{
	"id": "759c2f98-7244-4d38-a3ae-3b2e7ca96024",
	"created_at": "2026-04-06T00:19:12.185328Z",
	"updated_at": "2026-04-10T13:12:04.88579Z",
	"deleted_at": null,
	"sha1_hash": "e1caf5fd07da5fc0ef058c41d399a2124d8e2136",
	"title": "Digital Archeology: Investigating RotaJakiro",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 284470,
	"plain_text": "Digital Archeology: Investigating RotaJakiro\r\nBy Chad Anderson\r\nArchived: 2026-04-05 13:59:56 UTC\r\nDomainTools And Digital Archeology: A Look At RotaJakiro\r\nBackground\r\nOn April 21, 2021, Netlab released an excellent report on a malware sample they dubbed RotaJakiro, a long-lived backdoor targeting 64-bit Linux systems with 0 detections on VirusTotal. This backdoor used a number of techniques to remain unnoticed, and the craftiness of the sample piqued the attention of the DomainTools Research Team. Netlab’s post closed by noting that analysis of the binary was just the tip of the iceberg in discovering what this sample was about, and that is where we feel that DomainTools, with our thorough historical data set of over 20 years of Whois and DNS information, had to take a look. For analysis of the binary itself, we suggest reading their excellent post; here we concentrate on one of our specialties: digital archeology.\r\nInitial Indicators\r\nIn this instance, the samples found by Netlab were first added to VirusTotal in 2018. As mentioned, none of them were detected by any of the engines VirusTotal employs. These samples all called out to C2 infrastructure at the following domains:\r\nnews.thaprior.net\r\nblog.eduelects.com\r\ncdn.mirror-codes.net\r\nstatus.sublineover.net\r\nhttps://www.domaintools.com/resources/blog/domaintools-and-digital-archeology-a-look-at-rotajakiro\r\nPage 1 of 7\r\nA quick look in passive DNS shows that these domains only have these subdomains listed, and they do not appear to be part of any dynamic DNS system, so we can assume that the SLDs are owned by the same operator. We’ll look more at passive DNS later, but for now we can throw these domains into Iris Investigate to see more about their intrinsic properties.\r\nFirst is the use of the Web4Africa registrar. This registrar has just a little over 18,000 domains associated with it, so the frequency of registration is rather low. Second, we see the registration dates are about the same for all of the domains, December 9th and 10th of 2015. This aligns with the research from the Netlab report and may indicate that there are actually older samples to be found in the wild. Third, we see that all have the same nameservers except for one domain. Outliers are always useful as they often link to additional connections elsewhere in the broader domain name data set. Lastly, all use a Confluence Networks IP for their apex A record, which is only slightly valuable. This is a parking page IP address and makes sense, as the operator of this backdoor used subdomains that all had A records pointing to a specific IP address for C2.\r\nSummary of Additional Information and What it Tells Us\r\nWeb4Africa Registrar: Low volume registrar.\r\nGrouped Create Date: Grouped create date plus low volume registrar means we can hunt on the same day for additional registrations.\r\nOutlier Nameserver: Outliers often lead to additional infrastructure as they have been treated special for a reason.\r\nParking Page IP For Apex Domain: Good to point out simply because it can be a rabbit hole.\r\nDiving Deeper Than Domains\r\nThe first step from here is to look at Whois history. In this case, privacy protection has been in place since the domains were first registered in 2015. Most importantly, we can tell that because the domains have never been allowed to expire, these weren’t domains that were dropped and re-registered. This lets us know that the same person has owned these domains since 2015. That is an important distinction to make, as adversaries are increasingly aware that getting a drop catch domain is a nice way to immediately “age” a domain so it goes undetected, since many machine learning algorithms rely heavily on registration date to determine malicious intent. We have certainly found in our analysis that an overwhelming number of attacks come from newly registered domains.\r\nSince Whois history provides minimal additional points to pivot on, we can then turn to passive DNS. This data set of passively collected query and response pairs from recursive resolvers around the Internet shows a first and last seen entry for any pair along with a count. This can help determine both breadth of use as well as when something first began and was last seen operating. In the case of the IP address used for all four of the subdomains that were C2 infrastructure, we get the following list that shows activity as early as November 08, 2017 and as recently as April 29, 2021, which is the time of this writing. In addition to that we get three new domains pointing to the exact same IP address just a few months prior in 2017.\r\nWhile this is interesting, it’s important not to jump to conclusions and tie this directly to the other domains. For one, the IP is tied to a Ukraine and Netherlands based VPS provider called DeltaHost. A VPS provider rents out servers and, with them, IP addresses. This IP could simply have been recycled that month when the operator behind RotaJakiro decided to become active. Secondly, there are no subdomain patterns that match the naming convention of the prior domains. Given that this IP has only ever hosted the confirmed RotaJakiro C2 domains and these new domains, though, it behooves any analyst to take a closer look.