{
	"id": "7977ee06-b423-4f27-be6a-afdedfabbbd2",
	"created_at": "2026-04-06T00:22:06.433344Z",
	"updated_at": "2026-04-10T13:12:18.165102Z",
	"deleted_at": null,
	"sha1_hash": "a95564709d0e346ccd9f4fdd195c65216f650174",
	"title": "Analysis of LilithBot Malware and Eternity Threat Group | Zscaler",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1645827,
	"plain_text": "Analysis of LilithBot Malware and Eternity Threat Group | Zscaler\r\nBy Shatak Jain, Aditya Sharma\r\nPublished: 2022-10-05 · Archived: 2026-04-05 13:54:42 UTC\r\nIntroduction\r\nThreatLabz recently discovered a sample of the multi-function malware LilithBot in our database. Further research revealed\r\nthat this was associated with the Eternity group (a.k.a. EternityTeam; Eternity Project), a threat group linked to the Russian\r\n“Jester Group,” that has been active since at least January 2022. Eternity uses an as-a-service subscription model to\r\ndistribute different Eternity-branded malware modules in underground forums, including a stealer, miner, botnet,\r\nransomware, worm+dropper, and DDoS bot.\r\nThe LilithBot we discovered was being distributed through a dedicated Telegram group and a Tor link that provided one-stop shopping for these various payloads. In addition to its primary botnet functionality, it also had built-in stealer, clipper,\r\nand miner capabilities. In this blog, we’ll provide a deep analysis of the LilithBot campaign, including a look at several\r\nvariants.\r\nKey Features of this Attack\r\nThreat groups have been enhancing their capabilities and selling them as Malware-as-a-Service (MaaS) in exchange\r\nfor a membership fee. One such cybercriminal group, dubbed “Eternity,” has been found selling the malware\r\n“LilithBot.”\r\n“LilithBot” is distributed by Eternity via a dedicated Telegram channel, from which it can be purchased via Tor. It has\r\nadvanced capabilities to be used as a miner, stealer, and a clipper, along with its persistence mechanisms.\r\nThe group has been continuously enhancing the malware, adding improvements such as anti-debug and anti-VM\r\nchecks.\r\nThe malware registers itself on the system and decrypts itself step by step, dropping its configuration file.
\r\nLilithBot uses various types of fields such as license key, encoding key, and GUID, which are encrypted via AES and\r\ndecrypted at runtime.\r\nIt steals all the information and uploads it as a zip file to its Command and Control.\r\nSummary\r\nIn July 2022, Zscaler’s ThreatLabz threat research team identified a multifunctional malware bot known as LilithBot, sold\r\non a subscription basis by the Eternity group. In this campaign, the threat actor registers the user on its botnet and steals files\r\nand user information by uploading it to a command-and-control (C2) server using the Tor network. The malware also\r\nuses fake certificates to bypass detections; it acts as a stealer, miner, clipper, and botnet.\r\nIn this blog, ThreatLabz will explain various aspects of the LilithBot threat campaign.\r\nAbout Eternity\r\nEternity Project is a malware toolkit which is sold as malware-as-a-service (MaaS). These malware modules are distributed via\r\nTor. Eternity advertises via a dedicated Telegram channel named @EternityDeveloper and has an email address of\r\neternity@onionmail[.]org. They offer different types of services:\r\nhttps://www.zscaler.com/blogs/security-research/analysis-lilithbot-malware-and-eternity-threat-group\r\nPage 1 of 18\n\nStealer\r\nMiner\r\nClipper\r\nRansomware\r\nWorm+Dropper\r\nDDoS Bot\r\nEternity usually operates via Telegram and accepts payments through popular cryptocurrencies including BTC, ETH, XMR,\r\nUSDT, LTC, DASH, ZEC and DOGE. 
\r\nThey provide customized viruses and will create viruses with add-on features if the customer desires. The price of the\r\nmalware ranges from $90-$470 USD.\r\nThe below screenshot of the Eternity Telegram channel illustrates the regular updates and enhancements the group makes to\r\ntheir products.\r\nFig 1. Eternity Telegram Channel\r\nThe Telegram channel is dubbed “Eternity Channel.” Basic account details are shown below.\r\nFig 2. Telegram Home Page\r\nThe Eternity group regularly directs clients to their dedicated Tor link, in which their various malware and their features are\r\nlaid out in detail.\r\nFig 3. Tor link mentioned in Telegram\r\nThe Tor link leads to the below homepage, which explains the various products and modules available for purchase.\r\nFig 4. Tor site for Eternity group\r\nThe highest priced product for sale is their Ransomware, described in the below screenshot. The ransomware encrypts\r\ndocuments and files of the targeted user. The Tor page includes a dedicated video on how to generate the ransomware\r\npayload.\r\nFig 5. 
