{"id":27454,"date":"2023-12-18T03:34:13","date_gmt":"2023-12-18T03:34:13","guid":{"rendered":"https:\/\/nsfocusglobal.com\/?p=27454"},"modified":"2026-04-17T18:07:39","modified_gmt":"2026-04-17T18:07:39","slug":"xorbot-a-stealthy-botnet-family-that-defies-detection","status":"publish","type":"post","link":"https:\/\/nsfocusglobal.com\/pt-br\/xorbot-a-stealthy-botnet-family-that-defies-detection\/","title":{"rendered":"xorbot: A Stealthy Botnet Family That Defies Detection"},"content":{"rendered":"<!DOCTYPE html PUBLIC \"-\/\/W3C\/\/DTD HTML 4.0 Transitional\/\/EN\" \"http:\/\/www.w3.org\/TR\/REC-html40\/loose.dtd\">\n<html><body><h2 class=\"wp-block-heading\">I.&nbsp;Background of xorbot<\/h2>\n\n\n\n<p>In November 2023, the NSFOCUS Global Threat Hunting System detected that a type of ELF file was being widely distributed, accompanied by a large volume of suspected encrypted outbound communication traffic. However, the detection rate of mainstream antivirus engines on this file was close to zero, which aroused our curiosity. After further manual analysis, we identified a novel botnet family with strong stealth characteristics. Given that the family uses multiple rounds of XOR operations in its encryption and decryption algorithms, NSFOCUS Research Labs named the Trojan <strong>xorbot<\/strong>.<\/p>\n\n\n\n<p>Unlike the large number of botnet families developed as secondary modifications of open-source code, xorbot was built from scratch with a brand-new architecture. Its developers attached great importance to the concealment of the Trojan and even sacrificed propagation efficiency for a better concealment effect. The latest version of the Trojan added a large amount of garbage code on top of the initial version, which increased the file size by more than 30 times. 
On the traffic side, it also took painstaking efforts to randomly generate data sent during the initial online interaction stage, and introduced encryption and decryption algorithms to encrypt and store key information, thus invalidating the method of detecting character features in communication traffic.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">II. Sample Analysis of xorbot<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Version change<\/h3>\n\n\n\n<p>Shortly after the initial propagation version of xorbot, which first appeared in November 2023 with a file size around 30 KB, NSFOCUS Global Threat Hunting System detected another variant of the Trojan that soared nearly 30-fold to close to 1200 KB.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><a href=\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/12\/1-1.png\"><img fetchpriority=\"high\" decoding=\"async\" width=\"752\" height=\"80\" src=\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/12\/1-1.png\" alt=\"Red circular no entry sign with a white horizontal bar.\" class=\"wp-image-27455\" srcset=\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/12\/1-1.png 752w, https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/12\/1-1-300x32.png 300w, https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/12\/1-1-600x64.png 600w, https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/12\/1-1-200x21.png 200w\" sizes=\"(max-width: 752px) 100vw, 752px\" \/><\/a><figcaption class=\"wp-element-caption\">Figure 1 Comparison of file sizes in different versions of xorbot<\/figcaption><\/figure>\n<\/div>\n\n\n<p><\/p>\n\n\n\n<p>Through further analysis, we confirm that the xorbot Trojan communicates in the new version by introducing _libc_connect() and _libc_recv() series functions of the libc library, but the core function modules remain unchanged.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><a 
href=\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/12\/2-1.png\"><img decoding=\"async\" width=\"485\" height=\"517\" src=\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/12\/2-1.png\" alt=\"Red circular no entry sign with a white horizontal bar.\" class=\"wp-image-27457\" srcset=\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/12\/2-1.png 485w, https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/12\/2-1-281x300.png 281w, https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/12\/2-1-200x213.png 200w\" sizes=\"(max-width: 485px) 100vw, 485px\" \/><\/a><figcaption class=\"wp-element-caption\">Figure 2 xorbot core function module<\/figcaption><\/figure>\n<\/div>\n\n\n<p><\/p>\n\n\n\n<p>The Trojan developers have added a large amount of junk code to mask the malicious branches, which brings the current antivirus engine detection rate close to zero. Although junk code inflates the file and reduces its propagation efficiency, the added code looks benign, thus enhancing the stealth of the Trojan. In recent years, more and more attack groups have mastered independent communication tools, which makes the spread of Trojan horses controllable to some extent. Building a brand-new botnet Trojan architecture takes a certain amount of time. 
