i've got a new malware analysis describing what i have dubbed XorBee RAT

Reply to i've got a new malware analysis describing what i have dubbed XorBee RAT on Thu, 16 Apr 2026 20:04:25 GMT

rmceoin@infosec.exchange — Thu, 16 Apr 2026 20:04:25 GMT

@BrandonD i don't really know what their criteria is for the gateway url with the /g path. they do seem to toggle it off for periods of time. i speculate they only have it enabled during victim business hours and when they're on the clock, so to speak.

Reply to i've got a new malware analysis describing what i have dubbed XorBee RAT on Thu, 16 Apr 2026 19:58:23 GMT

brandond@infosec.exchange — Thu, 16 Apr 2026 19:58:23 GMT

@rmceoin Very interested if you get around to posting the logic they're using for when to display the ClickFix!

Seeing a compromised site that was reaching out to windlrr[.]com/file.js yesterday, now reaching out to a new initial C2: mermiston[.]com/file.js

Reply to i've got a new malware analysis describing what i have dubbed XorBee RAT on Thu, 16 Apr 2026 19:02:01 GMT

rmceoin@infosec.exchange — Thu, 16 Apr 2026 19:02:01 GMT

@da_667 ah! i just got around to noticing the ET TROJAN XorBee RAT CnC Domain in DNS Lookup rules. those are actually KongTuke domains. those may or may not lead you to XorBee RAT. the RAT didn't use any domains, it only used IP's directly.

Reply to i've got a new malware analysis describing what i have dubbed XorBee RAT on Mon, 13 Apr 2026 18:26:53 GMT

astraleureka@social.treehouse.systems — Mon, 13 Apr 2026 18:26:53 GMT

@rmceoin python based on windows? curious that's a feasible tactic these days

Reply to i've got a new malware analysis describing what i have dubbed XorBee RAT on Mon, 13 Apr 2026 18:02:26 GMT

rmceoin@infosec.exchange — Mon, 13 Apr 2026 18:02:26 GMT

@da_667 yea! i had a feeling you'd be able to chew on that

Reply to i've got a new malware analysis describing what i have dubbed XorBee RAT on Mon, 13 Apr 2026 17:58:24 GMT

da_667@infosec.exchange — Mon, 13 Apr 2026 17:58:24 GMT

@rmceoin oh hey, that's something I can use. I'll include that in today's release as well. Thank you so much for sharing.

alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE XorBee RAT CNC Checkin M1"; flow:established,to_server; dsize:7; content:"|09 07 1b 52 52 55 68|"; reference:url,rmceoin.github.io/malware-analysis/2026/04/13/xorbee-rat.html; classtype:trojan-activity; sid:1; rev:1;)

Reply to i've got a new malware analysis describing what i have dubbed XorBee RAT on Mon, 13 Apr 2026 17:53:06 GMT

rmceoin@infosec.exchange — Mon, 13 Apr 2026 17:53:06 GMT

@da_667 cool! nice to get an add to ETOPEN. a quick check shows the C2 is still up. fyi, the authentication packet should have the same data payload for any C2 IP, so when they move, this will be the same assuming the AUTH_KEY stays the same

Reply to i've got a new malware analysis describing what i have dubbed XorBee RAT on Mon, 13 Apr 2026 17:42:16 GMT

da_667@infosec.exchange — Mon, 13 Apr 2026 17:42:16 GMT

@rmceoin can't see any sandbox results of the traffic, which sucks, but at the very least, I can grab the C2 and drop that into the ETOPEN ruleset for today's release. Thanks for sharing.

Reply to i've got a new malware analysis describing what i have dubbed XorBee RAT on Mon, 13 Apr 2026 17:31:45 GMT

rmceoin@infosec.exchange — Mon, 13 Apr 2026 17:31:45 GMT

@james_inthe_box thank you! i saw it back in october and had fun with it, then saw it again last week and it sure seemed like nobody else had written it up. i was overdue for a post on anything and this seemed like an interesting little beastie.

Reply to i've got a new malware analysis describing what i have dubbed XorBee RAT on Mon, 13 Apr 2026 17:13:35 GMT

james_inthe_box@infosec.exchange — Mon, 13 Apr 2026 17:13:35 GMT

@rmceoin Nicely done.