{
	"id": "ff48fe5a-871e-45d5-9662-085041067faf",
	"created_at": "2026-04-06T00:08:33.316787Z",
	"updated_at": "2026-04-10T03:20:27.733376Z",
	"deleted_at": null,
	"sha1_hash": "5bf97591c9e970a41e15e6cc4fc70665b7bf8e91",
	"title": "DevOpt | ThreatLabz",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1493568,
	"plain_text": "DevOpt | ThreatLabz\r\nBy Shatak Jain, Meghraj Nandanwar\r\nPublished: 2023-04-18 · Archived: 2026-04-05 22:44:01 UTC\r\nAdditional Analysis\r\nAfter analyzing the malware, our observations revealed that it contains numerous capabilities. The following functionalities were observed:\r\nPersistence\r\nPersistence refers to a malware's capability to remain active on a system even after a reboot or shutdown. This can be achieved by adding entries to the Windows Registry or by creating scheduled tasks. Once a malware establishes persistence, it can continue to operate in the background and carry out malicious activities undetected by the user.\r\nUpon closer observation, researchers noticed that the malware replicated itself in the Startup folder, enabling it to initiate automatically whenever the computer is powered on. Further observations of different versions revealed that it duplicates itself with a name devopt[random 2 digits].exe under the following path:\r\nC:\\Users\\User\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup.\r\nFig 3. - Persistence mechanism\r\nClipper\r\nA clipper malware is created to pilfer confidential data from victims. Once it is installed on a victim's device, it can record the clipboard data, which can potentially be used to steal other sensitive information like login credentials, credit card numbers, or other financial data.\r\nResearchers noticed that the malware generates a file called 'clippa.dan' in the C:\\User\\[User] directory, which logs all the information copied to the clipboard.\r\nFig 4. - Clipper logging data from the system\r\nhttps://www.zscaler.com/blogs/security-research/introducing-devopt-multifunctional-backdoor-arsenal\r\nPage 1 of 5\r\nStealer\r\nA stealer malware is created to pilfer sensitive information, such as login credentials, credit card details, and other personal data. Once it is installed on a victim's device, it can monitor the user's activity and steal sensitive information.\r\nThe malware generates two files, namely 'cdck.bin' and 'bdck.bin,' in the C:\\User\\[User] directory, which steal the credentials, cookies, history, and version information of the two specific browsers, respectively.\r\n1. Chrome browser data collected from infected system:\r\n[C:\\Users\\User\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network\\Cookies]\r\n[C:\\Users\\User\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History]\r\n[C:\\Users\\User\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data]\r\n[C:\\Users\\User\\AppData\\Local\\Google\\Chrome\\User Data\\Last Version]\r\n2. Yandex data collected from infected system:\r\n[C:\\Users\\User\\AppData\\Local\\Yandex\\YandexBrowser\\User Data\\Default\\Network\\Cookies]\r\n[C:\\Users\\User\\AppData\\Local\\Yandex\\YandexBrowser\\User Data\\Default\\Network\\History]\r\n[C:\\Users\\User\\AppData\\Local\\Yandex\\YandexBrowser\\User Data\\Default\\Ya Passman Data]\r\n[C:\\Users\\User\\AppData\\Local\\Yandex\\YandexBrowser\\User Data\\Default\\Ya Autofill Data]\r\nKeylogger\r\nKeylogger malware is specifically designed to capture every keystroke made by a user on their device. This can be used to steal sensitive information like login credentials, credit card details, and other personal data.\r\nIn this case, the malware creates a file named ‘Kebba.dan’ in the C:\\User\\[User] directory to log the keystrokes of the user.\r\nFig 5. - Keylogger logging keystrokes\r\nGrabber\r\nFig 6. - Grabber enumerating the directories for stealing file contents\r\nGrabber malware is created to illicitly obtain files and other data from an infected device. It targets text, Word, Excel, and RTF files stored in the Document, Download, or Desktop directories, and saves the stolen data in a file named “grb.bin” located in the C:\\User\\[User] directory.\r\nFig 7. - Grabber file contents stealing data\r\nDropped text file\r\nIn previous versions of this backdoor, researchers observed that it drops a file called ‘unpacked.dt’ in the ‘data’ folder of the current directory. This file is likely designed to confuse malware analysts because it appears to be an encoded malicious payload, but in reality, it contains randomly generated alphanumeric strings. In newer versions of the backdoor, a similar file named ‘0.txt’ is dropped in the current directory, which contains random strings that are hardcoded into the malware itself.\r\nFig 8. - Generating random alphanumeric strings for unpacked.dt file\r\nConfiguration File\r\nThe researchers noted the presence of a configuration file named \"Winkeyjet.ini\" that was dropped in the Users directory. This file contains information about the compromised system, such as the name of the operating system, a unique Device_ID, and the version number (Version) that represents the major version information of the compromised system. Additionally, the file includes the malware's own hardcoded version (OwnVer). The configuration file also specifies the Command and Control (CnC) server, which is responsible for providing instructions to the malware once it has been successfully installed.\r\nFig 9. - Configuration file generated recording the device and version information\r\nAdditional investigation has uncovered that certain malware samples that are still in the early stages of development display a message box that contains the text \"putin Xyilo\", which is a slogan that ridicules Russian President Vladimir Putin.\r\nFig 10. - Msgbox displayed in underdeveloped versions of malware\r\nSource: https://www.zscaler.com/blogs/security-research/introducing-devopt-multifunctional-backdoor-arsenal",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.zscaler.com/blogs/security-research/introducing-devopt-multifunctional-backdoor-arsenal"
	],
	"report_names": [
		"introducing-devopt-multifunctional-backdoor-arsenal"
	],
	"threat_actors": [],
	"ts_created_at": 1775434113,
	"ts_updated_at": 1775791227,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5bf97591c9e970a41e15e6cc4fc70665b7bf8e91.pdf",
		"text": "https://archive.orkl.eu/5bf97591c9e970a41e15e6cc4fc70665b7bf8e91.txt",
		"img": "https://archive.orkl.eu/5bf97591c9e970a41e15e6cc4fc70665b7bf8e91.jpg"
	}
}