{
	"id": "4c6db757-e005-43d1-8100-9165e6cb9b53",
	"created_at": "2026-04-06T00:09:12.225826Z",
	"updated_at": "2026-04-10T03:20:42.996087Z",
	"deleted_at": null,
	"sha1_hash": "a051a6ffbb0150c1a66bf158c5b436b2c841fc45",
	"title": "An Analysis of Linux.Ngioweb Botnet",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1160636,
	"plain_text": "An Analysis of Linux.Ngioweb Botnet\r\nBy Alex.Turing\r\nPublished: 2019-06-21 · Archived: 2026-04-05 22:42:40 UTC\r\nBackground\r\nOn May 27, 2019, our Unknown Threat Detect System highlighted a suspicious ELF file, and to this day the detection rate on VT is still only one, with a very generic name. We determined that this is a Proxy Botnet, and that it is a Linux variant of the Win32.Ngioweb[1] malware. We named it Linux.Ngioweb. It shares a lot of code with Win32.Ngioweb, except that it has DGA features. We registered one of the DGA C2 domain names (enutofish-pronadimoful-multihitision.org) and were able to observe the Bot connections.\r\nIn addition, we have observed that the Linux.Ngioweb malware has been implanted into a large number of WordPress Web servers.\r\nAlthough the Bot program is loaded with the privileges of the user group corresponding to the Web container, it still works and runs as a Rotating Proxy node[2].\r\nWe don’t know why the attacker runs this proxy botnet, but it is possible that everything that goes through the proxy is being recorded by the attacker.\r\nOverview of Linux.Ngioweb\r\nThe main functionality of the Linux.Ngioweb Bot sample is to implement a Back-Connect Proxy[3] on the victim's machine. 
The attacker builds multiple Bots into a Proxy Pool and controls it through a two-tier C2 protocol, then provides a Rotating Proxy Service.\r\nhttps://blog.netlab.360.com/an-analysis-of-linux-ngioweb-botnet-en/\r\nPage 1 of 22\n\nReverse engineering on Linux.Ngioweb\r\nBasic information\r\nMD5: 827ecf99001fa66de513fe5281ce064d\r\nELF 64-bit LSB executable, AMD x86-64, version 1 (SYSV), statically linked, stripped\r\nAnti-reverse engineering techniques\r\nUses a niche library named musl libc\r\nStores its functions in a function table in advance\r\nUses Stack Strings Obfuscation\r\nGenerates the constant tables used by CRC and AES\r\nUses a two-tier C2 protocol, where the Stage-2 C2 is determined by the CONNECT instruction of the Stage-1 C2\r\nStage-2 C2 uses a two-layer encrypted communication protocol\r\nStage-1 C2 protocol analysis\r\nAt this stage, the main behavior of the sample is to establish communication with the Stage-1 C2 and proceed to the next step according to the instructions returned by the C2.\r\nCommunication attempt\r\nTries to establish communication with the following hardcoded C2 IPs every 60 seconds:\r\n169.239.128.166:443\r\n185.244.149.73:443\r\nTries to establish communication with a domain name generated by the DGA (Domain Generation Algorithm) every 73 seconds. When the number of DGA domain names reaches 300, the Seed is reset. 
