{
	"id": "a251ff77-fbce-4b49-bbfa-1047b8e6c9c8",
	"created_at": "2026-04-10T03:20:53.278874Z",
	"updated_at": "2026-04-10T03:22:18.575367Z",
	"deleted_at": null,
	"sha1_hash": "6f84530b544721efb062ac5f24d3d57072a50c24",
	"title": "A New All-in-One Botnet: Proteus",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 292785,
	"plain_text": "A New All-in-One Botnet: Proteus\r\nBy Donna Wang, Jacob (Kuan Long) Leong\r\nPublished: 2016-11-28 · Archived: 2026-04-10 03:01:51 UTC\r\nIntroduction\r\nThe ART team at Fortinet has discovered a new malware named Proteus, a multifunctional botnet written in .NET that appears to be a proxy, coin miner, e-commerce merchant account checker, and keylogger. This particular botnet is downloaded by the Andromeda botnet. The handful of malicious features densely packed in this new malware also includes the ability to drop other malware. We have compiled its main features in this brief analysis.\r\nData Encryption\r\nAll C\u0026C communication is encrypted with a symmetric algorithm. All strings used in this botnet are also encrypted using the same algorithm. Part of the encrypted hostname string is shown below:\r\nFigure 1 Partial Encrypted Hostname\r\nThe decrypted hostname is http://prot{removed}twork.ml/, which is used as the C\u0026C domain.\r\nA simple decryption algorithm is provided below:\r\nFigure 2 Decryption Algorithm\r\nPreparation\r\nThe sample arrives obfuscated, drops a copy of itself in the %AppData% folder as chrome.exe, and executes the copy. It then creates a hardcoded mutex to ensure there is only one instance of itself running.\r\nhttps://www.fortinet.com/blog/threat-research/a-new-all-in-one-botnet-proteus.html\r\nPage 1 of 4\r\nFigure 3 Mutex Name\r\nIn order to register the botnet with the C\u0026C server, it sends an initial registration message with several pieces of information regarding the infected machine. The packet for registering the bot takes the format below:\r\n{\"m\":\"\u003cEncrypted MachineName\u003e\", \"o\":\"\u003cEncrypted OperationSystem\u003e\", \"v\":\"\u003cEncrypted BotVersion\u003e\"}\r\nFigure 4 Bot Registering Function\r\nThe fingerprint consists of the processor, BIOS and baseboard information of the infected machine, as shown below.\r\nFigure 5 Generating Fingerprint\r\nThe bot comes with a hardcoded default fingerprint, as shown below. However, it appears that the default fingerprint is always overwritten by the above-mentioned newly generated fingerprint, which is a unique identifier for the infected machine. The fingerprint is included in the HTTP header in the authorization field.\r\nFigure 6 Default Fingerprint\r\nMachineName is retrieved by calling the Win32 API GetComputerName, and OperatingSystem is the OS architecture, x64 or x86. The BotVersion is obtained from the assembly version that the code is executing in:\r\nFigure 7 Bot version\r\nThe C\u0026C server responds with an encrypted string that reads “successful.” Then the bot plays ping pong with the server to make sure it’s live in order to carry out the rest of its malicious actions.\r\nFigure 8 Ping Pong\r\nFeatures \u0026 Tasks\r\nProteus creates six threads for different tasks, as follows:\r\nTask | Description\r\nSocksTask | creates a socket and sets up port forwarding\r\nMiningTask | appears to use SHA256 miner for mining digital currency *\r\nEMiningTask | appears to use CPUMiner and ZCashMiner for mining digital currency *\r\nCheckerTask | validates given accounts\r\nCommandsTask | kills current process or downloads and executes an executable on request\r\nLoggerTask | sets up keylogger\r\nTable 1 Tasks and Descriptions\r\n* The bot verifies with the server during runtime to determine which miner to use for mining digital currency such as Bitcoin.\r\nFigure 9 Check Module for MiningTask\r\nFigure 10 Check Modules for EMiningTask\r\nFor SocksTask, MiningTask, EMiningTask and LoggerTask, the bot first sends a CheckModule message by providing its program fingerprint and corresponding module name to the C\u0026C server. The server then sends a command back to the bot, indicating whether or not the bot should proceed with the requested task.\r\nFor CheckerTask, the bot first requests an account from the C\u0026C server. If the server replies with an account to the bot, the bot will proceed to check the given account on some well-known e-commerce websites including eBay, Amazon, and Netflix. Some of the websites are on German (.de) domains. Similarly, for CommandsTask, the bot first requests a command from the server and then executes the command if it is valid.\r\nConclusion\r\nThe Proteus botnet has a combination of features including coin miner, proxy server, keylogger, and many more. It is also capable of downloading and executing a file. All of this in one botnet may be even more harmful than one might first think, as it could download anything and execute it on the infected host. Our team will continue to monitor this botnet family and provide more information as it comes to light.\r\nSample Information\r\nMD5: 49fd4020bf4d7bd23956ea892e6860e9\r\nSHA256: d23b4a30f6b1f083ce86ef9d8ff434056865f6973f12cb075647d013906f51a2\r\nFortinet AV Detection: MSIL/Proteus.A!tr\r\nFortinet IPS Detection: Proteus.Botnet\r\n--Advanced Research Team, Fortinet Canada\r\nSource: https://www.fortinet.com/blog/threat-research/a-new-all-in-one-botnet-proteus.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/a-new-all-in-one-botnet-proteus.html"
	],
	"report_names": [
		"a-new-all-in-one-botnet-proteus.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775791253,
	"ts_updated_at": 1775791338,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6f84530b544721efb062ac5f24d3d57072a50c24.pdf",
		"text": "https://archive.orkl.eu/6f84530b544721efb062ac5f24d3d57072a50c24.txt",
		"img": "https://archive.orkl.eu/6f84530b544721efb062ac5f24d3d57072a50c24.jpg"
	}
}