{ "id": "08720fa0-470e-4886-8625-44b8ef19acd4", "created_at": "2026-04-06T00:21:17.942109Z", "updated_at": "2026-04-10T03:36:33.401829Z", "deleted_at": null, "sha1_hash": "cf717c301211689bdeba2d216f9e69a0b97ec5ad", "title": "Heloag has rather no friends, just a master", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 411334, "plain_text": "Heloag has rather no friends, just a master\r\nBy Georg Wicherski\r\nPublished: 2010-05-03 · Archived: 2026-04-05 16:21:34 UTC\r\nIncidents\r\nIncidents\r\n03 May 2010\r\n 1 minute read\r\nhttps://securelist.com/heloag-has-rather-no-friends-just-a-master/29693/\r\nPage 1 of 4\n\nJose Nazario of Arbor Networks recently posted an analysis of Trojan.Heloag on their blog, mentioning that some\r\nobserved behaviour might be related to Peer-to-Peer C\u0026C functionality. However, Jose’s analysis was dynamic\r\nonly and thus he was not certain about this when I contacted him (also thanks to Alex Cox for sharing network\r\ntraces of his honeypot). Being interested in Peer-to-Peer botnets (e.g. Stormfucker: Owning the Storm Botnet\r\n[MP4 Video]), I had to take a deeper look.\r\nThe Heloag binaries I’ve looked at (6ede527bb5aa65eae8049ac955b1018d dropped by\r\nd9b14a7bc0334458d99e666e553f0ee0) did not contain any Peer-to-Peer C\u0026C functionality! Instead, the bot\r\nrather speaks a very simple protocol over TCP with the following command types supported (encoded as the first\r\nbyte of the packet):\r\n1. 1 DDoS another host using different techniques:\r\nTCP DDoS, connect(..) based (does not send data)\r\nUDP DDoS, sendto(..) based (sends some random data)\r\nHTTP DDoS requesting / with User-Agent “helloAgent”, InternetOpenUrlA based\r\nHTTP DDoS crawling links from / with User-Agent “Google page”\r\n2. 2 Download and execute an URL of up to 0xA4 bytes, zero-padded URL\r\n3. 3 Send the current computer name\r\n4. 4 Stop with the currently executing DDoS command\r\n5. 5 Disconnect from current server and connect to new C\u0026C server\r\nhttps://securelist.com/heloag-has-rather-no-friends-just-a-master/29693/\r\nPage 2 of 4\n\nDisassembly for function 4\r\nThis means that even though during dynamic analysis, multiple C\u0026C servers were observed, it is just some kind\r\nof hand-over to another C\u0026C server which can be used for load-balancing or renting out bots. Since there is\r\nalways only one server, the bot is connected to at a time, this does not add a lot to take-down resilience (phew!).\r\nStill, this is an intersting specimen regarding malware authorship. What strikes immediately into the eye is that\r\nwhile for most of the commands, there is exactly one control byte, DDoS commands are all encoded in the same\r\nbyte. The additional payload of this commands then controls what DDoS is carried out to where. Instead of using\r\none type byte like for control bytes, this code uses different boolean bytes in the payload for controling DDoS\r\ntypes. Additionally, the DDoS related code makes heavy usage of C++ std::string’s while the rest of the main code\r\nuses wsprintf for string handling. It looks like this project was implemented by two different individuals\r\ncollaborating or at least one buying some source from the other.\r\nThis malware is pretty certainly from China. First, the usage of wsprintf underlines non-western character aware\r\npath names, which you rarely see in malware with western origins. Additionally, there is one Chinese IP\r\nhardcoded in the binary, which cannot be attacked by DDoS, no matter what command is given to the bot (and this\r\nis checked after DNS resolution).\r\nhttps://securelist.com/heloag-has-rather-no-friends-just-a-master/29693/\r\nPage 3 of 4\n\nLatest Posts\r\nLatest Webinars\r\nReports\r\nKaspersky researchers analyze updated CoolClient backdoor and new tools and scripts used in HoneyMyte (aka\r\nMustang Panda or Bronze President) APT campaigns, including three variants of a browser data stealer.