{
	"id": "211ebdad-b34b-4148-bcc7-325b4bd1f99a",
	"created_at": "2026-04-06T00:12:39.131643Z",
	"updated_at": "2026-04-10T03:27:56.108526Z",
	"deleted_at": null,
	"sha1_hash": "656eabfc6ddaa1ae17462fe5760d912e2733a724",
	"title": "RUBYCARP: A Detailed Analysis of a Sophisticated Decade-Old Botnet Group",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3268502,
	"plain_text": "RUBYCARP: A Detailed Analysis of a Sophisticated Decade-Old\r\nBotnet Group\r\nBy Sysdig Threat Research Team\r\nPublished: 2024-04-09 · Archived: 2026-04-05 15:43:41 UTC\r\nThe Sysdig Threat Research Team (Sysdig TRT) recently discovered a long-running botnet operated by a\r\nRomanian threat actor group, which we are calling RUBYCARP. Evidence suggests that this threat actor has been\r\nactive for at least 10 years. Its primary method of operation leverages a botnet deployed using a variety of public\r\nexploits and brute force attacks. This group communicates via public and private IRC networks, develops cyber\r\nweapons and targeting data, and uses its botnet for financial gain via cryptomining and phishing. This report\r\nexplores how RUBYCARP operates and its motivations.\r\nRUBYCARP, like many threat actors, is interested in payloads that enable financial gain. This includes\r\ncryptomining, DDoS, and phishing. We have seen it deploy a number of different tools to monetize its\r\ncompromised assets. For example, through its phishing operations, RUBYCARP has been seen targeting credit\r\ncards. As we have seen with other threat actors, it has a diversified set of illicit income streams.\r\nAttribution\r\nRUBYCARP, the name we have given this group, is a financially-motivated threat actor group that is most likely\r\nRomanian. RUBYCARP may be related to the Outlaw advanced persistent threat (APT), as it does share many of\r\nthe same tactics, techniques, and procedures (TTPs). However, since these shared TTPs are common across many\r\nbotnet operators, we cannot definitively make this conclusion. RUBYCARP leverages Shellbot often during its\r\noperations, which can also cause attribution confusion since this tool is a common choice among threat actors.\r\nIn the murky world of cybercriminal threat intelligence, there is often a lot of crossover in both tools and\r\ntargeting. In the recent advisory from CISA, the Androxgh0st threat actor's choice to exploit Laravel is discussed.\r\nThis is another example of cybercriminal overlap, with RUBYCARP notably targeting the same framework\r\nvulnerabilities. Many of these threat actors are fighting it out over the same target space, making it difficult to\r\nattribute attacks.\r\nWhat is RUBYCARP?\r\nFor months, Sysdig TRT has been tracking RUBYCARP through the targeting and exploitation of Laravel\r\napplications vulnerable to CVE-2021-3129. This led to evidence of SSH brute forcing as another way the group\r\ngained access to its targets. Recently, we also discovered evidence of the threat actor targeting WordPress sites\r\nusing dumps of usernames and passwords. RUBYCARP continues to add new exploitation techniques to its\r\narsenal in order to build its botnets.\r\nOnce access is obtained, a backdoor is installed based on the popular Perl Shellbot. The victim's server is then\r\nconnected to an IRC server acting as command and control, and joins the larger botnet. During RUBYCARP's\r\nreconnaissance phase, we found 39 variants of the Perl file (shellbot), but only eight were in VirusTotal. This\r\nmeans that only a few campaigns were previously detected. The variants differ from one another in the following ways:\r\nA nickname is used to join the IRC server\r\nThe channel where the victim joins is often marked by either a platform name (e.g., apache) or a member\r\nname (e.g., juice)\r\nSometimes auth is added\r\nThe IRC server\r\nCampaigns\r\nAfter connecting to the IRC server, we discovered the actual number of compromised hosts at over 600. On the\r\nother hand, if a client does not properly configure its connection to the server, RUBYCARP has a detection system that kicks\r\nout unexpected/unwanted users of the server and bans their IP to prevent new connections. It tries to keep the\r\nnetwork hidden as much as possible.\r\nThe last active domain of this botnet is chat[.]juicessh[.]pro, and we were able to obtain the information below:\r\nIt was created on Monday, May 1, 2023 at 04:30:05 UTC\r\n624 nicks [2 ops, 0 halfops, 0 voices, 622 normal]\r\nVICTIMS by channel at the moment of writing:\r\n#juscan1, 176 victims\r\n#cfs, 11 victims\r\n#php3, 34 victims\r\n#sb, 33 victims\r\nBased on naming schemes and connection configuration, the apparent group would be composed of users like\r\n\"juice,\" \"cartier,\" or \"aridan,\" but there could be more, where each one might be dedicated to a purpose,\r\ncryptomining, customized tools, etc. During our investigation, we determined that its IRC server of choice for\r\npublic and private hosting is undernet.org. The active private IRC networks are chat[.]juicessh[.]pro and\r\nsshd[.]run.