{
	"id": "4d9e4fff-2fc6-4f06-a267-f23419e2e224",
	"created_at": "2026-04-06T00:15:09.087745Z",
	"updated_at": "2026-04-10T13:11:48.065666Z",
	"deleted_at": null,
	"sha1_hash": "d1a4863c6c64857ffa97790db8fef8798f42f434",
	"title": "Inside a malware campaign: Alina + Dexter + Citadel",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2199619,
	"plain_text": "Inside a malware campaign: Alina + Dexter + Citadel\r\nArchived: 2026-04-05 18:56:09 UTC\r\nI am going to start this article by mentioning that the server i am about to talk was under strong investigations.\r\nBut now i can talk, and there are some interesting things i want to mention about Alina and Dexter (both most\r\npopular PoS malwares for the moment).\r\nPlease note that my Dexter article is from this campaign.\r\nFirst of all, i am in possession of a chat log, and i can certainly affirm that author of dexter (Dice) had Alina\r\nsource, so its possible he coded them both.\r\nThe chat log is between dice and deputat (see my other article who's behind alina).\r\nI previously made an article about Dexter, noticing how offline bot are using red color in both bots.\r\nThere are more similarities, online bots are green , download \u0026 execute, update bot, all are common in both Alina\r\nand Dexter.\r\nEven the filter, to filter out the track2 from the logs is similar.\r\nOn this server, at first everything started from kernelmode.info i was looking to expand my ram scrappers\r\ncollection.\r\nSo i've set some rules on various ram scrapper and i've found Alina like that.\r\nLater i've found one server alive and found installed Citadel, Alina and Dexter, who was potentially dice's server.\r\nSince both Alina and Dexter contain debug information.\r\nAnd about the server... he come from \"off-sho.re\" i don't think i need to talk about his previous exploits.\r\nWe start to have some nice people here... 
:)\r\nThe latest Alina version, v6.x (even if there is no real change between 5.x and 6.x), contains the following debug info: \"C:\\Users\\dice\\Desktop\\src\\grab\\Debug\\alina_dex.pdb\"\r\nAlso seen for deputat.\r\nLet's have a look at these Alina panels; here are the 'logs':\r\nSettings:\r\nStats:\r\nMore panels:\r\nSome track2:\r\nAlina structure is very simple:\r\nProcedure of card verification:\r\nNow for Citadel, here are some screens of the C\u0026Cs:\r\nFor a total of 27025807 reports and 35974 bots just for Citadel.\r\nDexter v1 and v2: 8350 bots\r\nAlina all versions: 2159 bots\r\nTotal: 46k\r\nAnd this is without Pony and some other additional crimeware such as Power Loader v2.\r\nThese kits were here but not really used, so let's skip them.\r\n(folder /pnb/ for Pony and /postnuke/ for PW)\r\nThe screenshots of my Power Loader v2 article also come from this server, if you wonder.\r\nAlso interesting: the Citadel key used in these panels wasn't from the Citab builder.\r\nAnd I found myself as a botnet ID on one of these C\u0026Cs (lol?).\r\n/armani/:\r\nBotnet ID: alfabeta, axlogax, brand_new, haha, LLLLL, logmein, menu, menu2, omega, POS, text_corn, u, update, we_we_we, xyl\r\nKey: 4FB85153B10262ECF5028F67AD1F9B00\r\nLogin key: 20038735198F82BC8495A2C1B01A9210\r\n/carfca/:\r\nBotnet ID: rf\r\nKey: 94D3A279A412235D0360525484067CF1\r\nLogin key: 20038735198F82BC8495A2C1B01A9210\r\n/coconut/:\r\nBotnet ID: n/a\r\nKey: D83F6D1EAAB24EC38883D1CC68C5F49A\r\nLogin key: 20038735198F82BC8495A2C1B01A9210\r\n/justme/:\r\nBotnet ID: just\r\nKey: B143D3D208CF08B4835B37C27BAF8FCD\r\nLogin key: 20038735198F82BC8495A2C1B01A9210\r\n/pmserver/:\r\nBotnet ID: n/a\r\nKey: 0FBDED178A0F7C7D371E0C3F8826C309\r\nLogin key: 20038735198F82BC8495A2C1B01A9210\r\n/supernew/:\r\nBotnet ID: xxaaxxaaxx, canadas\r\nKey: D83F6D1EAAB24EC38883D1CC68C5F49A\r\nLogin key: 20038735198F82BC8495A2C1B01A9210\r\n/uae/:\r\nBotnet ID: test\r\nKey: 92B00C09C2301FB465FD688DE179C2E9\r\nLogin key: 20038735198F82BC8495A2C1B01A9210\r\nJohn Doe 15 according to Microsoft:\r\nAs you can see, the panel inside the folder /armani/ has a Botnet ID 'POS' and many other relations with the operating botnets that Microsoft identified.