{
	"id": "e9bc5506-41d1-4710-9360-f9607734b24b",
	"created_at": "2026-04-06T00:18:44.699753Z",
	"updated_at": "2026-04-10T13:12:14.149851Z",
	"deleted_at": null,
	"sha1_hash": "a2271e6a83031f34c312c82f48a26c5157b821b9",
	"title": "Xbash Combines Botnet, Ransomware, Coinmining in Worm that Targets Linux and Windows",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2202904,
	"plain_text": "Xbash Combines Botnet, Ransomware, Coinmining in Worm that\r\nTargets Linux and Windows\r\nBy Claud Xiao, Cong Zheng, Xingyu Jin\r\nPublished: 2018-09-17 · Archived: 2026-04-05 14:44:28 UTC\r\nExecutive Summary:\r\nUnit 42 researchers have found a new malware family that is targeting Linux and Microsoft Windows servers that\r\nwe have named Xbash. We can tie this malware to the Iron Group, a threat actor group known for ransomware\r\nattacks in the past.\r\nXbash has ransomware and coinmining capabilities.\r\nIt also has self-propagating capabilities (meaning it has worm-like characteristics similar to WannaCry or\r\nPetya/NotPetya). It also has capabilities not currently implemented that, when implemented, could enable it to\r\nspread very quickly within an organization’s network (again, much like WannaCry or Petya/NotPetya).\r\nXbash spreads by attacking weak passwords and unpatched vulnerabilities.\r\nXbash is data-destructive, destroying Linux-based databases as part of its ransomware capabilities. We can also\r\nfind NO functionality within Xbash that would enable restoration after the ransom is paid.\r\nThis means that, like NotPetya, Xbash is data-destructive malware posing as ransomware.\r\nOrganizations can protect themselves against Xbash by:\r\n1. Using strong, non-default passwords\r\n2. Keeping up-to-date on security updates\r\n3. Implementing endpoint security on Microsoft Windows AND Linux systems\r\n4. Preventing access to unknown hosts on the internet (to prevent access to command and control servers)\r\n5. 
Implementing and maintaining rigorous and effective backup and restoration processes and procedures.\r\nPalo Alto Networks customers are protected against this threat as outlined at the end of this blog.\r\nBelow are some more specifics on Xbash’s capabilities:\r\nIt combines botnet, coinmining, ransomware and self-propagation.\r\nIt targets Linux-based systems for its ransomware and botnet capabilities.\r\nIt targets Microsoft Windows-based systems for its coinmining and self-propagating capabilities.\r\nThe ransomware component targets and deletes Linux-based databases.\r\nTo date, we have observed 48 incoming transactions to these wallets with total income of about 0.964\r\nbitcoins, meaning 48 victims have paid about US$6,000 total (at the time of this writing).\r\nHowever, we see no evidence that the paid ransoms have resulted in recovery for the victims.\r\nhttps://unit42.paloaltonetworks.com/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/\r\nPage 1 of 15\n\nIn fact, we can find no evidence of any functionality that makes recovery possible through ransom\r\npayment.\r\nOur analysis shows this is likely the work of the Iron group, a group publicly linked to other ransomware\r\ncampaigns including those that use the Remote Control System (RCS), whose source code was believed to\r\nbe stolen from HackingTeam in 2015.\r\nResearch:\r\nRecently Unit 42 used WildFire to identify a new malware family targeting Linux servers. After further\r\ninvestigation we realized it’s a combination of botnet and ransomware that was developed by an active cybercrime\r\ngroup, Iron (aka Rocke), this year. We have named this new malware “Xbash”, based on the name of the\r\nmalicious code’s original main module.\r\nPreviously the Iron group developed and spread cryptocurrency miners or cryptocurrency transaction hijacking\r\ntrojans mainly for Microsoft Windows and only a few for Linux. 