Under these circumstances, attackers pay more attention to the concealment of their Trojans.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><a href=\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/12\/3-1.png\"><img decoding=\"async\" src=\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/12\/3-1.png\" alt=\"Red circular no entry sign with a white horizontal bar.\" class=\"wp-image-27459\" width=\"701\" height=\"384\" srcset=\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/12\/3-1.png 1011w, https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/12\/3-1-300x164.png 300w, https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/12\/3-1-768x421.png 768w, https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/12\/3-1-600x329.png 600w, https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/12\/3-1-200x110.png 200w\" sizes=\"(max-width: 701px) 100vw, 701px\" \/><\/a><figcaption class=\"wp-element-caption\">Figure 3 Comparison of string tables between new and old versions of xorbot<\/figcaption><\/figure>\n<\/div>\n\n\n<p><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Encryption and decryption algorithms<\/h3>\n\n\n\n<p>The xorbot developers use a set of encryption and decryption algorithms borrowed from the Mirai source code. When interacting with the C&amp;C server, the bot encrypts the data to be sent before sending it. 
After receiving the command from the server, it will also be decrypted by this algorithm before use.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><a href=\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/12\/4-1.png\"><img loading=\"lazy\" decoding=\"async\" width=\"498\" height=\"211\" src=\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/12\/4-1.png\" alt=\"Red circular no entry sign with a white horizontal bar.\" class=\"wp-image-27461\" srcset=\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/12\/4-1.png 498w, https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/12\/4-1-300x127.png 300w, https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/12\/4-1-200x85.png 200w\" sizes=\"(max-width: 498px) 100vw, 498px\" \/><\/a><figcaption class=\"wp-element-caption\">Figure 4 Decrypt data received<\/figcaption><\/figure>\n<\/div>\n\n\n<p><\/p>\n\n\n\n<p>In addition, some sensitive string information in the file is also stored in encryption mode, which needs to be decrypted by this algorithm before use. 
In addition, many junk codes that will not be used are embedded in the Trojan, which also makes the strings in the file look normal and reduces the probability of exposure.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><a href=\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/12\/5-1.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/12\/5-1.png\" alt=\"Red circular no entry sign with a white horizontal bar.\" class=\"wp-image-27463\" width=\"536\" height=\"108\" srcset=\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/12\/5-1.png 536w, https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/12\/5-1-300x60.png 300w, https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/12\/5-1-200x40.png 200w\" sizes=\"(max-width: 536px) 100vw, 536px\" \/><\/a><figcaption class=\"wp-element-caption\">Figure 5 Decrypt sensitive string information<\/figcaption><\/figure>\n<\/div>\n\n\n<p><\/p>\n\n\n\n<p>The encryption and decryption algorithm is implemented by multiple exclusive OR operations. Take decryption as an example. During decryption, the data to be decrypted is taken out byte by byte, and then the table_key (0x89F16) hard-coded in the file is split into 4 bytes (0x16, 0x9F, 0x08, 0x00), followed by multiple rounds of exclusive OR operations. Finally, the decryption result is obtained after splicing. 
