{
	"id": "21a36882-40b0-4068-8b21-25c34c00e498",
	"created_at": "2026-04-06T00:18:04.282414Z",
	"updated_at": "2026-04-10T03:35:34.387955Z",
	"deleted_at": null,
	"sha1_hash": "6ca99d5b175eb392cc1df42bffcdeac3dd93d336",
	"title": "Necro Python bot adds new exploits and Tezos mining to its bag of tricks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 970507,
	"plain_text": "Necro Python bot adds new exploits and Tezos mining to its bag of tricks\r\nBy Vanja Svajcer\r\nPublished: 2021-06-03 · Archived: 2026-04-05 21:44:17 UTC\r\nBy Vanja Svajcer, with contributions from Caitlin Huey and Kendall McKay.\r\nNews summary\r\nSome malware families stay static in terms of their functionality. But a newly discovered malware campaign utilizing\r\nthe Necro Python bot shows this actor is adding new functionality and improving its chances of infecting vulnerable\r\nsystems. The bot contains exploits for more than 10 different web applications and the SMB protocol.\r\nCisco Talos recently observed increased activity from the bot, first discovered in January 2021, in Cisco Secure\r\nEndpoint product telemetry, although the bot has been in development since 2015, according to its author.\r\nThis threat demonstrates several techniques of the MITRE ATT\u0026CK framework, most notably Exploit Public-Facing\r\nApplication - T1190, Scripting - T1064, PowerShell - T1059.001, Process Injection - T1055, Non-Standard Port -\r\nT1571, Remote Access Software - T1219, Input Capture - T1056, Obfuscated Files or Information - T1027 and\r\nRegistry Run Keys/Startup Folder - T1547.001.\r\nWhat's new? Although the bot was originally discovered earlier this year, the latest activity shows numerous changes\r\nto the bot, ranging from different command and control (C2) communications to the addition of new exploits for\r\nspreading, most notably vulnerabilities in VMware vSphere, SCO OpenServer, Vesta Control Panel and SMB-based\r\nexploits that were not present in the earlier iterations of the code.\r\nHow did it work? The infection starts with successful exploitation of a vulnerability in one of the targeted\r\napplications or operating systems. The bot targets Linux-based and Windows operating systems. A Java-based\r\ndownloader is also used for the initial infection stage. 
The malware uses a combination of a standalone Python\r\ninterpreter and a malicious script, as well as ELF executables created with pyinstaller.\r\nThe bot can connect to a C2 server using IRC and accepts commands related to exploitation, launching distributed denial-of-service attacks, configuration changes and RAT functionality to download and execute additional code or sniff network\r\ntraffic to exfiltrate the captured data.\r\nThe bot hides its presence on the system by installing a user-mode rootkit designed to hide the malicious process and\r\nmalicious registry entries created to ensure that the bot runs every time a user logs into the infected system.\r\nA significant part of the code is dedicated to downloading and running a Monero miner XMRig program. The bot also\r\ninjects the code to download and execute a JavaScript-based miner from an attacker-controlled server into HTML and PHP\r\nfiles on infected systems. If the user opens the infected application, a JavaScript-based Monero miner will run within their\r\nbrowser's process space.\r\nSo what? Necro Python bot shows an actor that follows the latest development in remote command execution exploits\r\non various web applications and includes the new exploits into the bot. This increases its chances of spreading and\r\ninfecting systems. Users need to make sure to regularly apply the latest security updates to all of the applications, not\r\njust operating systems.\r\nHere, we are dealing with a self-replicating, polymorphic bot that attempts to exploit server-side software for spreading. The\r\nbot is similar to others, like Mirai, in that it targets small and home office (SOHO) routers. 
