{
	"id": "3cb4b479-ee52-43cd-b75a-0463faa648a9",
	"created_at": "2026-04-10T03:20:22.631002Z",
	"updated_at": "2026-04-10T03:22:16.938576Z",
	"deleted_at": null,
	"sha1_hash": "a77686ce86fb9e2204d2fbf6539b0021faee6e8f",
	"title": "New Botnet Emerges from the Shadows: NightshadeC2",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3974081,
	"plain_text": "New Botnet Emerges from the Shadows: NightshadeC2\r\nBy eSentire Threat Response Unit (TRU)\r\nArchived: 2026-04-10 02:13:54 UTC\r\nAdversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters\r\nand Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.\r\nWe have discovered some of the most dangerous threats and nation state attacks in our space – including the\r\nKaseya MSP breach and the more_eggs malware.\r\nOur Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced\r\nThreat Analytics driven by our Threat Response Unit – the TRU team.\r\nIn TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We\r\noutline how we responded to the confirmed threat and what recommendations we have going forward.\r\nHere’s the latest from our TRU Team…\r\nWhat did we find?\r\nIn August 2025, eSentire's Threat Response Unit (TRU) identified a new botnet, tracked as \"NightshadeC2,\"\r\nwhich is being deployed via a loader that employs a simple yet highly effective technique to bypass malware\r\nanalysis sandboxes and exclude the final payload in Windows Defender using a technique we refer to herein as\r\n“UAC Prompt Bombing”.\r\nTRU has observed both C and Python-based variants that communicate with an unidentified Command and\r\nControl (C2) framework. 
The C variant primarily communicates over TCP ports 7777, 33336, 33337, and 443,\r\nwhereas Python variants predominantly utilize TCP port 80.\r\nNightshadeC2 demonstrates an extensive capability set, including:\r\nReverse shell via Command Prompt/PowerShell\r\nDownload and execute DLL or EXE\r\nSelf-deletion\r\nRemote control\r\nScreen capture\r\nHidden web browsers\r\nKeylogging and clipboard content capturing\r\nAdditionally, TRU has identified certain variants with stealing capabilities that enable the extraction of browser\r\npasswords and cookies from victim systems for both Gecko and Chromium based browsers. The Python variant\r\nexhibits substantially reduced functionality, limited to self-deletion, download/execute, and reverse shell\r\ncapabilities.\r\nhttps://www.esentire.com/blog/new-botnet-emerges-from-the-shadows-nightshadec2\r\nPage 1 of 24\n\nInitial Access Vector\r\nThe initial access method used in observed incidents makes use of the ClickFix initial access vector, where victims\r\nare shown a captcha and instructed to execute a malicious command in the Windows Run Prompt.\r\nTRU has also identified payloads in OSINT sources where the malware has been delivered through trojanized\r\nversions of legitimate software applications, including Advanced IP Scanner, Express VPN, HyperSecure VPN,\r\nCCleaner, and Everything.\r\nFigure 1 – booking[.]com themed ClickFix attack\r\nAnalysis of Second Stage PowerShell\r\nThe second stage in the attack downloads/decrypts a .NET based loader and uses Assembly.Load to load the\r\nmodule and invokes the method ExclusionAndAutorun.PayloadExecutor.Run. 
