{
	"id": "0ed5e67c-c66f-41d0-8fae-378f5658c2c8",
	"created_at": "2026-04-06T00:14:51.212957Z",
	"updated_at": "2026-04-10T03:30:57.133817Z",
	"deleted_at": null,
	"sha1_hash": "eafba81fdeca8d822d3842361856dcbcc6d2bd7b",
	"title": "The Gafgyt variant vbot seen in its 31 campaigns",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 530783,
	"plain_text": "The Gafgyt variant vbot seen in its 31 campaigns\r\nBy LIU Ya\r\nPublished: 2020-07-06 · Archived: 2026-04-05 17:27:19 UTC\r\nOverview\r\nGafgyt botnets have a long history of infecting Linux devices to launch DDoS attacks. While dozens of variants have been detected, new variants are constantly emerging with changes in terms of register message, exploits, and attacking methods. On the other hand, their new botnets are usually short lived, with most of the C2s watched keeping active for only a few days. In this blog, I will introduce one such variant. The key findings are as follows:\r\n1. This variant was active from mid-April to mid-June. In total 31 campaigns for this variant were detected, from which 572 samples were captured. They were spread to build 19 botnets.\r\n2. This variant evolved through 2 versions. Both have a characteristic register message template “ver:%f:%s:%d” that includes a rarely seen format specifier “%f”.\r\n3. Mirai code was heavily used in both versions, which makes it possible to analyze them with the extracted Mirai configurations.\r\n4. The same infrastructure, e.g., download servers, and the same filenames were observed being used in other families of botnet campaigns.\r\nThis variant was named vbot because that name is found in an unstripped sample compiled by the author. Accordingly, the 2 versions are named vbot1 and vbot2 in this blog.\r\nvbot1\r\nOnly 1 vbot1 campaign was seen, with 26 samples captured, as shown by the following honeypot records.\r\nhttps://blog.netlab.360.com/the-gafgyt-variant-vbot-and-its-31-campaigns/\r\nPage 1 of 12\r\nAll samples share the same C2 185.225.19.200:2017. Since in Gafgyt it’s common that the same source code is compiled into binaries for different processor architectures, for simplicity the following analysis is based on the unstripped ARM sample f696375452d08eecbde14d64c74acdde. Compared with previous variants, vbot1 has a more concise main() function because most of its code was moved into 2 new functions named init_vbot() and main_c2_handler().\r\nThe function name init_vbot indicates that the author code-named their botnet vbot. It's responsible for initializing the watchdog, configurations, and scanner. C2 communications are done in main_c2_handler(), where a loop of connection, registration and receiving commands can be found, as shown below.\r\nThe characteristic register message template “ver:%f:%s:%d” is used in the registration block that tightly follows the connection block. From the unstripped symbols we can see that the 3 specifiers separately represent version, bot type and arch. The analyzed sample has version 4.1.\r\nActually it’s just the rarely seen specifier “%f” that drew my attention to this variant, because as far as I knew “%f” was not supported by Gafgyt. The original authors borrowed the design of the C library functions printf and sprintf, and implemented a new function named sockprintf which generates a message according to the given format string and sends it to the C2. A custom yet simple format handling is done inside sockprintf, with “%f” not implemented. That function has been kept by most Gafgyt variants. When I first encountered vbot’s register template, I imagined a new version of sockprintf. However, that’s obviously not true. To reuse sockprintf but avoid complex programming, the vbot author turned to sprintf to generate the expected message and then passed it to sockprintf with the supported specifier “%s”.\r\nSimilar to many Gafgyt variants, Mirai code can be found in vbot1. Due to its tight connection with the encrypted configurations, the borrowed code can be well analyzed with the extracted configurations. If you don’t know how to extract them, please refer to our VB2018 paper. The extracted configurations are shown below, with each item annotated with its owning module.