{
	"id": "0573b4a9-ace0-4d7b-8774-c40085566cc5",
	"created_at": "2026-04-06T00:17:57.368806Z",
	"updated_at": "2026-04-10T13:11:30.879735Z",
	"deleted_at": null,
	"sha1_hash": "72c966022889970f1f484508b552fbcace17a679",
	"title": "Study of the Belonard Trojan, exploiting zero-day vulnerabilities in Counter-Strike 1.6",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 376177,
	"plain_text": "Study of the Belonard Trojan, exploiting zero-day vulnerabilities in\r\nCounter-Strike 1.6\r\nPublished: 2019-03-11 · Archived: 2026-04-05 14:30:27 UTC\r\nMarch 11, 2019\r\nIntroduction\r\nThe game Counter-Strike 1.6 was released by Valve Corporation back in 2000. Despite its rather considerable age,\r\nit still has a large fan base. The number of players using official CS 1.6 clients reaches an average of 20,000\r\npeople online, while the overall number of game servers registered on Steam exceeds 5,000. Selling, renting, and\r\npromoting game servers is now deemed an actual business, and these services can be purchased on various\r\nwebsites. For example, raising a server’s rank for a week costs about 200 rubles, which is not much, but a large\r\nnumber of buyers make this strategy a rather successful business model.\r\nMany owners of popular game servers also raise money from players by selling various privileges such as\r\nprotection against bans, access to weapons, etc. Some server owners advertise themselves independently, while\r\nothers purchase server promotion services from contractors. Having paid for a service, customers often remain\r\noblivious as to how exactly their servers are advertised. As it turned out, the developer nicknamed, “Belonard”,\r\nresorted to illegal means of promotion. His server infected the devices of players with a Trojan and used their\r\naccounts to promote other game servers.\r\nThe owner of the malicious server uses the vulnerabilities of the game client and a newly written Trojan as a\r\ntechnical foundation for their business. The Trojan is to infect players’ devices and download malware to secure\r\nthe Trojan in the system and distribute it to devices of other players. 
For that, they exploit Remote Code Execution\r\n(RCE) vulnerabilities, two of which have been found in the official game client and four in the pirated one.\r\nOnce set up in the system, Trojan.Belonard replaces the list of available game servers in the game client and\r\ncreates proxies on the infected computer to spread the Trojan. As a rule, proxy servers show a lower ping, so other\r\nplayers will see them at the top of the list. By selecting one of them, a player gets redirected to a malicious server\r\nwhere their computer becomes infected with Trojan.Belonard.\r\nUsing this pattern, the developer of the Trojan managed to create a botnet that makes up a considerable part of the\r\nCS 1.6 game servers. According to our analysts, out of some 5,000 servers available from the official Steam client,\r\n1,951 were created by the Belonard Trojan. This is 39% of all game servers. A network of this scale allowed the\r\nTrojan’s developer to promote other servers for money, adding them to lists of available servers in infected game\r\nclients.\r\nWe previously reported a similar incident with CS 1.6, where a Trojan could infect a player’s device via a\r\nmalicious server. However, a user then had to approve the download of malicious files, while this time, a Trojan\r\nattacks devices unnoticed by the users. Doctor Web has informed Valve about these and other vulnerabilities of\r\nthe game, but as of now, there is no data on when the vulnerabilities will be fixed.\r\nhttps://news.drweb.com/show/?i=13135\u0026c=23\u0026lng=en\u0026p=0\r\nPage 1 of 12\n\nInfection of a client\r\nTrojan.Belonard consists of 11 components and operates under different scenarios, depending on the game client.\r\nIf the official client is used, the Trojan infects the device using an RCE vulnerability, exploited by the malicious\r\nserver, and then establishes itself in the system. A clean pirated client is infected the same way. 
