PhantomBot Daga Satar Shaidar Sirri zuwa Botnet

PhantomBot: Kamfen ɗin Typosquat wanda ya canza daga sata ta asali zuwa kayan aikin Botnet na Turnkey

TL, DR

Mai buga npm guda ɗaya, deadcode09284814, ya gudanar da wani kamfen na yin rubutu a kan halaltaccen rubutu axios da kuma chalk-template fakitin tun tsakiyar watan Mayu na 2026.

Yaƙin neman zaɓen ya fara ne a matsayin takardar shaidar aiki ta al'ada da satar walat, yana fitar da bayanai zuwa wani Wurin HTTPS na Serveo.

On 2026-05-17, tare da axois-utils:1.0.9, mai aiki ya canza nauyin da aka biya gaba ɗaya: maƙallin shigarwa sau uku ɗaya, mai bugawa iri ɗaya, sunan fakiti iri ɗaya.

Amma rubutun shigarwa yanzu shine ɗaukar DDoS botnet recruit.

Nauyin yana magana da wani localhost.run rami kuma yana karɓar umarnin ambaliyar ruwa, yana mai da yanayin da ya kamu da cutar zuwa wani ɓangare na botnet mai iya DDoS.

Ma'aikacin ya aika da shi har ma C2 uwar garken binary a cikin kwal ɗin tarball, yana nuna ƙaruwa a fili daga satar takardun shaida zuwa kayan aikin botnet masu aiki.

Fakiti biyu, nau'i huɗu har yanzu suna aiki akan rajistar, da kuma mai aiki ɗaya yanzu yana gudanar da duka sassan biyu a layi ɗaya.

Tsanani: babba.

Babban jigon IOC Duk wani sigar axois-utils ko alli-tempalte daga mai buga deadcode09284814

Harin: Yadda Yake Aiki

An gina kamfen ɗin ne akan wani tsari mai ban sha'awa na isar da sako: sunayen fakitin rubutu guda biyu, ragi ɗaya daga fakiti tare da ɗaruruwan miliyoyin saukewa na mako-mako (axios, samfurin alli), da kuma shigarwa sau uku hooks wanda ke tabbatar da aiwatarwa. Abin sha'awa shine menene ma'aunin ginin daukawa - da kuma gaskiyar cewa mai aiki ya canza kayan ba tare da canza komai ba.

Tsarin da aka raba

Kowace sigar da aka buga ta fakitin biyu tana bayyana zagayowar rayuwa guda uku iri ɗaya hooks in fakamari.json:

"scripts": {    "preinstall":  "node <payload>.js",    "install":     "node <payload>.js",    "postinstall": "node <payload>.js"  } 

Jerin nauyin da ke ƙarƙashin dukkan ukun hooks yana da yawan kisa - postinstall kawai zai gudana a cikin tsoho npm shigarwaZabin yana da muhimmanci: shigar npm –ignore-scripts yana tsallake rubutun, amma ayyuka da yawa na yau da kullun (cache na CI yana dawo da sake zagayowar rayuwa hooks zaɓi, ko kuma masu haɓaka waɗanda ke yin bincike kawai postinstall) yi shelar cewa mai kai harin zai yi fare sau uku mafi aminci.

alli-tempalte yana ƙara wata hanya ta biyu: yana ayyana amfani da axois:^1.0.7 a matsayin lokacin aiki dogaroShigar da kuskuren rubutu samfurin alli Saboda haka yana jawo kuskuren rubutu na 'yan'uwa, kuma duka abubuwan da ake biya suna gudana. Fakitin biyu biyu ne masu daidaitawa, ba jerin abubuwa masu zaman kansu ba.

