDDEN_DESK: Creates a hidden desktop to accomplish various tasks\r\nA feature that appeared, was modified in subsequent versions and was finally removed was a function\r\nthat made the malware scan the titles of the open windows on the computer. 
If the malware found a porn-related\r\nword in French or the word “bitcoin” in the title of a window, it sent the window’s title to its C\u0026C server.\r\nFigure 8. Words that the malware looked for\r\nThis feature was later changed so that when encountering the word “sexe”, the malware would record the\r\ncomputer’s screen using an FFmpeg executable that it previously would have downloaded through the Tor\r\nnetwork. The video was uploaded to the C\u0026C server after it was recorded.\r\nThese videos could have been used for convincing sexual blackmail, a practice called sextortion. It’s unknown if\r\nthese videos were recorded out of curiosity by the author(s) of the spambot or with an intention to monetize them\r\nthrough sextortion. Different versions of this malware used different strings to identify themselves to the C\u0026C server.\r\nOne of them was “Bataysk”, which is a Russian city known to have a \"monument that shows a man's hand\r\ngripping a nubile female breast\". Another sample identified with “PH”, which probably stands for the initials of a\r\npopular pornography website. And another version identified with the string “Gamiani_MON”; Gamiani is a\r\nFrench erotic novel and “MON” probably means “monitoring”.\r\nC\u0026C server home page\r\nOver time, many changes were made to what appears to be the C\u0026C server’s login panel. At first (Figure 9), it\r\ndisplayed the VADE RETRO SATANA verse in Latin and a red-eyed statue of Marianne, a national\r\npersonification of the French Republic. On the upper-right, the sign in German reads “Stop – State border – No\r\nentry”. The word “войти” on the button below the keypad means “login” in Russian and Ukrainian.\r\nFigure 9. 
First version of the login panel\r\nIt was later updated to play the song \"F*ck them all\" by Mylène Farmer when viewing the web page (Figure 10).\r\nFigure 10. C\u0026C server login panel with song player added\r\nIn the last update that added content, seen in Figure 11, the C\u0026C login panel displays dancing parrots with a\r\nSerbian flag. It makes a reference to OCaml, a programming language created by French people. Ricard is a\r\nreference to the 1963 movie The Pink Panther. On the lower-right, it says, in French, “Alcohol abuse is dangerous\r\nfor your health, drink with moderation”, which is the official warning on alcohol advertisements in France. The\r\npicture above the warning shows a Jelen pivo pale lager from a Serbian brewery. The song that plays is now\r\n“Opa!” by the Russian band Diskoteka Avariya.\r\nFigure 11. Screenshot of the login panel of the C\u0026C server\r\nAt the time of publication of this blog post, the login panel has been cleaned up and only the keypad remains.\r\n“You’ve got mail”\r\nThis spambot will send emails using the SMTP protocol through port 25 and only targets the customers of the\r\nFrench ISP Orange. Each bot receives instructions from the C\u0026C server in order to craft an email, including the\r\nbody of the message, a list of email addresses to spam and the server to use to send the emails. The mail servers\r\nused to relay the spam don’t look like they belong to the malicious actors; they look like servers that have not\r\nbeen properly secured and they don’t require authentication.\r\nFigure 12. Two different spam emails\r\nSpam messages sent by this spambot are as simple as “If this message doesn’t show up correctly, click here” or\r\n“Please follow the link: \u003cURL\u003e” (Figure 12). 
There are also emails with attachments. These links lead to a scam,\r\nwhich is a survey (Figure 13) where the victim always “wins” a promotion for a recent smartphone.\r\nFigure 13. Survey where the victim always wins a smartphone\r\nThe link takes victims to a site where they apparently have a chance to “win” a prize such as an iPhone X, a\r\nGalaxy S9 or S10+ for €2 or less (Figure 14). To win, they need “only” enter their personal information: name,\r\naddress, city, email and phone number. The email address that is entered may be rejected if it’s not what the web\r\npage expects, but if successful, the victims will be asked to enter their credit card information including its\r\nvalidation numbers.\r\nPeople should avoid providing their credit card information to websites they don’t know for deals that are too\r\ngood to be true. Such deals are often a scheme to get unwitting users' credit card information in order to charge\r\nthem monthly fees, which the user can sometimes learn about by scrutinizing the fine print. Legitimate contests\r\ndon’t charge winners a fee to claim their prize.\r\nFigure 14. Scam pages with smartphones\r\nAlthough Varenyky has the ability to record a video of the display while the computer’s user is probably viewing\r\npornography, so far we have seen no evidence of the malware operator leveraging such video. However,\r\ncoincidentally, on July 22nd we saw Varenyky start a sextortion scam campaign. It is important to note that this\r\ncampaign is an example of the common sextortion scam that has been widely documented and does not appear to\r\nbe related to Varenyky’s partial ability to carry out the functions of the fictitious malware described in these scam\r\nemails. Figure 15 depicts the scam message we saw Varenyky sending. 
