i've got a new malware analysis describing what i have dubbed XorBee RAT
-
i've got a new malware analysis describing what i have dubbed
XorBee RAT - delivered by #kongtuke via #clickfix
- Python based
- targets domain-joined Windows
- uses port tcp/4444 for C2 traffic
- obfuscates C2 traffic with XOR of the letter b
- continuously runs a thread checking for monitoring tools and exits if seen
- after authenticating with C2, enters reverse shell
- related to ModeloRAT
- first seen in October 2025
XorBee RAT
A technical breakdown of XorBee RAT, a Python-based reverse shell deployed by the KongTuke threat actor via ClickFix social engineering against domain-joined Windows environments.
Malware Analysis (rmceoin.github.io)
-
@rmceoin Nicely done.
-
@james_inthe_box thank you! i saw it back in october and had fun with it, then saw it again last week and it sure seemed like nobody else had written it up. i was overdue for a post on anything and this seemed like an interesting little beastie.
-
@rmceoin can't see any sandbox results of the traffic, which sucks, but at the very least, I can grab the C2 and drop that into the ETOPEN ruleset for today's release. Thanks for sharing.
-
@da_667 cool! nice to get an add to ETOPEN. a quick check shows the C2 is still up. fyi, the authentication packet should have the same data payload for any C2 IP, so when they move, this will be the same assuming the AUTH_KEY stays the same


-
@rmceoin oh hey, that's something I can use. I'll include that in today's release as well. Thank you so much for sharing.
alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE XorBee RAT CNC Checkin M1"; flow:established,to_server; dsize:7; content:"|09 07 1b 52 52 55 68|"; reference:url,rmceoin.github.io/malware-analysis/2026/04/13/xorbee-rat.html; classtype:trojan-activity; sid:1; rev:1;)
-
@da_667 yea! i had a feeling you'd be able to chew on that
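Worked example, added here and not code from the write-up, the RAT itself, or the ET rule author: the two facts in this exchange (C2 traffic is XORed with the letter "b"; the checkin is a fixed 7-byte payload matched by the rule's content bytes) are enough to decode the checkin, rebuild the wire bytes for a given AUTH_KEY, and show why the match fires regardless of which C2 IP the operators move to. The interpretation that the packet is AUTH_KEY followed by a newline is an assumption drawn from the decoded bytes, and the sample flows at the bottom are constructed test data, not captures.

```python
"""XorBee RAT checkin: single-byte XOR framing and C2-IP-independent matching.
Example code written for this thread; not the RAT's source or ET's tooling."""

XOR_KEY = ord("b")  # from the post: C2 traffic is XORed with the letter "b"

# Content bytes copied from the ET MALWARE "XorBee RAT CNC Checkin M1" rule
# above. dsize:7 in that rule means the whole checkin payload is these 7 bytes.
RULE_CONTENT = "|09 07 1b 52 52 55 68|"


def xor_b(data: bytes, key: int = XOR_KEY) -> bytes:
    """XOR every byte with the key. A single-byte XOR is its own inverse,
    so one function both encodes and decodes."""
    return bytes(b ^ key for b in data)


def parse_content(content: str) -> bytes:
    """Turn a Suricata hex content match such as |09 07 1b| into raw bytes."""
    inner = content.strip()
    if not (inner.startswith("|") and inner.endswith("|")):
        raise ValueError("only pure hex content matches are handled here")
    return bytes.fromhex(inner[1:-1])


def to_content(data: bytes) -> str:
    """Render raw bytes in Suricata's |xx xx| content syntax."""
    return "|" + " ".join(f"{b:02x}" for b in data) + "|"


def decode_checkin(content: str = RULE_CONTENT) -> bytes:
    """Recover the plaintext the RAT sends in its first packet."""
    return xor_b(parse_content(content))


def checkin_for_key(auth_key: str) -> bytes:
    """Wire bytes for a given AUTH_KEY.
    Assumption (not stated on the page): the checkin is the key followed by
    a newline, which is what decoding the rule's content bytes suggests."""
    return xor_b(auth_key.encode() + b"\n")


def checkin_rule(auth_key: str, sid: int) -> str:
    """Emit a rule shaped like the ET one above for a rotated AUTH_KEY, so
    coverage does not have to wait for the new C2 IP to be known."""
    wire = checkin_for_key(auth_key)
    return (
        'alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any '
        f'(msg:"XorBee RAT CNC Checkin (AUTH_KEY {auth_key})"; '
        f'flow:established,to_server; dsize:{len(wire)}; '
        f'content:"{to_content(wire)}"; classtype:trojan-activity; '
        f'sid:{sid}; rev:1;)'
    )


# Constructed sample flows (dst ip, dst port, first payload to the server):
# two checkins to different C2 IPs on tcp/4444 plus an unrelated 7-byte packet.
SAMPLE_FLOWS = [
    ("203.0.113.10", 4444, parse_content(RULE_CONTENT)),
    ("198.51.100.7", 4444, checkin_for_key("key007")),
    ("192.0.2.55", 4444, b"GET / H"),
]


def flag_checkins(flows, content: str = RULE_CONTENT):
    """Apply the rule's logic by hand: exact 7-byte payload, any destination.
    Returns the destination IPs that would have fired the alert."""
    needle = parse_content(content)
    return [ip for ip, _port, payload in flows
            if len(payload) == len(needle) and payload == needle]


if __name__ == "__main__":
    print("checkin plaintext:", decode_checkin())
    print("flagged C2 IPs:", flag_checkins(SAMPLE_FLOWS))
    print(checkin_rule("key007", 1000001))
```

The decoded plaintext is what makes the rule portable: the bytes depend only on the AUTH_KEY and the XOR byte, so a C2 move leaves the match intact, and a key rotation is the one change that would require regenerating the content string.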
-
@rmceoin python based on windows? curious that's a feasible tactic these days
-
@da_667 ah! i just got around to noticing the ET TROJAN XorBee RAT CnC Domain in DNS Lookup rules. those are actually KongTuke domains. those may or may not lead you to XorBee RAT. the RAT didn't use any domains, it only used IPs directly.
-
@rmceoin Very interested if you get around to posting the logic they're using for when to display the ClickFix!
Seeing a compromised site that was reaching out to windlrr[.]com/file.js yesterday, now reaching out to a new initial C2: mermiston[.]com/file.js
-
@BrandonD i don't really know what their criteria is for the gateway url with the /g path. they do seem to toggle it off for periods of time. i speculate they only have it enabled during victim business hours and when they're on the clock, so to speak.