Instead, Xbash aims at discovering unprotected\r\nservices, deleting victims’ MySQL, PostgreSQL and MongoDB databases, and demanding ransom in Bitcoin. Xbash uses\r\nthree known vulnerabilities in Hadoop, Redis and ActiveMQ for self-propagation or for infecting Windows systems.\r\nOther new technical characteristics in Xbash that are worth noting:\r\nDeveloped in Python: Xbash was developed using Python and then converted into self-contained Linux\r\nELF executables by abusing the legitimate tool PyInstaller for distribution.\r\nTargets IP addresses and Domain Names: Modern Linux malware such as Mirai or Gafgyt usually\r\ngenerates random IP addresses as scanning destinations. By contrast, Xbash fetches from its C2 servers both\r\nIP addresses and domain names for service probing and exploitation.\r\nTargets Windows and Linux: When exploiting a vulnerable Redis service, Xbash will also figure out\r\nwhether the service is running on Windows or not. If so, it will send a malicious JavaScript or VBScript\r\npayload for downloading and executing a coinminer for Windows.\r\nIntranet Scanning Functionality: The Xbash authors have developed the new capability of scanning for\r\nvulnerable servers within an enterprise intranet. We see this functionality in the samples but, interestingly, it\r\nhas not been enabled as far as we can see.\r\nWe have discovered four different versions of Xbash so far. Code and timestamp differences among these versions\r\nshow that it’s still under active development. The botnet has been operating since as early as May 2018. 
Thus far,\r\nwe’ve observed 48 incoming transactions to the Bitcoin wallet addresses used by the malware, which may indicate\r\n48 victims of its ransom behavior.\r\nIn the rest of this blog, we will introduce more technical details of these behaviors, and describe how Palo Alto\r\nNetworks products prevent the threat.\r\nTechnical Details\r\nFrom Python Code to Native Executable\r\nIn a previous blog from 2016, Unit 42 revealed a Windows malware that was developed in Python and\r\nconverted to a PE executable by PyInstaller. All four versions of Xbash that we discovered also used this technique.\r\nBased on this, we believe the malware authors gain many benefits:\r\n1. Faster Development: Developing in Python can be easier and faster than in C, C++ or Go; therefore it can\r\nenable faster, iterative development, which enables the malware’s faster evolution (and can enable faster\r\ncounter-counter-measures as well).\r\n2. Easy, Assured Installation: PyInstaller creates self-contained native executables which include all\r\nnecessary dependencies, including the Python runtime, libraries, and user and third-party libraries. Given the\r\ndiversity of Linux installations and environments, the attackers cannot be sure that Python-based malware\r\nwould install and run successfully. Packaging in a self-contained native executable like this ensures\r\nthat the malware will successfully install on the target systems.\r\n3. Anti-Detection Capabilities: PyInstaller’s code compilation, code compression/conversion, and optional\r\ncode encryption together work to obfuscate the indicators of malicious behavior. This obfuscation helps the\r\nmalware to defeat detection by antivirus/antimalware engines or static analysis. At the time of this writing,\r\nwe observed a 1/57 detection rate for Xbash in VirusTotal as shown in Figure 1.\r\n4. 
Cross-Platform Malware: PyInstaller supports creating binaries for Windows, Apple macOS and Linux\r\nfrom the same Python code: this enables the malware to be truly cross-platform (though at the time of this\r\nwriting we have not found any Windows or macOS versions of Xbash).\r\nFigure 1  Detection Rate of Xbash as shown on VirusTotal\r\nThrough manual reverse engineering, we were able to extract the main malicious Python modules from the Xbash\r\nexecutables and decompile them successfully. Therefore, in the later sections of this analysis, we show the Python\r\nsource code.\r\nC2 Communication\r\nXbash hard-codes a set of domain names as its C2 servers. It also fetches a webpage hosted on Pastebin (listed\r\nin the IOCs) to update the C2 domain list. Some of these C2 domains are reused from previous Windows\r\ncoinminers attributed to the Iron cybercrime group.\r\nAll C2 communications were based on the HTTP protocol. We found three kinds of C2 traffic:\r\n1. One for fetching a list of IP addresses or domains for scanning\r\n2. One for fetching a list of weak passwords, in addition to using hard-coded passwords\r\n3. One for reporting scan results\r\nThree types of URIs were used to fetch scanning targets:\r\n1. /domain/phpmyadmin or /domain/all: to get a list of domains for scanning of vulnerable or unprotected\r\nweb services such as phpMyAdmin.\r\n2. /port/tcp8080, /port/udp1900, etc.: to get a list of IP addresses for scanning of a specific TCP or UDP\r\nport.\r\n3. /cidir: to get a list of CIDR ranges of IP addresses for scanning of popular ports/services.\r\nThrough a still-alive C2 domain, we were able to get 1,000 domains, 1,000 IP addresses, or a /22 CIDR range per\r\nrequest, respectively, as shown in Figure 2. 
