{
	"id": "0196800c-b4dd-4358-a657-967a54fdfe93",
	"created_at": "2026-04-06T00:18:49.472933Z",
	"updated_at": "2026-04-10T13:11:57.813586Z",
	"deleted_at": null,
	"sha1_hash": "df9b4e7887b2574d77ca794d702ee533443bf260",
	"title": "New Threat: A Deep Dive Into the Zergeca Botnet",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1138565,
	"plain_text": "New Threat: A Deep Dive Into the Zergeca Botnet\r\nBy Alex.Turing\r\nPublished: 2024-06-19 · Archived: 2026-04-05 19:35:44 UTC\r\nBackground\r\nOn May 20, 2024, while everyone was happily celebrating the holiday, the tireless XLab CTIA (Cyber Threat Insight Analysis) system captured a suspicious ELF file around 2 PM, located at /usr/bin/geomi. This file was packed with a modified UPX, had a magic number of 0x30219101, and was uploaded from Russia to VirusTotal, where it was not detected as malicious by any antivirus engine.\r\nLater that evening at 10 PM, another geomi file using the same UPX magic was uploaded to VT from Germany. The suspicious file path, modified UPX, and multi-country uploads caught our attention. After analysis, we confirmed that this is a botnet implemented in Golang. Given that its C2 used the string \"ootheca,\" reminiscent of the swarming Zerg in StarCraft, we named it Zergeca.\r\nFunctionally, Zergeca is not just a typical DDoS botnet; besides supporting six different attack methods, it also has capabilities for proxying, scanning, self-upgrading, persistence, file transfer, reverse shell, and collecting sensitive device information. From a network communication perspective, Zergeca also has the following unique features:\r\n- Supports multiple DNS resolution methods, prioritizing DoH for C2 resolution.\r\n- Uses the uncommon Smux library for the C2 communication protocol, encrypted via XOR.\r\nDuring the investigation of Zergeca's infrastructure, we found that its C2 IP address, 84.54.51.82, has been serving at least two Mirai botnets since September 2023. 
We speculate that the author behind Zergeca accumulated experience operating the Mirai botnets before creating Zergeca.\r\nOn June 10, the XLab command tracking system captured a vector 7 DDoS command that the current samples did not support, indicating that Zergeca's author is actively developing and updating, with new samples yet to be discovered. Our persistence paid off when we captured a new sample on the 19th that supports vector 7.\r\nCurrently, the detection rates for Zergeca samples and C2 are very low. Considering Zergeca's potential threat in DDoS attacks, we have decided to release this article to share our findings with the community.\r\nSample \u0026 C2 Detection\r\nFrom the sample perspective, we captured a total of 5 Zergeca samples. While their functions are nearly identical, there is a significant discrepancy in their detection rates. How can this anomaly be explained? Most antivirus vendors have categorized the sample 23ca4ab1518ff76f5037ea12f367a469 as Generic Malware. We speculate that the detection of Zergeca by antivirus software is based on file hash. Therefore, as long as the hash changes, the detection effectiveness diminishes.\r\nhttps://blog.xlab.qianxin.com/a-deep-dive-into-the-zergeca-botnet\r\nPage 1 of 18\n\nMD5 | Detection | First Seen | Telemetry\r\n23ca4ab1518ff76f5037ea12f367a469 | 28/64 | 2024.05.20 | Russia\r\n9d96646d4fa35b6f7c19a3b5d3846777 | 0/67 | 2024.05.20 | Germany\r\nd78d1c57fb6e818eb1b52417e262ce59 | 1/67 | 2024.05.22 | China\r\n604397198f291fa5eb2c363f7c93c9bf | 1/66 | 2024.06.11 | France\r\n60f23acebf0ddb51a3176d0750055cf8 | 0/67 | 2024.06.18 | France\r\nTo verify our hypothesis, we appended the 4-byte string \"Xlab\" to the end of the file 23ca4ab1518ff76f5037ea12f367a469 and re-uploaded it to VirusTotal. 
