{
	"id": "c920b93f-b216-46b2-8868-b4e4135c06a0",
	"created_at": "2026-04-06T00:17:24.052552Z",
	"updated_at": "2026-04-10T03:21:31.343077Z",
	"deleted_at": null,
	"sha1_hash": "8ba4e026553de80eff488888d159e062c32da655",
	"title": "Want Tofsee My Pictures? A Botnet Gets Aggressive",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 529939,
	"plain_text": "Want Tofsee My Pictures? A Botnet Gets Aggressive\r\nBy Edmund Brumaghin\r\nPublished: 2016-09-29 · Archived: 2026-04-02 12:05:27 UTC\r\nThursday, September 29, 2016 11:02\r\nThis post was authored by Edmund Brumaghin\r\nSummary\r\nTofsee is multi-purpose malware that has been in existence for several years, operating since at least 2013. It features a number of modules that are used to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency, and more. Once infected, systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages in an effort to infect additional systems and increase the overall size of the botnet under the operator’s control.\r\nEarlier this year, Talos published a blog post discussing how the RIG exploit kit was delivering this malware to compromised endpoints using malvertising. Malvertising is a technique commonly used by exploit kits to infect users that browse web sites that are serving compromised advertisements. This activity seemed to disappear in June; however, Talos has recently observed a marked increase in the volume and velocity of spam email campaigns containing malicious attachments that are being used to distribute Tofsee.\r\nTofsee Spam Campaigns\r\nIn June 2016, following the disappearance of the Angler exploit kit from the threat landscape, other major exploit kits began to shift to different payloads. 
The RIG exploit kit moved from distributing Tofsee to other payloads, possibly because distributing them was more attractive to cybercriminals from a monetization standpoint or simply because different actors began using this exploit kit as a distribution mechanism for their malware.\r\nGiven the volume of spam messages that infected hosts attempt to distribute, new nodes are quickly added to DNS-based Blackhole Lists (DNSBL) and most of the major email service providers will not accept new message transmissions once this occurs. In order to keep spam levels consistent, new nodes must be added constantly. When RIG stopped distributing Tofsee payloads, those responsible for Tofsee switched to alternative distribution methods.\r\nWhile the Tofsee botnet has been known for sending spam messages, the messages have historically contained links to adult dating and pharmaceutical websites. Starting in August, Talos began to observe a change in the nature of the spam messages being sent by this botnet. The Tofsee spam botnet has begun utilizing malicious attachments that function as malware downloaders. This activity has increased in velocity and volume.\r\nhttps://blog.talosintelligence.com/tofsee-spam/\r\nPage 1 of 8\n\nFigure 1: Number of Emails Containing Malware Downloaders\r\nInitial Infection Vector\r\nThe initial infection for this variant of Tofsee appears to be accomplished by convincing users to open malicious attachments that are delivered via phishing emails. The phishing emails purport to be from women in Eastern Europe (namely Russia and Ukraine) and the theme of the emails is adult dating. Each email contains slightly different text; however, the same format is used across all of the messages Talos analyzed. The messages purport to contain an attached zip archive with pictures of the sender as well as links to a Russian adult dating website. 
Here is an example of a Tofsee message body:\r\nFigure 2: Sample Tofsee Spam Message\r\nJavascript Downloader\r\nThe attachment is a zip archive named [Sender First Name]-photos.zip that contains a Javascript file. In all cases analyzed, the filename of the Javascript file is a woman’s first name. The filename and hash change across groups of emails, with several being sent on any given day. The code in the Javascript attachment is obfuscated in an attempt to make analysis more difficult.\r\nFigure 3: Sample Obfuscated Javascript Downloader\r\nThe above Javascript obfuscates a WScript downloader, which is used to retrieve and execute a malicious PE32 executable from an attacker-controlled web server. When executed, the downloader retrieves a malicious executable and runs it, infecting the system with Tofsee.\r\nInfection Details\r\nThe malware drops a randomly named PE32 executable into the %USERPROFILE% directory.\r\nFigure 4: Dropped Tofsee Binary\r\nThe dropped executable is registered to start whenever the infected user logs onto the system. 