So the total number of DGA domain names is 300.\r\nDGA implementation\r\n#include \u003ccstdint\u003e\r\n#include \u003cstring\u003e\r\nusing namespace std;\r\n// LCG step: advance the seed and return a value in [0, mod)\r\nuint64_t GenSeed(uint32_t\u0026 seed, uint32_t mod)\r\n{\r\n uint32_t tmp = 0x41C64E6D * seed + 0x3039;\r\n seed = tmp;\r\n return tmp % mod;\r\n}\r\n// Build one domain: 1 to 3 dash-separated words, each made of a prefix, an\r\n// alternating vowel/consonant filler of 4 to 6 letters and a suffix, then a TLD\r\nstring dga(uint32_t\u0026 seed)\r\n{\r\n const char* HeadBuf[] = { \"un\", \"under\", \"re\", \"in\", \"im\", \"il\", \"ir\", \"en\", \"em\",\r\n \"over\", \"mis\", \"dis\", \"pre\", \"post\", \"anti\",\"inter\",\r\n \"sub\", \"ultra\", \"non\", \"de\",\"pro\", \"trans\", \"ex\",\r\n \"macro\", \"micro\", \"mini\",\"mono\", \"multi\", \"semi\", \"co\" };\r\n const char* BodyBufA[] = {\"able\",\"ant\",\"ate\",\"age\",\"ance\",\"ancy\",\"an\",\"ary\",\r\n \"al\",\"en\",\"ency\",\"er\",\"etn\", \"ed\", \"ese\",\"ern\",\"ize\",\r\n \"ify\",\"ing\",\"ish\",\"ity\",\"ion\",\"ian\",\"ism\",\"ist\",\"ic\",\"ical\",\r\n \"ible\",\"ive\",\"ite\",\"ish\",\"ian\",\"or\",\"ous\",\"ure\" };\r\n const char* BodyBufB[] = {\"dom\",\"hood\",\"less\",\"like\",\"ly\",\"fy\",\"ful\",\"ness\",\r\n \"ment\",\"sion\",\"ssion\",\"ship\",\"ty\",\"th\",\"tion\",\"ward\" };\r\n const char* TailBuf[] = { \".net\",\".info\",\".com\",\".biz\",\".org\",\".name\" };\r\n string BlockBufA = \"aeiou\"; // vowels\r\n string BlockBufB = \"bcdfghklmnprstvxz\"; // consonants\r\n string domain;\r\n uint32_t dashloop = GenSeed(seed, 3) + 1;\r\n while (dashloop--)\r\n {\r\n domain += HeadBuf[GenSeed(seed, 0x1e)];\r\n int flag = 0;\r\n int i = 0;\r\n // start the filler with a vowel when the prefix ends in a consonant\r\n if (BlockBufA.find(domain.back()) == string::npos)\r\n flag = 1;\r\n int fillcnt = GenSeed(seed, 0x3) + 4;\r\n while (fillcnt \u003e i)\r\n {\r\n if ((flag + i) \u0026 1)\r\n domain += BlockBufA[GenSeed(seed, 0x5)];\r\n else\r\n domain += BlockBufB[GenSeed(seed, 0x11)];\r\n i++;\r\n }\r\n // the suffix table depends on whether the filler ends in a consonant or a vowel\r\n if (BlockBufA.find(domain.back()) == string::npos)\r\n domain += BodyBufA[GenSeed(seed, 0x23)];\r\n else\r\n domain += BodyBufB[GenSeed(seed, 0x10)];\r\n if (dashloop != 0)\r\n domain += \"-\";\r\n }\r\n return domain += 
TailBuf[GenSeed(seed, 0x6)];\r\n}\r\nCommunication Protocol\r\nThis phase of communication is based on the HTTP protocol, and the parameters are Base64 encoded.\r\nPackets overview\r\nSent Packets decode\r\nAfter decoding the parameter content from Base64, we get the following information.\r\nid=machine-id[0:15]\r\nv=x86_64, hardcoded, architecture\r\nsv=5003, hardcoded, version number\r\n\u0026qlohmzalwdepupwf, random 16-byte data, the algorithm is as follows\r\nUser-Agent, hardcoded:\r\nMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0\r\nReceived Packets decode\r\nCommands Supported\r\nWAIT\r\nCONNECT\r\nDISCONNECT\r\nCERT\r\nStage-2 C2 protocol analysis\r\nAt this stage, the main action of the sample is to establish communication with the Stage-2 C2 and enable the Back-Connect Proxy function. The Stage-2 C2 is specified by the CONNECT command.\r\nCommunication Protocol\r\nAt this stage, the communication uses double-layer encryption. The inner layer is XOR and the outer layer is AES.\r\nPackets overview\r\nEncryption Algorithm\r\nThe XOR key is generated by a random algorithm:\r\nThe algorithm is:\r\nAES uses ECB mode, no padding. 
