{
	"id": "fceaa344-0f92-4645-a367-9eadbfdebd2f",
	"created_at": "2026-04-06T00:10:17.84647Z",
	"updated_at": "2026-04-10T03:21:48.99231Z",
	"deleted_at": null,
	"sha1_hash": "813819acc85ffe02c7f90eceb8e33cbcb30c9ca7",
	"title": "The Hole in the Bucket: Attackers Abuse Bitbucket to Deliver an Arsenal of Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1840678,
	"plain_text": "The Hole in the Bucket: Attackers Abuse Bitbucket to Deliver an Arsenal of Malware\r\nBy Cybereason Nocturnus\r\nArchived: 2026-04-05 19:15:33 UTC\r\nResearch by: Lior Rochberger and Assaf Dahan\r\nIntroduction\r\nCybereason is following an active campaign to deliver an arsenal of malware that is able to steal data, mine for cryptocurrency, and deliver ransomware to victims all over the world. Due to the variety of malware types deployed in this attack, attackers are able to hit victims from all sides and do not have to limit themselves to one attack goal or another. The payloads observed in this campaign originated from different accounts on the code repository platform Bitbucket, which was abused as part of the attackers' delivery infrastructure.\r\nThe following malware families are deployed and updated using Bitbucket by the threat actor:\r\nPredator: Predator is an information stealer that steals credentials from browsers, uses the camera to take pictures, takes screenshots, and steals cryptocurrency wallets.\r\nAzorult: Azorult is an information stealer that steals passwords, email credentials, cookies, browser history, IDs, cryptocurrencies, and has backdoor capabilities.\r\nEvasive Monero Miner: The Evasive Monero Miner is the dropper for a multi-stage XMRig Miner that uses advanced evasion techniques to mine Monero and stay under the radar.\r\nSTOP Ransomware: The STOP Ransomware is used to ransom the file system and is based on an open source ransomware platform. It also has downloader capabilities that it uses to infect the system with additional malware.\r\nVidar: Vidar is an information stealer that steals web browser cookies and history, digital wallets, two-factor authentication data, and takes screenshots.\r\nAmadey bot: Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information on a target machine.\r\nIntelRapid: IntelRapid is a cryptocurrency stealer that steals different types of cryptocurrency wallets.\r\nCybereason reached out to Bitbucket Support and the malicious repositories mentioned in the report were deactivated within a few hours.\r\nhttps://www.cybereason.com/blog/the-hole-in-the-bucket-attackers-abuse-bitbucket-to-deliver-an-arsenal-of-malware\r\nPage 1 of 14\r\nThe flow of the Bitbucket multi-payload attack.\r\nThis research highlights an ongoing trend with cybercriminals where they abuse legitimate online storage platforms like Github, Dropbox, Google Drive, and Bitbucket to distribute commodity malware.\r\nIn this campaign, the attackers abuse the Bitbucket platform by creating several user accounts that are updated frequently. Regular updates to the malware stored on these accounts and the use of Themida as a packer are used to evade detection by antivirus products and thwart analysis attempts. They also use the CypherIT AutoIt packer to pack Azorult and give additional layers of protection against analysis.\r\nThis research is particularly interesting because of how the attackers infect a single target machine with multiple different kinds of malware. These kinds of commodity malware are often used for a one-off infection to steal data on the machine and sell it in underground hacking communities. However, in this attack, the attackers chose to integrate malware like coin miners and ransomware, which gives them a more persistent source of revenue. Each piece of malware in this campaign makes the attack stronger, with additional capabilities and features for a greater impact.\r\nKey Points\r\nAbuses resource sharing platforms: The Cybereason Nocturnus team is investigating an ongoing campaign that abuses the Bitbucket infrastructure to store and distribute a large collection of different malware. The attackers aren’t satisfied with one payload; they want to use multiple to maximize their revenue.