This is performed by adding an entry to HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run.\r\nFigure 5: Persistence Mechanism\r\nIt also deletes the initial binary using a batch file that is temporarily stored inside the %TEMP% directory.\r\nFigure 6: Batch File Stored in Temp\r\nOnce infected, systems will begin connecting to various SMTP relays and sending spam email messages.\r\nFigure 7: SMTP Connections\r\nAdditionally, HTTP GET requests are generated periodically as the malware attempts to simulate clicking on ads as part of its click fraud routine:\r\nFigure 8: HTTP Connections\r\nConclusion\r\nThreats are constantly evolving as attackers change the way in which they attempt to distribute malware and attack systems. Threat actors also constantly strive to expand their presence by taking advantage of the ever-increasing number of Internet users and devices. By leveraging our vast visibility into the threat landscape, Talos is able to effectively monitor these threats and quickly detect changes in the tactics, techniques, and procedures attackers are using so that we can continually protect our customers’ networks and data.\r\nCoverage\r\nAdditional ways our customers can detect and block this threat are listed below.\r\nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.\r\nCWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks.\r\nThe Network Security protection of IPS and NGFW has up-to-date signatures to detect malicious network activity by threat actors. 
ESA can block malicious emails sent by threat actors as part of their campaign.\r\nIndicators of Compromise\r\nURLs:\r\nhXXp://franny.goadultgame[.]ru:80/js/boxun4.exe\r\nhXXp://getfile.myadultgame[.]ru:80/js/boxun4.exe\r\nhXXp://gsbooz.goadultgame[.]ru:80/js/boxun4.exe\r\nhXXp://ibvl.theadultgame[.]ru:80/js/boxun4.exe\r\nhXXp://oajwwh.goadultgame[.]ru:80/js/boxun4.exe\r\nhXXp://picshare.adultgamemedia[.]ru:80/js/boxun4.exe\r\nhXXp://pics.theadultgame[.]ru:80/js/boxun4.exe\r\nhXXp://reworder.adultgamesite[.]ru:80/js/boxun4.exe\r\nhXXp://rkeujctg.adultgamemedia[.]ru:80/js/boxun4.exe\r\nhXXp://video.theadultgame[.]ru:80/js/boxun4.exe\r\nhXXp://view.webadultgame[.]ru:80/js/boxun4.exe\r\nDomains:\r\nmyadultgame[.]ru\r\ntheadultgame[.]ru\r\nwebadultgame[.]ru\r\nadultgamesite[.]ru\r\ngoadultgame[.]ru\r\nadultgamemedia[.]ru\r\ndatingst[.]ru\r\nglobalhotstore[.]ru\r\ndatingrg[.]ru\r\ndatingsd[.]ru\r\ndatingds[.]ru\r\ndatinghq[.]ru\r\ndatingfr[.]ru\r\ndatinghl[.]ru\r\ndategh[.]ru\r\nIP Addresses:\r\n184[.]18[.]26[.]30\r\n103[.]232[.]222[.]57\r\n111[.]121[.]193[.]242\r\nDownloader Filenames:\r\nSandi.js\r\nTessa.js\r\nDori.js\r\nDebbie.js\r\nLira.js\r\nGriselda.js\r\nChere.js\r\nJess.js\r\nBettie.js\r\nKaterine.js\r\nKarena.js\r\nBirdie.js\r\nBlondelle.js\r\nPansy.js\r\nThomasina.js\r\nNananne.js\r\nAbigail.js\r\nAdelaida.js\r\nDownloader 
