{
	"id": "9d0baa76-7a57-4e62-aa4c-ee2522e3ea5f",
	"created_at": "2026-04-06T00:11:21.293398Z",
	"updated_at": "2026-04-10T13:12:14.319414Z",
	"deleted_at": null,
	"sha1_hash": "7c8e159d7021e985c973461887763f4a3d331640",
	"title": "P2PInfect Worm Evolves to Target a New Platform",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1297951,
	"plain_text": "P2PInfect Worm Evolves to Target a New Platform\r\nBy Nozomi Networks\r\nPublished: 2024-01-17 · Archived: 2026-04-05 21:54:45 UTC\r\nA highly sophisticated strain of malware known as P2PInfect is raising new concerns in the cybersecurity\r\ncommunity. Developed in Rust, a language known for its safety and efficiency, this cross-platform worm uses\r\nseveral different methods of propagation to infect devices powered by different architectures. The malware is\r\ncapable of performing Peer-to-Peer (P2P) communications without relying on a single Command and Control\r\nserver (C\u0026C) to propagate attackers’ commands. Some strains attempt to abuse SSH while others exploit\r\nvulnerabilities in Redis, a popular in-memory database, to spread rapidly across networks.  \r\nThe most intriguing aspect of P2PInfect is its evolving nature; as researchers dig deeper to understand its goals,\r\nthe worm continues to adapt, and expand to target new architectures. Nozomi Networks Labs has identified a\r\nstrain of P2Pinfect that targets a new IoT architecture - ARM.  \r\nThis blog provides a comprehensive overview of recent P2PInfect worm operations and behavior, along with how\r\nthey have changed over time. We analyze a new set of samples to investigate the worm's defence techniques, and\r\nprovide detections at the end of the blog. By delving into the technical details and ongoing efforts to mitigate its\r\nthreats, we aim to inform and educate readers about this emerging cybersecurity threat and the broader\r\nimplications the malware holds for digital security in our interconnected world.\r\nTracking the Timeline of P2PInfect Strains\r\nAccording to our data, the first strains of this threat date back to at least July 2023. 
Malware authors have been\r\ngradually introducing support for more and more platforms, mainly focusing on the x86-64 platform of CPUs.\r\nRedis is only officially supported in Linux, but P2PInfect creators are designing malware to spread to as many\r\nplatforms as possible. It is also feasible to install Redis in Windows machines using the Windows Subsystem for\r\nLinux (WSL) and the P2PInfect developers are aware of this. For this reason, the actors also ship Windows DLLs\r\ninside the ELF binaries to increase the number of devices they can infect.\r\nhttps://www.nozominetworks.com/blog/p2pinfect-worm-evolves-to-target-a-new-platform\r\nPage 1 of 16\n\nFigure 1. MZ-PE executable inside an ELF file.\r\nRecently, Cado Security Labs made a noteworthy discovery. They came across the first MIPS samples in the wild,\r\ndetermining that including Windows DLLs is just one part of the strategy to broaden the potential range of\r\ntargeted devices. This revelation has expanded the scope to potentially affect a wider array of devices.\r\nTo this discovery, we add a new set of samples that target another typical IoT architecture: ARM, something that\r\nhasn’t been reported by other researchers so far. The corresponding example SHA-256 hashes found by Nozomi\r\nNetworks Labs are the following:\r\n4421298c97f245f4e7eafb4f3873b0a95fe22682766c5dfb9c22ccfef8b91ad1\r\n8ca16968634b5c7bb0343fff806da827ad00866748fce022da9fb0addc50ee99\r\nA version of this malware that utilizes the SSH protocol for propagation was intercepted by our chain of globally\r\ndistributed honeypots on November 6, 2023, something that hadn’t been observed by researchers when the\r\nthreat was first analyzed back in July 2023. Our honeypots began recording the initial infection commands in\r\nOctober 2023, and this trend has continued to grow consistently until the current month of January 2024. 
The\r\nmajority of these malicious connections originate from locations in China, Hong Kong and Singapore.\r\nOn Windows, the compilation timestamps stored as part of the MZ-PE header structure of executables are\r\ncommonly used to build timelines, even though they can be forged by attackers and on newer versions of\r\nWindows don’t necessarily represent the timestamps but rather checksums. However, the ELF format of\r\nexecutables commonly found on *nix systems doesn’t even have such a field. Still, some conclusions can be made\r\nbased on the metadata left by the compiler as well as metadata from third-party systems like VirusTotal.\r\nIn addition, here we actually do have Windows executables embedded into ELF files; the only thing that is left is\r\nto automatically extract all of them. Here is an example SHA-256 hash of the same DLL found inside x86-64,\r\nARM and MIPS samples:\r\na29cb8da788a5ebaa7b8f6a6016d7233f81f9f478cf4a52e021a6d6060d09f7e\r\nWe have also uploaded it to VirusTotal to share it with the community. If its compilation timestamps (Figure 2)\r\nwere not forged by attackers, they may indicate that attackers finished developing Windows payloads months\r\nbefore the first widespread distribution in July.\r\nFigure 2. The compilation timestamp of the embedded Windows payload states May 2023.\r\nTurning our attention to the technical aspects of this identified threat, we've uncovered several self-defense\r\ntechniques detailed in the following section.\r\nTracing the Transformation of Malware Executables\r\nHigh-level Functionality\r\nWritten in Rust, the P2PInfect malware mainly consists of two executable modules: the smaller (~0.5Mb)\r\nauxiliary module commonly having a filename “bash” and a larger, main payload. 