The key is: qwerasdfzxcqwerasdftyuirfdsdsdss\r\nPacket Structure\r\nThe packet consists of two parts: “header” and “msg”.\r\n“header” structure:\r\n#le-\u003elittle endian\r\n#be-\u003ebig endian\r\nstruct header\r\n{\r\nuint32_le xorkey;\r\nuint32_be msgcrc32;\r\nuint32_be len;\r\nuint16_be msgcode;\r\nuint16_be magic;\r\n};\r\n“msg” consists of chunks, and the chunks supported by the sample are as follows:\r\nChunk Type | Chunk Length | Description\r\n1 | 1 | BYTE\r\n2 | 2 | WORD, big endian\r\n3 | 4 | DWORD, big endian\r\n4 | 8 | QWORD, big endian\r\n5 | N+4 | Byte array. The first 4 bytes of the chunk are the big-endian-encoded length (N) of the array\r\nA “msg” can have one or more chunks, and different “msg”s are made up of different chunks.\r\nThe “msg” types used by this sample are “recv” and “send”.\r\nrecv\r\nsend\r\nSee the table below for a summary of the different “msg”s:\r\nmsgcode | Direction | Description | Format\r\n0x1010 | recv | set channel id | 3 chunks: (QWORD ConnId, Array IPAddr, WORD Port)\r\n0x1011 | recv | start proxy request | 5 chunks: (QWORD RequestId, BYTE reason, BYTE AddrType, Array Addr, WORD port)\r\n0x1012 | recv | close connection | 1 chunk: (QWORD ConnId)\r\n0x10 | send | check-in | 1 chunk: (QWORD BotId)\r\n0x11 | send | set-channel ack | 1 chunk: (DWORD VersionId)\r\n0x14 | send | tcp server started | 5 chunks: (DWORD ConnectionId, QWORD RequestId, BYTE AddrType, Array Addr, WORD Port)\r\n0x15 | send | error | 2 chunks: (DWORD RequestId, BYTE reason)\r\n0x16 | send | udp server started | 5 chunks: (DWORD ConnectionId, QWORD RequestId, BYTE AddrType, Array Addr, WORD Port)\r\nSent packets sample analysis\r\nRaw data\r\n packet[0:31]:\r\n 6c 52 8c 08 3e 80 a9 3c 00 00 00 10 00 10 fa 51\r\n 04 dd b0 b4 9d 10 ec 42 c3 00 00 00 00 00 00 
00\r\nheader ---\u003epacket[0:15]\r\n xorkey ---\u003e0x088c526c\r\n msgcrc32 ---\u003e0x3e80a93c\r\n msglen ---\u003e0x00000010\r\n msgcode ---\u003e0x0010,check-in\r\n magic ---\u003e0xfa51\r\n msg ---\u003epacket[16:31]\r\n 1st chunk\r\n chunktype ---\u003e0x4\r\n content ---\u003e0xddb0b49d10ec42c3\r\nAfter XOR encryption\r\n6c 52 8c 08 36 0c fb 50 08 8c 52 7c 08 9c a8 3d\r\n0c 51 e2 d8 95 9c be 2e cb 8c 52 6c 08 8c 52 6c\r\nAfter AES encryption\r\nc1 d3 78 71 2d f6 5b bb 16 ca ff 8b ef 69 bb 26\r\n3b 01 f0 22 70 09 38 dc e7 06 89 de 2b 55 eb 8e\r\nReceived packets sample analysis\r\nRaw data\r\nc5 ad 4a bf 30 c2 3a 43 9b 6e 22 08 73 e0 b9 5d\r\n3c e6 b7 f0 74 76 53 43 3a 79 0e 82 80 1a c3 84\r\nba a4 85 05 4a 63 b1 d6 d1 94 ad 53 be 7a 9a 88\r\nAfter AES decryption\r\n59 8b e5 6d 4a ee bf ef 6d e5 8b 79 7d f5 71 08\r\n69 b8 81 aa 92 ed 65 fb 29 e0 8b 59 6d e1 51 47\r\n19 e1 89 d8 29 e5 8b 59 6d e5 8b 59 6d e5 8b 59\r\nAfter XOR decryption\r\n packet[0:47]\r\n 59 8b e5 6d 27 0b 34 b6 00 00 00 20 10 10 fa 51\r\n 04 5d 0a f3 ff 08 ee a2 44 05 00 00 00 04 da 1e\r\n 74 04 02 81 44 00 00 00 00 00 00 00 00 00 00 00\r\nheader ---\u003epacket[0:15]\r\n xorkey ---\u003e0x6de58b59\r\n msgcrc32 ---\u003e0x270b34b6\r\n msglen ---\u003e0x00000020\r\n msgcode ---\u003e0x1010,set channel id\r\n magic ---\u003e0xfa51\r\n msg ---\u003epacket[16:47]\r\n 1st chunk\r\n chunktype ---\u003e0x04\r\n content ---\u003e0x5d0af3ff08eea244\r\n 2nd chunk\r\n chunktype ---\u003e0x05\r\n content ---\u003elen:0x00000004 buf:0xda1e7404\r\n 3rd chunk\r\n chunktype ---\u003e0x02\r\n content ---\u003e0x8144\r\nStage-2 C2 association analysis\r\nWe obtained the following 6 Stage-2 C2 addresses by visiting the Stage-1 C2 
