{
	"id": "1b16f066-f841-4b2a-8b72-3b24f122b5c7",
	"created_at": "2026-04-06T00:21:54.783924Z",
	"updated_at": "2026-04-10T03:21:51.146002Z",
	"deleted_at": null,
	"sha1_hash": "e3595aff467eeb87b6b2b22d3b4d60d6dd57f90a",
	"title": "The REBOL Yell: A New Novel REBOL Exploit | FRSecure",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1871594,
	"plain_text": "The REBOL Yell: A New Novel REBOL Exploit | FRSecure\r\nBy Oscar Minks\r\nPublished: 2021-10-05 · Archived: 2026-04-05 20:24:02 UTC\r\nA novel exploit explained and why default deny and user awareness are still king!\r\nEver heard of REBOL? If not, you may be seeing and hearing a lot of it soon. We recently discovered a REBOL exploit used for command-and-control.\r\nSo, what is REBOL? How is it being used as an exploit? And most importantly, what can you do to minimize the potential damage it can do to you and your organization?\r\nWhat is REBOL?\r\nLet’s be clear here, REBOL itself is not a malicious program. It has been used for very legitimate operations. In our study here, we will illustrate how it is being used for evil in the wild.\r\nREBOL is a “multi-paradigm dynamic programming language” that was designed to be used for network communications and distributed computing. It is multi-platform, can run on any operating system (OS), and it introduced the idea of dialecting—small, optimized, domain-specific languages for code and data.\r\nIt can be used to program internet applications (client and server-side), database applications, utilities, and multimedia applications.\r\nREBOL is also very lightweight—the entire install is less than 1MB, making deployment on a victim machine very trivial.\r\nWhy are we talking about this?\r\nAs I mentioned previously, we recently discovered a novel technique that utilizes REBOL as a command-and-control environment.\r\nI’ve scoured the internet high and low and am unable to identify anyone else who has found and documented this technique. Therefore, I feel it is our duty to get this information to the public so you can be aware and implement controls in your environment to prevent this technique from being deployed.\r\nREBOL Functionality\r\nFirst, let’s look at some functionality of REBOL.\r\nWe’re specifically looking at REBOL/View 2.7 in this article, but the same logic can be applied to other versions.\r\nhttps://frsecure.com/blog/the-rebol-yell-new-rebol-exploit/\r\nPage 1 of 11\n\nComponents of the REBOL Application\r\nAs you can see from the screenshot above, there are lots of powerful components that are built into this application: Windows registry, network components, DLL access, Windows installers, command-shell access, etc.\r\nFor the sake of brevity, we’re not going to dig into all of these, but just understand there isn’t much that you can’t do through this interface.\r\nAnd please keep in mind—it’s OS agnostic. Custom programs can be built and executed cross-platform.\r\nNow that we understand a bit more about what REBOL is and what it can do, let’s dig into how this was used in a recent exploit, and I think you’ll see the power of this program when used maliciously.\r\nREBOL Exploit\r\nIt Always Starts with a Phish\r\nOkay, it doesn’t always, but you know what I’m saying.\r\nSo long as default-deny is still king for the good guys, phishing is and will remain king for the bad guys. In this case, our victim received an email with a malicious Excel spreadsheet (XLS) attached.\r\nThe malicious XLS looked decently legitimate and included (surprise) VBA macros.\r\nPhishing Email sent with malicious XLS attached\r\nVBA Macros\r\nThe macros were quite simple. The language is set by calling the data in the “subject” field of the XLS, which is JScript. Code is added from the “comments” field of the document.\r\nMacros\r\nYou can see the code in the image below is slightly obfuscated (reversed), but essentially it is invoking WindowsInstaller.Installer to install an MSI located at hxxp://172.105.178.[119]/install.msi using an eval statement.\r\nContents of Subject and Comments\r\nOnce the user opens the document and enables the macros, the system then reaches out to the malicious website and installs the payload as expected (install.msi).\r\nFirst malicious connection\r\nDropped Files\r\nOnce the MSI is executed, it creates the directory c:\\programdata\\Temp and drops the following files:\r\nFiles dropped from MSI\r\nLet’s dissect these files quickly. AudioDriver is actually REBOL/View 2.7.8.\r\nInfo.txt is a simple text file that contains a string used to identify the victim.\r\nInfo.txt\r\nRandom.txt appears to be just that—a randomly generated string of numbers.\r\nRandom.txt\r\nImage.ico is a bit more interesting. We can see here that it dynamically builds a value for “ID” and uses that information to access a URL: hxxp://139.59.93.[223]/c.php. There is also a sleep timer of three (3), meaning it will repeat this function every three seconds until the process terminates.\r\nImage.ico\r\nThe Execution of the REBOL Exploit\r\nWe then see install.msi execute “audiodriver.exe” (REBOL) using the following syntax, which calls the image.ico configuration file.\r\nREBOL execution from install.MSI\r\nOn execution, the process modifies the following registry key for the persistence of REBOL/View.\r\nRegistry Modification\r\nKey Value\r\nIt then begins making repeated queries to this malicious IP:\r\nConnections to attacker\r\nHere, we can see the structure of the GET request attempting to retrieve c.php with the dynamic ID and Info parameters appended, making an HTTP connection using the User-Agent “REBOL View 2.7.8.3.1”.