This method is responsible for\r\ndownloading/decrypting the final stage NightshadeC2 C variant and excluding it in Windows Defender by using a\r\ntechnique we are referring to as “UAC Prompt Bombing”.\r\nFigure 2 – Second stage PowerShell loader\r\nAnalysis of .NET Based Loader\r\nAlthough the loader varies between samples, TRU has observed an obfuscated .NET-based loader (available here)\r\nthat implements a while loop to execute a PowerShell command in a new process. In a more recent version of the\r\nloader, a UAC bypass is used instead, but we will get to that later.\r\nThe command used by this particular sample attempts to add an exclusion in Windows Defender for the final\r\npayload, which has not yet been written to disk. The loader then verifies the exit code of the PowerShell process;\r\nif the code is 0 (indicating success), the next stage—typically NightshadeC2—is delivered. However, TRU has\r\nalso received reports of this same loader being utilized to distribute Lumma Stealer.\r\nIf the PowerShell process returns any exit code other than 0, the while loop continues executing, effectively\r\nforcing the user to approve the User Account Control (UAC) prompt or face system usability issues. TRU refers to\r\nthis technique as UAC Prompt Bombing.\r\nA particularly notable aspect of this approach is that systems with the WinDefend (Windows Defender) service\r\ndisabled will generate non-zero exit codes, causing malware analysis sandboxes to become trapped in the\r\nexecution loop. 
TRU has confirmed successful bypass of multiple sandbox environments using this trivial\r\ntechnique.\r\nWhile the specific testing was not exhaustive, it is highly probable that other sandbox solutions are similarly\r\nvulnerable to this evasion method.\r\nJoe Sandbox\r\nCAPEv2 Sandbox\r\nHatching Triage (Update: No longer bypasses Hatching Triage as of 09/05/2025)\r\nAny.Run\r\nThe figure below illustrates the process tree generated by a malware sandbox analyzing the loader. This reveals\r\nhow the loop continues, preventing delivery of the final payload, due to the non-zero exit code of the PowerShell\r\nprocess.\r\nFigure 3 – Evasion loop in malware sandbox\r\nThe loader effectively bypasses:\r\nSandboxes with Microsoft Defender’s (WinDefend) service stopped\r\nWindows Defender if the victim accepts the UAC prompt\r\nVictims clicking \"Show details\" in the UAC prompt can see the malicious PowerShell command. Selecting \"No\"\r\ntriggers repeated prompts until \"Yes\" is selected—a technique we are referring to as UAC Prompt Bombing.\r\nFigure 4 – “Show details” of UAC prompt\r\nIn the figures below we can see the routine that handles adding the Windows Defender exclusion via a new\r\nPowerShell process and returning the exit code of the PowerShell process.\r\nFigure 5 – .NET loader concatenating PowerShell exclusion command\r\nFigure 6 – Checking exit code of PowerShell process\r\nPrior to starting the final stage payload, the loader establishes persistence via three different registry keys:\r\nWinlogon, RunOnce, and Active Setup. 
Within the figures, the final stage payload is started with the required\r\nargument 0x8c41db6c – likely to avoid analysis by security researchers and malware sandboxes.\r\nFigure 7 – Winlogon registry entry for persistence\r\nFigure 8 – RunOnce registry entry for persistence\r\nFigure 9 – ActiveSetup registry entry for persistence\r\nSandbox Bypass PoC\r\nTRU has created a Proof of Concept (PoC) available here to demonstrate the bypass found in the aforementioned\r\nloader. In the event the Windows Defender service (WinDefend) is stopped, the bypass will succeed. The PoC is\r\naround 50 lines of code and uses the same logic as the loader, where a while loop continues to show a UAC\r\nprompt to force the victim into setting an exclusion for the final payload.\r\nFigure 10 – PoC code with while loop and exclusion command\r\nThe figure below displays the PoC decrypting the final payload and executing it. Note, the final payload is simply\r\na messagebox application that prints the EICAR string. Since the malicious file has already been added to\r\nWindows Defender's exclusion list, it can run without triggering any security alerts!\r\nFigure 11 – PoC code that decrypts/drops/executes whitelisted payload\r\nAnalysis of NightshadeC2 Payload\r\nThe file in question (updater.exe) is packed and performs module stomping of shell32.dll to execute the\r\nNightshadeC2 payload. 