URL (http://185.244.149.73:443/min.js).\r\n5.135.58.119\r\n5.135.58.121\r\n5.135.58.123\r\n5.135.58.124\r\n91.134.157.11\r\n193.70.73.115\r\nWe looked up this file's md5 (9017804333c820e3b4249130fc989e00) in our GraphicQuery platform and were able to find more IPs hosting the same file. We then sent specially crafted packets to these IPs and were able to identify another 18 Stage-2 C2s.\r\nBy looking them up on free-socks.in, we found that these Stage-2 C2 IP addresses are providing a Socks5 proxy service. As we tested, all these Socks5 proxy IPs are functioning properly. They also accessed the C2 domain we own (enutofish-pronadimoful-multihitision.org) via the Stage-1 C2 protocol, so it can be said that they are all Linux.Ngioweb Bots.\r\nroot@localhost:~# curl --socks5 91.134.157.11:50880 ifconfig.me\r\n31.170.123.49\r\nroot@localhost:~# curl --socks5 91.134.157.11:62012 ifconfig.me\r\n208.113.197.88\r\nroot@localhost:~# curl --socks5 91.134.157.11:18278 ifconfig.me\r\n45.58.190.100\r\nroot@localhost:~# curl --socks5 91.134.157.11:64380 ifconfig.me\r\n72.29.64.29\r\nroot@localhost:~# curl --socks5 91.134.157.11:47067 ifconfig.me\r\n54.38.101.17\r\nroot@localhost:~# curl --socks5 91.134.157.11:63862 ifconfig.me\r\n88.99.212.97\r\nroot@localhost:~# curl --socks5 91.134.157.11:49475 ifconfig.me\r\n23.91.65.240\r\nInfected IPs information\r\nBy listening on the C2 domain (enutofish-pronadimoful-multihitision.org), we observed a total of 2692 Bot IPs.\r\nThe following is a detailed list 
of countries/regions with the number of infected IPs:\r\nUS 1306\r\nBR 156\r\nRU 152\r\nDE 133\r\nFR 102\r\nSG 98\r\nNL 80\r\nGB 66\r\nCA 66\r\nIT 64\r\nVN 42\r\nAU 36\r\nPL 31\r\nTR 28\r\nJP 26\r\nIN 26\r\nZA 21\r\nID 19\r\nES 18\r\nUA 15\r\nBy probing the infected IPs, we found that almost all Bot IPs are web servers with WordPress deployed. We did not look into how the attacker took control of these WordPress sites, though.\r\nWe contacted some infected users and found multiple WebShells on their Web servers. These WebShells are highly obfuscated, but their techniques, encryption, and code share similar characteristics.\r\nCombined with the access characteristics (such as time and order) of the requests the infected IPs made to our sinkholed DGA domain, we speculate that the attacker periodically issues commands to the WebShells on the victim websites, as well as running the Linux.Ngioweb program.\r\nSolutions and Suggestions\r\nWe recommend that readers do not use the Socks5 proxy service provided by these Stage-2 C2 IPs.\r\nWe recommend that WordPress users back up the website article database (delete backdoor users such as wp.service.controller.*), reinstall the latest version of WordPress, enhance user password complexity, enhance WebShell detection capabilities, and disable the PHP functions related to command execution.\r\nContact us\r\nRelevant security and law enforcement agencies are welcome to contact netlab[at]360.cn for a list of infected IP addresses.\r\nReaders are always welcome to reach us on twitter, WeChat 360Netlab or by email to netlab at 360 dot cn.\r\nIoC list\r\nSample MD5\r\n827ecf99001fa66de513fe5281ce064d\r\nStage-1 C2 (Hardcoded IP)\r\n169.239.128.166 South Africa ASN 61138 Zappie Host LLC\r\n185.244.149.73 Romania ASN 60117 Host Sailor Ltd.\r\nStage-2 C2\r\nStage-1 C2 
(DGA)\r\nSource: https://blog.netlab.360.com/an-analysis-of-linux-ngioweb-botnet-en/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.netlab.360.com/an-analysis-of-linux-ngioweb-botnet-en/"
	],
	"report_names": [
		"an-analysis-of-linux-ngioweb-botnet-en"
	],
	"threat_actors": [],
	"ts_created_at": 1775434152,
	"ts_updated_at": 1775791242,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a051a6ffbb0150c1a66bf158c5b436b2c841fc45.pdf",
		"text": "https://archive.orkl.eu/a051a6ffbb0150c1a66bf158c5b436b2c841fc45.txt",
		"img": "https://archive.orkl.eu/a051a6ffbb0150c1a66bf158c5b436b2c841fc45.jpg"
	}
}