However, this bot uses Python to\r\nsupport multiple platforms, rather than downloading a binary specifically compiled for the targeted system.\r\nhttps://blog.talosintelligence.com/2021/06/necro-python-bot-adds-new-tricks.html\r\nPage 1 of 13\n\nTechnical details\r\nNecro bot history and introduction\r\nCheckPoint first documented the Necro Python bot in January this year, and it was documented\r\nagain by Netlab 360 in March. Necro, also known as Necromorph and FreakOut, uses IRC for communication with\r\nits C2 server and contains functionality to spread by exploiting vulnerabilities in applications and operating systems and\r\nby brute-forcing passwords over the SSH protocol.\r\nIts main payloads are DDoS attacks, sniffing and exfiltration of network traffic using a SOCKS proxy, and installation of\r\nthe cryptocurrency mining software XMRig to mine Monero. The mining functionality also injects JavaScript code to\r\ndownload and launch a script-based Monero miner.\r\nVisibility in product telemetry\r\nWhile researching malicious activity in Cisco Secure products, we spotted a somewhat\r\nunusual command line executed on several endpoints running Immunet. Based on the path from where the command\r\nwas executed, it seemed like the parent process was a web application based on the Oracle WebLogic application\r\nserver.\r\nNecro bot download activity on a Windows system.\r\nThe code uses PowerShell functionality to download and run a statically linked standalone distribution of Python with all the\r\nmodules required to run the next file, setup.py, included.\r\nThe command is slightly different on a Linux system and uses shell commands to download and install the bot and a variant\r\nof the XMRig Monero-mining client to participate in a mining pool. The Monero miner is installed by creating a hidden\r\nshell script, .bootstrap.sh. 
The script downloads the XMRig client from the Necro download site and moves it into a hidden\r\nfolder, \".2\", with the filename \"sshd\" and launches it with the appropriate parameters.\r\nNecro activity on a Linux system as seen by Cisco Secure Endpoint.\r\nSetup.py is an obfuscated, mildly polymorphic bot that uses several methods to spread.\r\nOnce the code is opened, it's obvious that the strings are obfuscated while the variable, function and class names are\r\nrandomly generated. The obfuscation is relatively easy to remove, and we will describe Necro's polymorphic engine in more\r\ndetail later.\r\nA snippet of obfuscated Necro bot code.\r\nWhen Necro launches, it creates a mutex that prevents it from running multiple instances of the process on an infected\r\nsystem. The mutex name is \"internationalCyberWarefare\", which became \"internationalCyberWarefareV3\" in newer\r\nversions.\r\nSpreading\r\nNetwork choice\r\nThe bot spreads by randomly generating network ranges for scanning. The locally allocated network ranges starting with\r\n10, 127, 169, 172, 192, 233 and 234 are excluded from the scanning attempts. Scanning begins when the bot is launched, but it can also be executed\r\nby receiving a scanning command over IRC from the C2 server.\r\nThe bot contains a hardcoded list of TCP ports to scan. This list can be augmented by an appropriate command from the C2\r\nserver. 
