{
	"id": "45635a41-c097-4241-b31e-00837c2c8d2b",
	"created_at": "2026-04-06T00:12:43.993654Z",
	"updated_at": "2026-04-10T13:12:25.176803Z",
	"deleted_at": null,
	"sha1_hash": "ed42b0bc1c4cd44916712d903bb0505b48da685c",
	"title": "Bedep has raised its game vs Bot Zombies",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 112383,
	"plain_text": "Bedep has raised its game vs Bot Zombies\r\nArchived: 2026-04-05 18:41:07 UTC\r\n2016-04-14 - Deception\r\nSimulacra \u0026 Simulation - Jean Baudrillard\r\nFeatured in Matrix\r\nBedep could be described as a fileless loader with a resident module that can optionally perform AdFraud. It is closely tied to Angler EK and appeared around August 2014.\r\nOn 2016-03-24 I noticed several changes in Bedep.\r\nhttps://malware.dontneedcoffee.com/2016/04/bedepantiVM.html\r\nPage 1 of 8\r\nAngler infecting a VM and integrating it into an instance of the Bedep botnet\r\n2016-03-24\r\nNo more variable in the URI (as several months before), the protocol key changed and, in most of my manual checks, all threads were sending a strange payload in the first stream.\r\n2 KB size for Win7 64 bits:\r\nPopup shown by the first payload from Bedep Stream - Win7\r\n(in the background, Angler Landing)\r\n48 KB size for WinXP 32 bits:\r\nPopup shown by the first payload from Bedep Stream - WinXP\r\nLooking at my traffic I thought for some time that one of the Bedep instances was split in two.\r\nThen I understood that I got different results on my \"manually\" driven VM (on VMware ESXi) and my automated Cuckoo-driven one (on VirtualBox). I suspected it was related to hardening, as this is one of the main differences between those two systems.\r\nAnd I got confirmation. Here is an example on a GooNky ([1] [2] [3]) malvertising traffic in Australia:\r\nA VM not hardened enough against Bedep got redirected to a \"decoy\" instance of Bedep that I will refer to as:\r\nBedep \"Robot Town\" - 2016-04-12\r\nNow look at what I get instead with a VM that is not spotted as such:\r\nSame Angler thread - VM not detected. 1st stream gets Vawtrak\r\n2016-04-12\r\nI am not skilled enough to give you the list of checks Bedep is doing. But here is one of them spotted by Cuckoo:\r\nBedep doing some ACPI checks\r\nI think there are multiple levels of checks. Some result in Bedep not trying to contact the C\u0026C; in others, a positive check ends up with a different seed for the Bedep DGA, redirecting spotted machines into a dedicated instance.\r\nThis is quite powerful:\r\n- the checks are made without dropping an executable.\r\n- if you don't know what to expect, it's quite difficult to figure out that you have been trapped.\r\n- there are a lot of things that operators can do with this list of known bots and initial Bedep thread IDs.\r\nOne of them is for instance knowing which of the infection paths are researcher/bot \"highways\":\r\nIllustration for Bedep \"Robot Town\" from an \"infection path\" focused point of view\r\nThis could be just a move to perform different tasks (AdFraud only (?)) on VMs, but my guess is that this Bedep evolution on 2016-03-24 is a fast reaction to this Proofpoint blog from 2016-03-18, which shows how Bedep threads are additional connectable dots.\r\nSharing publicly is often a difficult decision. The question is which side will benefit the most from it in the long run.\r\nFor researchers:\r\nIn the last 3 weeks, if your VM has communicated with:\r\n95.211.205.228 (which is a Bedep IP from end of 2015, reused) || ( 85.25.41.95 \u0026\u0026 http.uri.path \"ads.php?sid=1901\" ) and you are interested in the \"real payload\", then you might want to give Pafish a run.\r\nMarvin - Paranoid Android\r\nOn the other hand, any of your VMs which has communicated with 104.193.252.245 (Bedep \"standard\" 18xx 19xx instance) since the 24th of March is hardened enough to grab the real payload.\r\n[Edits]\r\n- Removed the AU-focused mention on the Vawtrak. I have been told (Thanks!) it's US-focused. Got geo-glitched. Maybe more about that one day or another.\r\n- Refined the check conditions for researchers. IP 85.25.41.95 and sid=1901...otherwise...ok :)\r\n[/Edits]\r\nAcknowledgements:\r\n--\r\nI'm sorry, but I must do it...Greetings to Angler and Bedep guys. ;) You are keeping us busy...and awake!\r\nReading:\r\nSource: https://malware.dontneedcoffee.com/2016/04/bedepantiVM.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://malware.dontneedcoffee.com/2016/04/bedepantiVM.html"
	],
	"report_names": [
		"bedepantiVM.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434363,
	"ts_updated_at": 1775826745,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ed42b0bc1c4cd44916712d903bb0505b48da685c.pdf",
		"text": "https://archive.orkl.eu/ed42b0bc1c4cd44916712d903bb0505b48da685c.txt",
		"img": "https://archive.orkl.eu/ed42b0bc1c4cd44916712d903bb0505b48da685c.jpg"
	}
}