\r\nThe infrastructure we discovered for RUBYCARP comprises a significant number of malicious IPs and\r\ndomains, rotated regularly and often replaced and emptied of their malicious content as soon as any potential\r\nresearch activity was detected. A full infrastructure list is available here.\r\nHow does RUBYCARP Operate?\r\nRUBYCARP uses multiple IRC networks for general communications, but also to manage its botnets and\r\ncoordinate cryptomining campaigns. An outline of its organization when managing botnets would be as follows:\r\nIn one of the logs we acquired, RUBYCARP tends to share the tools it is using, which include many of the tools\r\nwe have been able to collect through our honeypot, such as:\r\nBanner\r\nMasscan\r\nX (kernel module)\r\nbrute\r\nCommunications\r\nPrivate IRC\r\nFor managing its botnet, RUBYCARP uses a collection of private IRC servers and seems to rotate them regularly.\r\n\"Juice.baselinux.net,\" \"chat.juicessh.pro,\" and others are the latest active ones at the time of writing. Each\r\nRUBYCARP campaign gets its own IRC channel and the bots within each channel are then named according to a\r\npredefined scheme. We were able to map the observed servers and their respective channels, although,\r\nunfortunately, not all of them are still active or accessible.\r\nPublic IRC\r\nMembers\r\nMembers of RUBYCARP mainly communicate through an Undernet IRC channel called #Cristi. Public logs for\r\nthe channel show a user (and admin) \"_juice\" interacting with other members of the group in Romanian; we can\r\nalso see that the channel topic is related to previous or current campaigns, available below.\r\nWhile we monitored the chats, both actors, juice and Eugen, who own the channel #Eugen from which we\r\ncollected most of the mining setup evidence, were present in channel #Cristi.\r\nWithin the user base of the channel #Cristi, which at the time of writing contained 280 users, we identified\r\nmultiple familiar names of actors who attacked our honeypot. For example, \"Catalin\" attacked our honeypot on\r\nJan. 8, 2024 from IP 80[.]83[.]124[.]150. The following image is of the website hosted there at the time of the\r\nattack. Notice the attribution to \"Catalin\" at the bottom.\r\nAnother one is \"aridan,\" who we observed in previous attacks with the domain \"aridan.men.\"\r\nThe most recurring IRC admins we found within the Shellbot configuration files are \"juice,\" \"MUIE,\" and\r\n\"Smecher,\" who also each have their own respective channels for malicious operations. \"juice\" has been the most\r\nprolific in setting up new malicious Shellbot configurations, new servers, and new victim channels. Below is the\r\nWHOIS screenshot for the #Cristi channel members we've identified:\r\njuice_, admin\r\nSmecher, admin\r\nMUIE, admin\r\nAridan, member\r\nCatalin, member\r\nDog, developer\r\nRUBYCARP's Motivations\r\nCryptomining\r\nRUBYCARP uses its own pools for mining that are hosted on the same domains where it has created the IRC\r\nserver to control the bots. These custom mining pools allow it to avoid detection from IP-based blocklists, and the\r\nusage of common and random ports provides another layer of stealth from simple detection systems. We've also\r\ndiscovered that it has not focused on a single cryptocurrency or mining tool but, instead, has several miners and\r\nwallets with activity. All the following IoCs are related to the \"juice\" threat actor.\r\nMining Pools:\r\njuicessh[.]space:443\r\njuicessh[.]space:4430\r\njuicessh[.]space:5332\r\n91[.]208.206.118:443\r\n194[.]163.141.243:4430\r\nsshd[.]baselinux[.]net\r\nrun[.]psybnc[.]org:443\r\nKnown miners\r\nNanoMiner\r\nXMRig\r\nCryptocurrencies\r\nMonero\r\nEthereum\r\nRavencoin\r\nThe Ravencoin wallet has been particularly prolific. From a wallet checker, its total amount in USD would be over\r\n$22,800 received. The wallet has a large number of transactions associated with it and has been active since\r\nFebruary 2022, and the last available transaction was mined on March 12, 2024.\r\nThere are also several exchanges of wallet information among the members, in an attempt to show how much they\r\nhave gained from these malicious campaigns. In the excerpt below, user \"porno\" claimed to have gained\r\n0.00514903 BTC, around $360 USD, within 24 hours.\r\nC3Bash\r\nOn top of the already known miners we observed above, we also encountered a custom command-line miner set\r\nup called simply \"miner,\" which we named \"C3Bash\" due to the self-labeling we found. The script in question is\r\nsigned by \"Juice\" and it allows a potential user to set up its wallet address with a command line argument, as well\r\nas any miner of choice.\r\nOnce the user has set up its configuration, the script takes care of downloading, installing, and running the miners\r\nin the background, also alerting the user if the script gets killed by an antivirus or simply removed. It also suggests\r\nwhat the CPU usage should be compared to the host, probably to avoid detection. On a victim device, this may\r\nresult in the running of multiple miners at the same time, effectively reducing both the time it takes for the\r\nattacker to execute the malicious payload and the chances of it being detected, as the execution will now rely on a\r\nsingle script.