The initial port list in the samples we observed was 22, 80, 443, 7001, 8080, 8081 and 8443.\r\nOnce an IP address is generated, the bot will connect to a list of ports and attempt to spread either by using a hardcoded list\r\nof SSH credentials and issuing a remote command if a login attempt is successful, or by exploiting many vulnerabilities in\r\nvarious applications and the Windows operating system (over SMB).\r\nExploitation of applications\r\nEarlier versions of Necro exploited the following vulnerabilities in web applications:\r\nLiferay - Liferay Portal - Java Unmarshalling via JSONWS RCE\r\nLaravel RCE (CVE-2021-3129)\r\nWebLogic RCE (CVE-2020-14882)\r\nTerraMaster TOS\r\nLaminas Project laminas-http before 2.14.2, and Zend Framework 3.0.0: This vulnerability is disputed but it is still\r\nincluded with the bot code in the latest variants.\r\nThe latest variants, observed on May 11 and 18, include additional exploits in their arsenal:\r\nVestaCP — VestaCP 0.9.8 - 'v_sftp_licence' Command Injection\r\nZeroShell 3.9.0 — 'cgi-bin/kerbynet' Remote Root Command Injection\r\nSCO Openserver 5.0.7 — 'outputform' Command Injection\r\nGenexis PLATINUM 4410 2.1 P4410-V2-1.28 — Remote Command Execution vulnerability\r\nOTRS 6.0.1 — Remote Command Execution vulnerability\r\nVMware vCenter — Remote Command Execution vulnerability\r\nNrdh.php remote code execution exploit for an app we could not find\r\nVesta Control Panel command injection is one of the several newly included exploits.\r\nThe version released on May 18 also included Python versions of the EternalBlue (CVE-2017-0144) and EternalRomance\r\n(CVE-2017-0147) exploits with a Windows download command line as the payload.\r\nThe addition of new exploits shows that the actor is actively developing new methods of spreading and following the latest\r\nvulnerabilities with published PoCs.\r\nIn the newest instances discovered 
on May 22, the bot improved its ability to supply credentials for SMB but excluded this\r\nfrom the main exploit function. The usernames and passwords are now kept in two separate arrays, extended to include\r\nmany other usernames and passwords. The exploitation function of this sample does not contain EternalBlue and\r\nEternalRomance but attempts to connect over SMB (port 445) and create a service remotely to download and run the main\r\nbot file.\r\nThis latest sample is a pyinstaller-generated sample but is a PE file rather than an ELF file, as was seen previously.\r\nSSH\r\nThe bot contains a list of credentials used when an SSH login is attempted. The SSH connection attempt will only be executed if the\r\nParamiko Python SSH module has previously been successfully installed. For that purpose, Necro will attempt to download and install a Python\r\nmodule version of the pip package manager, which is then used to download and install Paramiko.\r\nA hardcoded list of credentials is used for SSH brute-forcing attacks.\r\nMultiplatform awareness (Linux, Windows, Linux ELF standalone, Java-based downloader)\r\nApart from being aware of Windows and using Windows for spreading (not mining), we found a truly multi-platform Java class that can run\r\non any operating system but checks if it is running on Windows or Linux. 
The class simply downloads the Necro bot from the download\r\nserver and launches it appropriately, depending on the underlying operating system.\r\nNecro also has a Java class downloader.\r\nPersistence\r\nIf run on Windows, Necro will ensure that the bot is run when a user logs into the system or when the system is restarted by\r\nsetting the following registry values to point to the pyinstaller-created sample or to the Python stand-alone executable, which is used to run the\r\nmalicious script setup.py.\r\nHKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\System explore\r\nHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\System explore\r\nThe filename is \"$6829.exe\", which is required for the file to be hidden by the rootkit downloaded and installed by the bot. The file's\r\nattributes are set to hidden.\r\nOn Linux, the bot first changes the DNS resolver configuration to point to the Cloudflare DNS servers, 1.0.0.1 and 1.1.1.1,\r\npotentially to avoid the detection of its activity in the local DNS server logs.\r\nPersistence is ensured by modifying the /etc/rc.local script to include commands to launch the bot when the system is\r\nbooted.\r\nDetection avoidance\r\nThe author of the bot seems to be keen on making it more difficult to detect. They added a\r\npolymorphic engine that changes the script code with every iteration and a user-mode rootkit to hide the presence of\r\nmalicious files, processes and registry entries. This approach may work well against rudimentary detection methods\r\nsuch as checksum-based detection but fails when faced with modern detection engines and XDR products.\r\nPolymorphic engine\r\nPython has, by default, a built-in module that allows the developer to view the code the way it is seen by the\r\ninterpreter before it gets compiled to bytecode. 
