Threat researchers have uncovered an actively serving command and control (C2) server believed to be hosting a complete deployment of the BYOB (Build Your Own Bot) framework. The discovery followed the identification of an exposed open directory, revealing malicious payloads designed for persistent remote access across Windows, Linux, and macOS systems. The server, located at IP address 38.255.43.60 on port 8081 and hosted by Hyonix in the United States, contained a comprehensive set of tools including droppers, stagers, and post-exploitation modules.
This incident highlights a significant cybersecurity threat, as the BYOB framework facilitates sophisticated multi-stage infections that aim to evade detection while enabling extensive surveillance and control over compromised machines. The exposed directory provided a detailed view of the framework’s architecture, outlining a three-stage infection process designed for stealth and efficacy across diverse operating systems.
BYOB Framework’s Multi-Stage Infection Chain
The initial stage of the BYOB infection begins with a small, 359-byte dropper. This dropper employs multiple layers of obfuscation, including Base64 encoding, Zlib compression, and Marshal deserialization, to bypass signature-based detection systems. Its primary function is to fetch the second-stage component.
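Because the dropper's three wrapping layers are all reversible, a first-pass triage script can peel them statically and identify what sits underneath without ever executing the sample. The following is an added example, not code from the Hunt.io report or from the BYOB project: it recognises the exec()/decode-chain shape, unwraps Base64 and zlib, and stops when it reaches a marshalled code object (which belongs in a disassembler in an isolated analysis VM, never in marshal.loads on an analyst workstation). The sample produced by build_constructed_sample() is constructed for this example and wraps nothing but a print() call.

```python
"""Static triage of a stacked Base64 / zlib / marshal Python loader.

Added example, not Hunt.io's or BYOB's code. Peels reversible wrapping layers
without executing anything and stops at a marshalled code object.
"""
import base64
import binascii
import marshal
import re
import zlib

# Text-level signature of the loader shape: exec()/eval() whose argument
# passes through marshal, zlib or base64 decoding.
LOADER_RE = re.compile(rb"(exec|eval)\s*\(.*?(marshal|zlib|b64decode)", re.S)
# Long runs of the Base64 alphabet are candidate payload blobs.
B64_RUN_RE = re.compile(rb"[A-Za-z0-9+/]{24,}={0,2}")


def looks_like_stacked_loader(blob: bytes) -> bool:
    """True when the text shows the exec(<decode chain>) shape."""
    return LOADER_RE.search(blob) is not None


def is_marshalled_code(data: bytes) -> bool:
    """marshal.dumps(code) starts with type byte 'c' (0x63), usually with the
    FLAG_REF bit set (0xe3), followed by co_argcount as a 32-bit little-endian
    int whose upper three bytes are zero for any realistic function."""
    return len(data) > 5 and (data[0] & 0x7F) == 0x63 and data[2:5] == b"\x00\x00\x00"


def peel_layers(blob: bytes, max_depth: int = 8):
    """Return (layer names peeled in order, innermost bytes reached).

    Nothing is executed or unmarshalled; marshal data is only recognised.
    """
    layers, cur = [], blob
    for _ in range(max_depth):
        if is_marshalled_code(cur):
            layers.append("marshal-code-object")
            break
        if cur[:1] == b"\x78":            # zlib (RFC 1950) stream header, CMF byte
            try:
                cur = zlib.decompress(cur)
                layers.append("zlib")
                continue
            except zlib.error:
                pass
        runs = B64_RUN_RE.findall(cur)
        if runs:
            try:
                cur = base64.b64decode(max(runs, key=len), validate=True)
                layers.append("base64")
                continue
            except (binascii.Error, ValueError):
                pass
        break                               # no further reversible layer found
    return layers, cur


def triage(blob: bytes) -> dict:
    """Summarise one sample the way an analyst's first-pass script would."""
    layers, inner = peel_layers(blob)
    return {
        "size": len(blob),
        "loader_pattern": looks_like_stacked_loader(blob),
        "layers": layers,
        "ends_in_code_object": bool(layers) and layers[-1] == "marshal-code-object",
        "inner_size": len(inner),
    }


def build_constructed_sample() -> bytes:
    """Constructed stand-in for a stacked loader; the inner code only prints."""
    code = compile("print('constructed sample')", "<constructed>", "exec")
    inner = marshal.dumps(code)
    wrapped = base64.b64encode(zlib.compress(inner))
    return b"exec(marshal.loads(zlib.decompress(base64.b64decode(b'" + wrapped + b"'))))"


if __name__ == "__main__":
    print(triage(build_constructed_sample()))
```

The marshal check deliberately looks at more than the leading type byte: plain source text such as `class Foo:` also starts with 0x63, so the zero high bytes of co_argcount are what separate a real code object from ordinary script text.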
The second stage is a compact, 2 KB stager. This stager is equipped with anti-virtual machine detection capabilities. It scans environment variables for indicators associated with VirtualBox and examines running processes for virtualization software like VMware, Hyper-V, and XenServer. If the environment is deemed to be a legitimate user system and not a laboratory analysis environment, the stager proceeds to download the final payload.
The final payload is a 123 KB Remote Access Trojan (RAT). This RAT establishes encrypted HTTP communications with the command server and has the ability to download and load additional surveillance modules dynamically, based on the attacker’s directives.
Discovery and Operational Scope
Hunt.io analysts identified the exposed BYOB command and control infrastructure during proactive threat hunting operations utilizing their AttackCapture tooling. The detection occurred when their systems identified the characteristic pattern of an open directory on the active C2 server. According to analysis of the captured samples, the framework had been operational since at least March 2024, indicating a sustained campaign lasting approximately ten months.
The infrastructure exhibits deliberate geographic diversification, with command and control nodes distributed across Singapore, Panama, and multiple locations within the United States. This distribution suggests a well-organized and resourced threat actor group behind the deployment.
Cross-Platform Persistence Mechanisms
The BYOB framework demonstrates concerning cross-platform capabilities, making it a versatile threat in mixed computing environments. It implements seven distinct persistence mechanisms, tailored specifically for each operating system to ensure the malware remains active after reboots and attempted cleanup operations.
On Windows systems, persistence is achieved through several methods. These include creating registry run keys disguised as “Java-Update-Manager,” placing URL shortcut files within the startup folder, establishing scheduled tasks that execute hourly, and deploying Windows Management Instrumentation (WMI) subscriptions for event-triggered execution. For Linux systems, persistence is maintained via malicious crontab entries.
macOS devices are infected using LaunchAgent property list files, which are configured to execute automatically upon user login. The combination of these redundant persistence methods significantly complicates the removal of the malware and increases the likelihood that at least one mechanism will evade detection.
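To make that inventory of persistence methods actionable for a responder, here is an added example that is not tooling from Hunt.io or from the BYOB project: it takes an artifact inventory that a collection script or EDR export would already have gathered (Run keys, Startup folder entries, scheduled tasks, WMI subscriptions, crontab lines, LaunchAgent plists) and returns the entries that match the behaviours described above. The inventory, the field names and the heuristics are this example's own constructions. The one fact it relies on beyond the text is that the legitimate Java updater registers as "SunJavaUpdateSched" pointing at jusched.exe, so a Java-update lookalike that points anywhere else is the signal, not the name alone.

```python
"""Triage collected persistence artifacts for the mechanisms described above.

Added example, not Hunt.io's or BYOB's code. Inventory shape and heuristics
are this example's own; a real run would feed it collector output instead.
"""
import re

JAVA_LURE_RE = re.compile(r"java[-_ ]?update", re.I)
LEGIT_JAVA_UPDATER = "jusched.exe"
PY_RE = re.compile(r"\b(pythonw?(3(\.\d+)?)?)(\.exe)?\b", re.I)
WRITABLE_RE = re.compile(r"(\\AppData\\|\\Temp\\|\\Users\\[^\\]+\\|/tmp/|/var/tmp/|/Users/[^/]+/)", re.I)
NET_RE = re.compile(r"https?://|\bcurl\b|\bwget\b", re.I)


def command_reasons(cmd: str) -> list:
    """Why a command line itself is suspicious, independent of where it lives."""
    reasons = []
    if PY_RE.search(cmd):
        reasons.append("launches a Python interpreter")
    if WRITABLE_RE.search(cmd):
        reasons.append("runs from a user-writable path")
    if NET_RE.search(cmd):
        reasons.append("pulls content over the network")
    return reasons


def hunt_persistence(inv: dict) -> list:
    findings = []

    def add(os_name, mechanism, detail, reasons):
        if reasons:
            findings.append({"os": os_name, "mechanism": mechanism,
                             "detail": detail, "reasons": reasons})

    # Windows Run keys: a Java-update lookalike name that does not point at jusched.exe
    for k in inv.get("win_run_keys", []):
        reasons = command_reasons(k["command"])
        if JAVA_LURE_RE.search(k["name"]) and LEGIT_JAVA_UPDATER not in k["command"].lower():
            reasons.append("Java-update lookalike name not pointing at jusched.exe")
        add("windows", "registry-run-key", f'{k["name"]} -> {k["command"]}', reasons)

    # Windows Startup folder: .url shortcuts are rare there in normal use
    for f in inv.get("win_startup_files", []):
        reasons = command_reasons(f.get("target", ""))
        if f["name"].lower().endswith(".url"):
            reasons.append(".url shortcut in Startup folder")
        add("windows", "startup-folder", f["name"], reasons)

    # Windows scheduled tasks: suspicious command that repeats hourly or faster
    for t in inv.get("win_scheduled_tasks", []):
        reasons = command_reasons(t["action"])
        if reasons and 0 < t.get("repeat_minutes", 0) <= 60:
            reasons.append(f'repeats every {t["repeat_minutes"]} min')
        add("windows", "scheduled-task", t["name"], reasons)

    # Windows WMI: any CommandLineEventConsumer bound to a filter deserves review
    for s in inv.get("wmi_subscriptions", []):
        reasons = command_reasons(s["consumer_command"])
        if s["consumer_class"] == "CommandLineEventConsumer":
            reasons.append("CommandLineEventConsumer bound to an event filter")
        add("windows", "wmi-subscription", s["filter_name"], reasons)

    # Linux crontab lines (comments and blanks skipped)
    for line in inv.get("crontab_lines", []):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        reasons = command_reasons(line)
        if reasons and line.startswith("@reboot"):
            reasons.append("runs at boot")
        add("linux", "crontab", line, reasons)

    # macOS LaunchAgents that start a suspicious command at login
    for a in inv.get("launch_agents", []):
        plist = a["plist"]
        reasons = command_reasons(" ".join(plist.get("ProgramArguments", [])))
        if reasons and plist.get("RunAtLoad"):
            reasons.append("RunAtLoad set (runs at login)")
        add("macos", "launch-agent", a["path"], reasons)

    return findings


# Constructed inventory in the shape a collection script would hand over.
SAMPLE_INVENTORY = {
    "win_run_keys": [
        {"name": "SunJavaUpdateSched",
         "command": r"C:\Program Files\Common Files\Java\Java Update\jusched.exe"},
        {"name": "Java-Update-Manager",
         "command": r"C:\Users\alice\AppData\Roaming\pythonw.exe C:\Users\alice\AppData\Roaming\svc.py"},
    ],
    "win_startup_files": [
        {"name": "Java-Update-Manager.url", "target": r"C:\Users\alice\AppData\Roaming\svc.py"},
        {"name": "desktop.ini", "target": ""},
    ],
    "win_scheduled_tasks": [
        {"name": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
         "action": r"%windir%\system32\defrag.exe -c -h -o -$", "repeat_minutes": 0},
        {"name": "Java-Update-Manager",
         "action": r"C:\Users\alice\AppData\Roaming\pythonw.exe svc.py", "repeat_minutes": 60},
    ],
    "wmi_subscriptions": [
        {"filter_name": "Java-Update-Filter", "consumer_class": "CommandLineEventConsumer",
         "consumer_command": r"pythonw.exe C:\Users\alice\AppData\Roaming\svc.py"},
    ],
    "crontab_lines": ["# m h dom mon dow command",
                      "0 3 * * * /usr/bin/certbot renew --quiet",
                      "@reboot python3 /tmp/.svc/client.py"],
    "launch_agents": [
        {"path": "/Users/alice/Library/LaunchAgents/com.java.update.plist",
         "plist": {"Label": "com.java.update", "RunAtLoad": True,
                   "ProgramArguments": ["/usr/bin/python3", "/Users/alice/Library/.svc/client.py"]}},
    ],
}

if __name__ == "__main__":
    for finding in hunt_persistence(SAMPLE_INVENTORY):
        print(finding)
```

Run against the constructed inventory, it reports one finding per mechanism (six in total) and leaves the genuine Java updater, the defrag task, desktop.ini and the certbot cron line alone; the "repeats hourly", "@reboot" and "RunAtLoad" annotations are only attached when the command itself already looks wrong, so ordinary scheduled maintenance does not drown the list.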
Post-Exploitation Surveillance Capabilities
Beyond establishing initial access and maintaining persistence, the BYOB RAT payload delivers extensive surveillance capabilities through modular components that can be deployed as needed. The keylogger module captures all keystrokes, recording the active window name to provide context, which is crucial for identifying sensitive data entered into specific applications.
The packet sniffer module utilizes raw sockets to intercept network traffic at the IP layer, parsing headers to extract vital information such as source and destination addresses, protocol details, and payload data. This can reveal credentials transmitted in cleartext or internal network communications.
One of the most concerning capabilities is the Outlook email harvesting module. This module leverages Windows COM automation to programmatically access Microsoft Outlook without requiring direct authentication. By connecting to an existing, authenticated Outlook session, the malware can search inbox contents, extract emails based on specific keywords, and enumerate message counts before performing full extraction operations. This capability is particularly dangerous in corporate environments where sensitive business and financial information is often communicated via email.
The framework also includes process manipulation functions that allow attackers to terminate security software, enumerate running applications, and actively block protective tools like Task Manager from being launched, thereby reducing the chances of detection by system administrators.
Infrastructure and Monetization Strategy
Analysis of the BYOB command and control infrastructure revealed additional concerning details regarding the campaign’s scope and potential monetization strategies. Two of the five identified C2 nodes were found hosting XMRig cryptocurrency mining software alongside the BYOB framework. This indicates a dual-purpose infrastructure designed to generate passive revenue through cryptojacking while simultaneously maintaining remote access capabilities.
Pairing a remote access toolkit with cryptocurrency mining suggests financially motivated threat actors seeking multiple revenue streams from compromised systems. The presence of an exposed RDP port on the primary server, active since December 2023, coupled with an unusual configuration involving multiple simultaneous web servers running on different ports, strongly points towards dedicated attack infrastructure rather than legitimate business operations.
The ongoing operation of this BYOB framework, discovered through exposed infrastructure, underscores the persistent threat of sophisticated remote access tools. Organizations should remain vigilant by implementing robust security measures, including up-to-date threat intelligence, endpoint detection and response (EDR) solutions, and regular security awareness training for employees to mitigate the risks associated with such advanced malware campaigns.