In this version, the net effect is equivalent to XORing every byte with the single value 0x81, because the four key bytes combine to 0x16 ^ 0x9F ^ 0x08 ^ 0x00 = 0x81.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><a href=\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/12\/6-1.png\"><img loading=\"lazy\" decoding=\"async\" width=\"556\" height=\"254\" src=\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/12\/6-1.png\" alt=\"Red circular no entry sign with a white horizontal bar.\" class=\"wp-image-27465\" srcset=\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/12\/6-1.png 556w, https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/12\/6-1-300x137.png 300w, https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/12\/6-1-200x91.png 200w\" sizes=\"(max-width: 556px) 100vw, 556px\" \/><\/a><figcaption class=\"wp-element-caption\">Figure 6 Decryption process<\/figcaption><\/figure>\n<\/div>\n\n\n<p><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Persistence<\/h3>\n\n\n\n<p>Xorbot maintains persistence by adding a crontab entry. 
The character information involved is encrypted and stored, and written after being decrypted during Trojan running.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><a href=\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/12\/7-1.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/12\/7-1.png\" alt=\"Red circular no entry sign with a white horizontal bar.\" class=\"wp-image-27467\" width=\"768\" height=\"255\" srcset=\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/12\/7-1.png 862w, https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/12\/7-1-300x100.png 300w, https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/12\/7-1-768x256.png 768w, https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/12\/7-1-600x200.png 600w, https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/12\/7-1-200x67.png 200w\" sizes=\"(max-width: 768px) 100vw, 768px\" \/><\/a><figcaption class=\"wp-element-caption\">Figure 7 Add scheduled task<\/figcaption><\/figure>\n<\/div>\n\n\n<p><\/p>\n\n\n\n<p>It also better hides itself by disguising the malicious file name as &#8220;ld-unixdev.so.6&#8221; (similar in name to a system dynamic library).<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><a href=\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/12\/8-1.png\"><img loading=\"lazy\" decoding=\"async\" width=\"759\" height=\"81\" src=\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/12\/8-1.png\" alt=\"Red circular no entry sign with a white horizontal bar.\" class=\"wp-image-27469\" srcset=\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/12\/8-1.png 759w, https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/12\/8-1-300x32.png 300w, https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/12\/8-1-600x64.png 600w, https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/12\/8-1-200x21.png 200w\" 
sizes=\"(max-width: 759px) 100vw, 759px\" \/><\/a><figcaption class=\"wp-element-caption\">Figure 8 Rename to ld-unixdev.so.6<\/figcaption><\/figure>\n<\/div>\n\n\n<p><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Communication and C&amp;C Instructions<\/h3>\n\n\n\n<p>Unlike most traditional botnet families, xorbot is not eager to actively send packets after establishing a connection with the server, but passively waits for a reply from the server. The data sent by the server for the first time is randomly generated.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><a href=\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/12\/9-1.png\"><img loading=\"lazy\" decoding=\"async\" width=\"672\" height=\"75\" src=\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/12\/9-1.png\" alt=\"Red circular no entry sign with a white horizontal bar.\" class=\"wp-image-27471\" srcset=\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/12\/9-1.png 672w, https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/12\/9-1-300x33.png 300w, https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/12\/9-1-600x67.png 600w, https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/12\/9-1-200x22.png 200w\" sizes=\"(max-width: 672px) 100vw, 672px\" \/><\/a><figcaption class=\"wp-element-caption\">Figure 9 Data returned by server<\/figcaption><\/figure>\n<\/div>\n\n\n<p><\/p>\n\n\n\n<p>After receiving the data returned by the server, xorbot will decrypt it first and then divide the decrypted string into multiple substrings with space as a separator. Usually, the packet length returned by the server in the first round is 0x62, 0x68, 0xAC or 0x40. The data obtained after decryption does not have spaces and only has a string. 
