{
	"id": "ef68ec54-7ab6-478c-b669-fe406f3bd56c",
	"created_at": "2026-04-06T00:07:42.281403Z",
	"updated_at": "2026-04-10T13:11:40.10224Z",
	"deleted_at": null,
	"sha1_hash": "e87354c228d96d29fd40b27d9e4945b4b6517312",
	"title": "How To Guide | Neutralizing Tofsee Spambot – Part 2 | InMemoryConfig store vaccine | Spamhaus Technology",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 793177,
	"plain_text": "How To Guide | Neutralizing Tofsee Spambot – Part 2 |\r\nInMemoryConfig store vaccine | Spamhaus Technology\r\nArchived: 2026-04-05 14:16:24 UTC\r\nIntroduction\r\nHere’s the second in our three-part series focused on protecting against Tofsee malware. This spambot is prolific, but various vaccines and kill switches are available to defend against Tofsee. Our malware researchers are sharing two vaccines and a network-based kill switch in this series.\r\nA recap\r\nIf you’re wondering what malware vaccines are and how they can be utilized, or you’d like to read about the first vaccine our researchers have shared relating to Tofsee and its binary file, read this blog post. Alternatively, keep reading to learn about a second vaccine our team has produced, focused on polluting Tofsee’s internal configuration store.\r\nA deeper dive into Tofsee’s config stores\r\nDuring the runtime of Tofsee and the communications with its command and control (C\u0026C) server, Tofsee stores various configuration values pertinent to the proper runtime of the code in a memory-based structure which we call the InMemoryConfig store. This is a circular linked list structure, and Tofsee defines it as follows:\r\nInMemoryConfig store structure\r\nLocations of Tofsee’s configuration storage\r\nhttps://www.spamhaus.com/resource-center/neutralizing-tofsee-spambot-part-2-inmemoryconfig-store-vaccine/\r\nPage 1 of 5\r\nEach ConfigValue buffer has its internal structure based on the ConfigType value. This chained config is dumped and stored in various locations on the infected system so Tofsee can retrieve it after a reboot.\r\nThe various configuration storage locations are:\r\nFile storage\r\n1. %USERPROFILE%:.repos (ADS)\r\n2. %USERPROFILE%\\Local Settings:.repos\r\n3. %USERPROFILE%\\Local Settings\\Application Data\\Microsoft\\Windows\\UsrClass.dat.repos\r\n4. %USERPROFILE%\\wincookie.repos\r\nRegistry storage\r\n1. HKEY_CURRENT_USER\\Control Panel\\Buses\\Config0\r\n2. HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Buses\\Config0\r\nA simple Tofsee XOR algorithm encodes the data stored in these places:\r\nOnce retrieved and decoded, this data looks something like this in its raw parsed form:\r\nThe config stores of particular interest to us are the work_srv and start_srv structures. Both are retrieved during the initial C\u0026C connection of the Tofsee botnet.\r\nTofsee’s botnet C\u0026C environment\r\nTofsee has a two-tier C\u0026C ecosystem. The malware uses the hardcoded C\u0026Cs in the binary only once, to retrieve a list of tier-2 peers. These tier-2 peers then act as forwarding C\u0026Cs and are stored in the work_srv and start_srv config stores.\r\nwork_srv and start_srv have the following definition in memory:\r\nstruct srv\r\n{\r\n    char NumElements;\r\n    struct __srv\r\n    {\r\n        char IP_C2[0x41];\r\n        DWORD Port;\r\n    } Src[NumElements];\r\n};\r\nHow can you exploit this for a vaccine?\r\nIn order to vaccinate Tofsee from connecting to first-tier or second-tier C\u0026Cs, we can pollute these config stores’ values before the start of the infection chain.\r\nwork_srv will point to a controlled sinkhole IP. In this example, we’re going to point it to 127.0.0.1. In addition to this, we will recalculate the crc32 of the data buffer so that it passes the integrity check inside the binary:\r\nModified value for work_srv (with proper crc32 hash value)\r\nTo create a vaccine, the above binary blob has to be encoded using the same algorithm and written back to one of the config store paths (file or registry):\r\n“Config0” modified registry value for vaccine\r\nWhen Tofsee makes the connection, it only connects to the local sinkhole.\r\nSimple!\r\nThe final part of our Tofsee series looks at a network-based kill switch to protect against this malware.\r\nAuthor: Raashid Bhat, Malware Reverse Engineer, Spamhaus. Active 2017 - 2023.\r\nSource: https://www.spamhaus.com/resource-center/neutralizing-tofsee-spambot-part-2-inmemoryconfig-store-vaccine/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.spamhaus.com/resource-center/neutralizing-tofsee-spambot-part-2-inmemoryconfig-store-vaccine/"
	],
	"report_names": [
		"neutralizing-tofsee-spambot-part-2-inmemoryconfig-store-vaccine"
	],
	"threat_actors": [],
	"ts_created_at": 1775434062,
	"ts_updated_at": 1775826700,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e87354c228d96d29fd40b27d9e4945b4b6517312.pdf",
		"text": "https://archive.orkl.eu/e87354c228d96d29fd40b27d9e4945b4b6517312.txt",
		"img": "https://archive.orkl.eu/e87354c228d96d29fd40b27d9e4945b4b6517312.jpg"
	}
}