\r\nAttacks from all sides: This campaign deploys an arsenal of malware for a multi-pronged assault on businesses. It is able to steal sensitive browser data, cookies, email client data, system information, and two-factor authentication software data, along with cryptocurrency from digital wallets. It is also able to take pictures using the camera, take screenshots, mine Monero, and in certain cases also deploy ransomware.\r\nFar Reaching: This ongoing campaign has infected over 500,000 machines worldwide thus far.\r\nModular and Constantly Updating: The attackers leverage Bitbucket to easily update payloads and distribute many different types of malware at once. In order to evade detection, they have an array of user profiles and continuously update their repositories, at times as often as every hour.\r\nMany kinds of malware: The attackers use the Evasive Monero Miner to steal a combination of data, mine cryptocurrency, and deploy other malware including the Vidar stealer, Amadey Bot, and IntelRapid. They also use Predator the Thief, Azorult, and the STOP ransomware over the course of their activities.\r\nDevastating impact: The combination of so many different types of malware exfiltrating so many different types of data can leave organizations unworkable. This threat is able to compromise system security, violate user privacy, harm machine performance, and cause great damage to individuals and corporations by stealing and spreading sensitive information, all before infecting them with ransomware.\r\nFor a synopsis of this research, check out the Bitbucket Threat Alert.\r\nTable of Contents\r\nIntroduction\r\nKey Points\r\nAnatomy of a Multi-Stage Attack\r\nInitial Compromise via Predator Infostealer\r\nEvasive Azorult\r\nSTOP Ransomware and Vidar Stealer\r\nXMRig Miner: Old Miner New Dropper\r\nDeep-Dive Into the Dropper\r\nConclusions\r\nIOCs\r\nMITRE ATT\u0026CK BREAKDOWN\r\nAnatomy of the Multi-payload Attack\r\nInitial compromise via Predator Infostealer\r\nThis attack starts with an unsuspecting user downloading a cracked version of commercial software like Adobe Photoshop, Microsoft Office, and others. Threat actors often target users looking for “free” commercial products by bundling legitimate software with different kinds of malware. In this instance, we are seeing vast amounts of cracked software bundled with the Azorult Infostealer and Predator the Thief.\r\nPredator the Thief is an information stealer that steals sensitive data like passwords from browsers, takes pictures, takes screenshots, and steals cryptocurrency wallets. Predator had previously been delivered via exploit kits like the RIG Exploit Kit and through phishing attacks.\r\nWhen a user attempts to install the “free commercial software”, it actually drops Azorult and Predator onto the target machine. Azorult (download.exe) immediately starts stealing information and deleting its binary to cover its tracks. After Azorult executes, Predator (downloadx.exe) creates a connection to Bitbucket to begin downloading additional payloads.\r\nCybereason UI: the attack tree of the execution of the malicious zip file.\r\nWe identified the download URLs for additional payloads of Azorult and the Evasive Monero Miner from a Bitbucket repository at hxxps://bitbucket[.]org/patrickhornvist/repo/ by unpacking Predator.\r\nDeobfuscated strings in memory from downloadx.exe show download URLs of other malware.\r\nThere are multiple additional payloads on Bitbucket:\r\n1.exe and 3.exe, both of which are Azorult information stealers with different hashes.\r\n2.exe and 8800.exe, both of which are Predator the Thief with different hashes.\r\n4.exe and 5.exe, both of which are the Evasive Monero Miner with different hashes.\r\n111.exe, the STOP ransomware.\r\nScreenshot of the Bitbucket repo: https://bitbucket[.]org/patrickhornvist/repo/downloads\r\nThrough research of other samples related to the campaign, we have identified additional Bitbucket repositories that are likely created by the same threat actor with the same set of malware samples. Judging by the number of downloads, we estimate over 500,000 machines have been infected by the campaign so far, with hundreds of machines affected every hour.