The purpose of the former is to\r\nensure that the main payload works correctly, performing all the required validations, updates and revivals where\r\nnecessary. The main payload is capable of performing various operations, including propagating and delivering\r\nother modules with filenames that speak for themselves like miner and winminer. As its name suggests, the\r\nmalware is capable of performing Peer-to-Peer (P2P) communications without relying on a single Command and\r\nControl server (C\u0026C) to propagate attackers’ commands.\r\nAs we will see below, some parts of it are less static than others.\r\nSelf-Defense Techniques\r\nSamples packed with higher versions of the UPX tool generally can’t be unpacked by lower versions of it,\r\ncomplicating the analysis and detection if automated analysis systems are using outdated versions of UPX. In\r\ngeneral, attackers will use the latest version available. Interestingly, the latest variants of this malware tend to\r\nutilize a particular version of the UPX packer: 4.0.2. This version is newer than 3.94 and 3.95 which are widely\r\nused by other attackers, but well below the most recent version available, which is 4.2.2. The use of version 4.0.2\r\nprovides an idea of how the project was developing as this version became available to the public on January 30,\r\n2023, while the next version 4.1.0 not used by attackers was released on August 8, 2023. It could mean that the\r\nmain part of the development was taking place starting from early in 2023, and after the toolset was set up, the\r\nattackers didn’t bother updating it.\r\nThe authors' commitment to safeguarding the samples from dynamic analysis and remediation becomes clear\r\nwhen we examine the various security measures employed in P2PInfect. 
In addition to disabling core dumps\r\nthrough the 'setrlimit' syscall (Figure 3) and the process debugging protection noted by Cado Security, this family\r\nof malware employs additional security measures across various layers.\r\nFigure 3. 'setrlimit' syscall to disable core dumps.\r\nAs mentioned earlier, the “bash” binary is dropped into the system to ensure the continued “health” of the\r\nP2PInfect sample in case a new version is released or its integrity is compromised (e.g., binary modification or the\r\nmain process is not active). This “bash” binary is not downloaded from the botnet; it’s dropped from the sample.\r\nTo establish effective communication with it, the primary sample listens on the loopback address via a TCP port.\r\nThis approach can lead to a consistent behavior pattern that analysts can readily identify, and there is also the\r\npotential risk that the selected port may already be in use. To mitigate these concerns, the dropped executable is\r\nintentionally made non-functional until the malware modifies it during runtime. This measure also prevents the\r\nextraction of a functional payload from the primary executable.\r\nTo find the memory to be modified inside the “template bash” executable to make it ready to be executed,\r\nP2PInfect looks for two markers “thisisport” and “password12345678” to dynamically replace them with two\r\nrandom values.\r\nFigure 4. TCP port marker search.\r\nWhen the offset of the marker is found, a random port between 60100 and 60150 is generated and then an\r\nunderscore ‘_’ is appended to allow the bash executable to know where the port string ends. This TCP port range\r\nis the same as the range of ports used to communicate with other peers within the P2P network.\r\nFigure 5. 
Random TCP port generation between 60100 and 60150.\r\nThe password marker is replaced with 16 random characters that will be used to encrypt the communication\r\nbetween both executables. This additional layer of protection conceals\r\nthe transmitted content from curious eyes.\r\nFinally, many main ELF payloads are distributed inside wrapper ELF files that just print a famous “Hello,\r\nWorld!” message, pretending this is their only functionality.\r\nFigure 6. A short main function of the wrapper ELF sample.\r\nAn example of it would be a sample d1ad42ab5289447cbd803e186d2115e1b2ea3bf3486dc92c7ef5153f572dfd65\r\ncontaining the main P2PInfect payload\r\n32365440cbe93909b1dfd4364bcdb0c31953f4d6be97a675eb3984126cc49295 inside (Figure 9).\r\nFigure 7. Embedded main P2PInfect payload.\r\nOnce the device is infected, it's ready to spread to other devices. To infect new targets, P2PInfect executes a\r\nbrute-force attack against the device with the SSH server and, after a successful login, different commands are\r\nexecuted to download and run the malware (Figure 8).\r\nFigure 8. Bash command executed to infect the device after successful login.\r\nAn example of such a sample is the following, illustrated in Figure 9:\r\n9ec9d3f720a752b9ab928e1c395c778d3da652442d0f0ae09552efc2f57ee6de\r\nFigure 9. A record from one of the honeypots spotting this sample of P2PInfect.\r\nConclusion\r\nThe P2PInfect malware family continues to expand its reach across various architectures and platforms,\r\nrepresenting a significant and evolving threat in the realm of cybersecurity. 
