{
	"id": "bb7b1720-044c-4bad-9877-d9be2cc3664b",
	"created_at": "2026-04-06T00:15:40.885023Z",
	"updated_at": "2026-04-10T03:22:13.154517Z",
	"deleted_at": null,
	"sha1_hash": "e13349dd9dc6d8427f8226a3996603af2c896807",
	"title": "Could Threat Actors Be Downgrading Their Malware to Evade Detection?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 283434,
	"plain_text": "Could Threat Actors Be Downgrading Their Malware to Evade\r\nDetection?\r\nBy by Nozomi Networks Labs | November 2, 2022\r\nArchived: 2026-04-05 16:35:12 UTC\r\nThreat actors are known to modify their malware to evade detection and make additional profits. They do this by\r\nchanging the file name and IP address, along with other features. This gives them an advantage, as it makes\r\ndetection more difficult and helps them stay under the radar. The modifications are so common that we noticed not\r\nonly upgraded but also downgraded versions of the same malware, which could be part of a broader threat actor\r\nstrategy.\r\nThese upgraded/downgraded versions may suggest the existence of modular malware capabilities, with customers\r\nwho pay extra getting access to additional and/or unique features. This may also suggest that threat actors are\r\ntailoring payloads for each campaign to avoid revealing all of a malware’s functionality to researchers at once.\r\nAfter analyzing several malware types, we decided to focus on the Gafgyt malware family, which is known to\r\ntarget IoT devices, such as routers, to launch Denial of Service (DoS) attacks.\r\nIt requires a certain effort for security researchers stay on top of the latest botnet developments and their changes.\r\nThat’s why Nozomi Networks focuses on detecting malicious servers across the internet, in order to better\r\nunderstand malware behavior and enhance the protection of our customers. In this blog, we introduce the first and\r\nsecond stage of the Gafgyt malware, its variants/modifications, and provide Indicators of Compromise (IoC)s for\r\ndetecting malicious activity.\r\nFirst Stage – Initial Access\r\nOne of the most prevalent initial access techniques that Nozomi Networks Labs researchers track is the misuse of\r\nvalid accounts. Malware attempts to perform credential access by brute forcing SSH and telnet credentials. 
If\r\nsuccessful, the attacker can achieve code execution and deploy the first stage of malware to the vulnerable\r\ndevices. Our chain of honeypots was able to capture the top credentials misused by attackers in the last week of\r\nSeptember 2022 (Figure 1):\r\nhttps://www.nozominetworks.com/blog/could-threat-actors-be-downgrading-their-malware-to-evade-detection/\r\nPage 1 of 8\n\nFigure 1. Top credentials misused by attackers within the last week of September 2022\r\nMost of these entries (e.g. admin:admin, root:root, admin:1234, etc.) are the default usernames and passwords\r\nused to access various Internet of Things (IoT) devices. These credentials are used by multiple botnets; some are\r\neven accessible in the publicly available source code of Mirai malware. The top entries change over time, so the\r\nresults may vary from month to month. You can find a chart of top credentials our honeypots captured in the first\r\nhalf of 2022 in our OT/IoT Security Report.\r\nOnce the malicious actors have gained access to the device, they then execute a bash script that allows them to\r\ndeliver and execute the second-stage payload. The classic approach involves iteratively downloading several\r\nExecutable and Linkable Format (ELF) payloads tailored to different architectures (usually using standard tools\r\nlike curl or wget). The most common computer architectures are x86, ARM, MIPS/MIPSEL, PowerPC, SH-4,\r\nSPARC and m68k, so it will vary depending on the device. The threat actor will then attempt to execute each of\r\nthem on the victim’s device.\r\nFigure 2. 
