{
	"id": "832d8054-0b95-4f45-baf1-f43578b71c2e",
	"created_at": "2026-04-06T00:07:34.194568Z",
	"updated_at": "2026-04-10T03:20:49.411753Z",
	"deleted_at": null,
	"sha1_hash": "dd25c6faa519869f9bbc12036d7fa0f23f907914",
	"title": "Win32/Napolar – A new bot on the block",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 281714,
	"plain_text": "Win32/Napolar – A new bot on the block\r\nBy Pierre-Marc Bureau\r\nArchived: 2026-04-05 15:51:40 UTC\r\nThere is a new bot on the block. ESET identifies it as Win32/Napolar while its author calls it solarbot. This piece of malware came to our attention mid-August because of its interesting anti-debugging and code injection techniques. It recently attracted general attention when it was discussed on various reverse engineering forums.\r\nThis malware can serve multiple purposes. The three main ones are to conduct Denial of Service attacks, to act as a SOCKS proxy server, and to steal information from infected systems. The malware is able to hook into various browsers to steal information that is submitted in web forms.\r\nWe have uncovered many details about this bot since it became active at the end of July, with in-the-wild infections starting mid-August. There have been reports of thousands of infections, many of them in South America. The countries with the most infections are Peru, Ecuador, and Colombia. More information on the geographical distribution for this threat can be found on virusradar.\r\nThe author of Win32/Napolar uses a website to promote it. The website looks very professional and contains detailed information about the bot, including the cost ($200 USD for each build) and even a complete change-log of the evolution of the code.\r\nAlthough we have not yet directly seen Win32/Napolar being distributed in the wild, it seems likely that this threat has been spread through Facebook. Since the malware has the ability to steal Facebook credentials, its operator can reuse those credentials to send messages from compromised accounts and try to infect the victim’s friends. Below is a list of filenames we have seen used by this malware family:\r\nPhoto_032.JPG_www.facebook.com.exe\r\nPhoto_012-WWW.FACEBOOK.COM.exe\r\nPhoto_014-WWW.FACEBOOK.COM.exe\r\nInterestingly enough, the use of doubled file extensions (*.JPG.EXE, *.TXT.EXE and so forth) to obfuscate a file's true extension is an old trick, dating back to Windows 95, but apparently still in use. What is funny about the usage in this particular instance is that the author of Win32/Napolar does not seem to realize that .COM is a valid, if somewhat old, extension for executable files and that these filenames would have allowed their execution without the added .EXE extension. A very recent blog by our colleagues at AVAST confirms they have also seen similar infection vectors.\r\nIn this blog post, we will show some of the anti-debugging tricks used by Win32/Napolar. These tricks were seen in early versions of this malware family. Most recent variants also use third party packers to evade antivirus detection and slow down manual reverse engineering.\r\nhttps://www.welivesecurity.com/2013/09/25/win32napolar-a-new-bot-on-the-block/\r\nPage 1 of 9\n\nWe will then explain the Win32/Napolar command and control (C\u0026C) protocol. Finally, we will show some of the information that was retrieved from the promotional website before it was taken offline.\r\nAnti-debugging Techniques\r\nWhen analyzing Win32/Napolar binaries, the first thing to notice is that there is no valid entry point in the PE header, as shown in the figure below.\r\nThe first instructions that are executed when the binary is started are saved in the Thread Local Storage (TLS) functions. There are two TLS functions registered. The first TLS function does not do anything. The second function decrypts more code using the RC4 encryption algorithm and the key 0xDEADBEEF. The decrypted code is registered as a third TLS function before the second function returns, as shown in the code extract below.\r\nThe third TLS function decrypts the rest of the code before calling the main body of the malware. The malware uses other tricks to make itself harder to analyze:\r\nAll imports are resolved at runtime using hashes instead of the import names.\r\nInteractions with the operating system are mostly done by directly calling undocumented functions of the NTDLL library instead of using the standard APIs.\r\nAll the code is position-independent.\r\nTo find the offset of its own code that will be decrypted, Win32/Napolar searches through its memory for the opcode 0x55. This opcode represents “push ebp”, the first instruction of the current function in assembly language. If this instruction is replaced by 0xCC, the opcode for a software breakpoint, the decryption of the code will not work. This is a clever way of altering the behavior of the malware if it is being analyzed with a debugger and if a software breakpoint is put on the first instruction of the TLS.\r\nWin32/Napolar has more anti-debugging tricks. To make dynamic analysis harder, Win32/Napolar will create a child process of itself and will debug this new instance. The screenshot below shows the call to CreateProcess. The software protection technique of self-debugging has been seen before, but in the case of Win32/Napolar the trick happens in the main body of the malware, not in the packer.\r\nOnce the debugged process is started, Win32/Napolar will enter a loop that handles debugging events returned by the function WaitForDebugEvent. Pseudocode for the loop handling debugging events is presented below.\r\nThe first event handled by this code is CREATE_PROCESS_DEBUG_EVENT. This event takes place when the debugged process is started. In this case, the main process will parse the MZ and PE headers of the debugged process in order to retrieve the offset and size of the position-independent code. It will then allocate another area of memory in the debugged process in which to inject the code. This creates two copies of the same code in the same process.