{
	"id": "37ed3474-d924-41d0-ac7f-22eed3976b46",
	"created_at": "2026-04-10T03:20:19.255812Z",
	"updated_at": "2026-04-10T03:22:16.668443Z",
	"deleted_at": null,
	"sha1_hash": "b8da78c60d52b55c608d4826f06bbd2ff5c7932d",
	"title": "Bedep Lurking in Angler's Shadows",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 939288,
	"plain_text": "Bedep Lurking in Angler's Shadows\r\nBy Alexander Chiu\r\nPublished: 2016-02-09 · Archived: 2026-04-10 02:36:17 UTC\r\nThis post is authored by Nick Biasini.\r\nIn October 2015, Talos released our detailed investigation of the Angler Exploit Kit which outlined the infrastructure and monetary impact of an exploit kit campaign delivering ransomware. During the investigation we found that two thirds of Angler's payloads were some variation of ransomware and noted one of the other major payloads was Bedep. Bedep is a malware downloader that is exclusive to Angler. This post will discuss the Bedep side of Angler and draw some pretty clear connections between Angler and Bedep.\r\nAdversaries continue to evolve and have become increasingly good at hiding the connections to the nefarious activities in which they are involved. As security researchers we are always looking for the bread crumbs that can link these threats together to try and identify the connections and the groups that operate them. This is one of those instances where a couple of crumbs came together and formed some unexpected connections. By tying together a couple of registrant accounts, email addresses, and domain activity, Talos was able to track down a group that has connections to threats on multiple fronts including exploit kits, trojans, email worms, and click fraud. These activities all have monetary value, but are difficult to quantify, unlike a ransomware payload with a specific cost to decrypt.\r\nBack in the 0-Day\r\nLet's start a little more than a year ago with the Angler Flash 0-day (CVE-2015-0310). It's not the 0-day that's of interest. Instead, it's the group that was hosting it. This was around the time when Angler began distribution via Domain Shadowing, accounting for the majority of domain activity hosting Angler. Domain Shadowing is the process of leveraging hacked registrant accounts to host malicious activity under subdomains. It started with Angler and has propagated through most exploit kits. What was interesting about the Flash 0-day was that it initially wasn't being hosted using shadowed domains. Instead, it was using registered domains. A sample of the domains being used can be found below.\r\nhttps://blog.talosintelligence.com/bedep-actor/\r\nPage 1 of 12\r\nDuring the investigation, we began looking deeper at these domains and found that they were all registered under a single email address: yingw90@yahoo.com. At this point Talos was already blocklisting the domains associated with this registrant account and began tracking it accordingly.\r\nAngler Research\r\nLet's fast forward to the months leading up to our report published in October 2015. Talos gathered landing page URLs as well as URLs associated with the rest of the Angler infection chain. We looked at additional ways to group and slice the data specifically associated with landing pages. While inspecting the length of the parameters we found something interesting. For 90% of the landing pages, we found the parameters were less than 50 characters in length. The payloads associated with this 90% varied quite considerably, but were predominantly ransomware.\r\nWe found a group of ~10% that had a parameter around 100 characters. That was a significant deviation from what would be considered \"normal\" parameter length. We then began looking at the payloads and found that every instance we traced that had a parameter of greater than 100 was delivering Bedep. There are some interesting implications here. Is it possible that the instance or instances delivering Bedep are different from the instances delivering additional payloads?\r\nThis became an even stronger possibility when we started finding double Angler infections. It started with users being compromised by Angler and getting an initial payload of Bedep. This was followed up with command and control (C2) communication and a download of click fraud software. This is normal behavior for Bedep. However, there was an additional step. At some point after the infection we began seeing users being directed to other Angler instances. These systems were delivering other payloads, most commonly ransomware variants. This seemed to point further to the Angler instances delivering Bedep being different from those delivering other payloads. Why would one Angler user direct their compromised users to other Angler instances?\r\nWe've mentioned the Bedep C2 communication multiple times; the next section will focus on Bedep. Below are some samples of the domains we started to encounter.\r\nBedep\r\nThis is obviously using a domain generating algorithm, or DGA. It's been documented that Bedep makes use of the exchange rates hosted by the European Central Bank as one of the seeds for the DGA, which is an indicator of Bedep infection. If investigating a potential Angler infection and a GET request to www.ecb.europa.eu is observed, there is a high probability the system was compromised with Bedep. We had a large list of DGA based domains and found our first interesting connection.