OCRFix botnet hides C2 in BNB Smart Chain contract
WHITE PetrP.73 2026-03-18 Modified: 2026-04-17
The OCRFix botnet uses a sophisticated attack chain that hides its command and control (C2) infrastructure in smart contracts on the BNB Smart Chain testnet. The three-stage botnet queries these smart contracts over JSON-RPC at runtime to obtain the C2 domain, so the infrastructure can be updated with a simple blockchain transaction. The malware's design requires no binary updates on infected machines; they simply check in for updates at defined intervals.
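One way to hunt for this pattern in web-proxy data is to look for endpoints that read the same contract over JSON-RPC on a fixed schedule. The sketch below is an added example, not code from this pulse or from the malware. It assumes the lookup is an `eth_call` request (the standard read-only contract call in EVM JSON-RPC) and that POST bodies are logged; all host names, client names and the contract address are constructed.

```python
import json
from collections import defaultdict
from statistics import mean, pstdev

CONTRACT = "0x" + "11" * 20  # constructed placeholder address, not an indicator

def _body(method, to=CONTRACT):
    return json.dumps({"jsonrpc": "2.0", "id": 1, "method": method,
                       "params": [{"to": to, "data": "0x00"}, "latest"]})

# Constructed proxy records: (epoch seconds, client, destination host, POST body).
SAMPLE_LOG = (
    [(t, "ws-014", "rpc-testnet.example", _body("eth_call"))
     for t in (1000, 1602, 2199, 2801, 3400)]        # steady ~600 s check-in
    + [(t, "dev-007", "rpc-testnet.example", _body("eth_call"))
       for t in (1000, 1030, 5000, 5100)]            # irregular, human-driven
    + [(1200, "ws-014", "rpc-testnet.example", _body("eth_blockNumber")),
       (1300, "ws-020", "intranet.example", "user=alice&action=save")]
)

def contract_reads(log):
    """Yield (ts, client, contract) for every eth_call found in a POST body."""
    for ts, client, _dest, body in log:
        try:
            doc = json.loads(body)
        except ValueError:
            continue                                 # body is not JSON at all
        for req in doc if isinstance(doc, list) else [doc]:  # batch = list
            if not isinstance(req, dict) or req.get("method") != "eth_call":
                continue
            params = req.get("params")
            ok = isinstance(params, list) and params and isinstance(params[0], dict)
            yield ts, client, str(params[0].get("to", "") if ok else "").lower()

def beaconing_clients(log, min_calls=4, max_jitter=0.1):
    """Return {(client, contract): mean interval} for fixed-interval readers."""
    seen = defaultdict(list)
    for ts, client, contract in contract_reads(log):
        seen[(client, contract)].append(ts)
    hits = {}
    for key, stamps in seen.items():
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if len(stamps) >= max(min_calls, 2) and pstdev(gaps) <= max_jitter * mean(gaps):
            hits[key] = round(mean(gaps))
    return hits

if __name__ == "__main__":
    print(beaconing_clients(SAMPLE_LOG))
```

The thresholds `min_calls` and `max_jitter` are illustrative defaults; tune them against hosts that legitimately run blockchain tooling before alerting on the output.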
Indicators of Compromise (47)