Then, the controlled terminal will generate a random string of indefinite length and feed it back to the server, and continuous interaction is required to maintain the connection until an attack instruction is received.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><a href=\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/12\/10-1.png\"><img loading=\"lazy\" decoding=\"async\" width=\"701\" height=\"76\" src=\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/12\/10-1.png\" alt=\"Red circular no entry sign with a white horizontal bar.\" class=\"wp-image-27473\" srcset=\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/12\/10-1.png 701w, https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/12\/10-1-300x33.png 300w, https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/12\/10-1-600x65.png 600w, https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/12\/10-1-200x22.png 200w\" sizes=\"(max-width: 701px) 100vw, 701px\" \/><\/a><figcaption class=\"wp-element-caption\">Figure 10 Generate random string<\/figcaption><\/figure>\n<\/div>\n\n\n<p><\/p>\n\n\n\n<p>The interaction process is as follows:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><a href=\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/12\/11.jpg\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"535\" src=\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/12\/11-1024x535.jpg\" alt=\"Red circular no entry sign with a white horizontal bar.\" class=\"wp-image-27479\" srcset=\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/12\/11-1024x535.jpg 1024w, https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/12\/11-300x157.jpg 300w, https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/12\/11-768x401.jpg 768w, https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/12\/11-600x313.jpg 600w, https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/12\/11-200x104.jpg 200w, 
https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/12\/11.jpg 1195w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/a><figcaption class=\"wp-element-caption\">Figure 11 Interaction process<\/figcaption><\/figure>\n<\/div>\n\n\n<p><\/p>\n\n\n\n<p>When the length of the packet received by the bot is 0x5B, the bot either exits or uploads system data, depending on the received content; the collected system information is organized in JSON format and then encrypted for transmission.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><a href=\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/12\/12-1.png\"><img loading=\"lazy\" decoding=\"async\" width=\"765\" height=\"124\" src=\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/12\/12-1.png\" alt=\"Red circular no entry sign with a white horizontal bar.\" class=\"wp-image-27481\" srcset=\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/12\/12-1.png 765w, https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/12\/12-1-300x49.png 300w, https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/12\/12-1-600x97.png 600w, https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/12\/12-1-200x32.png 200w\" sizes=\"(max-width: 765px) 100vw, 765px\" \/><\/a><figcaption class=\"wp-element-caption\">Figure 12 Collected system information<\/figcaption><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>In the other case, the Trojan launches DDoS attacks in different ways according to the number of space-separated substrings in the received data and the length of the first substring. 
The DDoS attack methods supported by the current version are as follows:<\/p>\n\n\n\n<p class=\"has-text-align-center\">Table 1 DDoS attack modes supported by xorbot<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td>GRE_F<\/td><td>gre_flood<\/td><\/tr><tr><td>UDP_F<\/td><td>udp_flood<\/td><\/tr><tr><td>tcphandshake<\/td><td>tcp_flood<\/td><\/tr><tr><td>TCP_SYNF<\/td><td>syn_flood<\/td><\/tr><tr><td>TCP_ACKF<\/td><td>ack_flood<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>Each DDoS instruction consists of a fixed-length random string and target information separated by spaces. Monitoring data show that xorbot is in the early stage of development, and its primary purpose is still to obtain enough bots. Its controllers are more inclined to use gre_flood and TCP_flood to launch DDoS attacks on targets. The attack targets are mainly selected from European and United States countries.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/12\/40.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"306\" src=\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/12\/40-1024x306.png\" alt=\"Red circular no entry sign with a white horizontal bar.\" class=\"wp-image-27483\" srcset=\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/12\/40-1024x306.png 1024w, https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/12\/40-300x90.png 300w, https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/12\/40-768x229.png 768w, https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/12\/40-600x179.png 600w, https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/12\/40-200x60.png 200w, https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/12\/40.png 1277w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/a><figcaption class=\"wp-element-caption\">Figure 13 Commands issued by xorbot<\/figcaption><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>Compared with the traditional 
botnet families, xorbot is unique in the design of its communication flow and instruction format. Although it does not use strong concealment such as tunneling or a Tor proxy, its developers appear to understand well how botnets are monitored and traced, and every detail of its design creates obstacles to instruction tracing. On the one hand, encrypted instructions make the Trojan's communication traffic highly concealed; on the other hand, sending check-in (online) packets passively and generating check-in data of random, variable length also make it difficult for analysts to extract traffic signatures based on character patterns.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">III.&nbsp;Conclusion<\/h2>\n\n\n\n<p>Xorbot is a fast-growing new botnet family. The current version covers various CPU architectures such as x86, MIPS, Renesas SH and ARM. Although the current version of this Trojan has no built-in propagation module, the countermeasures shown by the malicious samples and the huge scale of their propagation make it easy to infer that a professional attack group, very likely equipped with its own propagation tools, is behind it. In addition, the attacker pays great attention to the concealment of the malicious samples and adopts many technical means to give the Trojan a high degree of concealment on both the file side and the traffic side. 