\r\nThe script at the moment supports miners XMRig/Monero, and the script itself was hosted on a now-dead domain\r\n\"download[.]c3bash[.]org.\"\r\nPhishing\r\nWe found evidence that RUBYCARP also executes phishing operations to steal financially valuable assets, such\r\nas credit card numbers. Based on logs, it appears that it is using this to fund its infrastructure, but it is reasonable to\r\nthink RUBYCARP also uses these for other purposes, or possibly to sell.\r\nIn one of the attacks we received against our honeypot in December 2023, we identified a phishing template\r\n(letter.html) targeting Danish users and impersonating the Danish logistics company \"Bring.\"\r\nWe also discovered a PHP script, named \"ini.inc,\" used to send those phishing emails. An email.txt file was\r\nfound that contained two potentially compromised email accounts from which the attackers would send emails:\r\n\"test@lufaros[.]com\" and \"maria@cenacop[.]com.\" At the time of this writing, the domain \"lufaros[.]com\" is\r\nmarked as Malicious on VirusTotal.\r\nAnalyzing the shellbot code shows that it has specific commands to send emails, and it is likely that this is the\r\ntemplate used in the campaigns:\r\nsendraw($IRC_cur_socket, \"PRIVMSG $printl :!u sendmail \u003csubject\u003e \u003csender\u003e \u003crecipient\u003e \u003cmessage\u003e\");\r\nWe identified 36 text files containing hundreds of Danish email addresses, some of which were present in both old\r\nand recent data leaks. It is reasonable to think that the email addresses may have been the target of the phishing\r\ntemplate shown above.\r\nWithin the same data, we also identified a Zip file named \"remote_code.zip.\" Once extracted, the archive contains\r\na logo image of the European bank Nets. Within the same folder, there are also SVG files containing an \"ID\r\nCheck\" verification image and a Visa logo. More images were also found containing a mobile phone layout, as\r\nshown below, effectively emulating a Nets home banking application. These would be used to build a convincing\r\nphishing landing page.\r\nArchives\r\nArchive content\r\nFinally, we also found direct evidence of a new domain purchase. In an excerpt below, it is possible to see how the\r\nuser \"dog\"/\"cartier\" is preparing to purchase a new potential domain with stolen credit card data.\r\nThe screenshot above shows a conversation where user \"dog\" lists files which we believe it has stolen. The\r\nfilenames seem to be a clear reference to the Swedish bank Swish, and the timestamp in the filenames suggests they may\r\nhave been stolen in 2016. \"Dog\" also provided credit card information to be used, presumably, by other members.\r\nThese were printed in clear text within the channel, and have been redacted as they contained payment\r\ninformation.\r\nGiven the evidence above, it is plausible that the attackers may rely on phishing templates to collect payment\r\ninformation. It is safe to assume the phishing targets European entities, such as Swish Bank, Nets Bank, and Bring\r\nLogistics, among others.\r\nConclusion\r\nRUBYCARP is a group of Romanian threat actors who have been active for almost a decade. Attribution is always\r\ndifficult, but they are most likely Romanian and may have some crossover with the \"Outlaw APT\" group and\r\nothers who leverage the Perl Shellbot. These threat actors are also involved in the development and sale of cyber\r\nweapons, which isn't very common. They have a large arsenal of tools they have built up over the years which\r\ngives them quite a range of flexibility when conducting their operations.\r\nCommunications between threat actors haven't changed very much over the years, with IRC still being very\r\npopular. There is also a community aspect to RUBYCARP which is interesting, as they help mentor people who\r\nare new to the scene. This does provide some financial benefits to the group since it can then sell them the toolset\r\nthat it has made.\r\nWhile RUBYCARP targets known vulnerabilities and conducts brute force attacks, what makes it more dangerous\r\nis its post-exploitation tools and the breadth of its capabilities (e.g., phishing). Defending against this group\r\nrequires diligent vulnerability management, a robust security posture, and runtime threat detection.\r\nSource: https://sysdig.com/blog/rubycarp-romanian-botnet-group/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://sysdig.com/blog/rubycarp-romanian-botnet-group/"
	],
	"report_names": [
		"rubycarp-romanian-botnet-group"
	],
	"threat_actors": [
		{
			"id": "30ad968f-0645-433e-ae9a-40785fc72921",
			"created_at": "2024-04-19T02:00:03.628112Z",
			"updated_at": "2026-04-10T02:00:03.616986Z",
			"deleted_at": null,
			"main_name": "RUBYCARP",
			"aliases": [],
			"source_name": "MISPGALAXY:RUBYCARP",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434359,
	"ts_updated_at": 1775791676,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/656eabfc6ddaa1ae17462fe5760d912e2733a724.pdf",
		"text": "https://archive.orkl.eu/656eabfc6ddaa1ae17462fe5760d912e2733a724.txt",
		"img": "https://archive.orkl.eu/656eabfc6ddaa1ae17462fe5760d912e2733a724.jpg"
	}
}