\r\nhttps://bitbucket[.]org/luisdomingue1/new/downloads/\r\nhttps://bitbucket[.]org/BasilCowan/new/downloads/\r\nIt’s worth noting that the payloads on Bitbucket are updated almost constantly by the threat actor, sometimes as often as every few hours. This is likely done to avoid detection by traditional antivirus by replacing old binaries with fresh ones unknown to AV engines.\r\nEvasive Azorult\r\nAzorult is an information stealer that uses a quick and dirty approach to steal sensitive data. After it successfully steals sensitive information, it deletes any trace of itself by removing all associated files.\r\nAttack Flow for Azorult\r\nPredator downloads a secondary downloader which is used to download an evasive version of Azorult. In order to download Azorult, this downloader connects to hxxps://2no[.]co/2QqYb5 and downloads an encoded file in certificate form named bolo.com.\r\nThe encoded Azorult payload, a file named bolo.com.\r\nThe downloader uses certutil.exe, a native Windows binary, to decode the payload, a living-off-the-land technique. We have previously reported how the Ramnit trojan has been decoded using this technique. The contents of the decoded payload have another layer of obfuscation as well.\r\nThe decoded Azorult payload - grol.\r\nTo execute the decoded payload, the malware launches the AutoIt compiler, which the threat actor renamed to lsm.com. AutoIt is a freeware scripting language used to automate the Windows GUI and general scripting. It is compatible with all versions of Windows with no prerequisites, which makes it a useful tool for attackers looking to create malware.\r\nCybereason UI: the attack tree of the evasive Azorult execution.\r\nOnce executed, Azorult scans the file system and searches for sensitive data like browser data, cookies, email clients and cryptocurrency wallets. It copies this data to the %TEMP% directory, packs it, and sends it to the attacker. Once all information has been exfiltrated, Azorult removes all data copied to %TEMP% and deletes its binary to cover its tracks.\r\nSTOP Ransomware and the Vidar Stealer\r\nThe STOP Ransomware was first discovered in 2018, but began its most aggressive campaigns in early 2019. Over the year, it evolved to strengthen its encryption and evade detection, and at one point was even used to deliver Azorult onto victims’ systems.\r\nPredator downloads the STOP Ransomware from Bitbucket (111.exe) and executes it. STOP gathers information about the target machine by accessing api.2ip.ua and checks to see if it is running on a VM.\r\nSTOP creates a folder in %AppData%, copies its binary there, and changes access control to the file using icacls so others cannot access it.\r\nSTOP creates a RUN registry key and a scheduled task to execute itself every five minutes. While running, it connects to the C2 server, sends the C2 the MD5 hash of the MAC address, and downloads a key for file encryption.\r\nSTOP also downloads additional payloads onto the machine, including:\r\nhxxp://ring2[.]ug/files/cost/updatewin2.exe\r\nhxxp://ring2[.]ug/files/cost/updatewin1.exe\r\nhxxp://ring2[.]ug/files/cost/updatewin.exe\r\nhxxp://ring2[.]ug/files/cost/3.exe\r\nhxxp://ring2[.]ug/files/cost/4.exe\r\nhxxp://ring2[.]ug/files/cost/5.exe\r\nupdatewin.exe and updatewin2.exe help STOP evade detection, and the other payloads are independent pieces of malware: the Visel Trojan, the infamous Vidar stealer, and several other files.\r\nCybereason UI: the process tree of STOP Ransomware and Vidar stealer.\r\nVidar is a well-known information stealer that collects system information, passwords from browsers, email, and two-factor authentication software data. It stores stolen data in a randomly named folder in %ProgramData% and sends the info to its C2 server, besfdooorkoora[.]com. After the data is sent to the attacker, the malware stops the process and deletes its payload from the machine (5.exe).