Slight change in RedKit URI

As noticed by @Set_Abominae and @kafeine, RedKit has made a slight modification to its URI.

The HTML, JAR and JNLP file names now look to be four characters; the EXE name remains two digits.

Redkit JNLP

HTTP Method = GET
HTTP URI ends with *.jnlp
Regex HTTP URI ^http:\/\/[a-z0-9A-Z-.]+\/[a-z0-9A-Z]{4}\.jnlp$

RedKit JAR

HTTP Method = GET
HTTP URI ends with *.jar
Content-type = application/java-archive
Regex HTTP URI ^http:\/\/[a-z0-9A-Z-.]+\/[a-z0-9A-Z]{4}\.jar$

*Is this change related to the Sophos article? Hmm… :)*

Current Event Redirectors to Redkit

Have been seeing these a lot recently in conjunction with recent events…

HTTP Method = GET
HTTP URI ends with */news.html OR */boston.html OR */texas.html
Regex HTTP Request for ^http:\/\/(\d\d?\d?\.){3}\d\d?\d?\/(news|texas|boston)\.html$

See examples of this on
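The two posts above give their signatures as a method, a URI regex and (for the JAR) a Content-Type. The following is an added example, not code from the original posts, that evaluates those same conditions over a constructed proxy log. The regexes are rewritten in Python syntax (no escaped slashes, hyphen placed last in the host character class); the log format and the hostnames/addresses are assumptions for the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Signatures transcribed from the two posts above into Python regex syntax.
# A signature fires only when every listed condition holds.
@dataclass(frozen=True)
class Signature:
    name: str
    method: str
    uri_regex: str
    content_type: Optional[str] = None  # None: not part of the signature

SIGNATURES = [
    Signature("RedKit JNLP", "GET",
              r"^http://[a-zA-Z0-9.-]+/[a-zA-Z0-9]{4}\.jnlp$"),
    Signature("RedKit JAR", "GET",
              r"^http://[a-zA-Z0-9.-]+/[a-zA-Z0-9]{4}\.jar$",
              content_type="application/java-archive"),
    Signature("RedKit current-event redirector", "GET",
              r"^http://(\d\d?\d?\.){3}\d\d?\d?/(news|texas|boston)\.html$"),
]

@dataclass(frozen=True)
class LogEntry:
    method: str
    uri: str
    content_type: str  # response Content-Type as logged by the proxy

def parse_log_line(line: str) -> LogEntry:
    """Parse one constructed, space-separated log line: METHOD URI CONTENT-TYPE."""
    method, uri, ctype = line.split()
    return LogEntry(method, uri, ctype)

def match_signatures(entry: LogEntry) -> list[str]:
    """Names of every signature whose conditions all hold for this entry."""
    hits = []
    for sig in SIGNATURES:
        if entry.method != sig.method:
            continue
        if sig.content_type is not None and entry.content_type.lower() != sig.content_type:
            continue
        if re.match(sig.uri_regex, entry.uri):
            hits.append(sig.name)
    return hits

def scan(log_text: str) -> dict[str, list[str]]:
    """Map each URI that triggered at least one signature to the signature names."""
    results: dict[str, list[str]] = {}
    for line in log_text.strip().splitlines():
        entry = parse_log_line(line)
        hits = match_signatures(entry)
        if hits:
            results[entry.uri] = hits
    return results

# Constructed sample proxy log (documentation hostnames and addresses only).
SAMPLE_LOG = """
GET http://cdn.example.test/ab12.jnlp application/x-java-jnlp-file
GET http://cdn.example.test/ab12.jar application/java-archive
GET http://cdn.example.test/cd34.jar text/html
GET http://cdn.example.test/abcde.jar application/java-archive
GET http://192.0.2.10/boston.html text/html
GET http://www.example.test/boston.html text/html
GET http://192.0.2.10/news.html text/html
POST http://192.0.2.10/texas.html text/html
"""

if __name__ == "__main__":
    for uri, hits in scan(SAMPLE_LOG).items():
        print(f"{uri}: {', '.join(hits)}")
```

Note how the negative lines behave: a four-character JAR served as text/html, a five-character JAR, a hostname instead of a dotted-quad IP, and a POST all fall through, which is the point of pairing the URI regex with the method and Content-Type rather than matching on the path alone.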

Slight changes in RedKit URI

Finally seeing some changes/customization in RedKit payloads, a departure from the static files.

encoded (application/octet-stream)
encoded (application/octet-stream)


HTTP Method = GET
Content-Type = application/java-archive
Regex HTTP URI for \/[a-z0-9]{3}\.jar$

Confirmed by @node5 and @xanda on Twitter


HTTP Method = GET
Content-Type = application/octet-stream
HTTP Destination = *.html
User-Agent = *Java/1.*

Regex HTTP URI for \/[0-9]{2}\.html$ <-- Optional

Redkit Random Gates

Here are some more recent strings to locate RedKit gates.

Regex HTTP URI for “\/(hfrn|azhd|eesb|hfqf|mapn|wmhd|mzyp|oegu|efgv|acsu|acej|hmod|aoei|aoef|asyq|asju|awtg|zmyg|awtg|

Can regex with \/[a-z]{4}\.html?$

There will be false positives; use a four-letter-word dictionary (as a CSV) to weed out common words.

See examples of Random Redkit Gates on

Some RedKit gates also have a parameter on the end of the gate URL, which makes it easier to weed out false positives.


Can regex with \/[a-z]{4}\.html?\?[a-z]=[0-9]+$

See examples of Redkit Gate w/ Param on
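To show how the bare four-letter pattern, the dictionary weeding and the parameterised variant fit together, here is an added example (not code from the original post) that classifies URIs with both regexes from above. The short comma-separated word list stands in for the four-letter-word dictionary CSV the post recommends and is constructed for the example, as are the sample URIs and their hostnames.

```python
from __future__ import annotations

import re
from typing import Optional

# Regexes from the post above, in Python syntax. A capture group is added
# around the four-letter name so it can be checked against the word list.
GATE_RE = re.compile(r"/([a-z]{4})\.html?$")
GATE_WITH_PARAM_RE = re.compile(r"/([a-z]{4})\.html?\?[a-z]=[0-9]+$")

# Constructed stand-in for the four-letter-word dictionary CSV; a real
# deployment would load a full word list from disk.
COMMON_WORDS_CSV = "home,news,info,blog,help,page,main,shop,team,jobs,text,more"
COMMON_WORDS = frozenset(COMMON_WORDS_CSV.split(","))

def classify_gate_uri(uri: str) -> Optional[str]:
    """Classify one request URI against the RedKit random-gate patterns.

    Returns one of:
      'gate-with-param' - matches the parameterised form, name not a common word
      'gate-candidate'  - matches the bare four-letter form, name not a common word
      'common-word'     - matches either form but the name is in the word list
      None              - neither pattern applies
    """
    m = GATE_WITH_PARAM_RE.search(uri)
    if m:
        name = m.group(1)
        return "common-word" if name in COMMON_WORDS else "gate-with-param"
    m = GATE_RE.search(uri)
    if m:
        name = m.group(1)
        return "common-word" if name in COMMON_WORDS else "gate-candidate"
    return None

def triage(uris: list[str]) -> dict[str, list[str]]:
    """Group a batch of URIs by verdict, dropping those no pattern applies to."""
    buckets: dict[str, list[str]] = {}
    for uri in uris:
        verdict = classify_gate_uri(uri)
        if verdict is not None:
            buckets.setdefault(verdict, []).append(uri)
    return buckets

# Constructed sample URIs (documentation hostname, not real gates).
SAMPLE_URIS = [
    "http://www.example.test/hfrn.html",          # four random letters -> candidate
    "http://www.example.test/azhd.htm",           # .htm variant -> candidate
    "http://www.example.test/news.html",          # dictionary word -> weeded out
    "http://www.example.test/mapn.html?a=12345",  # parameterised form
    "http://www.example.test/home.htm?b=7",       # parameterised but common word
    "http://www.example.test/index.html",         # five letters -> no match
    "http://www.example.test/hfrn.html?x=abc",    # query is not [a-z]=[0-9]+ -> no match
]

if __name__ == "__main__":
    for verdict, hits in sorted(triage(SAMPLE_URIS).items()):
        print(f"{verdict}: {hits}")
```

Because the bare pattern is anchored to the end of the URI, any query string takes a request out of its reach; that is why the parameterised form needs its own regex, and why it is checked first here.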

Redkit Exploit Kit

RedKit likes to deliver its payload as an executable named like an HTML file.

HTTP Request Method = GET
HTTP URI = *.html or *.htm
Content Type = application/octet-stream

RedKit Gate

Regex URI for “\/h(m|f)[a-z]{2}\.html?$” — This is now out of date. They seem to have turned to random.



Can regex for ^http:\/\/[a-z0-9-.]+?\/[a-z]{4}\.html?$ but very prone to false positives.

JARs and PDFs are still easiest to spot.


EXEs are still easy too.

/33.html (application/octet-stream)
/62.html (application/octet-stream)


See Examples of RedKit Gates in

See examples of RedKit PDF and JAR files in

See examples of RedKit EXE files in

REM RedKit Redirector – Not sure if still active

HTTP Request Method = GET
HTTP URI = */rem*.htm OR */rem*.html



See examples of REM redirectors on

Probable ZBOT Post-Compromise Activity

Found these in a very noisy redkit attack…not totally sure that it’s ZBOT. Corrections welcome…

POST naurg. com/xhobdogfz.db
POST naurg. com/fjgmzzllvqoycbsustahfwbsuytqzhtidcjihpgvtu.rtf
POST naurg. com/issrxrdzlpofezkwhmuhymmorkplnc.7z
POST naurg. com/ixzygseaenf.log
POST ronavo .com/npjvncroe.log
POST ronavo .com/lwtirttzxoevcaztzylqbou.7z
POST ronavo .com/kaaaaaabnqayupqau.rar
POST ronavo .com/bzmqvwtwbrejgqibfkgmjirjcpwoclitfdshtsmftyuhvtwbdsqrkvgpnozym.php3

HTTP Method = POST
Content-Type = “application/x-www-form-urlencoded”
Regex HTTP URI for ^http:\/\/[a-zA-Z0-9-.]+\/[a-z]+\.(db|pif|log|rar|tpl|7z|rtf|tiff|php3|doc|pl|cgi)$

http://kargid. org/c.htm?uvZA8kUIv7AwOZCMqkqhwl7jDZUOEtWFwErdgRUr
http://joshuagsilverman .com/q.htm?tVgNliikvKhhITo2QcV1ooZ6QICtS8
http://homedecorreviews. com/g.htm?Eyl5gRHaELSinXQ9fvb8k3XUOfoOTq
http://heritageclothingcompany .com/w.htm?OomDwn2fWkkW598iEtR5afe
http://solomaquetas. com/l.htm?ZQjpwNPWV1o94aEFkSdd1vYt1ZjKWC4zOr
http://gorgeoregon. com/w.htm?f9QAXSZ4vUh6qvt43YOaauWiEfSqvZKlDjI
http://compstar .us/k.htm?oyQWBuciU6G3qqIu73gpbnxia7m2m8A8baezO51
http://canadabook .ca/y.htm?qELp27uE4QF76X65tsSEitdFC63ymvKqICc16

HTTP Method = GET
Content-Type = “application/octet-stream”
User-Agent = “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)”
Regex HTTP URI for \/[a-z]\.htm\?

Regex HTTP URI for ^[a-zA-Z0-9:/.?_-]{57,64}$ > they all seem to be 57-64 chars right now… (The hyphen goes last in the character class so it is a literal; written as ?-_ it is parsed as a range from ? to _ and also admits @, [, \, ] and ^.)
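The following is an added example (not code from the original post) that applies both probable-ZBOT signatures above to constructed requests and makes the character-class pitfall concrete: the class as originally posted contains ?-_ , which regex engines read as a range from ? (0x3F) to _ (0x5F). The fixed form places the hyphen last. Hostnames and tokens are constructed for the example and stand in for the defanged domains in the post.

```python
from __future__ import annotations

import re
import string
from typing import Optional

# POST signature from the post above, host class written as [a-zA-Z0-9.-]
# ('-' last) so the hyphen is unambiguously a literal.
ZBOT_POST_RE = re.compile(
    r"^http://[a-zA-Z0-9.-]+/[a-z]+\.(db|pif|log|rar|tpl|7z|rtf|tiff|php3|doc|pl|cgi)$"
)
ZBOT_POST_CTYPE = "application/x-www-form-urlencoded"

# GET signature from the post above (single-letter .htm with a token query).
ZBOT_GET_RE = re.compile(r"/[a-z]\.htm\?")
ZBOT_GET_CTYPE = "application/octet-stream"
ZBOT_GET_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

# Length check. As posted, '?-_' inside the class is a RANGE; the fixed form
# puts '-' last so it is a literal hyphen.
LENGTH_RE_AS_POSTED = re.compile(r"^[a-zA-Z0-9:/.?-_]{57,64}$")
LENGTH_RE_FIXED = re.compile(r"^[a-zA-Z0-9:/.?_-]{57,64}$")

def chars_only_in_posted_class() -> set[str]:
    """Printable ASCII characters the as-posted class accepts but the fixed one rejects."""
    posted = re.compile(r"[a-zA-Z0-9:/.?-_]")
    fixed = re.compile(r"[a-zA-Z0-9:/.?_-]")
    return {c for c in string.printable if posted.fullmatch(c) and not fixed.fullmatch(c)}

def uri_length_in_band(uri: str) -> bool:
    """The post's optional 57-64 character check, using the fixed class."""
    return LENGTH_RE_FIXED.match(uri) is not None

def classify(method: str, uri: str, content_type: str, user_agent: str) -> Optional[str]:
    """Apply the two ZBOT signatures to one request; None if neither fires."""
    if method == "POST" and content_type.lower() == ZBOT_POST_CTYPE and ZBOT_POST_RE.match(uri):
        return "zbot-post"
    if (method == "GET" and content_type.lower() == ZBOT_GET_CTYPE
            and user_agent == ZBOT_GET_UA and ZBOT_GET_RE.search(uri)):
        return "zbot-get"
    return None

# Constructed sample requests shaped like the ones in the post (documentation hosts).
SAMPLE_REQUESTS = [
    ("POST", "http://naurg.example.test/xhobdogfz.db", ZBOT_POST_CTYPE, "Mozilla/4.0"),
    ("POST", "http://ronavo.example.test/kaaaaaabnqayupqau.rar", ZBOT_POST_CTYPE, "Mozilla/4.0"),
    ("POST", "http://naurg.example.test/xhobdogfz.db", "application/json", "Mozilla/4.0"),
    ("POST", "http://naurg.example.test/report.exe", ZBOT_POST_CTYPE, "Mozilla/4.0"),
    ("GET", "http://kargid.example.test/c.htm?AbC1dEf2GhI3jKl4MnO5pQr6StU", ZBOT_GET_CTYPE, ZBOT_GET_UA),
    ("GET", "http://kargid.example.test/c.htm?AbC1dEf2GhI3jKl4MnO5pQr6StU", ZBOT_GET_CTYPE, "curl/7.0"),
]

def scan() -> list[tuple[str, Optional[str], bool]]:
    """(uri, signature verdict, length-in-band) for every sample request."""
    return [(uri, classify(m, uri, ct, ua), uri_length_in_band(uri))
            for m, uri, ct, ua in SAMPLE_REQUESTS]

if __name__ == "__main__":
    print("extra chars admitted by the as-posted class:", sorted(chars_only_in_posted_class()))
    for uri, verdict, in_band in scan():
        print(f"{verdict!s:10} len-ok={in_band!s:5} {uri}")
```

The extra characters the unfixed class admits are all legal in URLs (for example @ in userinfo), so the bug widens the match silently; it would not show up as a regex compile error, only as a slightly looser signature.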