\r\nThe majority of the C2 domains were registered to the same registrant. This registrant also held all of the domains that were first seen hosting the Flash 0-day. There is a basic pattern for Bedep C2: the DGA domains for that particular day are registered, they are active while users connect to them, and then they go dark. We profiled these sites and found that they use the same \"stock\" webpage. A sample of the web page is shown below:\r\nThis is a unique \"stock\" webpage with an image of pills in the header and a section of links in the body. In general these links do not go anywhere, redirecting back to this main page.\r\nRabbit Hole Referers\r\nThe analysis continued with a focus on the referer data, with a couple of interesting discoveries. They have been labeled as \"rabbit hole referers\" because they led us down a rabbit hole of domains, IPs, and compromise. This led us to the threat actor(s) responsible for a significant amount of Angler activity and a close link to the Bedep downloader.\r\nFirst, Talos noticed a set of referers that were using a group of domains that resembled news4newsXXXX.com where XXXX is some variant of year (i.e. 14, 15, 2014, 2015). Leveraging OpenDNS, Talos found that a single registrant account was responsible for all these domains. One interesting thing to note is the use of the BizCN registrar. There has been information around various other exploit kits using BizCN registered domains as a gate. This could be yet another exploit kit making use of the same type of service.\r\nTalos viewed these web pages and they appear to be a normal news site, a sample of which is shown below. However, whenever Angler redirection was found, there were a couple of interesting features. First, the syntax used was similar to the following:\r\nnews4news14[.]com/?source=7-381898\u0026campaign_id=2849\r\nThis syntax indicates it may be part of a malvertising campaign, based on the campaign_id variable. However, browsing to something as simple as 'news4news14.com/?q=junk', the user was directed to an Angler URL with no malicious data served. The second interesting feature relates to the sites that referred to news4newsXXX.com. There were a large number of referers that appeared to be using some sort of search function to direct users.\r\nHowever, Talos was not able to find any legitimate traffic to these domains. They appeared to be used exclusively as referrers. Talos dove deeper on two of these referrers in particular:\r\ndinorinwass[.]com/search.php\r\nwittalparuserigh[.]com\r\nAgain, leveraging OpenDNS, Talos was able to identify more information regarding the first domain.\r\nThe registrant email address potrafamin44as@gmail.com was then used to gather information from DomainTools. This led Talos to a name, 'David Bowers', that had a significant number of domains registered to it, as well as a list of other domains that OpenDNS had categorized as malicious from potrafamin44as@gmail.com. We were also able to pull a screen capture of the default webpage for this site. The results are familiar, but not identical to the other sites. This site makes use of notes in the top left of the header as opposed to the pills present in the other examples.\r\nResearch into some of these domains turned up some interesting results. Talos found that this particular registrant account was also tied to domains associated with other threats including Bedep, Kazy, Symmi, and the Chir mail worm. The registrant held domains that are closely related to those Trojans. As far as its relation to Bedep, we found DGA domains registered to this registrant, as well as domains hosting click-fraud ads. Below are samples of the requests to the DGA as well as a GET request for one of the ads.\r\nSample Bedep DGA\r\nSample Click Fraud Ad\r\nThe name 'David Bowers' became increasingly important when looking through the domains associated with yingw90@yahoo.com. It turns out that the same name and address are being used for a portion of the domains associated with yingw90@yahoo.com.\r\nThe other referer that kept showing up repeatedly was wittalparuserigh[.]com. The interesting part was that we could find numerous instances where that site was a referer to one of the news4news sites, but we could not find a single instance of a user browsing to that page or any subpage directly. At this point, we were curious about the actual redirecting web page contents, so we went to the URL and found:\r\nThat image should look familiar. It is an exact copy of all of the webpages that were found on the sites running the C2 for Bedep. The data pointed to a connection to yingw90@yahoo.com. The next step was to start investigating wittalparuserigh[.]com.