Initially, the malware queries ip-api[.]com to gather the victim's external IP information,\r\nincluding country and VPN status—likely to avoid security researchers and sandbox environments.\r\nFigure 12 – IP-API geo-ip lookup\r\nFigure 13 – PCAP request/response of IP-API geo-ip lookup\r\nAfter sending the RC4 encrypted key string to the C2 for authorization purposes, the malware’s fingerprint\r\ncallback is formed through the following steps.\r\n1. Retrieves the victim OS product name via the registry key/value:\r\nHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductName\r\nFigure 14 – Acquiring ProductName of victim OS via Registry\r\n2. Queries the current process token to determine if the process is running with elevated permissions.\r\n3. Retrieves the victim OS MachineGuid from the registry key/value:\r\nHKLM\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid\r\nFigure 15 – Acquiring MachineGuid of victim OS via Registry\r\n4. Calls the GetUserNameW and GetComputerNameExW APIs to retrieve the victim’s username, computer\r\nname, and domain.\r\nThe structure of this callback, once decrypted from RC4, is shown in the annotated figure below.\r\nFigure 16 – Fingerprint callback format\r\nThe figure below displays an annotated PCAP TCP stream between NightshadeC2 and a sandbox environment\r\nwithin VirusTotal from the PCAP available here. The first packet the client sends to the C2 is the RC4 encrypted\r\nRC4 passphrase RandOmKey322666B followed by the bytes 01 00 00 00.\r\nThis acts as an authorization step to allow for further communications with the C2. 
The C2 then responds with the\r\nRC4 encrypted passphrase in acknowledgement of the correct key, and the client sends the fingerprint information\r\nfor the victim device.\r\nFigure 17 – Fingerprint callback in PCAP (RC4 encrypted)\r\nCyberChef's RC4 operation, with the passphrase set to the key found in the payload, allows for decrypting\r\ntraffic to and from the C2. In this case, the RC4 key was RandOmKey322666B.\r\nFigure 18 – Decrypted fingerprint callback via CyberChef\r\nThe malware then calls the SetThreadExecutionState API with the flags shown below to effectively prevent the\r\nvictim machine from going to sleep.\r\nSetThreadExecutionState(ES_CONTINUOUS | ES_AWAYMODE_REQUIRED | ES_DISPLAY_REQUIRED | ES_SYSTEM_REQUIRED);\r\nThe malware then creates a new thread to set up clipboard harvesting and keylogging capabilities. Harvested\r\nclipboard contents and keystrokes are written to a hidden log file path that varies sample to sample.\r\nIn the specific sample observed in the incident, the following log files are used:\r\n%LOCALAPPDATA%\\JohniiDepp - Used if the process's token IS elevated\r\n%LOCALAPPDATA%\\LuchiiSvet - “RaysLight” in Russian, used if the process's token IS NOT elevated\r\nFigure 19 – Create keylog/clipboard log file\r\nThe keylogging and clipboard harvesting capabilities are set up via a new thread that creates a hidden window via\r\nthe CreateWindowExW API and registers a callback via RegisterClassExW to process messages sent to the\r\nwindow.\r\nKey parameters are described below:\r\nCreateWindowExW(\r\n 0x80u, // dwExStyle == WS_EX_TOOLWINDOW - Hides the window from the victim's taskbar/ALT+TAB\r\n ClassName, // lpClassName == L\"IsabellaWine\" - Specific class name used for the window, does not appear to c\r\n 0LL, // lpWindowName == NULL 
- No window title text\r\n 0, // dwStyle == WS_OVERLAPPED - Omits WS_VISIBLE flag so window is hidden\r\n ...\r\nThe AddClipboardFormatListener API is then called to place the window in the clipboard format listener list,\r\nallowing the window to receive WM_CLIPBOARDUPDATE messages. This essentially allows the window to\r\nharvest the victim's clipboard contents when it changes.\r\nFigure 20 – Create hidden window with “IsabellaWine” class name for capturing clipboard\r\nIn order to capture victim keystrokes, the SetWindowsHookExW API is called to install a hook procedure into the\r\nhook chain, a commonly used API for keylogging.\r\nKey parameters are described below:\r\nSetWindowsHookExW(\r\n 13, // idHook == WH_KEYBOARD_LL - Installs a hook procedure that monitors low-level keyboard input events.\r\n (HOOKPROC)fn, // lpfn == Pointer to the hook procedure that captures keystrokes,\r\n...\r\nThe hook procedure first checks to ensure the pressed keys aren't Ctrl+c or Ctrl+v, then converts the virtual key to\r\nits associated Unicode character, and writes it to the log file, along with the current window's window text\r\nretrieved via GetWindowTextW, giving the threat actors context as to what window the keystrokes were typed in.\r\nFigure 21 – Hook procedure that captures/converts keystrokes and writes to log\r\nA preview of an example keylog/clipboard log file is shown below. This demonstrates what content threat actors\r\nwould see after retrieving the file from the victim machine, including active window title and clipboard\r\ncontents/keystrokes.\r\nFigure 22 – Keylog/clipboard capture log file example\r\nNext, the malware begins handling commands from the C2. 
