{
	"id": "bbf606ef-0cf1-4ca0-9292-dd475d912c4a",
	"created_at": "2026-04-06T00:22:00.133494Z",
	"updated_at": "2026-04-10T13:12:34.604802Z",
	"deleted_at": null,
	"sha1_hash": "a9adf657543357359a20e6040abcbbe9509b0378",
	"title": "PsiXBot's Use of Google's DNS over HTTPS Service | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1627230,
	"plain_text": "PsiXBot's Use of Google's DNS over HTTPS Service | Proofpoint US\r\nBy The Proofpoint Threat Insight Team, September 06, 2019\r\nPublished: 2019-09-06 · Archived: 2026-04-05 12:35:01 UTC\r\nOverview\r\nSince posting our last PsiXBot update, the group or actor behind this malware has continued to make changes.\r\nMost notably, we have observed:\r\n- The introduction of DNS over HTTPS\r\n- A new version number (1.0.3)\r\n- New Fast Flux infrastructure\r\n- A newly observed \"PornModule\"\r\n- Distribution via Spelevo EK\r\nWhile tracking this threat, Proofpoint researchers noticed a change in the DNS resolution technique described in\r\nour previous blog, implementing Google’s DNS over HTTPS (DoH) service. We observed samples exhibiting this\r\nbehavior as dropped payloads via the Spelevo Exploit Kit. These newer samples (later versions 1.0.2 and 1.0.3)\r\nnow contain hard-coded C\u0026C domains to be resolved with Google’s DoH service.\r\nProofpoint researchers observed the use of DNS over HTTPS to retrieve the IP address for the command and\r\ncontrol (C\u0026C) domains. We observed this change while the version number for PsiXBot was still 1.0.2. This\r\nupdate was a stark departure from the previous update[1], which utilized a more convoluted process involving a\r\nURL shortener service to gather the IP Address for the C\u0026C infrastructure. On or around August 19, 2019,\r\nProofpoint researchers observed a fresh PsiXBot sample which began to utilize DNS over HTTPS (DoH) via\r\nGoogle's DoH service. It was around this time that we also observed the samples resuming a practice from version\r\n1.0.1, in which the C\u0026C domains were hardcoded in the malware samples with RC4 encryption. 
In the 1.0.2 and\r\n1.0.3 versions which use DoH, there is no longer a ping sent to either the DNS or C\u0026C servers to ensure uptime.\r\nMany companies now offer DNS over HTTPS as a service to enhance privacy on behalf of the user, speed up\r\nDNS queries, and provide a form of security during an encrypted DNS session. The author(s) behind PsiXBot\r\nhave now chosen Google's DoH service for routing their DNS queries to return the IP addresses of the C\u0026C\r\ndomains. Using Google’s DoH service allows the attackers to hide the DNS query for the C\u0026C domain behind\r\nHTTPS. Unless the TLS session is being inspected by a man-in-the-middle (MitM) proxy, DNS queries for the C\u0026C server will\r\ngo unnoticed. This is expressed in sample code like the following:\r\nhttps://www.proofpoint.com/us/threat-insight/post/psixbot-now-using-google-dns-over-https-and-possible-new-sexploitation-module\r\nPage 1 of 11\n\nFigure 1: Screenshot showing both hardcoded RC4-encrypted C\u0026C domains as well as code showing the use of\r\nGoogle’s DNS over HTTPS service to return the C\u0026C IP address.\r\nBecause the newer samples of PsiXBot are hardcoding the C\u0026C domains, they are simply placed into the GET\r\nrequest to https://dns.google[.]com as a variable. From the initial samples we saw utilizing the DoH method, we\r\nobserved a request and response as follows:\r\nFigure 2: Network traffic showing a GET request to the Google DoH service, returning the IP address for a\r\nPsiXBot C\u0026C server.\r\nThis will return the C\u0026C domains’ IP address(es) in a JSON blob. 