\r\nThe commands are hidden in the configurations. Besides attacking methods, vbot1 also supports remote update with the command UPDATE. Another feature worth mentioning is its persistence mechanism, which is done by modifying crontab.\r\nIt’s strange that vbot1 was spread only once. 35 hours, or about 1.5 days, after its campaign was first detected, the first vbot2 campaign was seen from the same download server. Obviously the operators wanted to replace vbot1 with vbot2. The reason might be its buggy registration, which always sends a 191-byte register message back to its C2 of which only 18 bytes are really useful, as shown by the following figure.\r\nvbot2\r\nIn total 30 vbot2 campaigns were seen from April 16 to June 12, 2020, with 546 samples captured from 12 download servers. From those samples 13 C2 servers were checked. Detailed analysis shows that, except for the registration code, vbot2 actually differs a lot from vbot1 in terms of code structure, attacking methods and Mirai configuration. The following analysis is based on the x86 sample f5b0ebebc924e69e34a4ddd145916594. It’s stripped, but key function names have been manually restored.\r\nUnlike vbot1 but similar to many other variants, vbot2's C2 communications are done in main(), as shown below.\r\nNearly the same registration block as in vbot1 can be found, with the 3 specifiers holding the same semantics. The analyzed sample has version 1.5. The loop composed of “loc_804B80B -\u003e REGISTRATION -\u003e loc_804B863” is very similar to previous Gafgyt variants in terms of CFG node number and semantics. The blocks are separately responsible for establishing the connection, registration, and receiving commands.\r\n5 attacking methods were checked. All of them have been seen in other variants.\r\nSome vbot2 samples, e.g., e36d96a74236038a348cfd667ca83528, have slightly different attacking method names, as shown below.\r\n2 Mirai configurations were found. The only difference lies in the 0x28 item, as shown by the following 2 figures. From the annotations we can see the Mirai code was mainly used in the modules for watchdog, killer, scanner and random alpha string generation. Since the 0x28 item corresponds to a message to be written to STDOUT, the second, unprintable 0x28 item is probably caused by a typo by the author.\r\nWith the extracted configurations the differences from vbot1 are obvious. They are:\r\n1. vbot2 has different attacking methods from vbot1.\r\n2. While vbot1 hides commands in its configuration, vbot2 uses them directly.\r\n3. No remote update or persistence mechanism was found in vbot2.\r\nAlthough those great differences suggest that vbot1 and vbot2 were actually derived from different code bases, I still think they were written by the same author(s) because:\r\n1. The shared register message template and registration implementation are unique enough.\r\n2. The first vbot2 campaign shared the same download and C2 server as vbot1 within a relatively short period of time (1.5 days).\r\nvbot and the RHOMBUS malware\r\nWhile the filename RHOMBUS was seen 4 times in vbot campaigns, its use in Gafgyt campaigns was much earlier [1], with the variant called RHOMBUS analysed in [2][3]. Here I make a simple comparison. In the blogged RHOMBUS malware a dropper mechanism was found, with the dropper having persistence across restarts by modifying crontab. The dropped binaries, e.g., 269029c1554b13c3eccfaacf0196ff72 and ba42665872ea41e3d2edd8978bc38c24, actually belong to another Gafgyt variant that also heavily borrowed code from Mirai, as shown by the figure below.\r\nFrom the above configuration we can see that obvious similarities exist between the RHOMBUS dropped binaries and vbot1. I think the most likely possibility is that vbot1 evolved from the RHOMBUS malware with the following modifications:\r\n1. The dropper’s persistence mechanism was grafted into its payload. That’s why persistence items could be found in the vbot1 configuration but not in the above figure.\r\n2. The register template was updated.\r\n3. C2 communications were moved to the so-called main_c2_handler() function.\r\nOther key points about the RHOMBUS malware include:\r\n1. The register message template is \"jm:_:%d\" or \"jm:%s:%d\".\r\n2. Similar to many Gafgyt variants, C2 communications were done in main().