From 8318462b1ad28e921ffe706d05299c40eab1dd6b Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Thu, 5 Feb 2026 13:04:08 +0000 Subject: [PATCH] Add content from: The Shadow Campaigns: Uncovering Global Espionage --- .../malware-analysis.md | 20 +++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/src/generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.md b/src/generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.md index f9334737c0a..62010489064 100644 --- a/src/generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.md +++ b/src/generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.md 
@@ -609,6 +609,25 @@ struct Header { - Once verified, the bot sends a `MsgType=0` body carrying the operator-defined **group string** (e.g. `android-postboot-rt`). If the group is enabled, the C2 responds with `MsgType=2 (confirm)`, after which tasking (MsgType 5–12) begins. - Supported verbs include SOCKS-style TCP/UDP proxying (residential proxy monetization), reverse shell / single command exec, file read/write, and **Mirai-compatible DDoSBody** payloads (same `AtkType`, `Duration`, `Targets[]`, `Flags[]` layout). +### Screen-resolution + companion-file guardrails (Diaoyu loader) +- Some loaders gate execution on *both* host attributes and packaging integrity to defeat automated sandboxes. Diaoyu checks for a horizontal resolution >= 1440 **and** verifies a zero-byte `pic1.png` sits beside the EXE; without it, the sample quits cleanly before payload staging. +- Dynamic analysis tip: recreate the original archive layout (drop `pic1.png` next to the loader) and set a matching resolution, otherwise the detonation path (security product probing + next-stage download) will never execute. + +### Payload staging from public code hosting +- After the guardrails, Diaoyu fetched three blobs from GitHub raw URLs masquerading as images (`admin-bar-sprite.png`, `Linux.jpg`, `Windows.jpg`) under a fake `wp-includes/images/` path and transformed them locally into a Cobalt Strike implant. +- Treat sequential `raw.githubusercontent.com/.../wp-includes/images/*.png|jpg` pulls as potential staged payloads; archive the downloaded content and attempt decoding/decryption to recover the beacon even if the repository vanishes. + +### eBPF kernel rootkit process/file hiding (ShadowGuard) +- eBPF backdoors execute inside the kernel BPF VM (no LKM artifact) and can intercept syscalls/tracepoints before userland sees them. 
ShadowGuard verifies root, eBPF, and tracepoint support, then hides operator-selected processes (up to 32 PIDs) and any path containing `swsecret` (shown as `.` in `ls` output). +- Operator controls for allow-listing the hide filter use custom kill signals: +```bash +# keep a PID visible / exclude it from hiding +kill -900 +# remove from allow list so hiding can apply again +kill -901 +``` +- DFIR tips: inspect active programs/maps (`bpftool prog show`, `bpftool map dump`) for unsigned eBPF hooks, hunt for repeated `kill -900/-901` usage, and enumerate directories via raw inodes/debugfs when `swsecret*` artifacts disappear from normal listings. + ## References - [Unit42 – Evolving Tactics of SLOW#TEMPEST: A Deep Dive Into Advanced Malware Techniques](https://unit42.paloaltonetworks.com/slow-tempest-malware-obfuscation/) @@ -628,5 +647,6 @@ struct Header { - Kimwolf Android TV Botnet: ENS-Based C2 Evasion, TLS+ECDSA C2 Protocol, and Large-Scale Proxy/DDoS Operations – [blog.xlab.qianxin.com](https://blog.xlab.qianxin.com/kimwolf-botnet-en/) - [Check Point Research – GachiLoader: Defeating Node.js Malware with API Tracing](https://research.checkpoint.com/2025/gachiloader-node-js-malware-with-api-tracing/) - [Nodejs-Tracer – GitHub](https://github.com/CheckPointSW/Nodejs-Tracer) +- [Unit42 – The Shadow Campaigns: Uncovering Global Espionage](https://unit42.paloaltonetworks.com/shadow-campaigns-uncovering-global-espionage/) {{#include ../../banners/hacktricks-training.md}} \ No newline at end of file
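Review bot: the `kill -900` / `kill -901` block in the ShadowGuard section is missing the PID argument and does not run as written: bash's `kill` builtin rejects signal numbers above the platform maximum (64 on Linux), so `kill -900 1234` fails with "invalid signal specification" before any syscall is issued. If the rootkit picks these values up by hooking kill at syscall entry, before the kernel validates the signal number, say so and show the call the operator tooling actually makes (a raw `kill(<pid>, 900)` syscall from C or Python), rather than a shell one-liner that never reaches the kernel. Two smaller points in the same hunk: `bpftool map dump` needs a map reference (`bpftool map dump id <N>`), and "unsigned eBPF hooks" is misleading since eBPF programs are not signed at all; "unexpected" or "unrecognized" fits better, and `bpftool link show` / `bpftool perf show` are the commands that actually reveal tracepoint and kprobe attachments, so they belong in the DFIR tip alongside `bpftool prog show`.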