{
	"id": "b845eec5-5c61-4914-b47c-fd0769777b59",
	"created_at": "2026-04-06T00:21:46.779001Z",
	"updated_at": "2026-04-10T03:37:22.774392Z",
	"deleted_at": null,
	"sha1_hash": "606cf748d0ff20f5dcf8d2770855666755a2eb25",
	"title": "Rekoobe Backdoor Discovered in Open Directory, Possibly Targeting TradingView Users",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3348706,
	"plain_text": "Rekoobe Backdoor Discovered in Open Directory, Possibly Targeting TradingView Users\r\nPublished: 2024-10-24 · Archived: 2026-04-05 19:46:50 UTC\r\nTABLE OF CONTENTS\r\nIntroduction\r\nDiscovery of the Open Directory \u0026 Malware\r\nInfrastructure Analysis: TradingView Lookalike Domains and Hosting Connections\r\nExpanded Network Findings\r\nConclusion\r\nNetwork Observables\r\nFile Information\r\nIntroduction\r\nRekoobe is a versatile backdoor previously deployed by APT31, also known as Zirconium, among other adversaries involved in cyber espionage and data theft. With code partially based on the publicly available Tiny SHell, the malware has evolved to use enhanced encryption techniques and unique command-and-control configurations to hinder analysis and evade detection.\r\nWhile researching open directories, we uncovered two Rekoobe samples, prompting a deeper investigation into the hosting IP. Upon further analysis, we discovered a handful of domains resembling TradingView, a widely used platform for charting, trading, and sharing financial insights.\r\nThese suspicious domains suggest a potential interest in targeting the site's community. By pivoting on shared SSH keys, we identified additional infrastructure potentially linked to this campaign, including another open directory.\r\nDiscovery of the Open Directory \u0026 Malware\r\nWe found an open directory at 27.124.45[.]146:9998 running Python 3.12.4 with SimpleHTTP 0.6, which exposed two binaries: 10-13-x64.bin and 10-13-x86.bin.
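The triage that an open directory like this one calls for, as an added example that is not code from the original post or from Hunt.io: parse the directory listing that Python's http.server (the SimpleHTTP banner above) emits, flag file names that follow the month-day-architecture convention the post notes below, and compare each file's SHA-256 against the two hashes the post reports. The listing and the file contents are constructed so the script runs offline; the fetch callable is a hypothetical hook that a real deployment would replace with an HTTP GET against the host.

```python
import hashlib
import re
from html.parser import HTMLParser

# SHA-256 values reported in the post for the two Rekoobe samples.
KNOWN_REKOOBE = {
    'a1c0b48199e8a47fe50c4097d86e5f43a1a1c9a9c1f7f3606ffa0d45bb4a2eb3': '10-13-x64.bin',
    '28382231cbfe3bf7827c1a874b3d7f18717020ced516b747a2a1bb7598eabe0b': '10-13-x86.bin',
}

# month-day-architecture naming convention the post observes in Rekoobe open directories.
NAMING_RE = re.compile(r'^([0-9]{1,2})-([0-9]{1,2})-(x64|x86)[.]bin$')


class _ListingParser(HTMLParser):
    '''Collects the href of every <li><a href=...> entry, which is the shape
    http.server.SimpleHTTPRequestHandler uses for a directory listing.'''

    def __init__(self):
        super().__init__()
        self.entries = []
        self._in_li = False

    def handle_starttag(self, tag, attrs):
        if tag == 'li':
            self._in_li = True
        elif tag == 'a' and self._in_li:
            href = dict(attrs).get('href')
            if href and not href.endswith('/'):   # subdirectories end in a slash
                self.entries.append(href)

    def handle_endtag(self, tag):
        if tag == 'li':
            self._in_li = False


def parse_listing(html):
    '''Return the file names listed on a SimpleHTTP index page.'''
    parser = _ListingParser()
    parser.feed(html)
    return parser.entries


def matches_naming_convention(name):
    return NAMING_RE.match(name) is not None


def triage(listing_html, fetch, known=KNOWN_REKOOBE):
    '''fetch(name) -> bytes is injected (hypothetical hook) so the example runs
    offline; in practice it would GET http://host:9998/<name>. One record per file.'''
    results = []
    for name in parse_listing(listing_html):
        digest = hashlib.sha256(fetch(name)).hexdigest()
        results.append({
            'name': name,
            'naming_match': matches_naming_convention(name),
            'sha256': digest,
            'known_as': known.get(digest),
        })
    return results


# Constructed listing in the shape Python 3.12's http.server produces
# (attribute quoting style does not matter to HTMLParser).
SAMPLE_LISTING = '''<!DOCTYPE HTML>
<html lang='en'>
<head><meta charset='utf-8'><title>Directory listing for /</title></head>
<body><h1>Directory listing for /</h1><hr>
<ul>
<li><a href='10-13-x64.bin'>10-13-x64.bin</a></li>
<li><a href='10-13-x86.bin'>10-13-x86.bin</a></li>
<li><a href='notes.txt'>notes.txt</a></li>
<li><a href='tools/'>tools/</a></li>
</ul>
<hr></body></html>'''

# Constructed stand-in contents; the real samples are not embedded here.
SAMPLE_FILES = {
    '10-13-x64.bin': b'constructed stand-in for the x64 sample',
    '10-13-x86.bin': b'constructed stand-in for the x86 sample',
    'notes.txt': b'constructed text file',
}


def demo():
    '''Run triage over the constructed listing, treating the x64 stand-in as a
    known sample by adding its hash to the watch list.'''
    known = dict(KNOWN_REKOOBE)
    known[hashlib.sha256(SAMPLE_FILES['10-13-x64.bin']).hexdigest()] = '10-13-x64.bin (constructed)'
    return triage(SAMPLE_LISTING, SAMPLE_FILES.__getitem__, known)


if __name__ == '__main__':
    for record in demo():
        print(record)
```

Two checks belong beside this in practice: the Server response header (SimpleHTTP/0.6 Python/3.12.4 for the host described here) identifies the listing software before any file is fetched, and a name that matches the convention but whose hash is unknown is exactly the case worth submitting for sandboxing, since the post notes the convention recurs across Rekoobe open directories.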
Both files were identified as Rekoobe by Hatching Triage, and their SHA-256 hashes are as follows:\r\n10-13-x64.bin: a1c0b48199e8a47fe50c4097d86e5f43a1a1c9a9c1f7f3606ffa0d45bb4a2eb3 (renamed na.elf in Triage)\r\n10-13-x86.bin: 28382231cbfe3bf7827c1a874b3d7f18717020ced516b747a2a1bb7598eabe0b\r\nhttps://hunt.io/blog/rekoobe-backdoor-discovered-in-open-directory-possibly-targeting-tradingview-users\r\nPage 1 of 8\r\nFigure 1: Open directory page for 27.124.45[.]146\r\nDuring dynamic analysis, both binaries attempted to communicate with the same IP address hosting the open directory, specifically on port 12345. The naming convention of the files, which follows a month-day-architecture format, is consistent with other Rekoobe samples we've seen in open directories.\r\nIn our analysis of na.elf, we observed behavior closely resembling that identified by AhnLab as \"NoodRAT\" and by Trend Micro as \"Noodle RAT.\" Specifically, the file changes its process name and copies itself to the /tmp/CCCCCCCC directory, from which it executes.\r\nHowever, it's important to note that this alone does not definitively confirm that the binaries in this case are NoodRAT or Noodle RAT.
The similarities in behavior could indicate the work of a copycat, but additional analysis would be required to make a conclusive attribution.\r\nFigure 2 depicts the process tree of na.elf as seen in the Hatching Triage analysis.\r\nFigure 2: Triage analysis of na.elf processes\r\nBy clicking the 'Rekoobe' tag, users can easily find additional open directories hosting Rekoobe samples, as shown in Figure 3.\r\nFigure 3: Results of clicking the Rekoobe tag to find additional open directories hosting the malware\r\nInfrastructure Analysis: TradingView Lookalike Domains and Hosting Connections\r\nDuring our investigation into the IP address hosting the two backdoor files, we discovered several domains closely mimicking the legitimate TradingView site. These domains show slight variations in spelling that are indicative of typosquatting:\r\ntradingviewlll[.]com\r\nadmin.tradingviewlll[.]com\r\ntradingviewll[.]com\r\nadmin.tradingviewll[.]com\r\nThese minor changes, such as the extra \"l\" characters in tradingviewll[.]com and tradingviewlll[.]com, could easily be missed by users, making them practical for phishing or other social engineering operations.\r\nFigure 4: Domain overview showing typosquatting domains targeting TradingView\r\nUnfortunately, we could not capture any active web pages associated with these domains, which were created earlier this year. According to the Wayback Machine, both domains returned a standard 404 Not Found Nginx response on 07 September this year.
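One way to flag lookalike registrations such as the four listed above, as an added example that is not code from the original post or from Hunt.io: fold visually confusable characters, measure edit distance between the second-level label and the brand string, and treat any label that still embeds the brand as suspect. The allowlist, the distance threshold and the naive registrable-domain split are assumptions of this example; the control domains are constructed.

```python
BRAND = 'tradingview'
LEGITIMATE = {'tradingview.com'}   # assumed allowlist; extend with the brand's real domains

# Substitutions that read alike in an address bar (single characters and digraphs).
CONFUSABLE_CHARS = str.maketrans({'1': 'l', '|': 'l', '0': 'o'})
CONFUSABLE_PAIRS = [('vv', 'w'), ('rn', 'm')]


def normalize(label):
    '''Lower-case a DNS label and fold visually confusable characters.'''
    label = label.lower().translate(CONFUSABLE_CHARS)
    for pair, repl in CONFUSABLE_PAIRS:
        label = label.replace(pair, repl)
    return label


def levenshtein(a, b):
    '''Edit distance via the classic two-row dynamic programme.'''
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain):
    '''Naive registrable domain (last two labels). Production code should use the
    Public Suffix List so that something.co.uk is not collapsed to co.uk.'''
    labels = domain.lower().strip('.').split('.')
    return '.'.join(labels[-2:])


def classify(domain, brand=BRAND, legitimate=LEGITIMATE, max_distance=2):
    '''Return (verdict, distance). Verdicts: legitimate, tld-swap, confusable,
    brand-embedded, lookalike, unrelated. Distance is measured between the
    normalized second-level label and the brand string.'''
    reg = registrable(domain)
    if reg in legitimate:
        return ('legitimate', 0)
    label = reg.split('.')[0]
    norm = normalize(label)
    dist = levenshtein(norm, brand)
    if norm == brand:
        # Same label after folding: either a different TLD or a confusable spelling.
        return ('tld-swap' if label == brand else 'confusable', dist)
    if brand in norm:
        return ('brand-embedded', dist)   # tradingviewll, tradingviewlll, tradingview-login
    if dist <= max_distance:
        return ('lookalike', dist)        # a dropped, swapped or added character
    return ('unrelated', dist)


def flag_domains(domains, **kwargs):
    '''Return only the domains worth a closer look, with their verdicts.'''
    flagged = {}
    for domain in domains:
        verdict, dist = classify(domain, **kwargs)
        if verdict not in ('legitimate', 'unrelated'):
            flagged[domain] = (verdict, dist)
    return flagged


# Domains from the post, plus two constructed controls.
SUSPECT_DOMAINS = [
    'tradingviewlll.com', 'admin.tradingviewlll.com',
    'tradingviewll.com', 'admin.tradingviewll.com',
]
CONTROL_DOMAINS = ['tradingview.com', 'example.com']

if __name__ == '__main__':
    for domain, (verdict, dist) in flag_domains(SUSPECT_DOMAINS + CONTROL_DOMAINS).items():
        print(domain, verdict, dist)
```

The brand-embedded rule matters more than the distance rule for this campaign: tradingviewlll is three edits from the brand, beyond any sane threshold, yet is the more convincing lure because the brand string is intact and the padding is easy to overlook.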
The 404 responses mean that any web page may not have been fully deployed, or that the domains have simply remained inactive.\r\nFigure 5: Wayback machine results for tradingviewll.com\r\nWhile we can't be sure these domains were used in this campaign, they represent an interesting infrastructure overlap when viewed alongside the presence of the Rekoobe backdoor. This could suggest an attempt to target financial platforms and their user base, as many of these systems rely on Linux.\r\nExpanded Network Findings\r\nContinuing our deep dive into 27.124.45[.]146, we found three IP addresses linked by shared SSH keys, suggesting a connection to our original server. This relationship was uncovered using Hunt's Associations tab, as shown in Figure 6.\r\nThe IPs include:\r\n27.124.45[.]231\r\n1.32.253[.]2\r\n27.124.45[.]211\r\nThe SSH key (fingerprint: 62497b3e96db49f4fe99db3ecf65332a69a10f9823ececabb1ce805a0e6bd5ee) shared by all three was first observed by our scanners between late July and early August and was last active on 04 October. Like the original open directory, these servers are also hosted in Hong Kong, indicating they are likely part of the same operational setup.\r\nFigure 6: The Associations tab in Hunt displays associated IPs that can be pivoted on to enhance investigations\r\nAmong the IPs identified, 27.124.45[.]211 stood out because it also hosts an open directory on the same port, running the same Python and SimpleHTTP versions and serving the same two Rekoobe-detected files as the original server ending in .146.\r\nFigure 7: Open directory contents for 27.124.45[.]211:9998\r\nClicking the button containing the three dots next to a file opens a menu of further actions, including searching by SHA-256 to identify 
other locations where the file is hosted. As shown in Figure 8, this search confirms that the two IPs, .146 and .211, are the only open directories hosting these Rekoobe samples. Interestingly, our scanners also detected the Yakit Security Tool on 27.124.45[.]211.\r\nWe previously wrote about Yakit, an all-in-one cybersecurity application that integrates tools like Nuclei and includes features such as man-in-the-middle (MiTM) interception and web fuzzing.\r\nPrimarily designed for legitimate security work by red teamers and researchers, Yakit's presence alongside Rekoobe and the typosquatting domains raises concerns about how this setup could be leveraged for malicious purposes.\r\nTaken together, these elements point to activity that merits further investigation to fully understand the potential risks involved.\r\nFigure 8: Results of SHA-256 search across all open directories for similar files\r\nConclusion\r\nIn this blog post, we explored how the discovery of the Rekoobe backdoor in an open directory revealed a broader network of potentially malicious infrastructure, lookalike domains mimicking TradingView, and additional servers linked via shared SSH keys.\r\nHunting for malware in open directories can yield valuable insights into the servers behind attack campaigns.
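The shared-SSH-key pivot used in the Expanded Network Findings section above, as an added example that is not code from the original post or from Hunt.io: compute the SHA-256 fingerprint of each scanned host key and group hosts whose fingerprints coincide. It assumes that the 64-character hex fingerprint the post quotes is the SHA-256 of the raw public-key blob, the same digest OpenSSH prints base64-encoded after SHA256:, and the scan lines and key material below are constructed (the IPs are those named in the post; the keys are invented).

```python
import base64
import hashlib
import struct
from collections import defaultdict


def ssh_string(data):
    '''Encode bytes as an SSH wire-format string: 4-byte big-endian length, then data.'''
    return struct.pack('>I', len(data)) + data


def ed25519_blob(raw32):
    '''Build the public-key blob that ssh-keyscan prints base64-encoded for ssh-ed25519.'''
    return ssh_string(b'ssh-ed25519') + ssh_string(raw32)


def fingerprint(blob_b64):
    '''SHA-256 fingerprint of a host key in both the hex form used by the scanner
    cited in the post (assumed) and the SHA256:base64 form OpenSSH prints.'''
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    openssh = 'SHA256:' + base64.b64encode(digest).decode().rstrip('=')
    return {'hex': digest.hex(), 'openssh': openssh}


def parse_keyscan(lines):
    '''Parse ssh-keyscan output: host keytype base64blob [comment]; comments are skipped.'''
    records = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        records.append((parts[0], parts[1], parts[2]))
    return records


def cluster_by_key(lines):
    '''Group hosts that present an identical host key. A cluster larger than one
    is the pivot: the hosts were very likely cloned from one image or managed together.'''
    clusters = defaultdict(set)
    for host, _keytype, blob in parse_keyscan(lines):
        clusters[fingerprint(blob)['hex']].add(host)
    return {fp: sorted(hosts) for fp, hosts in clusters.items() if len(hosts) > 1}


# Constructed keys: the raw 32-byte ed25519 values are placeholders, not real keys.
KEY_SHARED = base64.b64encode(ed25519_blob(bytes(range(32)))).decode()
KEY_OTHER = base64.b64encode(ed25519_blob(bytes(32))).decode()

# Constructed scan output; the addresses are those named in the post, the keys are invented.
SAMPLE_SCAN = [
    '# 27.124.45.146:22 SSH-2.0-OpenSSH_8.9',
    '27.124.45.146 ssh-ed25519 ' + KEY_SHARED,
    '27.124.45.211 ssh-ed25519 ' + KEY_SHARED,
    '27.124.45.231 ssh-ed25519 ' + KEY_SHARED,
    '1.32.253.2 ssh-ed25519 ' + KEY_SHARED,
    '203.0.113.10 ssh-ed25519 ' + KEY_OTHER,
]

if __name__ == '__main__':
    for fp, hosts in cluster_by_key(SAMPLE_SCAN).items():
        print(fp, hosts)
```

A shared host key is strong evidence of a shared origin, but it is not proof of one operator: cloud images that ship with a baked-in host key produce the same clustering across unrelated tenants, so a cluster should be corroborated with the other overlaps the post uses (same hosting provider, same open directory software and port, same files).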
By leveraging tools like Hunt, security teams can uncover hidden threats and expand their visibility into attacker infrastructure.\r\nNetwork Observables\r\nIP Address: 27.124.45[.]146\r\nASN: CTG Server Limited\r\nDomain(s): tradingviewlll[.]com, admin.tradingviewlll[.]com, tradingviewll[.]com, admin.tradingviewll[.]com\r\nHost Country: HK\r\nNotes: Open directory containing two (2) Rekoobe samples.\r\n\r\nIP Address: 1.32.253[.]2\r\nASN: BGPNET Global ASN\r\nDomain(s): 70332[.]club, 390698[.]ru, 953388[.]cc, 836833[.]cc, 734439[.]com, 56204[.]sx, 49246[.]sx, 94783[.]club, 963388[.]cc\r\nHost Country: HK\r\nNotes: IP seen sharing SSH keys with 27.124.45[.]146 from 2024-07-20 to 2024-10-04.\r\n\r\nIP Address: 27.124.45[.]231\r\nASN: CTG Server Limited\r\nDomain(s): N/A\r\nHost Country: HK\r\nNotes: Shared SSH keys from 2024-07-31 to 2024-10-04.\r\n\r\nIP Address: 27.124.45[.]211\r\nASN: CTG Server Limited\r\nDomain(s): N/A\r\nHost Country: HK\r\nNotes: Shared SSH keys from 2024-07-31 to 2024-10-04.\r\n\r\nFile Information\r\nFile Name: 10-13-x64.bin\r\nSHA-256: a1c0b48199e8a47fe50c4097d86e5f43a1a1c9a9c1f7f3606ffa0d45bb4a2eb3\r\nFile Name: 10-13-x86.bin\r\nSHA-256: 28382231cbfe3bf7827c1a874b3d7f18717020ced516b747a2a1bb7598eabe0b\r\nSource: https://hunt.io/blog/rekoobe-backdoor-discovered-in-open-directory-possibly-targeting-tradingview-users",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://hunt.io/blog/rekoobe-backdoor-discovered-in-open-directory-possibly-targeting-tradingview-users"
	],
	"report_names": [
		"rekoobe-backdoor-discovered-in-open-directory-possibly-targeting-tradingview-users"
	],
	"threat_actors": [
		{
			"id": "aacd5cbc-604b-4b6e-9e58-ef96c5d1a784",
			"created_at": "2023-01-06T13:46:38.953463Z",
			"updated_at": "2026-04-10T02:00:03.159523Z",
			"deleted_at": null,
			"main_name": "APT31",
			"aliases": [
				"JUDGMENT PANDA",
				"BRONZE VINEWOOD",
				"Red keres",
				"Violet Typhoon",
				"TA412"
			],
			"source_name": "MISPGALAXY:APT31",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9e6186dd-9334-4aac-9957-98f022cd3871",
			"created_at": "2022-10-25T15:50:23.357398Z",
			"updated_at": "2026-04-10T02:00:05.368552Z",
			"deleted_at": null,
			"main_name": "ZIRCONIUM",
			"aliases": [
				"APT31",
				"Violet Typhoon"
			],
			"source_name": "MITRE:ZIRCONIUM",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "74d9dada-0106-414a-8bb9-b0d527db7756",
			"created_at": "2025-08-07T02:03:24.69718Z",
			"updated_at": "2026-04-10T02:00:03.733346Z",
			"deleted_at": null,
			"main_name": "BRONZE VINEWOOD",
			"aliases": [
				"APT31 ",
				"BRONZE EXPRESS ",
				"Judgment Panda ",
				"Red Keres",
				"TA412",
				"VINEWOOD ",
				"Violet Typhoon ",
				"ZIRCONIUM "
			],
			"source_name": "Secureworks:BRONZE VINEWOOD",
			"tools": [
				"DropboxAES RAT",
				"HanaLoader",
				"Metasploit",
				"Mimikatz",
				"Reverse ICMP shell",
				"Trochilus"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "dc7ee503-9494-4fb6-a678-440c68fd31d8",
			"created_at": "2022-10-25T16:07:23.349177Z",
			"updated_at": "2026-04-10T02:00:04.552639Z",
			"deleted_at": null,
			"main_name": "APT 31",
			"aliases": [
				"APT 31",
				"Bronze Vinewood",
				"G0128",
				"Judgment Panda",
				"Red Keres",
				"RedBravo",
				"TA412",
				"Violet Typhoon",
				"Zirconium"
			],
			"source_name": "ETDA:APT 31",
			"tools": [
				"9002 RAT",
				"Agent.dhwf",
				"AngryRebel",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"GrewApacha",
				"HOMEUNIX",
				"HiKit",
				"HidraQ",
				"Homux",
				"Hydraq",
				"Kaba",
				"Korplug",
				"McRAT",
				"MdmBot",
				"Moudour",
				"Mydoor",
				"PCRat",
				"PlugX",
				"RedDelta",
				"Roarur",
				"Sakula",
				"Sakula RAT",
				"Sakurel",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"Xamtrav"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434906,
	"ts_updated_at": 1775792242,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/606cf748d0ff20f5dcf8d2770855666755a2eb25.pdf",
		"text": "https://archive.orkl.eu/606cf748d0ff20f5dcf8d2770855666755a2eb25.txt",
		"img": "https://archive.orkl.eu/606cf748d0ff20f5dcf8d2770855666755a2eb25.jpg"
	}
}