Mataki na A — takardar shaidar aiki / mai satar walat (2026-05-15 → yanzu)

Mataki na A shine ainihin nauyin da aka ɗora. Na'urar ɗaukar kaya gajere ce bayan shigarwa.js wanda ke nuna hanyar juyawa ta Serveo HTTPS:

// chalk-tempalte/postinstall.js:11-13  const C2_HOST = "f04a273bd84c0622-80-200-28-28.serveousercontent.com";  const C2_PORT = 443;  const C2_PATH = '/collect'; 

Yankin Serveo yana ɓoye adireshin IP ɗin da ake nufi (80.200.28.28) kai tsaye a cikin sunan mai masaukin baki - wani tsari da za a iya gane shi don wannan sabis ɗin. Mai aiki yana juya prefix ɗin yanki na bazuwar tsakanin sigar don guje wa jerin toshewar yanki na banza, amma IP ɗin da ke ƙasa ba ya taɓa motsawa.alli-samfurin:1.0.14 used 8a3e818ea8f11186-80-200-28-28…; 1.0.16 / 1.0.19 / 1.0.20 amfani f04a273bd84c0622-….)

bayan shigarwa.js hannuwa zuwa ga phantom.js, wani tsarin "mai tarawa" mai layi 7,667. phantom.js yana tafiya mai masaukin baki don:

Maɓallan sirri na SSH (~/.ssh/*)
.npmrc abun ciki da kowane abu npm_* alamun env
Fayilolin shaidar AWS, GCP, da Azure
Regex na alamar shiga ta sirri ta GitHub (ghp_*, gho_*, ghu_*, ghs_*)
Abubuwan tarihi na walat ɗin Crypto don Bitcoin, Exodus, Electrum, Monero, Litecoin, Dogecoin, Zcash, Dash
Mai maimaitawa .env* yi tafiya a ciki ~/projects, ~/dev, ~/code, ~/workspace, da kuma shigar da cwd
Tarihin Shell da cikakken bayani process.env

An saka fakitin a cikin ramin Serveo a / tattaraBabu wani ɓoyewa, babu dabarar hana VM, babu tsari - faretin mai aiki yana kan girma da sauri.

Mataki na B — PhantomBot DDoS recruit (2026-05-17, axois-utils:1.0.9 kawai)

Mataki na B ya maye gurbin phantom.js + postinstall.js da fayil guda ɗaya mai suna distrube.js (rufewar ita ce ta mai aiki). Tsarin ƙugiya uku a cikin package.json ba shi da canji; kunshin yana riƙe da suna iri ɗaya, scope, da tsarin buguwa iri ɗaya. Daga waje, axois-utils:1.0.9 yayi kama da ƙaramin bin diddigin 1.0.6. A ciki, dangin malware ne daban.

distrube.js yana buɗewa da toshewar tsari wanda ke ba da sunan alamar mai aiki:

// axois-utils-1.0.9/distrube.js:11-15
// Use your localhost.run HTTPS URL (the tunnel handles HTTP internally)
const C2_HOST = 'b94b6bcfa27554.lhr.life'; // Your localhost.run tunnel
const C2_PORT = 443; // HTTPS port - tunnel handles SSL
const BOT_ID = `${os.hostname()}_${Date.now()}_${crypto.randomBytes(4).toString('hex')}`;

Ana isar da sharhin ga mai aiki na gaba wanda ke gudanar da kayan aikin ("Yi amfani da adireshin HTTPS na localhost.run ɗinku"). Wannan, da kuma abin da ke zuwa kusa da abokin cinikin bot, shine bayanin cewa wannan ba kawai kayan aikin da aka azabtar ba ne - kayan aikin ne.

Gudun:

  1. dagewa Yana fara aiki. Rubutun yana shigar da kansa ta hanyoyi uku daban-daban ga kowane OS (rajista Run + Fayil ɗin farawa + schtasks a kan Windows; crontab + phantom-bot.service na'urar systemd + .bashrc/.zshrc ƙara + /etc/rc.local akan Linux; LaunchAgent com.phantom.bot.plist akan macOS). Sunan sabis na juriya da kuma alamar LaunchAgent duka biyun suna bot-fatalwa / com.phantom.bot, wanda kuma shine inda sunan kamfen ɗin ya fito.
  2. Bayanin tsarin exfil Yana gudana sau ɗaya — sawun yatsa sau ɗaya POST zuwa b94b6bcfa27554.lhr.life:443/collect ɗauke da sunan mai masauki, dandamali, baka, sunan mai amfani, CPU/RAM, hanyoyin sadarwa, process.env, cwd, homedir, sigar node, da IP na jama'a. Wannan bai fi ƙarfin Mataki na A ba: babu SSH, babu wallets, babu sake dawowar .env. Aikin bot shine yin rijista, ba don sata ba.
  3. Madaurin bugun zuciya Yana buɗe HTTPS POST kowane daƙiƙa 30 zuwa b94b6bcfa27554.lhr.life:443/. Wakilin Mai Amfani shine PhantomBot/1.0. An kashe tabbatarwar TLS a bayyane (rejectUnauthorized: false). An fassara martanin C2 a matsayin JSON na fom ɗin {type, manufa, tashar jiragen ruwa, tsawon lokaci, zaren, hanyar} kuma an aika shi.
  4. Rumbun adana kayan yaƙi na ambaliyar ruwa an haɗa shi zuwa umarni shida:
Nau'in umarni module Notes
ping Amsar Rayuwa Bot ya bayyana kansa
http ambaliyar HTTP Ambaliyar ruwa ta Layer-7
https ambaliyar HTTPS Kamar http, TLS-wrapped
tcp ambaliyar TCP 65 KB spam ɗin da aka biya bazuwar
udp Ambaliyar UDP Fakitin UDP 65,507-bytes
m Sake saita DoS cikin sauri na HTTP/2 Fasahar CVE-2023-44487 ta 2023

Duk nau'ikan ambaliyar ruwa guda biyar suna ɗaukar manufa, tashar jiragen ruwa, duration, Da kuma zaren hujja — bot ɗin wani nau'in ruwa ne da ake amfani da shi don haya, ba a yi nufin wani wanda aka yi wa laifi ba. Jerin waɗanda aka yi wa aikin yana zaune a kan C2, ba a cikin kunshin ba.

Me ke Sabo a Nan — an aika da C2 binary

Mataki na A siffa ce da aka saba da ita: satar takardun shaida, ƙugiya ta shigarwa, C2 mai tunnel na mai siyarwa. Mataki na B shine har ila yau, siffa da aka saba da ita — botnets na DDoS sun kasance kayan aiki na fakitin npm masu cutarwa tsawon shekaru. Abin da ba a saba gani ba shi ne cewa mai aiki ya aika da su. gefen uwar garken na kayan aikin da ke cikin ƙwallon tar npm:

  • c2 — wani sabon tsarin binary na Go ELF mai megabyte 4 wanda aka haɗa
  • c2.go — tushen layin 426 na Go don wannan binary

Babu ɗayan fayil ɗin da aka shigar da shi. Ba sa cikin nauyin wanda aka azabtar. Suna zaune a cikin kundin adireshi kamar yadda fayil ɗin takardu zai yi. Mafi kyawun karatu shine cewa mai aiki ya tura aikin haɓaka su zuwa npm ba tare da tsara jerin fayilolin ba - ainihin zamewar OpSec - kuma abin da aka aika shine cikakken kayan aiki mai gefe biyu: abokin ciniki wanda aka azabtar yana gudana, kuma mai aiki yana gudana uwar garken.

Wannan shine ɓangaren labarin da ya tabbatar da tsarin "turnkey botnet kit". Duk wanda ya sauke amfani da axois:1.0.9 kafin cirewa ba wai kawai samfurin wanda aka azabtar ba ne - suna da uwar garken C2 mai aiki.

Jump, a cikin jumla ɗaya

Mai bugawa iri ɗaya, sunayen fakiti iri ɗaya, maƙallin ƙugiya uku iri ɗaya, alamar "fatalwa" iri ɗaya — amma kayan aikin sun canza tsarin samun kuɗi cikin dare ɗayadaga "sirrin girbi zan iya sake siyarwa" zuwa "hayar iyawar ambaliyar ruwa zan iya haya". TTPs na lokacin shigarwa waɗanda masu kare ya kamata su kalla kusan iri ɗaya ne a duk matakai biyu; kariyar da aka dogara da sa hannu wacce aka manne da igiyoyin hanyar walat ta Phase A ko zuwa phantom.jsMai tattara layin 7,667 zai rasa Phase B gaba ɗaya.