\r\nEvasive Monero Miner: Old Miner, New Dropper\r\nEver since the rise of Bitcoin, miners have gained popularity in the underground community, becoming one of the best sellers for attackers looking to make an easy profit. In this campaign, attackers continue this trend by distributing an Evasive Monero Miner.\r\nThe Evasive Monero Miner is a dropper that drops a version of the infamous, open source XMRig miner based on its original source code. An older version of the Evasive Monero Miner was first submitted to VirusTotal in late 2018, but was not discovered until December 2019 after a massive campaign that infected machines all over the world.\r\nThe dropper is packed with Themida, a powerful packer with anti-debug features and a way of packing that intentionally makes it difficult to manually unpack. It uses a compiled AutoIt script to unpack and download the XMRig miner. The dropper also uses several evasive techniques to avoid detection, including code injection, file renaming, encoded files, non-executable extensions, and the ability to connect through Tor.\r\nDeep Dive into the Monero Dropper\r\nWhen the Evasive Monero Miner is first executed, it drops several files in the %TEMP% folder:\r\nCL_Debug_Log.txt\r\nCR_Debug_Log.txt\r\nAsacpiex.dll (same as CR_Debug_Log.txt)\r\nCL_Debug_Log.txt is the binary for the 7zip executable renamed to hide its activity. It extracts and decodes a 7zip archive named CR_Debug_Log.txt. CR_Debug_Log.txt extracts a 32-bit and a 64-bit version of the miner payload, 32.exe and 64.exe, into %TEMP%.\r\nAfter extracting the payload, the dropper deletes the encoded archive CR_Debug_Log.txt and checks if the machine’s architecture is 32-bit or 64-bit. Depending on the result of the check, it copies the relevant binary, renames it helper.exe, and saves it in \\AppData\\Roaming\\Microsoft\\Windows.\r\nCybereason UI: attack tree of the execution of the XMRig Miner Dropper\r\nThe dropper also creates an XML file in %TEMP% named SystemCheck.xml along with a scheduled task SystemCheck that runs the XML file every minute.\r\nThe XML file is configured to run helper.exe with the argument -SystemCheck:\r\nHow SystemCheck.xml executes helper.exe.\r\nhelper.exe is a compiled AutoIt script. The script sets a few variables for the malware configuration, including:\r\nCommand line parameter\r\nTCP Protocol\r\nThe mining pool for the miner, with port: manip2[.]hk:7777.\r\nA list of processes it must check to see if it is being analyzed.\r\nTwo URL paths, public2/udp.txt and public2/32/32.txt, or fpublic2/64/64.txt for the 64-bit version.\r\nA password DxSqsNKKOxqPrM4Y3xeK that, based on the name of the variable, is used to decrypt an archive.\r\nhelper.exe decompiled code: the variables setting.\r\nhelper.exe contains two embedded binaries built during execution, the first of which is a 7zip binary.\r\nhelper.exe decompiled code: 7Zip binary embedded code.\r\nThe second is an encoded 7zip archive for a Tor client named Tor.tmp. Tor.tmp is decoded using the embedded password in helper.exe and extracted to \\AppData\\Roaming\\Microsoft\\Windows\\Tor\\.\r\nhelper.exe decompiled code: Tor client embedded code.\r\nCybereason UI: command line used to extract the Tor.tmp archive.\r\nThe dropper checks for various antivirus engines on the target machine, as well as whether the SmartScreen feature of Windows Defender is present. SmartScreen is used to protect against phishing and various malware websites.\r\nThe helper.exe decompiled code: an embedded list of security products.\r\nhelper.exe holds four domains encoded in Base64:\r\nhelper.exe decompiled code: embedded Base64 encoded domains.\r\nThe decoded domains:\r\nbgpaio75egqvqigekt5bqfppzgth72r22f7vhm6xolzqd6ohroxs7pqd[.]onion\r\njr2jjfxgklthlxh63cz3ajdvh7cj6boz3c3fbhriklk7yip4ce4vzsyd[.]onion\r\nuovyniuak3w4d3yzs4z4hfgx2qa6l2u6cx4wqsje4pmnmygc6vfddwqd[.]onion\r\nRcjndzwubq5zbay5xoqk4dnc23gr4ifseqqsmbw5soogye6yysc7nkyd[.]onion\r\nThe dropper uses the Tor client to connect to one of the decoded domains, combined with the URL paths, and downloads the contents into a file named SysBackup.tmp and the malware version into a file named upd.version on the target machine. Both of these files are created under \\AppData\\Roaming\\Microsoft\\Windows\\.