The list of commands, which can vary between\r\nsamples, can be found in the table below.\r\nCommand Description\r\n1 Pong / Keep Alive\r\n4 or 8 Reverse Shell via Command Prompt/PowerShell\r\n48 Upload attacker-specified file(s) from victim device\r\n49 Download/execute DLL or EXE\r\n89 Connect to new C2\r\n90 Self deletion\r\n128 Create mutex, start hidden desktops/browsers (Firefox, Chrome, Brave, Edge) or a Run Prompt in a specified desktop\r\n150 Upload captured victim keystrokes/clipboard contents from the hidden log file to the C2\r\n201/202 Screen capturing\r\n205 Remote control capability: copy/paste from attacker to victim, simulate keyboard/mouse input via SendInput API\r\nThe code shown creates a reverse shell connection to the C2 server by spawning a hidden Command Prompt or\r\nPowerShell process. It configures pipes as handles for the process's stdin, stdout, and stderr streams, allowing the\r\nC2 server to send commands and receive output from the compromised system's shell.\r\nFigure 23 – Reverse shell logic\r\nThe functionality of the copy/paste feature can be seen in the figure below, where the malware sends a request to\r\nthe C2 for the replacement text, and replaces it via the Windows API SetClipboardData prior to calling SendInput\r\nto send the Ctrl+v keyboard shortcut.\r\nFigure 24 – Copy/paste and mouse/keyboard simulation from C2\r\nThe next figure displays the code responsible for spawning a hidden web browser or Run Prompt. Depending on\r\nflags from the C2, the specified web browser is started in a new or existing desktop, with support for Google\r\nChrome, Microsoft Edge, Firefox, and Brave.\r\nFirefox is started with the -no-delevate parameter, while Chromium-based browsers use --mute-audio --do-not-deelevate. 
These command line arguments ensure proper browser functionality when launched with elevated\r\nprivileges.\r\nIf the C2 specifies the flag to spawn a Run Prompt instead of a web browser, the following process is spawned:\r\n\"C:\\Windows\\System32\\rundll32.exe\" \"C:\\Windows\\System32\\shell32.dll\" #61\r\nFigure 25 – Run prompt/hidden web browser capability\r\nNightshadeC2 Python Variant\r\nTRU found that threat actors may have used an LLM to convert the C-based malware to Python. The Python variant\r\nmaintains a subset of functionality including download/execute, self-deletion, and reverse shell capabilities.\r\nThis approach likely helps evade detection, as VirusTotal shows few vendors identify Python variants. The figure\r\ndemonstrates how the Python code uses nearly identical API calls as its C counterpart to gather the victim's\r\nexternal IP address and OS information, before sending it off to the C2 server formatted in the structure shown in\r\nFigure 17 above.\r\nFigure 26 – Nightshade C2 Python variant, near identical logic to C variant\r\nThe next figure displays the command handling logic, where the fingerprint information is sent to the C2 and a\r\nthread is started to ping the C2. This behavior is identical in the C variant.\r\nThree commands are handled by the script (shown in order below), including: ping, reverse shell,\r\ndownload/execute of a DLL or EXE, and self-deletion.\r\nFigure 27 – Nightshade C2 Python variant command handling, self-deletion, reverse shell,\r\ndownload/execute\r\nSteam Profile for C2\r\nLike other malware, some Nightshade variants (including the Python variants) make use of Steam URLs for\r\nacquiring the C2. 
