Pulse Detail — Threat Intelligence

PULSE NAME

Long Live The Vo1d Botnet: New Variant Hits 1.6 Million TV Globally

WHITE CyberHunter_NL 2025-02-28 Modified: 2025-03-30

IOCs

HIGH VOLUME

A new variant of the Vo1d botnet is taking control of 1.6 million Android TV devices worldwide, according to a new report by cybersecurity researchers XLab and its artificial intelligence unit.

dga en android backdoor botnet vo1d vo1d botnet january february china below redirector c2 dga algorithm codomain system xxtea key downloader impact twitter fraud drop python dexloader test leave virustotal bigpanzi mirai dex

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1059 T1040 T1566 T1552 T1036 T1095 T1195 T1495 T1090 T1102 T1140 T1568

MALWARE FAMILIES

Bigpanzi Mirai DEX Vo1d

Indicators of Compromise (88)

All FileHash-MD5 FileHash-SHA1 URL domain hostname

TYPE	INDICATOR	DESCRIPTION	CREATED
FileHash-MD5	01a692df9deb5e8db620e4fb7e687836	—	2025-02-28
FileHash-MD5	0c454831bdb679bdd083c5a7cc785733	—	2025-02-28
FileHash-MD5	2d6d91c5988dcab2eb4dab1ec55cfbb9	—	2025-02-28
FileHash-MD5	2de1775908db39f3c4edbb7a7d99268d	—	2025-02-28
FileHash-MD5	30da72fda6d0f5e3972272332d7fc47b	—	2025-02-28
FileHash-MD5	456e14aa644bd31d85e0fe6f78d8fc15	—	2025-02-28
FileHash-MD5	47c5bf4fbce983c2182ba103d2773dff	—	2025-02-28
FileHash-MD5	4efa4566794d86e033c2362cad05f1f8	—	2025-02-28
FileHash-MD5	4f4d5e37feda9e9556c816c100e1de30	—	2025-02-28
FileHash-MD5	53493b07fe423b1dbdc789803cbac7c1	—	2025-02-28
FileHash-MD5	5701ee051f80e92c1efc5ad32f8401d3	—	2025-02-28
FileHash-MD5	6168dafc5a1d297cf33b26b65db315cc	—	2025-02-28
FileHash-MD5	68ec86a761233798142a6f483995f7e9	—	2025-02-28
FileHash-MD5	6bb3258b688f81dfd03128bccf18823b	—	2025-02-28
FileHash-MD5	9e116f9ad2ff072f02aa2ebd671582a5	—	2025-02-28
FileHash-MD5	a07533a9504fff0756a8ba59ca0af4d6	—	2025-02-28
FileHash-MD5	a4df8a0484e04fe660563b69c93c7f14	—	2025-02-28
FileHash-MD5	a774eb68f60621bfddd8db461d978c12	—	2025-02-28
FileHash-MD5	aabbccddaabbccddaabbccddaabbccdd	—	2025-02-28
FileHash-MD5	b447aaf52c1efad388612f8220969c35	—	2025-02-28
FileHash-MD5	b6d5c945d61a73641e710f357214f3e3	—	2025-02-28
FileHash-MD5	bb6b9aec7d4bfa524c7c5117257e4d78	—	2025-02-28
FileHash-MD5	d9126d936d505b9fa9a8278fda1daaae	—	2025-02-28
FileHash-MD5	de252f9ac7624d723212e7e70972134d	—	2025-02-28
FileHash-MD5	de8f69efdb29cdf5fd12dd7b74584696	—	2025-02-28
FileHash-MD5	fc7dc3c5306d6a508023160953168a16	—	2025-02-28
FileHash-SHA1	70672a8ccee11976077ff4f3dc16966bbf67e965	—	2025-02-28
URL	http://adstat.ziyemy.shop:3389	—	2025-02-28
URL	http://csskkjw.com/s3/b7027626	—	2025-02-28
URL	http://dcsdk.100ulife.com/reportcompbin	—	2025-02-28
URL	http://dcsdk.100ulife.com/sdkbin	—	2025-02-28
URL	http://dcsdkos.dc16888888.com/reportcompbin	—	2025-02-28
URL	http://dcsdkos.dc16888888.com/sdkbin	—	2025-02-28
URL	http://jaguar-distributor.syslogcollector.com:12000/v1/agent/ctrl	—	2025-02-28
URL	http://ssl87362.com:9999	—	2025-02-28
URL	http://task.moyu88.xyz/cpc/api/proxy/origin	—	2025-02-28
URL	http://task.moyu88.xyz/cpc/api/task	—	2025-02-28
URL	http://task.moyu88.xyz/cpc/api/xml?productId=0	—	2025-02-28
URL	https://dcsdk.100ulife.com/reportcompbin	—	2025-02-28
URL	https://dcsdk.100ulife.com/sdkbin	—	2025-02-28
URL	https://dcsdkos.dc16888888.com/reportcompbin	—	2025-02-28
URL	https://dcsdkos.dc16888888.com/sdkbin	—	2025-02-28
domain	2940637fafa.com	—	2025-02-28
domain	catmore23.com	—	2025-02-28
domain	catmore88.com	—	2025-02-28
domain	catmos99.com	—	2025-02-28
domain	conannt.com	—	2025-02-28
domain	csok997.com	—	2025-02-28
domain	csskkjw.com	—	2025-02-28
domain	gmslb.net	—	2025-02-28
domain	haveits.com	—	2025-02-28
domain	kyc-holdings.com	—	2025-02-28
domain	lbk-sol.com	—	2025-02-28
domain	linkmob.org	—	2025-02-28
domain	peercon.org	—	2025-02-28
domain	phonegrid.org	—	2025-02-28
domain	phonemesh.org	—	2025-02-28
domain	pxleo5fbca7141b5.com	—	2025-02-28
domain	qocoll.com	—	2025-02-28
domain	remoredo.com	—	2025-02-28
domain	safernetwork.io	—	2025-02-28
domain	sklstech.com	—	2025-02-28
domain	snakeers.com	—	2025-02-28
domain	spiritlib.cyou	—	2025-02-28
domain	ssl87362.com	—	2025-02-28
domain	ssl8rrs2.com	—	2025-02-28
domain	synntre.com	—	2025-02-28
domain	ttekf42.com	—	2025-02-28
domain	ttss442.com	—	2025-02-28
domain	tumune3.com	—	2025-02-28
domain	works883.com	—	2025-02-28
domain	works883.xyz	—	2025-02-28
domain	wowokeys.com	—	2025-02-28
hostname	adstat.ad3g.com	—	2025-02-28
hostname	adstat.moyu88.xyz	—	2025-02-28
hostname	adstat.ziyemy.shop	—	2025-02-28
hostname	adstat2.ziyemy.shop	—	2025-02-28
hostname	dcsdk.100ulife.com	—	2025-02-28
hostname	dcsdkos.dc16888888.com	—	2025-02-28
hostname	g.sxim.me	—	2025-02-28
hostname	jaguar-distributor.syslogcollector.com	—	2025-02-28
hostname	ref.sxim.me	—	2025-02-28
hostname	reg.sxim.me	—	2025-02-28
hostname	task.moyu88.xyz	—	2025-02-28
hostname	task.mymoyu.shop	—	2025-02-28
hostname	task1.ziyemy.shop	—	2025-02-28
hostname	task2.ziyemy.shop	—	2025-02-28
hostname	update.ad3g.com	—	2025-02-28

References (1)

↗ https://blog.xlab.qianxin.com/long-live-the-vo1d_botnet/