{
	"id": "ad341582-6c50-4572-81ce-ef38efdb79cc",
	"created_at": "2026-04-06T00:12:53.621361Z",
	"updated_at": "2026-04-10T03:30:33.298353Z",
	"deleted_at": null,
	"sha1_hash": "af6bbd3531e10c5e2c51c6508d4df326e61e2d92",
	"title": "'Hidden Bee' miner delivered via improved drive-by download toolkit | Malwarebytes Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 689518,
	"plain_text": "'Hidden Bee' miner delivered via improved drive-by download\r\ntoolkit | Malwarebytes Labs\r\nBy Malwarebytes Labs\r\nPublished: 2018-07-25 · Archived: 2026-04-05 18:49:36 UTC\r\nThis blog post was authored by @hasherezade and Jérôme Segura.\r\nWe recently detected a drive-by download attack trying to exploit CVE-2018-4878, a vulnerability in Flash Player,\r\nin a sequence that was not matching any of the exploit kit patterns that we currently track. Upon investigation, we\r\ndiscovered something that was new to us, but is part of an existing exploitation framework referenced in late 2017\r\nby Chinese security firm Qihoo360. At the time, the payload appeared to be a Trojan pushing adware. (Note: On\r\nJuly 26, our colleagues from TrendMicro published a blog post calling it the Underminer exploit kit).\r\nSince it was last documented, there have been changes to the exploits being used, although the distribution method\r\nis similar. One interesting aspect that we don’t see much of these days is the use of encryption to package exploits\r\non-the-fly, which requires a key from the backend server to decrypt and execute them.\r\nThe payload served in this campaign is also out of the ordinary because it is not a standard PE file. Instead, it is a\r\nmultiple-stage custom executable format, acting also as a downloader to retrieve LUA scripts used by the threat\r\nactors behind the Hidden Bee miner botnet. This was perhaps the first case of a bootkit being used to enslave\r\nmachines mining cryptocurrencies.\r\nCampaign overview\r\nThe attackers are leveraging malvertising via adult sites to redirect their victims to the exploit kit landing page. We\r\nbelieve this campaign is primarily targeting Asian countries based on the ads that are served and our own\r\ntelemetry data. 
A server purporting to be an online dating service contains a malicious iframe responsible for the\r\nexploitation and infection phases.\r\nhttps://blog.malwarebytes.com/threat-analysis/2018/07/hidden-bee-miner-delivered-via-improved-drive-by-download-toolkit/\r\nPage 1 of 11\n\nTraffic play-by-play\r\nIE exploit\r\nWith a few exceptions, exploit kits typically obfuscate their landing page and exploits. But here the\r\nthreat actors go further by using encryption and requiring a key exchange with the backend server\r\nin order to decrypt and execute the exploit. In the past,\r\nThe execution of the malicious code starts from a webpage with an embedded encrypted block. This block is\r\nBase64 encoded and encrypted with one of two algorithms: RC4 or Rabbit.\r\nAfter being decrypted, the block is executed. You can find the decoded version of the JavaScript that is being run\r\nhere. 
As you can see in the script, it generates a random session key, then encrypts it with the attacker’s public\r\nRSA key:\r\nThe encrypted key is passed on to the next function and converted into JSON format to perform a POST\r\nrequest to the hardcoded URL:\r\nThis is what we can see if we look at the traffic between the client and the server (the client sends the encrypted\r\n“key” and the server responds with the “value”):\r\nServer-side\r\nWith the attackers’ private RSA key, the server decrypts the passed session key.\r\nIt uses it to encrypt the exploit content with a chosen symmetric algorithm (Rabbit or RC4).\r\nIt returns the encrypted content back to the client.\r\nThanks to the fact that the client still has an unencrypted version of the key in memory, it is able to decrypt and\r\nexecute the exploit. However, researchers who only have the captured traffic cannot retrieve the original session\r\nkey, and replaying the exploit is impossible. Thankfully, we managed to capture the exploit during dynamic\r\nanalysis.\r\nWe believe that the decrypted exploit is CVE-2018-8174, as one of our test machines patched against CVE-2016-0189 got exploited successfully.\r\nFlash exploit\r\nThis newer Flash exploit (CVE-2018-4878) was not part of the exploit toolkit at the time Qihoo documented it,\r\nand seems to be a more recent addition to boost its capabilities. The shellcode embedded in the exploit is a\r\ndownloader for the next stage.\r\nUpon successful exploitation, it will retrieve its payload at the following URL:\r\nThis file, given the extension .wasm, pretends to be a WebAssembly module. 