This allows threat actors to change their C2 on-the-fly, while maintaining the same Steam URL.\r\nThe figures below demonstrate this lookup in the malware and show the C2 “programsbookss[.]com” in the Steam\r\nprofile metadata.\r\nFigure 28 – Acquire C2 via Steam Community URL\r\nFigure 29 – Example C2 “programsbookss[.]com” from Steam Community URL\r\nUAC Bypasses\r\nTRU has observed two different UAC bypass techniques used in campaigns. The first was found built into a\r\nNightshadeC2 payload and makes use of a UAC bypass from 2019 for privilege escalation that abuses the\r\nbehavior of the RPC server that implements the UAC feature. A PoC of the bypass is available on GitHub here.\r\nThe second UAC bypass makes use of the technique described here and has been implemented in a new version of\r\nthe .NET based loader, where it checks if the system is running an OS older than Windows 11. If so, it starts the\r\nfollowing LOLBin processes to escalate privileges. 
Shortly after, it adds an exclusion in Windows Defender for\r\nthe final payload, avoiding the need to escalate by UAC prompt.\r\nreg add \"HKCU\\Environment\" /v windir /t REG_SZ /d \"\u003cREDACTED_PAYLOAD_PATH\u003e /1\" /f\r\nschtasks /Run /i /TN \"\\Microsoft\\Windows\\DiskCleanup\\SilentCleanup\"\r\nreg delete \"HKCU\\Environment\" /v windir /f\r\nYara Rules\r\nrule NightshadeC2_Win_x64\r\n{\r\n meta:\r\n author = \"YungBinary\"\r\n description = \"Detects NightshadeC2 in memory\"\r\n strings:\r\n $a = \"camera!\" wide\r\n $b = \"keylog.txt\" wide\r\n $c = \"powershell Start-Sleep -Seconds 3; Remove-Item -Path %ws -Force\" wide\r\n $d = \"MachineGuid\" wide\r\n $e = \"[%02d:%02d %02d.%02d.%02d] %ws\"\r\n condition:\r\n 4 of them\r\n}\r\nrule NightshadeC2_Python_Win\r\n{\r\n meta:\r\n author = \"YungBinary\"\r\n description = \"Detects PyNightshade on disk\"\r\n strings:\r\n $s1 = \"Winhttp.WinHttpOpenRequest(hConnect, \\\"GET\\\", \\\"line/?fields=\" ascii\r\n $s2 = \"MachineGuid\" ascii\r\n $s3 = \"i = (i + 1) % 256\" ascii\r\n condition:\r\n all of them\r\n}\r\nWhat did we do?\r\nOur team of 24/7 SOC Cyber Analysts proactively isolated the affected host to contain the infection on the\r\ncustomer’s behalf.\r\nWe communicated what happened with the customer and helped them with remediation efforts.\r\nWhat can you learn from this TRU Positive?\r\nNightshadeC2 is a new botnet/infostealer malware with comprehensive functionality: system control\r\ncapabilities, keystroke/clipboard monitoring, reverse shell access, payload execution, and credential theft\r\nfrom browsers.\r\nDistribution occurs through two methods: ClickFix leveraging booking[.]com-themed landing pages, and\r\ntrojanized legitimate software including CCleaner, Advanced IP Scanner, Everything, and VPN setup\r\npackages.\r\nTechnical note: Analysis environments with disabled Windows Defender 
protection fail to properly execute\r\nthe loader component.\r\nThreat actors continue to make use of existing and novel User Account Control (UAC) bypasses to evade\r\nWindows Defender.\r\nHow eSentire is Responding\r\nThe eSentire Threat Response Unit (TRU) combines threat intelligence gained from research and security\r\nincidents to create practical outcomes for our customers. We are taking a comprehensive response approach to\r\ncombat modern cybersecurity threats by deploying countermeasures, such as:\r\nConducting global threat hunts to identify Indicators across our customer base, ensuring early detection\r\nand mitigation of threats.\r\nMaintaining continuous threat intelligence monitoring through our Threat Response Unit (TRU), which\r\nallows us to stay ahead of NightshadeC2 updates and adapt our MDR for Endpoint and MDR for Network\r\ncapabilities to address new variants and proactively defend against attack methods.\r\nDeveloping and implementing custom detection rules and prevention measures across our MDR platform\r\nto identify and block NightshadeC2's unique signatures, injection techniques, and associated malicious\r\nbehaviors.\r\nOur detection content is supported by investigation runbooks, ensuring our 24/7 SOC Cyber Analysts respond\r\nrapidly to any intrusion attempts related to known malware Tactics, Techniques, and Procedures. 
