Rekoobe Backdoor Discovered in Open Directory, Possibly
Targeting TradingView Users
Published: 2024-10-24 · Archived: 2026-04-05 19:46:50 UTC
TABLE OF CONTENTS
IntroductionDiscovery of the Open Directory & MalwareInfrastructure Analysis: TradingView Lookalike
Domains and Hosting ConnectionsExpanded Network FindingsConclusionNetwork ObservablesFile Information
Introduction
Rekoobe is a versatile backdoor previously deployed by APT31, also known as Zirconium, amongst other
adversaries involved in cyber espionage and data theft. With code partially based on the publicly available Tiny
SHell, the malware has evolved to use enhanced encryption techniques and unique command-and-control
configurations to hinder analysis and evade detection.
While researching open directories, we uncovered two Rekoobe samples, prompting a deeper investigation into
the hosting IP. Upon further analysis, we discovered a handful of domains resembling TradingView, a widely used
platform for worldwide charting, trading, and sharing financial insights traders use.
These suspicious domains suggest a potential interest in targeting the site's community. By pivoting on shared
SSH keys, we identified additional infrastructure potentially linked to this campaign and another open directory.
Discovery of the Open Directory & Malware
We found an open directory at 27.124.45[.]146:9998 running Python version 3.12.4, SimpleHTTP 0.6, which
exposed two binaries: 10-13-x64.bin and 10-13x86.bin. Both files were identified as Rekoobe by Hatching Triage,
and their SHA-256 hashes are as follows:
10-13-x64.bin: a1c0b48199e8a47fe50c4097d86e5f43a1a1c9a9c1f7f3606ffa0d45bb4a2eb3 (renamed na.elf
in Triage)
10-13-x86.bin: 28382231cbfe3bf7827c1a874b3d7f18717020ced516b747a2a1bb7598eabe0b
https://hunt.io/blog/rekoobe-backdoor-discovered-in-open-directory-possibly-targeting-tradingview-users
Page 1 of 8

Figure 1: Open directory page for 27.124.45[.]146
During dynamic analysis, both binaries attempted to communicate with the same IP address hosting the open
directory, specifically targeting port 12345. The naming convention of the files, which follows a month-day-architecture format, is consistent with other Rekoobe samples we've seen in open directories.
In our analysis of na.elf, we observed behavior closely resembling that identified by AhnLab as "NoodRAT" and
Trend Micro as "Noodle RAT." Specifically, the file changes its process name and copies itself to the
/tmp/CCCCCCCC directory, where it executes from.
However, it's important to note that this alone does not definitively confirm that the binaries in this case are
NoodRAT or Noodle RAT. The similarities in behavior could indicate the work of a copycat, but additional
analysis would be required to make a conclusive attribution.
Figure 2 depicts the process tree of na.elf as seen in the Hatching Triage analysis.
https://hunt.io/blog/rekoobe-backdoor-discovered-in-open-directory-possibly-targeting-tradingview-users
Page 2 of 8

Figure 2: Triage analysis of na.elf processes
By clicking the 'Rekoobe' tag, users can easily find additional open directories hosting Rekoobe samples, as
shown in Figure 1.
Figure 3: Results of clicking the Rekoobe tag to find additional open directories hosting the malware
https://hunt.io/blog/rekoobe-backdoor-discovered-in-open-directory-possibly-targeting-tradingview-users
Page 3 of 8

Infrastructure Analysis: TradingView Lookalike Domains and Hosting
Connections
During our investigation into the IP address hosting the two backdoor files, we discovered several domains closely
mimicking the legitimate TradingView site. These domains show slight variations in spelling that are indicative of
typosquatting attacks:
tradingviewlll[.]com
admin.tradingviewlll[.]com
tradingviewll[.]com
admin.tradingviewll[.].com
These minor changes, such as the addition of an extra "I" in tradingviewll[.]com and tradingviewlll[.]com, could
easily be missed by users, making them practical for phishing or other social engineering operations.
Figure 4: Domain overview showing typosquatting domains targeting TradingView
Unfortunately, we could not capture any active web pages associated with these domains created earlier this year.
According to the Wayback Machine, both domains returned a standard 404 Not Found Nginx response on 07
September this year. This means any web page may not have been fully deployed or is in a consistently inactive
state.
https://hunt.io/blog/rekoobe-backdoor-discovered-in-open-directory-possibly-targeting-tradingview-users
Page 4 of 8