We found that different requests will return different results, showing\r\nthat the C2 servers were dynamically dispatching tasks to different bots. We randomly chose some domains and didn’t\r\nfind any specific region or industry targeted. Also, the targeted domains are not in the Alexa top one million\r\ndomains list.\r\nFigure 2  Xbash fetched domains from C2 server for further scanning\r\nPopular Linux botnets such as Mirai and Gafgyt usually only scan IP addresses. Xbash represents a next-stage\r\nevolution of Linux botnets by extending the targets to public websites, targeting domains as well as IP addresses.\r\nThis also makes deploying a honeypot to observe Xbash challenging, since honeypots are usually deployed with IP\r\naddresses only. While it may not be an intentional step, the inclusion of domain targeting has an anti-analysis\r\nbenefit for the attackers.\r\nBesides fetching a list of scanning targets, Xbash will also request the C2 server via URI “/p” to fetch a list of weak\r\npasswords for brute forcing.\r\nAfter Xbash has scanned a target and successfully found specific open ports, weak credentials or an exploitable,\r\nunpatched vulnerability, it will report the result to a random C2 server via HTTP POST to URI “/c”.\r\nService Probing and Brute Forcing\r\nIf the scanning target is an IP address, Xbash will try to scan many TCP or UDP ports. 
Here are some of the services\r\nit probes and the ports used:\r\nHTTP: 80, 8080, 8888, 8000, 8001, 8088\r\nVNC: 5900, 5901, 5902, 5903\r\nMySQL: 3306\r\nMemcached: 11211\r\nMySQL/MariaDB: 3309, 3308, 3360, 3306, 3307, 9806, 1433\r\nFTP: 21\r\nTelnet: 23, 2323\r\nPostgreSQL: 5432\r\nRedis: 6379, 2379\r\nElasticSearch: 9200\r\nMongoDB: 27017\r\nRDP: 3389\r\nUPnP/SSDP: 1900\r\nNTP: 123\r\nDNS: 53\r\nSNMP: 161\r\nLDAP: 389\r\nRexec: 512\r\nRlogin: 513\r\nRsh: 514\r\nRsync: 873\r\nOracle database: 1521\r\nCouchDB: 5984\r\nFor some services, such as VNC, Rsync, MySQL, MariaDB, Memcached, PostgreSQL, MongoDB, and\r\nphpMyAdmin, if a related port is open, it will use a built-in weak username/password dictionary and try to log\r\ninto the service as shown in Figure 3. The dictionary also contains common or default passwords for services like\r\nTelnet, FTP, and Redis.\r\nFigure 3  Xbash tries to brute force services such as Rsync\r\nDelete Databases and Ransom\r\nIf Xbash successfully logs into a service such as MySQL, MongoDB, or PostgreSQL, it will delete almost all\r\nexisting databases on the server (except for some databases that store user login information), create a new\r\ndatabase named “PLEASE_READ_ME_XYZ”, and leave a ransom message in table “WARNING” of the new\r\ndatabase, as shown in Figure 4 and Figure 5.\r\nSend 0.02 BTC to this address and contact this email with your website or your ip or db_name of your server to\r\nrecover your database! 
Your DB is Backed up to our servers!If we not received your payment,we will leak your\r\ndatabase\r\n1jqpmcLygJdH8fN7BCk2cwwNBRWqMZqL1\r\nbackupsql@pm.me\r\nFigure 4  Xbash creates ransom message in MySQL database via phpMyAdmin\r\nFigure 5  New database, table and ransom message created by Xbash\r\nIf Xbash logged into a phpMyAdmin service, it will do exactly the same operations as above to those databases\r\ntoo, by sending HTTP requests to phpMyAdmin. This is because a phpMyAdmin service is usually managing\r\nsome MySQL databases.\r\nIt’s important to note that the database name, table name, table schema, and the ransom message used by Xbash\r\nare almost identical to those in multiple waves of ransom attacks against MySQL, MongoDB,\r\nElasticSearch, Hadoop, CouchDB, Cassandra, Redis, AWS S3, etc. in 2016 and 2017, which reportedly compromised\r\nover 56,685 servers around the globe. The only changes in Xbash are:\r\nDatabase name changed from PLEASE_READ_ME to PLEASE_README_XYZ\r\nBitcoins they’re asking for reduced from 0.2 BTC or 0.15 BTC to 0.02 BTC\r\nBitcoin wallet address and email address changed\r\nThis time a blackmail phrase was added into the message: “If we not received your payment,we will leak\r\nyour database”\r\nThus far, we have observed three different bitcoin wallet addresses hard-coded in the Xbash samples. Since May\r\n2018, there have been 48 incoming transactions to these wallets with total income of about 0.964 bitcoins (about\r\nUS$6,000 at the time of this writing). Figure 5 shows one of the wallets. 