The AST module is relatively poorly documented but generates an abstract syntax tree object\r\nfrom the source code, which allows runtime modification of the code; this is how Necro's polymorphic engine is implemented.\r\nThe engine uses the AST module to find all variables, function definitions and class definitions and builds a list of names\r\nfor each type of object in the syntax tree. The engine also implements a visitor class which gets called when AST nodes are visited.\r\nIts task is to find ASCII strings and obfuscate them using a simple XOR operation. Once obfuscated, the strings are\r\nfirst compressed using zlib and then converted into escaped strings, which can later be easily decoded in Python.\r\nUnobfuscated polymorphic engine.\r\nHere, we see the polymorphic engine as reversed, with meaningful variable names, and in the second screenshot we see the\r\nsame engine after it is obfuscated and randomized. This obfuscation method may fool simple checksum-based detection\r\nmethods, but there is still enough static code and some issues with the engine itself that allow for easy detection using simple\r\npattern matching.\r\nIdentical snippet (as above) of the polymorphic engine after obfuscation.\r\nThe polymorphic engine is run every time the Necro bot is started. It reads its own file and morphs it to create a new variant.\r\nThe engine can also be invoked from the C2 server.\r\nA variant of r77 rootkit\r\nIf the infected operating system is Windows, the bot will generate reflective DLL loading shellcode, enumerate all\r\nrunning processes and inject a user-mode rootkit DLL based on a variant of the r77 rootkit, allegedly put together by the Necro bot author.\r\nThe rootkit first checks for the presence of packet-capturing DLLs in memory to detect potential analysis environments and,\r\nif any are found, quits execution. 
Otherwise, the rootkit uses the Hacker Disassembler Engine to place hooks for the following ntdll.dll\r\nfunctions:\r\nNtUserQueryWindow — Prevent hidden process window enumeration\r\nNtUserGetForegroundWindow — Prevent hidden process window enumeration, same as the previous hook\r\nNtOpenProcess — Deny access to the hidden process by process handle\r\nNtQuerySystemInformation — Prevent process enumeration and hidden process handle access\r\nNtQueryDirectoryFile — Hide process module on disk\r\nNtEnumerateValueKey — Hide registry values protected by the rootkit\r\nNtDeleteValueKey — Prevent deletion of registry values protected by the rootkit\r\nThe default string in the rootkit\r\nsource code for matching the process, file and registry value names for hiding is \"$6829\", and this is not changed in\r\nthe binary versions of the rootkit DLL used by Necro.\r\nMining\r\nXmrig\r\nApart from conducting DDoS attacks, the main function of the bot is to install cryptocurrency mining software in order to mine\r\nMonero cryptocurrency. 
This is done either by installing a variant of the XMRig miner or by injecting JavaScript code that downloads a\r\nJavaScript-based miner into script-based files.\r\nThe address used as a username for the supportxmr.com mining pool is\r\n45iHeQwQaunWXryL9YZ2egJxKvWBtWQUE4PKitu1VwYNUqkhHt6nyCTQb2dbvDRqDPXveNq94DG9uTndKcWLYNoG2uonh\r\nwhich has also been used by some other malware samples, predominantly developed as AutoIt-compiled scripts\r\nsubmitted to VirusTotal throughout 2020.\r\nThe functionality to download XMRig and infect files is only available on Linux-based infected systems and not on\r\nWindows.\r\nInfecting script files\r\nIf the operating system is not Windows, Necro will traverse the file system to find any files with .htm, .html, .php or .js\r\nextensions and add code to download and run a miner loader from an attacker-controlled host.\r\nNecro attempts to inject its code into .htm, .html, .js and .php files.\r\nThe injected code is randomized and the loaded script is heavily obfuscated. Once deobfuscated, the strings reveal the final\r\nlocation of the mining payload, which is\r\nhxxps://cloud-miner[.]de/tkefrep/tkefrep[.]js?tkefrep=bs?nosaj=faster.xmr2. The attacker-controlled server hosting the miner\r\nloader, as well as the C2 for the JavaScript portion of the bot, is hxxps://ublock-referer[.]dev/. 