\r\nHTTP Request\r\nWhat’s next?\r\nThe attacker is then able to embed REBOL commands in the .php file for complete command and control! When the victim retrieves c.php that includes REBOL commands, they are executed locally through the running REBOL View instance.\r\nIn our lab environment, we did some quick testing to confirm this functionality, and the execution is quite trivial. We stood up an httpd server, routed all traffic to our malicious IP there, created the target c.php file, and input some commands in proper syntax for REBOL into this file.\r\nThe first command instructed REBOL to show the user an alert: “all your base are belong to us.”\r\nThis was followed by a call to execute a PowerShell command that extracts the IP configuration from our victim and places the result into a text file named ips.txt.\r\nLab c.php contents\r\nAfter executing our payload on the victim machine, sure enough, we were greeted with an alert:\r\nAlert\r\nAnd subsequently—ips.txt appeared in the c:\\programdata\\temp folder:\r\nCreated file ips.txt\r\nAnd the text file contained the output from the ipconfig command.\r\nIps.txt contents\r\nOther Uses\r\nThat’s pretty darn simple, right? Now, let’s explore what other mechanisms could easily be employed by this novel REBOL exploit technique.\r\nWe know that attackers love to live off the land. Using this REBOL exploit, anything that an attacker can execute using Windows PowerShell, WMI, or really any local function can be tunneled through this program. Recon, enumeration, privilege escalation, lateral movement, and data-exfil techniques can certainly be achieved using this mechanism.\r\nWhat we are looking at is a command-and-control environment using a little-known, off-the-shelf program that will not fire any signature-based alerts on your systems.\r\nIt is not malware; it is a legitimate program being used with malicious intent.\r\nIn our real-world analysis of this technique, we observed our attacker using this functionality for recon and enumeration as well as deployment of another backdoor for persistence. In this case, we were able to act quickly, identify the point of ingress, identify the systems that were pivoted to, and eradicate our attacker without significant impact or damage. If this went unnoticed, we all know where this likely ends—ransom.\r\nPreventing and Mitigating a REBOL Exploit\r\nDefault Deny is Still King\r\nThis is a perfect example of why application allow-listing in your environment is an effective approach to stopping this technique (and others that may be similar).\r\nAudit the applications in your environment and only allow those required for business function to run.\r\nFor now, if you don’t have a legitimate use for REBOL in your environment, block it while you work on implementing your application allow-list approach. (You ARE going to get right on that, aren’t you?)\r\nDisable Macros!\r\nSimple, right?\r\nEnd-User Awareness\r\nAlso, let’s not forget to train your users!\r\nThe human is always the weakest link, and that’s okay. We are all… human, and to live is to err.\r\nBecause we all make mistakes, it’s not the mistake that is most important; it is our response to the mistake.\r\nTrain your users to be able to identify when they may have fallen victim, and ensure they know how to properly report issues like these. Also, encourage your users to report anything seen as suspicious. Reward them if possible! Be sure everyone errs on the side of caution. If an end-user or anyone else is unsure, report it and get help!\r\nHave a process and staff that are fully capable of responding to and analyzing potential exploits. If you don’t have the internal capabilities, get a partner that does!\r\nTime is critical when responding to events like this. If you are quick to act, you can most likely contain before the real damage is done.\r\nThe Indicators of Compromise (IoCs) for REBOL Yell\r\nThe full list of IoCs for this REBOL exploit is below. Be sure to block the hashes and IPs. But also know—these IPs are a revolving door and will likely be shut down (if they aren’t already) by the time we publish this.\r\nHappy hunting all!\r\nIPs\r\n139.59.93.[223]\r\n172.105.178.[119]\r\nClosing Thoughts\r\nWe’re going to coin this exploit the “REBOL Yell!”\r\nIt is quite noisy (3-second intervals for command retrieval) and gives me a reason to include a Billy Idol meme with a hint of fall…\r\nAlso, a big shout out to Kyle McCray—our case handler who first observed this technique.\r\nAs always, FRSecure is here to help. Whether you suspect you’ve been compromised as part of this attack or are simply hoping to shore up your defenses before this becomes a larger concern, please do not hesitate to reach out to our incident response team.\r\nSource: https://frsecure.com/blog/the-rebol-yell-new-rebol-exploit/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://frsecure.com/blog/the-rebol-yell-new-rebol-exploit/"
	],
	"report_names": [
		"the-rebol-yell-new-rebol-exploit"
	],
	"threat_actors": [],
	"ts_created_at": 1775434914,
	"ts_updated_at": 1775791311,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e3595aff467eeb87b6b2b22d3b4d60d6dd57f90a.pdf",
		"text": "https://archive.orkl.eu/e3595aff467eeb87b6b2b22d3b4d60d6dd57f90a.txt",
		"img": "https://archive.orkl.eu/e3595aff467eeb87b6b2b22d3b4d60d6dd57f90a.jpg"
	}
}