If a user downloads an\r\ninfected client from the website of the owner of the malicious server, the Trojan’s persistence in the system is\r\nensured after the first launch of the game.\r\nLet us touch upon the process of infecting a client in more detail. A player launches the official Steam client and\r\nselects a game server. When the client connects to a malicious server, the server exploits an RCE vulnerability, uploading one of\r\nthe malicious libraries to the victim’s device. Depending on the type of vulnerability, one of two libraries will be\r\ndownloaded and executed: client.dll (Trojan.Belonard.1) or Mssv24.asi (Trojan.Belonard.5).\r\nOnce on the victim’s device, Trojan.Belonard.1 deletes any .dat files that are in the same directory as the library\r\nprocess file. After that, the malicious library connects to the command and control server, fuztxhus.valve-ms[.]ru:28445, and sends it an encrypted request to download the file Mp3enc.asi (Trojan.Belonard.2). The server\r\nthen sends the encrypted file in response.\r\nThis is a screenshot of a decrypted data packet from the server:\r\nInstallation into the client\r\nInfection of the official or pirated client is performed using a specific feature of the Counter-Strike client. When\r\nlaunched, the game automatically loads any ASI files from the game root.\r\nThe client downloaded from the website of the Trojan’s developer is already infected with Trojan.Belonard.10 (the\r\nfile name is Mssv36.asi), but the Trojan installs itself in the system differently than in clean versions of game clients.\r\nAfter installation of an infected client, Trojan.Belonard.10 checks for one of its components in the user's OS. If\r\nthere is none, it drops the component from its body and loads Trojan.Belonard.5 (the file name is\r\nMssv24.asi) into its process memory. 
Like many other modules, Trojan.Belonard.10 changes the date and time of\r\ncreation, modification, or access to the file, so that the Trojan’s files cannot be found by sorting the contents of the\r\nfolder by creation date.\r\nAfter installing a new component, Trojan.Belonard.10 remains in the system and acts as a protector of the client. It\r\nfilters requests, files, and commands received from other game servers and transfers data about attempted changes\r\nto the client to the Trojan developer’s server.\r\nTrojan.Belonard.5 receives information about the running process and the paths to the module in DllMain. If the\r\nprocess name is not rundll32.exe, it starts a separate thread for subsequent actions. In the running thread,\r\nTrojan.Belonard.5 creates the key [HKCU\\\\SOFTWARE\\\\Microsoft\\\\Windows\r\nNT\\\\CurrentVersion\\\\AppCompatFlags\\\\Layers] '\u003cpath to the executable file process\u003e', assigns it the value\r\n“RUNASADMIN”, and checks the module name. If it is not “Mssv24.asi”, it copies itself to the “Mssv24.asi”\r\nmodule, deletes the version with a different name, and launches Trojan.Belonard.3 (the file name is Mssv16.asi).\r\nIf the name matches, it immediately downloads and launches the Trojan.\r\nEmbedment in a clean client is performed by Trojan.Belonard.2. After download, it checks in DllMain the name of\r\nthe process in which client.dll (Trojan.Belonard.1) is loaded. If it is not rundll32.exe, it creates a thread with the\r\nkey [HKCU\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\Layers] '\u003cpath to the\r\nexecutable file process\u003e', and assigns it the value “RUNASADMIN”. After that, it collects data about the user’s\r\ndevice and extracts information from the DialogGamePage.res file. 
Then it sends the collected data to the server\r\nof the Trojan developer in an encrypted format.\r\nCollected system data structure:\r\nIn response, the server sends the Mssv16.asi file (Trojan.Belonard.3). Meta-information about the new module is\r\nsaved in the file DialogGamePage.res, while Trojan.Belonard.5 is removed from the user’s device.\r\nInstallation in the system\r\nThe process of ensuring persistence in the system starts with Trojan.Belonard.3. Once on the device, it removes\r\nTrojan.Belonard.5 and checks the process in whose context it runs. If it is not rundll32.exe, it saves two\r\nother Trojans to %WINDIR%\\System32\\: Trojan.Belonard.7 (the file name is WinDHCP.dll) and\r\nTrojan.Belonard.6 (davapi.dll). At the same time, unlike Trojan.Belonard.5, the seventh and sixth ones are stored\r\nwithin the Trojan in a disassembled form. The bodies of these two Trojans are divided into blocks of 0xFFFC\r\nbytes (the last block may be smaller). When saving them to disk, the Trojan assembles the blocks together to obtain\r\nworking files.\r\nHaving assembled the Trojans, Trojan.Belonard.3 creates a WinDHCP service to run WinDHCP.dll\n(Trojan.Belonard.7) in the context of svchost.exe. Depending on language settings, the OS uses texts in Russian or\nEnglish to set service parameters.\nWinDHCP service parameters:\nService name: “Windows DHCP Service” or “Служба Windows DHCP”;\nDescription: “Windows Dynamic Host Configuration Protocol Service” or “Служба протокола\nдинамической настройки узла Windows”;\nThe ImagePath parameter is specified as “%SystemRoot%\\System32\\svchost.exe -k netsvcs”, while\nServiceDll specifies the path to the Trojan library.\nAfter that, Trojan.Belonard.3 regularly checks if the WinDHCP service is running. 