Features of payloads\r\nIn summary, Eternity has a very user-friendly service that is:\r\nEasy to purchase and operate via Tor, with a wide range of popular cryptocurrencies accepted for payment.\r\nCustomizable to fit clients’ specific needs.\r\nRegularly updated at no additional charge. They also offer many add-on discounts and referral rewards to their\r\ncustomers.\r\nComparison Between Two Variants\r\nAs the LilithBot malware has evolved, we have observed slight differences in the main function of different releases.\r\nSeveral commands that were present in earlier variants are not present in the newest variant that we have received. These\r\nfunctions include:\r\nChecking for the presence of various DLLs by iterating over an ArrayList and returning a Boolean value. The DLLs\r\nmentioned are related to virtual-environment software such as Sandboxie and to AVs such as 360 Total Security, Avast, and COMODO.\r\nChecking for Win32_PortConnector, which represents physical connection ports such as DB-25 pin male, Centronics,\r\nor PS/2. This ensures that it’s on a physical machine rather than a virtual machine.\r\nFig 6. Comparison between variants\r\nIt is likely that the group is still performing these functions, but doing so in more sophisticated ways, such as performing them\r\ndynamically, encrypting the functions like other regions of code, or using other advanced tactics.\r\nTechnical Analysis\r\nThe entry point starts with registration of the bot. The malware initially checks for a Mutex named “8928a2d3-173b-43cb-8837-0e2e88b6d3b1” and subsequently checks for a file in the Startup folder.\r\nIt then copies itself into the Startup folder if the file does not exist. 
The function StartupFilename then checks whether the\r\ncreated file has an extension of “.exe”, “.com” or “.scr”; if not, it will append “.exe” to the filename and add\r\nthis filename to the Startup path.\r\nFig 7. Mutex Creation\r\nFig 8. Checks Startup Files\r\nThe image below shows that the bot has successfully registered when the response to the decrypted data has the string\r\n“registered successfully” present in the register bot function, when checking the array data value.\r\nFig 9. Steals User Information\r\nFig 10. Registered Successfully\r\nThe Initialize function can be used to extract the value of different fields in a config file, as shown below. After decrypting\r\nthe AES cipher, we can see all the important fields present in the config file. 
The following are the fields present inside the\r\nconfig file:\r\n{\r\n    \"Lilith\": {\r\n        \"CommandsCheckInterval\": 14\r\n    },\r\n    \"BotKiller\": {\r\n        \"Enabled\": false\r\n    },\r\n    \"Stealer\": {\r\n        \"Enabled\": true\r\n    },\r\n    \"Clipper\": {\r\n        \"Enabled\": true,\r\n        \"Addresses\": {\r\n            \"XMR\": \"493eic71yTX23KnxuC1FimhkW5kEv1G2aMcE1spdBYot5BLo2ZdDbUcPCLdXMQPgLpgkNxLH4FWDRLjcdxmvG6ba4D8saKg\",\r\n            \"BTC\": \"bc1qd8e4maz97mv23slmgg7d4je2mydslkl5m56vdz\",\r\n            \"ETH\": \"0xFf7f57a2c7952fD9550A5E0FE53d4F104886403A\"\r\n        }\r\n    },\r\n    \"Miner\": {\r\n        \"Enabled\": false,\r\n        \"Pool\": \"pool.minexmr.com:4444\",\r\n        \"Wallet\": \"493eic71yTX23KnxuC1FimhkW5kEv1G2aMcE1spdBYot5BLo2ZdDbUcPCLdXMQPgLpgkNxLH4FWDRLjcdxmvG6ba4D8saKg\",\r\n        \"Password\": \"x\",\r\n        \"MaxCPU\": \"40\"\r\n    }\r\n}\r\nFig 11. Decrypted Config File Found in memory\r\nWe also came across a function that confirms the malware is using its own decrypting mechanism so that it can’t be\r\ndecrypted manually.\r\nAll the encrypted data goes through the function “DecryptBytesToString”, on which we can set a breakpoint to recover\r\nall the decrypted values using dynamic analysis.\r\nWe can see that the C2 server has the IP address 77.73.133[.]12 with port 4545 and the API path gate/, which expects\r\ncertain arguments for fields {0} and {1}. The key and data are hidden inside a hex array which we can see in the memory\r\ndump.\r\nWe can decrypt the encoded key, which translates to the value c4d8c7f433c1e79afe4eff3a4b05c7c9.\r\nWe also observed a license key field which has the value 59BE0ABAF3BC570D8F6F88A597C64B85. 