Kwanan wata (UTC) Event
2026-05-15 Bugawa ta farko: axois-utils:1.0.4 (Gina gwajin LAN, kayan aikin haɓakawa a 192.168.129.19)
2026-05-15 axois-utils:1.0.6 an buga — An canza Mataki na A C2 zuwa 80.200.28.28 ta hanyar ramin Serveo; sharhin tushe // Change to '80.200.28.28' for public yana tabbatar da canjin dev→prod
2026-05-16 chalk-tempalte:1.0.14 da kuma 1.0.16 an buga - mai ɗaukar kaya da sarka yana bayyana axois-utils:^1.0.7 a matsayin dogaro da lokacin gudu; An juya yankin Serveo
2026-05-16 An gano kamfen na Mataki na A yayin duba npm na yau da kullun; an yi amfani da hukunce-hukuncen mugunta da aka tabbatar
2026-05-17 axois-utils:1.0.9 an buga — tsarin biyan kuɗi: PhantomBot DDoS recruit ta hanyar localhost.run tunnel; gefe-gefen mai aiki c2 binary da c2.go an aika tushen a cikin kwalin tarball
2026-05-17 chalk-tempalte:1.0.19 da kuma 1.0.20 an buga — har yanzu Mataki na A (mai satar); mai aiki yanzu yana gudanar da duka sassan biyu a layi ɗaya
2026-05-17 Gano Mataki na B yayin daukar hoton yau da kullun; an yi amfani da hukunce-hukuncen a duk faɗin 2026-05-17 versions
(mai gudana) Ana jiran rahotannin cirewa; duk fakiti huɗu da aka buga suna nan a rajista a lokacin rubutawa

Alamomin Yarjejeniya

Pakete

Kayan daji Package versions
npm axois-utils (matsalar axios) 1.0.4, 1.0.6, 1.0.9
npm chalk-tempalte (takardar alli) 1.0.14, 1.0.16, 1.0.19, 1.0.20

Asalin marubuci

Field darajar
mai bugawa npm deadcode09284814
Imel ɗin mai wallafawa phantomdeadcode@tutamail.com
SCM tabbaci m

Umurni da sarrafawa

Phase Endpoint Transport
A f04a273bd84c0622-80-200-28-28.serveousercontent.com:443/collect Wurin HTTPS na Serveo
A 8a3e818ea8f11186-80-200-28-28.serveousercontent.com:443/collect Wurin Serveo HTTPS (sigar da ta gabata)
A 80.200.28.28:443/collect Ƙarshen ƙarshen VPS
B b94b6bcfa27554.lhr.life:443/ localhost.run HTTPS mai juyawa

Fayilolin da aka tattara (SHA-256)

fayil SHA-256 Notes
c2 (Tafi ELF, 4 MB) 165fa92d237fd017c227d00da06ab788212a62be94bf61e95df2d22d00377ef2 Sabar C2 ta ɓangaren mai aiki, an aika ta ciki axois-utils:1.0.9
c2.go (Layuka 426) 7d0ae79fdb1e9968f3323a3712b624643a782ba3efb2cf3a2cb9c4c5513cea30 Je zuwa tushen C2 binary
distrube.js 308b15c023088a7188dea4ef609010ac2493eb4c365b103053d7621a9ca5b935 Abokin ciniki na Phase B bot
phantom.js (chalk-tempalte:1.0.19) 9e380ec88d3ccf3929e1a104e3b868d4d7b59ca189a8a431a54e9f3357dfdd81 Takardar shaidar mataki na A / mai karɓar walat
phantom.js (chalk-tempalte:1.0.20) d1c9e3f296ee9f7d5032f73f9c504cede50334bc14c394055fd5cb9c3a6e08b3 Mai tarawa na Mataki na A (nau'in 1.0.20)
postinstall.js (chalk-tempalte:1.0.19 = 1.0.20) ffba9bdd6793edd5b38e12900252c1813a693f59c25af51c3b658cf3f27b6162 Mai lodawa na Phase A, iri ɗaya ne da byte a cikin duka sigogin biyu