\r\nUnfortunately, these three additional domains do not provide anything that can definitively tie them to the other domains. They lack any overlapping times in passive DNS records and their registration patterns are different. One oddity, however, is their Risk Score of 100. The DomainTools Risk Score is informed by a number of things, but a score of 100 is indicative of a domain being included on a blocklist for a previous report of known badness. Looking at historical Whois for these domains we see them with a registrant email of daniel.madi@mail[.]com, which is tied to 88 Office 365 based phishing domains.\r\nGiven the complexity and stealth of the RotaJakiro backdoor, it seems unlikely that such a noisy phishing campaign would be so easily tied to such a quiet operation. If we were to tie these together it would be with extremely low confidence. We feel as researchers that it is much more likely that DeltaHost recycled this VPS IP address shortly after the blocklisting of these domains, that it was coincidentally used in other criminal activity, and that the IP address was then picked up by the RotaJakiro operators. In support of this, passive DNS records show that one of these older domains was suspended just before the C2 domains for RotaJakiro began operating on that IP address. Passive DNS also shows the RotaJakiro C2 domains existing on other IP addresses prior to moving to DeltaHost. Both of these facts support the theory that these are separate.\r\nThis IP now belongs to Hivelocity, a small cloud provider that has only owned the IP address since 2019 according to the create date on the IP Whois record for their subnet. According to historical IP Whois information, Hivelocity acquired this range from Swiftway after acquiring the company, which had server locations in the Netherlands. The IP shown, 46.21.147[.]87, is still geolocated in the Netherlands.\r\nUnfortunately, we also cannot find any connections between the C2s mentioned in Avast’s Torii botnet report from 2018 and the domains in the RotaJakiro report. Netlab did mention similarities between RotaJakiro and the Torii botnet in their operation. Had there been a tie even between those domains and the daniel.madi@mail[.]com domains, we could have increased our confidence in them belonging to the same operator.\r\nSometimes when reaching a dead end on infrastructure databases, the best thing for us as analysts to do is turn to traditional search engines. Searching for the initial C2 domains we discovered turned up a few interesting hits. The first is a link to a 2016 repository of Tor DNS logs, which shows that this domain has been accessed since at least 2016. The second is from a Turkish government website and is a URL list in XML format. The domains are mentioned as appearing on April 29, 2021, the same as the time of this writing, from the Zararlı Yazılım Komuta Kontrol Merkezi, which is Turkish for Malware Command Control Center, likely having been an ingestion of the original Netlab report.\r\nSummary of Additional Information and What It Tells Us\r\nC2 Domains Never Lapsed: Same registrant has owned these domains since their initial registration in 2015.\r\nIP On DeltaHost VPS Provider: VPS providers share resources amongst clients, so unless we can overlap some records we cannot confirm that a single IP ties two events together.\r\nIP Used In Other Maliciousness: The VPS IP was used, but never overlapped, with another set of malicious domains doing Office 365 phishing with entirely different registration patterns and levels of noise.\r\nC2s Previously Used A Different IP: During the time where there could have been overlap with other maliciousness, the C2s used an IP on a different VPS provider in the Netherlands.\r\nNo Infrastructure Tie To Match Code Ties: The Torii botnet mentioned by Netlab does not have any infrastructure ties to RotaJakiro.\r\nDomain Resolving In 2016: Although resolving as early as 2016, we cannot confirm that it resolved to the same IP as the DeltaHost IP.\r\nConclusion\r\nAlthough we were unable to tie the Netlab report on RotaJakiro to another operator, we have produced a good amount of evidence and potential conclusions for further analysis. We’ve been able to confirm timelines from the Netlab report as well as mark key oddities for further avenues of investigation. We were also able to identify additional IP addresses which had been previously used by the C2 domains and which would lower the threshold of confidence for tying this to previous maliciousness. When all else brought us to a dead end, we were able to expand upon our original timeline thanks to good old fashioned OSINT using classic search engines. Whenever coming across reports like this, we hope that customers can find DomainTools useful in the practice of digital archeology.\r\nSource: https://www.domaintools.com/resources/blog/domaintools-and-digital-archeology-a-look-at-rotajakiro",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.domaintools.com/resources/blog/domaintools-and-digital-archeology-a-look-at-rotajakiro"
	],
	"report_names": [
		"domaintools-and-digital-archeology-a-look-at-rotajakiro"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "322a0ef1-136b-400e-89d0-0d62ee2bd319",
			"created_at": "2023-01-06T13:46:38.662109Z",
			"updated_at": "2026-04-10T02:00:03.05924Z",
			"deleted_at": null,
			"main_name": "Madi",
			"aliases": [],
			"source_name": "MISPGALAXY:Madi",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b07fec96-80cd-4d92-aa52-a26a0b25b7c2",
			"created_at": "2022-10-25T16:07:23.826594Z",
			"updated_at": "2026-04-10T02:00:04.760416Z",
			"deleted_at": null,
			"main_name": "Madi",
			"aliases": [
				"Mahdi"
			],
			"source_name": "ETDA:Madi",
			"tools": [
				"Madi"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434752,
	"ts_updated_at": 1775826724,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e1caf5fd07da5fc0ef058c41d399a2124d8e2136.pdf",
		"text": "https://archive.orkl.eu/e1caf5fd07da5fc0ef058c41d399a2124d8e2136.txt",
		"img": "https://archive.orkl.eu/e1caf5fd07da5fc0ef058c41d399a2124d8e2136.jpg"
	}
}