By the time of publication, the detection rate of mainstream antivirus engines on the Trojan is still close to 0, which is worthy of our vigilance.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">IV.&nbsp;IOC<\/h2>\n\n\n\n<p>203.55.81.214<\/p>\n\n\n\n<p>073202212CCF6A58EBC04E33D5B90833<\/p>\n\n\n\n<p>598E8D8D2AEBA46DDBD9155480FEA972<\/p>\n<\/body><\/html>\n","protected":false},"excerpt":{"rendered":"<p>I.&nbsp;Background of xorbot In November 2023, NSFOCUS Global Threat Hunting System detected that a type of elf file was being widely distributed and accompanied by a large amount of suspected encrypted outbound communication traffic. However, the detection rate of mainstream antivirus engines on this file was close to zero, which aroused our curiosity. After further [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":27487,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_coblocks_attr":"","_coblocks_dimensions":"","_coblocks_responsive_height":"","_coblocks_accordion_ie_support":"","footnotes":""},"categories":[3],"tags":[118],"class_list":["post-27454","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","tag-botnet"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>xorbot: A Stealthy Botnet Family That Defies Detection - NSFOCUS<\/title>\n<meta name=\"description\" content=\"NSFOCUS identifies xorbot, a stealthy botnet with a near-zero detection rate. 
Explore its advanced concealment strategies.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/nsfocusglobal.com\/xorbot-a-stealthy-botnet-family-that-defies-detection\/\" \/>\n<meta property=\"og:locale\" content=\"pt_BR\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"xorbot: A Stealthy Botnet Family That Defies Detection - NSFOCUS\" \/>\n<meta property=\"og:description\" content=\"NSFOCUS identifies xorbot, a stealthy botnet with a near-zero detection rate. Explore its advanced concealment strategies.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/nsfocusglobal.com\/xorbot-a-stealthy-botnet-family-that-defies-detection\/\" \/>\n<meta property=\"og:site_name\" content=\"NSFOCUS\" \/>\n<meta property=\"article:published_time\" content=\"2023-12-18T03:34:13+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-04-17T18:07:39+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/12\/xorbot.jpg\" \/>\n<meta name=\"author\" content=\"NSFOCUS\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:title\" content=\"xorbot: A Stealthy Botnet Family That Defies Detection - NSFOCUS\" \/>\n<meta name=\"twitter:description\" content=\"NSFOCUS identifies xorbot, a stealthy botnet with a near-zero detection rate. Explore its advanced concealment strategies.\" \/>\n<meta name=\"twitter:image\" content=\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/12\/xorbot.jpg\" \/>\n<meta name=\"twitter:label1\" content=\"Escrito por\" \/>\n\t<meta name=\"twitter:data1\" content=\"NSFOCUS\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
tempo de leitura\" \/>\n\t<meta name=\"twitter:data2\" content=\"9 minutos\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/xorbot-a-stealthy-botnet-family-that-defies-detection\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/xorbot-a-stealthy-botnet-family-that-defies-detection\\\/\"},\"author\":{\"name\":\"NSFOCUS\",\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/#\\\/schema\\\/person\\\/fd9ab61c9c77a81bbd870f725cc0c61d\"},\"headline\":\"xorbot: A Stealthy Botnet Family That Defies