{
	"id": "6a541548-0c52-4db4-84d3-429dfe05c2b2",
	"created_at": "2026-04-06T00:10:36.843819Z",
	"updated_at": "2026-04-10T13:11:32.24036Z",
	"deleted_at": null,
	"sha1_hash": "93ad4131171f82e8ce4a5b21f118440da43583b3",
	"title": "Is Tox the New C\u0026C Method for Coinminers?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 847287,
	"plain_text": "Is Tox the New C\u0026C Method for Coinminers?\r\nBy Uptycs Threat Research\r\nPublished: 2022-08-19 · Archived: 2026-04-05 17:48:23 UTC\r\nResearch by: Siddharth Sharma and Nischay Hegde\r\nTox is a peer-to-peer, serverless messaging system that uses the NaCl cryptographic library for encryption and decryption. Because there is no central server, it uses UDP and a distributed hash table (DHT) to find online peers, much as BitTorrent does. It is also designed to be anonymous: there are no accounts, and each user is identified by a public key that doubles as their Tox ID.\r\nThreat actors have used Tox before as a contact channel, but in this case Tox is used for remote administration. The Uptycs threat research team recently found an ELF sample that acts as a bot and can run scripts on the victim machine over the Tox protocol.\r\nTechnical Overview\r\nThe binary found in the wild is stripped of symbols but dynamically linked, which makes decompilation easier because calls into shared libraries keep their names. It appears to be written entirely in C, and the only statically linked component is the c-toxcore library.\r\nFigure 1 shows the decompiled main function of the sample, its starting point:\r\nhttps://www.uptycs.com/blog/is-tox-the-new-cc-method-for-coinminers\r\nPage 1 of 7\r\nFigure 1: main function\r\nThe shell_script variable looks suspicious, but its contents only kill certain processes known to infect Linux servers and delete the crontab, a location competing malware frequently uses for persistence. Highlighted in Figure 1 is a function called start_routine1 (decompilation in Figure 2), which creates a file with a random filename under /var/tmp/ (Figure 3), writes the contents of shell_script into it and later executes it.\r\nFigure 2: start_routine1\r\nFigure 3: The script that is dropped into /var/tmp/\r\nThe dropped shell script contains commands to kill cryptominer-related processes.\r\nstart_routine2 is started as a thread via pthread_create in the main function; it appears to send the output of every command over UDP to the Tox recipient.\r\nFigure 4: start_routine2\r\nSome of the bash commands embedded in the binary (see Figure 5) warrant attention. The dig command queries resolver4.opendns.com for myip.opendns.com, a common trick for learning the host's public IP address. Using curl -s -m 20 ifconfig.me, the public IP address of the machine is saved into a variable named name_var, and `cat /var/lib/dbus/machine-id` reads the D-Bus machine ID (a unique per-installation identifier, not a hardware ID), which is appended to the same variable and passed to tox_self_set_name to set the bot's Tox display name. Later, the outputs of `nproc`, `uname -a` and `whoami` are stored in status_var and passed to tox_self_set_status_message to set the status message. The effect is that the infected host's public IP, machine ID, CPU count, kernel version and user name are exposed to the operator through the bot's Tox profile.\r\nFigure 5: some of the main function\r\nFigure 6: rest of the main function\r\nFurther along in the main function we can see the Tox-related functions tox_new, tox_self_set_name and tox_self_set_status_message, which set up the Tox instance on the victim machine.\r\nIn Figure 6, tox_callback_friend_message registers a handler that is invoked for each message received from a friend and decides what to do based on the message content.\r\nFour commands are handled by the callback function (passed as an argument to tox_callback_friend_message), as shown in Figure 7: `updatekilllist` replaces the script executed by start_routine1, `execscript` runs the script on demand, `getinfo` reports host information back, and `exit` closes the Tox connection.\r\nFigure 7: callback_func\r\nConclusion\r\nWhile the discussed sample does nothing explicitly malicious on its own, we believe it is likely a component of a coinminer campaign: the dropped script clears out competing miners and their crontab persistence, and the operator can push a new script at any time. This is the first time we have observed the Tox protocol being used to run scripts on a compromised machine.\r\nWe have seen attackers use Tox as a communication mechanism in the past, for example in HelloXD ransomware, where the attacker used Tox and onion-based messengers. It is therefore important to monitor the network components involved in such attack chains, including Tox DHT traffic over UDP.\r\nIOC\r\nSHA-256: 333a6b3cf226c55d4438c056e6c302fec3ec5dcf0520fc9b0ccee75785a0c8c5\r\nSource: https://www.uptycs.com/blog/is-tox-the-new-cc-method-for-coinminers",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.uptycs.com/blog/is-tox-the-new-cc-method-for-coinminers"
	],
	"report_names": [
		"is-tox-the-new-cc-method-for-coinminers"
	],
	"threat_actors": [],
	"ts_created_at": 1775434236,
	"ts_updated_at": 1775826692,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/93ad4131171f82e8ce4a5b21f118440da43583b3.pdf",
		"text": "https://archive.orkl.eu/93ad4131171f82e8ce4a5b21f118440da43583b3.txt",
		"img": "https://archive.orkl.eu/93ad4131171f82e8ce4a5b21f118440da43583b3.jpg"
	}
}
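Added example, placed after the record rather than inside its JSON string: a static triage script that turns the indicators the Uptycs post describes (the callback command keywords `updatekilllist`, `execscript`, `getinfo`; the `/var/tmp/` drop directory; the `/var/lib/dbus/machine-id`, `ifconfig.me` and OpenDNS lookups used to build the Tox name; the `nproc`/`uname -a`/`whoami` status fields; the c-toxcore API names; and the published SHA-256) into a scored file check. This is not code from the post or from the sample. The group weights, the verdict threshold, the `crontab -r` string and the two sample byte strings are assumptions constructed for the example, not the real binary.

```python
"""Static triage for the Tox-controlled bot described above.

Added example: this is not code from the Uptycs post or from the sample.
The indicator strings are the ones the article names; the group weights,
the verdict threshold and the sample bytes below are assumptions constructed
for this example, not the real binary.
"""
import hashlib
import sys

# SHA-256 published in the article's IOC section.
IOC_SHA256 = "333a6b3cf226c55d4438c056e6c302fec3ec5dcf0520fc9b0ccee75785a0c8c5"

# Indicator groups: weight, then the byte strings to look for. A group
# contributes its weight once, however many of its strings match, so one
# generic command such as "whoami" cannot dominate the score.
INDICATORS = {
    # Commands handled by the friend-message callback ("exit" is too generic).
    "c2_commands": (4, [b"updatekilllist", b"execscript", b"getinfo"]),
    # Values used to build the Tox display name (public IP + machine ID).
    "profile_name": (2, [b"/var/lib/dbus/machine-id", b"ifconfig.me",
                         b"myip.opendns.com", b"resolver4.opendns.com"]),
    # Commands whose output becomes the Tox status message.
    "profile_status": (1, [b"nproc", b"uname -a", b"whoami"]),
    # Directory the kill script is dropped into by start_routine1.
    "dropper_path": (2, [b"/var/tmp/"]),
    # c-toxcore API names; present only if the static link kept them.
    "tox_api": (3, [b"tox_new", b"tox_self_set_name",
                    b"tox_self_set_status_message",
                    b"tox_callback_friend_message"]),
    # Assumption: the article says the script deletes the crontab but does
    # not quote the exact command; "crontab -r" is the usual form.
    "crontab_cleanup": (1, [b"crontab -r"]),
}
VERDICT_THRESHOLD = 6  # assumption; tune against a clean corpus


def find_indicators(data):
    """Return {group: [matched strings]} for each indicator group present."""
    hits = {}
    for group, (_weight, needles) in INDICATORS.items():
        found = [n.decode() for n in needles if n in data]
        if found:
            hits[group] = found
    return hits


def score(hits):
    """Sum the weights of the groups that matched."""
    return sum(INDICATORS[group][0] for group in hits)


def triage(data):
    """Hash the file, match it against the IOC and score its indicator strings."""
    digest = hashlib.sha256(data).hexdigest()
    hits = find_indicators(data)
    total = score(hits)
    return {
        "sha256": digest,
        "is_elf": data[:4] == b"\x7fELF",
        "ioc_match": digest == IOC_SHA256,
        "hits": hits,
        "score": total,
        "suspicious": digest == IOC_SHA256 or total >= VERDICT_THRESHOLD,
    }


# Constructed stand-in for a bot binary: an ELF magic followed by the kind of
# NUL-separated strings the article describes. Not the real sample.
CONSTRUCTED_BOT = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"updatekilllist\x00execscript\x00getinfo\x00exit\x00"
    + b"/var/lib/dbus/machine-id\x00curl -s -m 20 ifconfig.me\x00"
    + b"nproc\x00uname -a\x00whoami\x00/var/tmp/\x00crontab -r\x00"
    + b"tox_self_set_name\x00tox_self_set_status_message\x00"
)
# Constructed benign binary that merely happens to run uname.
CONSTRUCTED_BENIGN = b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + b"hello\x00uname -a\x00"

if __name__ == "__main__":
    # Triage real files given on the command line, else the constructed samples.
    samples = {p: open(p, "rb").read() for p in sys.argv[1:]} or {
        "constructed_bot": CONSTRUCTED_BOT, "constructed_benign": CONSTRUCTED_BENIGN}
    for name, blob in samples.items():
        report = triage(blob)
        print(f"{name}: sha256={report['sha256'][:16]}... score={report['score']} "
              f"suspicious={report['suspicious']} hits={sorted(report['hits'])}")
```

Scoring per group rather than per string is deliberate: `uname -a` or `whoami` on its own appears in plenty of legitimate tooling, so a benign binary scores 1 here, while the combination of the callback command names, the `/var/tmp/` drop path and the machine-ID lookup is what characterises this bot. A hash match against the published IOC short-circuits the threshold, since a rebuilt sample with changed strings would not.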