The detection rate changed to 9/67, partially confirming our speculation.\r\nAdditionally, the current detection is based on the packed samples; after unpacking, the detection rate drops to 0.\r\nFrom the domain perspective, the four samples share two C2 domains that were created on the same day. The samples prioritize using DoH (DNS over HTTPS) for C2 resolution, which obscures the relationship between the samples and the C2 domains to some extent. Because of this, VirusTotal couldn't even associate the C2 domains with the samples, resulting in a naturally low detection rate.\r\nDomain | Detection | Create date\r\nootheca.pw | 1/93 | 2024.04.28\r\nootheca.top | 1/93 | 2024.04.28\r\nProfile of 84.54.51.82\r\nThe two C2 servers of Zergeca point to the same IP address, 84.54.51.82. According to our data, this IP has been in use since September 2023, serving a variety of roles. During this period, it has acted as a Scanner, Downloader, Mirai botnet C2, and Zergeca botnet C2.\r\nScanner\r\nStarting from September 18, 2023, scanning activities commenced, primarily targeting protocols such as Telnet, HTTP, and socks4. 
The main ports scanned include 23, 8080, 3128, 80, and 8888.\r\nMirai Downloader \u0026 C2\r\nFrom September 2023 to April 2024, 84.54.51.82 was primarily used as the Loader IP and Downloader IP for the Mirai botnet.\r\n2023.09 - 2023.10, it was used as the Loader and Downloader IP to implant the following related samples.\r\n#CC\r\nmirai://bot.hamsterrace.space:59666\r\n2024.04, it was used as the Loader IP to implant the following related 
samples.\r\n# CC\r\nmirai://145.239.108.150:63645\r\nZergeca C2\r\nStarting from April 29, 2024, 84.54.51.82 began being used as the C2 server for Zergeca. The relevant C2 domains and their resolution records are as follows:\r\nExploits\r\nIn our observation, the primary methods used by 84.54.51.82 to propagate samples are Telnet weak passwords and certain known vulnerabilities. The relevant vulnerability identifiers are as follows:\r\n- Telnet Weak Password\r\n- CVE-2022-35733\r\n- CVE-2018-10562\r\n- CVE-2018-10561\r\n- CVE-2017-17215\r\n- CVE-2016-20016\r\nDDoS Statistics\r\nFrom early to mid-June 2024, the Zergeca botnet primarily targeted regions such as Canada, the United States, and Germany. The main type of attack was ackFlood (atk_4), with victims distributed across multiple countries and different ASNs.\r\nReverse Analysis\r\nThe four Zergeca samples in our observation are all designed for the x86-64 CPU architecture and target the Linux platform. The presence of strings like \"android,\" \"darwin,\" and \"windows\" in the samples, along with Golang's inherent cross-platform capabilities, suggests that the author may eventually aim for full platform support.\r\nThis article focuses on the earliest captured sample for detailed analysis. The sample is packed with UPX and has a magic number of 0x30219101. 
For this type of modified UPX packer, simply changing the magic back to the standard \"UPX!\" allows for unpacking with the command upx -d.\r\nMD5: 23ca4ab1518ff76f5037ea12f367a469\r\nMagic: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, corrupted section header size\r\nPacker: UPX\r\nVersion: 0.0.01c\r\nAfter unpacking, it becomes evident that Zergeca is a botnet implemented in the Go language. The symbols are not obfuscated, making reverse analysis relatively straightforward.\r\nThe figure above shows a code snippet of the main_main function. Functionally, it can be broken down into four distinct modules. The persistence and proxy modules are self-explanatory, with the former ensuring persistence and the latter handling proxying. The silivaccine module is used to remove competing malware, ensuring exclusive control over the device. The most crucial module is zombie, which implements the full botnet functionality. It reports sensitive information from the compromised device to the C2 and awaits commands from the C2, supporting six types of DDoS attacks, scanning, reverse shell, and other functions.\r\n0x00: String Decryption\r\nZergeca uses XOR encryption for many sensitive strings. Using IDA, we found that the XOR key is referenced 240 times across various functions. Each decryption involves two uses of the XOR key: one for initialization and one for decryption, so there are 120 decryption operations in total.\r\nThe XOR key is initially set to EC 22 2B A9 F3 DD DF 1C CD 46 AC 1E, but only the first six bytes (EC 22 2B A9 F3 DD) are used.\r\nManually decrypting 120 times is impractical. Although the decryption process isn't confined to a single function, CFG analysis revealed a specific pattern in most decryption-related code blocks:\r\n1. 
