Skip to main content
Mallory
Back to malware
Malware

RoboVPN

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
MITRE ATT&CK

Techniques & procedures

4 distinct techniques documented for this family, organized by ATT&CK tactic.

Command and Control

4 techniques
T1071Application Layer ProtocolEvidence1

Popa appears designed with a singular purpose: Implementing a persistent communications layer capable of registering a device, maintaining long-lived encrypted connections, and opening communication tunnels on demand.

T1090.003Multi-hop ProxyEvidence1

Popa appears designed with a singular purpose: Implementing a persistent communications layer capable of registering a device, maintaining long-lived encrypted connections, and opening communication tunnels on demand.

T1105Ingress Tool TransferEvidence1

Google, HUMAN Security and Trend Micro teamed up to disrupt Badbox 2.0, a botnet that is closely associated with Vo1d... immediately after that disruption, several dozen new domains were registered to serve as controllers for the Popa botnet.

T1568Dynamic ResolutionEvidence1

XLAB flagged at least nine domain names that were used to register and direct the activities of compromised devices... Qurium said it found several dozen domains used to control Popa... including gmslb[.]net, safernetwork[.]io, tera-home[.]com, and ninjatech[.]io.

ACTIVITY FEED

Recent activity

1 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

1 SOURCESView more in app
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping4

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.