\r\nThe bad guys behind it were pushing Dexter and Alina with Citadel scripts; Citadel itself was pushed via an exploit kit.\r\nAs for the infected PoS machines, they probably bought them on the black market... no idea.\r\nThe Citadel panels were well organised: each group got different payloads depending on the country and machine.\r\nThe malware was varied and was downloaded from compromised sites like:\r\nhttp://vxvault.siri-urz.net/ViriList.php?MD5=1EFEB85C8EC2C07DC0517CCCA7E8D743\r\nhttp://vxvault.siri-urz.net/ViriList.php?MD5=133B384F0A4D66809815BAD06AA47AE4\r\nThese MD5s are known and were found on compromised servers/used as Citadel scripts:\r\nFor the Botnet ID 'xyl' only two bots were inside, and I wasn't one of them :)\r\nThat happens sometimes: bad guys use my nick in their malware configurations; they probably have a problem of inspiration (or is it simply due to the noise I made after I found one of their samples?).\r\nNowadays a small number of bots are still calling the sinkholes; almost all infected systems call with 'Alina' referrers.\r\nFrom the sinkhole logs, bots call mostly from Canada; this country was the main target in this campaign.\r\nCitadel webinjects were targeting BMO (Bank of Montreal) and even some corporates specialised in Point-Of-Sale like Moneris.\r\nHow did this campaign end?\r\nThe bad guys behind it pulled the emergency brake when Microsoft filed the lawsuit against Citadel users (botnetlegalnotice.com). Domains of Alina got sinkholed, and the server that was accessible by IP was gone a few weeks after (the box got formatted).\r\nAnd there were no more new Citadel builds related to this login key; new Alina infections appeared after that.\r\nThe Dexter and Alina packages were found for sale months after, probably to erase traces.\r\nIt's also why these days we can see some new Dexter and Alina activity: people are reselling them.\r\nFor Dexter, the last botnet I spotted was hosted on 62.76.44.111\r\nThe C\u0026C files were exactly the same as in the Alina+Dexter+Citadel campaign.\r\nBy exactly the same I mean that some 'test files' totally unrelated to Dexter that I found on the old campaign were also present on this server.\r\nThat made me think the bad guys sold the content of the server in a hurry.\r\nHere are some screenshots; the version used here is also 'StarDust' (like in the campaign):\r\n4946 dumps.\r\nSome panels were very interesting, like this one, which has a version 'Millenium':\r\nInteresting even with infected systems:\r\nUsername: Manage_ATM\r\nComputer name: DIEBOLD-B79E854\r\nThis machine has dumps, obviously:\r\nThere is also a weird process running according to the logs...\r\nDid they infect an ATM? It seems so.\r\nInstalling a VNC backdoor:\r\nThe machine is running a process of ATMeye.iQ.\r\nFrom what I've seen, it's a video/fraud surveillance system for ATMs.\r\nI have no idea if this application was used by the bad guys to try to get PINs, but it seems he was interested in the archived video of the ATM surveillance:\r\nThe bad guys uploaded/deleted some stuff via FTP:\r\nDeleting logs:\r\nTrying to shut down the ATM after erasing traces?\r\nAnother panel, fewer dumps:\r\n/base1/ uses the same db as /b2/:\r\nPanel fucked-up:\r\nAnother panel:\r\nThe guys downloaded and uploaded several files on these infected machines, like password crackers, network scanners, and card scanners.\r\nWant some math too for this Dexter panel?\r\n21138 credit card dumps stolen.\r\nFrom the server, a Zbot panel was also there according to the SQL db, but empty: no reports, no bots.\r\nCrazy stuff anyway; how did they manage to get inside these PoS?\r\nAnd the answer is...: weak VNC/RDP passwords, as usual.\r\nFor the Diebold ATM I still have no idea; I scanned the IP but no remote service is open.