Ba da fifiko da kwarin gwiwa

Muna bin diddigin wannan kamfen ɗin kamar yadda PhantomBot, ɗaukar alamar kamfanin daga Wakilin Mai Amfani: PhantomBot/1.0 kan bugun zuciya, phantom-bot.service naúrar systemd, com.phantom.bot da kuma alamar LaunchAgent, lambar mutuwa ta phantomdead@ Ma'ajiyar imel. Mai aiki ya yi daidai da wannan sunan a cikin aƙalla kayan tarihi guda huɗu.

Kundin sigina

  • Publisher - lambar mutuwa09284814 akan npm. Asusu mai hannu ɗaya, imel ɗin da za a iya zubarwa a Tutamail, babu SCM tabbatarwa. Babu wani tarihin bugawa da ya gabata bayan wannan kamfen.
  • Sake amfani da alamar kasuwanci — “fatalwa” ya bayyana a cikin imel ɗin mai wallafawa, a cikin sunan fayil ɗin mai tarawa na Phase A (phantom.js), a cikin sunan sabis na juriya na Phase B (phantom-bot.service), a cikin lakabin LaunchAgent (com.phantom.bot), da kuma a cikin bot ɗin Mai Amfani da Mai Amfani (PhantomBot/1.0).
  • Lantarki - VPS guda ɗaya a 80.200.28.28 Gaban Mataki na A ta hanyar juyawar subdomain na Serveo; Mataki na B yana motsawa zuwa a localhost.run ramin juyawa (b94b6bcfa27554.lhr.rai) Duk ayyukan masu siyarwa kyauta ne kuma suna buƙatar SSH na waje kawai a gefen mai aiki, daidai da saitunan OpSec masu ƙarancin kuɗi da ƙarancin kuɗi.
  • salon code — Javascript mara ɓoyewa a ko'ina; babu ɓoyewa, babu ɓoyewar igiya, babu duba anti-VM. Sunaye masu canzawa suna da bayanin (sleetoSystemInfo, aiwatar da Umarni, httpFlood). Sharhi a cikin distrube.js kai tsaye ga mai aiki na gaba ("Yi amfani da adireshin HTTPS na localhost.run ɗinku"), yana nuna cewa an yi niyyar sake rarraba fayil ɗin azaman kayan aiki, ba mai hari ɗaya ba ne ke amfani da shi.
  • Zaɓen OpSec - Kwallan tarball na Phase B yana jigilar abokin ciniki na bot da sabar C2 ta gefe mai aiki (c2 Elf + c2.go tushe). Wannan ya yi daidai da mai aiki wanda ya tura aikinsu zuwa npm ba tare da duba jerin fayilolin ba. Ko dai mai aiki ba shi da ƙwarewa, ko kuma kayan aikin ne ma'ana a rarraba shi a bainar jama'a kuma binary na C2 wani ɓangare ne na samfurin.
  • Tabbatar da kai - amfani da axois:1.0.4 ya ƙunshi sharhin tushe // Canja zuwa '80.200.28.28' don jama'a a layi na 12, yana tabbatar da ci gaban ci gaban haɓakawa / shiryawa / samarwa wanda masu aiki galibi ke musantawa.

Motivation

Satar kuɗi ta Mataki A hanya ce mai sauƙi: takardun shaida, maɓallan girgije, alamun GitHub, da walat ɗin crypto duk suna da kasuwannin sake siyarwa na ruwa. Mataki na B kuma kuɗi ne, amma kai tsaye: Ayyukan DDoS-for-haya ("booter") suna hayar ƙarfin ambaliya da minti ɗaya, kuma bots kamar wanda aka kawo a nan su ne kayan da waɗannan ayyukan ke gudana. Zuciyar da ta wuce daƙiƙa 30, ta gama gari. manufa/tashar jiragen ruwa/duration tsarin umarni, da kuma rumbun adana ambaliyar ruwa mai tsari biyar sune standard samfurin mai aiki da booter.