The XOR block has one predecessor and one successor.\r\n2. The predecessor block's first instruction is mov, with the first operand being an address pointing to the original length of the XOR key.\r\n3. The successor block's first instruction is cmp, with the first operand being a number indicating the ciphertext's length.\r\n4. The predecessor block's predecessor's first instruction is lea, with the first operand being an address pointing to the ciphertext's starting address.\r\nBy identifying these patterns, we can automate the decryption process and restore all encrypted strings efficiently. We implemented an IdaPython decryption script (see the Appendix) with the following results: 111 successful decryptions and 9 mismatches.\r\nThe 9 mismatched code blocks are distributed across six functions. Among them, the packets__Cursor Read/WriteString functions handle network packet encryption/decryption and can be ignored.\r\n- gomi_bot_zombie__Zombie_Connect\r\n- geomi_common_utils_init_0_func1\r\n- geomi_bot_discovery_Run\r\n- geomi_common_packets__Cursor_WriteString\r\n- geomi_common_packets__Cursor_ReadString\r\n- geomi_common_utils_RandomUserAgent\r\nFor the remaining four functions, the issue was that the ciphertexts were arrays rather than single entries, causing the pattern match to fail. 
For example, in the RandomUserAgent function, the user_agent_list contains 1000 encrypted user agents.\r\nFor such cases, we can use the manual_decode function, where the first parameter is the starting address of the ciphertext array and the second parameter is the number of array elements.\r\nimport idc\r\n\r\n# Six-byte XOR key (only the first six bytes of the stored 12-byte key are used)\r\nkey=b\"\\xEC\\x22\\x2B\\xA9\\xF3\\xDD\"\r\n\r\ndef manual_decode(base,cnt):\r\n    # base: address holding the pointer to the string array; cnt: number of array elements\r\n    start=idc.get_qword(base)\r\n    for i in range(cnt):\r\n        # each Go string element is a 16-byte {data pointer, length} pair\r\n        addr=idc.get_qword(start+i*16)\r\n        size=idc.get_qword(start+8+i*16)\r\n        buff=idc.get_bytes(addr,size)\r\n        out=bytearray()\r\n        for k,v in enumerate(buff):\r\n            out.append(v ^ key[k%6])\r\n        print(out.decode())\r\n\r\nmanual_decode(0x000000000C56FA0,1000) # user agent\r\nmanual_decode(0x0000000000C56F80,0xc) # opennic dns\r\nmanual_decode(0x000000000C56C40,2) # c2\r\nDecrypted examples include various user agents, OpenNIC DNS server, and C2s.\r\nWith all strings successfully decrypted, we can now begin reverse-engineering Zergeca's various functionalities.\r\n0x01: Persistence Module\r\nZergeca achieves persistence on compromised devices by adding a system service, geomi.service. This service ensures that the Zergeca sample automatically generates a new geomi process if the device restarts or the process is terminated.\r\n[Unit]\r\nDescription=\r\nRequires=network.target\r\nAfter=network.target\r\n[Service]\r\nPIDFile=/run/geomi.pid\r\nExecStartPre=/bin/rm -f /run/geomi.pid\r\nExecStart=/usr/bin/geomi\r\nRestart=always\r\n[Install]\r\nWantedBy=multi-user.target\r\nExperiment A\r\nWhen running the Zergeca sample on a virtual machine and restarting the device, geomi.service automatically launches the Zergeca sample. The resulting process named geomi had a PID of 897. 
Terminating this process with kill -9 897 immediately spawned a new geomi process with PID 8460.\r\nWhen network administrators discover a geomi process and suspicious traffic on a device, they can attempt the following cleanup steps:\r\n1. Delete /etc/systemd/system/geomi.service\r\n2. Delete the sample file referenced by the ExecStart parameter\r\n3. Terminate the geomi process\r\n0x02: Silivaccine Module\r\nTo monopolize the device, Zergeca includes a list of competitor threats, covering miners, backdoor trojans, botnets, and more. Some familiar names on the list include mozi, kinsing, and various mining pools. Zergeca continuously monitors the system and terminates any process whose name or runtime parameters match those on the list, deleting the corresponding binary files.\r\nMozi.a, com.ufo.miner, kinsing, kthreaddi, kaiten, srv00, meminitsrv, .javae, solr.sh, monerohash, minexmr, c3pool, crypto-pool.fr, f2pool.com, xmrpool.eu, ...\r\nExperiment B\r\nWe renamed the system program /bin/sleep to Mozi.a and ran it. 
