{
	"id": "f31de3f8-1a81-4b5d-b983-b4660643c6b2",
	"created_at": "2026-04-06T00:21:45.519615Z",
	"updated_at": "2026-04-10T03:24:39.888983Z",
	"deleted_at": null,
	"sha1_hash": "855a524f45edb9a2b8df4ca050fce0c01985cdfb",
	"title": "Exploring the Genesis Supply Chain for Fun and Profit",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1662949,
	"plain_text": "Exploring the Genesis Supply Chain for Fun and Profit\r\nBy KELA Cyber Team, Ben Kapon\r\nPublished: 2020-02-21 · Archived: 2026-04-05 23:51:20 UTC\r\nEdited by Ben Kapon\r\nUpdated February 21, 2020\r\nBottom Line Up Front\r\nThis is the first post in a series of posts reviewing the supply chain of the Genesis Store market – a likely-Russian\r\nthreat actor operating a successful, borderline innovative, pay-per-bot store since 2018. The following post\r\nfeatures a quick-and-easy methodology breaking down over 335,000 unique Genesis infections into four malware\r\ngroups, allowing us to attribute over 300,000 AZORult infections to the Genesis actors currently involved in\r\ncampaigns resulting in tens of thousands of new AZORult infections per month. Furthermore, it seems\r\nGenesis isn’t necessarily leading these campaigns, but rather working with various Malware-as-a-Service (MaaS)\r\nproviders and cybercrime services.\r\nhttps://ke-la.com/exploring-the-genesis-supply-chain-for-fun-and-profit/\r\nPage 1 of 11\n\nThis discovery, linking Genesis with widely known commodity malware, highlights the ongoing threat to\r\norganizations and the proliferation of illegal data obtained from infections. It also sheds light on the supply\r\nchain relationships between actors operating within the cybercrime financial ecosystem (read: Dark Net); we’ll\r\nexplore this theme, including specific actors and trends, in the next posts.\r\nPreface\r\nMuch has been written about the Genesis Store: the threat it poses to organizations, the native fingerprinting\r\nabilities embedded in the tools it provides, or (shameless plug alert) the shift in cybercrime business models it\r\nrepresents.\r\nOn a day-to-day operations basis, KELA automatically monitors new listings on the market – allowing our\r\nclients to monitor relevant infections. 
While these real-time alerts allow threat intelligence or incident response\r\nteams to remediate relevant threats, many of our clients were interested in a wider, more contextual understanding\r\nof Genesis. For example, one report indicated that Genesis “introduced a new breed of stealers specifically\r\ndesigned to collect digital fingerprints and artifacts;” another referred to the Genesis “botnet.” That raises the\r\nquestion, what do Genesis actors actually do? Develop specialized stealers, manage a MaaS botnet, or sell\r\ncredentials obtained by other actors?\r\nSeeking to demystify the threat, we focused on three major areas:\r\n1. Technical abilities – which trojan is being used: commodity malware or a tailored tool?\r\n2. Operational independence – are the Genesis actors leading independent campaigns, determining targets\r\nand infection methods, or reselling data obtained by other parties?\r\n3. Scale – the spread, infection rate and profits pocketed by the actors\r\nOur research aims to evaluate the actionable threat level: if ACME Corp found an infected endpoint offered for\r\nsale on the market, what should be the next steps of the incident response team? What does a Genesis infection\r\nsay about further threat hunting, threat containment and lateral movement, or impending payloads? In the age of\r\ncybercrime inter-group relations and joint campaigns, understanding how Genesis actors position themselves in\r\nthe cybercrime financial ecosystem as an emerging threat group can be extremely helpful to defenders.\r\nLuckily, it’s our business to have access to large cybercrime-related data; as such, KELA’s systems have been\r\nscraping Genesis ever since it became a prominent market, caching every infected machine’s data and\r\nmetadata, resulting in over 335,000 unique devices at the time of writing. However, unlike a day-to-day malware\r\nanalysis assignment, we had no specific infection to investigate. 
