Open Directory Leaks BYOB Framework on Windows, Linux,

David Kimber
January 29, 2026

An exposed open directory led threat researchers to uncover an actively serving command and control (C2) server hosting a complete deployment of the BYOB framework.

The server, located at IP address 38[.]255[.]43[.]60 on port 8081, was found distributing malicious payloads designed to establish persistent remote access across Windows, Linux, and macOS systems.

Hosted by Hyonix in the United States, the infrastructure contained a full collection of droppers, stagers, and post-exploitation modules that enable attackers to maintain control over compromised machines.

The framework is dangerous because its multi-stage infection chain is built to evade signature-based detection and sandbox analysis before the surveillance and remote-control capabilities are ever delivered.

The exposed directory revealed the complete architecture of the BYOB post-exploitation toolkit, which uses a three-stage infection process.

The first stage is a 359-byte dropper that wraps its payload in three layers, Base64 encoding, zlib compression and Python marshal serialization, so that the code exists in unpacked form only in memory and a signature-based scanner sees nothing recognizable on disk.

This dropper fetches the second stage, a 2 KB stager that performs anti-virtual machine checks by scanning environment variables for VirtualBox indicators and examining running processes for virtualization software like VMware, Hyper-V, and XenServer.

Once the environment is deemed safe, the stager retrieves the final payload, a 123 KB Remote Access Trojan that establishes encrypted HTTP communications with the command server and loads additional surveillance modules on demand.
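To make the three-stage layering concrete, here is an added example (my code, not the dropper recovered from the C2 server and not Hunt.io's tooling). It builds a benign stand-in with the same Base64/zlib/marshal wrapping and then peels it statically, recovering the code object and its string constants without ever calling exec. The inner stage, the placeholder URL and the helper names are assumptions for illustration.

```python
"""Static unwrapper for a Base64 -> zlib -> marshal dropper (added example).

build_sample_dropper() constructs a benign stand-in with the same layering; it
is NOT the file recovered from the C2 server. peel() undoes the layers without
executing anything, and extract_indicators() pulls strings and imported names
out of the recovered code object for triage.
"""
import base64
import marshal
import re
import types
import zlib

# Constructed inner stage. A real stager would fetch the next stage from here;
# the host name is a placeholder, not an indicator from the report.
INNER_STAGE = (
    "import urllib.request\n"
    "STAGE2_URL = 'http://c2.example.invalid:8081/stage2'\n"
)


def build_sample_dropper() -> bytes:
    """Wrap INNER_STAGE the way the dropper wraps its payload: compile to a
    code object, marshal it, zlib-compress, Base64-encode, then embed the
    result in a one-line exec() wrapper."""
    code = compile(INNER_STAGE, "<stage2>", "exec")
    blob = base64.b64encode(zlib.compress(marshal.dumps(code)))
    return (
        b"import base64,zlib,marshal\n"
        b"exec(marshal.loads(zlib.decompress(base64.b64decode("
        + repr(blob).encode() + b"))))\n"
    )


B64_RUN = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")   # long Base64 literal inside the wrapper


def peel(blob: bytes, max_layers: int = 10):
    """Strip layers until a marshalled code object appears. Returns
    (layers_applied, code_object_or_None). Nothing is executed."""
    layers, data = [], blob
    for _ in range(max_layers):
        if data[:1] == b"\x78":                    # zlib CMF byte: deflate, 32K window
            try:
                data = zlib.decompress(data)
                layers.append("zlib")
                continue
            except zlib.error:
                pass
        if data[:1] in (b"c", b"\xe3"):            # marshal TYPE_CODE, optionally with FLAG_REF
            try:
                obj = marshal.loads(data)          # deserialises only; the code is not run
            except (ValueError, EOFError, TypeError):
                obj = None
            if isinstance(obj, types.CodeType):
                layers.append("marshal")
                return layers, obj
        m = B64_RUN.search(data)
        if not m:
            break
        data = base64.b64decode(m.group(0))
        layers.append("base64")
    return layers, None


def extract_indicators(code: types.CodeType, found=None) -> dict:
    """Collect string constants and referenced names from a code object and
    every nested code object (functions, comprehensions)."""
    if found is None:
        found = {"strings": set(), "names": set()}
    found["names"].update(code.co_names)
    for const in code.co_consts:
        if isinstance(const, str) and const:
            found["strings"].add(const)
        elif isinstance(const, types.CodeType):
            extract_indicators(const, found)
    return found


if __name__ == "__main__":
    layers, code = peel(build_sample_dropper())
    print("layers:", " -> ".join(layers))
    if code is not None:
        ind = extract_indicators(code)
        print("names:  ", sorted(ind["names"]))
        print("strings:", sorted(ind["strings"]))
```

Two caveats when pointing this at a real sample: marshal.loads is itself a deserializer, so run it inside an isolated analysis VM rather than on an analyst workstation; and marshal's code-object format changes between CPython minor versions, so the unwrapper must run under the same interpreter version the dropper was built for or the final layer will fail to load.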

Hunt.io analysts identified the exposed infrastructure during proactive threat hunting operations using their AttackCapture tooling. The discovery occurred when their systems detected the characteristic open directory pattern on the active command and control server.

Analysis of the captured samples showed that the framework had been operational since at least March 2024, roughly ten months of sustained activity at the time of the analysis.

The infrastructure shows deliberate geographic diversification, with nodes distributed across Singapore, Panama, and multiple United States locations, suggesting organized planning and resource allocation by the threat actors behind the deployment.

Exposed BYOB C2 directory structure captured via AttackCapture (Source: Hunt.io)

BYOB's cross-platform support is what makes it dangerous in mixed environments: a single C2 can manage Windows, Linux and macOS victims with the same toolkit.

It implements seven different persistence mechanisms tailored to each operating system, ensuring the malware survives reboots and cleanup attempts.

On Windows systems, it creates registry Run keys disguised as “Java-Update-Manager,” places URL shortcut files in the Startup folder, establishes scheduled tasks that execute hourly, and deploys Windows Management Instrumentation (WMI) event subscriptions for event-triggered execution.

Linux systems are compromised through malicious crontab entries, while macOS devices are infected using LaunchAgent property list files that execute automatically during user login.

Dropper code implementing multi-layer obfuscation (byob_kxe.py) (Source - Hunt.io)

These redundant persistence methods significantly complicate removal efforts and increase the likelihood that at least one mechanism will remain undetected.
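The locations listed above are where a responder should look first. The following is an added example (my code, not Hunt.io's or BYOB's): an offline audit that takes exported artifacts, a dump of the HKCU Run key values, `crontab -l` output and LaunchAgent plists, and flags entries that combine an updater-style name, a script interpreter and a user-writable path. The sample artifacts and the command lines are constructed; only the “Java-Update-Manager” value name comes from the report. Scheduled tasks and WMI subscriptions are not covered here because their exports (XML and MOF) need their own parsers.

```python
"""Offline audit of Run-key, crontab and LaunchAgent persistence (added example).

Artifacts are passed in as text/bytes so the checks run against exports
collected from a host; every sample below is constructed.
"""
import plistlib
import re
from dataclasses import dataclass

# Heuristics: a persistence entry that (1) mimics a vendor updater, (2) launches a
# script interpreter, or (3) runs from a user-writable location. Two or more
# together are worth a look; any one alone is common in benign software.
DISGUISE = re.compile(r"(java|adobe|apple|google|microsoft|windows)[\w.-]*update", re.I)
INTERPRETER = re.compile(
    r"\b(python(w|3)?(\.exe)?|wscript|cscript|powershell|mshta|bash|sh|curl|wget)\b", re.I)
USER_WRITABLE = re.compile(
    r"(\\AppData\\|\\Temp\\|%(TEMP|APPDATA)%|/tmp/|/var/tmp/|/home/[^/]+/\.|/Users/[^/]+/(Library/)?\.)",
    re.I)


@dataclass(frozen=True)
class Finding:
    source: str      # which persistence store the entry came from
    name: str        # Run-key value name, cron schedule, or LaunchAgent label
    command: str
    reasons: tuple


def assess(source, name, command, extra=()):
    """Score one entry; return a Finding when two or more heuristics fire."""
    reasons = list(extra)
    if DISGUISE.search(name):
        reasons.append("vendor-updater lookalike name")
    if INTERPRETER.search(command):
        reasons.append("launches a script interpreter")
    if USER_WRITABLE.search(command):
        reasons.append("runs from a user-writable path")
    return Finding(source, name, command, tuple(reasons)) if len(reasons) >= 2 else None


def audit_run_keys(values):
    """values: {value_name: command} exported from HKCU\\...\\CurrentVersion\\Run."""
    return [f for n, c in values.items() if (f := assess("registry Run", n, c))]


def audit_crontab(text):
    """text: output of `crontab -l`. Handles both 5-field and @reboot-style lines."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):
            sched, cmd = line.split(None, 1)
        else:
            fields = line.split(None, 5)
            if len(fields) < 6:
                continue
            sched, cmd = " ".join(fields[:5]), fields[5]
        extra = ("@reboot (survives restart)",) if sched == "@reboot" else ()
        f = assess("crontab", sched, cmd, extra)
        if f:
            findings.append(f)
    return findings


def audit_launch_agents(plists):
    """plists: {filename: plist bytes} read from ~/Library/LaunchAgents."""
    findings = []
    for path, raw in plists.items():
        p = plistlib.loads(raw)
        cmd = " ".join(p.get("ProgramArguments") or [p.get("Program", "")])
        extra = ("RunAtLoad (fires at login)",) if p.get("RunAtLoad") else ()
        f = assess("LaunchAgent " + path, p.get("Label", path), cmd, extra)
        if f:
            findings.append(f)
    return findings


# Constructed samples: one benign and one suspicious entry per store.
SAMPLE_RUN_KEYS = {
    "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    "Java-Update-Manager": r"C:\Users\alice\AppData\Roaming\pythonw.exe C:\Users\alice\AppData\Roaming\jum.py",
}
SAMPLE_CRONTAB = """# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
@reboot /usr/bin/python3 /home/alice/.cache/.update.py
"""
SAMPLE_AGENT = plistlib.dumps({
    "Label": "com.apple.update",
    "ProgramArguments": ["/usr/bin/python3", "/Users/alice/Library/.hidden/agent.py"],
    "RunAtLoad": True,
})

if __name__ == "__main__":
    for f in (audit_run_keys(SAMPLE_RUN_KEYS) + audit_crontab(SAMPLE_CRONTAB)
              + audit_launch_agents({"com.apple.update.plist": SAMPLE_AGENT})):
        print(f"[{f.source}] {f.name}: {f.command}\n    " + "; ".join(f.reasons))
```

The two-reason threshold is deliberate: plenty of legitimate software lives under AppData or fires at login, so any single heuristic on its own would drown the result in noise.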

Post-Exploitation Surveillance Capabilities

Beyond establishing access, the BYOB payload delivers extensive surveillance capabilities through modular components that can be loaded based on the attacker’s objectives.

The keylogger module hooks the keyboard with pyHook on Windows and pyxhook on Unix-based systems. It records every keystroke together with the active window title, so the operator knows which application was in use when a password or card number was typed.

The packet sniffer module uses raw sockets to intercept network traffic at the IP layer, parsing headers to extract source and destination addresses, protocol information, and payload data that could reveal credentials transmitted in cleartext or internal network communications.
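To show what a raw-socket sniffer actually sees at the IP layer, the following added example (my code, not BYOB's module) builds a constructed IPv4/TCP packet carrying a cleartext FTP login, parses the headers the way the sniffer must, and searches the payload for credential patterns. Addresses and credentials are invented; on a live Linux host the same bytes would come from a raw socket, which requires root.

```python
"""IP-layer packet parsing of the kind a raw-socket sniffer performs (added example).

The packets below are constructed in memory so the code runs offline. On Linux a
raw socket, socket.socket(AF_INET, SOCK_RAW, IPPROTO_TCP) with root privileges,
returns the same layout: IPv4 header, TCP header, application payload.
"""
import base64
import re
import socket
import struct

IPV4_HDR = "!BBHHHBBH4s4s"   # 20 bytes: ver/ihl, tos, total_len, id, flags/frag, ttl, proto, csum, src, dst
TCP_HDR = "!HHIIBBHHH"       # 20 bytes: sport, dport, seq, ack, data_off/res, flags, window, csum, urg


def build_ipv4_tcp(src, dst, sport, dport, payload):
    """Constructed packet; checksums stay zero because nothing here validates them."""
    total_len = struct.calcsize(IPV4_HDR) + struct.calcsize(TCP_HDR) + len(payload)
    ip = struct.pack(IPV4_HDR, 0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack(TCP_HDR, sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)  # 5-word header, PSH|ACK
    return ip + tcp + payload


def parse_packet(pkt: bytes) -> dict:
    """Parse the IPv4 header and, for TCP (6) or UDP (17), the transport header;
    return addresses, ports and the application payload."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    vihl, _tos, total_len, _id, _ff, ttl, proto, _csum, src, dst = struct.unpack(IPV4_HDR, pkt[:20])
    version, ihl = vihl >> 4, (vihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("not a well-formed IPv4 packet")
    info = {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "proto": proto, "ttl": ttl}
    l4 = pkt[ihl:total_len]
    if proto == 6 and len(l4) >= 20:
        sport, dport, _seq, _ack, off, flags = struct.unpack("!HHIIBB", l4[:14])
        doff = (off >> 4) * 4                      # TCP data offset in 32-bit words
        info.update(sport=sport, dport=dport, tcp_flags=flags, data=l4[doff:])
    elif proto == 17 and len(l4) >= 8:
        sport, dport, _ln, _cs = struct.unpack("!HHHH", l4[:8])
        info.update(sport=sport, dport=dport, data=l4[8:])
    else:
        info["data"] = l4
    return info


# Cleartext credential patterns a sniffer looks for in application data.
FTP_CRED = re.compile(rb"^(USER|PASS) (\S+)", re.M)
HTTP_BASIC = re.compile(rb"Authorization: Basic ([A-Za-z0-9+/=]+)")


def find_cleartext_credentials(data: bytes) -> list:
    """Return (protocol, field, value) tuples for FTP logins and HTTP Basic headers."""
    hits = [("ftp", cmd.decode(), val.decode(errors="replace")) for cmd, val in FTP_CRED.findall(data)]
    for token in HTTP_BASIC.findall(data):
        try:
            hits.append(("http-basic", "Authorization", base64.b64decode(token).decode(errors="replace")))
        except ValueError:                         # binascii.Error is a ValueError
            pass
    return hits


# Constructed sample traffic (documentation addresses, invented credentials).
FTP_PACKET = build_ipv4_tcp("192.0.2.10", "192.0.2.80", 51000, 21, b"USER alice\r\nPASS hunter2\r\n")
HTTP_PACKET = build_ipv4_tcp("192.0.2.10", "192.0.2.81", 51001, 80,
                             b"GET / HTTP/1.1\r\nHost: intranet\r\nAuthorization: Basic "
                             + base64.b64encode(b"bob:s3cret") + b"\r\n\r\n")

if __name__ == "__main__":
    for pkt in (FTP_PACKET, HTTP_PACKET):
        p = parse_packet(pkt)
        print(f"{p['src']}:{p['sport']} -> {p['dst']}:{p['dport']} proto={p['proto']}")
        for proto, field, value in find_cleartext_credentials(p["data"]):
            print(f"   cleartext {proto} {field}: {value}")
```

The defensive lesson is the same one the module exploits: anything still carried over FTP, plain HTTP or other unencrypted protocols inside the network is readable by any compromised host on the path, so the fix is TLS everywhere rather than trying to stop raw sockets.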

The Outlook email harvesting module is one of the most concerning capabilities: it uses Windows COM automation to drive Microsoft Outlook programmatically, and because it rides on the logged-in user's already-authenticated Outlook session it never needs the user's credentials.

Keylogger module showing event handling and Windows hook implementation (Source - Hunt.io)

By connecting to the already-authenticated Outlook session, the malware can search through inbox contents, extract emails containing specific keywords, and enumerate the total message count before performing full extraction operations.

This capability is particularly dangerous in corporate environments where business-critical communications, financial information, and internal documents are routinely shared through email.

The framework also includes process manipulation functions that enable attackers to terminate security software, enumerate running applications, and automatically block protective tools like Task Manager from launching.

Infrastructure analysis revealed additional concerning details about the campaign’s scope and monetization strategy.

Two of the five identified command and control nodes were found hosting XMRig cryptocurrency mining software alongside the BYOB framework, indicating dual-purpose infrastructure that generates passive revenue through cryptojacking while maintaining remote access capabilities.

This combination of remote access toolkit deployment and cryptocurrency mining suggests financially motivated threat actors seeking multiple revenue streams from compromised systems.

The exposed RDP port on the primary server, active since December 2023, combined with the unusual configuration of multiple simultaneous web servers running on different ports, strongly indicates dedicated attack infrastructure rather than legitimate business operations.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags: Attack, Exploit, Malware, Security, Threat

David Kimber

David is a penetration tester turned security journalist with expertise in mobile security, IoT vulnerabilities, and exploit development. As an OSCP-certified security professional, David brings hands-on technical experience to his reporting on vulnerabilities and security research. His articles often feature detailed technical analysis of exploits and provide actionable defense recommendations. David maintains an active presence in the security research community and has contributed to multiple open-source security tools.

All Rights Reserved by HackersRadar ©2026