If it is not running, it reinstalls\nthe service.\nTrojan.Belonard.7 is WinDHCP.dll with a ServiceMain exported function, installed on the infected device by an\nautorun service. Its purpose is to check the “Tag” parameter in the registry of the key\n“HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\WinDHCP”. If it is set to 0, Trojan.Belonard.7 loads the\ndavapi.dll library (Trojan.Belonard.6) and calls its exported function, passing a pointer to a SERVICE_STATUS as\nan argument, which reflects the status of the WinDHCP service. Then it waits for 1 second and checks the “Tag”\nparameter once more. If the value does not match 0, Trojan.Belonard.7 loads the spwinres.dll library\n(Trojan.Belonard.4), which is an older version of Trojan.Belonard.6. After that, it calls spwinres.dll’s exported\nfunction, passing a pointer to a SERVICE_STATUS as an argument, which reflects the status of the WinDHCP\nservice.\nThe Trojan repeats these actions every second.\nWinDHCP service parameters from our customer’s report:\n\nValue=\"f0dd5c3aeda155767042fa9f58ade24681af5fbd45d5df9f55a759bd65bc0b7e\" /\u003e\nBefore the startup of all functions, Trojan.Belonard.6 checks the “Tag” and “Data” parameters in the WinDHCP\nservice registry. The “Data” parameter must contain an array of bytes used to generate the AES key. If there is\nnone, the Trojan uses the openssl library to generate 32 random bytes, which will later be used to generate the\nencryption key. After that, the Trojan reads the “Info” and “Scheme” parameters of the WinDHCP service. In\n“Scheme”, the Trojan stores 4 parameters, encrypted with AES. “Info” stores the SHA256 hash of the list of\ninstalled programs.\nHaving collected this data, Trojan.Belonard.6 decrypts the address of the C\u0026C server — oihcyenw.valve-ms[.]ru\n— and tries to establish a connection. 
If it fails, the Trojan uses DGA to generate domains in the .ru zone.\nHowever, an error in the domain generation code prevents the algorithm from creating the domains intended for\nthe Trojan developer.\nAfter sending the encrypted information, the Trojan receives a response from the server, decrypts it and saves the\ntransferred files to %WINDIR%\\System32\\. This data contains the Trojans wmcodecs.dll (Trojan.Belonard.8) and\nssdp32.dll (Trojan.Belonard.9).\nApart from the above functions, Trojan.Belonard.6 also triggers the following actions at random intervals:\nSearch for running Counter-Strike clients;\nLaunch of Trojan.Belonard.9;\nConnecting to the developer’s server.\nThe intervals can be changed on command from the C\u0026C server.\nPayload and distribution\nBelonard also installs itself in new game clients found on the device. This is performed by Trojan.Belonard.8 and\nTrojan.Belonard.6.\nTrojan.Belonard.8 initializes a container with data about Counter-Strike 1.6 client file names and their SHA256\nhashes. Trojan.Belonard.6 starts to search for installed game clients. If the Trojan finds a running client, it checks\nthe list of files and their SHA256 hashes against the data received from Trojan.Belonard.8. If it does not match,\nTrojan.Belonard.8 ends the clean client process, and then drops the file hl.exe to the game directory. This file is\nonly needed to display the following error message upon loading the game: “Could not load game. Please try again\nat a later time.” This allows the Trojan to gain time for replacing the files of the client. 
