Part 1 covered NeTiS as a propagation-capable MIPS IoT implant: staged initialization, multi-architecture payload fan-out, fallback downloader orchestration, process masquerading, competitor suppression, and SIGTRAP-driven anti-analysis. This second part continues from those mechanics into the encrypted control channel, Cloudflare-aware HTTP behavior, attribution boundaries, and defensive pivots that remain useful when operators rotate infrastructure or rebuild the binary.
Technical Findings, Continued
Cryptography and key derivation
The control channel uses a stream cipher from the ChaCha20/Salsa20 family. The strongest static anchors are the presence of the sigma constant "expand 32-byte k" and a 256-bit embedded key blob:
The surrounding encrypt and decrypt routines support a ChaCha20 interpretation, but the highest-confidence conclusion from the recovered static artifacts is that NeTiS uses a 32-byte-key stream-cipher construction rather than simple fixed XOR for its primary C2 traffic. That is a meaningful step up from older IoT bot variants that expose commands or infrastructure with only superficial obfuscation.
The nonce is assembled inside the encryption routine from pseudorandom output and a time-derived value before the cipher state is initialized. The supplied static excerpts do not expose the exact mixing expression with enough certainty to publish it as a definitive formula, but they do show that the bot does not reuse a fixed IV-like value across transmissions. In practice, that forces defenders to lean on framing, handshake values, and traffic shape rather than raw ciphertext reuse.
The sample still uses simpler obfuscation where speed matters more than secrecy. Attack type strings are protected with single-byte XOR using key 0x2E. That split is common in production malware: strong enough crypto for operator traffic, cheap reversible transforms for strings the developer does not want exposed by static triage.
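As an added example (not code from the report or from the sample itself), a small scanner that recovers strings protected with the single-byte XOR key 0x2E by walking a blob and keeping runs that decode to printable ASCII. The key is the value given above; the sample strings and filler bytes are constructed for the demonstration.

```python
# Added example: recover single-byte-XOR (key 0x2E) strings from a binary blob.
# Not tooling from the report; the blob below is constructed for illustration.
XOR_KEY = 0x2E
MIN_LEN = 4  # shortest decoded run worth reporting

def xor_decode(data: bytes, key: int = XOR_KEY) -> bytes:
    """XOR every byte with the single-byte key; the transform is its own inverse."""
    return bytes(b ^ key for b in data)

# Constructed blob: two attack-type labels XORed with 0x2E, separated by filler
# bytes chosen so that they do NOT decode to printable ASCII under this key.
SAMPLE_BLOB = (
    b"\x2e\xd1\xae"
    + xor_decode(b"udpflood")
    + b"\x2e\xd1"
    + xor_decode(b"http2")
    + b"\xae"
)

def find_xor_strings(blob: bytes, key: int = XOR_KEY, min_len: int = MIN_LEN) -> list:
    """Return decoded printable runs of at least min_len characters, in blob order.

    A run ends at the first byte whose decode falls outside 0x20-0x7E. Note that
    a raw 0x00 terminator decodes to '.' under key 0x2E, so real string tables
    may show a trailing dot that the analyst strips by hand.
    """
    found, run = [], bytearray()
    for b in blob:
        d = b ^ key
        if 0x20 <= d <= 0x7E:
            run.append(d)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        found.append(run.decode("ascii"))
    return found

if __name__ == "__main__":
    print(find_xor_strings(SAMPLE_BLOB))  # ['udpflood', 'http2']
```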
C2 protocol design and network fingerprinting
The primary command path is a TCP session on port 5632 managed through non-blocking sockets and select(). The protocol is compact and structured. Commands are length-prefixed with a two-byte big-endian field followed by up to 1024 bytes of payload. A two-byte 00 00 heartbeat is sent every sixth loop iteration. On successful connection, the bot transmits an identity structure carrying header 0x73c0 and session magic 0x0B6F0B73.
That combination is operationally useful. Even when the body is encrypted, the framing behavior persists. Analysts can look for a small-interval reconnect loop, short heartbeat records, and a control session that pairs big-endian length fields with low-latency polling.
The HTTP beacon path is more distinctive. The malware generates browser-shaped GET requests with current desktop user-agent strings, fetch metadata headers, Accept-Encoding, and other browser-adjacent fields that do not belong on a headless embedded service. It then parses cf_clearance= from the server response and reuses that token in later requests via a Cookie header. Static evidence supports Cloudflare-aware cookie reuse against gated infrastructure. It does not prove that the bot solves Cloudflare challenges on its own, but it does show that the operator built the implant to operate behind that control surface.
The bot also exposes a broad attack surface once tasked. Application-layer floods include browser-spoofed GET traffic, POST floods with Content-Length: 10485760, and HTTP/2-preface traffic beginning with PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n. Reflection and amplification mechanisms include SSDP M-SEARCH, Source Engine query logic, and memcached-style stats\r\n probes on port 11211. One of the more recognizable oddities is the mixing of HTTP/2-preface material with SSDP discovery syntax, which creates a useful hunting pivot because legitimate software does not blend those protocol artifacts in a single attack workflow.
Attribution Considerations
The sample is attributable to a malware family and a variant label, not to a named actor.
The Gafgyt/BASHLITE lineage is well supported by the propagation model, process-killing behavior, multi-architecture payload strategy, and DDoS-centric command set. The embedded “NeTiS” banner is credible as operator branding or campaign labeling, and it is worth carrying into reporting because it gives defenders a consistent handle for clustering. That string is reproduced verbatim only because it is a high-confidence identifier.
There is still not enough evidence to tie the sample to a specific intrusion set, crew, or geographic actor. The evidence supports “Gafgyt/BASHLITE-derived IoT botnet variant with operator branding NeTiS.” It does not support more than that. Gafgyt source code has circulated publicly for years, and the most plausible reading of this sample is custom development layered onto that leaked codebase rather than a wholesale rewrite. The additions worth tracking are the encrypted control channel, Cloudflare-aware beaconing, and the specific staging and masquerade logic, not the family baseline that is already widely reused.
Detection Opportunities
Network
The cleanest network pivots are structural. Watch for outbound TCP control sessions to port 5632 that use two-byte big-endian length fields, emit 00 00 keepalives at a fixed cadence, and begin with a connect structure containing 0x73c0 and 0x0B6F0B73. Independently, flag embedded Linux devices that generate browser-like HTTP requests carrying modern desktop user-agent strings and later introduce a cf_clearance cookie. That is abnormal for routers, DVRs, and similar appliances.
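The control-session framing described above and in the C2 protocol section, as an added example rather than the report's own tooling: it splits a captured stream into two-byte big-endian length-prefixed records, treats the 00 00 record as a zero-length heartbeat, and checks for the connect marker. The report gives the header 0x73c0 and magic 0x0B6F0B73 but not their exact layout, so the assumption here is that the identity structure is itself a length-prefixed record whose payload starts with the header and magic in big-endian order; the sample session bytes are constructed.

```python
# Added example (not from the report or the sample): score a captured TCP
# session against the NeTiS control-channel framing. Layout assumption: the
# identity record payload begins with the 16-bit header and 32-bit magic, both
# big-endian; the report states the values, not the exact field order.
import struct
from typing import List, Optional

C2_PORT = 5632
HEADER, MAGIC = 0x73C0, 0x0B6F0B73
MAX_PAYLOAD = 1024
CONNECT_MARKER = struct.pack(">HI", HEADER, MAGIC)  # b"\x73\xc0\x0b\x6f\x0b\x73"

def parse_frames(stream: bytes) -> Optional[List[bytes]]:
    """Split a stream into [2-byte big-endian length][payload] records.

    A bare 00 00 is a zero-length frame, i.e. the heartbeat. Returns None when a
    length exceeds 1024 or runs past the end, which rules the framing out.
    """
    frames, off = [], 0
    while off + 2 <= len(stream):
        (n,) = struct.unpack_from(">H", stream, off)
        if n > MAX_PAYLOAD or off + 2 + n > len(stream):
            return None
        frames.append(stream[off + 2 : off + 2 + n])
        off += 2 + n
    return frames if off == len(stream) else None

def assess_session(dst_port: int, bot_to_c2: bytes, c2_to_bot: bytes) -> dict:
    """Return the structural features listed in the text plus a verdict."""
    out, inn = parse_frames(bot_to_c2), parse_frames(c2_to_bot)
    f = {
        "port_5632": dst_port == C2_PORT,
        "framing_ok": out is not None and inn is not None,
        "connect_marker": bool(out) and out[0].startswith(CONNECT_MARKER),
        "heartbeats": sum(1 for p in (out or []) if p == b""),
        "commands": len(inn or []),
    }
    hit = f["framing_ok"] and f["connect_marker"] and f["heartbeats"] >= 2
    f["verdict"] = "netis_c2_framing" if hit else "no_match"
    return f

# Constructed session: identity record, three heartbeats, two opaque commands.
SAMPLE_BOT = struct.pack(">H", 10) + CONNECT_MARKER + b"\x01\x02\x03\x04" + b"\x00\x00" * 3
SAMPLE_C2 = b"".join(struct.pack(">H", len(c)) + c for c in (b"\x8a\x11\x42", bytes(1024)))

if __name__ == "__main__":
    print(assess_session(C2_PORT, SAMPLE_BOT, SAMPLE_C2))
```

The port check is reported as a feature rather than required for the verdict, so the framing match survives an operator moving the listener off 5632.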
The DDoS modules provide additional signatures. POST requests with Content-Length: 10485760, SSDP M-SEARCH floods from non-UPnP roles, memcached stats\r\n probes from IoT nodes, and any traffic stream that includes the HTTP/2 client preface in obviously non-browser contexts are all strong candidates. The strongest single oddity is the coexistence of SSDP discovery grammar and HTTP/2-preface material in the same attack tooling.
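The beacon and DDoS-module signatures from the sections above, pulled together as an added example that is not the report's own tooling: each captured payload is tagged against the HTTP/2 client preface, SSDP M-SEARCH, memcached stats\r\n on 11211, the 10485760-byte POST, and desktop user-agent plus cf_clearance reuse from an embedded device, and sources that mix HTTP/2-preface and SSDP grammar are surfaced. Whether a source is an embedded device is assumed to come from an asset inventory (a constructed set here), and the events and cookie value are constructed placeholders.

```python
# Added example, not from the report: tag captured payloads with the signatures
# listed in the text, then flag sources that mix HTTP/2-preface and SSDP grammar.
# The embedded-device set stands in for an asset inventory (assumption).
import re

H2_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"
BIG_POST_LEN = b"Content-Length: 10485760"
DESKTOP_UA = re.compile(rb"User-Agent: .*(Windows NT|Macintosh|X11; Linux)", re.I)

def classify_payload(payload: bytes, dst_port: int, src_is_embedded: bool) -> set:
    tags = set()
    if payload.startswith(H2_PREFACE):
        tags.add("h2_preface")
    if payload.startswith(b"M-SEARCH * HTTP/1.1"):
        tags.add("ssdp_msearch")
    if dst_port == 11211 and payload.strip() == b"stats":
        tags.add("memcached_stats")
    if payload.startswith(b"POST ") and BIG_POST_LEN in payload:
        tags.add("post_flood_10mb")
    # Desktop browser headers are only anomalous when the source is an appliance.
    if src_is_embedded and payload.startswith(b"GET ") and DESKTOP_UA.search(payload):
        tags.add("embedded_desktop_ua")
        if re.search(rb"Cookie: .*cf_clearance=", payload):
            tags.add("cf_clearance_reuse")
    return tags

def hunt(events, embedded_hosts):
    """events: iterable of (src_ip, dst_port, payload). Returns per-source tag
    sets and the sorted sources showing the SSDP + HTTP/2-preface combination."""
    per_src = {}
    for src, port, payload in events:
        tags = classify_payload(payload, port, src in embedded_hosts)
        per_src.setdefault(src, set()).update(tags)
    mixed = sorted(s for s, t in per_src.items() if {"h2_preface", "ssdp_msearch"} <= t)
    return per_src, mixed

# Constructed events: one "router" running the modules, one ordinary workstation.
EMBEDDED = {"192.0.2.10"}
BROWSER_GET = (b"GET / HTTP/1.1\r\nHost: example.invalid\r\nUser-Agent: Mozilla/5.0 "
               b"(Windows NT 10.0; Win64; x64)\r\nCookie: cf_clearance=PLACEHOLDER\r\n\r\n")
EVENTS = [
    ("192.0.2.10", 80, H2_PREFACE + b"\x00\x00\x00\x04\x00\x00\x00\x00\x00"),
    ("192.0.2.10", 1900, b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n\r\n"),
    ("192.0.2.10", 11211, b"stats\r\n"),
    ("192.0.2.10", 80, b"POST /x HTTP/1.1\r\nContent-Length: 10485760\r\n\r\n"),
    ("192.0.2.10", 443, BROWSER_GET),
    ("198.51.100.7", 443, BROWSER_GET),
]

if __name__ == "__main__":
    print(hunt(EVENTS, EMBEDDED))
```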
Host and Behavioral
On-host, focus on process identity and staging behavior. A newly daemonized process renamed to httpd, telnetd, or dropbear that executes from /tmp, /var, /mnt, /root, /boot, or /data/local/tmp is suspicious on embedded devices. So is a single process invoking multiple fallback downloaders in sequence until one succeeds.
The architecture filename set is also useful. Binaries or scripts that reference main_mips, main_mipsel, main_arm5, main_arm6, main_arm7, main_x86, and main_x86_64 in one infection chain are exhibiting botnet propagation logic, not ordinary firmware behavior. Add process enumeration followed by repeated SIGKILL against service names such as telnet, sshd, dropbear, httpd, and telnetd, and the pattern becomes strong enough for high-confidence triage.
Conclusion
The most unusual part of NeTiS is not its flood set or its family lineage. It is the Cloudflare-aware beacon path that parses and reuses cf_clearance cookies while the rest of the implant retains the ruthless efficiency of a classic Gafgyt bot. That combination makes the sample more operationally flexible than commodity predecessors: it can still propagate broadly across fragile IoT fleets, but it can also hide tasking and staging behind infrastructure that looks less obviously botnet-operated. Defenders should prioritize detection around the cf_clearance reuse pattern, the 0x0B6F0B73 control-session marker, and the multi-architecture staging behavior, because those elements are the most durable pivots if operators rotate domains or rebuild the binary.
Annex A: Indicators of Compromise
Annex B: YARA Hunting Rules
This rule is scoped to the NeTiS-labeled Gafgyt variant and adds the hardcoded encryption key as an alternate anchor. That keeps the rule useful even if a future build strips the taunting banner but preserves the same crypto material and surrounding execution artifacts.