In addition, TRU\r\nclosely monitors the threat landscape, constantly addresses capability gaps, and conducts retroactive threat hunts\r\nto assess customer impact.\r\nRecommendations from the Threat Response Unit (TRU)\r\nDisable the Run prompt via GPO:\r\nUser Configuration \u003e Administrative Templates \u003e Start Menu and Taskbar \u003e Enable “Remove Run\r\nmenu from Start Menu”\r\nImplementing Phishing and Security Awareness Training (PSAT) programs is crucial to educate employees\r\nabout emerging threats and mitigate the risk of successful social engineering attacks.\r\nUse a Next-Gen AV (NGAV) or Endpoint Detection and Response (EDR) solution to detect and contain\r\nthreats.\r\nIndicators of Compromise\r\nIndicators of Compromise can be found here.\r\nReferences\r\nhttps://x.com/YungBinary/status/1959083146944623043\r\nhttps://enigma0x3.net/2016/07/22/bypassing-uac-on-windows-10-using-disk-cleanup/\r\nhttps://googleprojectzero.blogspot.com/2019/12/calling-local-windows-rpc-servers-from.html\r\nhttps://github.com/Kudaes/Elevator\r\nhttps://x.com/JAMESWT_WT/status/1961292003620102532\r\nhttps://x.com/JAMESWT_WT/status/1959874333704130804\r\nhttps://x.com/JAMESWT_WT/status/1958944063706546672\r\nTo learn how your organization can build cyber resilience and prevent business disruption with eSentire’s Next\r\nLevel MDR, connect with an eSentire Security Specialist now.\r\nABOUT ESENTIRE’S THREAT RESPONSE UNIT (TRU)\r\nThe eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your\r\norganization become more resilient. 
TRU is an elite team of threat hunters and researchers that supports our 24/7\r\nSecurity Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and\r\nworks as an extension of your security team to continuously improve our Managed Detection and Response\r\nservice. By providing complete visibility across your attack surface and performing global threat sweeps and\r\nproactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending\r\nyour organization against known and unknown threats.\r\nSource: https://www.esentire.com/blog/new-botnet-emerges-from-the-shadows-nightshadec2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.esentire.com/blog/new-botnet-emerges-from-the-shadows-nightshadec2"
	],
	"report_names": [
		"new-botnet-emerges-from-the-shadows-nightshadec2"
	],
	"threat_actors": [],
	"ts_created_at": 1775791222,
	"ts_updated_at": 1775791336,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a77686ce86fb9e2204d2fbf6539b0021faee6e8f.pdf",
		"text": "https://archive.orkl.eu/a77686ce86fb9e2204d2fbf6539b0021faee6e8f.txt",
		"img": "https://archive.orkl.eu/a77686ce86fb9e2204d2fbf6539b0021faee6e8f.jpg"
	}
}