{
	"id": "2e82c567-daf4-4214-abec-bc3315927e7d",
	"created_at": "2026-04-10T03:21:45.693526Z",
	"updated_at": "2026-04-10T03:22:18.854424Z",
	"deleted_at": null,
	"sha1_hash": "f373364ea66dbd691ba4e196c2ad2c2fc2453bbb",
	"title": "Sathurbot: Distributed WordPress password attack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1555180,
	"plain_text": "Sathurbot: Distributed WordPress password attack\r\nBy ESET Research\r\nArchived: 2026-04-10 02:19:48 UTC\r\nThis article sheds light on the current ecosystem of the Sathurbot backdoor trojan, in particular exposing its use of torrents\r\nas a delivery medium and its distributed brute-forcing of weak WordPress administrator accounts.\r\nThe torrent leecher\r\nLooking to download a movie or software without paying for it? There might be associated risks. It just might happen that\r\nyour favorite search engine returns links to torrents on sites that normally have nothing to do with file sharing. They may,\r\nhowever, run WordPress and have simply been compromised.\r\nSome examples of search results:\r\nhttps://www.welivesecurity.com/2017/04/06/sathurbot-distributed-wordpress-password-attack/\r\nPage 1 of 14\n\nClicking on some of those links returns the pages below (notice how some even use HTTPS):\r\nhttps://www.welivesecurity.com/2017/04/06/sathurbot-distributed-wordpress-password-attack/\r\nPage 2 of 14\n\nhttps://www.welivesecurity.com/2017/04/06/sathurbot-distributed-wordpress-password-attack/\r\nPage 3 of 14\n\nhttps://www.welivesecurity.com/2017/04/06/sathurbot-distributed-wordpress-password-attack/\r\nPage 4 of 14\n\nThe movie subpages all lead to the same torrent file; while all the software subpages lead to another torrent file. When you\r\nbegin torrenting in your favorite torrent client, you will find the file is well-seeded and thus appears legitimate. If you\r\ndownload the movie torrent, its content will be a file with a video extension accompanied by an apparent codec pack\r\ninstaller, and an explanatory text file. The software torrent contains an apparent installer executable and a small text file. 
The objective of both is to entice the victim to run the executable, which loads the Sathurbot DLL.\r\nAfter you start the executable, you are presented with a message like this:\r\nWhile you ponder your options, bad things start to happen in the background. You have just become a bot in the Sathurbot network.\r\nBackdoor and downloader\r\nOn startup, Sathurbot retrieves its C\u0026C with a query to DNS. The response comes as a DNS TXT record. Its hex string value is decrypted and used as the C\u0026C domain name for status reporting, task retrieval and to get links to other malware downloads.\r\nSathurbot can update itself and download and start other executables. We have seen variations of Boaxxe, Kovter and Fleercivet, but that is not necessarily an exhaustive list.\r\nSathurbot then reports its successful installation, along with a listening port, to the C\u0026C. Periodically, it reports to the C\u0026C that it is alive and well, waiting for additional tasks.\r\nWeb crawler\r\nSathurbot comes with some 5,000 plus basic generic words. These are randomly combined to form a 2-4 word phrase used as a query string via the Google, Bing and Yandex search engines.\r\nFrom the webpages at each of those search result URLs, a random 2-4 word long text chunk is selected (this time it might be more meaningful as it is from real text) and used for the next round of search queries.\r\nFinally, the second set of search results (up to the first three pages) are harvested for domain names.\r\nThe extracted domain names are all subsequently probed to determine whether the site was created by the WordPress framework. 
The trick here is to check the response for the URL http://[domain_name]/wp-login.php.\r\nAfterward, the root index page of the domain is fetched and probed for the presence of other frameworks. Namely, they are also interested in: Drupal, Joomla, PHP-NUKE, phpFox, and DedeCMS.\r\nUpon startup, or at certain time intervals, the harvested domains are sent to the C\u0026C (a different domain is used than the one for the backdoor – a hardcoded one).\r\nDistributed WordPress password attack\r\nThe client is now ready to get a list of domain access credentials (formatted as login:password@domain) to probe for passwords. Different bots in Sathurbot’s botnet try different login credentials for the same site. Every bot only attempts a single login per site and moves on. This design helps ensure that the bot doesn’t get its IP address blacklisted from any targeted site and can revisit it in the future.\r\nDuring our testing, lists of 10,000 items to probe were returned by the C\u0026C.\r\nFor the attack itself, the XML-RPC API of WordPress is used. In particular, the wp.getUsersBlogs API is abused. 
