{
  "name": "The Group Theory Inside Bedep's DGA",
  "slug": "the-group-theory-inside-bedeps-dga",
  "description": "Bedep was an ad-fraud botnet active from late 2014 through 2015, delivered through the Angler exploit kit. It employed an unusually sophisticated domain generation algorithm (DGA) that combined real foreign exchange rates from the European Central Bank with advanced group theory to generate command-and-control domains. Unlike typical DGAs that rely solely on date-based seeds, Bedep's algorithm fetched currency exchange rates and UTC timestamps from legitimate public sources, so future domains could not be computed until that data was published. The malware implemented mathematical concepts including cyclic groups, primitive root generators, and modular arithmetic to ensure collision-free domain generation. This unique approach made it significantly harder for defenders to pre-compute and block domains than with conventional DGAs, because the exchange rates could not be predicted in advance; the domains could be derived only after the rates were published.",
  "published": "2026-04-22T20:57:30+00:00",
  "created_at": "2026-04-22T20:57:30+00:00",
  "modified_at": "2026-04-27T12:36:49+00:00",
  "created_at_opencti": "2026-04-22T20:57:30+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2026-04-22",
    "CVE-2015-0311",
    "ad-fraud botnet",
    "angler",
    "angler exploit kit",
    "bedep",
    "cyclic groups",
    "dga",
    "domain generation algorithm",
    "foreign exchange rates",
    "group theory"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "d0fb1b66b6e4da395892327be9f39adb4533e7759ace39f67bdde0bb1cdaef35"
      }
    ],
    "malware": [
      {
        "id": "878f1515-ac35-4f75-bc31-bef889e09a25",
        "name": "Angler",
        "slug": "angler"
      },
      {
        "id": "legacy:malware:6f3f255709b11320",
        "name": "Bedep",
        "slug": "bedep"
      }
    ],
    "attack_patterns": [
      {
        "id": "5d890f18-8c7e-47eb-89aa-d2b82a61a7d7",
        "name": "T1008"
      },
      {
        "id": "a72ebeae-8e62-4039-8135-e9c611011fdc",
        "name": "T1573"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "81ee4813-4f68-4984-bec1-980d7c5b56eb",
        "name": "T1132"
      },
      {
        "id": "dc17cbbd-40d8-43cf-b3cf-50d1276db2c7",
        "name": "T1016"
      },
      {
        "id": "50514c04-b3a2-4abf-a855-e3a434200c87",
        "name": "T1204"
      },
      {
        "id": "60972cf6-e90b-4600-af3c-13c468391d9c",
        "name": "T1106"
      },
      {
        "id": "f6ceeba2-b50c-47dc-8642-ab9842ca76d7",
        "name": "T1018"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "6c31e3ae-7a24-4c3b-8a2a-f769c351a2af",
        "name": "T1568.002"
      },
      {
        "id": "9b6064e6-a05b-4e95-baf5-34d180bc9221",
        "name": "T1059"
      },
      {
        "id": "dc342445-1b78-48b4-aa06-89ed2ad7c28e",
        "name": "T1071"
      },
      {
        "id": "e46a9411-d2a1-47c9-8820-c7f818f4c0b5",
        "name": "T1203"
      },
      {
        "id": "4bbdf41c-817c-448a-9513-aaea6bfbe8b4",
        "name": "T1568"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      }
    ],
    "vulnerabilities": [
      {
        "id": "",
        "name": "CVE-2015-0311"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "rrpohktjlscncqxvt3.com"
      },
      {
        "id": "",
        "name": "wjavcjhazzxyxotkbi.com"
      }
    ]
  },
  "external_refs": [
    "https://otx.alienvault.com/pulse/69e9525a37098f168ad6064f",
    "https://www.gendigital.com/blog/insights/research/the-group-theory-inside-bedeps-dga"
  ]
}