{
	"id": "10edf0b3-022e-4b39-af93-4356e0ca3449",
	"created_at": "2026-04-06T00:14:21.101921Z",
	"updated_at": "2026-04-10T03:33:23.798434Z",
	"deleted_at": null,
	"sha1_hash": "e3dfffa6bae5e9c33d27868b39949eb46cb65dff",
	"title": "Boolka Unveiled: From web attacks to modular malware | Group-IB Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1314255,
	"plain_text": "Rustam Mirkasymov\r\nSenior Targeted Threat Researcher\r\nMartijn van den Berk\r\nCyber Threat Intelligence Analyst\r\nBoolka Unveiled: From web\r\nattacks to modular malware\r\nUncovering the operations of threat actor Boolka, driven by the creation of malicious scripts,\r\nmalware trojans, sophisticated malware delivery platforms, and more.\r\nJune 21, 2024 · min to read · Malware Analysis\r\n← Blog\r\nhttps://www.group-ib.com/blog/boolka/\r\nPage 1 of 35\n\nBoolka Malware Threat Intelligence\r\nIntroduction\r\nIn January 2024, during the analysis of the infrastructure used by ShadowSyndicate Group-IB\r\nThreat Intelligence analysts detected a landing page designed to distribute the BMANAGER\r\nmodular trojan, created by threat actor dubbed Boolka. Further analysis revealed that this landing\r\npage served as a test run for a malware delivery platform based on BeEF framework. The threat\r\nactor behind this campaign has been carrying out opportunistic SQL injection attacks against\r\nwebsites in various countries since at least 2022. Over the last three years, the threat actor have\r\nbeen infecting vulnerable websites with malicious JavaScript scripts capable of intercepting any\r\ndata entered on an infected website.\r\nThis blogpost contains a description of:\r\nYARA rules are available for Group-IB Threat Intelligence customers.\r\nIf you have any information which can help to shed more light on this threat and enrich current\r\nresearch, please join our Cybercrime Fighters Club. We would appreciate any useful information to\r\nupdate the current blog post.\r\nDescription\r\nDiscovery via InfraStorm connection\r\nIn January 2024 Group-IB detected a new ShadowSyndicate server with IP address\r\n45.182.189[.]109 by SSH fingerprint 1ca4cbac895fc3bd12417b77fc6ed31d. This server was used to\r\nhost a website with domain name updatebrower[.]com. 
Further analysis showed that this website\r\nserves a modified version of Django admin page with injected script loaded from\r\nhXXps://beef[.]beonlineboo[.]com/hook.js.\r\ninjected JS snippets used by the attacker we named Boolka\r\na newly discovered trojan we dubbed BMANAGER\r\nhttps://www.group-ib.com/blog/boolka/\r\nPage 2 of 35\n\nThe SSH key was mentioned in Group-IB blogpost. Based on that, an assumption was made that\r\nShadowSyndicate is a RaaS affiliate that uses various types of ransomware, which is the most\r\nplausible case.\r\nHowever, the information obtained during this research decreased the chance of this assumption\r\nbeing correct. We will continue to monitor InfraStorm assets to clarify the attribution. At the moment\r\nit looks like the aforementioned SSH belongs to some bulletproof hosting provider or VPN.\r\nWeb attacks\r\nThreat actor Boolka started his activities in 2022 by infecting websites with malicious form stealing\r\nJavaScript script. The threat actor injected the following script tag into HTML code of websites\r\n(Picture 1).\r\nPicture 1: Injected script tag\r\nWhen a user visits the infected website, the script will be downloaded and executed. During\r\nexecution it performs two main actions.\r\nFirst, it sends a request to the threat actor’s server to notify it that the script was executed. It utilizes\r\nHTTP GET parameters with “document.location.hostname” returning the hostname of the infected\r\nwebsite; and the current URL being Base64-encoded (Picture 2).\r\nPicture 2: Sending a beacon to C2\r\nSecond, it collects and exfiltrates user input from infected website (Picture 3)\r\nhttps://www.group-ib.com/blog/boolka/\r\nPage 3 of 35\n\nPicture 3: Data collection and exfiltration\r\nThe Boolka formstealing JavaScript script actively monitors user interactions, capturing and\r\nencoding input data from forms into session storage when form elements like inputs, selects, and\r\nbuttons are changed or clicked. 
It sends all stored session data (collected form values) encoded in\r\nhttps://www.group-ib.com/blog/boolka/\r\nPage 4 of 35\n\nBase64 format back to the threat actor’s server. This behavior suggests that the script is designed\r\nfor data exfiltration, potentially capturing sensitive user inputs such as passwords and usernames.\r\nSince at least November 24th 2023, the payload loaded by the script tag was updated. Let’s\r\ncompare two snippets used by Boolka before and after this update:\r\nhttps://urlscan.io/responses/420d8d83d5b98d959f7c62c2043b0cc2511385d4cab722b23ef4b39da51\r\nhttps://urlscan.io/responses/e6bc4f2ca5bf36fae278cbbc12bbacc12f475cd92f194a79c24afe384af3e6\r\nThe updated version of this malicious script includes several modifications. Notably, it now checks\r\nfor the presence of a specific div element with the ID “hookwork” on the page (Picture 4). If this div\r\nis not found, it creates one and sets it to be hidden.\r\nPicture 4: Snippet for creating div element\r\nThe code now includes additional checks within the cbClickButton function to exclude certain\r\nsessionStorage properties (key, getItem, setItem, removeItem, clear) from being sent to the server\r\n(Picture 5).\r\nhttps://www.group-ib.com/blog/boolka/\r\nPage 5 of 35\n\nPicture 5: Updated collection and exfiltration code\r\nThe event listeners for user interactions with input fields, buttons, and select elements remain,\r\ncapturing user input and sending it to the remote server.\r\nThe IP addresses of servers hosting the Boolka infrastructure were reported for multiple SQL\r\ninjection attempts. The number and locations of reporters allow us to speculate that these attacks\r\nwere opportunistic since there was no particular pattern in regions attacked by threat actor. 
Based\r\non this information we can infer that the infection of compromised websites was the result of\r\nexploitation of vulnerabilities detected during this opportunistic vulnerability scanning.\r\nExample SQL Injection payload used by attacker:\r\nAND 1=1 UNION ALL SELECT\r\n1,NULL,'\u003cscript\u003ealert(\"XSS\")\u003c/script\u003e',table_name FROM\r\nhttps://www.group-ib.com/blog/boolka/\r\nPage 6 of 35\n\ninformation_schema.tables WHERE 2\u003e1--/**/; EXEC\r\nxp_cmdshell('cat ../../../etc/passwd'\r\nMalware delivery\r\nThe landing page updatebrower[.]com (Picture 6) detected in January 2024 was a test run of a\r\nmalware delivery platform created by Boolka. This platform was based on open source tool BeEF\r\n(The Browser Exploitation Framework). In addition to the use of the obvious subdomain “beef” and\r\ndefault BeEF filename “hook.js” VirusTotal also detected and saved default hook.js version.\r\nPicture 6: Screenshot of first detected test landing page created by Boolka\r\nIn total threat actor created 3 domain names for landing pages but used only one of them:\r\nIn March 2024, Group-IB Threat Intelligence analysts detected the first use of Boolka’s\r\nmalware delivery platform in the wild. While there are multiple overlaps between the list of\r\nupdatebrower.com\r\n1-update-soft.com\r\nupdate-brower.com\r\nhttps://www.group-ib.com/blog/boolka/\r\nPage 7 of 35\n\nwebsites infected with Boolka’s formstealing JS and Boolka’s BeEF payload, we can assume that\r\nduring this campaign the threat actor used the same approach for website infection that he tested\r\nduring early stages of his activities.\r\nIn analyzed cases BeEF-based malware delivery platform created by Boolka was used to distribute a\r\ndownloader for the BMANAGER trojan.\r\nMalware\r\nDifferent malware samples were discovered during analysis. 
Infection starts with the BMANAGER\r\ndropper which will attempt to download the BMANAGER malware from a hard-coded URL.\r\nThe following malware samples have been discovered as being used by Boolka.\r\nBMANAGER downloader\r\nDownloader\r\nBMANAGER\r\nDownloader\r\nBMREADER\r\nData exfiltration\r\nBMLOG\r\nhttps://www.group-ib.com/blog/boolka/\r\nPage 8 of 35\n\nAll samples found thus far have been created with PyInstaller. The Python scripts used rely on\r\nPython 3.11.\r\nBMANAGER downloader\r\nThe BMANAGER downloader attempts to download, configure persistence for, and execute the\r\nBMANAGER malware.\r\nIt downloads the BMANAGER from a URL hard-coded into the dropper using a HTTP(S) GET\r\nrequest.\r\nThe response to this request is a list of Base64 encoded strings. These strings are decoded, ZLIB\r\ndecompressed, and appended to the BMANAGER executable file.\r\nBy default it drops the BMANAGER malware at: C:\\Program Files\\Full Browser\r\nManager\\1.0.0\\bmanager.exe\r\nKeylogger\r\nBMHOOK\r\nRecords which applications are running and have keyboard focus\r\nBMBACKUP\r\nFile stealer\r\nhttps://www.group-ib.com/blog/boolka/\r\nPage 9 of 35\n\nBMANAGER persistence \u0026 execution\r\nPersistence is achieved via Windows tasks. This starts the BMANAGER malware when the user logs\r\ninto Windows.\r\nschtasks /create /sc onlogon /tn bmanager /tr \"'C:\\\\Program Files\\\\Full\r\nBrowser Manager\\\\1.0.0\\\\bmanager.exe'\" /it /rl HIGHEST\r\nThe task is executed immediately after creation.\r\nschtasks /run /tn bmanager\r\nThese values are hard-coded into the downloader.\r\nBMANAGER\r\nBMANAGER is capable of downloading files from a hard-coded C2, creating startup tasks, deleting\r\nstartup tasks, and running executables.\r\nFeatures\r\nWindows tasks \u0026 persistence\r\nPersistence is achieved by creating Windows tasks. Individual malware samples do not have the\r\ncapability to achieve persistence. This is done for them by the BMANAGER malware. 
The\r\nBMANAGER malware will execute the following command to achieve persistence:\r\nDownload executables from a hard-coded C2 address\r\nCreate Windows tasks to allow executables to run on login\r\nCreate Windows tasks to run executables\r\nDelete Windows tasks\r\nhttps://www.group-ib.com/blog/boolka/\r\nPage 10 of 35\n\nschtasks /create /sc onlogon /tn {task_name} /tr\r\n\"'{path_to_executable}.exe'\" /it /rl HIGHEST\r\nWith task_name being replaced by a name for the task as defined by the C2. And\r\npath_to_executable being replaced with the path to and name of the executable to configure the\r\npersistence for.\r\nC2 communication\r\nThe malware communicates with the C2 via HTTP(S) GET requests.\r\nRegister client\r\nOn startup the malware will send messages to the C2 to register it using a GUID randomly generated\r\nby the malware. This GUID is stored in a local SQL database.\r\nThe initial C2 this request is sent to is hard-coded into the sample.\r\n1. /client?guid={guid}\r\n1. Expects a string “success” to be returned.\r\n2. /getmainnodes?guid={guid}\r\n1. Expects a list of potential C2s to be returned.\r\n3. /\r\n1. This request is sent to each C2 in the received list to determine response time.\r\n2. List of C2s is sorted based on response time from low to high.\r\n4. /client?guid={guid}\r\n1. Request is executed for each C2 in the returned list.\r\n2. Expects a string “success” to be returned.\r\nIf “success” is returned the C2 is selected as the active C2 and it stops going through the\r\nlist of C2s.\r\n3.\r\nhttps://www.group-ib.com/blog/boolka/\r\nPage 11 of 35\n\nThe list of C2s is stored in a locally kept SQL database. The active C2 is marked as such in this SQL\r\ndatabase.\r\nGet target applications\r\nNext the malware will attempt to retrieve a list of applications which are targets. 
This request is made\r\nto the active C2.\r\nThe response is a single string containing comma separated executable names.\r\nopera.exe,msedge.exe,chrome.exe,firefox.exe,HxOutlook.exe,HxAccounts.exe,EXCEL.EXE,SearchA\r\nResponse of C2 during time of analysis (29/02/2024)\r\nThis list of applications is stored in the local SQL database. The information can then be used by\r\nother modules to determine what applications to target.\r\nGet additional malware\r\nLast but not least the malware will attempt to retrieve additional executables from the active C2.\r\nThese executables have thus far always been other malware samples. These samples are:\r\n/getprogramms?guid={guid}\r\nBMREADER\r\nData exfiltration module\r\nBMLOG\r\nKeylogger module\r\nBMHOOK\r\nWindows hooking module\r\nBMBACKUP\r\nFile stealer module\r\nhttps://www.group-ib.com/blog/boolka/\r\nPage 12 of 35\n\nIt will send a GET request to the C2 to retrieve the applications to download and install.\r\nhxxps://updatebrower[.]com/download/bmbackup.txt;bmbackup;C:\\Program Files\\Full Browser Ma\r\nhxxps://updatebrower[.]com/download/bmhook.txt;bmhook;C:\\Program Files\\Full Browser Manage\r\nhxxps://updatebrower[.]com/download/bmlog.txt;bmlog;C:\\Program Files\\Full Browser Manager\\\r\nhxxps://updatebrower[.]com/download/bmreader.txt;bmreader;C:\\Program Files\\Full Browser Ma\r\nResponse of C2 during the time of analysis (29/02/2024).\r\nThese strings consist of parameters used by the BMANAGER malware. These parameters are\r\nseparated using the semicolon (;) character. 
The parameters are as follows:\r\n/getinstall?guid={guid}\r\nDownload URL\r\nThe URL from where to download the executable.\r\nWindows task name\r\nThe name of the Windows task to create/run/delete.\r\nExecutable dump path\r\nWhere the downloaded executable is dumped on the victim device.\r\nFunction\r\nWhether to create a new Windows task for the executable, to run an existing Windows\r\ntask, to create and run a Windows task, or to delete an existing Windows task.\r\nPossible values:\r\n1\r\nCreate new Windows task (which is set to start on login)\r\nThis will download the executable.\r\n2\r\nDelete an existing Windows task\r\n3\r\nhttps://www.group-ib.com/blog/boolka/\r\nPage 13 of 35\n\nTo download an executable the malware sends a GET request to the given URL. The response is a\r\nlist of Base64 encoded strings. These strings are decoded, ZLIB decompressed, and appended to\r\nthe final executable file.\r\nA new Windows task is created for this executable to start on login, and optionally the executable is\r\nstarted immediately.\r\nAfter all applications have been downloaded, and all tasks have been performed, a message is sent\r\nback to the C2.\r\nThe version being the version string found in the C2 response.\r\nBMREADER\r\nThe BMREADER malware sends stolen data stored in the local SQL database to the active C2.\r\nFeatures\r\nC2 communication\r\nCreate a new Windows task (which is set to start on login) and run it\r\nimmediately\r\nThis will download the executable.\r\n4\r\nRun an existing Windows task\r\n5\r\nStop a currently running Windows task\r\nThis will also delete the executable.\r\nVersion\r\nA string value. 
This value is used to distinguish between versions of the malware.\r\n/install?guid={guid}\u0026name={version}\r\nExfiltrates data stored in the local SQL database\r\nhttps://www.group-ib.com/blog/boolka/\r\nPage 14 of 35\n\nCommunication with the C2 is done via HTTP(S) GET requests.\r\nRegister with C2\r\nOn start-up the malware will retrieve a C2 to use for further communication. To make the first\r\nrequest the initial C2 that is used is set to the active C2 in the local SQL database.\r\nSending stolen inputs\r\nOne of the values stored in the local SQL database that is exfiltrated by the BMREADER is a list of\r\nkeyboard inputs. These keyboard inputs have been obtained by the BMLOG (keylogger) malware.\r\nThe following GET request is made to the connected C2.\r\n1. /getnodes?guid={guid}\u0026type=2\r\n1. Expects a list of C2s as response.\r\n2. /usednodes?guid={guid}\u0026t=0\u0026node={resultnode}\r\n1. resultnode is set to the initial C2 address.\r\n2. Only called if 1 did not return a list of C2s.\r\n3. Expects a list of C2s as response.\r\n3. /\r\n1. Called for every C2 in the list.\r\n2. Measures response time of C2s.\r\n3. List of C2s is sorted based on response time from low to high.\r\n4. /client?guid={guid}\r\n1. Called for every C2 in the list.\r\n2. Expects string “success”.\r\n3. If “success” is returned it will stop going through the list of C2s.\r\n5. /usednodes?guid={guid}\u0026t=0\u0026node={resultnode}\r\n1. resultnode is set to the C2 the malware has chosen to connect to.\r\n2. Sent to the initial C2.\r\n3. 
If no C2 returns “success”, the initial C2 is used.\r\n/clientdata?guid={guid}\u0026programm={programm}\u0026title={titleencode}\u0026vars={resultencode}\r\nhttps://www.group-ib.com/blog/boolka/\r\nPage 15 of 35\n\nThe “resultencode” string is created as follows:\r\nThe logged keys sent are then removed from the local SQL database.\r\nSending known applications\r\nAnother value stored in the local SQL database, and sent to the C2 by the malware, are applications\r\nfound to be running on the victim device. These applications are collected by the BMHOOK\r\nmalware.\r\nA GET request is made to the C2:\r\nWhen the response to this request is a string value of “success” the SQL database is updated. This\r\nupdate sets all applications as having been sent. This prevents entries from being sent twice.\r\nBMLOG\r\nThe BMLOG malware is a keylogger. It stores logged keys in a local SQL database.\r\nguid being the GUID retrieved from the local SQL database\r\nprogramm being the path of the application from which the keys were logged\r\ntitleencode being a ZLIB compressed and Base64 encoded string that is the window title\r\nfrom which the keys were logged\r\nresultencode being a ZLIB compressed and Base64 encoded string that is a combination\r\nof a number of values.\r\n“eventid={eventid}|||recid={recid}|||data={data}|||”\r\neventid being the ID of the event that triggered the keylogging\r\nrecid being the ID of the keylogging.\r\ndata being the actual string of inputs stolen from the victim.\r\n/clientprogramm?guid={guid}\u0026vars={resultencode}\r\nguid being the random GUID obtained from the local SQL database.\r\nresultencode being a ZLIB compressed and Base64 encoded string consisting of all\r\nprograms stored in the local SQL database\r\nhttps://www.group-ib.com/blog/boolka/\r\nPage 16 of 35\n\nIt performs the keylogging using the Python keyboard module.\r\nDue to the keyboard module logging keys globally, not per window, it uses the BMHOOK malware to\r\nrecord which 
window currently has keyboard focus.\r\nIt will only log keys for applications that have been set as targets. These targets are received by the\r\nBMANAGER malware from the C2 and stored in the local SQL database. The BMLOG malware reads\r\nthese targets from that same database.\r\nFeatures\r\nStoring logged keys\r\nInstead of sending logged keys to a C2 it stores them in a local SQL database.\r\nThe keylogger will continually log keys until either:\r\nIf either of these events occurs all inputs are stored as a single string in the local SQL database.\r\nAfter storage the keylogger will begin logging again.\r\nThe inputs are translated as follows:\r\nAdditional values stored alongside the input string are:\r\nRecord keyboard inputs\r\n1. 60 seconds of logging have passed\r\n2. A different window gains keyboard focus\r\nFor inputs a single character long (a, b, 1, 2, etc.) they are put in the string as is.\r\nFor space inputs a whitespace is appended to the string.\r\nFor tab inputs a “\\t” character is appended to the string.\r\nFor other inputs the input is capitalized and placed between square brackets before being\r\nappended to the string.\r\nThe event ID\r\nThe amount of recordings made for the logged application\r\nThe path to the logged application\r\nhttps://www.group-ib.com/blog/boolka/\r\nPage 17 of 35\n\nThe BMREADER application sends the logged keys to the C2.\r\nBMHOOK\r\nThe BMHOOK malware uses Windows hooks to discover which applications are running on a victim\r\ndevice and which window/application has keyboard focus.\r\nThis sample stands out in its implementation in that it uses CPython and Windows APIs to install\r\nWindows hooks. This makes the sample function only on Windows.\r\nFeatures\r\nWindows hooks\r\nThe BMHOOK malware uses the SetWinEventHook function to install a Windows hook. This hook is\r\nconfigured to trigger on win32con.EVENT_OBJECT_FOCUS events. 
This type of event occurs\r\nwhen a window receives keyboard focus.\r\nThe following actions occur when this event is triggered:\r\nThe BMREADER malware uses the information stored in the local SQL database to send to the C2.\r\nThe BMLOG malware uses the information to determine which window/application is being\r\nkeylogged.\r\nBMBACKUP\r\nThe BMBACKUP malware is a file stealer. It checks for specific files retrieved from a C2. If it finds the\r\nfiles it will read them and send them to the C2.\r\nThe title of the window being keylogged\r\n0 value to indicate the information has not yet been sent to the C2\r\nInstall a Windows hook to trigger on a window receiving keyboard focus\r\nUse GetWindowTextW to retrieve the title of the hooked window.\r\nObtain the full path of the executable the window belongs to.\r\nInsert these two values, and a unique ID value, into the local SQL database.\r\nInsert the path to the application into the local SQL database, if it does not exist there already.\r\nhttps://www.group-ib.com/blog/boolka/\r\nPage 18 of 35\n\nFeatures\r\nC2 communication\r\nCommunication with the C2 occurs via HTTP(S) GET requests.\r\nRegister with C2\r\nOn start-up the malware will retrieve a C2 to use for further communication. To make the first\r\nrequest the initial C2 that is used is set to the active C2 in the local SQL database.\r\nGet target files\r\nRetrieve paths of files to steal from C2\r\nExfiltrate stolen files to C2\r\n1. /getnodes?guid={guid}\u0026type=2\r\n1. Expects a list of C2s as response.\r\n2. /usednodes?guid={guid}\u0026t=0\u0026node={resultnode}\r\n1. Only called if 1 did not return a list of C2s.\r\n2. Expects a list of C2s as response.\r\n3. /\r\n1. Called for every C2 in the list.\r\n2. Measures response time of C2s.\r\n3. List of C2s is sorted based on response time from low to high.\r\n4. /client?guid={guid}\r\n1. Called for every C2 in the list.\r\n2. Expects string “success”.\r\n3. 
If “success” is returned it will stop going through the list of C2s.\r\n5. /usednodes?guid={guid}\u0026t=0\u0026node={resultnode}\r\n1. Sent to the initial used for the first request.\r\n2. resultnode is set to the C2 the malware has chosen to connect to.\r\n3. If no C2 returns “success”, the initial C2 is used.\r\nhttps://www.group-ib.com/blog/boolka/\r\nPage 19 of 35\n\nThe malware sends a request to the C2 every 60 seconds to retrieve a list of files to exfiltrate.\r\nThe response consists of a list of strings. Each being an absolute path to a file to exfiltrate.\r\nC:\\*\\*\\AppData\\Roaming\\Bitcoin\\wallets\\*\\wallet.dat\r\nC:\\*\\*\\AppData\\Roaming\\Bitcoin\\wallets\\wallet.dat\r\nResponse from C2 during the time of analysis (29/02/2024).\r\nAfter making this request it will check each of these files whether they exist or not. If a file is found\r\nto exist the exfiltration process is initiated.\r\nExfiltrating files\r\nThe malware will go through the list of files to exfiltrate and check if they exist. When a file exists it\r\nwill begin the exfiltration process.\r\nresultencode is created in the following manner:\r\n/getpaths?guid={guid}\r\nA copy of the target file is made with a randomized name. This randomized name is a random\r\nUUID value ending with “.tmp”. This copy is placed in the users temporary directory\r\n(C:\\Users\\*\\AppData\\Local\\Temp).\r\n1.\r\nThe copy file is read in 16384 byte chunks. Each of these chunks is sent to the C2 via a GET\r\nrequest.\r\n2.\r\n1. /clientfiledata?guid={guid}\u0026vars={resultencode}\r\n2. 
resultencode being a Base64 encoded string containing the byte data.\r\nUp to 16384 bytes are read from the target backup file and converted to a hexadecimal string\r\nThe info string is created\r\n“partid={partid}|||partcount={partcount}|||hex={hex}|||fn={file}|||\r\npartid is which chunk of the file this object is\r\nhttps://www.group-ib.com/blog/boolka/\r\nPage 20 of 35\n\nSQL database\r\nMost samples make use of a local SQL database. The path and name of this database is hard-coded\r\nin the samples to be located at: C:\\Users\\{user}\\AppData\\Local\\Temp\\coollog.db, with user being the\r\nusername of the logged in user.\r\nThe following is a map of the SQL database. This map contains all tables and fields used by the\r\ndifferent malware samples. Do note that the tables are created by each sample as they use them.\r\nThus if certain samples are not present on a device, these tables may not be present.\r\npartcount are the total amount of chunks the file consists of\r\nhex are the bytes read from the file\r\nfile is the path and name of the original file (not the path and name of the backup\r\nfile)\r\nThis info string is ZLIB compressed, Base64 encoded, and then made URL safe\r\nThis is the final resultencode object that is sent as a URL parameter\r\nhttps://www.group-ib.com/blog/boolka/\r\nPage 21 of 35\n\nTables\r\nclientguid\r\nContains the randomly generated GUID used to identify the sample to the C2.\r\nCreated by BMANAGER\r\nmainnodes\r\nContains a list of C2s, in particular the currently active C2.\r\nCreated by BMANAGER\r\nhttps://www.group-ib.com/blog/boolka/\r\nPage 22 of 35\n\nSigning certificate\r\nBMANAGER 2f10a81bc5a1aad7230cec197af987d00e5008edca205141ac74bc6219ea1802 is signed\r\nwith a valid certificate by ООО ТАСК:\r\nlog\r\nContains the keylogger data.\r\nCreated by BMLOG\r\nevent\r\nContains which applications/windows have/had keyboard focus.\r\nCreated by BMHOOK\r\nallprogramm\r\nContains a list of applications whose window has received 
keyboard focus at one point.\r\nCreated by BMHOOK\r\nprogramms\r\nContains a list of all applications that are to be targeted by other modules.\r\nCreated by BMANAGER\r\nfiles\r\nContains a list of files that need to be exfiltrated to the C2.\r\nCreated by BMBACKUP\r\nhttps://www.group-ib.com/blog/boolka/\r\nPage 23 of 35\n\nSerial number 75 69 94 1C 66 2A AD 5F E9 50 11 B1\r\nhttps://www.group-ib.com/blog/boolka/\r\nPage 24 of 35\n\nAccording to its metadata the signer is i.shadrin@tacke.ru.\r\nhttps://www.group-ib.com/blog/boolka/\r\nPage 25 of 35\n\nAccording to the company’s website they develop software, however there are few suspicious\r\nthings:\r\nBased on public information the company consists of 4 people, and their CEO also runs 5 other\r\nsmall companies.\r\nThese facts lead to three different versions:\r\nThe locale shown on the map differs from the address, which points to the town of Dmitrov in\r\nMoscow, Russia.\r\nall buttons show static info which doesn’t correlate with their description\r\nthe certificate doesn’t belong to OOO ТАСК, and it was bought by a fraudster providing fake\r\ndata to GlobalSign\r\nthe certificate was stolen from OOO ТАСК, which means that either infrastructure of ООО ТАСК\r\nwas compromised or email i.shadrin@tacke.ru got compromised\r\nООО ТАСК or it’s employees anyhow involved into fraudulent operations\r\nhttps://www.group-ib.com/blog/boolka/\r\nPage 26 of 35\n\nWe can not confirm any of these versions. However we checked domain tacke.ru in the stealer logs\r\ncloud and didn’t find any occurrence.\r\nConclusion\r\nThe discovery of the Boolka’s activities sheds light on the evolving landscape of cyber threats.\r\nStarting from opportunistic SQL injection attacks in 2022 to the development of his own malware\r\ndelivery platform and trojans like BMANAGER, Boolka’s operations demonstrate the group’s tactics\r\nhave grown more sophisticated over time. 
The injection of malicious JavaScript snippets into\r\nvulnerable websites for data exfiltration, and then the use of the BeEF framework for malware\r\ndelivery, reflects the step-by-step development of the attacker’s competencies.\r\nThe analysis reveals the complexity of the malware ecosystem employed by Boolka, with various\r\ncomponents such as formstealing scripts, keyloggers, and file stealers orchestrated to achieve\r\nmalicious objectives. Additionally, the investigation into the signing certificate used by the\r\nBMANAGER malware underscores the challenges in attribution and the potential involvement of\r\nlegitimate entities in illicit activities.\r\nRecommendations\r\nRecommendations for end users:\r\nAvoid clicking on suspicious links or downloading files from unknown sources.\r\nDownload apps and updates only from official sources.\r\nEnsure that your operating systems, browsers, and all software are regularly updated.\r\nEmploy strong, unique passwords for different accounts and use a reputable password manager\r\nto keep track of them.\r\nEnhance security by enabling multi-factor authentication (MFA) on your accounts wherever\r\npossible.\r\nEnsure you have reliable and up-to-date security measures like anti-virus software in place to\r\ndetect and remove threats.\r\nhttps://www.group-ib.com/blog/boolka/\r\nPage 27 of 35\n\nRecommendations for website owners:\r\nSupercharge your cybersecurity with\r\nGroup-IB's Threat Intelligence\r\nConduct frequent security audits and vulnerability assessments to identify and fix potential\r\nweaknesses. Group-IB’s Penetration Testing services can help you minimize your\r\nsusceptibility to web attacks. 
Our experts work with the latest methods and techniques curated by Group-IB Threat Intelligence to pinpoint assets vulnerable to web injection attacks, and more.\r\nUse robust authentication protocols and require strong passwords for all users, along with multi-factor authentication.\r\nEnsure all software, including plugins and content management systems, is updated with the latest security patches.\r\nDeploy a WAF to monitor and filter malicious traffic targeting your web applications.\r\nFor advanced cybersecurity teams, we recommend using Group-IB’s Threat Intelligence system, which can detect relevant threats as early as their preparation stage. The built-in graph analysis tool, enriched by data from the largest threat-actor database, reveals links between attackers, their infrastructure, and their tools. Enriching cybersecurity with threat intelligence significantly strengthens an organization’s ability to counter attacks, including those carried out by state-sponsored groups.\r\nProvide regular training for your staff on the latest security practices and threat awareness.\r\nSet up continuous website monitoring for suspicious activity and have an incident response plan ready in case of a breach.\r\n\r\nMITRE ATT&CK\r\nT1583.001 – Acquire Infrastructure: Domains\r\nT1583.003 – Acquire Infrastructure: Virtual Private Server\r\nT1584.005 – Compromise Infrastructure: Botnet\r\nT1587.001 – Develop Capabilities: Malware\r\nT1588.002 – Obtain Capabilities: Tool\r\nT1189 – Drive-by Compromise\r\nT1190 – Exploit Public-Facing Application\r\nT1059.007 – Command and Scripting Interpreter: JavaScript\r\nT1203 – Exploitation for Client Execution\r\nT1204.002 – User Execution: Malicious File\r\nT1569 – System Services\r\nT1569.002 – System Services: Service Execution\r\nT1543 – Create or Modify System Process\r\nT1543.003 – Create or Modify System Process: Windows Service\r\nT1053.005 – Scheduled Task/Job: Scheduled Task\r\nT1001 – Data Obfuscation\r\nT1027 – Obfuscated Files or Information\r\nT1056 – Input Capture\r\nT1056.001 – Input Capture: Keylogging\r\nT1082 – System Information Discovery\r\nT1083 – File and Directory Discovery\r\nT1210 – Exploitation of Remote Services\r\nT1005 – Data from Local System\r\nT1213 – Data from Information Repositories\r\nT1071.001 – Application Layer Protocol: Web Protocols\r\nT1041 – Exfiltration Over C2 Channel\r\nT1565 – Data Manipulation\r\nT1565.002 – Data Manipulation: Transmitted Data Manipulation\r\nT1608 – Stage Capabilities\r\nT1608.001 – Stage Capabilities: Upload Malware\r\n\r\nIoCs\r\nFile hashes (SHA-256)\r\n2f10a81bc5a1aad7230cec197af987d00e5008edca205141ac74bc6219ea1802 - Dropper\r\n7266f20123edcb2e0b92ac0b63225b8db2c5ff349818b339ef1553bff06719e4 - BMANAGER\r\n9434e2f277f764bb75302cd5355ed45f7624f1d993a454a7dbaf68b7e9b4b3a2 - BMBACKUP\r\nb2dbd3187c67883c0f77c17530f41e05950e9e38b2798773770fe37f5985e367 - BMHOOK\r\n94430690ac9516a25ca764bae8c4b5a88d6f0308f558aea43ca50b5f750685ee - BMLOG\r\n227b8233071da4d3015cb04b69285885100c9f2e5d98b803b37d23afb798375a - BMREADER\r\nDomains & IPs\r\nDomain | Registration date | Registrar | Description\r\nboolka.tk | – | Freenom | Form stealing JS C2\r\nboolka24.tk | – | Freenom | Form stealing JS C2\r\nbeonlineboo.com | 30.06.2022 | CNOBIN INFORMATION TECHNOLOGY LIMITED | Form stealing JS C2\r\nbeef.beonlineboo.com | 30.06.2022 | CNOBIN INFORMATION TECHNOLOGY LIMITED | BeEF-based malware delivery platform C2\r\nmainnode.beonlineboo.com | 30.06.2022 | CNOBIN INFORMATION TECHNOLOGY LIMITED | Boolka malware C2 (BManager, BMReader, BMBackup)\r\nnode.beonlineboo.com | – | CNOBIN INFORMATION TECHNOLOGY LIMITED | Boolka malware C2\r\nIP | Domain Name\r\n194.165.16.68 | boolka.tk\r\n141.98.81.23 | boolka24.tk\r\n179.60.150.123 | beonlineboo.com\r\n141.98.9.152 | mainnode.beonlineboo.com\r\n92.51.2.78 | beef.beonlineboo.com\r\n179.60.147.74 | node.beonlineboo.com\r\n45.182.189.109 | updatebrower.com\r\nURLs\r\nhttps://mainnode.beonlineboo.com\r\nhttps://mainnode.beonlineboo.com/client?guid={guid}\r\nhttps://mainnode.beonlineboo.com/getmainnodes?guid={guid}\r\nhttps://mainnode.beonlineboo.com/getprogramms?guid={guid}\r\nhttps://mainnode.beonlineboo.com/getinstall?guid={guid}\r\nhttps://mainnode.beonlineboo.com/install?guid={guid}&name={version}\r\nhttps://mainnode.beonlineboo.com/usednodes?guid={guid}&t={nodeping}&node=https://node.beon\r\nhttps://node.beonlineboo.com\r\nhttps://node.beonlineboo.com/client?guid={guid}\r\nhttps://node.beonlineboo.com/clientdata?guid={guid}&programm={programm}&title={titleencode\r\nhttps://node.beonlineboo.com/clientprogramm?guid={guid}&vars={resultencode}\r\nhttps://node.beonlineboo.com/clientfiledata?guid={guid}&vars={resultencode}\r\nhttps://updatebrower.com/download/bmanager.txt\r\nhttps://updatebrower.com/download/bmbackup.txt\r\nhttps://updatebrower.com/download/bmhook.txt\r\nhttps://updatebrower.com/download/bmlog.txt\r\nhttps://updatebrower.com/download/bmreader.txt\r\nhttp://boolka.tk/js/support.js?host=\r\nhttps://beef.beonlineboo.com/check?url=\r\nhttps://beef.beonlineboo.com/hook.js\r\nhttps://beonlineboo.com/js/support.js?host=\r\nhttps://boolka24.tk/js/support.js?host=\r\nFile artifacts\r\nC:\\Users\\*\\AppData\\Local\\Temp\\coollog.db\r\nC:\\Users\\*\\AppData\\Local\\Temp\\coollog.db-journal\r\nC:\\Program Files\\Full Browser Manager\\1.0.0\\bmanager.exe\r\nC:\\Program Files\\Full Browser Manager\\1.0.0\\bmbackup.exe\r\nC:\\Program Files\\Full Browser Manager\\1.0.0\\bmhook.exe\r\nC:\\Program Files\\Full Browser Manager\\1.0.0\\bmlog.exe\r\nC:\\Program Files\\Full Browser Manager\\1.0.0\\bmreader.exe\r\nC:\\Users\\*\\AppData\\Local\\Temp\\{UUID}.tmp\r\n{UUID} is a randomly generated UUID value.\r\nPersistence\r\nTo achieve persistence, BMANAGER registers a logon-triggered scheduled task (schtasks /sc onlogon) for each module, so that all five components are relaunched at every user logon:\r\nschtasks /create /sc onlogon /tn bmanager /tr \"'C:\\\\Program Files\\\\Full Browser Manager\\\\\r\nschtasks /create /sc onlogon /tn bmreader /tr \"'C:\\\\Program Files\\\\Full Browser Manager\\\\\r\nschtasks /create /sc onlogon /tn bmlog /tr \"'C:\\\\Program Files\\\\Full Browser Manager\\\\1.0\r\nschtasks /create /sc onlogon /tn bmhook /tr \"'C:\\\\Program Files\\\\Full Browser Manager\\\\1\r\nschtasks /create /sc onlogon /tn bmbackup /tr \"'C:\\\\Program Files\\\\Full Browser Manager\\\\",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.group-ib.com/blog/boolka/"
	],
	"report_names": [
		"boolka"
	],
	"threat_actors": [
		{
			"id": "5132dd03-d080-46af-87b5-2e8bdb9df471",
			"created_at": "2024-07-02T02:00:04.165814Z",
			"updated_at": "2026-04-10T02:00:03.669194Z",
			"deleted_at": null,
			"main_name": "Boolka",
			"aliases": [],
			"source_name": "MISPGALAXY:Boolka",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "eae4b6c4-8a61-4303-becc-b11f00b5bfda",
			"created_at": "2024-02-22T02:00:03.772831Z",
			"updated_at": "2026-04-10T02:00:03.592334Z",
			"deleted_at": null,
			"main_name": "ShadowSyndicate",
			"aliases": [],
			"source_name": "MISPGALAXY:ShadowSyndicate",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434461,
	"ts_updated_at": 1775792003,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e3dfffa6bae5e9c33d27868b39949eb46cb65dff.pdf",
		"text": "https://archive.orkl.eu/e3dfffa6bae5e9c33d27868b39949eb46cb65dff.txt",
		"img": "https://archive.orkl.eu/e3dfffa6bae5e9c33d27868b39949eb46cb65dff.jpg"
	}
}
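The IoC and persistence sections of the report above list domains, IPs, C2 request paths, file hashes, an install directory and five scheduled-task names. The following hunting script is an added example, not Group-IB tooling or code from the report: it loads those indicators and runs them over constructed proxy-log lines, scheduled-task records and hashes. The proxy-log format (`timestamp client method url status`), the task records and every sample line are assumptions made for the example; the indicator values themselves are the report's.

```python
"""Hunting helpers for the Boolka / BMANAGER indicators in the report.

Added example, not Group-IB code. Log format, task records and all
sample inputs are constructed; indicator values come from the IoC list.
"""
from urllib.parse import urlsplit, parse_qs

# Domains and IPs from the report's IoC tables.
C2_DOMAINS = {
    "boolka.tk", "boolka24.tk", "beonlineboo.com", "beef.beonlineboo.com",
    "mainnode.beonlineboo.com", "node.beonlineboo.com", "updatebrower.com",
}
C2_IPS = {
    "194.165.16.68", "141.98.81.23", "179.60.150.123", "141.98.9.152",
    "92.51.2.78", "179.60.147.74", "45.182.189.109",
}
# Request paths from the URL list: BMANAGER C2 protocol, BeEF hook/check
# endpoints and the form-stealer loader. Payload staging is handled below.
C2_PATHS = {
    "/client", "/getmainnodes", "/getprogramms", "/getinstall", "/install",
    "/usednodes", "/clientdata", "/clientprogramm", "/clientfiledata",
    "/check", "/hook.js", "/js/support.js",
}
FILE_HASHES = {
    "2f10a81bc5a1aad7230cec197af987d00e5008edca205141ac74bc6219ea1802": "Dropper",
    "7266f20123edcb2e0b92ac0b63225b8db2c5ff349818b339ef1553bff06719e4": "BMANAGER",
    "9434e2f277f764bb75302cd5355ed45f7624f1d993a454a7dbaf68b7e9b4b3a2": "BMBACKUP",
    "b2dbd3187c67883c0f77c17530f41e05950e9e38b2798773770fe37f5985e367": "BMHOOK",
    "94430690ac9516a25ca764bae8c4b5a88d6f0308f558aea43ca50b5f750685ee": "BMLOG",
    "227b8233071da4d3015cb04b69285885100c9f2e5d98b803b37d23afb798375a": "BMREADER",
}
# Task names and install directory from the persistence section.
TASK_NAMES = {"bmanager", "bmreader", "bmlog", "bmhook", "bmbackup"}
INSTALL_DIR = r"c:\program files\full browser manager\1.0.0"


def host_is_c2(host: str) -> bool:
    """True for a listed IP, a listed domain, or any subdomain of one."""
    host = host.lower().rstrip(".")
    if host in C2_IPS or host in C2_DOMAINS:
        return True
    return any(host.endswith("." + d) for d in C2_DOMAINS)


def check_url(url: str):
    """Return a finding for a URL on Boolka infrastructure, else None."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if not host_is_c2(host):
        return None
    query = parse_qs(parts.query)
    path = parts.path
    # /download/bm*.txt is the module staging path on updatebrower.com.
    staging = path.startswith("/download/bm") and path.endswith(".txt")
    return {
        "host": host,
        "path": path,
        "known_endpoint": path in C2_PATHS or staging,
        "guid": query.get("guid", [None])[0],        # bot identifier
        "programm": query.get("programm", [None])[0],  # reporting module
    }


def scan_proxy_log(lines):
    """Scan constructed lines '<ts> <client-ip> <method> <url> <status>'
    and return one finding per line that talks to Boolka infrastructure."""
    findings = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line: skip it rather than abort the scan
        hit = check_url(fields[3])
        if hit:
            hit["client"] = fields[1]
            findings.append(hit)
    return findings


def check_task(task_name: str, command: str) -> bool:
    """Flag a scheduled task whose name is one of the five module tasks or
    whose command runs from the install directory. Doubled backslashes
    (as in the report's schtasks lines) are normalised before matching."""
    cmd = command.lower().replace("\\\\", "\\")
    return task_name.lower() in TASK_NAMES or INSTALL_DIR in cmd


def classify_hash(sha256: str):
    """Map a SHA-256 to the Boolka module it belongs to, or None."""
    return FILE_HASHES.get(sha256.lower())


# Constructed sample data (not from the report).
SAMPLE_LOG = [
    "2024-01-15T10:22:01Z 10.0.0.5 GET https://mainnode.beonlineboo.com/client?guid=3f2a 200",
    "2024-01-15T10:22:02Z 10.0.0.5 GET https://www.example.com/client?guid=3f2a 200",
    "2024-01-15T10:22:07Z 10.0.0.5 GET https://node.beonlineboo.com/clientdata?guid=3f2a&programm=bmlog&title=x 200",
    "2024-01-15T10:23:00Z 10.0.0.9 GET https://updatebrower.com/download/bmhook.txt 200",
    "garbage line",
]

if __name__ == "__main__":
    for finding in scan_proxy_log(SAMPLE_LOG):
        print("C2 traffic:", finding)
    print("persistence:", check_task("bmanager",
          r"'C:\Program Files\Full Browser Manager\1.0.0\bmanager.exe'"))
```

The task check matches on the task name and the install directory rather than the full command line, because the report's schtasks lines are cut off at the directory; the host check also treats any subdomain of a listed domain as a hit, which catches new `*.beonlineboo.com` nodes at the cost of a stricter exact-match policy.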