{
	"id": "8921bb57-91d9-4418-ae98-098d23f09b28",
	"created_at": "2026-04-06T00:17:38.169269Z",
	"updated_at": "2026-04-10T03:23:51.498029Z",
	"deleted_at": null,
	"sha1_hash": "a19b55e284dfb975617e38dee7080f95bbbae9b2",
	"title": "The Accidental Malware Repository: Hunting \u0026 Collecting Malware Via Open Directories (Part 1)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 6251558,
	"plain_text": "The Accidental Malware Repository: Hunting \u0026 Collecting Malware Via Open Directories (Part 1)\r\nPublished: 2024-02-01 · Archived: 2026-04-05 13:08:29 UTC\r\nTABLE OF CONTENTS\r\nDid You Know?\r\nWhat Else Can I Find?\r\nThis post will serve as the first in a long series of articles on using the platform to identify malicious infrastructure and hunt across the open internet for malware, phishing pages, and whatever else may pose harm to the networks we defend.\r\nFor our initial blog in this hunting workshop, we'll leave our territory and peruse an open directory containing a phishing site, which also happens to be hosting the XWorm RAT.\r\nDid You Know?\r\nYou can find open directories across a network of over 5,000 sources, enabling you to quickly pinpoint specific file names, sandbox results for hosted malware samples, exposed shell history, and more with a single click. If you haven't already, apply for an account and give the Hunt platform a try.\r\nhttps://hunt.io/blog/hunting-and-collecting-malware-via-open-directories-part-1\r\nPage 1 of 8\r\nFigure 1: Hunt Open Directory Feature\r\nOne of our budding researchers discovered the IP address 65.1.224[.]214:80 while collecting intelligence on servers hosting malicious software. Digging deeper into the open directory, we see some interestingly named files, including a sub-directory titled \"/We.\"\r\nFigure 2: Suspect Open Dir\r\n*You can download and obtain a file hash, or see what other servers host the same file, by clicking one of the buttons under \"Actions.\"\r\nEagle-eyed readers may have noticed that Hunt detects the lazily named \"PowerShell.ps1\" as the XWorm RAT. We'll take a look at that file, as well as the others, later. For now, let's check out the /We directory.\r\nFigure 3: File contents of the /We directory\r\nThe folder contains several files, including images, an image folder, and HTML \u0026 PHP pages. Files titled \"BlockChain_Login\" and \"Device_Verification\" lead us to believe that whoever is controlling this server is attempting to phish user credentials, posing as the legitimate site, likely for the theft of digital currency.\r\nLet's take a look at the malicious login page.\r\nFigure 4: Spoofed Login Page\r\nFigure 5: Legitimate Login Page\r\nIf you've investigated phishing pages before, you'll know the malicious login page is often a carbon copy of the legitimate site, with limited functionality beyond capturing credentials on login.\r\nIf we refer back to the /We folder, there are files for the \"Import Your Account\" button. Clicking on the button reveals an additional attempt to steal the user's recovery phrase.\r\nFigure 6: Attempt To Steal Private Key Phrase\r\nSo far, we have web pages attempting to spoof a digital currency financial services company. Interesting and worth reporting (hopefully, your users aren't trading currency on the company network), but the multiple .bat, .vbs, and .ps1 files may really pique your interest.\r\nFigure 7: Batch File Which Initiates Execution\r\nWhile a thorough analysis of the files themselves is outside the scope of this post, Downloader.bat, devoid of any obfuscation, downloads the PowerShell script we saw earlier.\r\nFigure 8: PowerShell Script To Download .bat \u0026 .vbs files\r\nThe script, thoughtfully written with comments, downloads two files and checks whether they already exist on the victim machine; if not, it executes the VBS file from a hidden window.\r\nFigure 9: Malicious VBS File\r\nThe Visual Basic script likewise checks whether 2.bat is present on the victim host and, if so, runs it silently.\r\nFigure 10: Encoded Batch File\r\n2.bat, when executed, drops a file named 2.bat.exe in the %TEMP% folder. Luckily, the decryption key can be found within the code, and decompression is trivial.\r\nFigure 11: Decompressed \u0026 Decrypted Code\r\nWhat Else Can I Find?\r\nShort answer: just about anything you can think of. We constantly scan and update our database of open directories and their associated files, ensuring the most up-to-date information for defenders and researchers looking to analyze malicious samples and thwart actors attempting to damage their reputations.\r\nAs we progress in this series, we'll dive deeper into how Hunt can assist in hunting for the next significant threat, keeping our networks and brands safer one blog at a time.\r\nFound something interesting using the Open Directories feature? Please share it on X (Twitter), LinkedIn, or Mastodon.\r\nSource: https://hunt.io/blog/hunting-and-collecting-malware-via-open-directories-part-1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://hunt.io/blog/hunting-and-collecting-malware-via-open-directories-part-1"
	],
	"report_names": [
		"hunting-and-collecting-malware-via-open-directories-part-1"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434658,
	"ts_updated_at": 1775791431,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a19b55e284dfb975617e38dee7080f95bbbae9b2.pdf",
		"text": "https://archive.orkl.eu/a19b55e284dfb975617e38dee7080f95bbbae9b2.txt",
		"img": "https://archive.orkl.eu/a19b55e284dfb975617e38dee7080f95bbbae9b2.jpg"
	}
}