\r\nThe next event is EXCEPTION_DEBUG_EVENT. In this second event, the main process overwrites the first TLS function of the binary so as to redirect execution to the beginning of the executable, using a push – ret instruction sequence. This, once again, decrypts the main body of the malware and lets it execute within the child process. It is the code of the child process that then proceeds to inject itself into the other running processes, hooking various functions to hide its presence on the system and capture the desired information.\r\nFinally, the main process receives the EXIT_PROCESS_DEBUG_EVENT event; it stops debugging by calling the function DebugActiveProcessStop and terminates its own process using NtTerminateProcess.\r\nOne of the main characteristics of Win32/Napolar is its ability to steal information when a user fills in a web form in a web browser. Trusteer’s browser protection probably stops the malware from capturing this information. This is why the malware has specific checks for Trusteer products. It will iterate through all the running processes and specifically kill any process that has the string “trusteer” in it. We did not perform any test to confirm whether or not this attempt at disabling Trusteer’s product is successful.\r\nNetwork behavior\r\nWhen communicating with its command and control server, Win32/Napolar uses the HTTP protocol. The first query sent by the bot to the command and control server contains the following information:\r\nVersion of the bot\r\nCurrent Windows username of the infected user\r\nComputer name\r\nA unique bot identifier\r\nVersion of the operating system\r\nSystem type, which can be 32 or 64 bit. Indeed, this bot supports both types of architecture.\r\nThe server then responds with commands the bot needs to execute. These commands are encrypted using RC4; the bot's unique identifier is used as the encryption key. The bot supports a variety of commands, from information stealing and SOCKS proxying, to denial of service, download, execution and update. Each command has a unique identifier stored as a single byte and the information following this byte contains the command parameters. The following figure shows a traffic dump of the communication between a host infected by Win32/Napolar and its command and control server.\r\nThe following figure shows the decryption of this command using the proper key. The first byte of the received content is 0xC, and this instructs the bot to sleep. The parameter is a string, “600”, which represents the number of seconds that the bot needs to sleep.\r\nWe have seen at least seven different command and control servers used by Win32/Napolar. Most of them only stayed online for a couple of days before the operator moved them to a new network. This might indicate that this bot is being actively used in the wild. Below is a list of domain names where we have recently observed command and control servers:\r\nThere are some references to TOR in the malware code. More precisely, some configuration lines and references to the configuration file for TOR. During our analysis of the malware, it didn’t seem to make any use of this data. This could be some dormant feature that has not been activated in the samples we have analyzed.\r\nPromotional website\r\nThe author of Win32/Napolar seems very frank about wanting to sell his new malware. He has put together a very professional-looking website where he boasts that his bot is a “professional shellcode based bot”, referring to the fact that the malware is position-independent.\r\nThe website also provides information for potential customers. For example, the complete code for the command and control server can be found there, a PHP script running with an SQL database backend. The code of the command and control server confirms our analysis of the network protocol used by the Win32/Napolar malware.\r\nThe promotional website also provides multiple examples of plugins that can be used by malware operators. The plugins must be written using the Delphi programming language. The example plugins show how one can display a message on an infected victim system, find which version of the antivirus is installed on the victim system, and even how to steal Bitcoin wallets.\r\nFinally, the website even presented a complete log of the changes made to the bot’s source code, including information on new features and bug fixes. The website shows the first changelog entry made on July 14th. This fits our timeline since we saw the first instances of this bot in the wild in the beginning of August. The registration date for the domain name where the content is hosted is the first day of August, another indication that the beginning of the promotion is recent.\r\nConclusions\r\nWin32/Napolar is a new bot that surfaced in July and started to be observed in the wild in August. It has interesting techniques for countering reverse engineering. The most notable point about this malware is how openly it is being promoted on the web by its creator. The advertisement is probably the same that was identified by Dancho Danchev at Webroot in July. We have seen many messages on different forums promoting this bot, in addition to the existence of a publicly-accessible website. As previously discussed in the Foxxy case, this is another good example of the specialization of cybercrime operations, where we now clearly have authors that create malware and sell it to other gangs who will operate it.\r\nAlthough this bot has functionalities similar to other families like Zeus or SpyEye, it might gain in popularity because its author is actively maintaining it, and because of its ease of use and the simplicity with which plugins can be created.\r\nAnalyzed files\r\nThe following are MD5 hashes of the analyzed files:\r\nAcknowledgments\r\nThanks to Lubomir Trebula and Joan Calvet for their help while analyzing this malware.\r\nPierre-Marc Bureau\r\nSecurity Intelligence Program Manager\r\nSource: https://www.welivesecurity.com/2013/09/25/win32napolar-a-new-bot-on-the-block/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.welivesecurity.com/2013/09/25/win32napolar-a-new-bot-on-the-block/"
	],
	"report_names": [
		"win32napolar-a-new-bot-on-the-block"
	],
	"threat_actors": [],
	"ts_created_at": 1775434054,
	"ts_updated_at": 1775791249,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dd25c6faa519869f9bbc12036d7fa0f23f907914.pdf",
		"text": "https://archive.orkl.eu/dd25c6faa519869f9bbc12036d7fa0f23f907914.txt",
		"img": "https://archive.orkl.eu/dd25c6faa519869f9bbc12036d7fa0f23f907914.jpg"
	}
}