\r\nHowever, as shown above, we did not find any reference to yingw90@yahoo.com. Instead we found a different email address associated with the domain. Next we looked at what additional domains were registered with this email address. This user had an interesting mix of websites including normal looking domains, DGA-like domains, and adult websites. It's hard to imagine this user could be linked to Angler, using the same default web page as the Bedep C2 sites, and not have some connection.\r\nTaking these domains and running a quick search in ThreatGrid found matches for some of the domains. Additional analysis shows that this account's domains are tied to multiple different threats, such as a Necurs variant, Kazy, and Lurk.\r\nRecap\r\nLet's pause for a minute and recap all that has been discussed to this point. It started a year ago with the Adobe Flash 0-Day that was incorporated into Angler (CVE-2015-0310). The infrastructure used to deliver the Flash 0-day exploit led Talos to a series of domains that were not shadowed and were registered to a single email address (yingw90@yahoo.com). Talos then started investigating these various leads and ended up with a group of three email addresses:\r\nThere is one final note here. While Talos was continuing its research, @Kafeine posted a story about 'XXX', the true name of the Angler exploit kit. In this post, there was a discussion regarding one of the original Angler users, the indexm.html instance. While looking at the information we noticed something very interesting: some of the domains pointed back to this same email, yingw90@yahoo.com.\r\nAngler Exploit Server Visibility\r\nMoving back to our recent research on Angler, the image below should look familiar. It is the diagram illustrating the infrastructure we exposed.\r\nAfter our research was published, Talos was able to get some information regarding the communications of an Angler exploit server. This included repeated connections on TCP port 225 from the exploit server to another host. This port is actually a reserved IANA port, but in this case was being used as an HTTP server with basic authentication.\r\nThis connection was made repeatedly and each time returned an executable, with a different hash, that was being used to deliver content to the compromised user. This appeared to be the system that was delivering payloads to the users. The payload host was specified in the HTTP transactions, but was not accompanied by DNS requests. We immediately began looking at this host and found an overlap.\r\nThe domain specified in the HTTP requests to the Exploit Server is owned by the same registrant account that was redirecting users to Angler landing pages with a web site using the \"stock\" Bedep C2 web page. This brought the data full circle and cemented the link between Angler and Bedep.\r\nList of Domains Registered\r\nyingw90@yahoo.com Domains\r\npotrafamin44as@gmail.com Domains\r\njohn.bruggink@yahoo.co.uk Domains\r\n*Note that these addresses are actively registering domains so the list may not be exhaustive\r\nConclusion\r\nThe organizations responsible for these exploit kit campaigns are generating millions of dollars in revenue. As a result they are continually evolving to maximize the number of users that are impacted. Security researchers are constantly trying to find common threads or connections between threats or groups of threats. This research is an excellent example of how leveraging little crumbs of information, gathered over long periods of time, can provide meaningful results.\r\nAt this point Talos can draw strong connections between Angler and Bedep. It stands to reason that the instances of Angler that are delivering Bedep are actually tied to Angler itself. This would explain Bedep being leveraged to drive users to other Angler instances. It would ensure, as an Angler customer, that a certain amount of users would be guaranteed to be driven to the Angler instance. This would also tie back to the instance that was initially delivering the Flash 0-day also being owned by the same group. The additional connection on the back-end of Angler activity to the system delivering the payloads is yet another thread that keeps these two groups closely aligned. It's not possible with the data we have to say for certain that the two groups are in fact the same. However, there are a lot of coincidences that we have outlined to make the case that they are at the very least closely related and leveraging some of the same infrastructure.\r\nAdditionally, through this investigation we have found links between these activities and other threats including several different trojans that can be delivered through multiple methods, including as email attachments. This points to a larger organization that is using various threats to infect users for monetary gain.\r\nSource: https://blog.talosintelligence.com/bedep-actor/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.talosintelligence.com/bedep-actor/"
	],
	"report_names": [
		"bedep-actor"
	],
	"threat_actors": [],
	"ts_created_at": 1775791219,
	"ts_updated_at": 1775791336,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b8da78c60d52b55c608d4826f06bbd2ff5c7932d.pdf",
		"text": "https://archive.orkl.eu/b8da78c60d52b55c608d4826f06bbd2ff5c7932d.txt",
		"img": "https://archive.orkl.eu/b8da78c60d52b55c608d4826f06bbd2ff5c7932d.jpg"
	}
}