Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
18 distinct techniques documented for this family, organized by ATT&CK tactic.
Victims searching for the free archiving software were instead led to a lookalike site that installed hidden proxy software instead of the real program.
I quickly recognized what looks like XOR encoding in some of the payload and was reward with uncovering multiple domains when applying XOR key 70.
Testing showed that instead of behaving like a real VPN, the app pinged large numbers of unrelated IP addresses and opened multiple simultaneous connections, a pattern consistent with acting as an exit point for someone else’s internet traffic.
Once running, the malware quietly rented out the victim’s internet connection to paying customers without their knowledge or consent.
Les victimes installent un logiciel proxy caché qui loue leur connexion internet à des clients payants sans leur consentement
1 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.