<!DOCTYPE html>
<html dir="auto">
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
    <meta http-equiv="X-UA-Compatible" content="IE=edge"/>
    <style type="text/css">
      body {
        font-family:'Helvetica Neue', Helvetica, Arial, Geneva, sans-serif; font-size: 12px;
      }
      img {
        outline: none;
        text-decoration: none;
        -ms-interpolation-mode: bicubic;
      }
      a img {
        border: none;
      }
      table td {
        border-collapse: collapse;
      }
      table {
        border-collapse: collapse;
        mso-table-lspace: 0pt;
        mso-table-rspace: 0pt;
        border: none;
        table-layout: auto;
        display: block;
        width: 100%;
        overflow: auto;
        word-break: keep-all;
      }
      table,
      pre,
      blockquote {
        margin: 0 0 16px;
      }
      td, th {
        padding: 7px 12px;
      }
      th {
        font-weight: bold;
        text-align: center;
      }
      col {
        width: auto;
      }
      p {
        margin: 0;
      }
      code {
        border: none;
        background: hsl(0,0%,97%);
        white-space: pre-wrap;
      }
      blockquote {
        padding: 8px 12px;
        border-left: 5px solid #eee;
      }
      pre {
        padding: 12px 15px;
        font-size: 13px;
        line-height: 1.45;
        background: hsl(0,0%,97%);
        white-space: pre-wrap;
        border-radius: 3px;
        border: none;
        overflow: auto;
      }
    </style>
  </head>
  <body style="font-family:'Helvetica Neue', Helvetica, Arial, Geneva, sans-serif; font-size: 12px;"><div>Hello Freifunk colleagues,</div><div><br></div><div>at least one of your users has picked up the Zeus trojan. You probably cannot locate the affected person, but you might point this out at one of your internal meetings.</div><br><div data-signature="true" data-signature-id="1">
<div>Kind regards</div>
<div>Dieter</div>
<div>PS: If you have received this mail, please let me know.</div>
<div>---</div>
<div>Dr. Dieter Winkler</div>
<div>Freifunk Rheinland e. V.</div>
<div>Hirzenrott 2-4</div>
<div>52076 Aachen</div>
<div><br></div>
<div><a href="https://freifunk-rheinland.net" title="https://freifunk-rheinland.net" rel="nofollow noreferrer noopener" target="_blank">https://freifunk-rheinland.net</a></div>
<div>kontakt@freifunk-rheinland.net</div>
</div><br><div>---Beginning of forwarded message:---<br><br>
</div><div><blockquote type="cite" style="border-left: 2px solid blue; margin: 0 0 16px; padding: 8px 12px 8px 12px;">
<div>Subject: [CB-Report#20250925-10001978] Malware infections in AS201701<br>Date: 25.09.2025 10:06<br>From: "CERT-Bund Reports" &lt;reports@reports.cert-bund.de&gt;<br>To: abuse@freifunk-rheinland.net<br><br>
</div>
<div>[English version below]</div>
<div><br></div>
<div>Dear Sir or Madam,</div>
<div><br></div>
<div>CERT-Bund has received information from trusted external sources on</div>
<div>IP addresses in Germany behind which, with very high probability, there are</div>
<div>systems infected with malware.</div>
<div><br></div>
<div>Below we send you a list of affected IP addresses in your network range.</div>
<div>In addition to the IP address, timestamp (UTC) and name of the malware family,</div>
<div>each record gives (where these data are available to us) the source port,</div>
<div>destination IP address, destination port, destination hostname and protocol</div>
<div>of the connection that was presumably triggered by malware in order to</div>
<div>contact a command-and-control server of the perpetrators.</div>
<div><br></div>
<div>Most of the malware reported here has functions for identity theft</div>
<div>(spying out usernames and passwords) and/or for manipulating</div>
<div>online-banking communication.</div>
<div><br></div>
<div>Profiles with detailed information on many malware families</div>
<div>can be found at:</div>
<div><<a href="https://www.bsi.bund.de/DE/Themen/Verbraucherinnen-und-Verbraucher/" title="https://www.bsi.bund.de/DE/Themen/Verbraucherinnen-und-Verbraucher/" rel="nofollow noreferrer noopener" target="_blank">https://www.bsi.bund.de/DE/Themen/Verbraucherinnen-und-Verbraucher/</a>
</div>
<div>Cyber-Sicherheitslage/Methoden-der-Cyber-Kriminalitaet/Botnetze/</div>
<div>Steckbriefe-aktueller-Botnetze/steckbriefe-aktueller-botnetze.html></div>
<div><br></div>
<div>We ask you to check the matter promptly and to initiate measures</div>
<div>to clean up the systems or to inform your affected customers</div>
<div>accordingly.</div>
<div><br></div>
<div>Further information on this notification can be found at:</div>
<div><<a href="https://reports.cert-bund.de/schadprogramme" title="https://reports.cert-bund.de/schadprogramme" rel="nofollow noreferrer noopener" target="_blank">https://reports.cert-bund.de/schadprogramme</a>></div>
<div><br></div>
<div>This e-mail is digitally signed using PGP.</div>
<div>Information on the key used can be found at:</div>
<div><<a href="https://reports.cert-bund.de/digitale-signatur" title="https://reports.cert-bund.de/digitale-signatur" rel="nofollow noreferrer noopener" target="_blank">https://reports.cert-bund.de/digitale-signatur</a>></div>
<div><br></div>
<div>Please note:</div>
<div>This is an automatically generated message. Replies to the</div>
<div>sender address <<a href="mailto:reports@reports.cert-bund.de" title="mailto:reports@reports.cert-bund.de">reports@reports.cert-bund.de</a>> will NOT be read</div>
<div>and are automatically discarded. For queries, please contact</div>
<div><<a href="mailto:certbund@bsi.bund.de" title="mailto:certbund@bsi.bund.de">certbund@bsi.bund.de</a>>, keeping the ticket number [CB-Report#...]</div>
<div>in the subject line.</div>
<div><br></div>
<div>!! Please first read our HOWTOs and FAQ, which are available at</div>
<div>!! <<a href="https://reports.cert-bund.de/" title="https://reports.cert-bund.de/" rel="nofollow noreferrer noopener" target="_blank">https://reports.cert-bund.de/</a>>.</div>
<div><br></div>
<div>======================================================================</div>
<div><br></div>
<div>Dear Sir or Madam,</div>
<div><br></div>
<div>from trusted external sources, CERT-Bund received information on IP addresses</div>
<div>geolocated in Germany which are most likely hosting one or more systems</div>
<div>infected with malware.</div>
<div><br></div>
<div>Please find below a list of affected IP addresses on your network.</div>
<div>Each record includes a timestamp (UTC) and the name of the related malware family.</div>
<div>If available, the record also includes the source port, destination IP,</div>
<div>destination port and destination hostname for the connection most likely triggered</div>
<div>by the malware to connect to a command-and-control server.</div>
<div><br></div>
<div>Most of the malware families reported here include functions for identity theft</div>
<div>(harvesting of usernames and passwords) and/or online-banking fraud.</div>
<div><br></div>
<div>Detailed information on many malware families is available here:</div>
<div><<a href="https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/" title="https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/" rel="nofollow noreferrer noopener" target="_blank">https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/</a>
</div>
<div>Cyber-Sicherheitslage/Methoden-der-Cyber-Kriminalitaet/Botnetze/</div>
<div>Steckbriefe-aktueller-Botnetze/steckbriefe-aktueller-botnetze_node.html></div>
<div><br></div>
<div>We would like to ask you to check the issues reported and to take appropriate steps</div>
<div>to get the infected hosts cleaned up or notify your customers accordingly.</div>
<div><br></div>
<div>Additional information on this notification is available at:</div>
<div><<a href="https://reports.cert-bund.de/en/malware" title="https://reports.cert-bund.de/en/malware" rel="nofollow noreferrer noopener" target="_blank">https://reports.cert-bund.de/en/malware</a>></div>
<div><br></div>
<div>This message is digitally signed using PGP.</div>
<div>Information on the signature key is available at:</div>
<div><<a href="https://reports.cert-bund.de/en/digital-signature" title="https://reports.cert-bund.de/en/digital-signature" rel="nofollow noreferrer noopener" target="_blank">https://reports.cert-bund.de/en/digital-signature</a>></div>
<div><br></div>
<div>Please note:</div>
<div>This is an automatically generated message. Replies to the</div>
<div>sender address <<a href="mailto:reports@reports.cert-bund.de" title="mailto:reports@reports.cert-bund.de">reports@reports.cert-bund.de</a>> will NOT be read</div>
<div>but silently be discarded. In case of questions, please contact</div>
<div><<a href="mailto:certbund@bsi.bund.de" title="mailto:certbund@bsi.bund.de">certbund@bsi.bund.de</a>> and keep the ticket number [CB-Report#...]</div>
<div>of this message in the subject line.</div>
<div><br></div>
<div>!! Please make sure to consult our HOWTOs and FAQ available at</div>
<div>!! <<a href="https://reports.cert-bund.de/en/" title="https://reports.cert-bund.de/en/" rel="nofollow noreferrer noopener" target="_blank">https://reports.cert-bund.de/en/</a>> first.</div>
<div><br></div>
<div>============================================================================</div>
<div>Please let us know at <<a href="mailto:certbund@bsi.bund.de" title="mailto:certbund@bsi.bund.de">certbund@bsi.bund.de</a>> if, in future, you would like to receive</div>
<div>the data on affected systems as a file attachment instead of inline.</div>
<div><br></div>
<div>Please let us know at <<a href="mailto:certbund@bsi.bund.de" title="mailto:certbund@bsi.bund.de">certbund@bsi.bund.de</a>> if you would like to receive</div>
<div>the data on affected systems as a file attachment instead of inline.</div>
<div>============================================================================</div>
<div><br></div>
<div>Affected systems in your network range:</div>
<div>Affected hosts on your networks:</div>
<div><br></div>
<div>"asn","ip","timestamp","malware","src_port","dst_ip","dst_port","dst_host","proto"</div>
<div>"201701","185.66.195.80","2025-09-24 22:48:19","android.badboxloader","40269","34.229.166.50","8899","<a href="http://ardai.duoproxys.com" title="http://ardai.duoproxys.com" rel="nofollow noreferrer noopener" target="_blank">ardai.duoproxys.com</a>","tcp"</div>
<div>"201701","185.66.193.115","2025-09-24 13:10:38","android.vo1d","36233","3.250.92.156","55530","","tcp"</div>
<div>"201701","185.66.193.27","2025-09-24 09:45:45","zeus","1154","3.229.117.57","80","<a href="http://setup.ghwr87ytiuwhgf4ihsjdnbbdvsh.com" title="http://setup.ghwr87ytiuwhgf4ihsjdnbbdvsh.com" rel="nofollow noreferrer noopener" target="_blank">setup.ghwr87ytiuwhgf4ihsjdnbbdvsh.com</a>","tcp"</div>
<div>"201701","185.66.195.4","2025-09-24 13:07:16","android.vo1d","37690","3.250.92.156","55530","","tcp"</div>
<div>"201701","185.66.193.44","2025-09-24 13:40:36","nymaim","64667","216.218.185.162","80","<a href="http://efsxhz.org" title="http://efsxhz.org" rel="nofollow noreferrer noopener" target="_blank">efsxhz.org</a>","tcp"</div>
<div>"201701","185.66.193.43","2025-09-24 00:25:47","android.badbox2","60556","5.79.71.225","443","","tcp"</div>
<div>"201701","185.66.195.90","2025-09-24 01:47:09","android.badbox2","47828","178.162.203.211","443","","tcp"</div>
<div>"201701","185.66.193.85","2025-09-24 12:26:42","android.badbox2","45772","178.162.203.202","443","","tcp"</div>
<div>"201701","185.66.195.4","2025-09-24 13:08:27","android.vo1d2","42577","5.79.71.225","55530","","tcp"</div>
<div>"201701","185.66.195.80","2025-09-24 00:03:11","android.badbox2","41543","5.79.71.205","80","<a href="http://ycxrl.com" title="http://ycxrl.com" rel="nofollow noreferrer noopener" target="_blank">ycxrl.com</a>","tcp"</div>
<div>"201701","185.66.194.17","2025-09-24 00:07:47","android.badbox2","38928","178.162.203.202","80","<a href="http://apotube.com" title="http://apotube.com" rel="nofollow noreferrer noopener" target="_blank">apotube.com</a>","tcp"</div>
<div>"201701","185.66.193.61","2025-09-24 00:12:31","android.badbox2","35600","178.162.203.226","80","<a href="http://ycxrl.com" title="http://ycxrl.com" rel="nofollow noreferrer noopener" target="_blank">ycxrl.com</a>","tcp"</div>
<div>"201701","185.66.195.94","2025-09-24 09:01:24","android.badbox2","48167","85.17.31.82","80","<a href="http://dcylog.com" title="http://dcylog.com" rel="nofollow noreferrer noopener" target="_blank">dcylog.com</a>","tcp"</div>
<div>"201701","185.66.193.106","2025-09-24 09:16:21","android.badbox2","43908","178.162.203.226","80","<a href="http://sc.dqmop.com" title="http://sc.dqmop.com" rel="nofollow noreferrer noopener" target="_blank">sc.dqmop.com</a>","tcp"</div>
<div>"201701","185.66.193.48","2025-09-24 10:04:33","android.badbox2","60512","5.79.71.225","80","<a href="http://ycxrl.com" title="http://ycxrl.com" rel="nofollow noreferrer noopener" target="_blank">ycxrl.com</a>","tcp"</div>
<div>"201701","185.66.193.121","2025-09-24 15:52:28","android.badbox2","48294","5.79.71.225","80","<a href="http://apotube.com" title="http://apotube.com" rel="nofollow noreferrer noopener" target="_blank">apotube.com</a>","tcp"</div>
<div>"201701","185.66.193.114","2025-09-24 19:54:45","android.badbox2","59860","5.79.71.225","80","<a href="http://ycxrl.com" title="http://ycxrl.com" rel="nofollow noreferrer noopener" target="_blank">ycxrl.com</a>","tcp"</div>
<div>"201701","2a03:2260:2009::","2025-09-24 00:40:40","android.badbox2","42886","2001:470:1:332::fe","80","<a href="http://ycxrl.com" title="http://ycxrl.com" rel="nofollow noreferrer noopener" target="_blank">ycxrl.com</a>","tcp"</div>
<div>"201701","2a03:2260:100c:20c:4103:a5fa:32b1:7356","2025-09-24 02:34:10","android.badbox2","48994","2001:470:1:332::fe","80","<a href="http://apotube.com" title="http://apotube.com" rel="nofollow noreferrer noopener" target="_blank">apotube.com</a>","tcp"</div>
<div>"201701","2a03:2260:3017:500:8928:3566:6924:a5e","2025-09-24 03:49:22","android.badbox2","41220","2001:470:1:332::fe","80","<a href="http://ycxrl.com" title="http://ycxrl.com" rel="nofollow noreferrer noopener" target="_blank">ycxrl.com</a>","tcp"</div>
<div>"201701","2a03:2260:2342:400:ec17:708b:6dec:b16d","2025-09-24 09:47:19","android.badbox2","53110","2001:470:1:332::fe","80","<a href="http://dcylog.com" title="http://dcylog.com" rel="nofollow noreferrer noopener" target="_blank">dcylog.com</a>","tcp"</div>
<div>"201701","2a03:2260:115:6100:5416:8483:b69a:89f8","2025-09-24 08:52:11","android.badbox2","40362","2001:470:1:332::ef","80","<a href="http://ycxrl.com" title="http://ycxrl.com" rel="nofollow noreferrer noopener" target="_blank">ycxrl.com</a>","tcp"</div>
<div><br></div>
<div>Kind regards</div>
<div>Team CERT-Bund</div>
<div><br></div>
<div>Bundesamt für Sicherheit in der Informationstechnik</div>
<div>Federal Office for Information Security (BSI)</div>
<div>CERT-Bund</div>
<div>Godesberger Allee 87, 53175 Bonn, Germany</div>
</blockquote></div><div><br></div><br><br></body>
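<div><br></div>
<div>The report above records, per infected host, the public IP address, the UTC timestamp, the malware family and (where available) the source port of the connection to the command-and-control server. On a network where many clients share one public address through NAT (as the forwarder notes, the affected user cannot be identified from the address alone), the source port and the destination address/port are what let the operator tie a record back to an internal client, provided a NAT or connection-tracking log exists for that time. The following Python example is an added illustration of that correlation step; it is not part of the CERT-Bund report and not Freifunk Rheinland's tooling. It parses two records copied from the report's inline CSV and matches them against a constructed NAT log whose line format is hypothetical. The function names <code>parse_report</code>, <code>parse_nat_log</code> and <code>correlate</code>, the internal addresses and the five-second match window are all assumptions for this example.</div>

```python
"""Correlate CERT-Bund report records with a NAT/conntrack log.

Added example, not part of the CERT-Bund report or the recipient's own tooling.
The NAT log format below is hypothetical (IPv4 only); the report CSV format
follows the header shown in the report itself. All timestamps are UTC.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Two records copied from the report's inline CSV (same header as the report).
REPORT_CSV = '''"asn","ip","timestamp","malware","src_port","dst_ip","dst_port","dst_host","proto"
"201701","185.66.193.27","2025-09-24 09:45:45","zeus","1154","3.229.117.57","80","setup.ghwr87ytiuwhgf4ihsjdnbbdvsh.com","tcp"
"201701","185.66.193.115","2025-09-24 13:10:38","android.vo1d","36233","3.250.92.156","55530","","tcp"
'''

# Constructed NAT log (hypothetical format):
#   <iso-utc> <proto> <client ip:port> -> <public ip:port> -> <destination ip:port>
# Internal 10.20.x.x addresses are invented for this example.
NAT_LOG = '''2025-09-24T09:45:44Z tcp 10.20.30.41:51523 -> 185.66.193.27:1154 -> 3.229.117.57:80
2025-09-24T09:45:50Z tcp 10.20.30.77:51524 -> 185.66.193.27:1155 -> 3.229.117.57:80
2025-09-24T13:10:38Z tcp 10.20.31.9:40001 -> 185.66.193.115:36233 -> 3.250.92.156:55530
2025-09-24T13:10:38Z udp 10.20.31.9:40002 -> 185.66.193.115:36233 -> 3.250.92.156:55530
'''


def parse_report(text):
    """Parse the report's inline CSV into dicts with typed fields (ports may be absent)."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "ip": row["ip"],
            "ts": datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc),
            "malware": row["malware"],
            "src_port": int(row["src_port"]) if row["src_port"] else None,
            "dst_ip": row["dst_ip"],
            "dst_port": int(row["dst_port"]) if row["dst_port"] else None,
            "dst_host": row["dst_host"],
            "proto": row["proto"].lower(),
        })
    return rows


def parse_nat_log(text):
    """Parse the hypothetical NAT log lines into dicts; blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proto, client, _, public, _, dst = line.split()
        c_ip, c_port = client.rsplit(":", 1)
        p_ip, p_port = public.rsplit(":", 1)
        d_ip, d_port = dst.rsplit(":", 1)
        entries.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "proto": proto.lower(),
            "client": c_ip,
            "public_ip": p_ip, "public_port": int(p_port),
            "dst_ip": d_ip, "dst_port": int(d_port),
        })
    return entries


def correlate(report_rows, nat_entries, window=timedelta(seconds=5)):
    """Map each report record to the internal clients whose NAT entry matches it.

    A match needs the same protocol, public IP, translated source port,
    destination IP and destination port, and a NAT timestamp within `window`
    of the report timestamp. A record without a source port cannot be attributed
    behind a shared address, so it maps to an empty list.
    """
    result = {}
    for row in report_rows:
        key = (row["ip"], row["ts"].isoformat(), row["malware"])
        matches = []
        if row["src_port"] is not None:
            for e in nat_entries:
                if (e["proto"] == row["proto"] and e["public_ip"] == row["ip"]
                        and e["public_port"] == row["src_port"]
                        and e["dst_ip"] == row["dst_ip"] and e["dst_port"] == row["dst_port"]
                        and abs(e["ts"] - row["ts"]) <= window):
                    matches.append(e["client"])
        result[key] = sorted(set(matches))
    return result


if __name__ == "__main__":
    for key, clients in correlate(parse_report(REPORT_CSV), parse_nat_log(NAT_LOG)).items():
        print(key, "->", clients or "no NAT entry (cannot attribute)")
```

<div>The match deliberately requires protocol, both ports and the destination address in addition to the public IP, because a NAT gateway reuses source ports across clients; the second zeus log line, one port off, is correctly left out. The time window absorbs clock skew between the reporting sensor and the gateway, and only works when the gateway logs in UTC, which is how the report's timestamps are given.</div>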
</html>