Figure 5: Wayback machine results for tradingviewll.com
While we can't be sure these domains were used in this campaign, they represent an interesting infrastructure
overlap when viewed alongside the presence of the Rekoobe backdoor. This could suggest an attempt to exploit
financial platforms and their user base, as many of these systems rely on Linux.
Expanded Network Findings
Continuing our deep dive into 27.124.45[.]146, we found three IP addresses linked by shared SSH keys,
suggesting a connection to our original server. This relationship was uncovered using the Hunt's Association tab,
as shown in Figure 6.
The IPs include:
27.124.45[.]231
1.32.253[.]2
27.124.45[.]211
The SSH key (fingerprint: 62497b3e96db49f4fe99db3ecf65332a69a10f9823ececabb1ce805a0e6bd5ee) for all
three was first observed by our scanners between late July and early August, and were last active on 04 October.
Like the original open directory, these servers are also hosted in Hong Kong, indicating they are likely part of the
same operational setup.
https://hunt.io/blog/rekoobe-backdoor-discovered-in-open-directory-possibly-targeting-tradingview-users
Page 5 of 8

Figure 6: The Associations Tab in Hunt displays associated IPs that can be pivoted to enhance investigations
Among the IPs identified, 27.124.45[.]211 stood out as it also hosts an open directory (on the same port) running
the same Python and SimpleHTTP versions and the duplicate Rekoobe-detected files as the original server ending
in .146.
Figure 7: Open directory contents for 27.124.45[.]211:9998
Clicking on the button containing the three dots next to the files opens a menu for further actions, including
searching by SHA-256 to identify other locations where the file is hosted. As shown in Figure 8, this search
confirms that the two IPs--.146 and .211--are the only servers hosting these Rekoobe samples. Interestingly, our
scanners also detected the Yakit Security Tool on 27.124.45[.]211
https://hunt.io/blog/rekoobe-backdoor-discovered-in-open-directory-possibly-targeting-tradingview-users
Page 6 of 8

We previously wrote about Yakit, an all-in-one cybersecurity application that integrates tools like Nuclei and
includes features such as man-in-the-middle (MiTM) interception and web fuzzing.
Primarily designed for legitimate security work by red teamers and researchers, Yakit's presence alongside
Rekoobe and the typosquatting domains raises concerns about how this setup could be leveraged for malicious
purposes.
Combining these elements points to activity that merits further investigation to understand the potential risks
involved fully.
Figure 8: Results of SHA-256 search across all open directories for similar files
Conclusion
In this blog post, we explored how the discovery of the Rekoobe backdoor in an open directory revealed a broader
network of potentially malicious infrastructure, lookalike domains mimicking TradingView, and additional servers
linked via shared SSH keys.
Hunting for malware in open directories can yield valuable insights into the servers behind attack campaigns. By
leveraging tools like Hunt, security teams can uncover hidden threats and expand their visibility into attacker
infrastructure.
Network Observables
IP Address ASN Domain(s)
Host
Country
Notes
27.124.45[.]146
CTG Server
Limited
tradingviewlll[.]com
admin.tradingviewlll[.]]com
tradingviewll[.]com
admin.tradingviewll[.]]com
HK
Open directory containing
two (2) Rekoobe samples.
https://hunt.io/blog/rekoobe-backdoor-discovered-in-open-directory-possibly-targeting-tradingview-users
Page 7 of 8

IP Address ASN Domain(s)
Host
Country
Notes
1.32.253[.]2
BGPNET
Global ASN
70332[.]club
390698[.]ru
953388[.]cc
836833[.]cc
734439[.]com
56204[.]sx
49246[.]sx
836833[.]cc
94783[.]club
734439[.]com
963388[.]cc
HK
IP seen sharing SSH keys
with 27.124.45[.]146 from
2024-07-20 - 2024-10-04
27.124.45[.]231
CTG Server
Limited
N/A HK
Shared SSH keys from
2024-07-31 - 2024-10-04
27.124.45[.]211
CTG Server
Limited
N/A HK
Shared SSH keys from
2024-07-31 - 2024-10-04
File Information
File Name SHA-256
10-13-x64.bin a1c0b48199e8a47fe50c4097d86e5f43a1a1c9a9c1f7f3606ffa0d45bb4a2eb3
10-13-x86.bin 28382231cbfe3bf7827c1a874b3d7f18717020ced516b747a2a1bb7598eabe0b
Source: https://hunt.io/blog/rekoobe-backdoor-discovered-in-open-directory-possibly-targeting-tradingview-users
https://hunt.io/blog/rekoobe-backdoor-discovered-in-open-directory-possibly-targeting-tradingview-users
Page 8 of 8