{
	"id": "ee95f9d5-a1ae-4541-97e6-82975f64e0ed",
	"created_at": "2026-04-06T00:13:39.239265Z",
	"updated_at": "2026-04-10T13:12:48.020191Z",
	"deleted_at": null,
	"sha1_hash": "90f737820ff82162f3af0fa19df9f96e99829762",
	"title": "360 Netlab Blog - Network Security Research Lab at 360",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 156494,
	"plain_text": "360 Netlab Blog - Network Security Research Lab at 360\r\nBy lvxing\r\nPublished: 2024-06-14 · Archived: 2026-04-05 22:47:48 UTC\r\nWarning: a modified version of the CIA attack suite Hive has entered the cybercrime underground\r\nOverview On October 21, 2022, 360Netlab's honeypot system captured a suspicious ELF file, ee07a74d12c0bb3594965b51d0e45b6f, that was spreading through an F5 vulnerability and had 0 detections on VT. Our traffic monitoring system flagged SSL traffic between it and the IP 45.9.150.144, with both sides using forged Kaspersky certificates, which drew our attention. After analysis, we confirmed that it was adapted from the leaked server source code of the CIA's Hive project. This is the first time we have captured a variant of the CIA HIVE attack suite in the wild; based on the CN=xdr33 in its embedded Bot-side certificate, we named it xdr33 internally. There are many source-code analyses of the CIA's Hive project on the internet that readers can consult on their own, so we will not expand on it here. In short, xdr33 is a backdoor trojan derived from the CIA Hive project whose main purpose is to collect sensitive information and provide a foothold for subsequent intrusions. In terms of network communication, xdr33 encrypts the raw traffic with the XTEA or AES algorithm and further protects it with SSL in Client-Certificate Authentication mode; functionally, it has two main tasks, beacon and trigger, where beacon periodically sends to the hard-coded Be\r\nSource: http://blog.netlab.360.com/mykings-the-botnet-behind-multiple-active-spreading-botnets/",
	"extraction_quality": 1,
	"language": "ZH",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"http://blog.netlab.360.com/mykings-the-botnet-behind-multiple-active-spreading-botnets/"
	],
	"report_names": [
		"mykings-the-botnet-behind-multiple-active-spreading-botnets"
	],
	"threat_actors": [],
	"ts_created_at": 1775434419,
	"ts_updated_at": 1775826768,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/90f737820ff82162f3af0fa19df9f96e99829762.pdf",
		"text": "https://archive.orkl.eu/90f737820ff82162f3af0fa19df9f96e99829762.txt",
		"img": "https://archive.orkl.eu/90f737820ff82162f3af0fa19df9f96e99829762.jpg"
	}
}