This is the\r\ndecrypting function; the below image shows the decrypted text for the corresponding values.\r\nFig 12. Decrypted License Key and Encoded Key\r\nThe sample also defines a function which gets the response body. If the response is not null, it then checks to make\r\nsure both the C2 server and the target’s network are online. Then it generates the GET request after checking a few\r\npermissions.\r\nThe malware further checks whether the hostname contains the onion domain. After checking the permissions, it downloads\r\nthe Tor bundle and connects to the IP. The Upload File function combines the hostname with the client, name of the file, and\r\ndirectory as parameters.\r\nFig 13. Checks if bot is online or offline\r\nNetwork Artifacts\r\nLilithBot malware shows 3 requests to the host IP 77.73.133[.]12 on port 4545. The user agent shows the relation of the\r\nmalware with LilithBot.\r\nThe first request is to register the bot with the /registerBot API with the mutex name prepended.\r\nFig 14. Sends Request to Register Bot\r\nThe second request is an API to download the file contents according to the plugin settings ‘admin_settings_plugin.json’.\r\nFig 15. Requests plugin settings\r\nWe see another request to upload the file in a ZIP format named “report.zip” with the dir parameter set to ‘Stealer’. The zip file\r\ncontains multiple directories that store information typical of a stealer, including the browser history, cookies, and personal\r\ninformation such as pictures stored in the C:\\Users\\[user]\\Pictures folder, and much more.\r\nFig 16. Uploads report file\r\nFig 17. 
Contents inside Report.zip\r\nFake Certificates\r\nA legitimate Microsoft-signed file is issued by the “Microsoft Code Signing PCA” certificate authority, and will also display\r\na countersignature from Verisign. However, we have seen that the fake certificates in LilithBot have no countersignature,\r\nand appear to have been issued by “Microsoft Code Signing PCA 2011”, which was not verified.\r\nFig 18. Fake certificate issued by Microsoft\r\nSandbox Report\r\nFig 19. Zscaler Sandbox report\r\nZscaler's multilayered cloud security platform detects indicators, as shown below:\r\nWin64.PWS.LilithBot\r\nMITRE ATT\u0026CK\r\nID Tactic Technique\r\nT1003 Credential Access OS Credential Dumping\r\nT1552.002 Credential Access Credentials in Registry\r\nT1114.002 Collection Remote Email Collection\r\nT1005 Collection Data from Local System\r\nT1204 User Execution User interaction\r\nT1268 Conduct social engineering Uses social eng to install payload\r\nT1222 Defense Evasion File Directory Permissions Modification\r\nT1027 Defense Evasion Obfuscated Files or Information\r\nT1016 Discovery System Network Configuration Discovery\r\nT1012 Discovery Query Registry\r\nT1018 Discovery Remote System Discovery\r\nT1057 Discovery Process Discovery\r\nT1047 Execution Windows Management Instrumentation\r\nT1059 Execution Command and Scripting Interpreter\r\nT1037.005 Persistence, Privilege Escalation Startup Items\r\nT1071 Command and Control Application Layer Protocol\r\nIndicators of Compromise (IOCs)\r\nSource: https://www.zscaler.com/blogs/security-research/analysis-lilithbot-malware-and-eternity-threat-group",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.zscaler.com/blogs/security-research/analysis-lilithbot-malware-and-eternity-threat-group"
	],
	"report_names": [
		"analysis-lilithbot-malware-and-eternity-threat-group"
	],
	"threat_actors": [],
	"ts_created_at": 1775434926,
	"ts_updated_at": 1775826738,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a95564709d0e346ccd9f4fdd195c65216f650174.pdf",
		"text": "https://archive.orkl.eu/a95564709d0e346ccd9f4fdd195c65216f650174.txt",
		"img": "https://archive.orkl.eu/a95564709d0e346ccd9f4fdd195c65216f650174.jpg"
	}
}