\r\n\"1234\" lol seriously... guys...\r\nSame lame password on the RDP protocol:\r\nI brute forced those infected systems to retrieve the malware myself; here are some hashes:\r\nIf Visa warns merchants almost every time in their \"data security bulletins\" about weak passwords, there is a reason.\r\nYou are looking for a Dexter decoder? This is the right place.\r\n\u003c?php\r\n// Dexter check-in fields are base64(data XOR key); the key itself is sent base64-encoded in the 'val' parameter.\r\nfunction _xor($src, $key) {\r\n    // XOR every byte of $src with every byte of $key (the decoder's original scheme, kept unchanged)\r\n    for ($i = 0; $i \u003c strlen($src); $i++)\r\n        for ($x = 0; $x \u003c strlen($key); $x++)\r\n            $src[$i] = $src[$i] ^ $key[$x];\r\n    return $src;\r\n}\r\nfunction DecodeDecrypt($src, $key) {\r\n    return _xor(base64_decode($src), $key);\r\n}\r\nif (isset($_POST['query']) \u0026\u0026 !is_array($_POST['query']) \u0026\u0026 $_POST['query'] !== '') {\r\n    $query = $_POST['query'];\r\n    if (strstr($query, '\u0026') !== false) {\r\n        $vars = explode('\u0026', $query);\r\n        $data = array();\r\n        foreach ($vars as $var) {\r\n            if (strstr($var, '=') !== false) {\r\n                $_ = explode('=', $var, 2);\r\n                // accept only alphabetic parameter names and base64 values ('+', '/' and '=' are valid base64 characters)\r\n                if (ctype_alpha($_[0]) \u0026\u0026 preg_match('~^[A-Za-z0-9+/=]+$~', $_[1])) {\r\n                    $data[$_[0]] = $_[1];\r\n                }\r\n            }\r\n        }\r\n        if (!isset($data['val']))\r\n            echo('Cannot get the encryption key...');\r\n        else {\r\n            $key = base64_decode($data['val']);\r\n            echo('Encryption key: ' . htmlentities($key) . ' - ');\r\n            // parameter name =\u003e label; the IP is carried in 'view' (the original decoder tested 'ip' but decoded 'view')\r\n            $fields = array('page' =\u003e 'UID', 'unm' =\u003e 'Username', 'cnm' =\u003e 'Computer', 'query' =\u003e 'OS', 'spec' =\u003e 'Arch', 'opt' =\u003e 'Idle', 'var' =\u003e 'Version', 'view' =\u003e 'IP', 'ks' =\u003e 'Keylog', 'ump' =\u003e 'Dump');\r\n            // decoded values come from the bot, so they are HTML-escaped before being echoed\r\n            foreach ($fields as $param =\u003e $label) {\r\n                echo($label . ': ' . ((!isset($data[$param])) ? 'Cannot get ' . $label . '...' : htmlentities(DecodeDecrypt($data[$param], $key))) . ' - ');\r\n            }\r\n        }\r\n    }\r\n}\r\n?\u003e\r\nThat was for Dexter; now about Alina: yes, they still use it, and even more clumsily; like for Dexter, people try to sell it.\r\nReported here by exitthematrix; I saw the sale thread too before an admin removed it for 'fraud' (the guy was even selling passports) but I didn't take a screenshot, thinking it was not serious.\r\nAlina 5.3 source code:\r\nTrack2 scanner proc in Alina:\r\nThis Alina + Dexter + Citadel campaign was probably disastrous for a lot of people; I even received mails from merchants who told me that they got infected, and this while the campaign was still running.\r\nCombining the cream of RAM scrapers with banking trojans can do a lot of damage.\r\nMicrosoft reacted with good timing and destroyed a lot of campaigns.\r\nSource: https://www.xylibox.com/2013/10/inside-malware-campaign-alina-dexter.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.xylibox.com/2013/10/inside-malware-campaign-alina-dexter.html"
	],
	"report_names": [
		"inside-malware-campaign-alina-dexter.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434509,
	"ts_updated_at": 1775826708,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d1a4863c6c64857ffa97790db8fef8798f42f434.pdf",
		"text": "https://archive.orkl.eu/d1a4863c6c64857ffa97790db8fef8798f42f434.txt",
		"img": "https://archive.orkl.eu/d1a4863c6c64857ffa97790db8fef8798f42f434.jpg"
	}
}