Detection\",\"datePublished\":\"2023-12-18T03:34:13+00:00\",\"dateModified\":\"2026-04-17T18:07:39+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/xorbot-a-stealthy-botnet-family-that-defies-detection\\\/\"},\"wordCount\":1269,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/xorbot-a-stealthy-botnet-family-that-defies-detection\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/nsfocusglobal.com\\\/wp-content\\\/uploads\\\/2023\\\/12\\\/xorbot.jpg\",\"keywords\":[\"Botnet\"],\"articleSection\":[\"Blog\"],\"inLanguage\":\"pt-BR\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/nsfocusglobal.com\\\/xorbot-a-stealthy-botnet-family-that-defies-detection\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/xorbot-a-stealthy-botnet-family-that-defies-detection\\\/\",\"url\":\"https:\\\/\\\/nsfocusglobal.com\\\/xorbot-a-stealthy-botnet-family-that-defies-detection\\\/\",\"name\":\"xorbot: A Stealthy Botnet Family That Defies Detection - 
NSFOCUS\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/xorbot-a-stealthy-botnet-family-that-defies-detection\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/xorbot-a-stealthy-botnet-family-that-defies-detection\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/nsfocusglobal.com\\\/wp-content\\\/uploads\\\/2023\\\/12\\\/xorbot.jpg\",\"datePublished\":\"2023-12-18T03:34:13+00:00\",\"dateModified\":\"2026-04-17T18:07:39+00:00\",\"description\":\"NSFOCUS identifies xorbot, a stealthy botnet with a near-zero detection rate. Explore its advanced concealment strategies.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/xorbot-a-stealthy-botnet-family-that-defies-detection\\\/#breadcrumb\"},\"inLanguage\":\"pt-BR\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/nsfocusglobal.com\\\/xorbot-a-stealthy-botnet-family-that-defies-detection\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"pt-BR\",\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/xorbot-a-stealthy-botnet-family-that-defies-detection\\\/#primaryimage\",\"url\":\"https:\\\/\\\/nsfocusglobal.com\\\/wp-content\\\/uploads\\\/2023\\\/12\\\/xorbot.jpg\",\"contentUrl\":\"https:\\\/\\\/nsfocusglobal.com\\\/wp-content\\\/uploads\\\/2023\\\/12\\\/xorbot.jpg\",\"width\":544,\"height\":252,\"caption\":\"Xorbot logo with digital blue background.\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/xorbot-a-stealthy-botnet-family-that-defies-detection\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/nsfocusglobal.com\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"xorbot: A Stealthy Botnet Family That Defies 
Detection\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/#website\",\"url\":\"https:\\\/\\\/nsfocusglobal.com\\\/\",\"name\":\"NSFOCUS\",\"description\":\"Security Made Smart and Simple\",\"publisher\":{\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/nsfocusglobal.com\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"pt-BR\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/#organization\",\"name\":\"NSFOCUS\",\"url\":\"https:\\\/\\\/nsfocusglobal.com\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"pt-BR\",\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/nsfocusglobal.com\\\/wp-content\\\/uploads\\\/2024\\\/08\\\/logo-ns.png\",\"contentUrl\":\"https:\\\/\\\/nsfocusglobal.com\\\/wp-content\\\/uploads\\\/2024\\\/08\\\/logo-ns.png\",\"width\":248,\"height\":36,\"caption\":\"NSFOCUS\"},\"image\":{\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/#\\\/schema\\\/person\\\/fd9ab61c9c77a81bbd870f725cc0c61d\",\"name\":\"NSFOCUS\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"pt-BR\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/d3dc987908fc59791d261b1006d84eb931d15287261476b9384e690ed0c568de?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/d3dc987908fc59791d261b1006d84eb931d15287261476b9384e690ed0c568de?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/d3dc987908fc59791d261b1006d84eb931d15287261476b9384e690ed0c568de?s=96&d=mm&r=g\",\"caption\":\"NSFOCUS\"},\"sameAs\":[\"https:\\\/\\\/nsfocusglobal.com\"],\"url\":\"https:\\\/\\\/nsfocusglobal.com\\