An example of the first stage bash script\r\nNow, let’s focus on the binary payloads delivered in the second stage and the type of information that can be used\r\nto aid researchers in attribution and clustering.\r\nSecond Stage Payload\r\nTraditionally, the first stage of a brute force attack is initiated by other compromised devices, while malicious\r\nCommand-and-Control (C2) servers are used to deliver second stage payloads and issue commands to bots. To\r\nfurther complicate this attack, a different filename is usually associated with each C2 server. Due to the large\r\nnumber of different IPs used to carry out these attacks, the detection rate for malicious IPs on VirusTotal is quite\r\nlow. In the following example (Figure 3), Nozomi Networks is one of only eight vendors, out of a total of 94, that\r\ncan detect malicious indicators that have been modified.\r\nFigure 3. Low number of malicious C2 detections\r\nThere are several types of second-stage payloads:\r\nunpacked samples\r\nsamples packed with public versions of Ultimate Packer for Executables (UPX)\r\nsamples packed with unreleased versions of UPX\r\nsamples packed with any version of UPX and corrupted afterwards\r\nIf you are interested in the exact distribution of packers used, you can learn more in one of our previous blogs\r\ndedicated to anti-reverse engineering techniques. Regarding the UPX corruption, Nozomi Networks Labs recently\r\nreleased an open-source tool that automatically restores these modifications.\r\nGafgyt (aka Qbot) Malware Samples\r\nNow let’s dissect the Gafgyt malware and its variants. The Gafgyt source code was published more than five years\r\nago and is publicly available on GitHub for everyone to re-use. Therefore, many of the analyzed samples\r\nimplement one or more of Gafgyt’s capabilities. 
At first, the analyzed files may seem to belong to the same family,\r\nbut they contain certain differences in capabilities and main functionality.\r\nCommon Sample\r\nThe common objective of the Gafgyt malware is to generate DDoS attacks via one of the few supported protocols.\r\nFigure 4 shows how the corresponding commands look inside the malware:\r\nFigure 4. A routine check of which supported commands were issued\r\nThese commands allow threat actors to perform DDoS attacks by using several protocols and methods (e.g., UDP,\r\nTCP, ICMP and HTTP).\r\nIn this case we see the usage of:\r\nUDP flood\r\nICMP flood\r\nTCP SYN flood\r\nTCP ACK flood\r\nTCP raw flood\r\nHTTP flood\r\nOther common functionalities enable the malicious actors to verify the status of the bot, execute arbitrary\r\ncommands on it, or kill the malicious process. Additional functionality used by one of the analyzed samples\r\nincludes:\r\n1. scanning and searching for other devices on demand and attempting to penetrate them (Figure 5)\r\n2. using a hardcoded list of credentials (similar to the one used by the Mirai botnet)\r\nThis capability is also present in the Gafgyt source code on GitHub:\r\nchar *usernames[] = {\"root\\0\", \"\\0\", \"admin\\0\", \"user\\0\", \"login\\0\", \"guest\\0\"};\r\nchar *passwords[] = {\"root\\0\", \"\\0\", \"toor\\0\", \"admin\\0\", \"user\\0\", \"guest\\0\", \"login\\0\", \"changeme\\0\", \"1234\\0\",\r\n\"12345\\0\", \"123456\\0\", \"default\\0\", \"pass\\0\", \"password\\0\"};\r\nHowever, in the analyzed samples, the list of credentials has been extended to include some credentials listed in\r\nthe Mirai source code.\r\nFigure 5. 
