Cybersecurity researchers have uncovered a sophisticated new threat dubbed OCRFix, a three-stage botnet that utilizes an innovative “EtherHiding” technique to mask its command-and-control (C2) infrastructure. By storing its C2 URLs inside BNB Smart Chain (BSC) testnet smart contracts, the botnet achieves a level of resilience that standard network defenses struggle to counter.
The campaign, which was active as of March 3, 2026, represents a shift in how modern malware handles infrastructure rotation.
The botnet’s initial entry point relies on “ClickFix,” a clever social engineering lure disguised as a fake CAPTCHA.
The lure site walks the victim through a series of steps, instructing them to open the Windows Run box (Win+R) and paste a command from their clipboard. Unknown to the user, the webpage has already written a malicious PowerShell command to their clipboard. Executing this command downloads an MSI dropper that masquerades as a legitimate PHP installer from the “PHP Group”.
The defining feature of OCRFix is its use of the blockchain as a persistent “phonebook” for its C2 servers. Each of the three stages queries a different smart contract on the BSC testnet to resolve its current operational URL.
As the report explains, “To rotate infrastructure, the author updates the contract storage with a single blockchain transaction”. This means that “Every infected machine follows on next check-in. No binary update required”. Because the botnet communicates with legitimate, high-traffic blockchain nodes, the HTTP requests themselves contain no malicious indicators, making detection exceptionally difficult.
The malware is built using VBScript payloads compiled with VBSEdit, with each stage handling a specific part of the compromise.
- Stage 1 (Update1): Acts as a downloader. It queries the first blockchain contract, resolves a URL, and downloads the second stage.
- Stage 2 (setup_helper): Manages privilege escalation and persistence. It uses a persistent PowerShell loop to trigger a UAC prompt until the user accepts, then creates scheduled tasks to ensure the bot remains active.
- Stage 3 (CfgHelper): The final bot payload. It checks in every 60 seconds and waits for operator commands, such as executing shell scripts or downloading further malicious files.
Analysis of the deobfuscated VBScript and the bot’s management panel revealed several indicators of Russian-speaking authors. Researchers found Cyrillic HTML comments in the backend source code and a specific developer comment: “' ReceiveTimeout для больших файлов” (“ReceiveTimeout for large files”). Additionally, the panel’s default timezone offset of UTC+3 is consistent with these Russian-language indicators.
Standard blocking strategies based on DNS or request content are largely ineffective against OCRFix. Security experts recommend that organizations monitor for BSC testnet interactions at known contract addresses or inspect JSON-RPC response bodies for hex-encoded URLs.
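The detection approach described here, and the blockchain “phonebook” lookup described earlier, can be illustrated with an added example that is not part of the original report or the researchers’ tooling. It inspects a JSON-RPC request/response pair (as a proxy or network sensor would capture it), checks whether an eth_call targets a watch-listed contract address, and ABI-decodes the hex result to see whether it contains a URL. The contract address, function selector and URL below are constructed placeholders, not indicators from the report; a real deployment would load the watch list from threat intelligence.

```python
import json
import re
from typing import Optional

# Placeholder watch list of contract addresses (lowercase). Not real IoCs;
# populate from threat intelligence in practice.
WATCHED_CONTRACTS = {"0x00000000000000000000000000000000deadbeef"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)


def abi_encode_string(s: str) -> str:
    """ABI-encode a dynamic string the way a Solidity `string` return value is
    laid out: 32-byte offset, 32-byte length, then UTF-8 bytes padded to 32.
    Used here only to construct sample data for the example."""
    raw = s.encode("utf-8")
    pad = (-len(raw)) % 32
    body = (32).to_bytes(32, "big") + len(raw).to_bytes(32, "big") + raw + b"\x00" * pad
    return "0x" + body.hex()


def abi_decode_string(result_hex: str) -> Optional[str]:
    """Decode an ABI-encoded string from an eth_call result; None if it does not fit."""
    h = result_hex[2:] if result_hex.startswith("0x") else result_hex
    if len(h) % 2 or len(h) < 128:
        return None
    try:
        data = bytes.fromhex(h)
    except ValueError:
        return None
    offset = int.from_bytes(data[:32], "big")
    if offset + 32 > len(data):
        return None
    length = int.from_bytes(data[offset:offset + 32], "big")
    payload = data[offset + 32:offset + 32 + length]
    if len(payload) != length:
        return None
    try:
        return payload.decode("utf-8")
    except UnicodeDecodeError:
        return None


def loose_hex_decode(result_hex: str) -> str:
    """Fallback for results that are raw hex bytes rather than ABI-encoded strings."""
    h = result_hex[2:] if result_hex.startswith("0x") else result_hex
    if len(h) % 2:
        h = "0" + h
    try:
        return bytes.fromhex(h).decode("latin-1")
    except ValueError:
        return ""


def inspect_rpc_exchange(request_body: str, response_body: str) -> dict:
    """Return what a sensor would log for one JSON-RPC exchange: the method,
    the target contract, whether it is watch-listed, any decoded text and URLs,
    and an overall verdict."""
    req = json.loads(request_body)
    resp = json.loads(response_body)
    method = req.get("method")
    to_addr = None
    params = req.get("params") or []
    if method == "eth_call" and params and isinstance(params[0], dict):
        to_addr = (params[0].get("to") or "").lower() or None
    result = resp.get("result")
    decoded = None
    if isinstance(result, str) and result.startswith("0x"):
        decoded = abi_decode_string(result)
        if decoded is None:
            decoded = loose_hex_decode(result)
    urls = URL_RE.findall(decoded) if decoded else []
    watched = to_addr in WATCHED_CONTRACTS
    return {
        "method": method,
        "to": to_addr,
        "watched_contract": watched,
        "decoded": decoded,
        "urls": urls,
        "suspicious": watched or bool(urls),
    }


# Constructed sample traffic. The selector 0x12345678 is a placeholder.
SAMPLE_REQUEST = json.dumps({
    "jsonrpc": "2.0", "id": 1, "method": "eth_call",
    "params": [{"to": "0x00000000000000000000000000000000DEADBEEF", "data": "0x12345678"}, "latest"],
})
SAMPLE_RESPONSE = json.dumps({
    "jsonrpc": "2.0", "id": 1, "result": abi_encode_string("http://c2.example.invalid/gate"),
})
BENIGN_REQUEST = json.dumps({"jsonrpc": "2.0", "id": 2, "method": "eth_blockNumber", "params": []})
BENIGN_RESPONSE = json.dumps({"jsonrpc": "2.0", "id": 2, "result": "0x1b4"})

if __name__ == "__main__":
    print(inspect_rpc_exchange(SAMPLE_REQUEST, SAMPLE_RESPONSE))
    print(inspect_rpc_exchange(BENIGN_REQUEST, BENIGN_RESPONSE))
```

The two signals are deliberately independent: the contract-address match works even when the returned value is obfuscated beyond a plain URL, and the decoded-URL match works even when the operator moves to a contract address that is not yet on the watch list. Either alone is a weaker indicator than both together.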