Its unique characteristics, such as its\r\nuse of Rust and exploitation of Redis vulnerabilities, highlight the ongoing challenges presented by modern\r\nmalware.\r\nWhile researchers and cybersecurity experts are making strides in understanding and combating this worm,\r\nP2PInfect serves as a stark reminder of the dynamic nature of cyber threats and the importance of staying ahead in\r\nthe ever-evolving cybersecurity landscape. As we forge ahead, it is crucial for individuals and organizations alike\r\nto remain informed and proactive in their cybersecurity practices to mitigate the risks posed by such sophisticated\r\nthreats.\r\nDetections\r\nYARA\r\n// Created by Nozomi Networks Labs\r\nrule p2pinfect_linux {  \r\nmeta:        \r\n   author = \"Nozomi Networks Labs\"        \r\n   date = \"2023-12-13\"        \r\n   x_threat_name = \"P2PInfect\"        \r\n   name = \"P2PInfect - WORM\"        \r\n   description = \"Multiplatform worm that targets Redis servers.\"        \r\n   reference = \"https://www.cadosecurity.com/redis-p2pinfect/\"        \r\n   x_mitre_technique = \"T1190, T1059, T1107, T1068, T1071\"        \r\n   tlp = \"green\"        \r\n   hash = \"6d0e4c03cf4731b9b05c3e575a92db9beabccf243263d703c7b332597c8ed591\"\r\nstrings:\r\n   $str_0 = \"\\x00need_slow_targets\" ascii\r\n   $str_1 = \"\\x00need_fast_targets\" ascii\r\n   $str_2 = \"\\x00attacker_not_valid_secs\" ascii\r\n   $str_3 = \"\\x00file_servers_online_check_delay_secs\" ascii\r\n   $str_4 = \"ReloadConfstruct\" ascii fullword\r\n   $str_5 = \"Failed to disable core-dumps via rlimit\" ascii\r\n   $str_6 = \"Failed to check tracer presence via /proc/self/status\" ascii\r\n   $str_7 = \"AWS_ACCESS_KEY_ID=\\\"?(.*?)\\\"?[\" ascii\r\n   $big_num = {433ce8229fc5f04b}\r\ncondition:\r\n   
uint32(0) == 0x464c457f and (3 of ($str_*) or $big_num)\r\n}\r\n// Created by Nozomi Networks Labs\r\nrule p2pinfect_dll {    \r\nmeta:        \r\n    author = \"Nozomi Networks Labs\"        \r\n    date = \"2023-12-20\"        \r\n    x_threat_name = \"P2PInfect\"        \r\n     name = \"P2PInfect - WORM\"        \r\n     description = \"Multiplatform worm that targets Redis servers.\"        \r\n     reference = \"https://www.cadosecurity.com/redis-p2pinfect/\"        \r\n     x_mitre_technique = \"T1190, T1059, T1107, T1068, T1071\"        \r\n     tlp = \"green\"        \r\n     hash = \"a29cb8da788a5ebaa7b8f6a6016d7233f81f9f478cf4a52e021a6d6060d09f7e\"    \r\nstrings:        \r\n      $exp_dll = \"\\x00exp.dll\\x00\"        \r\n      $rm_onload = \"\\x00RedisModule_OnLoad\\x00\"        \r\n      $system_exec = \"\\x00system.exec\\x00\"        \r\n      $redis_module = \"\\x00RedisModule_\"        \r\n      $onexit_table = \"onexit_table\" fullword        \r\n      $lookup_func = \"RtlLookupFunctionEntry\" fullword    \r\ncondition:        \r\n      uint16(0) == 0x5a4d and all of them and #redis_module \u003e 20\r\n}\r\nIPs\r\nURLs\r\nSHA-256 hashes\r\nSource: https://www.nozominetworks.com/blog/p2pinfect-worm-evolves-to-target-a-new-platform",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.nozominetworks.com/blog/p2pinfect-worm-evolves-to-target-a-new-platform"
	],
	"report_names": [
		"p2pinfect-worm-evolves-to-target-a-new-platform"
	],
	"threat_actors": [],
	"ts_created_at": 1775434281,
	"ts_updated_at": 1775826734,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7c8e159d7021e985c973461887763f4a3d331640.pdf",
		"text": "https://archive.orkl.eu/7c8e159d7021e985c973461887763f4a3d331640.txt",
		"img": "https://archive.orkl.eu/7c8e159d7021e985c973461887763f4a3d331640.jpg"
	}
}