This server also hosts the main\r\nloader campaign.js, referenced in the infection code.\r\nNecro injects randomized code to be served by web-serving applications on the infected server.\r\nApart from installing miner code, the JavaScript-based bot contains additional functionality to accept commands from the\r\nC2 server, and it may be used to steal data from the clipboard, log keystrokes and launch DoS attacks on the target\r\nspecified by the C2 server.\r\nNecro bot commands and functionality\r\nCommunication servers\r\nThe bot uses different servers for different functionality; most of the servers are accessed through Tor proxies,\r\napart from the first download and install server.\r\nThe other servers are used for IRC C2 communication, for configuration purposes and for exfiltration of data collected by\r\nthe TCP sniffer that sniffs traffic proxied through the bot's SOCKS5 proxy.\r\nDNS request activity for the Necro download server\r\nbp65pce2vsk7wpvy2fyehel25ovw4v7nve3lknwzta7gtiuy6jm7l4yd.onion.ws as seen on Cisco Umbrella.\r\nDDoS\r\nThe bot will accept the following DDoS-related commands and attempt to launch a DoS attack against the target specified by the bot\r\nmaster:\r\nUdpflood — Launch a UDP flood-based attack\r\nSynflood — Launch a SYN packet-based flooding attack\r\nTcpflood — Launch an attack using TCP for flooding the target\r\nSlowloris — Launch a Slowloris attack\r\nHttpflood — Launch an HTTP flooder using a randomly chosen user-agent string from a hardcoded list\r\nLoadamp — Download content for reflection in amplification attacks\r\nReflect — Launch an amplification attack using DNS, NTP, SNMP or SSDP reflection\r\nSome earlier Necro variants\r\ncontained slightly different syntax for commands used in IRC communications.\r\nSniffer command\r\nThe bot contains a sniffer that uses the socks module to proxy the captured traffic to the exfiltration data server. 
The sniffer\r\ncaptures the IP version, protocol, source and destination addresses, source and destination ports and the packet payload data. The command\r\nfor pausing and resuming sniffing is:\r\nSniffer (resume) — If the command contains the parameter resume, resume sniffing; otherwise, pause.\r\nExploitation commands\r\nThe exploitation commands are primarily used for spreading the bot when it's executed without any parameters. The\r\nspreading command can also be sent from the C2 server:\r\nScanner — Start or stop network scanning\r\nScannetrange — Supply a network as a parameter and use it as the scan range for exploitation\r\nScanstats — Send information about the number of scanned and successfully infected endpoints\r\nClearscan — Clear the status data for the bot\r\nBackdoor commands\r\nThe bot also contains functionality to execute the following remote access trojan (RAT)-related commands:\r\nRevshell — Launch a reverse shell and connect it to the listener set up by the attacker on Linux-based operating\r\nsystems\r\nShell — Launch a process using the process.popen() function\r\nDownload — Download a file from a supplied URL\r\nExecute — Download a file, then execute the downloaded file\r\nUpdate — Update with a new bot version\r\nVisit — Visit a supplied URL\r\nDlexe — Download and execute a file\r\nKillbypid — Terminate a process with a supplied process ID\r\nConfiguration commands\r\nConfiguration commands change the configuration of the bot, such as the list of ports used\r\nin scanning for vulnerable systems:\r\nAddport — Add a TCP port to the list of ports to connect to\r\nDelport — Remove a TCP port from the list of ports to connect to\r\nKillknight — Terminate the bot process\r\nDisable — Disable the exploitation module\r\nEnable — Enable the exploitation module\r\nGetip — Get the external IP address of the bot\r\nRam — Get 
