Pivoting for Nosviak

Summary

Censys has found evidence of a network of botnet management systems running a modified version of Nosviak, a little-known command-and-control service that has gained traction over the past few months. Many of this network’s systems share resources such as SSH keys, domains, and service branding, which alludes to a more extensive operation around selling denial-of-service attacks and proxy services to willing customers.

Introduction

Nosviak is a botnet command-and-control (C2) system that supports various callback communication protocols, including those used by Mirai and Qbot. Despite its capabilities, it has yet to be the subject of much research or scrutiny compared to other systems in this domain. However, over the past seven months, there has been an increase in hosts tagged as Nosviak in ThreatFox, a platform dedicated to sharing indicators of compromise (IOCs) associated with malware. Yet, still, we could not find anything more detailed than a label on a community-driven website.

ThreatFox entry for Nosviak

After developing a Nosviak fingerprint for Censys, we set out to uncover more information about this software. At the time, information on Nosviak was scarce, scattered across obscure corners of the internet. What we did find, however, was a fragmented trail of clandestine GitHub repositories, some littered with insults and cryptic taunts, while others surprisingly contained the complete Nosviak2 source code alongside custom branding and configuration files.

We then focused on the hosts already flagged in Censys running Nosviak2. Through various pivoting strategies, we began identifying patterns and characteristics that provided some insight into a specific ecosystem built around the Nosviak2 software. What started as a simple analysis of Nosviak soon unraveled into a broader discovery of a small network of interconnected hosts that managed a Nosviak-derived “DDoS-as-a-Service” operation.

“Stress-Testing” as a Service

Censys uncovered a botnet frontend operating under multiple aliases and storefronts, primarily offering DDoS and proxy services disguised as “stress testing” tools. These storefronts often share identical HTML templates, differentiated only by unique branding, names, and pricing structures. Our analysis reveals a strong reliance on the Nosviak C2 server, with many of these services using its branding API to apply distinct themes while potentially operating on shared infrastructure.

At the time of writing, the network consisted of over 150 hosts spanning twenty countries and autonomous systems, serving in the control, operation, and sale of these DDoS and proxy services. Some hosts may also function as operational relay boxes (ORBs). Despite operating under different names, many of these entities maintain direct or semi-direct connections.

Key examples of these storefronts include Moonrise c2, Rotate C2, Monolith C2, Runtz C2, and the Cindy Network. While these services flaunt distinct names, their websites follow a near-identical template – the only meaningful variations lie in the superficial elements like branding and wording.

The promotional language on these storefronts often includes slogans like “Feel the true power” or “Test your website security,” which consistently appear across all these websites. Below are some examples of this:

While we cannot definitively confirm that these servers are running Nosviak without direct access to the physical machines, several key indicators support this conclusion. In the following sections, we will reference the Nosviak2 source code, which we have mirrored here.

Banners and Branding

In the Nosviak2 source code (core/clients/produce.go), the default SSH server banner is initialized with the format string:

Many of the servers identified in this investigation followed this exact versioning scheme. In some instances, the Nosviak string was replaced with a more customized identifier, or the name was stripped out entirely, but the OpenSSH version (8.6p1) remained consistent across these cases.

We also note that the default configuration for Nosviak binds SSH to port 1337 as seen here in assets/config.json, and many of the services we identified were actively listening on this port as well.

Shared Nosviak SSH Key

One of the most incriminating pieces of evidence was an SSH private key (in PPK format) within the Nosviak source code. A key that seems to be used on several hosts found in this investigation.

Below is a table of the hosts and ports where this SSH key was observed. While some hosts used the default Nosviak banner, others had modified it to include custom branding.

Despite operating under different names and aliases, many of these DDoS “services” share striking similarities. These include (other) shared SSH server keys, nearly identical web pages, and reused favicons.

These services heavily rely on Discord, Telegram, or both as their primary communication platforms. These channels act as central hubs for promoting their offerings, providing user support and updates, and showcasing “proofs” of their activities. Operators frequently share screenshots of successful attacks to demonstrate their capabilities and attract new customers.

