Threat actors abuse high-performance bots to carry out large-scale automated attacks efficiently.
These bots can work quickly, flood systems, steal information, and conduct and orchestrate sophisticated cyber operations largely autonomously.
Cybersecurity researchers at ASEC recently found that Bondnet has been repurposing high-performance bots as C2 servers.
Bondnet, a threat actor that has deployed backdoors and cryptocurrency miners since 2017, continues to adopt new techniques.
The ASEC researchers noted that Bondnet sets up reverse RDP environments on high-performance compromised systems and uses those systems as C2 servers.
This involved modifying the open-source fast reverse proxy (FRP) tool so that the threat actor's proxy server information was embedded in the binary.
Once the FRP-based reverse RDP environment was in place, Bondnet ran additional programs on the targets, such as the Cloudflare tunneling client, for remote access and to keep control of the compromised systems.
The Cloudflare tunneling client was one of the methods Bondnet used to connect a service on the compromised target to its C2 domain, after registering that C2 domain on Cloudflare.
One of the programs executed was HFS, which provides a file server on TCP port 4000. Its structure resembled this threat actor's command and control infrastructure.
The Golang-built HFS program ran into environmental issues, so it was not possible to observe how the system would have been converted into a C2 server.
However, strong evidence indicates that Bondnet wished to exploit high-speed compromised systems as part of their C2 infrastructure via this tunneling means.
In short, Bondnet used the Cloudflare tunneling client and the HFS program to link services on compromised targets to its Cloudflare-hosted C2 domain.
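The three components described above (an FRP client with a baked-in server address forwarding local RDP, a cloudflared tunnel, and an HFS listener on TCP 4000) each leave a visible trace on the host. The following detection sketch is an added example, not code from the ASEC report or from Bondnet's tooling: it runs a few heuristics over constructed process, socket and extracted-string telemetry. The FRP config keys (serverAddr, localPort, frpc's TOML form), the 7000 server port, the image paths and the PIDs are assumptions made for the sample data; the page does not say how Bondnet's modified FRP binary stores its settings.

```python
import re
from typing import Dict, List

# Constructed sample telemetry, not data from the ASEC report: a process list,
# a socket table, and printable strings pulled from one process image, in the
# shape an endpoint agent might export them.
SAMPLE_PROCESSES = [
    {"pid": 412,  "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k termsvcs"},
    {"pid": 2210, "image": r"C:\Users\Public\cloudflared.exe",
     "cmdline": "cloudflared.exe tunnel run --token eyJhIjoi..."},
    {"pid": 2311, "image": r"C:\Users\Public\hfs.exe",
     "cmdline": "hfs.exe"},
    {"pid": 2400, "image": r"C:\Users\Public\update.exe",  # assumed renamed FRP client
     "cmdline": "update.exe"},
]
SAMPLE_SOCKETS = [
    {"pid": 412,  "state": "LISTEN",      "local": "0.0.0.0:3389",   "remote": "-"},
    {"pid": 2311, "state": "LISTEN",      "local": "0.0.0.0:4000",   "remote": "-"},
    {"pid": 2400, "state": "ESTABLISHED", "local": "10.0.0.5:51822", "remote": "203.0.113.10:7000"},
]
# Assumed FRP client config (frpc TOML keys) embedded in the binary; the exact
# form Bondnet uses is not described in the article.
SAMPLE_STRINGS = {
    2400: ['serverAddr = "203.0.113.10"', "serverPort = 7000",
           "[[proxies]]", 'type = "tcp"', "localPort = 3389", "remotePort = 33890"],
}

TUNNEL_CMD = re.compile(r"cloudflared(\.exe)?\s+tunnel\s+run", re.I)
FRP_SERVER = re.compile(r"^(server_addr|serverAddr)\s*=", re.I)
RDP_LOCAL = re.compile(r"^(local_port|localPort)\s*=\s*3389\b", re.I)
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def port_of(addr: str) -> int:
    return int(addr.rsplit(":", 1)[1])


def find_cloudflared_tunnels(processes) -> List[int]:
    """PIDs running the Cloudflare tunneling client in tunnel mode."""
    return [p["pid"] for p in processes if TUNNEL_CMD.search(p["cmdline"])]


def find_user_path_listeners(processes, sockets, port: int) -> List[int]:
    """PIDs of images outside system directories listening on `port` (HFS used 4000)."""
    images = {p["pid"]: p["image"].lower() for p in processes}
    hits = []
    for s in sockets:
        if s["state"] == "LISTEN" and port_of(s["local"]) == port:
            if not images.get(s["pid"], "").startswith(SYSTEM_DIRS):
                hits.append(s["pid"])
    return hits


def find_frp_rdp_forwarders(strings_by_pid: Dict[int, List[str]]) -> List[int]:
    """PIDs whose image carries an FRP client config that forwards local 3389."""
    hits = []
    for pid, strs in strings_by_pid.items():
        has_server = any(FRP_SERVER.search(s) for s in strs)
        has_rdp = any(RDP_LOCAL.search(s) for s in strs)
        if has_server and has_rdp:
            hits.append(pid)
    return hits


def outbound_peers(sockets, pids) -> Dict[int, List[str]]:
    """Remote endpoints of established connections for the given PIDs (the FRP server)."""
    out: Dict[int, List[str]] = {}
    for s in sockets:
        if s["pid"] in pids and s["state"] == "ESTABLISHED":
            out.setdefault(s["pid"], []).append(s["remote"])
    return out


def assess(processes, sockets, strings_by_pid) -> List[dict]:
    """Combine the three heuristics into a list of findings."""
    findings = []
    for pid in find_cloudflared_tunnels(processes):
        findings.append({"pid": pid, "rule": "cloudflared_tunnel"})
    for pid in find_user_path_listeners(processes, sockets, 4000):
        findings.append({"pid": pid, "rule": "hfs_like_listener_4000"})
    frp = find_frp_rdp_forwarders(strings_by_pid)
    peers = outbound_peers(sockets, set(frp))
    for pid in frp:
        findings.append({"pid": pid, "rule": "frp_reverse_rdp", "peers": peers.get(pid, [])})
    return findings


if __name__ == "__main__":
    for finding in assess(SAMPLE_PROCESSES, SAMPLE_SOCKETS, SAMPLE_STRINGS):
        print(finding)
```

The FRP rule is the one that matters most here, because a reverse proxy that publishes port 3389 to an external server is exactly what turns a bot into a remotely managed node; the peer address it reports is the candidate proxy server to block and pivot on in further hunting. The 4000 and cloudflared rules will fire on legitimate use, so treat them as corroborating signals rather than stand-alone alerts.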
They might have intended to convert high-performance bots into their C2 infrastructure via reverse RDP connections.
No data exfiltration or lateral movement was detected, although similarities between the HFS program UI and the actor’s C2 suggested its expected use.
During analysis of this system, it turned out that the HFS program did not work properly.
Some months later, the actor's C2 UI changed: new malicious files appeared and files that had previously been deleted were restored. This suggests that, after running into problems turning the initial target into a C2 node, the actor switched to another compromised bot with different tooling.
MD5s
URLs And C2s