{
	"id": "f6370b3f-0e56-4adc-b1b5-d13aaec13eff",
	"created_at": "2026-04-06T00:13:37.808042Z",
	"updated_at": "2026-04-10T03:20:34.273046Z",
	"deleted_at": null,
	"sha1_hash": "ceddcc68bdafcb5807db262bb725578efd0a8d21",
	"title": "Sly malware author hides cryptomining botnet behind ever-shifting proxy service",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 57603,
	"plain_text": "Sly malware author hides cryptomining botnet behind ever-shifting\r\nproxy service\r\nBy Written by Catalin Cimpanu, ContributorContributor Sept. 13, 2018 at 4:04 p.m. PT\r\nArchived: 2026-04-05 15:32:36 UTC\r\nSecurity\r\nWithout a doubt, botnets focused on cryptocurrency mining operations have been one of the most active forms of\r\nmalware infections in 2018.\r\nNew botnets are appearing left and right if we are to believe security researchers from Chinese security firm\r\nQihoo 360, who said this week that they are discovering new instances on a daily basis.\r\nNot all of them may be profitable, as a recent Malwarebytes report has shown, but that doesn't stop cyber-criminals from trying.\r\nAlso: Why cryptocurrency mining malware is the new ransomware\r\nAlthough most botnets are a carbon copy of one another, once in a while researchers spot one that stands out\r\nabove the crowd. This week, the cryptomining botnet that took the crown in terms of creativity was one\r\ndiscovered by the Netlab team at Qihoo 360.\r\nngrok-botnet.png\r\nAnd according to the Netlab team, the thing that stood out about this botnet was that instead of letting infected\r\nbots connect to a remote server via a direct connection, its authors were using the ngrok.com service instead.\r\nAlso: 7 tips for SMBs to improve data security TechRepublic\r\nFor readers unaware of ngrok, this site is a simple reverse proxy used to let Internet-based users connect to servers\r\nlocated behind firewalls or on local machines that don't have a public IP address.\r\nThe service is very popular with enterprises because it allows employees a way to connect to corporate intranets.\r\nThe service is also used by home users, usually freelance developers, to let customers preview applications that\r\nare under development.\r\nIn most cases, a user hosts a server on his local machine, registers with ngrok, and gets a public URL in the form\r\nof [random_string].ngrok.io that he then shares with a customer or friend to let him preview an ongoing project.\r\nhttps://www.zdnet.com/article/sly-malware-author-hides-cryptomining-botnet-behind-ever-shifting-proxy-service/\r\nPage 1 of 3\n\nAlso: Windows and Linux Kodi users infected with cryptomining malware\r\nAccording to Netlab researcher Hui Wang, at least one cryptomining botnet operator is also familiar with this\r\nservice and has been using it to host a command and control (C\u0026C) server behind ngrok's proxy network.\r\nBut besides anonymity, the botnet operator also appears to have indirectly gained a resilience against any\r\nattempted takedowns of his C\u0026C server.\r\nAs Hui explains, this happens because ngrok.io URLs stay online for only around 12 hours, and by the time\r\nsecurity researchers identify a new C\u0026C URL, the ngrok.io link changes to a new one, hiding the botnet from\r\nresearchers once more. This allows the botnet to survive more than other botnets that host C\u0026C servers on popular\r\nhosting platforms where security firms can usually intervene via abuse requests.\r\nAlso: Best Home Security Devices for 2018 CNET\r\nBut that's where the botnet's creativity ends. Besides the nifty C\u0026C trick, this particular botnet uses a somewhat\r\nsimple make-up for its internal structure.\r\nHui says the botnet consists of four major components, all which have self-explaining names. The Scanner scans\r\nthe Internet for applications vulnerable to known exploits; the Reporter takes care of client-server\r\ncommunications; the Loader downloads and infects a host; and the Miner is the actual app installed on the server\r\nthat generates cryptocurrency for the botnet operator.\r\nAlso: New Hakai IoT botnet takes aim at D-Link, Huawei, and Realtek routers\r\nCurrently, Hui says the botnet is targeting an assortment of web applications and CMSs, such as Drupal, ModX,\r\nDocker, Jenkins, Redis, and CouchDB.\r\nThere's also a module to scan for local Ethereum wallets, but this is not active. On the other hand, a module that\r\ninjects the Coinhive JavaScript library in all of the server's JS files is active, meaning the botnet will also mine\r\nMonero inside the browsers of users visiting a site hosted on the infected servers.\r\nThis particular botnet is not extremely successful when compared to other botnets that have made millions of US\r\ndollars, and according to Hui, its operator made roughly 70 XMR coins, which is around $7,800. In terms of\r\nbotnet operations, this is only pocket money.\r\nA technical analysis and some indicators of compromise (IOCs) are available in Netlab's report, here.\r\nThese are 2018's biggest hacks, leaks, and data breaches\r\nPrevious and related coverage:\r\nWhat is malware? Everything you need to know\r\nCyber attacks and malware are one of the biggest threats on the internet. Learn about the different types of\r\nmalware - and how to avoid falling victim to attacks.\r\nSecurity 101: Here's how to keep your data private, step by step\r\nhttps://www.zdnet.com/article/sly-malware-author-hides-cryptomining-botnet-behind-ever-shifting-proxy-service/\r\nPage 2 of 3\n\nThis simple advice will help to protect you against hackers and government surveillance.\r\nVPN services 2018: The ultimate guide to protecting your data on the internet\r\nWhether you're in the office or on the road, a VPN is still one of the best ways to protect yourself on the big, bad\r\ninternet.\r\nSource: https://www.zdnet.com/article/sly-malware-author-hides-cryptomining-botnet-behind-ever-shifting-proxy-service/\r\nhttps://www.zdnet.com/article/sly-malware-author-hides-cryptomining-botnet-behind-ever-shifting-proxy-service/\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE"
	],
	"references": [
		"https://www.zdnet.com/article/sly-malware-author-hides-cryptomining-botnet-behind-ever-shifting-proxy-service/"
	],
	"report_names": [
		"sly-malware-author-hides-cryptomining-botnet-behind-ever-shifting-proxy-service"
	],
	"threat_actors": [],
	"ts_created_at": 1775434417,
	"ts_updated_at": 1775791234,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ceddcc68bdafcb5807db262bb725578efd0a8d21.pdf",
		"text": "https://archive.orkl.eu/ceddcc68bdafcb5807db262bb725578efd0a8d21.txt",
		"img": "https://archive.orkl.eu/ceddcc68bdafcb5807db262bb725578efd0a8d21.jpg"
	}
}