\r\nKaspersky discloses a 2025 HoneyMyte (aka Mustang Panda or Bronze President) APT campaign, which uses a\r\nkernel-mode rootkit to deliver and protect a ToneShell backdoor.\r\nKaspersky GReAT experts analyze the Evasive Panda APT’s infection chain, including shellcode encrypted with\r\nDPAPI and RC5, as well as the MgBot implant.\r\nKaspersky expert describes new malicious tools employed by the Cloud Atlas APT, including implants of their\r\nsignature backdoors VBShower, VBCloud, PowerShower, and CloudAtlas.\r\nSource: https://securelist.com/heloag-has-rather-no-friends-just-a-master/29693/\r\nhttps://securelist.com/heloag-has-rather-no-friends-just-a-master/29693/\r\nPage 4 of 4", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "references": [ "https://securelist.com/heloag-has-rather-no-friends-just-a-master/29693/" ], "report_names": [ "29693" ], "threat_actors": [ { "id": "77b28afd-8187-4917-a453-1d5a279cb5e4", "created_at": "2022-10-25T15:50:23.768278Z", "updated_at": "2026-04-10T02:00:05.266635Z", "deleted_at": null, "main_name": "Inception", "aliases": [ "Inception Framework", "Cloud Atlas" ], "source_name": "MITRE:Inception", "tools": [ "PowerShower", "VBShower", "LaZagne" ], "source_id": "MITRE", "reports": null }, { "id": "04a7ebaa-ebb1-4971-b513-a0c86886d932", "created_at": "2023-01-06T13:46:38.784965Z", "updated_at": "2026-04-10T02:00:03.099088Z", "deleted_at": null, "main_name": "Inception Framework", "aliases": [ "Clean Ursa", "Cloud Atlas", "G0100", "ATK116", "Blue Odin" ], "source_name": "MISPGALAXY:Inception Framework", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "f35997d9-ca1e-453f-b968-0e675cc16d97", "created_at": "2023-01-06T13:46:39.490819Z", "updated_at": "2026-04-10T02:00:03.345364Z", "deleted_at": null, "main_name": "Evasive Panda", "aliases": [ "BRONZE HIGHLAND" ], "source_name": "MISPGALAXY:Evasive Panda", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "b69037ec-2605-4de4-bb32-a20d780a8406", "created_at": "2023-01-06T13:46:38.790766Z", "updated_at": "2026-04-10T02:00:03.101635Z", "deleted_at": null, "main_name": "MUSTANG PANDA", "aliases": [ "Stately Taurus", "LuminousMoth", "TANTALUM", "Twill Typhoon", "TEMP.HEX", "Earth Preta", "Polaris", "BRONZE PRESIDENT", "HoneyMyte", "Red Lich", "TA416" ], "source_name": "MISPGALAXY:MUSTANG PANDA", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "05cb998c-6e81-47f0-9806-ee4fda72fe0a", "created_at": "2024-11-01T02:00:52.763555Z", "updated_at": "2026-04-10T02:00:05.263997Z", "deleted_at": null, "main_name": "Daggerfly", "aliases": [ "Daggerfly", "Evasive Panda", "BRONZE HIGHLAND" ], "source_name": "MITRE:Daggerfly", "tools": [ "PlugX", "MgBot", "BITSAdmin", "MacMa", "Nightdoor" ], "source_id": "MITRE", "reports": null }, { "id": "812f36f8-e82b-41b6-b9ec-0d23ab0ad6b7", "created_at": "2023-01-06T13:46:39.413725Z", "updated_at": "2026-04-10T02:00:03.31882Z", "deleted_at": null, "main_name": "BRONZE HIGHLAND", "aliases": [ "Evasive Panda", "Daggerfly" ], "source_name": "MISPGALAXY:BRONZE HIGHLAND", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "6daadf00-952c-408a-89be-aa490d891743", "created_at": "2025-08-07T02:03:24.654882Z", "updated_at": "2026-04-10T02:00:03.645565Z", "deleted_at": null, "main_name": "BRONZE PRESIDENT", "aliases": [ "Earth Preta ", "HoneyMyte ", "Mustang Panda ", "Red Delta ", "Red Lich ", "Stately Taurus ", "TA416 ", "Temp.Hex ", "Twill Typhoon " ], "source_name": "Secureworks:BRONZE PRESIDENT", "tools": [ "BlueShell", "China Chopper", "Claimloader", "Cobalt Strike", "HIUPAN", "ORat", "PTSOCKET", "PUBLOAD", "PlugX", "RCSession", "TONESHELL", "TinyNote" ], "source_id": "Secureworks", "reports": null }, { "id": "19ac84cc-bb2d-4e0c-ace0-5a7659d89ac7", "created_at": "2022-10-25T16:07:23.422755Z", "updated_at": "2026-04-10T02:00:04.592069Z", "deleted_at": null, "main_name": "Bronze