1 comment

[ 2.7 ms ] story [ 12.5 ms ] thread
The part that surprised me most when decoding it: there's no hardcoded C2 URL anywhere in the file. It fetches the last outgoing transaction from a TRON wallet and uses the raw_data field as an XOR key to decrypt what it actually runs. Static analysis gets you the wallet address but nothing else — what the malware does changes whenever the attacker sends a new transaction.