Also, note that the funds are being\r\nwithdrawn, showing us that the attackers are actively collecting their ransom.\r\nFigure 6  Incoming transactions to one of the bitcoin wallets\r\nHowever, as is so often the case, we see no evidence that the attackers are actually making good on their\r\n“promise” and helping the victims restore their deleted databases. In fact, contrary to the ransom note, we found\r\nNO evidence of code in Xbash that backs up the deleted databases at all.\r\nExploit for Propagation\r\nWhen Xbash finds that a destination has Hadoop, Redis or ActiveMQ running, it will also attempt to exploit the\r\nservice for self-propagation. Three known vulnerabilities are targeted:\r\n1. Hadoop YARN ResourceManager unauthenticated command execution, which was first disclosed in\r\nOctober 2016 and has no CVE number assigned.\r\n2. Redis arbitrary file write and remote command execution, which was first disclosed in October 2015 and\r\nhas no CVE number assigned. This is shown below in Figure 6.\r\n3. ActiveMQ arbitrary file write vulnerability, CVE-2016-3088.\r\nFigure 7  Xbash exploiting Redis vulnerability\r\nWhen the exploit succeeds, Xbash will either directly execute a shell command to download and run malicious\r\nShell or Python scripts, or create a new cron job to do the same, again as shown in Figure 6. The malicious scripts\r\nwere downloaded from the same C2 servers that Xbash used. 
In either instance, their main functions are to kill other\r\npopular coinminers, download coinminers developed by the Iron cybercrime group, and download Xbash itself\r\nonto the target system for further propagation.\r\nThe net effect of this is that Xbash targets and uses vulnerable Hadoop, Redis or ActiveMQ systems both to run the\r\nattackers’ coinminer AND to propagate Xbash within the environment.\r\nInfecting Windows Servers\r\nAnother notable feature of Xbash is the way it uses Redis and an HTTP service to determine if the vulnerable\r\nRedis service is installed on Linux or Microsoft Windows. If the destination being scanned has both a vulnerable\r\nRedis service and an HTTP service running, Xbash will try to use information leaked by the Redis vulnerability to\r\nguess the HTTP web server’s installation location. Xbash then uses the location to guess which operating system\r\n(Linux or Windows) the destination is running as shown in Figure 7.\r\nFigure 8  Web server paths Xbash used to determine operating system\r\nIf it believes it’s found a Windows server, Xbash will exploit the Redis vulnerability to create a Windows startup\r\nitem (as shown in Figure 6), instead of a Linux cronjob. Depending on Xbash’s version, this new startup item will\r\ndownload a malicious HTML or Scriptlet file from Xbash’s C2 server and execute the JavaScript or VBScript\r\ncode in the file via “mshta” or via “regsvr32”. 
These scripts will then invoke PowerShell to download a malicious\r\nPE executable or PE DLL file from the same C2 server for execution as shown in Figure 8.\r\nFigure 8  Malicious JavaScript code to be executed in vulnerable Windows server (with comments)\r\nThrough our investigation we found that these malicious PE files were coinminers or ransomware developed by the\r\nIron cybercrime group as shown in Figure 9.\r\nFigure 9  AutoFocus associated the malicious PE file with Iron cybercrime group\r\nTargeting Enterprise Intranet\r\nIn all versions of Xbash we found, there is a Python class named “LanScan”. Its functions are to get local intranet\r\ninformation, generate a list of all IP addresses within the same subnet, and perform port scanning on all these\r\nIPs as shown in Figure 10. It appears that during its evolution, the author was adding more ports to this piece of\r\ncode. However, the code was inert and unutilized: it is still standalone and yet to be connected with the main part\r\nof the code. We believe the author may enable this functionality in coming versions.\r\nFigure 10  Generate list of IP addresses in victim’s subnet and perform port scanning\r\nIn an enterprise network (including office networks and datacenters or private clouds), there are usually more servers\r\nproviding services internally than publicly. These services are also more likely to be unprotected or configured\r\nwith weak passwords. The chance of finding vulnerable services within an intranet is much higher than over the Internet. We\r\nbelieve that is the main motivation for Xbash’s intranet scanning code. If events like WannaCry and NotPetya are\r\nany guide, this intranet functionality could make Xbash even more devastating once it’s enabled.\r\nConclusions\r\nXbash is a novel and complex Linux malware and the newest work of an active cybercrime group. 