Gudanar da dukkan sassan biyu a layi ɗaya - alli-samfurin:1.0.19 da kuma 1.0.20 ci gaba da jigilar sata yayin da amfani da axois:1.0.9 yana jigilar bot ɗin - yana nuna cewa mai aiki yana hana hanyoyin samun kuɗi maimakon barin Mataki na A. Tsarin shine Bugu da kari, ba maye ba.

Abin da ba mu da'awa ba

Ba mu sami damar tabbatar da ainihin asalin duniya a bayan wannan ba lambar mutuwa09284814 hannun riga, kuma ba mu danganta wannan kamfen ga wani mai suna mai yin barazana, ƙungiya, ko ƙasa ba. Alamar "fatalwa" ta yi daidai a cikin kayan tarihi don nuna cewa mai aiki ɗaya ne, amma jigilar kaya ta hanyar kayan aiki ta C2 binary ta bar damar cewa fakitin gaba daga hannun da ba su da alaƙa za su sake amfani da lambar iri ɗaya.

Tasiri

Maƙasudin halal na squat axios da kuma samfurin alli ana dogaro da su sosai a cikin tsarin JavaScript; axios shi kaɗai yana cikin manyan fakitin npm guda talatin da aka fi saukewa. Sunayen typosquat suna da maɓalli ɗaya nesa da na gaske (aksoisaxios, tempaltetemplate), kuma duka biyun kuskuren rubutu ne da za a iya tabbatar da shi ta hanyar harshe.

Ba mu sami damar samun ingantattun ƙididdiga na saukewa don nau'ikan ɓarna ba kafin cirewa - npm ba ya riƙe adadin saukewa na kowace sigar bayan an cire fakiti, kuma npms.ioWakilai masu salo suna da hayaniya a wannan sikelin. Duk wata ƙungiya wacce fayil ɗin kulle ta ta'allaka ne akan kunshin da aka sanya wa suna axois-utils or alli-tempalte daga mai wallafa lambar mutuwa09284814 ya kamata a yi la'akari da shi azaman abin da aka lalata: juya duk takardun shaida da ke cikin tsari.env akan mai masaukin da abin ya shafa, duba vectors na juriya ga kowane OS (duba "Abin da masu kare ya kamata su yi" a ƙasa), kuma cire dogaro.

Tsarin da ke fitowa

Wannan kamfen ɗin ya nuna misalan wani sauyi da muka gani a cikin abubuwan da suka faru kwanan nan a cikin npm: maƙallin ƙugiya mai shigarwa shine kadara mai ɗorewa; Ana iya canza kayan aikinMai bugawa iri ɗaya, fakiti ɗaya, iri ɗaya shigarwa kafin lokaci / shigar / postinstall sau uku, har ma da irin wannan sigar - ƙarar ƙarfi - abu ɗaya tilo da ya canza tsakanin amfani da axois:1.0.6 da kuma amfani da axois:1.0.9 fayil ɗin shine hooks gudu. Ganowa bisa sa hannu an manne shi da kayan aiki na Phase A (wallet-trade through, phantom.jsMai tattara layin 7,667, mai masaukin Serveo C2) zai yi wa sigogi uku na farko alama kuma ya rasa Phase B gaba ɗaya.

Irin wannan tsari yana bayyane a cikin sauran kamfen ɗin 2026 da muka bi diddiginsa: mai aiki ɗaya mai tsari mai ƙarfi, musayar tsakanin satar takardun shaida, abokan cinikin da ke yaudarar jarrabawa, Telegram-bot exfil, da kuma yanzu ɗaukar ma'aikata na DDoS. Masu tsaron baya waɗanda suka dogara da sa hannun masu ɗaukar nauyi za su ci gaba da rasa zagaye na biyu na kowane kamfen.

