Friday 26 September 09:30 - 10:00, Green room
Chanbin Jeon, ChangGyun Kim & SeungBeom Lim (SANDS Lab)
In January 2025, we identified a previously unreported IoT bot named "x86", confirmed to be a variant of the Gafgyt (BASHLITE) family, which had infected over one million IoT devices. Upon execution, the bot connects to a command-and-control server in Germany and sends the message "Joined RebirthReborn As". Unlike typical variants, "x86" lacks propagation features and supports only six hard-coded commands, indicating a simplified operational model.
IoT botnet analysis is becoming harder because threat actors reuse code widely and make only minor modifications to evade detection. Manual analysis cannot keep pace with the growing number of variants, which highlights the need for automated techniques that track malware lineage and identify relationships between variants.
To meet this challenge, we introduce a hybrid automated analysis framework that combines function-level embedding-vector similarity with large language models (LLMs). Decompiled malware functions are transformed into embedding vectors, and the similarity between them is measured with cosine similarity and Euclidean distance. This enables efficient clustering, accurate variant detection and comprehensive malware genealogy tracking.
Using this technique, we analysed the lineage of "x86" and correlated it with contextual intelligence derived from open-source social channels commonly used by threat actors, including YouTube, Discord, Telegram, Instagram and Twitch. Our investigation revealed a clear evolution from the "qBot" variant, progressing through "Demon" and "Rebirth", to the current "Rebirth Reborn".
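The following is an added, constructed illustration of the function-level similarity pipeline described above (cosine and Euclidean comparison of per-function vectors, single-linkage clustering, and a genealogy walk); it is not the authors' code or data. Assumptions: a bag of token bigrams stands in for the learned code embedding, the LLM stage is not modelled, the C snippets are synthetic stand-ins for decompiled bot functions, and the sample names, the "miner" sample and every banner other than "Joined RebirthReborn As" are invented after the lineage named in the abstract.

```python
"""Function-level variant similarity (constructed example, not the talk's code)."""
import math
import re
from collections import Counter

# Assumption: string literals are single tokens, so a banner is one feature.
TOKEN_RE = re.compile(r'"[^"]*"|[A-Za-z_]\w*|\d+|==|!=|<=|>=|&&|\|\||->|\S')


def tokenize(src: str) -> list:
    """Lex decompiler-style C; numeric literals collapse to NUM so that ports,
    timeouts and buffer sizes do not dominate the comparison."""
    return ["NUM" if t.isdigit() else t for t in TOKEN_RE.findall(src)]


def embed(src: str) -> dict:
    """Sparse, L2-normalised bag of token bigrams: a stand-in for a code
    embedding model. Keys are (tok_i, tok_i+1) tuples."""
    toks = tokenize(src)
    feats = Counter(zip(toks, toks[1:]))
    norm = math.sqrt(sum(c * c for c in feats.values()))
    return {f: c / norm for f, c in feats.items()}


def cosine(a: dict, b: dict) -> float:
    """Dot product of unit vectors, i.e. cosine similarity."""
    return sum(v * b.get(k, 0.0) for k, v in a.items())


def euclid(a: dict, b: dict) -> float:
    """Euclidean distance; on unit vectors this equals sqrt(2 - 2*cosine)."""
    return math.sqrt(sum((a.get(k, 0.0) - b.get(k, 0.0)) ** 2 for k in a.keys() | b.keys()))


def connect_fn(banner: str) -> str:
    """Same C2 join routine for every variant; only the banner string changes."""
    return ('int connect_cnc(char *host, int port) { int fd = socket(2, 1, 0); '
            'if (connect(fd, host, port) < 0) return -1; '
            f'send(fd, "{banner}", 0); return fd; }}')


# Constructed function bodies (synthetic, not real malware source).
UDP = ('void attack_udp(char *ip, int port, int secs) { int fd = socket(2, 2, 0); '
       'time_t end = time(0) + secs; while (time(0) < end) sendto(fd, buf, 1024, 0, ip, port); }')
TCP = ('void attack_tcp(char *ip, int port, int secs) { time_t end = time(0) + secs; '
       'while (time(0) < end) { int fd = socket(2, 1, 0); connect(fd, ip, port); close(fd); } }')
SCAN = ('void scanner_telnet(void) { for (;;) { char *ip = random_ip(); int fd = socket(2, 1, 0); '
        'if (connect(fd, ip, 23) == 0) try_logins(fd); close(fd); } }')
KILL = 'void killer(void) { for (;;) { int pid = find_other_bot(); if (pid > 0) kill(pid, 9); sleep(10); } }'
HTTP = ('void attack_http(char *host, char *path, int secs) { time_t end = time(0) + secs; '
        'while (time(0) < end) { int fd = socket(2, 1, 0); connect(fd, host, 80); '
        'send(fd, "GET ", 0); send(fd, path, 0); close(fd); } }')
CFG = ('int parse_config(char *buf, struct cfg *out) { char *line = strtok(buf, "\\n"); '
       'while (line) { if (strncmp(line, "pool=", 5) == 0) out->pool = strdup(line + 5); '
       'line = strtok(NULL, "\\n"); } return 0; }')
MINE = 'void worker_loop(struct cfg *c) { for (;;) { job_t j = fetch_job(c); hash_job(&j); submit_share(c, &j); } }'

# Assumed samples: banners other than the x86 one are invented; "miner" is an unrelated family.
SAMPLES = {
    "qBot": [connect_fn("Joined qBot As"), UDP, TCP, SCAN],
    "Demon": [connect_fn("Joined Demon As"), UDP, TCP, SCAN, KILL],
    "Rebirth": [connect_fn("Joined Rebirth As"), UDP, TCP, KILL, HTTP],
    "x86": [connect_fn("Joined RebirthReborn As"), UDP, TCP, HTTP],  # no scanner: no propagation
    "miner": [CFG, MINE],
}
VECTORS = {name: [embed(f) for f in fns] for name, fns in SAMPLES.items()}


def coverage(query: str, candidate: str) -> float:
    """Mean over the query's functions of the best cosine match in the
    candidate: how much of the query's code the candidate explains."""
    return sum(max(cosine(q, c) for c in VECTORS[candidate]) for q in VECTORS[query]) / len(VECTORS[query])


def similarity(a: str, b: str) -> float:
    """Symmetric sample-level score used for clustering."""
    return (coverage(a, b) + coverage(b, a)) / 2


def nearest_variant(name: str) -> tuple:
    """Variant detection: the known sample that best explains an unknown one."""
    best = max((n for n in SAMPLES if n != name), key=lambda n: coverage(name, n))
    return best, coverage(name, best)


def cluster(threshold: float) -> list:
    """Single-linkage clustering: samples are linked when similarity >= threshold."""
    parent = {n: n for n in SAMPLES}

    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x

    names = list(SAMPLES)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if similarity(a, b) >= threshold:
                parent[find(a)] = find(b)
    groups = {}
    for n in names:
        groups.setdefault(find(n), set()).add(n)
    return list(groups.values())


def lineage_chain(root: str, members) -> list:
    """Genealogy as a greedy walk from the oldest member: each step moves to the
    unvisited member whose code best covers the current one."""
    chain, left = [root], set(members) - {root}
    while left:
        nxt = max(left, key=lambda m: coverage(chain[-1], m))
        chain.append(nxt)
        left.remove(nxt)
    return chain


if __name__ == "__main__":
    print("x86 nearest known variant:", nearest_variant("x86"))
    family = next(g for g in cluster(0.7) if "x86" in g)
    print("family cluster:", family)
    print("lineage:", " -> ".join(lineage_chain("qBot", family)))
```

The point worth checking by hand is the join routine: changing only the banner string moves its bigram vector by two features, so the cosine between the qBot and x86 versions stays close to 1, which is why per-function comparison survives the cosmetic edits that defeat whole-binary hashing. Dropping the scanner from "x86" lowers how well it covers Rebirth, but Rebirth still covers all of "x86", so the directional score assigns it correctly; in a real deployment `embed` would be replaced by a code-embedding model and the greedy walk by the LLM-assisted lineage reasoning the abstract describes.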
We named the threat actor group behind this lineage "CTX-5341", comprising actors such as "SelfRepNeTiS". CTX-5341 has operated through cooperative frameworks and reseller models. One member recently launched a standalone DDoS service, "Eternal Stresser", indicating further fragmentation.
Although "SelfRepNeTiS" reportedly exited the scene around 2022 after selling all related source code, the reappearance of Rebirth Reborn in late 2024 suggests renewed activity or third-party operators. Our framework proved highly effective in tracing this lineage. It can also be adapted to other malware families depending on the structure of the analysis dataset, making it a valuable tool for modern malware investigations.
Chanbin Jeon is a research engineer on the Threat Analysis Team at SANDS Lab, specializing in malware analysis and cyber threat intelligence. He began his career in intrusion response and network security at AhnLab's Computer Emergency Response Team (CERT), and has since expanded his expertise into behavioural malware analysis and intelligence generation. His current research focuses on malware analysis and threat intelligence development, with a strong interest in attacker attribution and threat profiling based on real-world incident cases.
ChangGyun Kim is a research engineer on the AI Tech & Development Team at SANDS Lab. He holds an M.Sc. in computing with a specialization in artificial intelligence and machine learning from Imperial College London. His current research focuses on leveraging large language models to enhance cybersecurity data analysis. He is passionate about applying cutting-edge technologies to the field of cybersecurity, with the aim of making meaningful contributions to society.
SeungBeom Lim is a research engineer on the AI Tech & Development Team at SANDS Lab. He holds an M.Sc. in AI / machine learning and information security from Hoseo University in South Korea. His current research focuses on solving cybersecurity challenges through AI technologies, utilizing both large language models (LLMs) and deep learning architectures. He primarily investigates threats in areas such as network security, botnet detection and ransomware analysis, aiming to apply advanced AI techniques to real-world security problems and make impactful contributions to the field.
Back to VB2025 conference page