\/pt-br\\\/author\\\/admin\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"xorbot: A Stealthy Botnet Family That Defies Detection - NSFOCUS","description":"NSFOCUS identifies xorbot, a stealthy botnet with a near-zero detection rate. Explore its advanced concealment strategies.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/nsfocusglobal.com\/xorbot-a-stealthy-botnet-family-that-defies-detection\/","og_locale":"pt_BR","og_type":"article","og_title":"xorbot: A Stealthy Botnet Family That Defies Detection - NSFOCUS","og_description":"NSFOCUS identifies xorbot, a stealthy botnet with a near-zero detection rate. Explore its advanced concealment strategies.","og_url":"https:\/\/nsfocusglobal.com\/xorbot-a-stealthy-botnet-family-that-defies-detection\/","og_site_name":"NSFOCUS","article_published_time":"2023-12-18T03:34:13+00:00","article_modified_time":"2026-04-17T18:07:39+00:00","og_image":[{"url":"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/12\/xorbot.jpg","type":"","width":"","height":""}],"author":"NSFOCUS","twitter_card":"summary_large_image","twitter_title":"xorbot: A Stealthy Botnet Family That Defies Detection - NSFOCUS","twitter_description":"NSFOCUS identifies xorbot, a stealthy botnet with a near-zero detection rate. Explore its advanced concealment strategies.","twitter_image":"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/12\/xorbot.jpg","twitter_misc":{"Escrito por":"NSFOCUS","Est. 
tempo de leitura":"9 minutos"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/nsfocusglobal.com\/xorbot-a-stealthy-botnet-family-that-defies-detection\/#article","isPartOf":{"@id":"https:\/\/nsfocusglobal.com\/xorbot-a-stealthy-botnet-family-that-defies-detection\/"},"author":{"name":"NSFOCUS","@id":"https:\/\/nsfocusglobal.com\/#\/schema\/person\/fd9ab61c9c77a81bbd870f725cc0c61d"},"headline":"xorbot: A Stealthy Botnet Family That Defies Detection","datePublished":"2023-12-18T03:34:13+00:00","dateModified":"2026-04-17T18:07:39+00:00","mainEntityOfPage":{"@id":"https:\/\/nsfocusglobal.com\/xorbot-a-stealthy-botnet-family-that-defies-detection\/"},"wordCount":1269,"commentCount":0,"publisher":{"@id":"https:\/\/nsfocusglobal.com\/#organization"},"image":{"@id":"https:\/\/nsfocusglobal.com\/xorbot-a-stealthy-botnet-family-that-defies-detection\/#primaryimage"},"thumbnailUrl":"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/12\/xorbot.jpg","keywords":["Botnet"],"articleSection":["Blog"],"inLanguage":"pt-BR","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/nsfocusglobal.com\/xorbot-a-stealthy-botnet-family-that-defies-detection\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/nsfocusglobal.com\/xorbot-a-stealthy-botnet-family-that-defies-detection\/","url":"https:\/\/nsfocusglobal.com\/xorbot-a-stealthy-botnet-family-that-defies-detection\/","name":"xorbot: A Stealthy Botnet Family That Defies Detection - 