Credentials used by the scanner in the analyzed sample\r\nUnique Sample\r\nThe Gafgyt sample we analyzed uses a few defense evasion techniques to conceal itself and prolong the\r\ninfection. Here are some of the most common unique functionalities:\r\nMonitoring processes running on the system: One of the techniques used by this malicious sample is to\r\nlist and continuously monitor all the processes running on the machine and to kill any running process that\r\nis not stored in a specific path.\r\nFor each process, the sample obtains the path of the executable by resolving the symlink at /proc/PID/exe.\r\nOnce the path is obtained, the sample checks whether it contains the substrings bin/ or lib/.\r\nInterestingly, this feature corresponds to the command “stop” in the extended sample, while in the\r\nlightweight sample it is always executed.\r\nHiding the process name: At the very beginning of the execution and just after setting up a socket\r\nlistening for incoming commands from the C2 server, the malware renames its process (e.g., to /bin/bash).\r\nTo achieve this, it uses the prctl syscall with the PR_SET_NAME argument, which allows it to set the name of\r\nthe calling process to the value passed as a second argument.\r\nFigure 6. Malware using prctl to change its process name\r\nActive use of forks: To be able to segregate its functionality, the malware will execute parts of the code in\r\nmany separate forks, which can complicate debugging. As shown in Figure 7, one of them creates 15\r\ndifferent instances.\r\nFigure 7. Active use of forks in IoT malware\r\nLightweight Sample\r\nWhile conducting our analysis, we discovered a Gafgyt sample with a minimal set of Gafgyt capabilities. 
It\r\nsupports only three commands, whereas the previously described samples have 12 different functionalities.\r\nOne of the basic features of this sample lets the C2 server check whether the bot is alive. The C2 sends the\r\ncommand “PING” to the bot, and the bot will answer with “PONG” if it is up and running, as shown here:\r\nif (!strcmp(argv[0], \"PING\"))\r\n{\r\n    sockprintf(mainCommSock, \"PONG!\");\r\n    return;\r\n}\r\nFigure 8 shows the second and third functionalities in the function called botkill_and_udp_flood.\r\nFigure 8. Three capabilities inside the lightweight version of Gafgyt: ping, botkill and UDP flood\r\nattack.\r\nThe botkill feature allows the C2 to send a command to kill the malicious process on the infected device, the same as\r\nin the feature-rich sample described above. If the bot receives the command “botkill”, it simply exits.\r\nFigure 9. Botkill functionality\r\nAnother way this functionality is implemented is by issuing a kill -9 PID command, as shown in Figure 10:\r\nFigure 10. Another implementation of botkill command\r\nThe UDP flood attack, exactly as in the other sample’s code, contains an infinite loop that calls sys_sendto,\r\nwhich keeps sending UDP packets until the malicious program is killed.\r\nFigure 11. 
UDP flood attack inside the malicious sample code\r\nConclusion\r\nAccording to this research, threat actors may have various upgraded and downgraded variants of their malware.\r\nThis could mean that they’re changing their tactics and evading detection, or it could be a part of a dark web cyber\r\ncrime scheme to make additional profits by modularizing the malware, with additional features added à la carte.\r\nModifications include using different file names and IPs to evade detection and increase the longevity of an attack.\r\nAt Nozomi Networks, we distinguish between static and changing functionality to create robust detections that\r\ncan help you keep track of different campaigns. To protect your network and systems, it is necessary to monitor\r\nthese changes and incorporate tactics that counter these attacks into your defense strategy. Below are indicators\r\nassociated with the malicious botnet discussed in this blog:\r\nIoCs\r\n62.197.136.231\r\n80.76.51.244\r\n2b1cc052f78141d91e1bc40db25418359a05c4ad28d2cd55f6e503e4f78c1010\r\n05e586d03dfb2c4a79372d46f2f4a8a91bf24d303017a0ce9f223263b28752a5\r\nSource: https://www.nozominetworks.com/blog/could-threat-actors-be-downgrading-their-malware-to-evade-detection/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.nozominetworks.com/blog/could-threat-actors-be-downgrading-their-malware-to-evade-detection/"
	],
	"report_names": [
		"could-threat-actors-be-downgrading-their-malware-to-evade-detection"
	],
	"threat_actors": [],
	"ts_created_at": 1775434540,
	"ts_updated_at": 1775791333,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e13349dd9dc6d8427f8226a3996603af2c896807.pdf",
		"text": "https://archive.orkl.eu/e13349dd9dc6d8427f8226a3996603af2c896807.txt",
		"img": "https://archive.orkl.eu/e13349dd9dc6d8427f8226a3996603af2c896807.jpg"
	}
}