216.73.217.22

Long Live The Vo1d Botnet: New Variant Hits 1.6 Million TV Globally

· Published 28/02/2025 10:35 · Modified 28/02/2025 11:10

Export JSON

Essential information

Published
28/02/2025 10:35
Modified
28/02/2025 11:10
Tags
2025-02-28 android tv botnet proxy network set-top box vo1d
Related entities
48 observables, 1 intrusion sets (apt), 20 techniques (mitre), 3 malware, 20 others

Description

The has infected 1.6 million devices across 200+ countries, posing a significant cybersecurity threat. This new variant demonstrates enhanced stealth and resilience, utilizing RSA encryption, DGA-based infrastructure, and a modified XXTEA algorithm. The 's scale and capabilities surpass previous major attacks, potentially enabling devastating DDoS attacks or unauthorized content broadcasting. Analysis reveals a sophisticated multi-component system including downloaders, backdoors, and modular malware for proxy services and ad fraud. The 's rapid growth and evasion techniques highlight the urgent need for improved security measures in smart TV devices and set-top boxes.

Related entities

Vulnerabilities, IOCs, intrusion sets, MITRE techniques and other entities referenced in this report.

Observables (48)

  • 69.28.62.61
  • 69.28.62.60
  • 69.28.62.52
  • 69.28.62.51
  • 69.28.62.50
  • 69.28.62.49
  • 69.28.62.48
  • 69.28.62.41
  • 69.28.62.42
  • 69.28.62.39
  • 69.28.62.38
  • 38.61.8.33
  • 38.61.8.31
  • 38.61.8.14
  • 38.61.8.13
  • 38.61.8.12
  • 38.61.8.11
  • 38.46.218.39
  • 38.46.218.38
  • 38.46.218.36
  • 38.46.218.37
  • 156.236.118.48
  • 156.236.118.27
  • 128.1.71.243
  • https://dcsdkos.dc16888888.com/sdkbin
  • https://dcsdkos.dc16888888.com/reportcompbin
  • https://dcsdk.100ulife.com/sdkbin
  • https://dcsdk.100ulife.com/reportcompbin
  • http://task.moyu88.xyz/cpc/api/xml?productId=0
  • http://task.moyu88.xyz/cpc/api/task
  • http://ssl87362.com:9999
  • http://task.moyu88.xyz/cpc/api/proxy/origin
  • http://jaguar-distributor.syslogcollector.com:12000/v1/agent/ctrl
  • http://dcsdkos.dc16888888.com/sdkbin
  • http://dcsdk.100ulife.com/sdkbin
  • http://dcsdkos.dc16888888.com/reportcompbin
  • http://dcsdk.100ulife.com/reportcompbin
  • http://csskkjw.com/s3/b7027626
  • http://adstat.ziyemy.shop:3389
  • update.ad3g.com
  • wowokeys.com
  • ssl87362.com
  • spiritlib.cyou
  • csskkjw.com
  • csok997.com
  • conannt.com
  • catmore23.com
  • 2940637fafa.com

Intrusion sets (APT) (1)

  • Vo1d
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 12:38 · Modified 21/12/2025 12:38

Techniques (MITRE) (20)

  • T1568
    Dynamic Resolution
  • T1036.004
    Masquerade Task or Service
  • T1608
    Stage Capabilities
  • T1027.002
    Software Packing
  • T1012
    Query Registry
  • T1573
    Encrypted Channel
  • T1016
    System Network Configuration Discovery
  • T1129
    Shared Modules
  • T1082
    System Information Discovery
  • T1105
    Ingress Tool Transfer
  • T1071
    Application Layer Protocol
  • T1102
    Web Service
  • T1055
    Process Injection
  • T1036
    Masquerading
  • T1140
    Deobfuscate/Decode Files or Information
  • T1132
    Data Encoding
  • T1027
    Obfuscated Files or Information
  • T1112
    Modify Registry
  • T1001
    Data Obfuscation
  • T1059
    Command and Scripting Interpreter

Malware (3)

  • Vo1d
    Family
    Published 17/02/2026 12:39 · Modified 17/02/2026 12:39
  • Mzmess
    Family
    Published 28/02/2025 10:35 · Modified 28/02/2025 10:35
  • BigPanzi
    Family
    Published 28/02/2025 10:35 · Modified 28/02/2025 10:35

Others (20)

  • British Indian Ocean Territory
  • Iraq
  • South Africa
  • India
  • China
  • Argentina
  • Thailand
  • Malaysia
  • Indonesia
  • Germany
  • Morocco
  • Philippines
  • Ecuador
  • Mexico
  • Pakistan
  • Brazil
  • United States of America
  • Russian Federation
  • Media
  • Telecommunications

External references