From its\r\ncharacteristics and behaviors, we can identify many trends in the current IoT/Linux security battleground:\r\nAttackers are expanding their profit-making methods from mining cryptocurrency to hijacking cryptocurrency or demanding ransom in\r\ncryptocurrency\r\nAttackers are expanding their territory by scanning domain names and by attacking enterprise intranets\r\nAttackers are looking for more potential victims by gathering more and more vulnerabilities from\r\neverywhere, no matter whether the vulnerability is new or old, and no matter whether it’s famous or not (a\r\nCVE number was assigned or not)\r\nAttackers are moving toward cross-platform attacks and quick evolution\r\nDifferent types of script files are important actors between exploitation and malware execution\r\nPalo Alto Networks customers are protected from this threat:\r\nWildFire detected Xbash for Linux as well as the dropped CoinMiner for Windows\r\nELF and PE format malware signatures have been released via Antivirus\r\nAll involved malicious domains have been covered by PAN-DB URL Filtering\r\nAll three vulnerabilities exploited by Xbash have been covered by Threat Prevention (39786, 39787, 54654,\r\n54655)\r\nXbash C2 traffic has been covered by Threat Prevention too (18474, 18475, 18476)\r\nAn AutoFocus tag has been created for tracking this attack.\r\nIndicators of Compromise\r\nSamples for Linux\r\n7a18c7bdf0c504832c8552766dcfe0ba33dd5493daa3d9dbe9c985c1ce36e5aa  zlibx\r\n0b9c54692d25f68ede1de47d4206ec3cd2e5836e368794eccb3daa632334c641  Xbash\r\ndbc380cbfb1536dfb24ef460ce18bccdae549b4585ba713b5228c23924385e54  xapache\r\n5b790f02bdb26b6b6b270a5669311b4f231d17872aafb237b7e87b6bbb57426d  libhttpd\r\ne59be6eec9629d376a8a4a70fe9f8f3eec7b0919019f819d44b9bdd1c429277c  XbashX\r\nf808a42b10cf55603389945a549ce45edc6a04562196d14f7489af04688f12bc  
XbashY\r\ndcd37e5b266cc0cd3fab73caa63b218f5b92e9bd5b25cf1cacf1afdb0d8e76ff  rootv2.sh\r\nde63ce4a42f06a5903b9daa62b67fcfbdeca05beb574f966370a6ae7fd21190d  lowerv2.sh\r\n09968c4573580398b3269577ced28090eae4a7c326c1a0ec546761c623625885  rootv2.sh\r\na27acc07844bb751ac33f5df569fd949d8b61dba26eb5447482d90243fc739af  r88.sh\r\nSamples for Windows\r\nf888dda9ca1876eba12ffb55a7a993bd1f5a622a30045a675da4955ede3e4cb8  tt.txt\r\n31155bf8c85c6c6193842b8d09bda88990d710db9f70efe85c421f1484f0ee78  tg.jpg\r\n725efd0f5310763bc5375e7b72dbb2e883ad90ec32d6177c578a1c04c1b62054  reg9.sct\r\nd7fbd2a4db44d86b4cf5fa4202203dacfefd6ffca6a0615dca5bc2a200ad56b6  m.png\r\nece3cfdb75aaabc570bf38af6f4653f73101c1641ce78a4bb146e62d9ac0cd50  tmp.jpg\r\nDownloading URLs\r\nhxxp://3g2upl4pq6kufc4m[.]tk/zlibx\r\nhxxp://e3sas6tzvehwgpak[.]tk/XbashY\r\nhxxp://3g2upl4pq6kufc4m[.]tk/XbashY\r\nhxxp://3g2upl4pq6kufc4m[.]tk/xapache\r\nhxxp://3g2upl4pq6kufc4m[.]tk/libhttpd\r\nhxxp://xmr.enjoytopic[.]tk/l/rootv2.sh\r\nhxxp://xmr.enjoytopic[.]tk/l2/rootv2.sh\r\nhxxp://xmr.enjoytopic[.]tk/l/r88.sh\r\nhxxp://xmr.enjoytopic[.]tk/12/r88.sh\r\nhxxp://e3sas6tzvehwgpak[.]tk/lowerv2.sh\r\nhxxp://3g2upl4pq6kufc4m[.]tk/r88.sh\r\nhxxp://e3sas6tzvehwgpak[.]tk/XbashY\r\nhxxp://e3sas6tzvehwgpak[.]tk/XbashX\r\nhxxp://png.realtimenews[.]tk/m.png\r\nhxxp://daknobcq4zal6vbm[.]tk/tt.txt\r\nhxxp://d3goboxon32grk2l[.]tk/reg9.sct\r\nDomains