These emails consist of three JPG images\r\nthat are used to bypass text-based spam filters.\r\nFigure 15. Screenshot of the sextortion email\r\nThis email claims that its author, a hacker, has gained access to the victim’s computer through a virus that\r\nwas caught while visiting an adult website (the translation of this is much like that in the English version\r\ndocumented here). It says that the victim has particular tastes in pornography and that the hacker has gained\r\nremote control over the victim’s computer. The email also says a video has been made where on one half of the\r\nscreen is a recording of the victim’s browser and the other half is a recording from the webcam of “you having...\r\nfun”.\r\nFurthermore, the email says a copy has been made of the victim’s contact list, pictures, passwords, bank account\r\ndata and more. It states that the recipient of this email is not the only victim and promises that the victim will be left\r\nalone once €750 are paid in bitcoin to the BTC address 1PBpawAYJG7FfAxmTagU34CfEFoNobb1Re.\r\nThe email says the victim has 72 hours to pay before the video is sent to family and colleagues, and posted on Facebook,\r\nTwitter and elsewhere. 
It is said that changing passwords, deleting the virus, sending the computer for repair or\r\ncleaning the computer will be useless because the victim’s data is on a remote server (“Don't think I’m a fool”).\r\nFor proof, the victim can answer “Yes” to the email so the video is sent to six of their most valuable contacts.\r\nThe email ends with “This offer is non-negotiable, do not waste my time and yours, think about the consequences\r\nof your actions”.\r\nAll the email addresses that were seen being targeted are on the domains wanadoo.fr and orange.fr; both are\r\noperated by the French ISP Orange S.A. A single bot can send as many as 1500 emails an hour.\r\nAt the time of publication, the bitcoin address in the scam email had received four payments. The bitcoin address\r\nhas already been reported on bitcoinabuse.com for sextortion (Figure 16).\r\nFigure 16. Screenshot of the bitcoin address reported on BitcoinAbuse\r\nConclusion\r\nThis spambot is not very advanced, but the context and story around it make it interesting. The fact that it\r\ntargets France could indicate that the operator has some understanding of French, reading or speaking\r\nthe language, or maybe both. 
However, the Word document showed us a lack of attention in the operator’s work.\r\nIn the macro, the operator forgot to change the value of the test_debug variable, which means that the malware\r\nwill be downloaded whatever the language ID is (French or not French).\r\nThere are many functions related to possible extortion or blackmail of victims watching pornographic content, but\r\ndespite having sent unrelated sextortion scam emails, the operator has not leveraged these as far as we can tell.\r\nMany functions have been added and then quickly removed across many different versions in a short period of\r\ntime (two months). This shows that the operators are actively working on their botnet and are inclined to\r\nexperiment with new features that could bring a better monetization of their work.\r\nWe recommend that people be careful when they open attachments from unknown sources. Keep the system as well\r\nas security software up to date.\r\nAcknowledgments\r\nThanks to Alexandre-Xavier Labonté-Lamoureux for the technical analysis.\r\nThanks to our peers at proofpoint.com for allowing us to use a screenshot of the phishing email.\r\nIndicators of Compromise (IoCs)\r\nHashes (SHA-1) ESET detection names\r\n
PDB paths\r\nC:\\NoCy\\Release\\Varenyky.pdb\r\nC:\\Users\\lenovo\\Desktop\\NoCy\\Release\\Varenyky.pdb\r\nC:\\UnTroueCunTroueKhouya\\Release\\UnTroueCunTroueKhouya.pdb\r\nNetwork\r\nSource: https://www.welivesecurity.com/2019/08/08/varenyky-spambot-campaigns-france/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.welivesecurity.com/2019/08/08/varenyky-spambot-campaigns-france/"
	],
	"report_names": [
		"varenyky-spambot-campaigns-france"
	],
	"threat_actors": [],
	"ts_created_at": 1775434194,
	"ts_updated_at": 1775826736,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5b9b52e5a92d524378327c8700bd604320072693.pdf",
		"text": "https://archive.orkl.eu/5b9b52e5a92d524378327c8700bd604320072693.txt",
		"img": "https://archive.orkl.eu/5b9b52e5a92d524378327c8700bd604320072693.jpg"
	}
}