Since KELA is an external service provider, we\r\nlearn about Genesis infections affecting our clients from listings on the market and any network or endpoint\r\nindicators, leaving us with no access to actual samples.\r\nSo, the first question to answer was: How do you analyze a campaign without traditional indicators of\r\ncompromise?\r\nLet Me GUID You\r\nLet’s begin by introducing the components of a typical Genesis listing: the bot metadata, providing context and\r\ndata on the infected machine; and the data itself – showing the actual stolen credentials and associated details.\r\nFigure 1: Typical bot listing on the Genesis market\r\nNotably, Genesis obscures a significant property, which other actors selling infostealer data provide: the infection\r\ntype. While other markets and sellers clearly indicate which Trojan was used to source the stolen credentials,\r\nGenesis prefers white-labeling and rebranding data as their own.\r\nWith our main area of interest being the attributed stealer – the one data point Genesis actively hides – our\r\nmethodology focused on trying to extrapolate the available data points. The GUID, module and infection\r\ndate proved useful in answering that question.\r\nOur preliminary assumption is that the bot name – the title of each Genesis bot – is a globally unique\r\nidentifier, which we will refer to as the bot GUID. To put that into context, note the structure of the bot GUID in\r\nFigure 1: it’s composed of five alphanumerical octets separated by hyphens. However, not all Genesis bots follow\r\nthis distinct pattern; scanning the website, we’ve identified several GUID structures. 
So, if each GUID structure\r\nis associated with a particular malware, could we use the patterns to classify infection types?\r\nFigure 3: Genesis bots with different GUID patterns\r\nTo answer that, we attempted to group all \u003e335k Genesis bots scraped by KELA into distinct GUID classes,\r\nbased on the structure and syntax observed. We then assigned every GUID group to a malware, effectively\r\nmapping the Genesis malware supply chain. Our methodology involved three steps:\r\n1. Mapping possible delimiters and splitting each GUID into tokens, accordingly;\r\n2. Mining seemingly meaningful strings from all tokens into a dictionary; and\r\n3. Classifying each GUID based on the length of the tokens in its GUID and whether an important string appears\r\nin any of the tokens.\r\nFigure 4: KELA’s classification of different GUID patterns in Genesis\r\nIncorporating this methodology, we grouped all Genesis bots into 340 distinct GUID classes. That might\r\nseem like a major achievement, allowing us to map 340 different GUIDs to known (or unknown!) information\r\nstealers. However, as can be seen in Figure 5, many of the GUIDs share another syntactic feature: they end in\r\n“_20,” meaning that regardless of how the raw GUID starts, it ends in 20 alphanumeric characters following an\r\nunderscore.\r\nFigure 5: Initial GUID classes: the grey ones are distinct and well-formed, while the pink ones are less distinct,\r\nand were later grouped based on secondary properties\r\nThe Four GUIDers of the Apocalypse\r\nThis insight, along with the meaningful strings appearing in some GUIDs, quickly led us to realize that these\r\nGUIDs are essentially a Windows machine name concatenated with a seemingly unique 20-character string. We\r\nrefer to this class as {MACHINENAME}_20. 
This tweak to the classification methodology allowed us to group\r\nover 330 different GUIDs, resulting in four key structures across the entire Genesis dataset.\r\nFigure 6: Breakdown of bot GUID structures\r\nWith the four malware families classified and the number of infections accounted for, we could decipher other\r\nmeta-properties and make sense of how Genesis operates. Reviewing infection classes over time suggests Genesis\r\nactors have been experimenting with different Trojans: as seen in Figure 7, during its first year, Genesis only\r\nsold infections of {MACHINENAME}_20 class, and switched to 8-8-8-8-8 in late 2018, boosting the number of\r\ninfected machines obtained by the actors.\r\nFigure 7: Infection types (by GUID class) over time; dates indicate when the machine was infected\r\nAnother interesting date was late 2019 when the 32 GUID class appeared on the market; Genesis actors might\r\nhave considered introducing a new malware type into the market, but eventually decided to revert to their leading\r\nproduct – the 8-8-8-8-8 class.\r\nArmed with these insights, we set out to analyze the 8-8-8-8-8 class based on its ongoing ubiquity. In our next post,\r\nwe’ll dive into the 32 class, providing insights into its short rise and fall on the market, and explore the historical\r\nthemes of the two remaining categories.\r\n88888, the Number of the GUID\r\nSeeing this pattern, our first suspect was AZORult infostealer, a malware that uses a similar GUID. 