the RAM capacity of the infected system\r\nInfo — Get information about the infected system\r\nRepack — Call the polymorphic engine to morph the bot script file\r\nAdditional activity observed earlier - Tezos mining and installing ransomware\r\nApart from its usual activity of mining for Monero, we have\r\nalso observed in our honeypots attempts to mine Tezos while installing a Linux-based variant. This variant also used a different download\r\nserver, which had not been used previously: can6dodp[.]servepics[.]com.\r\nTezos (XTZ) mining was observed in Talos honeypots.\r\nIn a few samples we observed in our honeypot telemetry, after the mining payload is downloaded and executed using bash,\r\nwe identified mining commands that referenced a Tezos (XTZ) wallet, tz1NfDViBuZwi31WHwmJ4PtSsVtNX2yLnhG7.\r\nWhile this activity was minimal and occurred in a very short timeframe starting on May 9, it represents a newer update to\r\nthe botnet's mining capabilities.\r\nOn February 4, 2021, Talos observed PowerShell download activity in our endpoint telemetry from\r\nhxxp[:]//193[.]239[.]147[.]224/crytp.exe. Once downloaded, the AutoIT-compiled executable file crytp.exe makes HTTP\r\nGET requests to several other URLs as it attempts to download additional malware onto the compromised machine. The\r\ndownload URLs host two DLL rootkit files, x86.dll and x64.dll, as well as two executables, bigRANSOM.exe and x64i.exe.\r\nbigRANSOM.exe is another AutoIT-based file and may have been an attempt by the Necro actor to distribute ransomware.\r\nThe ransomware was possibly developed by the actor or a member of the group. AutoIT has been used as one of the main\r\ntools in the creation of miners using the same wallet address as the Python-based Necro bot. 
Although we have seen an attempt\r\nto distribute ransomware only once, this example points to an actor constantly experimenting with new payloads.\r\nSummary\r\nHigh-level overview of the Necro bot and its functionality.\r\nThe bot's activity increased at the beginning of May with additional exploits added to its arsenal. The core functionality\r\nremained the same, with IRC used for communication with the C2 server and commands designed for launching DDoS attacks,\r\nbackdoor commands and commands for stealing and exfiltrating data.\r\nThe actor's main focus is Monero mining, which is executed by installing a variant of XMRig and by injecting code into\r\nHTML and script files to include a JavaScript miner and additional bot functionality for controlling and stealing information\r\nfrom participating browsers.\r\nNecro bot shows an actor that follows the latest developments in remote command execution exploits on various web\r\napplications and includes the new exploits in the bot. This increases its chances of spreading and affecting systems. Users\r\nneed to make sure to regularly apply the latest security updates to all applications, not just operating systems, and\r\nmonitor logs for signs of infection.\r\nCoverage\r\nWays our customers can detect and block this threat are listed below.\r\nCisco Secure Endpoint is ideally suited to prevent the execution of the malware detailed in this post. 
New users can try\r\nCisco Secure Endpoint for free here.\r\nCisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.\r\nCisco Secure Firewall and Meraki MX can detect malicious activity associated with this threat.\r\nCisco Secure Malware Analytics helps identify malicious binaries and build protection into all Cisco Security products.\r\nCisco Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs,\r\nwhether users are on or off the corporate network.\r\nAdditional protections with context to your specific environment and threat data are available from the Cisco Secure\r\nFirewall Management Center.\r\nOpen Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for\r\npurchase on Snort.org.\r\nThe following SIDs have been released to detect this threat: 57693-57717.\r\nThe following ClamAV signatures have been released to detect this threat as well as tools and malware related to these\r\ncampaigns:\r\nPy.Trojan.NecroBot-9868091-0\r\nHtml.Trojan.NecroBot-9868092-1\r\nJs.Trojan.NecroBot-9868093-0\r\nJava.Trojan.NecroBot-9868094-0\r\nWin.Trojan.NecroBot-9868095-0\r\nWin.Trojan.NecroBot-9868096-0\r\nUnix.Trojan.NecroBot-9868097-0\r\nUnix.Trojan.NecroBot-9868098-0\r\nUnix.Trojan.NecroBot-9868099-0\r\nWin.Trojan.NecroBot-9868100-0\r\nWin.Trojan.NecroBot-9868102-0\r\nCisco Secure Endpoint (AMP) users can use Orbital Advanced Search to run\r\ncomplex OSqueries to see if their endpoints are infected with this specific threat. 