for C2 Communication\r\nejectrift.censys[.]xyz\r\nscan.censys[.]xyz\r\napi.leakingprivacy[.]tk\r\nnews.realnewstime[.]xyz\r\nscan.realnewstime[.]xyz\r\nnews.realtimenews[.]tk\r\nscanaan[.]tk\r\nscan.3g2upl4pq6kufc4m[.]tk\r\nscan.vfk2k5s5tfjr27tz[.]tk\r\nscan.blockbitcoin[.]tk\r\nblockbitcoin[.]com\r\nIPs for C2 
Communication\r\n142.44.215[.]177\r\n144.217.61[.]147\r\nURLs for C2 Domain Updating\r\nhxxps://pastebin[.]com/raw/Xu74Mzif\r\nhxxps://pastebin[.]com/raw/rBHjTZY6\r\nBitcoin Wallet Addresses in Ransom Messages\r\n1Kss6v4eSUgP4WrYtfYGZGDoRsf74M7CMr\r\n1jqpmcLygJdH8fN7BCk2cwwNBRWqMZqL1\r\n1ExbdpvKJ6M1t5KyiZbnzsdQ63SEsY6Bff\r\nEmail Addresses in Ransom Messages\r\nbackupsql@protonmail[.]com\r\nbackupsql@pm[.]me\r\nbackupdatabase@pm[.]me\r\nSource: https://unit42.paloaltonetworks.com/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/"
	],
	"report_names": [
		"unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows"
	],
	"threat_actors": [
		{
			"id": "7c053836-8f50-4d40-bc5c-7088967e1b57",
			"created_at": "2022-10-25T16:07:24.549525Z",
			"updated_at": "2026-04-10T02:00:05.03048Z",
			"deleted_at": null,
			"main_name": "Rocke",
			"aliases": [
				"Aged Libra",
				"G0106",
				"Iron Group",
				"Rocke"
			],
			"source_name": "ETDA:Rocke",
			"tools": [
				"Godlua",
				"Kerberods",
				"LSD",
				"Pro-Ocean",
				"Xbash"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5b9d2809-47b7-46a8-ab2d-9687537f1bc7",
			"created_at": "2023-01-06T13:46:38.804869Z",
			"updated_at": "2026-04-10T02:00:03.107112Z",
			"deleted_at": null,
			"main_name": "Iron Group",
			"aliases": [
				"Iron Cyber Group"
			],
			"source_name": "MISPGALAXY:Iron Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "905eabd9-2b7f-483d-86bd-0c72f96b4162",
			"created_at": "2023-01-06T13:46:39.02749Z",
			"updated_at": "2026-04-10T02:00:03.185957Z",
			"deleted_at": null,
			"main_name": "Rocke",
			"aliases": [
				"Aged Libra"
			],
			"source_name": "MISPGALAXY:Rocke",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0b02af5f-2027-42b7-a6f2-51e2fd49ba7f",
			"created_at": "2022-10-25T15:50:23.360509Z",
			"updated_at": "2026-04-10T02:00:05.337702Z",
			"deleted_at": null,
			"main_name": "Rocke",
			"aliases": [
				"Rocke"
			],
			"source_name": "MITRE:Rocke",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434724,
	"ts_updated_at": 1775826734,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a2271e6a83031f34c312c82f48a26c5157b821b9.pdf",
		"text": "https://archive.orkl.eu/a2271e6a83031f34c312c82f48a26c5157b821b9.txt",
		"img": "https://archive.orkl.eu/a2271e6a83031f34c312c82f48a26c5157b821b9.jpg"
	}
}