A typical request looks like:\r\nThe sequence of probing a number of domain credentials is illustrated in the following figure:\r\nThe response is evaluated and the results are posted to the C\u0026C.\r\nTorrent client – seeder\r\nThe bot has the libtorrent library integrated, and one of its tasks is to become a seeder – a binary file is downloaded, a torrent created and seeded.\r\nThe BitTorrent bootstrap\r\nThat completes the cycle from a leecher to an involuntary seeder:\r\nNote: Not every bot in the network is performing all the functions; some are just web crawlers, some just attack the XML-RPC API, and some do both. Also, not every bot seems to be seeding a torrent.\r\nImpact\r\nThe above-mentioned attempts on /wp-login.php from a multitude of users, even to websites that do not host WordPress, are the direct impact of Sathurbot. Many web admins observe this and wonder why it is happening. In addition, WordPress sites can see the potential attacks on wp.getUsersBlogs in their logs.\r\nExamination of logs, system artifacts and files shows that the botnet consists of over 20,000 infected computers and has been active since at least June 2016.\r\nOccasionally, we have seen torrent links being sent by email as well.\r\nDetection\r\nWeb Admins – Check for unknown subpages and/or directories on the server. If they contain any references to torrent download offers, check logs for attacks and possible backdoors.\r\nUsers – Run Wireshark with the filter http.request while no web browser is open and look for an unexpected number of requests such as GET /wp-login.php and/or POST /xmlrpc.php. 
Alternatively, check for files or registry entries listed in the IoC section, below.\r\nESET users are protected from this threat on multiple levels.\r\nRemoval\r\nWeb Admins – Change passwords, remove subpages not belonging to the site, and optionally wipe and restore the site from a backup.\r\nUsers – Using a third-party file manager, find the suspect .DLL (note that the files and directories have the hidden attribute set), open Process Explorer or Task Manager, kill explorer.exe and/or rundll32.exe, delete (quarantine) the affected .DLL, and reboot.\r\nNote: this will remove Sathurbot only, and not any other malware it may have also downloaded.\r\nAlternatively, consider a comprehensive anti-malware product, or at least an online scanner.\r\nPrevention\r\nWeb Admins – Should the normal functioning of the website not require the XML-RPC API, you are advised to disable it and use complex passwords.\r\nUsers – Avoid both running executables downloaded from sources other than those of respected developers, and downloading files from sites not designed primarily as file-sharing sites.\r\nIoCs\r\nCurrently, we have observed Sathurbot installing to:\r\n\\ProgramData\\Microsoft\\Performance\\Monitor\\PerformanceMonitor.dll\r\n\\ProgramData\\Microsoft\\Performance\\TheftProtection\\TheftProtection.dll\r\n\\ProgramData\\Microsoft\\Performance\\Monitor\\SecurityHelper.dll\r\n\\Users\\*****\\AppData\\Local\\Microsoft\\Protect\\protecthost.dll\r\nIt runs in the context of the rundll32.exe or explorer.exe process and locks files and registry keys from editing. 