For specific OSqueries on this\r\nthreat, click here and here.\r\nIOCs\r\nMutexes\r\ninternationalCyberWarefareV3\r\ninternationalCyberWarefare\r\nExfiltration server\r\no4hlcckwlbcy7qhhohqswpqla6wx7c5xmsvk3k4rohknng4nofvgz5id[.]onion - ports 5870 and 587\r\nConfiguration servers\r\np2l44qilgm433bad5gbszb4mluxuejwkjaaon767m5dzuuc7mjqhcead[.]onion - port 42066\r\nq2p4b6pprex5mvzxm2xdqgo4q3hy2p4if2ljq7fcoavxvab7mpk232id[.]onion - port 52566\r\nC2 server\r\n3og7wipgh3ruavi7gd6y3uzhcurazasln55hb6hboiavyk6pugkcdpqd[.]onion - port 6697\r\nDownload servers\r\nbp65pce2vsk7wpvy2fyehel25ovw4v7nve3lknwzta7gtiuy6jm7l4yd[.]onion[.]ws\r\ncan6dodp[.]servepics[.]com\r\nJavaScript-related servers\r\nublock-referer[.]dev - JavaScript bot loader and C2 for JavaScript-related functionality\r\nhxxps://cloud-miner[.]de/tkefrep/tkefrep[.]js?tkefrep=bs?nosaj=faster.xmr2 - URL for the (legitimate) JavaScript-based miner\r\nMining pool details\r\npool[.]supportxmr[.]com - 45iHeQwQaunWXryL9YZ2egJxKvWBtWQUE4PKitu1VwYNUqkhHt6nyCTQb2dbvDRqDPXveNq94DG9uTndKcWLYNoG2uonhgH\r\nrx[.]unmineable[.]com - XTZ:tz1NfDViBuZwi31WHwmJ4PtSsVtNX2yLnhG7\r\nURLs\r\nhxxp[:]//can6dodp[.]servepics[.]com/setup.py\r\nhxxp[:]//can6dodp[.]servepics[.]com/setup\r\nhxxp[:]//can6dodp[.]servepics[.]com/py.exe\r\nhxxp[:]//can6dodp[.]servepics[.]com/xmrig\r\nhxxp[:]//can6dodp[.]servepics[.]com/xmrig1\r\nhxxp[:]//ngiwge486ln9daoo[.]hopto[.]org/setup.py\r\nhxxp[:]//ngiwge486ln9daoo[.]hopto[.]org/py.exe\r\nhxxp[:]//bp65pce2vsk7wpvy2fyehel25ovw4v7nve3lknwzta7gtiuy6jm7l4yd[.]onion[.]ws/setup.py\r\nhxxp[:]//bp65pce2vsk7wpvy2fyehel25ovw4v7nve3lknwzta7gtiuy6jm7l4yd[.]onion[.]ws/py.exe\r\nSamples\r\nc3fe8058ab46bd21d22f920960caae1f3b22a7aeba8d5315fb62461f4e989a7d - May 18 setup.py\r\n8797ce228b32d890773d5dbac71cefa505b788cc8b25929be9832db422d8239b - May 11 setup.py\r\nbc2126c03f2242013f58b43eb91351fba15d300385252423c52a5b18ece6a54f - setup.py\r\n97ab2092f6b5b1986536a5ba45e487f19c97f52544ff494d43bb1baf31248924 - 
setup.py\r\nc3fe8058ab46bd21d22f920960caae1f3b22a7aeba8d5315fb62461f4e989a7d - setup.py\r\n8130717a3d4053e2924a0393086511a41fc7777c045b45bb4f569bcbe69af8be - setup.py\r\nd65e874b247dda9845661734d9e74b921f700983fd46c3626a3197f08a3006bf - setup.py\r\n19c25ce4302050aec3c921dd5cac546e8200a7e951d570b52fe344c421105ea8 - PE pyinstaller, May 22\r\n606258f10519be325c39900504e50d79e551c7a9399efb9b22a7323da3f6aa7a - PE pyinstaller\r\n2b77b93b8e1b8ef8650957d15aaf336cf70a7df184da060f86b9892c54eefb65 - ELF pyinstaller\r\neb8b08e13aba16bd5f0d7c330493be82941210d3a6aa4856858df770f77b747d - ELF pyinstaller\r\n80659cc37cb7fb831866f7d7b0043edc6918a99590bd9122815e18abb68daa35 - ELF