Of note, this is not the standard RFC 8484[3]\r\nDoH format, as one researcher[2] pointed out, but rather the JSON API format provided by Google.\r\nFurthermore, all of the C\u0026C servers observed by Proofpoint researchers utilized HTTPS provided by Let's Encrypt certificates.\r\nFast Flux is a method for rapidly changing DNS entries using a botnet of compromised hosts to hide malicious\r\nactivities like phishing and malware distribution. In the most recent samples from PsiXBot, we observed evidence\r\nof newly implemented Fast Flux infrastructure in the responses for C\u0026C domains, both in standard DNS queries\r\nas well as what is returned via DoH:\r\nFigure 3: A screenshot of Wireshark showing the response from a DNS server observing multiple IP addresses\r\nassociated with the C\u0026C domain greentowns[.]hk, possibly indicating fast flux infrastructure.\r\nFurther Analysis\r\nOn or around September 5, 2019, Proofpoint researchers observed the version number for PsiXBot increment to\r\nversion 1.0.3.\r\nFigure 4: Newly updated version 1.0.3 for PsiXBot.\r\nThe C\u0026C check-in sequence remained largely the same, but was modified slightly to include a check for whether\r\nthe infected machine is a member of a domain. In version 1.0.2, a parameter of \"user_group\" was used, but in\r\n1.0.3, it simply does a binary check for domain membership. The C\u0026C traffic continues to be POSTed and the\r\nclient body data is still RC4-encrypted using a hardcoded key found in the sample. 
An example of the updated\r\ndecrypted C\u0026C traffic is below:\r\nFigure 5: Decrypted traffic to PsiXBot C\u0026C infrastructure\r\nAs evident in the previously analyzed versions of this malware, the C\u0026C response continues to be a JSON blob\r\nwhich contains further instructions as well as some arguments for the modules to be run.\r\nThe features for version 1.0.3 are largely the same as previously analyzed versions, but now contain a newly\r\nobserved module called \"PornModule\". \"GetProcList\" is new to these samples, but is functionally similar to the\r\n\"GetProcessList\" task observed in version 1.0.1. The current features contained in samples with version 1.0.3 are\r\nas follows; the newly observed ones are GetProcList and StartPorn (the \"PornModule\"):\r\nDownloadAndExecute\r\nExecute\r\nGetInstalledSoft\r\nGetOutlook\r\nGetProcList\r\nGetSteallerCookies\r\nGetSteallerPasswords\r\nSelfDelete\r\nStartComplexModule\r\nStartCryptoModule\r\nStartFGModule\r\nStartKeylogger\r\nStartNewComplexModule\r\nStartPorn\r\nStartSchedulerModule\r\nStartSpam\r\nNew Module Analysis\r\nStartPorn\r\nThe \"PornModule\", assembly name \"chouhero\", is a module likely designed for blackmail/sexploitation purposes.\r\nSimilar to functionality observed recently in other malware campaigns[4], this module contains a dictionary\r\ncontaining pornography-related keywords used to monitor open window titles. If a window title matches the text, it\r\nwill begin to record audio and video on the infected machine. Once recorded, the video is saved with a \".avi\"\r\nextension and is sent to the C\u0026C. Typically, these recordings are used for extortion purposes. Of note, the\r\nmalware uses the Windows DirectShow library to capture audio and video. 
This module appears incomplete and\r\nwill likely be modified in future releases.\r\nFigure 6: PsiXBot’s likely sexploitation/blackmailing PornModule containing keywords to monitor open windows,\r\nwhich begins recording audio and video if found.\r\nStartSpam\r\nWhile this module is not new, it has been recently observed returning to infected machines with more robust spam\r\ncampaign commands and data, as it now contains updated message verbiage and attachment information. Below is\r\nan example of a recent configuration for the SpamModule returned from the C\u0026C server:\r\nFigure 7: Configuration details retrieved from PsiXBot C\u0026C infrastructure.\r\nFigure 8: Sample malicious email template sent from the PsiXBot-infected system’s Outlook account\r\nFigure 9: A look at the malicious document spammed from an infected machine’s Outlook account.\r\nThe document itself contains malicious macros that will retrieve a payload of PsiXBot, and contains the above\r\nSpamModule configuration for further replication.\r\nDistribution via Spelevo EK\r\nOn or around August 29, 2019, we observed a PsiXBot sample (afe7192cd7e4be82352ba43f29d54a1a) with\r\nversion 1.0.2 being dropped as a payload from Spelevo Exploit Kit. As of now, the code being dropped by the\r\nSpelevo EK contains samples with version 1.0.3.\r\nConclusion\r\nAs noted in the previous Threat Insight Blog post on PsiXBot, this malware is under active development and\r\ncontinues to evolve. By expanding the feature set of the included modules and the overall capabilities of this\r\nmalware, the actor or team behind its development appears to be seeking feature parity with other similar malware\r\non the market. 