When it is done, the Trojan\nreplaces hl.exe with a working file and the game starts without an error.\nThe Trojan deletes the following client files:\n\u003cpath\u003e\\\\valve\\\\dlls\\\\*\r\n\u003cpath\u003e\\\\cstrike\\\\dlls\\\\*\r\n\u003cpath\u003e\\\\valve\\\\cl_dlls\\\\*\r\n\u003cpath\u003e\\\\cstrike\\\\cl_dlls\\\\*\r\n\u003cpath\u003e\\\\cstrike\\\\resource\\\\*.res\r\n\u003cpath\u003e\\\\valve\\\\resource\\\\*.res\r\n\u003cpath\u003e\\\\valve\\\\motd.txt\r\n\u003cpath\u003e\\\\cstrike\\\\resource\\\\gameui_english.txt\r\n\u003cpath\u003e\\\\cstrike\\\\resource\\\\icon_steam.tga\r\n\u003cpath\u003e\\\\valve\\\\resource\\\\icon_steam.tga\r\n\u003cpath\u003e\\\\cstrike\\\\resource\\\\icon_steam_disabled.tga\r\n\u003cpath\u003e\\\\valve\\\\resource\\\\icon_steam_disabled.tga\r\n\u003cpath\u003e\\\\cstrike\\\\sound\\\\weapons\\\\fiveseven_reload_clipin_sliderelease.dll\r\n\u003cpath\u003e\\\\cstrike_russian\\\\sound\\\\weapons\\\\fiveseven_reload_clipin_sliderelease.dll\r\n\u003cpath\u003e\\\\cstrike_romanian\\\\sound\\\\weapons\\\\fiveseven_reload_clipin_sliderelease.dll\r\nDepending on the OS language settings, the Trojan downloads English or Russian game menu files.\r\nModifications to the game client contain files of Trojan.Belonard.10, as well as an advertisement of the Trojan\r\ndeveloper’s websites. When a player starts the game, their nickname will change to the address of the website\r\nwhere an infected game client can be downloaded, while the game menu will show a link to the VKontakte CS 1.6\r\ncommunity with more than 11,500 subscribers.\r\nThe Trojan’s payload is to emulate a number of fake game servers on the user’s device. 
To do this, the Trojan\r\ntransfers information about the game client to the developer’s server and receives encrypted parameters for\r\ncreating fake servers in response.\r\nTrojan.Belonard.9 creates proxy game servers and registers them with the Steam API. Game server ports are\r\ndefined sequentially from the lowest value of game_srv_low_port specified by the server. The server also sets the\r\nvalue for fakesrvbatch, which determines the number of protocol emulator threads. The emulator supports basic\r\nrequests to a Goldsource engine game server: A2S_INFO, A2S_PLAYER, A2A_PING, receiving the “challenge\r\nsteam/non-steam client” request, as well as the “connect” command of the Counter-Strike client. After responding\r\nto the “connect” command, the Trojan tracks the first and the second packet from the client.\r\nAfter exchanging packets, the Trojan sends the last packet, svc_director, with a DRC_CMD_STUFFTEXT type of\r\nmessage, which enables the execution of arbitrary commands of the Counter-Strike client. This issue has been\r\nknown to Valve since 2014 and has not been fixed yet. Thus, attempting to connect to the game proxy server, the\r\nplayer will be redirected to the malicious server. After that, the Trojan developer will be able to exploit the\r\nvulnerabilities of the user's game client to install Trojan.Belonard.\r\nIt is worth mentioning that Trojan.Belonard.9 contains a bug, which allows us to detect fake game servers, created\r\nby the Trojan. Moreover, some of those servers can be identified by the name: in the “Game” column, the fake\r\nserver will have a string “Counter-Strike n”, where n can be a number from 1 to 3.\r\nEncryption\r\nBelonard uses encryption to store data in the Trojan and communicate with the server. 
It stores the encrypted name\r\nof the C\u0026C server, as well as some lines of code and library names. There is one encryption algorithm with\r\ndifferent constants for individual modules of the Trojan. The older versions of the Trojan used another algorithm\r\nto encrypt lines of code.\r\nDecryption algorithm in Trojan.Belonard.2:\r\ndef decrypt(d):\r\n    # d: encrypted string; each output byte depends on the previous output byte c\r\n    s = ''\r\n    c = ord(d[0])\r\n    for i in range(len(d)-1):\r\n        c = (ord(d[i+1]) + 0xe2*c - 0x2f*ord(d[i]) - 0x58) \u0026 0xff\r\n        s += chr(c)\r\n    return s\r\nDecryption algorithm from the older versions:\r\ndef decrypt(data):\r\n    # running sum modulo 256, seeded with the character 'f'\r\n    s = 'f'\r\n    for i in range(0,len(data)-1):\r\n        s += chr((ord(s[i]) + ord(data[i]))\u00260xff)\r\n    print(s)\r\nBelonard uses a more sophisticated encryption to exchange data with the command and control server. Before\r\nsending the information to the server, the Trojan turns it into a different structure for each module. Collected data\r\nis encrypted by RSA using the public key stored within the malware. However, it must be mentioned that RSA is\r\nused for encryption of the first 342 bytes of data only. If a module sends a packet of data larger than 342 bytes, only\r\nthis much will be encrypted by RSA; the rest of the data will be encrypted by AES. The data for the AES key is stored\r\nin the part encrypted with the RSA key, along with the\r\ndata needed for generating the AES key that the C\u0026C server uses to encrypt its answers.\r\nThen a zero byte is added at the beginning of the packet, and the data is sent to the C\u0026C server. 