But in fact, it is something entirely\r\ndifferent, appearing to be a custom executable format, or a modified, header-less PE file.\r\nIt starts from the names of the DLLs that are going to be needed during the execution:\r\nAs you can see, it loads Cabinet.dll, which is used for unpacking cabinet files. In later sections, we saw the APIs and\r\nstrings that are used for the communication over the HTTP protocol. We also found references to “dllhost.exe” and\r\n“bin/i386/core.sdb”.\r\nIt is easy to guess that this module will be downloading something and running it via dllhost.exe.\r\nAnother interesting string is Base64-encoded content:\r\nThe decoded content points to more URLs:\r\nhttp://103.35.72.223/git/wiki.asp?id=530475f52527a9ae1813d529653e9501 http://103.35.72.223/git/glfw.w\r\nLooking at the traffic captured by Fiddler, we found that, indeed, those URLs are being queried:\r\nThe requests are coming from dllhost.exe, so that means the above executable was injected there.\r\nThe file glfw.wasm has nothing in common with WebAssembly. It is, in fact, a Cabinet file, containing packed\r\ncontent under the internal path: bin/i386/core.sdb. Looking inside, we found the same custom executable format,\r\nstarting from DLL names:\r\nThen, HTTP traffic stops. 
This was another interesting aspect of this threat, because the threat actors are perhaps\r\ntrying to hide the traffic by pretending to use the SLTP protocol to retrieve the actual payload, which can be seen\r\nin the strings extracted from the Cabinet file inside of core.sdb:\r\nINSTALL_SOURCE \u0026sid=%u INSTALL_SID INSTALL_CID sltp://setup.gohub[.]online:1108/setup.bin?id=128 ntdl\r\nThat hostname resolves to 67.198.208[.]110:\r\nPinging setup.gohub.online [67.198.208.110] with 32 bytes of data: Reply from 67.198.208.110: bytes=3\r\nEncrypted TCP network traffic from our sandboxed machine shows how the binary payload is retrieved:\r\nThis whole exploitation and payload retrieval process is rather complex, especially in light of the intended purpose\r\nbehind this drive-by campaign. Infected hosts are instructed to mine for cryptocurrencies:\r\nWhat is unique about this miner is that it achieves persistence by using a bootkit, as described here. Infected hosts\r\nwill have their Master Boot Record altered to start the miner every time the operating system boots.\r\nA sophisticated attack for a simple payload\r\nThis attack is interesting on many levels for its use of different technologies both in the exploit delivery part as\r\nwell as how the payload is packaged. 
According to our telemetry, we believe it is also focused on a select few\r\nAsian countries, which makes sense when taking its payload into consideration.\r\nIt also shows that threat actors haven’t completely given up on exploit kits, despite a noted downward trend over\r\nthe last couple of years.\r\nProtection\r\nMalwarebytes detects both the IE and Flash exploits, resulting in the infection chain being stopped early on.\r\nIndicators of compromise\r\nInjected dating site\r\n144.202.87[.]106\r\nExploit toolkit\r\n103.35.72[.]223\r\n52he3kf2g2rr6l5s1as2u0198k.wasm\r\n087FD1F1932CDC1949B6BBBD56C7689636DD47043C2F0B6002C9AFB979D0C1DD\r\nglfw.wasm\r\nCCD77AC6FE0C49B4F71552274764CCDDCBA9994DF33CC1240174BCAB11B52313\r\nPayload URL and IP\r\nsetup.gohub[.]online:1108/setup.bin?id=128 67.198.208[.]110\r\nMiner Proxy\r\n133.130.101[.]254\r\nSource: https://blog.malwarebytes.com/threat-analysis/2018/07/hidden-bee-miner-delivered-via-improved-drive-by-download-toolkit/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.malwarebytes.com/threat-analysis/2018/07/hidden-bee-miner-delivered-via-improved-drive-by-download-toolkit/"
	],
	"report_names": [
		"hidden-bee-miner-delivered-via-improved-drive-by-download-toolkit"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434373,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/af6bbd3531e10c5e2c51c6508d4df326e61e2d92.pdf",
		"text": "https://archive.orkl.eu/af6bbd3531e10c5e2c51c6508d4df326e61e2d92.txt",
		"img": "https://archive.orkl.eu/af6bbd3531e10c5e2c51c6508d4df326e61e2d92.jpg"
	}
}