It is present in both 32-bit and 64-bit versions in the installer.\r\nSubfolders to the above (contain the files seeded by torrent):\r\n\\SecurityCache\\cache\\resume\\\r\n\\SecurityCache\\cache\\rules\\\r\n\\SecurityCache\\data\\\r\n\\SecurityCache\\zepplauncher.mif - contains the DHT nodes\r\n\\temp\\\r\n%appdata%\\SYSHashTable\\ - contains folders representing the hashes of visited domains\r\n%appdata%\\SYSHashTable\\SyshashInfo.db - collection of interesting domains found, incl. framework info\r\nSamples (SHA-1)\r\nInstallers:\r\nSathurbot dll:\r\nAdditional 
payloads:\r\nAssociated domains\r\nDNS:\r\nzeusgreekmaster.xyz\r\napollogreekmaster.xyz\r\nC\u0026C:\r\nTorrent trackers:\r\nbadaboomsharetracker.xyz\r\nwebdatasourcetraffic.xyz\r\nsharetorrentsonlinetracker.xyz\r\nwebtrafficsuccess.xyz\r\nRegistry values\r\nYou may need to use a third-party tool, as Windows Regedit might not even show 
these:\r\nHKLM\\SYSTEM\\CurrentControlSet\\services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{variable GUID} = “v2.10|Action=Allow|Active=TRUE|Dir=In|Profile=Private|Profile=Public|App=C:\\\\Windows\\\\explorer.exe|Name=Windows Explorer|”\r\nHKLM\\SYSTEM\\CurrentControlSet\\services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{variable GUID} = “v2.10|Action=Allow|Active=TRUE|Dir=In|Profile=Private|Profile=Public|App=C:\\\\Windows\\\\system32\\\\rundll32.exe|Name=Windows host process (Rundll32)|”\r\nHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellIconOverlayIdentifiers\\0TheftProtectionDll = {GUID1}\r\nHKLM\\SOFTWARE\\Classes\\CLSID\\{GUID1} = “Windows Theft Protection”\r\nHKLM\\SOFTWARE\\Classes\\CLSID\\{GUID1}\\InprocServer32 = “C:\\\\ProgramData\\\\Microsoft\\\\Performance\\\\TheftProtection\\\\TheftProtection.dll”\r\nHKLM\\SOFTWARE\\Classes\\CLSID\\{GUID1}\\InprocServer32\\ThreadingModel = “Apartment”\r\nHKLM\\SOFTWARE\\Classes\\CLSID\\{GUID2}\r\nThe {GUID2} entries vary across samples and have 6 char long subkeys; their content is of binary type and encrypted – used to store variables, temporary values and settings, IPs, C\u0026Cs and the UID.\r\ne.g. 
{GUID2} entries look like\r\nHKLM\\SOFTWARE\\Classes\\CLSID\\{8E577F7E-03C2-47D1-B4C0-BCE085F78F66}\\00000003\r\nHKLM\\SOFTWARE\\Classes\\CLSID\\{8E577F7E-03C2-47D1-B4C0-BCE085F78F66}\\00000002\r\nHKLM\\SOFTWARE\\Classes\\CLSID\\{8E577F7E-03C2-47D1-B4C0-BCE085F78F66}\\00000001\r\nHKLM\\SOFTWARE\\Classes\\CLSID\\{8E577F7E-03C2-47D1-B4C0-BCE085F78F66}\\00000009\r\nHKLM\\SOFTWARE\\Classes\\CLSID\\{8E577F7E-03C2-47D1-B4C0-BCE085F78F66}\\00000011\r\nHKLM\\SOFTWARE\\Classes\\CLSID\\{8E577F7E-03C2-47D1-B4C0-BCE085F78F66}\\00010001\r\nHKLM\\SOFTWARE\\Classes\\CLSID\\{8E577F7E-03C2-47D1-B4C0-BCE085F78F66}\\00010002\r\nHKLM\\SOFTWARE\\Classes\\CLSID\\{8E577F7E-03C2-47D1-B4C0-BCE085F78F66}\\00000008\r\nHKLM\\SOFTWARE\\Classes\\CLSID\\{8E577F7E-03C2-47D1-B4C0-BCE085F78F66}\\00000007\r\nHKLM\\SOFTWARE\\Classes\\CLSID\\{8E577F7E-03C2-47D1-B4C0-BCE085F78F66}\\00000004\r\nHKLM\\SOFTWARE\\Classes\\CLSID\\{8E577F7E-03C2-47D1-B4C0-BCE085F78F66}\\00000010\r\nHKLM\\SOFTWARE\\Classes\\CLSID\\{8E577F7E-03C2-47D1-B4C0-BCE085F78F66}\\00020001\r\nSource: https://www.welivesecurity.com/2017/04/06/sathurbot-distributed-wordpress-password-attack/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.welivesecurity.com/2017/04/06/sathurbot-distributed-wordpress-password-attack/"
	],
	"report_names": [
		"sathurbot-distributed-wordpress-password-attack"
	],
	"threat_actors": [],
	"ts_created_at": 1775791305,
	"ts_updated_at": 1775791338,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f373364ea66dbd691ba4e196c2ad2c2fc2453bbb.pdf",
		"text": "https://archive.orkl.eu/f373364ea66dbd691ba4e196c2ad2c2fc2453bbb.txt",
		"img": "https://archive.orkl.eu/f373364ea66dbd691ba4e196c2ad2c2fc2453bbb.jpg"
	}
}