Hashes:\r\nfe6290253a02c231c07e8604c6b2a1b298520e112e0c0ba08f76c26724b3c820\r\nf706c9c0982c358a165c5d31b218140461e110662332c6c508a9a66305311b17\r\n7e3e4d33b9477f4d38934fdafa2203815950bef6d3b5b1011cd433035f9c0975\r\n83a5e5e319169ec0de90a3ffa3513bbfdcb169fcda57ee671b9c4d08893f5d86\r\n762be900fa19aff05fe6459da36b407b81cf08d2e95c8aa7b23870c2fe4178cc\r\n40f039b9bfedbe5829c9301b0f2b1f322191694961f54a34853d5b4ae5627355\r\n91e57da11ec889574aebd03f9a213d7154d899d2cf137ec7275e90201e62a170\r\nf524ed3077caf65891d8b2c56c0fd32a5f58bba53ff09ad805fef8e7818a9b71\r\nd9fa2cd39e8dd741a95bb83576e4f7a1e766e8e1ba6580676a5aad145b2ac56d\r\n0274427bae4e479c28e9f8f21460cd03947c4878038458aeca406b7564563dc0\r\n0931fc405a4bc660dc695f5da8f9e6c027832530e7ee48a5385ea6b43587ff52\r\n0d98ad52e4db0085fbcf7d87465a14883e64038923e164d27e23983d4bde290c\r\nf6d17a1034a08de4048ba3b5f3adea7aa7d11180277c74c3ea09e3826520f768\r\n979ca79de2e3f3bdfa2a202824b3d6070aca61908f1413413777efeee224869f\r\ne8072ee6e6007ba44071bee91bd25f88c3e9d5db8c49c59975946d8f421b7ab7\r\n23a37772ff69c0da4294f858ee1b50ef8f261c007fc5ae0a1216757d0a1a4148\r\n5d005f26295b05b7a9e8bf317c1452a616c362594e787d3bac5ecb2709059f2e\r\nBinary Hashes:\r\n3100af215a1dbe16be91fa5ee4fd8def2c58623e5c7b3751e2a4c4df1263c5bc\r\n08eb7d50f070f84227ba9a7f55149bcd775d700636417c917a317248acd2f57d\r\n0904af6c04c349dddc1cdb1e76a7c0782dd750e36c3e2e9e84ea8e40f41905c6\r\n0aaea185e269923b4181951b3761a33a745f1ff8671f9a17ee69798c605b7aff\r\n25fae47b7959cfb5be90cffc9a33d0875a0f5cb8dc7f6bd1bfb926ca26e24ea3\r\n4529bc3de5ac1e5807d91dbe9883aca563dc845ef80cbddd835fd04a4b2d7ab8\r\n4cb9925bcc4d8e8e74f8a1288595b3775bc8a8e7cac3e2e05f4fe6fefceb8af2\r\n5ba6eb7748f1e01c8302f8a97c264e82256f5b7c796b5a893550673c5ca0e134\r\n5d06f55a5fb94d5717dfa798e670c3cdacbaa57a798fe917e0c69ee0e42cfcb8\r\n6c6b60b62b1090fee62336852ecf2e9999050de32ec7a9114a0fce54fe9fb177\r\n785c9f48829d0ac2958a403976346833d630e8eba24bf5fa4024d36e37d8f77d\r\n7c41a29a697dab21b7303baf75bf931bdc06123b339349268e5de0f124818364\r\n8204b8590b916268dd683a5d040225d1ec3836a473e79fda5463031da9cce632\r\n906cbae96a9d21d0dd692b858f11c7515d515773da854add7dc695e8b0f973d1\r\n9a7e3fda688862acbad677f62f99ac449c3df6b884408c80a34938dd18d5284f\r\n9e0550c4a5dbbb19c30fa82ff05d28971d8934f1a954b24a6335ed19aeba72d5\r\na77355c3dd7f65957aab46a586463762e02cbfc981817fdb95c44b144dea1842\r\nacb5bd713f0077725d754e98961eb4c691e1d68d45678597c5dbf1ff667e27ca\r\nb1f96a761338ec65ecfb385486c583f8677fb865735b8d839a4a7ff094cc9744\r\nb86c1f59060c6607f8da882ac45c9e4e82a899dbb57a77f007b15f8460d32a71\r\nbcf9256595fa8da550b479ccfd518a67a1fc53ff2bffe990c3789dda29cc5886\r\nc1a1b521a365402ec82adff554be11e22cdedce7d50dc49d47609b1b6aed2d79\r\nc4808689aaf69cee2db9783d9831abe568e0953f9f6f1e80e162e99fb9c664f0\r\nca8851bdb285c02fd1d5176cffc9cedafe8838610466df859b33e465f3a91572\r\nd2085fd53064953de40f9735ec31c09b479612cfa13597c9a30df4ebf06dd85b\r\ne522062d780fc38f89c463f0a2002b3646681a1582435276d2f81d75b9c7696b\r\nffc9744be0450e5ed8dd296798c2562f688d77c954ed976c9ccb723163fa7006\r\nSource: https://blog.talosintelligence.com/tofsee-spam/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.talosintelligence.com/tofsee-spam/"
	],
	"report_names": [
		"tofsee-spam"
	],
	"threat_actors": [],
	"ts_created_at": 1775434644,
	"ts_updated_at": 1775791291,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8ba4e026553de80eff488888d159e062c32da655.pdf",
		"text": "https://archive.orkl.eu/8ba4e026553de80eff488888d159e062c32da655.txt",
		"img": "https://archive.orkl.eu/8ba4e026553de80eff488888d159e062c32da655.jpg"
	}
}