One certificate to rule them all: the story of a Chinese-nexus botnet
Amaury-Jacques Garçon
NorthSec 2025 · Day 1 · Salle de bal
Sekoia CTI analyst Amaury-Jacques Garçon presented a two-year investigation into a Chinese-nexus Operational Relay Box (ORB) network that grew to approximately 70,000 compromised devices. The investigation began from a single shared self-signed TLS certificate observed across three GobRAT C2 servers, and expanded to expose a multi-layered infrastructure including a previously undocumented backdoor named Bulbature, full-featured C2 management panels with exposed source code, and — on one server — an unintentionally exposed export containing 75,000 compromised host records.
AI review
Sekoia CTI analyst Amaury-Jacques Garçon spent two years tracking a Chinese-nexus ORB botnet from a single pivot: a shared self-signed TLS certificate reused across all infrastructure. From three initial C2 servers (JPCERT's GobRAT report), he mapped 70+ dedicated servers, identified a previously undocumented backdoor (Bulbature), reconstructed C2 admin panel interfaces from exposed JavaScript assets, and found an unprotected directory export containing 75,000 compromised host records including operator-run shell command output.
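The certificate pivot both summaries describe, shown as an added example that is not code from the talk or from Sekoia: hosts from a scan export are grouped by the SHA-256 fingerprint of the self-signed certificate they present, with a list of known vendor-default certificates excluded so that benign certificate reuse does not drown the cluster of interest. The record fields, the `_rec`/`_fake_pem` helpers and the scan data are constructed for the example, and the PEM bodies are base64 of arbitrary bytes rather than real X.509 certificates.

```python
import base64
import hashlib
import ssl
from collections import defaultdict

def fingerprint_pem(pem: str) -> str:
    """SHA-256 over the DER encoding, the fingerprint scan engines report."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()

def is_self_signed(record: dict) -> bool:
    """Issuer equals subject: no CA vouched for this certificate."""
    return record["issuer"] == record["subject"]

def cluster_hosts(records, known_defaults=frozenset(), min_hosts=2):
    """Map fingerprint -> sorted 'host:port' list for self-signed certificates
    shared by at least min_hosts hosts. Fingerprints in known_defaults are
    dropped: appliance or framework default certificates are shared by many
    hosts for benign reasons and would swamp the pivot with false positives."""
    by_fp = defaultdict(set)
    for r in records:
        if is_self_signed(r):
            fp = r.get("sha256") or fingerprint_pem(r["pem"])
            by_fp[fp].add(f"{r['host']}:{r['port']}")
    return {fp: sorted(h) for fp, h in by_fp.items()
            if len(h) >= min_hosts and fp not in known_defaults}

def _fake_pem(seed: bytes) -> str:
    """Constructed PEM armour around arbitrary bytes; not a real X.509 object."""
    body = base64.b64encode(seed).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def _rec(host, port, seed, issuer, subject):
    return {"host": host, "port": port, "pem": _fake_pem(seed),
            "issuer": issuer, "subject": subject}

# Constructed export: three servers reuse one self-signed cert, two appliances share a vendor default, one host is CA-issued.
SCAN = [
    _rec("198.51.100.10", 443, b"orb-cert", "CN=localhost", "CN=localhost"),
    _rec("198.51.100.11", 443, b"orb-cert", "CN=localhost", "CN=localhost"),
    _rec("203.0.113.5", 8443, b"orb-cert", "CN=localhost", "CN=localhost"),
    _rec("192.0.2.20", 443, b"vendor-default", "CN=router", "CN=router"),
    _rec("192.0.2.21", 443, b"vendor-default", "CN=router", "CN=router"),
    _rec("192.0.2.30", 443, b"ca-issued", "CN=Example CA", "CN=www.example.org"),
]
KNOWN_DEFAULTS = {fingerprint_pem(_fake_pem(b"vendor-default"))}

def find_shared_certs(records=SCAN):
    """Run the pivot over the export with the benign default list applied."""
    return cluster_hosts(records, known_defaults=KNOWN_DEFAULTS)
```

Calling `find_shared_certs()` returns only the cluster of three servers that share the constructed "orb-cert"; the appliances drop out because their fingerprint is in `KNOWN_DEFAULTS`, and the CA-issued host never enters a cluster.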