{
	"id": "866c3fcf-57fc-41f7-8d3e-cad4876db3eb",
	"created_at": "2026-04-06T00:06:15.821035Z",
	"updated_at": "2026-04-10T03:24:58.419628Z",
	"deleted_at": null,
	"sha1_hash": "a2c76a9cb36c42c1c8a1e55d22ad73088442a6c0",
	"title": "Luoxk Malware – Exploiting CVE-2018-2893",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 395203,
	"plain_text": "Luoxk Malware – Exploiting CVE-2018-2893\r\nBy Duncan\r\nPublished: 2018-07-27 · Archived: 2026-04-02 10:35:00 UTC\r\nFirst observed in 2017, Luoxk is a malware campaign targeting web servers throughout Asia, Europe and North America.\r\nLuoxk uses a variety of methods to compromise vulnerable servers but primarily exploits CVE-2018-2893, a deserialization remote code execution vulnerability in Oracle WebLogic Server. Exposed Remote Desktop Protocol (RDP) ports have also been used to infect devices.\r\nThe Luoxk group registered the luoxkexp[.]com C2 domain on March 16, 2017, and started using it immediately (domain details here).\r\nOnce access is achieved, the group operating Luoxk uses the compromised servers for a number of purposes, including:\r\n- Enrolling them in a Nitol variant botnet to be used for distributed denial-of-service attacks. Nitol is a smaller botnet trojan that operates primarily in China and surrounding Asian countries.\r\n- Installing the Gh0st remote access trojan, which in turn is used to install an XMRig mining application and to propagate to other devices on the network.\r\n- Hosting malicious Android APK files for other malware to use.\r\nDNS traffic to luoxkexp[.]com has been increasing over the last few days.\r\n[Figure: Traffic to luoxkexp[.]com, July 2018]\r\nIndicators of Compromise\r\nIP Addresses\r\n121.18.238[.]56\r\n103.99.115[.]220\r\nDomains\r\nluoxkexp[.]com\r\nFull URLs\r\nhxxp://xmr.luoxkexp.com:8888/xmrig\r\nhxxp://xmr.luoxkexp.com:8888/xmr64.exe\r\nhxxp://xmr.luoxkexp.com:8888/version.txt\r\nhxxp://xmr.luoxkexp.com:8888/jjj.exe\r\nhxxp://xmr.luoxkexp.com:8888/7799\r\nhxxp://xmr.luoxkexp.com:8888/2.exe\r\nhxxp://xmr.luoxkexp.com:8888/1.sh\r\nhxxp://xmr.luoxkexp.com:8888/1.exe\r\nhxxp://xmr.luoxkexp.com/\r\nhxxp://xmr.luoxkexp.com/1.exe\r\nhxxp://103.99.115.220:8080/JexRemoteTools.jar\r\nhxxp://121.18.238.56:8080/aaa.exe\r\nhxxp://121.18.238.56:8080/testshell.sh\r\nhxxp://121.18.238.56:8080/SYN_145\r\nhxxp://121.18.238.56:8080/a4.sh\r\nhxxp://121.18.238.56:8080/SYN_7008\r\nhxxp://121.18.238.56:8080/a5.sh\r\nhxxp://121.18.238.56/xmrig\r\nhxxp://luoxkexp.com:8099/ver1.txt\r\nMD5 File Hashes\r\n2f7df3baefb1cdcd7e7de38cc964c9dc\r\nCVE-2018-2893 was addressed in Oracle’s July 2018 Critical Patch Update (CPU). Users are advised to update affected systems immediately.\r\nDuncan is a technology professional with over 20 years’ experience in various IT roles. He has an interest in cyber security, and a wide range of other skills in radio, electronics and telecommunications.\r\nSource: https://www.systemtek.co.uk/2018/07/luoxk-malware-exploiting-cve-2018-2893/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.systemtek.co.uk/2018/07/luoxk-malware-exploiting-cve-2018-2893/"
	],
	"report_names": [
		"luoxk-malware-exploiting-cve-2018-2893"
	],
	"threat_actors": [
		{
			"id": "e4389aca-6209-443d-9fdc-7ad01c36e3b4",
			"created_at": "2023-01-06T13:46:39.07782Z",
			"updated_at": "2026-04-10T02:00:03.205516Z",
			"deleted_at": null,
			"main_name": "luoxk",
			"aliases": [],
			"source_name": "MISPGALAXY:luoxk",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775433975,
	"ts_updated_at": 1775791498,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a2c76a9cb36c42c1c8a1e55d22ad73088442a6c0.pdf",
		"text": "https://archive.orkl.eu/a2c76a9cb36c42c1c8a1e55d22ad73088442a6c0.txt",
		"img": "https://archive.orkl.eu/a2c76a9cb36c42c1c8a1e55d22ad73088442a6c0.jpg"
	}
}
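The Indicators of Compromise section of the report above is a flat list of defanged IPs, a domain, URLs and an MD5. The following is an added example, not code from the original post or from SystemTek, of how a practitioner would actually put that list to work: refang the indicators, then sweep DNS, proxy and endpoint log lines for them. The IOC values are the ones published in the report; the log lines in SAMPLE_LOG are constructed for illustration (BIND-style query log, a squid-style proxy line, an EDR quarantine line) and come from no real incident. Host matching is done on label boundaries so that a look-alike such as notluoxkexp.com, which a naive substring search would flag, is not reported, while a previously unseen path on a listed IP still is.

```python
"""Sweep log lines for the Luoxk IOCs published in the report.

Added example (not the original post's code). IOC values are from the
report; SAMPLE_LOG is constructed for illustration only.
"""
from __future__ import annotations

import re
from urllib.parse import urlsplit

# Indicators exactly as published (defanged) in the report.
IOC_IPS = {"121.18.238[.]56", "103.99.115[.]220"}
IOC_DOMAINS = {"luoxkexp[.]com"}
IOC_URLS = {
    "hxxp://xmr.luoxkexp.com:8888/xmrig", "hxxp://xmr.luoxkexp.com:8888/xmr64.exe",
    "hxxp://xmr.luoxkexp.com:8888/version.txt", "hxxp://xmr.luoxkexp.com:8888/jjj.exe",
    "hxxp://xmr.luoxkexp.com:8888/7799", "hxxp://xmr.luoxkexp.com:8888/2.exe",
    "hxxp://xmr.luoxkexp.com:8888/1.sh", "hxxp://xmr.luoxkexp.com:8888/1.exe",
    "hxxp://xmr.luoxkexp.com/", "hxxp://xmr.luoxkexp.com/1.exe",
    "hxxp://103.99.115.220:8080/JexRemoteTools.jar", "hxxp://121.18.238.56:8080/aaa.exe",
    "hxxp://121.18.238.56:8080/testshell.sh", "hxxp://121.18.238.56:8080/SYN_145",
    "hxxp://121.18.238.56:8080/a4.sh", "hxxp://121.18.238.56:8080/SYN_7008",
    "hxxp://121.18.238.56:8080/a5.sh", "hxxp://121.18.238.56/xmrig",
    "hxxp://luoxkexp.com:8099/ver1.txt",
}
IOC_MD5 = {"2f7df3baefb1cdcd7e7de38cc964c9dc"}


def refang(value: str) -> str:
    """Turn a defanged indicator (hxxp, [.]) back into its live form."""
    v = value.strip()
    if v[:4].lower() == "hxxp":
        v = "http" + v[4:]
    return v.replace("[.]", ".").replace("(.)", ".")


LIVE_IPS = {refang(i) for i in IOC_IPS}
LIVE_DOMAINS = {refang(d).lower() for d in IOC_DOMAINS}
LIVE_URLS = {refang(u) for u in IOC_URLS}


def host_matches(host: str) -> bool:
    """True for a listed IP, the listed domain, or any subdomain of it.

    Suffix matching on a label boundary ("." + domain) avoids hits on
    look-alikes such as notluoxkexp.com that a substring search would flag.
    """
    host = host.lower().rstrip(".")
    if host in LIVE_IPS:
        return True
    return any(host == d or host.endswith("." + d) for d in LIVE_DOMAINS)


# Constructed log formats (assumptions for this example, not the report's).
DNS_RE = re.compile(r"query:\s+(?P<qname>[\w.-]+)\s+IN\s+")
URL_RE = re.compile(r"https?://\S+")
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b")


def scan_line(line: str) -> list[tuple[str, str]]:
    """Return (indicator_type, value) pairs found in one log line."""
    hits: list[tuple[str, str]] = []
    m = DNS_RE.search(line)
    if m and host_matches(m.group("qname")):
        hits.append(("domain", m.group("qname")))
    for url in URL_RE.findall(line):
        if url in LIVE_URLS:
            hits.append(("url", url))          # full URL listed in the report
        else:
            host = urlsplit(url).hostname
            if host and host_matches(host):    # unseen path on a known host
                hits.append(("host", host))
    for h in MD5_RE.findall(line.lower()):
        if h in IOC_MD5:
            hits.append(("md5", h))
    return hits


def scan_log(text: str) -> dict[int, list[tuple[str, str]]]:
    """Map 1-based line number to its hits, for lines with at least one hit."""
    results: dict[int, list[tuple[str, str]]] = {}
    for n, raw in enumerate(text.splitlines(), 1):
        hits = scan_line(raw)
        if hits:
            results[n] = hits
    return results


# Constructed sample lines: two true positives per source, one look-alike
# domain (line 4) and one benign request (line 7).
SAMPLE_LOG = """\
Jul 25 10:02:11 ns1 named[1203]: client 10.0.0.15#51234: query: xmr.luoxkexp.com IN A +
Jul 25 10:02:12 proxy squid[77]: 10.0.0.15 GET http://xmr.luoxkexp.com:8888/xmrig 200
Jul 25 10:03:40 proxy squid[77]: 10.0.0.22 GET http://121.18.238.56:8080/testshell.sh 200
Jul 25 10:04:01 ns1 named[1203]: client 10.0.0.30#40001: query: notluoxkexp.com IN A +
Jul 25 10:04:30 proxy squid[77]: 10.0.0.22 GET http://121.18.238.56:8080/new_stage2.bin 404
Jul 25 10:05:09 edr1 sensor[9]: quarantined C:\\Windows\\Temp\\1.exe md5=2f7df3baefb1cdcd7e7de38cc964c9dc
Jul 25 10:06:00 proxy squid[77]: 10.0.0.40 GET http://example.org/index.html 200
"""

if __name__ == "__main__":
    for n, hits in scan_log(SAMPLE_LOG).items():
        print(f"line {n}: {hits}")
```

Run it as a script to see the hits for lines 1, 2, 3, 5 and 6; line 4 (the look-alike domain) and line 7 (benign traffic) produce nothing. In practice the three regexes would be swapped for whatever your DNS, proxy and EDR sources actually emit, and the IOC sets loaded from a feed rather than hard-coded.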