{
	"id": "d9e72881-9521-4580-a6dd-671b56ccb792",
	"created_at": "2026-04-06T00:19:02.352305Z",
	"updated_at": "2026-04-10T03:20:51.616471Z",
	"deleted_at": null,
	"sha1_hash": "9da1d8e33b93e63eb94f71d7e4ab13f71aca59f2",
	"title": "Quick look at another Alina fork: XBOT-POS",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4051223,
	"plain_text": "Quick look at another Alina fork: XBOT-POS\r\nArchived: 2026-04-05 20:40:11 UTC\r\nEdit: In fact, after looking at the sample, it's a pure copy pasta of Tiny Nuke :) -\r\ncd025523e3aec57f809552b9d1adc4b89526cc632f6d4c481aa2c8c3501dda6b\r\nHi, it's time for a new post. Today I'll try to have a look at the \"Team NZMR\".\r\nI found this funny team by chance on Twitter via the bot @ScumBots.\r\nI would like to write this little blog post because I think it is interesting to see an Alina panel behind a\r\n.onion domain and, as you will see later, I like looking at weird panels :D.\r\nLet's have a look at this server.\r\nAs we know, we have an Alina (well-known POS malware) panel at\r\nthzsmrjqqzpaz2mz.onion.link/al/loading.php .\r\nSamples: 26aa9709d0402157d9d36e4849b1f9bacecd8875169c7f26d7d40c5c0c3de298\r\n(http://thzsmrjqqzpaz2mz.onion.link/al/Spark.exe)\r\nIn the same boring way, we can find:\r\na Fareit/Pony panel at https://thzsmrjqqzpaz2mz.onion.link/pn/admin.php (I don't have a sample)\r\nan Atmos at https://thzsmrjqqzpaz2mz.onion.link/at/cp.php :\r\nSample e34720cc8ab3718413064f19af5cc704e95661e743293a19f218d3b675147525\r\n(https://thzsmrjqqzpaz2mz.onion.link/at/files/us.exe)\r\nhttps://benkowlab.blogspot.de/2017/08/quick-look-at-another-alina-fork-xbot.html\r\nThanks to CCAM we can get 2 new servers used by this team:\r\nhttp://netco1000.ddns.net/at/file.php\r\nhttp://22klzn6kzjlwlmt2.onion.link/at/file.php\r\nThose guys really want your creds and your credit card numbers :D\r\nThey also try to deal with ransomware (NZMR Ransomware) at https://thzsmrjqqzpaz2mz.onion.link/ed2/\r\nwithout success...\r\nBut I wrote this quick blog post for the last panel.\r\nLet me introduce you to the XBOT panel \\o/: https://thzsmrjqqzpaz2mz.onion.link/panel/\r\nThe bot ad:\r\nSelling xbot ,new bank trojan -- Modules -- 
Webinject -- Formgrabber -- Socket4/5 -- Hidden VNC\r\nNew bot bank xbot is available for rent (800$/monthly) -- server on tornetwork/clearnet\r\nCustomized programming service and web developer/c/c++/Python/NET/others\r\nTeam Coder/NZMR\r\nxbot costs 3k $ modules available \u003ewebinject -- formgrabber -- Socket4/5 -- Hidden VNC\r\nWhen buying xbot what do you get?\r\nYou will get the builder,bin/exe+socket.exe/server.exe hvnc\r\n[+] - Free installation on your server in tornetwork or clearnet, you choose\r\n[+] - monthly support paid 100 $ (you choose,with or without support)\r\n[+] - Update bot for new version 400 $\r\n[+] Rent xbot\r\nPanel access (Clearnet/Tornetwork)\r\nBin (exe)\r\nSocket.exe/hvnc.exe\r\nPriçe\r\n800 $ monthly (First 6 customers, others 1k $)\r\nSupport monthly 100 $ (btc)\r\nI don't have any sample yet, but if you have one, I'm REALLY interested :D.\r\nThanks to Xylitol, this panel looks like a mix between Alina and Dexter. For example the URI scheme\r\n\"/front/stats.php\", the successstatuscode 666 or this page \"Version Control\":\r\nThis panel looks designed for banking stuff (webinjects) and POS malware.\r\nFrom the XBOT panel you can DL/Exec, start VNC sessions and SOCKS sessions, and update bots:\r\nWe can also find some strange \"webinjects\" stuff:\r\nwhere \"view content\" leads to these kinds of data:\r\nSome settings (look at Alina's 666 status code):\r\nYou can also add some bins in the panel database. 
Currently, they have 8472 Bins in the database.\r\nAnd finally the bot list (~600 bots if I trust the bots list).\r\nI've uploaded the whole list of bots to this album. Ping me if you're on the list :D I'm really curious to see the\r\nbinary part.\r\nAnd finally, the database structure is again reminiscent of Alina:\r\nAt this rate we will soon find more Alina forks than Zeus forks \\o/\r\nSo, NOPE! It's not a super new next-gen POS malware, it's just another Alina fork :D but this webinjects part\r\nlooks curious :) and the team seems very active.\r\nBut come on, 3k$ for open sourced malware haha...\r\nThanks for your time, thanks to Xylitol and happy hunting :)\r\nIOCs:\r\nhttp://thzsmrjqqzpaz2mz.onion.link/al/Spark.exe (Alina)\r\nhttp://thzsmrjqqzpaz2mz.onion.link/payload.exe (Neutrino)\r\nhttp://thzsmrjqqzpaz2mz.onion.link/at/files/us.exe (Atmos)\r\nhttp://22klzn6kzjlwlmt2.onion.link/al/Spark.exe (Alina)\r\nhttp://22klzn6kzjlwlmt2.onion.link/al/payload.exe (Neutrino)\r\nhttp://22klzn6kzjlwlmt2.onion.link/al/files/us.exe (Atmos)\r\nhttp://netco1000.ddns.net\r\nhttp://netco400.ddns.net/Dia (Gorynch)\r\nhttp://netco400.ddns.net/at/ (Atmos)\r\ne34720cc8ab3718413064f19af5cc704e95661e743293a19f218d3b675147525 (atmos)\r\n26aa9709d0402157d9d36e4849b1f9bacecd8875169c7f26d7d40c5c0c3de298 (Alina)\r\n8a62f61c4d11d83550ab4baceb9b18d980a4c590723f549f97661a32c1731aff (neutrino)\r\nSource: https://benkowlab.blogspot.de/2017/08/quick-look-at-another-alina-fork-xbot.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://benkowlab.blogspot.de/2017/08/quick-look-at-another-alina-fork-xbot.html"
	],
	"report_names": [
		"quick-look-at-another-alina-fork-xbot.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434742,
	"ts_updated_at": 1775791251,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9da1d8e33b93e63eb94f71d7e4ab13f71aca59f2.pdf",
		"text": "https://archive.orkl.eu/9da1d8e33b93e63eb94f71d7e4ab13f71aca59f2.txt",
		"img": "https://archive.orkl.eu/9da1d8e33b93e63eb94f71d7e4ab13f71aca59f2.jpg"
	}
}