{
	"id": "0d1e313b-fb14-4cf2-afe2-7101a29b4090",
	"created_at": "2026-04-06T01:32:00.558407Z",
	"updated_at": "2026-04-10T03:20:26.614703Z",
	"deleted_at": null,
	"sha1_hash": "b33bca2473dde08f0f705ec71e90d000fbbd2aaf",
	"title": "ALDIBOT - Threat Encyclopedia | Trend Micro (US)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 52558,
	"plain_text": "ALDIBOT - Threat Encyclopedia | Trend Micro (US)\r\nArchived: 2026-04-06 00:59:37 UTC\r\nALDIBOT first appeared in late August 2012 in underground forums. Variants can steal passwords from the Mozilla Firefox browser, the Pidgin instant messenger client, and the jDownloader download manager. ALDIBOT variants send the gathered information to their command-and-control (C\u0026C) servers.\r\nThis malware family can also launch Distributed Denial of Service (DDoS) attacks using several flood methods: HTTP, TCP, UDP, and SYN floods, as well as Slowloris and other Layer 7 (application-layer) attacks.\r\nThis bot can also be set up as a SOCKS5 proxy, letting the remote attacker relay traffic for any protocol through the infected machine.\r\nThis malware family can download and execute arbitrary files and update itself. Variants can steal information, gathering the infected machine’s hardware identification (HWID), host name, local IP address, and OS version.\r\nThis backdoor executes commands from a remote malicious user, effectively compromising the affected system.\r\nInstallation\r\nThis backdoor drops the following copies of itself into the affected system:\r\n%Application Data%\\AudioTreiber_x64.exe\r\n%Application Data%\\hklm.exe\r\n%Application Data%\\nvsvc32.exe\r\n%Application Data%\\Windowsie.exe\r\n(Note: %Application Data% is the current user's Application Data folder, which is usually C:\\Documents and Settings\\{user name}\\Application Data on Windows 2000, XP, and Server 2003, or C:\\Users\\{user name}\\AppData\\Roaming on Windows Vista and 7.)\r\nOther System Modifications\r\nThis backdoor adds the following registry key:\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\{random}\r\nIt adds the following registry entries (each entry is listed as its key, followed by the value name and data):\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\nAudio Treiber x64 = \"%Application Data%\\AudioTreiber_x64.exe\"\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\r\nAudio Treiber x64 = \"%Application Data%\\AudioTreiber_x64.exe\"\r\nhttps://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/aldibot\r\nPage 1 of 4\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\{random}\r\nAudio Treiber x64 = \"\"%Application Data%\\AudioTreiber_x64.exe /ActiveX\"\"\r\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\AuthorizedApplications\\List\r\n%Application Data%\\AudioTreiber_x64.exe = \"%Application Data%\\AudioTreiber_x64.exe:*:Enabled:\"\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\nc0xG3w0pwDWmTic = \"%Application Data%\\hklm.exe\"\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\r\nc0xG3w0pwDWmTic = \"%Application Data%\\hklm.exe\"\r\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\AuthorizedApplications\\List\r\n%Application Data%\\hklm.exe = \"%Application Data%\\hklm.exe:*:Enabled:\"\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\nNVidia Physx Service = \"%Application Data%\\nvsvc32.exe\"\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\r\nNVidia Physx Service = \"%Application Data%\\nvsvc32.exe\"\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\{random}\r\nNVidia Physx Service = \"\"%Application Data%\\nvsvc32.exe /ActiveX\"\"\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\nKyKEJSLY1Nb07ie = \"%Application Data%\\Windowsie.exe\"\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\r\nKyKEJSLY1Nb07ie = \"%Application Data%\\Windowsie.exe\"\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\{random}\r\nKyKEJSLY1Nb07ie = \"\"%Application Data%\\Windowsie.exe /ActiveX\"\"\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\nsw9YAYyV3loUuvj = \"%Application Data%\\AudioTreiber_x64.exe\"\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\r\nsw9YAYyV3loUuvj = \"%Application Data%\\AudioTreiber_x64.exe\"\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\{random}\r\nsw9YAYyV3loUuvj = \"\"%Application Data%\\AudioTreiber_x64.exe /ActiveX\"\"\r\nBackdoor Routine\r\nThis backdoor executes the following commands from a remote malicious user:\r\nStartHTTP - starts an HTTP DDoS attack\r\nStartSlowloris - starts a Slowloris DDoS attack\r\nStartTCP - starts a TCP DDoS attack\r\nStartSSYN - starts a SYN DDoS attack\r\nStartLayer7 - starts a Layer 7 DDoS attack\r\nStopHTTPDDoS - stops an HTTP DDoS attack\r\nStopTCPDDoS - stops a TCP DDoS attack\r\nStopDDoS - stops all DDoS attacks\r\nDownloadEx - downloads and executes a file\r\nstartUDP - starts a UDP DDoS attack\r\nOpenWebSite - opens the specified website\r\nCreateSocks - creates a SOCKS5 proxy\r\nStealData - steals stored passwords\r\nUpdate - updates itself\r\nOther Details\r\nThis backdoor connects to the following possibly malicious URLs:\r\nhttp://{BLOCKED}i.{BLOCKED}t.w2c.ru/gate.php?hwid={HWID}\u0026pc={Host Name}\u0026localip={Local IP Address}\u0026winver={OS Version}\r\nhttp://{BLOCKED}1.ba.{BLOCKED}c.de/aldi/gate.php?hwid={HWID}\u0026pc={Host Name}\u0026localip={Local IP Address}\u0026winver={OS Version}\r\nhttp://{BLOCKED}e.{BLOCKED}b.com/tt/gate.php?hwid={HWID}\u0026pc={Host Name}\u0026localip={Local IP Address}\u0026winver={OS Version}\r\nhttp://{BLOCKED}lnoe.{BLOCKED}ke.com/musice/gate.php?hwid={HWID}\u0026pc={Host Name}\u0026localip={Local IP Address}\u0026winver={OS Version}\r\nhttp://www.{BLOCKED}ued.de/aldi/gate.php?hwid={HWID}\u0026pc={Host Name}\u0026localip={Local IP Address}\u0026winver={OS Version}\r\nNOTES:\r\nIt attempts to get stored information such as user names, passwords, and host names from the following browser:\r\nMozilla Firefox\r\nIt steals information such as user names and passwords from the following applications:\r\nPidgin\r\njDownloader\r\nIt also uses the following User-Agent string in its HTTP requests:\r\nAldi Bot FTW :D\r\nSource: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/aldibot",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/aldibot"
	],
	"report_names": [
		"aldibot"
	],
	"threat_actors": [],
	"ts_created_at": 1775439120,
	"ts_updated_at": 1775791226,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b33bca2473dde08f0f705ec71e90d000fbbd2aaf.pdf",
		"text": "https://archive.orkl.eu/b33bca2473dde08f0f705ec71e90d000fbbd2aaf.txt",
		"img": "https://archive.orkl.eu/b33bca2473dde08f0f705ec71e90d000fbbd2aaf.jpg"
	}
}
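Added triage example for the ALDIBOT entry above (editor's code, not Trend Micro's or ORKL's). It turns the two sets of indicators on the page into checks: the gate.php check-in carrying hwid, pc, localip and winver parameters and the "Aldi Bot FTW :D" User-Agent are matched over constructed proxy log lines, and a constructed `reg export` dump is parsed for Run, Active Setup and firewall AuthorizedApplications values whose data points into the user's Application Data folder. The log line format, the example.invalid hostnames, the user name alice and the Active Setup GUID are assumptions; the {BLOCKED} C&C domains on the page are not reproduced.

```python
"""Triage helpers for the ALDIBOT indicators in the entry above.

Added example (editor's code, not from Trend Micro or ORKL). The log lines and
the .reg dump are constructed; .invalid hosts stand in for the {BLOCKED} domains.
"""
import re
from urllib.parse import parse_qs, urlsplit

# --- Network side: the gate.php check-in and the bot's fixed User-Agent ---
BEACON_PARAMS = {"hwid", "pc", "localip", "winver"}
ALDIBOT_UA = "Aldi Bot FTW :D"

# Constructed proxy log (assumed layout): timestamp, client IP, method, URL, quoted User-Agent.
SAMPLE_PROXY_LOG = """\
2026-04-06T01:00:01Z 10.0.0.12 GET http://example.invalid/aldi/gate.php?hwid=AB12CD34&pc=WS-0042&localip=10.0.0.12&winver=XP "Aldi Bot FTW :D"
2026-04-06T01:00:05Z 10.0.0.17 GET http://cdn.example.invalid/js/app.js "Mozilla/5.0"
2026-04-06T01:00:09Z 10.0.0.23 GET http://example.invalid/tt/gate.php?hwid=0F0F0F0F&pc=LAPTOP-7&localip=192.168.1.5&winver=7 "Mozilla/4.0"
2026-04-06T01:00:11Z 10.0.0.30 GET http://shop.example.invalid/gate.php?item=42 "Mozilla/5.0"
"""
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) "(?P<ua>[^"]*)"$')


def classify_request(url, user_agent):
    """Return the reasons a request looks like an ALDIBOT beacon ([] = nothing seen)."""
    reasons = []
    parts = urlsplit(url)
    # Key on the parameter set, not the host: the entry lists five different
    # domains and paths but one gate.php?hwid=&pc=&localip=&winver= shape.
    if parts.path.lower().endswith("/gate.php") and BEACON_PARAMS <= set(parse_qs(parts.query)):
        reasons.append("gate.php with hwid/pc/localip/winver parameters")
    if user_agent == ALDIBOT_UA:
        reasons.append("User-Agent 'Aldi Bot FTW :D'")
    return reasons


def scan_proxy_log(text):
    """Parse log lines; return one hit per suspicious request with the PC name the bot reported."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = classify_request(m["url"], m["ua"])
        if reasons:
            query = parse_qs(urlsplit(m["url"]).query)
            hits.append({"client": m["client"], "pc": query.get("pc", [""])[0], "reasons": reasons})
    return hits


# --- Host side: autorun / Active Setup / firewall-allowlist values in the roaming profile ---
AUTORUN_KEY_MARKERS = (
    r"\software\microsoft\windows\currentversion\run",  # also covers RunOnce
    r"\software\microsoft\active setup\installed components",
    r"\firewallpolicy\standardprofile\authorizedapplications\list",
)
# %Application Data% expanded or not, in both the XP and the Vista+ profile layout.
APPDATA_RE = re.compile(r"%application data%|%appdata%|\\appdata\\roaming\\|\\application data\\", re.I)
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(?:"((?:[^"\\]|\\.)*)"|(.*))$')

# Constructed `reg export` output for an assumed user "alice"; the GUID is made up.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe /background"
"NVidia Physx Service"="C:\\Users\\alice\\AppData\\Roaming\\nvsvc32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-1111-2222-3333-444444444444}]
"Audio Treiber x64"="C:\\Users\\alice\\AppData\\Roaming\\AudioTreiber_x64.exe /ActiveX"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Users\\alice\\AppData\\Roaming\\hklm.exe"="C:\\Users\\alice\\AppData\\Roaming\\hklm.exe:*:Enabled:"
"""


def _unescape(s):
    # .reg files escape backslashes and double quotes with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Yield (key, value_name, data) for every value line in a .reg dump."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key is not None:
            m = VALUE_RE.match(line)
            if m:
                data = m.group(2) if m.group(2) is not None else m.group(3)
                yield key, _unescape(m.group(1)), _unescape(data)


def find_aldibot_persistence(reg_text):
    """Flag autorun-type values whose data lives under the user's Application Data folder."""
    findings = []
    for key, name, data in parse_reg_export(reg_text):
        if any(marker in key.lower() for marker in AUTORUN_KEY_MARKERS) and APPDATA_RE.search(data):
            findings.append({"key": key, "name": name, "data": data})
    return findings


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("beacon:", hit)
    for f in find_aldibot_persistence(SAMPLE_REG_EXPORT):
        print("persistence:", f["name"], "->", f["data"])
```

Matching on the query parameter set rather than on the domain follows from the entry itself: five different hosts share one gate.php query shape, and the bot's User-Agent is a second, independent signal. The host-side check will also flag legitimate software that autostarts from AppData\Roaming, so treat its output as a triage list and confirm hits against the dropped file names and the `/ActiveX` Active Setup data listed above.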