The Mozi.a process was killed, and the corresponding binary file was deleted.\r\n0x03: Zombie Module\r\nZergeca resolves the C2 IP address using the geomi_common_utils_Resolve function, which supports four resolvers: Public DNS, Local DNS, DoH (DNS over HTTPS), and OpenNIC.\r\nZergeca prioritizes two DoH resolvers, masking C2 domain resolution in DNS traffic:\r\nhttps://cloudflare-dns.com/dns-query\r\nhttps://dns.google/resolve\r\nAfter obtaining the C2 IP, the bot reports sensitive device information encapsulated in a DeviceInfo structure, including details like \"country, public IP, OS, user groups, runtime directory, and reachability\".\r\nstruct DeviceInfo\r\n{\r\n    Country string\r\n    PlucAddress byte[]\r\n    MAC string\r\n    OS string\r\n    ARCH string\r\n    Name string\r\n    MachineId string\r\n    Numcpu uint32\r\n    CPUMODEL string\r\n    username string\r\n    uid string\r\n    gid string\r\n    Users []string\r\n    Uptime time.Duration\r\n    PID uint32\r\n    Path string\r\n    checksum []uint8\r\n    version string\r\n    Reachable bool\r\n}\r\nThe bot then awaits commands from the C2, processing them with different handlers. The supported functions are as follows:\r\nID | Task\r\n0x01 | Proxy\r\n0x02 | Reverse Shell\r\n0x03 | FileTransfer\r\n0x05 | Self-update\r\n0xa0 | DDoS\r\n0xb0 | Stop Discovery\r\n0xb1 | Start Discovery\r\nThe DDoS functionality supports the following seven attack vectors:\r\nSub-ID | Attack Vector\r\n1 | minecraft\r\n2 | httpPPS\r\n3 | synFlood\r\n4 | ackFlood\r\n5 | pushFlood\r\n6 | rstFlood\r\n7 | pushOVHFlood\r\nCommunication Protocol\r\nZergeca uses smux for Bot-C2 communication. Smux (Simple MUltipleXing) is a Golang multiplexing library that relies on underlying connections like TCP or KCP for reliability and ordering, providing stream-oriented multiplexing. 
Smux packets feature an 8-byte header, VERSION(1B) | CMD(1B) | LENGTH(2B) | STREAMID(4B), followed by DATA(LENGTH).\r\nFrom an analysis perspective, only the LENGTH and DATA fields are of primary concern. The captured traffic includes various messages such as online status, device information reporting, command 0xb0, and heartbeat messages.\r\nOnline Message:\r\nLength: 0x04 bytes\r\nContent: Hardcoded 13 3a 12 79\r\nDevice Info Report:\r\nLength: 0xd5 bytes (varies by device)\r\nContent (excluding IP): XOR encrypted with key EC 22 2B A9 F3 DD\r\nDecrypted DeviceInfo as follows:\r\npos: 0x4 len: 0x2 \u003c----\u003e b'JP'\r\npos: 0x7 len: 0x4 \u003c----\u003e 45.14.XX.XX\r\npos: 0xc len: 0x11 \u003c----\u003e b'72:ba:29:e9:b8:08'\r\npos: 0x1f len: 0x5 \u003c----\u003e b'linux'\r\npos: 0x26 len: 0x5 \u003c----\u003e b'amd64'\r\npos: 0x2d len: 0x6 \u003c----\u003e b's22262'\r\npos: 0x35 len: 0x20 \u003c----\u003e b'b19642a3c672d4f20cbdb5b1569bf98f'\r\npos: 0x5b len: 0x29 \u003c----\u003e b'Intel(R) Xeon(R) CPU E5-2678 v3 @ 2.50GHz'\r\npos: 0x86 len: 0x4 \u003c----\u003e b'root'\r\npos: 0xa2 len: 0x2 \u003c----\u003e b'\\x92\\xf1'\r\npos: 0xa6 len: 0xe \u003c----\u003e b'/usr/bin/geomi'\r\npos: 0xb6 len: 0x14 \u003c----\u003e b'r\\xbd\u003e\\xcfY\\x15[\\xd9]\\xa4\\xe7m\\x86\\x9f\\xbf\\x895\\xaa\\x19\\xe8'\r\npos: 0xcc len: 0x7 \u003c----\u003e b'0.0.01c'\r\nCommand 0xb0 Message:\r\nLength: 0x08 bytes\r\nFunction: Stop scanning\r\nHeartbeat Message:\r\nLength: 0x03 bytes\r\nContent: ff 00 00\r\nLet's take a look at the DDoS-related packets. The format is cmd (1 byte) + length (2 bytes) + sub_cmd (1 byte) + target_info (length-1), where cmd is 0xa0, indicating a DDoS command, and sub_cmd is 0x4, indicating an ACK flood attack. 
