Since February 15, 2021, 360Netlab's BotMon system has continuously detected a new variant of the Gafgyt family, which uses Tor for C2 communication to hide the real C2 and encrypts sensitive strings in the samples. This is the first time we have found a Gafgyt variant using the Tor mechanism, so we named the variant Gafgyt_tor. Further analysis revealed that the family is closely related to the Necro family we disclosed in January and is operated by the same group of people, the so-called keksec group [1] [2]. In this blog we introduce Gafgyt_tor and sort out the other botnets this group has operated recently.

The key points of this article are as follows.

  1. Gafgyt_tor uses Tor to hide C2 communication; more than 100 Tor proxy nodes are built into each sample, and new samples keep updating the proxy list.

  2. Gafgyt_tor shares the same origin as the Gafgyt samples distributed by the keksec group; its core functions are still DDoS attacks and scanning.

  3. The keksec group reuses code across its different bot families.

  4. In addition, the keksec group reuses a set of IP addresses over a long period of time.

Sample Analysis


The Gafgyt_tor botnet discovered so far is mainly propagated through weak Telnet passwords and the following three vulnerabilities.

  • D-Link RCE (CVE-2019-16920)
POST /apply_sec.cgi HTTP/1.1
Host: %s:%d
User-Agent: kpin
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: %d
Connection: close
Referer: http://%s:%d/login_pic.asp
Cookie: uid=1234123
Upgrade-Insecure-Requests: 1

  • Liferay Portal RCE
POST /api/jsonws/expandocolumn/update-column HTTP/1.1
Host: %s:%d
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.25.0
Content-Length: %d
Content-Type: application/x-www-form-urlencoded
Authorization: Basic dGVzdEBsaWZlcmF5LmNvbTp0ZXN0

  • Citrix CVE-2019-19781
POST /vpns/portal/scripts/newbm.pl HTTP/1.1
Host: %s:%d
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:71.0) Gecko/20100101 Firefox/71.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
NSC_USER: ../../../netscaler/portal/templates/flialwznxz
Content-Length: %d
Content-Type: application/x-www-form-urlencoded


Gafgyt_tor integrates a substitution cipher to encrypt the C2 address and other sensitive strings, in order to counter detection and static analysis. Sensitive strings include commands, the IPC pathname, DDoS-related attack strings, etc.

The following is a comparison of ciphertext and plaintext C2.

# ciphertext

# plaintext

The Gafgyt_tor variants we detected so far all use the same C2 wvp3te7pkfczmnnl.onion.

Some of the decryption results are as follows.

# commands
~-6mvgmv    -    LDSERVER
1-|         -         UDP
cD|         -         TCP
ej~-        -        HOLD
51,U        -        JUNK
c~6         -         TLS
6c-         -         STD
-,6         -         DNS
6D7,,mv     -     SCANNER
j,          -          ON
jdd         -         OFF
jge         -         OVH
.~7DU,1v6m  -  BLACKNURSE

# DDoS-related attack
7~~         -         ALL
6p,         -         SYN
v6c         -         RST
dx,         -         FIN
7DU         -         ACK
|6e         -         PSH

# Scan-related
aDbwwtr3bw  -  WChnnecihn
aQuq        -         W.1
aEcc        -        WxTT
74tw!       -       Agent
1;t=        -        User

# misc
|x,<        -        PING
=ru_Brf_    -    rc.local

The following is the Python decryption code we wrote based on the reverse-engineering results.

def decode(encoded, encodes):
    # encodes is the 64-byte code table pulled from the sample; each byte of the
    # ciphertext is looked up in it and replaced by the byte at the same index
    # of the plaintext alphabet below (digits, lowercase, uppercase, '.', ' ').
    decodes = b'0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ. '
    decoded = bytearray()
    idx = 0

    while idx < len(encoded):
        for table_idx in range(0, 64):
            if encoded[idx] == encodes[table_idx]:
                decoded.append(decodes[table_idx])
        idx += 1

    return bytes(decoded)

encodes = b'%q*KC)&F98fsr2to4b3yi_:wB>z=;!k?"EAZ7.D-md<ex5U~h,j|$v6c1ga+p@un'
encoded_cc = b'"?>K!tF>iorZ:ww_uBw3Bw'
print(decode(encoded_cc, encodes))  # b'wvp3te7pkfczmnnl.onion'
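The decoder turned into a static-analysis pass, as an added example that is not 360Netlab's code: it builds a translation table from any 64-byte code table (so one routine serves the Gafgyt and Tsunami samples, which differ only in the table), scans a binary for NUL-terminated runs drawn entirely from the cipher alphabet, decrypts each one, and flags plaintexts that match the command list above. The sample blob is constructed here; the known-command set is the list decrypted on this page.

```python
# Added example (not 360Netlab's code): apply the substitution table over a
# whole sample rather than one string at a time. ENCODES is the code table
# from the Gafgyt_tor sample on this page; DECODES is the plaintext alphabet.
ENCODES = b'%q*KC)&F98fsr2to4b3yi_:wB>z=;!k?"EAZ7.D-md<ex5U~h,j|$v6c1ga+p@un'
DECODES = b'0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ. '

# Directives the page lists as decrypted Gafgyt_tor command strings.
KNOWN_COMMANDS = {b"LDSERVER", b"UDP", b"TCP", b"HOLD", b"JUNK", b"TLS", b"STD",
                  b"DNS", b"SCANNER", b"ON", b"OFF", b"OVH", b"BLACKNURSE"}


def make_decoder(encodes=ENCODES):
    """Return a decode(bytes) -> bytes function for a given 64-byte code table.
    Gafgyt, Tsunami and Gafgyt_tor share the routine and differ only in the table."""
    assert len(encodes) == 64 == len(set(encodes)), "table must be 64 distinct bytes"
    table = bytes.maketrans(encodes, DECODES)
    return lambda enc: enc.translate(table)


def find_encrypted_strings(sample, encodes=ENCODES, min_len=2):
    """Scan a binary for NUL-terminated runs made only of cipher-alphabet bytes,
    decrypt each, and report (offset, ciphertext, plaintext, is_known_command).
    Ordinary text that happens to use only alphabet bytes decrypts to junk, so
    the is_known_command flag is the reliable signal, not the run itself."""
    decode = make_decoder(encodes)
    alphabet = set(encodes)
    hits, pos = [], 0
    for chunk in sample.split(b"\x00"):
        if len(chunk) >= min_len and set(chunk) <= alphabet:
            plain = decode(chunk)
            hits.append((pos, chunk, plain, plain in KNOWN_COMMANDS))
        pos += len(chunk) + 1  # account for the NUL we split on
    return hits


def _encrypt(plain, encodes=ENCODES):
    """Inverse table; used only to build the constructed sample below."""
    return plain.translate(bytes.maketrans(DECODES, encodes))


# Constructed stand-in for a .rodata fragment (not a real sample): two encrypted
# directives, the encrypted C2 quoted on the page, and unrelated plaintext.
SAMPLE = (b"/bin/busybox\x00" + _encrypt(b"LDSERVER") + b"\x00"
          + b'"?>K!tF>iorZ:ww_uBw3Bw\x00' + _encrypt(b"SCANNER") + b"\x00"
          + b"\x7fELF\x00")

if __name__ == "__main__":
    for offset, enc, plain, is_cmd in find_encrypted_strings(SAMPLE):
        print(f"{offset:#06x} {enc!r:28} -> {plain!r} {'[command]' if is_cmd else ''}")
```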


Compared with other Gafgyt variants, the biggest change in Gafgyt_tor is that C2 communication goes over Tor, which makes detection and blocking harder. We have seen Tor-based C2 communication in other families we analyzed before (Matryosh, LeetHozer, Moobot), but this is the first time we have encountered it in the Gafgyt family.

  • Code changes

Compared with other versions, the code structure of the main function of Gafgyt_tor, which adds the Tor proxy function, has changed substantially, as shown in the following figure.

The original initConnection() function, which is responsible for establishing the C2 connection, is gone, replaced by a large section of code responsible for establishing the Tor connection. The newly added Tor-related functions are as follows.

Among them, tor_socket_init is responsible for initializing a list of proxy nodes, each consisting of an IP address and a port.

Our analysis shows that the number of proxy nodes built into each sample is always more than 100, with a maximum of 173.

After initializing the proxy list, the sample selects a random node from it via tor_retrieve_addr and tor_retrieve_port and uses that node for Tor communication.

After establishing a connection with the Tor proxy, Gafgyt_tor starts requesting wvp3te7pkfczmnnl.onion over the Tor network and waits for instructions. This C2 address has not changed in any of the samples we analyzed, but the communication port changes continuously.

  • The command

The core functions of Gafgyt_tor are still DDoS attacks and scanning, so it mostly follows the common Gafgyt directive set; one new directive, LDSERVER, has been added. Through this directive the C2 can specify the download server used in Gafgyt_tor's exploits, as shown in the figure below.

This directive means that the C2 can switch download servers dynamically, so that if the current one is blocked, propagation can quickly continue from a new download server.

Some other things

Besides the modified communication function, Gafgyt_tor uses a few uncommon coding tricks.

  • Singleton mode

Single-instance mode is implemented with a Unix domain socket (an IPC mechanism), which requires a pathname to be specified; this pathname is also encrypted. As shown below, k4=f2t decrypts to ugrade.
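What that singleton check looks like in practice, and the host artifact it leaves, as an added example that is not code from the sample: the first process to bind a Unix domain socket at the pathname keeps it, a second bind on the same path fails with EADDRINUSE, and on the defender side the bound socket shows up in /proc/net/unix, parsed here from a constructed excerpt. The page gives only the name ugrade; the directory it is placed under is an assumption, and the sample may equally use the abstract socket namespace (shown as @ugrade), which the parser also covers.

```python
# Added example (not from the Gafgyt_tor sample): single-instance check via a
# Unix domain socket, plus a /proc/net/unix scan for the decrypted IPC name.
import os
import socket
import tempfile

IPC_NAME = "ugrade"  # decrypted from k4=f2t on the page; directory is assumed


def try_acquire_singleton(sock_path):
    """Bind a Unix domain socket at sock_path. The first caller succeeds and
    must keep the socket open for the lifetime of the process; a second
    instance gets EADDRINUSE and returns None. A socket file left behind by a
    killed process blocks the next start in the same way (stale-file caveat)."""
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        s.bind(sock_path)
    except OSError:  # EADDRINUSE: another instance already holds the path
        s.close()
        return None
    return s


def find_ipc_artifacts(proc_net_unix_text, name=IPC_NAME):
    """Defender side: /proc/net/unix lists every bound Unix socket; the eighth
    column is the path ('@name' for abstract sockets) and is absent for unnamed
    sockets. Return the paths whose final component equals the IPC name."""
    hits = []
    for line in proc_net_unix_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 8:
            continue
        path = fields[7]
        if os.path.basename(path.lstrip("@")) == name:
            hits.append(path)
    return hits


# Constructed /proc/net/unix excerpt (not captured from a real host).
SAMPLE_PROC_NET_UNIX = """Num       RefCount Protocol Flags    Type St Inode Path
0000000000000000: 00000002 00000000 00010000 0001 01 11223 /run/systemd/journal/stdout
0000000000000000: 00000002 00000000 00010000 0001 01 44556 /tmp/ugrade
0000000000000000: 00000002 00000000 00000000 0002 01 44557 @ugrade
0000000000000000: 00000003 00000000 00000000 0001 03 44558
"""


def demo():
    """Run two acquisitions on one path: returns (first_won, second_blocked)."""
    d = tempfile.mkdtemp()
    p = os.path.join(d, IPC_NAME)
    first = try_acquire_singleton(p)
    second = try_acquire_singleton(p)
    result = (first is not None, second is None)
    if first:
        first.close()
    os.unlink(p)
    os.rmdir(d)
    return result
```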

  • Function name obfuscation

None of the Gafgyt_tor samples we collected have been stripped, so the complete symbol information is preserved in them, and most samples scan and propagate using a function named ak47Scan. In the sample captured on February 24 we found that this function name had been obfuscated into a random string, so it can be assumed that the sample is still in active development and that the authors are gradually strengthening Gafgyt_tor's ability to counter analysis and detection.

Sample origin

While analyzing the IoCs of Gafgyt_tor, we noticed that one download server IP had been used by the Necro botnet, which appeared in early January this year:

gxbrowser.net is one of Necro's three C2s, and the image above shows that it resolved to this Gafgyt_tor download server IP several times.

Further analysis shows that this IP and another Necro C2 IP were also used as C2s in early February by other versions of Gafgyt and by a Tsunami botnet, both of which evidently share code with Gafgyt_tor.

  1. Both have decryption functions named decode, with identical code structures.

  2. Both have scan functions named ak47scan and ak47telscan.

Their decode() functions differ only in the code table.

# Code table in the gafgyt sample

# Code table in tsunami sample

The following figure compares their ak47scan() functions. The function structure is essentially the same, but there are changes in how it runs and in the ports it scans.

Based on the binary characteristics of the decode() and ak47scan() functions mentioned above, we found more such Tsunami and Gafgyt samples in our sample database. They are characterized as follows.

  1. Tsunami samples appeared in mid-August 2020 and were active for a short period of time.

  2. Gafgyt samples were spreading intermittently from September to December 2020.

  3. From early to mid-February, Tsunami samples resumed propagation first, then Gafgyt, followed by Gafgyt_tor.

  4. There are many similarities between the currently spreading Gafgyt_tor variants and the previously captured Gafgyt samples, and the code clearly has the same origin.

  5. These botnet variants frequently reuse the same download server and C2 IPs.

We can see that there was no update in January this year; we guess this is because the authors focused their efforts on Necro. In terms of binary characteristics there is no similarity with Gafgyt_tor, since Necro is written in Python, but we do see some commonalities in propagation methods.

  1. Both switched between different exploits within a short period of time, presumably to improve propagation.

  2. Both adopted a "develop-and-distribute" approach to continuously improve botnet functionality, resulting in a large number of different samples being distributed in a short period of time.

Based on the above analysis, we think that Gafgyt_tor and Necro are very likely operated by the same group of people, who hold a pool of IP addresses and the source code of multiple botnets, and who have the capacity for continuous development. In actual operation they run different botnet families but reuse infrastructure such as IP addresses; for example, the IP address mentioned above has served as C2 for different botnets since the end of last year. The timeline of its different roles is roughly shown in the figure below.

Here are some conclusions about the group:

  1. They have at least the source code for Necro, Gafgyt and Tsunami.

  2. They continue to upgrade and rotate the botnets in their hands.

  3. They have a pool of IP address resources and reuse them in different botnets.

  4. The group also keeps up with n-day vulnerabilities in IoT devices and uses them promptly to grow its own botnets.

The timeline chart below shows the Linux IoT botnet families operated by this group that we have detected from last August to now.

Contact us

Readers are always welcome to reach us on Twitter, or by email to netlab at 360 dot cn.


  • MD5
# tsunami

# gafgyt

# gafgyt_tor
  • C2
  • Download URL
  • Tor Proxy