\r\n3. The Gafgyt characteristic function initConnection() was removed, with its code broken down into snippets that can be found in main().\r\nConclusion\r\nI have introduced a short-lived Gafgyt variant, vbot. During its 2-month life, 31 campaigns were seen to build 19 botnets. From vbot we can learn that it’s easy for Linux IoT botnet authors to quickly write new variants, which might be due to the fact that dozens of Gafgyt and Mirai sources have been leaked online. Once a new variant is written, the operators behind it usually spread it over and over in different campaigns to build multiple botnets. Such patterns have also been observed in other variants and families, e.g., Mirai. To fight such fast-emerging but short-lived botnets, automatic IoC extraction would play an important role in quick blocking or tracking. At the VB2020 conference, to be held in October, I will give a talk on that topic. I hope it will help you fight Gafgyt botnets better.\r\nIoC\r\ndownload servers\r\n104.244.75.12\r\n142.11.194.209\r\n185.172.110.248\r\n185.172.110.249\r\n185.225.19.200\r\n192.119.66.66\r\n192.129.188.98\r\n205.185.123.101\r\n23.254.164.76\r\n45.84.196.148\r\n50.115.173.131\r\n85.92.108.211\r\nvbot1 MD5\r\n2a141cd2930536f74f51fb57adbb0236\r\n8717baf17660d8e96813ccd99f32c0be\r\ncc559b487e1ec18727f37006bd3395e0\r\nf666c3398601cd1b017f8d4556cabbbc\r\n6fb6aaa253c165636ee63a4fdcdb1b9e\r\nf422707ac869240bfeea648b6f9b90ad\r\n36997fd129a5ff09311da94c3814379c\r\n790ae71c097662bf6efba92d2d633076\r\ne420df68941cc7ce2d8dd4ba92fd360e\r\n3e36440871a6e39ee87e6d7d1a42155a\r\nae50829a02e5265c590f2fff35e64c52\r\n09ab7435c76df627a813fb75db15ce5d\r\n43ee98318945a475b555045aed4f0e01\r\ne4db8addb5123021e358576157e5e1c0\r\n4147fb0fe442173558f86fe37728ecae\r\n846d6ad9ea86e331f2e071eac6a269de\r\n40b1bf1e415ae508f8a5b831c2f4e994\r\nf696375452d08eecbde14d64c74acdde\r\n98b07b087b98b8d679c9938b16ae4df3\r\naea960687f0e43b465198be7ffafcf82\r\n3d596d37fe6536a2c759923d920f3e08\r\n52c462f3b22646774219f91bfb44ae66\r\nd2c273e758fd4ac2759ca1d63aafcf6c\r\nbbee73ed05730ad95df7a77241207ea5\r\n0f492673eb249fa1209512575040f62d\r\n0e59d4a40bba390314ffa0713b18441c\r\nvbot1 C2\r\n185.225.19.200 port 2017\r\nvbot2 MD5\r\nefabd7e734490b9ad12812982347f237\r\n614581bba324c3550a18268a8cb9c221\r\n86310b514c55d31db288a2bb2c1e6114\r\n76d9c69036f1eaac8f7a90eba3a36bfc\r\ne36d96a74236038a348cfd667ca83528\r\nd45da804fd35cf502bf942ebfeb64064\r\n90a633f30bdbb2b80642bb229d1605d1\r\nc4391301645cc9df4da3657f4c88f7dc\r\n8bef47e420d0cdf8d0ee69a5d1f5b74c\r\n4c8cdcbaf16f39a461b0bf7052fe1ec3\r\nd936a9226fbbe97993bbe604c8cd5458\r\n125b99cc79808679a7461f1841fd80a5\r\n3b7da3d39db6ec08373c1e4af79aff85\r\n23f764f5f918746b9ffff952dd25cc21\r\n6f24268273573fd5f07cacb00031f1a0\r\necae928b4e4093489bd221986da39aba\r\nd883d5a2bedf0c3a3da79358c06fa429\r\n3e26626d4563f3199fde498d0ff9fe32\r\n11c1d777b18ffc0f23d2435fdb4645dc\r\n...\r\nvbot2 C2\r\n104.244.75.12_666\r\n142.11.194.209_1337\r\n142.11.194.209_17911\r\n142.11.194.209_34\r\n142.11.194.209_44\r\n184.172.110.248_666\r\n184.172.110.249_666\r\n185.172.110.248_323\r\n185.172.110.248_666\r\n185.225.19.200_666\r\n192.119.66.66_7331\r\n192.129.188.98_323\r\n205.185.123.101_666\r\n23.254.164.76_107\r\n23.254.164.76_33\r\n23.254.164.76_89\r\n45.84.196.148_1227\r\n50.115.173.131_111\r\n85.92.108.211_1447\r\nSource: https://blog.netlab.360.com/the-gafgyt-variant-vbot-and-its-31-campaigns/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.netlab.360.com/the-gafgyt-variant-vbot-and-its-31-campaigns/"
	],
	"report_names": [
		"the-gafgyt-variant-vbot-and-its-31-campaigns"
	],
	"threat_actors": [
		{
			"id": "f9806b99-e392-46f1-9c13-885e376b239f",
			"created_at": "2023-01-06T13:46:39.431871Z",
			"updated_at": "2026-04-10T02:00:03.325163Z",
			"deleted_at": null,
			"main_name": "Watchdog",
			"aliases": [
				"Thief Libra"
			],
			"source_name": "MISPGALAXY:Watchdog",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434491,
	"ts_updated_at": 1775791857,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/eafba81fdeca8d822d3842361856dcbcc6d2bd7b.pdf",
		"text": "https://archive.orkl.eu/eafba81fdeca8d822d3842361856dcbcc6d2bd7b.txt",
		"img": "https://archive.orkl.eu/eafba81fdeca8d822d3842361856dcbcc6d2bd7b.jpg"
	}
}