Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
15 distinct techniques documented for this family, organized by ATT&CK tactic.
The downloaded script contains a long chunk of bytes and a simple decryption routine based on a textbook-looking XOR operation. Once decoded, the resulting bytes are loaded as a .NET assembly module.
It uses the mutex “99759703-b8b4-4cb2-8329-76f908b004f0” to avoid re-infection, and also checks for the presence of the video controller of the Wine emulation framework, along with common user names and computer names used by sandboxes or by AV emulation routines.
All these communications happen over plain HTTP, but the messages are still not easy to spot because the “koi” module encrypts them using a custom protocol based on ECC encryption.
The main routine of this loader does two things: it repeatedly tries to download multiple executable files with the name patterns “ab[NUMBER].php” and “ab[NUMBER].exe” from a statically configured location, and it runs an additional inline PowerShell command to download and execute more code.
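One way to hunt for the retry behaviour described above in proxy telemetry, as an added example that is not part of this page or of the referenced write-up: it flags hosts that repeatedly request plain-HTTP URLs matching the ab[NUMBER].php/.exe pattern within a short window. The log layout, the 198.51.100.20 server address and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Payload naming pattern from the write-up: ab[NUMBER].php / ab[NUMBER].exe, plain HTTP only
PAYLOAD_RE = re.compile(r"^http://\S+/ab\d+\.(?:php|exe)$", re.I)
# Assumed (hypothetical) proxy log layout: "<iso-ts> <src-ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def parse_line(line):
    """Parse one proxy log line into a dict, or None if it does not fit the layout."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["status"] = int(rec["status"])
    return rec


def find_loader_activity(lines, window_seconds=300, min_attempts=3):
    """Map src host -> URLs for hosts that made >= min_attempts plain-HTTP requests
    for ab[NUMBER].php/.exe inside some window of window_seconds.
    Failed attempts (404 etc.) count too, since the loader keeps retrying."""
    per_host = defaultdict(list)
    for raw in lines:
        rec = parse_line(raw)
        if rec and PAYLOAD_RE.match(rec["url"]):
            per_host[rec["src"]].append(rec)
    hits = {}
    for host, recs in per_host.items():
        recs.sort(key=lambda r: r["ts"])
        for i in range(len(recs)):            # sliding window over the host's requests
            j = i
            while j < len(recs) and (recs[j]["ts"] - recs[i]["ts"]).total_seconds() <= window_seconds:
                j += 1
            if j - i >= min_attempts:
                hits[host] = [r["url"] for r in recs[i:j]]
                break
    return hits


# Constructed sample log lines (not real telemetry); 198.51.100.20 is a documentation address.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01 10.0.0.5 GET http://198.51.100.20/ab1.php 404",
    "2024-05-01T10:00:08 10.0.0.5 GET http://198.51.100.20/ab2.php 404",
    "2024-05-01T10:00:15 10.0.0.5 GET http://198.51.100.20/ab3.exe 200",
    "2024-05-01T10:01:40 10.0.0.5 GET http://198.51.100.20/ab4.exe 200",
    "2024-05-01T10:02:00 10.0.0.9 GET http://198.51.100.20/about.php 200",   # no digit after "ab"
    "2024-05-01T10:02:05 10.0.0.9 GET https://198.51.100.20/ab7.exe 200",    # HTTPS, not in scope
    "2024-05-01T10:02:10 10.0.0.9 GET http://198.51.100.20/ab.exe 200",      # no number at all
]

if __name__ == "__main__":
    for host, urls in find_loader_activity(SAMPLE_LOGS).items():
        print(host, "->", len(urls), "payload requests:", urls)
```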
1 source tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.