NSFOCUS","isPartOf":{"@id":"https:\/\/nsfocusglobal.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/nsfocusglobal.com\/xorbot-a-stealthy-botnet-family-that-defies-detection\/#primaryimage"},"image":{"@id":"https:\/\/nsfocusglobal.com\/xorbot-a-stealthy-botnet-family-that-defies-detection\/#primaryimage"},"thumbnailUrl":"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/12\/xorbot.jpg","datePublished":"2023-12-18T03:34:13+00:00","dateModified":"2026-04-17T18:07:39+00:00","description":"NSFOCUS identifies xorbot, a stealthy botnet with a near-zero detection rate. Explore its advanced concealment strategies.","breadcrumb":{"@id":"https:\/\/nsfocusglobal.com\/xorbot-a-stealthy-botnet-family-that-defies-detection\/#breadcrumb"},"inLanguage":"pt-BR","potentialAction":[{"@type":"ReadAction","target":["https:\/\/nsfocusglobal.com\/xorbot-a-stealthy-botnet-family-that-defies-detection\/"]}]},{"@type":"ImageObject","inLanguage":"pt-BR","@id":"https:\/\/nsfocusglobal.com\/xorbot-a-stealthy-botnet-family-that-defies-detection\/#primaryimage","url":"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/12\/xorbot.jpg","contentUrl":"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/12\/xorbot.jpg","width":544,"height":252,"caption":"Xorbot logo with digital blue background."},{"@type":"BreadcrumbList","@id":"https:\/\/nsfocusglobal.com\/xorbot-a-stealthy-botnet-family-that-defies-detection\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/nsfocusglobal.com\/"},{"@type":"ListItem","position":2,"name":"xorbot: A Stealthy Botnet Family That Defies Detection"}]},{"@type":"WebSite","@id":"https:\/\/nsfocusglobal.com\/#website","url":"https:\/\/nsfocusglobal.com\/","name":"NSFOCUS","description":"Security Made Smart and 
Simple","publisher":{"@id":"https:\/\/nsfocusglobal.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/nsfocusglobal.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"pt-BR"},{"@type":"Organization","@id":"https:\/\/nsfocusglobal.com\/#organization","name":"NSFOCUS","url":"https:\/\/nsfocusglobal.com\/","logo":{"@type":"ImageObject","inLanguage":"pt-BR","@id":"https:\/\/nsfocusglobal.com\/#\/schema\/logo\/image\/","url":"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2024\/08\/logo-ns.png","contentUrl":"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2024\/08\/logo-ns.png","width":248,"height":36,"caption":"NSFOCUS"},"image":{"@id":"https:\/\/nsfocusglobal.com\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/nsfocusglobal.com\/#\/schema\/person\/fd9ab61c9c77a81bbd870f725cc0c61d","name":"NSFOCUS","image":{"@type":"ImageObject","inLanguage":"pt-BR","@id":"https:\/\/secure.gravatar.com\/avatar\/d3dc987908fc59791d261b1006d84eb931d15287261476b9384e690ed0c568de?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/d3dc987908fc59791d261b1006d84eb931d15287261476b9384e690ed0c568de?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/d3dc987908fc59791d261b1006d84eb931d15287261476b9384e690ed0c568de?s=96&d=mm&r=g","caption":"NSFOCUS"},"sameAs":["https:\/\/nsfocusglobal.com"],"url":"https:\/\/nsfocusglobal.com\/pt-br\/author\/admin\/"}]}},"_links":{"self":[{"href":"https:\/\/nsfocusglobal.com\/pt-br\/wp-json\/wp\/v2\/posts\/27454","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nsfocusglobal.com\/pt-br\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nsfocusglobal.com\/pt-br\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nsfocusglobal.com\/pt-br\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href"
:"https:\/\/nsfocusglobal.com\/pt-br\/wp-json\/wp\/v2\/comments?post=27454"}],"version-history":[{"count":0,"href":"https:\/\/nsfocusglobal.com\/pt-br\/wp-json\/wp\/v2\/posts\/27454\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/nsfocusglobal.com\/pt-br\/wp-json\/wp\/v2\/media\/27487"}],"wp:attachment":[{"href":"https:\/\/nsfocusglobal.com\/pt-br\/wp-json\/wp\/v2\/media?parent=27454"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nsfocusglobal.com\/pt-br\/wp-json\/wp\/v2\/categories?post=27454"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nsfocusglobal.com\/pt-br\/wp-json\/wp\/v2\/tags?post=27454"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}