The target_info field focuses on the first 4 bytes, which represent the target IP. For example, 1f 06 10 21 corresponds to the IP address 31.6.16.33.\r\nWhen the Bot receives the aforementioned command, the resulting attack traffic aligns perfectly with our analysis.\r\nExperiment C\r\nBased on our network protocol analysis, we implemented a fake C2 to control the Bot and observe its behavior upon receiving different commands. In this experiment, we sent the Bot a 0xb1 command, which means \"start scanning.\"\r\nUpon receiving this command, the Bot immediately began scanning 16 ports on randomly generated IP addresses.\r\nSummary\r\nThrough reverse analysis, we gained initial insights into Zergeca's author. The built-in competitor list shows familiarity with common Linux threats. Techniques like modified UPX packing, XOR encryption for sensitive strings, and using DoH to hide C2 resolution demonstrate a strong understanding of evasion tactics. Implementing the network protocol with Smux showcases their development skills. Given this combination of operational knowledge, evasion tactics, and development expertise, encountering more of their work in the future would not be surprising.\r\nThis is our basic intelligence on Zergeca. 
We welcome unique insights from other companies, such as Init Access. Readers can contact us on Twitter for more details.\r\nIOC\r\nSample\r\npatched with \"xlab\" at the end of file:\r\n980cad4be8bf20fea5c34c5195013200\r\nsample captured on 2024.06.19, supports DDoS vector 7:\r\n60f23acebf0ddb51a3176d0750055cf8\r\nDomain\r\nootheca.pw\r\nootheca.top\r\nbot.hamsterrace.space\r\nIP\r\n84.54.51.82 | The Netherlands | AS202685 | Aggros Operations Ltd.\r\nAppendix\r\nIdaPython Script\r\n# Test script, only for 23ca4ab1518ff76f5037ea12f367a469\r\n# Modify keyaddr and sizeaddr for your sample\r\nimport idaapi\r\nimport idc\r\nfrom idautils import XrefsTo\r\n\r\ndef decode(buf):\r\n    # repeating six-byte XOR key\r\n    key=b\"\\xEC\\x22\\x2B\\xA9\\xF3\\xDD\"\r\n    out=bytearray()\r\n    for i in range(len(buf)):\r\n        out.append(buf[i]^key[i%6])\r\n    return out\r\n\r\ncount=0\r\nnotcount=0\r\nfailedfunc=[]\r\nsuccessedfunc=[]\r\nkeyaddr=0x0000000000C56FC0   # address of the XOR key\r\nsizeaddr=0x0000000000C56FC8  # address of the original key length\r\nrefs=XrefsTo(keyaddr, flags=0)\r\nfor ref in refs:\r\n    f_blocks = idaapi.FlowChart(idaapi.get_func(ref.frm), flags=idaapi.FC_PREDS)\r\n    for blk in f_blocks:\r\n        if blk.start_ea!=ref.frm:\r\n            continue\r\n        # pattern 1: the XOR block has exactly one predecessor and one successor\r\n        # (the original used 'and' here, which let blocks with several predecessors through)\r\n        if len(list(blk.preds()))!=1 or len(list(blk.succs()))!=1:\r\n            continue\r\n        predblk=list(blk.preds())[0]\r\n        succsblk=list(blk.succs())[0]\r\n        # pattern 2: the predecessor's first instruction is a mov whose second operand is the key-length address\r\n        if idc.get_operand_value(predblk.start_ea,1)!=sizeaddr:\r\n            continue\r\n        # pattern 3: the successor's first instruction is a cmp whose second operand is an immediate (o_imm == 5), the ciphertext length\r\n        if idc.get_operand_type(succsblk.start_ea,1)!=0x5:\r\n            print(idc.get_func_name(ref.frm),hex(ref.frm),\"not matched\")\r\n            notcount+=1\r\n            failedfunc.append(idc.get_func_name(ref.frm))\r\n            continue\r\n        # pattern 4: the predecessor's predecessor is a lea whose second operand is the ciphertext address\r\n        ppredblk=list(predblk.preds())\r\n        if len(ppredblk)!