pyinstaller\r\n19269ce9a0a44aca9d6b2deed7de71cf576ac611787c2af46819ca2aff44ce2a - 64-bit rootkit DLL\r\na8bb386fa3a6791e72f5ec6f1dc26359b00d0ee8cb0ce866f452b7fff6dbb319 - x86 rootkit DLL\r\nd58c3694832812bc168834e2b8b3bfcb92f85a9d4523140ad010497baabc2c3d - Java class downloader\r\ne884bd4015d1b97227074bcf6cb9e8134b7afcfb6a3db758ca4654088403430a - campaign.js loader\r\nd6403b9c069f08939fc2f9669dc7d5165ed66a1cae07788c3b27fffb30e890a0 - injected/infected HTML file\r\n9d6171cf28b5a3572587140ef483739a185895ce2b5af3246a78c2c39beed7b8 - earlier ransomware downloader\r\nLegitimate files\r\n9ac075ee8e97c06feaa2e9e46e9e27bfbf69337fb3be9fd3f9478be0e06a6db5 - legitimate JavaScript miner downloaded by the\r\nNecro JavaScript component\r\nSource: https://blog.talosintelligence.com/2021/06/necro-python-bot-adds-new-tricks.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.talosintelligence.com/2021/06/necro-python-bot-adds-new-tricks.html"
	],
	"report_names": [
		"necro-python-bot-adds-new-tricks.html"
	],
	"threat_actors": [
		{
			"id": "7d8ef10e-1d7b-49a0-ab6e-f1dae465a1a4",
			"created_at": "2023-01-06T13:46:38.595679Z",
			"updated_at": "2026-04-10T02:00:03.033762Z",
			"deleted_at": null,
			"main_name": "PLATINUM",
			"aliases": [
				"TwoForOne",
				"G0068",
				"ATK33"
			],
			"source_name": "MISPGALAXY:PLATINUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e61c46f7-88a1-421a-9fed-0cfe2eeb820a",
			"created_at": "2022-10-25T16:07:24.061767Z",
			"updated_at": "2026-04-10T02:00:04.854503Z",
			"deleted_at": null,
			"main_name": "Platinum",
			"aliases": [
				"ATK 33",
				"G0068",
				"Operation EasternRoppels",
				"TwoForOne"
			],
			"source_name": "ETDA:Platinum",
			"tools": [
				"AMTsol",
				"Adupib",
				"Adupihan",
				"Dipsind",
				"DvDupdate.dll",
				"JPIN",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"RedPepper",
				"RedSalt",
				"Titanium",
				"adbupd",
				"psinstrc.ps1"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "33f527a5-a5da-496a-a48c-7807cc858c3e",
			"created_at": "2022-10-25T15:50:23.803657Z",
			"updated_at": "2026-04-10T02:00:05.333523Z",
			"deleted_at": null,
			"main_name": "PLATINUM",
			"aliases": [
				"PLATINUM"
			],
			"source_name": "MITRE:PLATINUM",
			"tools": [
				"JPIN",
				"Dipsind",
				"adbupd"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434684,
	"ts_updated_at": 1775792134,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6ca99d5b175eb392cc1df42bffcdeac3dd93d336.pdf",
		"text": "https://archive.orkl.eu/6ca99d5b175eb392cc1df42bffcdeac3dd93d336.txt",
		"img": "https://archive.orkl.eu/6ca99d5b175eb392cc1df42bffcdeac3dd93d336.jpg"
	}
}