MoonlyC2 Discord (discord[.]gg/moonlyc2) “proofs”	Cindy Network Telegram (t[.]me/cindynetwork) “proofs”.

Some of these services even extend their marketing efforts to YouTube, where they maintain channels to advertise and showcase video demonstrations of their offerings. While most of these services focus on DDoS attacks, others, such as Moonrise C2, hint at broader capabilities such as proxies.

Pivoting from the Nosviak SSH Fingerprint

By pivoting from the default Nosviak SSH key, we can find links to other hosts that share some commonality with different hosts.  For example, while Sentinel Network, Moonly C2, RCNC, and Cindy Network use the default Nosviak SSH key, they also run web servers that include HTML elements found on several other hosts offering similar services. We can then use those elements as a jumping-off point to find other potentially related infrastructure.

Pivoting from Runtz C2

Runtz C2 (runtznetwork[.]icu) at IP address 45.90.13.179 was identified by pivoting from the shared HTML element described in the previous section, and in addition to the HTTP server, the SSH fingerprint on port 1337 (2af0…14cc) revealed 90 other hosts using the same key; below is a sample of hosts we found with this method that we could attribute:

Many of these hosts led us to uncover even more infrastructure; for example, Elite Proxy’s web server at IP address 185.17.0.31 was identified using the same Runtz SSH key. This server hosted four distinct SSH services on ports 22, 1337, 8080, and 9090. The SSH service on port 9090 used a different SSH key shared with five additional hosts. Among these hosts, two were running Nosviak login panels.

67.211.216.8 (capital-consulting[.]ru)	178.215.238.160 (unknown domain)

Another host that was discovered using the Runtz SSH fingerprint was Dream C2 at 37.114.63.131 that operated a secondary SSH server on TCP port 9999 with a fingerprint (d281…69b6) shared with 18 additional hosts, a subset of which was branded as “Erf CNC”.

ErfCNC Login Panel

… And these Erf CNC hosts include a unique HTTP response body, which allowed us to pivot to other associated hosts. Among these, three specific hosts—37.114.50.59, 45.13.225.73, and 109.71.252.43 present an administrative login form that seems to be rebranded Nosvik.

Tracer C2 is linked to other services, such as 93.123.85.191 (WaterNetworkk / 2af0…14cc), which ran a status page on port 80 listing the types of attacks it supports.

But this Tracer C2 status page makes use of a rarely-used GitLab favicon found on only a small number of other hosts.

For instance, 103.211.201.207 (with an HTML title of “SSN Funnel Build” (possibly related to Nosviak’s “Funnel” feature)) and 167.114.4.98 (“SSN API Build”) both host HTTP servers on port 80 that appear to be API build status pages specific to the botnet.

The same GitLab favicon is also present on several standalone hosts: 160.30.21.74 features a status page on port 80 with the HTML title “Tajima C2/API”, while 212.193.31.66 identifies itself as the “CRIMINALITY API”.

160.30.21.74	212.193.31.66

This suggests that admins are automating the provisioning of new API servers using GitLab as a CI/CD, allowing them to iterate faster on new releases.

Along with the various domain names that we’ve already discussed, several others were found to be associated with this network:

At the time of writing, the majority of this infrastructure is hosted on OVH (AS16276) and Aeza (AS216246), all geographically spread across Germany, the Netherlands, the United States, Russia, and other regions where such operations can seemingly go unnoticed or without enforcement.

The reality is that many of these services appear deceptively innocent, often reflecting a network of individuals—possibly younger enthusiasts—applying their technical skills and interests in ways that could lead to harmful outcomes. While the primary target audience seems to be those aiming to disrupt game servers and chat servers, this does not rule out the potential for these networks to be abused for far more malicious purposes.

We have developed a single Censys search query consolidating all the indicators discussed in this post.  At the time of writing, the query identifies over 155 hosts.

Below is a table that breaks down each element in the search query into the specific thing it is looking for.