The server\r\nreplies with an encrypted packet whose header contains information about the size of the payload and its SHA256\r\nhash, which must be verified against the AES key.\r\nThe server may reply with\r\n#pragma pack(push,1)\r\nstruct st_payload\r\n{\r\n    _BYTE hash1[32];\r\n    _DWORD totalsize;\r\n    _BYTE hash2[32];\r\n    _DWORD dword44;\r\n    _DWORD dword48;\r\n    _DWORD dword4c;\r\n    _WORD word50;\r\n    char payload_name[];\r\n    _BYTE payload_sha256[32];\r\n    _DWORD payload_size;\r\n    _BYTE payload_data[payload_size];\r\n};\r\n#pragma pack(pop)\r\nDecryption is performed with AES in CFB mode with a block size of 128 bits and the key sent earlier to the\r\nserver. The first 36 bytes of data are decrypted first, including the last DWORD value that shows the actual\r\nsize of the payload with the header. The DWORD value is added to the AES key and the result is hashed using SHA256. The resulting\r\nhash must match the first 32 decrypted bytes. The rest of the received data is decrypted only after this.\r\nBotnet shutdown\r\nDoctor Web’s analysts took all necessary measures in order to neutralize the Belonard trojan and stop the botnet from\r\ngrowing. The delegation of the domain names used by the malware developer was suspended with the help of\r\nthe REG.ru domain name registrar. Since redirection from a fake game server to the malicious one happened via\r\ndomain name, CS 1.6 players will no longer be in danger of connecting to the malicious server and getting\r\ninfected by the Belonard trojan. This interrupted the work of almost all the components of the malware.\r\nBeyond that, Dr.Web’s virus database was updated with entries to detect all the Belonard components. The\r\nmodules that switched to DGA are currently monitored. After all the necessary actions were taken, the sinkhole\r\nserver registered 127 infected game clients. 
In addition to that, our telemetry showed that Dr.Web anti-virus\r\ndetected modules of the Trojan.Belonard on 1004 devices of our clients.\r\nAt the present moment, Belonard botnet can be considered neutralized; but in order to ensure the safety of\r\nCounter-Strike game clients, it is necessary to close current vulnerabilities.\r\nIndicators of compromise\r\nFile names\r\nclient.dll - Trojan.Belonard.1\r\nMp3enc.asi - Trojan.Belonard.2\r\nMssv16.asi - Trojan.Belonard.3\r\nspwinres.dll - Trojan.Belonard.4\r\nMssv24.asi - Trojan.Belonard.5\r\ndavapi.dll - Trojan.Belonard.6\r\nWinDHCP.dll - Trojan.Belonard.7\r\nwmcodecs.dll - Trojan.Belonard.8\r\nssdp32.dll - Trojan.Belonard.9\r\nMssv36.asi - Trojan.Belonard.10\r\nFileSystem.asi - Trojan.Belonard.11\r\nIP addresses\r\n37.143.12.3\r\n46.254.17.165\r\nSource: https://news.drweb.com/show/?i=13135\u0026c=23\u0026lng=en\u0026p=0",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://news.drweb.com/show/?i=13135\u0026c=23\u0026lng=en\u0026p=0"
	],
	"report_names": [
		"?i=13135\u0026c=23\u0026lng=en\u0026p=0"
	],
	"threat_actors": [],
	"ts_created_at": 1775434677,
	"ts_updated_at": 1775826690,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/72c966022889970f1f484508b552fbcace17a679.pdf",
		"text": "https://archive.orkl.eu/72c966022889970f1f484508b552fbcace17a679.txt",
		"img": "https://archive.orkl.eu/72c966022889970f1f484508b552fbcace17a679.jpg"
	}
}