Highland", "aliases": [ "Daggerfly", "Digging Taurus", "Evasive Panda", "Storm Cloud", "StormBamboo", "TAG-102", "TAG-112" ], "source_name": "ETDA:Bronze Highland", "tools": [ "Agentemis", "CDDS", "CloudScout", "Cobalt Strike", "CobaltStrike", "DazzleSpy", "KsRemote", "LOLBAS", "LOLBins", "Living off the Land", "MacMa", "Macma", "MgBot", "Mgmbot", "NetMM", "Nightdoor", "OSX.CDDS", "POCOSTICK", "RELOADEXT", "Suzafk", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "9baa7519-772a-4862-b412-6f0463691b89", "created_at": "2022-10-25T15:50:23.354429Z", "updated_at": "2026-04-10T02:00:05.310361Z", "deleted_at": null, "main_name": "Mustang Panda", "aliases": [ "Mustang Panda", "TA416", "RedDelta", "BRONZE PRESIDENT", "STATELY TAURUS", "FIREANT", "CAMARO DRAGON", "EARTH PRETA", "HIVE0154", "TWILL TYPHOON", "TANTALUM", "LUMINOUS MOTH", "UNC6384", "TEMP.Hex", "Red Lich" ], "source_name": "MITRE:Mustang Panda", "tools": [ "CANONSTAGER", "STATICPLUGIN", "ShadowPad", "TONESHELL", "Cobalt Strike", "HIUPAN", "Impacket", "SplatCloak", "PAKLOG", "Wevtutil", "AdFind", "CLAIMLOADER", "Mimikatz", "PUBLOAD", "StarProxy", "CorKLOG", "RCSession", "NBTscan", "PoisonIvy", "SplatDropper", "China Chopper", "PlugX" ], "source_id": "MITRE", "reports": null }, { "id": "4f7d2815-7504-4818-bf8d-bba18161b111", "created_at": "2025-08-07T02:03:24.613342Z", "updated_at": "2026-04-10T02:00:03.732192Z", "deleted_at": null, "main_name": "BRONZE HIGHLAND", "aliases": [ "Daggerfly", "Daggerfly ", "Evasive Panda ", "Evasive Panda ", "Storm Bamboo " ], "source_name": "Secureworks:BRONZE HIGHLAND", "tools": [ "Cobalt Strike", "KsRemote", "Macma", "MgBot", "Nightdoor", "PlugX" ], "source_id": "Secureworks", "reports": null }, { "id": "02c9f3f6-5d10-456b-9e63-750286048149", "created_at": "2022-10-25T16:07:23.722884Z", "updated_at": "2026-04-10T02:00:04.72726Z", "deleted_at": null, "main_name": "Inception Framework", "aliases": [ "ATK 116", "Blue Odin", "Clean Ursa", "Cloud Atlas", "G0100", "Inception Framework", "Operation Cloud Atlas", "Operation RedOctober", "The Rocra" ], "source_name": "ETDA:Inception Framework", "tools": [ "Lastacloud", "PowerShower", "VBShower" ], "source_id": "ETDA", "reports": null }, { "id": "2ee03999-5432-4a65-a850-c543b4fefc3d", "created_at": "2022-10-25T16:07:23.882813Z", "updated_at": "2026-04-10T02:00:04.776949Z", "deleted_at": null, "main_name": "Mustang Panda", "aliases": [ "Bronze President", "Camaro Dragon", "Earth Preta", "G0129", "Hive0154", "HoneyMyte", "Mustang Panda", "Operation SMUGX", "Operation SmugX", "PKPLUG", "Red Lich", "Stately Taurus", "TEMP.Hex", "Twill Typhoon" ], "source_name": "ETDA:Mustang Panda", "tools": [ "9002 RAT", "AdFind", "Agent.dhwf", "Agentemis", "CHINACHOPPER", "China Chopper", "Chymine", "ClaimLoader", "Cobalt Strike", "CobaltStrike", "DCSync", "DOPLUGS", "Darkmoon", "Destroy RAT", "DestroyRAT", "Farseer", "Gen:Trojan.Heur.PT", "HOMEUNIX", "Hdump", "HenBox", "HidraQ", "Hodur", "Homux", "HopperTick", "Hydraq", "Impacket", "Kaba", "Korplug", "LadonGo", "MQsTTang", "McRAT", "MdmBot", "Mimikatz", "NBTscan", "NetSess", "Netview", "Orat", "POISONPLUG.SHADOW", "PUBLOAD", "PVE Find AD Users", "PlugX", "Poison Ivy", "PowerView", "QMAGENT", "RCSession", "RedDelta", "Roarur", "SPIVY", "ShadowPad Winnti", "SinoChopper", "Sogu", "TIGERPLUG", "TONEINS", "TONESHELL", "TVT", "TeamViewer", "Thoper", "TinyNote", "WispRider", "WmiExec", "XShellGhost", "Xamtrav", "Zupdax", "cobeacon", "nbtscan", "nmap", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434877, "ts_updated_at": 1775792193, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/cf717c301211689bdeba2d216f9e69a0b97ec5ad.pdf", "text": "https://archive.orkl.eu/cf717c301211689bdeba2d216f9e69a0b97ec5ad.txt", "img": "https://archive.orkl.eu/cf717c301211689bdeba2d216f9e69a0b97ec5ad.jpg" } }