Abinda ya samo asali shine cewa TTPs na lokacin shigarwa sune mafi kyawun sigina. Bayanin ƙugiya-shigarwa sau uku, rubutun shigar da ke shigo da su https or tsari na yaro, shigar da rubutun da ke rubutu zuwa manyan fayilolin farawa na mai amfani, da kuma shigar da rubutun da ke warware sunayen masu masauki akan ayyukan juyawa kyauta (Serveo, localhost.run, ngrok, cloudflared) duk ba kasafai ake samun su a cikin fakitin halal ba kuma sun zama ruwan dare gama gari a cikin waɗanda ba su da kyau.

Abin da masu kare ya kamata su yi

  • Binciken fayil ɗin kullewa. Bincika kowane kunshin-kulle.json / makulli / pnpm-lock.yaml a cikin ƙungiyar ku don ainihin igiyoyi axois-utils da kuma alli-tempalte. Ka ɗauki duk wani abin da za a yi a matsayin sulhu.
  • Juya sirrin akan masu masaukin da abin ya shafa. Mataki na A takardar shaidar SSH, girgije, GitHub, npm, da walat da aka tattara da yawa. Ka ɗauka cewa kowace takardar shaidar da aka samu a ciki tsari.env, ~ / .ssh, ~/.aws, ~/.npmrc, ~ / .kurar hoto, ko wani .env* Fayil ɗin da ke kan mai masaukin da abin ya shafa ya bayyana.
  • Cire juriya (Mataki na B). A kan Windows, goge HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SystemUpdate, cire %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\system-update.bat, Da kuma schtasks /delete /tn Sabunta Tsarin /fA kan Linux, crontab -e kuma cire @sake kunnawa node …, kashe tsarin systemctl –user –now phantom-bot.service to share ~/.config/systemd/user/phantom-bot.service, gogewa .bashrc / .zshrc / /etc/rc.localA kan macOS, saukar da launchctl ~/Library/LaunchAgents/com.phantom.bot.plist sannan a goge plist ɗin.
  • Toshe masu masaukin baki na C2. Ƙara maki huɗu na ƙarshe na C2 a cikin teburin IOC zuwa jerin toshewar fitarwa. *.servousercontent.com da kuma *.lhr.rai za a iya toshe shi gaba ɗaya idan muhallinku ba shi da ingantaccen amfani don ayyukan juyawa.
  • Farauta ta hanyar TTP lokacin shigarwa, ba nauyin da ya dace ba. Shigar da fayilolin makullin kaya waɗanda fakamari.json ayyana shigarwa kafin lokaci, shigar, Da kuma postinstall duk suna nuna rubutu ɗaya. Duba tsakanin shekarun fakitin da matsayin tabbatar da mai bugawa. Wannan tsari ba kasafai yake faruwa a cikin fakitin da suka dace ba kuma shine siginar da PhantomBot ke amfani da ita.
  • Binciken kuɗi na binary na C2. Duk wanda ya sauke amfani da axois:1.0.9 yana da uwar garken C2 na mai aiki (c2 ELF, sha256 165fa92d…) a kan faifai. Ana duba cache da kuma adana kayan tarihi na CI. Binary ɗin yana barci da kansa, amma kasancewarsa a kan wurin aiki shaida ce mara tabbas cewa an sanya fakitin.

Layin rufewa

Mai aiki ɗaya, fakiti ɗaya, da kuma ƙugiya ɗaya ta shigarwa na iya kawo barazana daban-daban cikin awanni 48. Ku kula da maƙallin, ba kayan da aka ɗora ba.

kayan aikin nazarin kayan aikin sca-tools-composition
Fifiko, gyara, da kuma kare haɗarin software ɗinka
Sami Asusunka Kyauta.
Babu katin bashi da ake bukata.

Tabbatar da Haɓaka Software da Isarwarka

tare da Xygeni Product Suite