Nozomi Networks Researchers Track Malicious Glupteba Activity Through the Blockchain

Threat actors are increasingly using blockchain to hide and distribute malicious data and C2 instructions. Nozomi Networks researchers track Glupteba activity on the Bitcoin blockchain, showing how OP_RETURN data, XOR encryption, and Tor-based C2 are used, with guidance on how defenders can hunt for these artifacts.

Keypoints

  • Glupteba is a backdoor trojan delivered via Pay-Per-Install networks and infected installers or cracks.
  • The malware can deploy additional modules, ranging from a credential stealer to exploits for IoT devices from vendors such as MikroTik and Netgear.
  • Glupteba uses the Bitcoin blockchain (OP_RETURN) to store and distribute C2 domains, making takedowns difficult.
  • Early variants used AES-GCM for payload protection; newer variants use XOR encryption with a fixed key (e.g., “cheesesauce”).
  • TOR hidden services began being used as C2 servers in 2021, increasing resilience and anonymity.
  • Researchers identify four Glupteba campaigns (2019–2022) spanning multiple wallets and addresses, and they map associated domains and TLS/certificate activity.
  • Defenders are advised to block blockchain-related domains and monitor DNS logs, TLS cert activity, and keep antivirus updated.
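The key points describe C2 domains stored in OP_RETURN outputs and, in newer variants, protected with a fixed XOR key. The following is an added example (not Nozomi's code and not Glupteba's actual encoding) of how a hunter could triage scriptPubKeys from transactions tied to the listed wallets: it extracts the OP_RETURN data push, applies the repeating-key XOR with "cheesesauce", and only reports the result when it looks like a hostname. The payload layout (a single data push holding the XORed domain) is an assumption; the sample scripts are constructed here, using one C2 domain from the page as plaintext.

```python
"""Decode XOR-obfuscated OP_RETURN payloads when triaging Bitcoin
transactions associated with Glupteba wallets.

Added example, not Nozomi's code. Assumption (not stated on the page):
the C2 domain is XORed with the repeating key and stored as the single
data push of an OP_RETURN scriptPubKey.
"""
import re
from itertools import cycle
from typing import Optional

OP_RETURN = 0x6A
OP_PUSHDATA1 = 0x4C
OP_PUSHDATA2 = 0x4D

XOR_KEY = b"cheesesauce"  # fixed key named in the key points

# Conservative hostname check: letter/digit/hyphen labels, at least one dot.
DOMAIN_RE = re.compile(
    rb"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)+",
    re.IGNORECASE,
)


def op_return_payload(script: bytes) -> Optional[bytes]:
    """Return the data pushed after OP_RETURN, or None if the script is not
    a single-push OP_RETURN output (direct push, PUSHDATA1 or PUSHDATA2)."""
    if len(script) < 2 or script[0] != OP_RETURN:
        return None
    op = script[1]
    if 1 <= op <= 0x4B:
        start, length = 2, op
    elif op == OP_PUSHDATA1 and len(script) >= 3:
        start, length = 3, script[2]
    elif op == OP_PUSHDATA2 and len(script) >= 4:
        start, length = 4, int.from_bytes(script[2:4], "little")
    else:
        return None
    data = script[start:start + length]
    # Reject truncated pushes and trailing bytes that were not parsed.
    if len(data) != length or start + length != len(script):
        return None
    return data


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; symmetric, so the same call obfuscates and recovers."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_domain(script_hex: str, key: bytes = XOR_KEY) -> Optional[str]:
    """Return the domain hidden in an OP_RETURN script, or None when the
    output is not OP_RETURN or the XOR result is not a plausible hostname."""
    payload = op_return_payload(bytes.fromhex(script_hex))
    if payload is None:
        return None
    plain = xor_bytes(payload, key)
    if DOMAIN_RE.fullmatch(plain):
        return plain.decode("ascii").lower()
    return None


def build_sample_script(domain: str, key: bytes = XOR_KEY) -> bytes:
    """Constructed test fixture: wrap an XORed domain in an OP_RETURN script
    so the decoder can be exercised offline."""
    blob = xor_bytes(domain.encode("ascii"), key)
    if len(blob) > 0x4B:
        return bytes([OP_RETURN, OP_PUSHDATA1, len(blob)]) + blob
    return bytes([OP_RETURN, len(blob)]) + blob


# Constructed sample scriptPubKeys (hex). The domain is an IoC from the
# page; the benign note and the P2PKH script are made up for the demo.
SAMPLE_SCRIPTS = {
    "c2_like": build_sample_script("cdneurops.pics").hex(),
    "benign_note": (bytes([OP_RETURN, 15]) + b"plain text note").hex(),
    "p2pkh": "76a914" + "00" * 20 + "88ac",
}


def triage(scripts: dict) -> dict:
    """Map each sample name to the recovered domain or None."""
    return {name: recover_domain(hex_script) for name, hex_script in scripts.items()}


if __name__ == "__main__":
    for name, result in triage(SAMPLE_SCRIPTS).items():
        print(f"{name:12s} -> {result}")
```

The hostname check is what keeps this usable as a hunt: OP_RETURN is used for plenty of legitimate data, and XORing arbitrary bytes with a key produces noise that would otherwise be reported as a hit. Any decoded domain should be treated as a lead to verify against DNS and TLS telemetry, not as proof on its own.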

MITRE Techniques

  • [T1105] Ingress Tool Transfer – The operators can deploy additional modules from the credential stealer to exploit kits on infected systems. ‘the botnet operators can deploy additional modules from the credential stealer to exploit kits’
  • [T1090] Proxy – Tor – Glupteba started using TOR hidden services as C2 servers, enhancing anonymity. ‘TOR hidden services were used as a command-and-control server by Glupteba’
  • [T1027] Obfuscated/Compressed Data – The payload is protected by an XOR encryption scheme in newer variants. ‘a XOR encryption scheme to protect the data’
  • [T1583] Acquire Infrastructure – The operation relies on infrastructure such as blockchain-based domains and TLS certificates; ‘Let’s encrypt certificate registration’ and various domain registrations are described.

Indicators of Compromise

  • [Domain] C2 domains – cdneurops[.]pics, mastiakele[.]icu, mastiakele[.]xyz, cdneurops[.]buzz, cdneurops[.]shop
  • [Domain] Associated domains – limeprime[.]org, greenphoenix[.]xyz, revouninstaller[.]homes, getyourgift[.]life
  • [Wallet Address] Wallet addresses – 12EfzLra6LttQ8RWvBTDzJUjYE6eRxx4TY, 14XZhcCJDguZuZF4p13tfLXJ6puudY7gqs, 15nWGFaodg3efVKATgsaaSPU2TxSbiMHcP, 19RzEN3pqHvgRHGMjjtYCqjVTXt8bnHkK3, 1KfLXEveeDEi58wvuBBxuywUA1V66F5QXK
  • [Wallet Address] Additional addresses – 1CUhaTe3AiP9Tdr4B6wedoe9vNsymLiD97, 1CzetoTU29WbhNy1UozrQpxuFuCVxffbTd, 1HjoomvzjtvZdbznoEijTNAkMjmsFba9fY
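The key points recommend monitoring DNS logs for the listed domains. As an added example (not from the page), the script below refangs the IoC domains exactly as published above, then scans BIND-style query-log lines and reports the querying client for any name that equals, or is a subdomain of, an IoC. The log lines are constructed for the demo and the log format is assumed; matching is done on a label boundary so that a lookalike such as notcdneurops.pics is not reported.

```python
"""Hunt DNS query logs for the Glupteba C2 and associated domains.

Added example, not from the page. The log lines below are constructed in a
BIND-style query-log format purely for the demo.
"""
import re
from typing import Iterable, List, Optional, Tuple

# IoC domains copied from the page, defanged exactly as published.
IOC_DOMAINS_DEFANGED = [
    "cdneurops[.]pics", "mastiakele[.]icu", "mastiakele[.]xyz",
    "cdneurops[.]buzz", "cdneurops[.]shop",
    "limeprime[.]org", "greenphoenix[.]xyz", "revouninstaller[.]homes",
    "getyourgift[.]life",
]


def refang(domain: str) -> str:
    """Turn a defanged IoC back into a matchable, normalised hostname."""
    return domain.replace("[.]", ".").strip().lower().rstrip(".")


IOC_DOMAINS = frozenset(refang(d) for d in IOC_DOMAINS_DEFANGED)


def matching_ioc(qname: str, iocs=IOC_DOMAINS) -> Optional[str]:
    """Return the IoC that qname equals or is a subdomain of, else None.
    Suffix matching on a label boundary avoids false hits on lookalikes
    such as 'notcdneurops.pics'."""
    q = qname.lower().rstrip(".")
    for d in iocs:
        if q == d or q.endswith("." + d):
            return d
    return None


# Constructed BIND-style query log lines (not real traffic).
SAMPLE_LOG = """\
12-Mar-2024 10:01:02.117 client @0x7f1 10.20.30.40#51234 (www.example.com): query: www.example.com IN A + (10.20.30.1)
12-Mar-2024 10:01:05.900 client @0x7f2 10.20.30.41#49811 (cdneurops.pics): query: cdneurops.pics IN A + (10.20.30.1)
12-Mar-2024 10:01:06.121 client @0x7f3 10.20.30.41#49812 (cdn.mastiakele.xyz): query: cdn.mastiakele.xyz IN A + (10.20.30.1)
12-Mar-2024 10:01:07.004 client @0x7f4 10.20.30.42#50002 (notcdneurops.pics): query: notcdneurops.pics IN A + (10.20.30.1)
"""

# Pulls the client address and the queried name out of a BIND query-log line.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<client>[0-9a-f.:]+)#\d+ .*?query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def hunt(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (client, queried name, matched IoC) for every hit."""
    hits = []
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        ioc = matching_ioc(m.group("qname"))
        if ioc:
            hits.append((m.group("client"), m.group("qname"), ioc))
    return hits


if __name__ == "__main__":
    for client, qname, ioc in hunt(SAMPLE_LOG.splitlines()):
        print(f"{client} queried {qname} (IoC: {ioc})")
```

A hit identifies a host worth pulling for triage; pairing the client address with the TLS certificate activity the researchers describe gives a second, independent signal before escalating.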

Read more: https://www.nozominetworks.com/blog/tracking-malicious-glupteba-activity-through-the-blockchain/