← Back to Pulse Feed
PULSE DETAIL
PULSE NAME
OCRFix botnet hides C2 in BNB Smart Chain contract
WHITE PetrP.73 2026-03-18 Modified: 2026-04-17
47
IOCs
MEDIUM VOLUME
The OCRFix botnet exemplifies a sophisticated attack chain utilizing the BNB Smart Chain testnet to conceal its command and control (C2) infrastructure within smart contracts. This three-stage botnet employs JSON-RPC to query these smart contracts at runtime for the C2 domain, allowing seamless infrastructure updates through simple blockchain transactions. Notably, the malware's design necessitates no binary updates on infected machines; they simply check in for updates at defined intervals.
clickfixbotnetmalwarevbscriptetherhidingblockchainreverse-engineeringc2 backendcfgmgrmarchlayerc2 urlstageuuidjs loadercfghelpervbs payloadwavepersistencewinrarvidarrhadamanthysstagesdefendermsiphpreobfuscationvbsbsc testnetcontextnjallac2 trafficstatwin32win64
MITRE ATT&CK & Malware Families
ATT&CK TECHNIQUES
Indicators of Compromise (6 / 47 total)
All URL FileHash-MD5 FileHash-SHA1 FileHash-SHA256 domain hostname
TYPEINDICATORDESCRIPTIONCREATED
FileHash-SHA256 342f5ff3590de73965b8f25fc0654679b279a0c29592cce39799f09b3ab96aee 2026-03-18
FileHash-SHA256 5c4a3fe6a522da9251714b308061e58a4d47fd87aac367a3f9caf4da78cb3395 2026-03-18
FileHash-SHA256 82220e03c9b50959fda633576869c2744c3d45b77b7638b3e975ecaa5d2a6a64 2026-03-18
FileHash-SHA256 a6f7210ecc4769228081f0ea8b74d4d4c2b73baff05ec46e87cba996f04d296b 2026-03-18
FileHash-SHA256 c637ad6ad634f77f83a78302a0bfec8a21afe8f1852b3db262a76202bf118eb1 2026-03-18
FileHash-SHA256 e1016ff75db679ddb522f7e0e5321525f0dc22e2626b193680ce4389fcfb63ae 2026-03-18
References (1)
↗ https://www.derp.ca/research/ocrfix-etherhiding-botnet/