=1:\r\n            continue\r\n        addr=idc.get_operand_value(ppredblk[0].start_ea,1)\r\n        size=idc.get_operand_value(succsblk.start_ea,1)\r\n        buf=idc.get_bytes(addr,size)\r\n        out=decode(buf)\r\n        count+=1\r\n        print(idc.get_func_name(ref.frm),hex(ppredblk[0].start_ea),\"matched, ciphertext at\", hex(addr), \"\u003c----\u003e\", out.decode(errors=\"replace\"))\r\n        successedfunc.append(idc.get_func_name(ref.frm))\r\nprint(\"\\n--------------------Statistic--------------------\")\r\nprint(f'Success:{count},Failed:{notcount}\\n')\r\nprint(\"---------Success Function---------\")\r\nprint(set(successedfunc),'\\n')\r\nprint(\"---------Failed Function---------\")\r\nprint(set(failedfunc),'\\n')\r\nSource: https://blog.xlab.qianxin.com/a-deep-dive-into-the-zergeca-botnet",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.xlab.qianxin.com/a-deep-dive-into-the-zergeca-botnet"
	],
	"report_names": [
		"a-deep-dive-into-the-zergeca-botnet"
	],
	"threat_actors": [
		{
			"id": "a6c351ea-01f1-4c9b-af75-cfbb3b269ed3",
			"created_at": "2023-01-06T13:46:39.390649Z",
			"updated_at": "2026-04-10T02:00:03.311299Z",
			"deleted_at": null,
			"main_name": "Kinsing",
			"aliases": [
				"Money Libra"
			],
			"source_name": "MISPGALAXY:Kinsing",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9b02c527-5077-489e-9a80-5d88947fddab",
			"created_at": "2022-10-25T16:07:24.103499Z",
			"updated_at": "2026-04-10T02:00:04.867181Z",
			"deleted_at": null,
			"main_name": "Reaper",
			"aliases": [
				"APT 37",
				"ATK 4",
				"Cerium",
				"Crooked Pisces",
				"G0067",
				"Geumseong121",
				"Group 123",
				"ITG10",
				"InkySquid",
				"Moldy Pisces",
				"Opal Sleet",
				"Operation Are You Happy?",
				"Operation Battle Cruiser",
				"Operation Black Banner",
				"Operation Daybreak",
				"Operation Dragon messenger",
				"Operation Erebus",
				"Operation Evil New Year",
				"Operation Evil New Year 2018",
				"Operation Fractured Block",
				"Operation Fractured Statue",
				"Operation FreeMilk",
				"Operation Golden Bird",
				"Operation Golden Time",
				"Operation High Expert",
				"Operation Holiday Wiper",
				"Operation Korean Sword",
				"Operation North Korean Human Right",
				"Operation Onezero",
				"Operation Rocket Man",
				"Operation SHROUDED#SLEEP",
				"Operation STARK#MULE",
				"Operation STIFF#BIZON",
				"Operation Spy Cloud",
				"Operation Star Cruiser",
				"Operation ToyBox Story",
				"Osmium",
				"Red Eyes",
				"Ricochet Chollima",
				"Ruby Sleet",
				"ScarCruft",
				"TA-RedAnt",
				"TEMP.Reaper",
				"Venus 121"
			],
			"source_name": "ETDA:Reaper",
			"tools": [
				"Agentemis",
				"BLUELIGHT",
				"Backdoor.APT.POORAIM",
				"CARROTBALL",
				"CARROTBAT",
				"CORALDECK",
				"Cobalt Strike",
				"CobaltStrike",
				"DOGCALL",
				"Erebus",
				"Exploit.APT.RICECURRY",
				"Final1stSpy",
				"Freenki Loader",
				"GELCAPSULE",
				"GOLDBACKDOOR",
				"GreezeBackdoor",
				"HAPPYWORK",
				"JinhoSpy",
				"KARAE",
				"KevDroid",
				"Konni",
				"MILKDROP",
				"N1stAgent",
				"NavRAT",
				"Nokki",
				"Oceansalt",
				"POORAIM",
				"PoohMilk",
				"PoohMilk Loader",
				"RICECURRY",
				"RUHAPPY",
				"RokRAT",
				"SHUTTERSPEED",
				"SLOWDRIFT",
				"SOUNDWAVE",
				"SYSCON",
				"Sanny",
				"ScarCruft",
				"StarCruft",
				"Syscon",
				"VeilShell",
				"WINERACK",
				"ZUMKONG",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434729,
	"ts_updated_at": 1775826717,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/df9b4e7887b2574d77ca794d702ee533443bf260.pdf",
		"text": "https://archive.orkl.eu/df9b4e7887b2574d77ca794d702ee533443bf260.txt",
		"img": "https://archive.orkl.eu/df9b4e7887b2574d77ca794d702ee533443bf260.jpg"
	}
}