However, it\r\nwas circumstantial at best; we needed some hard evidence linking the two.\r\nFigure 8: AZORult’s GUID featuring the 8-8-8-8-8 structure (analyzed by Cylance)\r\nLuckily, the cybercrime financial ecosystem is abundant with actors sharing samples of their “logs” – collections\r\nobtained via various malware types. We soon came across a prominent MaaS provider operating in a top-tier\r\nRussian cybercrime forum. Retrieving some of the data shared by the actor, we were able to find official\r\nAZORult logs – stolen credentials advertised as having been obtained via AZORult – that share the same\r\nGUIDs as Genesis’ 8-8-8-8-8 category. That, along with corresponding metadata, confirmed the 8-8-8-8-8 class,\r\nwhich comprises over 90% of Genesis infections, is based on AZORult.\r\nFigure 9: Genesis listing (top) and an AZORult log obtained from a prominent MaaS provider (bottom) sharing\r\nthe same GUID and metadata, confirming the “8-8-8-8-8” Genesis GUIDs are indeed AZORult\r\nOperating since 2016, AZORult is a commodity malware widely used by multiple threat actors in numerous\r\ncampaigns. While its author stopped maintaining the project in late 2018, AZORult is still widespread and used\r\nin active campaigns. AZORult’s source code was readily available to numerous actors who modified the original,\r\nproducing unofficial variants for small-scale, independent campaigns. In the case of Genesis, this could mean\r\nactors either operate their own version of the stealer, resell infections from a MaaS provider, or both.\r\nGoing back to the AZORult log samples mentioned in Figure 9, we analyzed fifteen months’ worth of records\r\noffered by the MaaS provider and found correlating GUIDs and over 10,000 such bots. 
These findings might\r\nindicate a supply chain link between Genesis and known cybercriminals, where actors monetize their\r\ncampaigns by selling data to Genesis.\r\nFigure 10: Possible cooperation between Genesis and a MaaS provider offering access to AZORult-infected\r\nmachines\r\nNot only does Genesis use commodity malware for over 90% of its bots – the actors do so as part of a joint\r\nbusiness venture with MaaS providers. This offers a glimpse into an interesting aspect of the cybercrime sector:\r\ninteractions and cooperation between actors. In the case of Genesis, old forum posts indicate they’re not\r\nentirely independent and are interested in gaining access to compromised machines. As can be seen in\r\nFigures 7 and 10, Genesis obviously found a supplier – most likely several – of infections they can utilize for\r\ncredential-stealing purposes.\r\nFigure 11: A post from the early days of the Genesis Store: “Asking you kindly, if you want to work with us, we\r\nneed loads in big volumes. Topical infections of 5-10 a week will not do”\r\nThe next parts of this research will dive deeper into the supply chain relations Genesis has with at least one\r\nprominent MaaS provider, shedding light on cybercriminal business models.\r\nThe GUID, the Bad, and the Obvious\r\nIn the first part of our research, we focused on developing a methodology for continuous monitoring of the\r\nGenesis Store – specifically supply-related trends. Analyzing the elements of one of today’s most prolific\r\ncybercrime outlets, we were able to link over 300,000 AZORult infections to Genesis – or at least to their\r\nproviders. 
Behind these numbers are diverse victims: from SMBs to enterprises, from the private sector up to\r\ngovernment officials.\r\nWhile the fact that a top-tier market uses one of the most popular stealers is hardly surprising, our main point is\r\nthis: Genesis actors are not going anywhere anytime soon, so we might as well keep tabs on them. Gaining a\r\nbetter understanding of the threat, as well as demystifying it, is crucial in establishing KPIs for further monitoring.\r\nOnly now – when we have clear definitions of the necessary data points to extrapolate from the operations of\r\nGenesis actors – can we establish baseline metrics and measure when they’re being disrupted. Adding new\r\nmalware strains, utilizing new and different credential-stealing modules, or shifting infection volumes can serve as\r\nthreat indicators to improve awareness.\r\nThis is also our motivation for the upcoming parts of this research, where we will try to:\r\nIdentify the three remaining GUID classes, linking them to known malware;\r\nDescribe the different stages of Genesis’ evolution, from inception to a top-tier provider of the\r\ncybercriminal underground;\r\nDeep dive into specific MaaS actors involved, both directly and indirectly, in the Genesis supply chain;\r\nExplore themes and trends in the MaaS industry and the broader cybercrime financial ecosystem, and their\r\neffects on consumers of threat intelligence;\r\nRefer to biases, traps and gaps in our methodology; and\r\nCome up with as many GUID-themed puns as possible.\r\nSource: https://ke-la.com/exploring-the-genesis-supply-chain-for-fun-and-profit/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://ke-la.com/exploring-the-genesis-supply-chain-for-fun-and-profit/"
	],
	"report_names": [
		"exploring-the-genesis-supply-chain-for-fun-and-profit"
	],
	"threat_actors": [
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434905,
	"ts_updated_at": 1775791479,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/855a524f45edb9a2b8df4ca050fce0c01985cdfb.pdf",
		"text": "https://archive.orkl.eu/855a524f45edb9a2b8df4ca050fce0c01985cdfb.txt",
		"img": "https://archive.orkl.eu/855a524f45edb9a2b8df4ca050fce0c01985cdfb.jpg"
	}
}