The group also included anti-analysis and detection evasion features by implementing DNS over\r\nHTTPS and fast flux infrastructure. We will continue to monitor PsiXBot, as the current pace of updates suggests\r\nfurther refinements will not be far behind.\r\nReferences\r\n[1] https://www.proofpoint.com/us/threat-insight/post/psixbot-continues-evolve-updated-dns-infrastructure\r\n[2] https://twitter.com/seckle_ch/status/1169558035649433600\r\n[3] https://tools.ietf.org/html/rfc8484\r\n[4] https://www.welivesecurity.com/2019/08/08/varenyky-spambot-campaigns-france/\r\nIndicators of Compromise (IOCs)\r\nIOC | IOC Type | Description\r\nfnoetwotb4nwob524o.hk | Domain | PsiXBot Command and Control\r\nv3no4to24wto24.hk | Domain | PsiXBot Command and Control\r\nworldismine.hk | Domain | PsiXBot Command and Control\r\nthe-best.hk | Domain | PsiXBot Command and Control\r\ngreentowns.hk | Domain | PsiXBot Command and Control\r\nwonderlands.hk | Domain | PsiXBot Command and Control\r\nfastyoutube.info | Domain | PsiXBot Command and Control\r\nrealty4rent.hk | Domain | PsiXBot Command and Control\r\ne7332d507230fb218cf905a040fe83e81675a44d3da02fb737a2039d04ebea5e | SHA256 Hash | PsiXBot Executable\r\n979862ba03fd40ed9679989972f7c174332ca2b51efaa1578bdb04dc2a652fff | SHA256 Hash | PsiXBot Executable\r\nf93973c29125db0d62dbf8be9b73b0957dbc552b5fd277ae0f2e974724ab25bb | SHA256 Hash | PsiXBot Executable\r\n1961454dca8e742ca967fa1581228b65fdd8a6da9080702d8c11c801aea28920 | SHA256 Hash | PsiXBot Executable\r\ne847d5fd623a60788776fc662b41abfe8578d85b4136ea6a9933132fe894dc4f | SHA256 Hash | PsiXBot Executable\r\n05aa0ca087dc142b96c64c9f5f5f60072b9d5dff57181eb46d6178e73aa9f7fd | SHA256 Hash | PsiXBot PornModule\r\n94bb94f50f9a641b902c031788b1f069a6cc2822fdb99cb833f17f067a05a32a | SHA256 Hash | PsiXBot MalDoc\r\nET and ETPRO Suricata/Snort Signatures\r\n2837734 - ETPRO TROJAN Win32/PsiXBot CnC Checkin\r\n2838108 - ETPRO TROJAN Observed Malicious SSL Cert (PsiXBot CnC)\r\n2838127 - ETPRO TROJAN Observed Malicious SSL Cert (PsiXBot CnC)\r\n2838194 - ETPRO TROJAN Observed Malicious SSL Cert (PsiXBot CnC)\r\n2838213 - ETPRO TROJAN Observed Malicious SSL Cert (PsiXBot CnC)\r\n2838289 - ETPRO TROJAN Observed Malicious SSL Cert (PsiXBot CnC)\r\n2838290 - ETPRO TROJAN Observed Malicious SSL Cert (PsiXBot CnC)\r\n2838309 - ETPRO TROJAN Observed Malicious SSL Cert (PsiXBot CnC)\r\nSource: https://www.proofpoint.com/us/threat-insight/post/psixbot-now-using-google-dns-over-https-and-possible-new-sexploitation-module",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.proofpoint.com/us/threat-insight/post/psixbot-now-using-google-dns-over-https-and-possible-new-sexploitation-module"
	],
	"report_names": [
		"psixbot-now-using-google-dns-over-https-and-possible-new-sexploitation-module"
	],
	"threat_actors": [],
	"ts_created_at": 1775434920,
	"ts_updated_at": 1775826754,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a9adf657543357359a20e6040abcbbe9509b0378.pdf",
		"text": "https://archive.orkl.eu/a9adf657543357359a20e6040abcbbe9509b0378.txt",
		"img": "https://archive.orkl.eu/a9adf657543357359a20e6040abcbbe9509b0378.jpg"
	}
}