\r\nhelper.exe decompiled code: creating the GET request that downloads the XMRig miner - SysBackup.tmp.\r\nAfter the file is downloaded, the dropper terminates tor.exe.\r\nSysBackup.tmp houses a byte array for the XMRig miner executable.\r\nXMRig file properties.\r\nhelper.exe spawns attrib.exe and injects the XMRig miner code into memory.\r\nXMRig code floating in memory of attrib.exe. Taken using Process Hacker.\r\nThe dropper executes attrib.exe with a command line that specifies the mining pool and the wallet where the miner will add its resources.\r\nhelper.exe decompiled code: building the command line for attrib.exe.\r\nClosing Thoughts\r\nAttackers continue to abuse legitimate online storage platforms for their own gain. By storing malicious payloads on trusted platforms, attackers can bypass security products to exploit the trust given to legitimate online services. In addition, it provides the attackers with another way of reducing the risk of exposure to their C2 server infrastructure through separating the delivery infrastructure (online storage platforms) from the C2 server infrastructure.\r\nIn some ways, this attack takes persistent revenue to the next level. These attackers infect the target machine with different kinds of malware to get as much sensitive data as possible, alongside miner capabilities and ransomware capabilities. This attack is the epitome of “have your cake and eat it too”, with attackers layering malware for maximum impact.\r\nAttackers continue to evolve and look for more effective ways to make a profit. They are finding that, when their tools fail, they can use legitimate ones instead. Security practitioners must find ways to evolve faster and ensure the security of these trusted resources so we can stay ahead of these threats.\r\nThe best way to defend against an attack like this is to use an iterative security process. Learn more in our whitepaper, \"Unleashing the true potential of MITRE ATT\u0026CK.\"\r\nIndicators of compromise\r\nClick here for a full list of the IOCs (PDF).\r\nMITRE ATT\u0026CK BREAKDOWN\r\nInitial Access: Drive-by Compromise; Spearphishing Link\r\nExecution: Command-Line Interface; Scheduled Task; Scripting; User Execution\r\nPersistence: Scheduled Task; Registry Run Keys / Startup Folder; Shortcut Modification\r\nPrivilege Escalation: Bypass User Account Control; Startup Items\r\nDefense Evasion: Bypass User Account Control; Deobfuscate/Decode Files or Information; Disabling Security Tools; File Deletion; Process Injection; Software Packing; Masquerading\r\nCredential Access: Credentials from Web Browsers; Credentials in Files; Credentials in Registry\r\nCollection: Audio Capture; Data from Information Repositories; Screen Capture; Video Capture\r\nC\u0026C: Commonly Used Port; Data Encoding; Multi-hop Proxy\r\nAbout the Author\r\nCybereason Nocturnus\r\nThe Cybereason Nocturnus Team has brought the world’s brightest minds from the military, government intelligence, and enterprise security to uncover emerging threats across the globe. They specialize in analyzing new attack methodologies, reverse-engineering malware, and exposing unknown system vulnerabilities. The Cybereason Nocturnus Team was the first to release a vaccination for the 2017 NotPetya and Bad Rabbit cyberattacks.\r\nSource: https://www.cybereason.com/blog/the-hole-in-the-bucket-attackers-abuse-bitbucket-to-deliver-an-arsenal-of-malware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.cybereason.com/blog/the-hole-in-the-bucket-attackers-abuse-bitbucket-to-deliver-an-arsenal-of-malware"
	],
	"report_names": [
		"the-hole-in-the-bucket-attackers-abuse-bitbucket-to-deliver-an-arsenal-of-malware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434217,
	"ts_updated_at": 1775791308,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/813819acc85ffe02c7f90eceb8e33cbcb30c9ca7.pdf",
		"text": "https://archive.orkl.eu/813819acc85ffe02c7f90eceb8e33cbcb30c9ca7.txt",
		"img": "https://archive.orkl.eu/813819acc85ffe02c7f90eceb8e33cbcb30c9ca7.jpg"
	}
}