IP Summary | Image: Hunt Intelligence
Security researchers at Hunt Intelligence have exposed a growing 15-node botnet operation that utilizes a unique “on-host compilation” strategy to evade traditional binary detection. The discovery, triggered by the analysis of a shared TLS certificate, revealed an infrastructure split between Finnish and Iranian data centers, designed specifically to circumvent regional internet filtering while staging large-scale attacks.
Unlike traditional botnets that push pre-compiled malicious binaries to victims, the operator of this campaign opted for a stealthier approach. By pushing source code and using the standard gcc compiler directly on the infected host, the attacker effectively bypassed hash-based detection and binary scanning tools.
“On-host compilation to dodge binary detection. Rather than pushing pre-built binaries, the operator compiled DDoS tools directly on victim machines using gcc.”
Once compiled, the bot client was renamed to the inconspicuous “hex” to further blend into the system’s process list.
The expansion of the “Hex” botnet was driven by high-speed automation. Researchers recovered a Python-based deployment script named ohhhh.py designed to weaponize a massive list of stolen SSH credentials.
The script is built for speed and scale:
- Mass Session Management: It opens up to 500 concurrent SSH sessions simultaneously.
- Automated Payload Delivery: It reads credentials in a `host:port | username | password` format.
- Zero-Touch Infection: The script automatically logs into the host, compiles the bot source code, and launches the “hex” client without further manual intervention.
The “Hex” botnet is built for persistence. Technical analysis of the compiled binary revealed specific reconnection logic that ensures the bot stays active even if the connection to the command-and-control (C2) server is interrupted.
“Bots reconnect automatically after disconnection… meaning infected hosts should be treated as independently compromised regardless of whether the C2 is reachable.”
Furthermore, the same infrastructure used for the botnet’s C2 also runs censorship bypass tools. A configuration file named config-client.yaml confirmed that the hosts forward traffic to Finnish exit nodes via KCP tunneling, allowing the operator to skirt regional internet blocks while managing the botnet.
While the operation shows significant technical effort, Hunt Intelligence assesses the threat actor’s sophistication as still evolving. Native Farsi comments found in the scripts, combined with hosting on Iranian ISPs and ArvanCloud DNS routing, suggest the operator is likely based within Iran.
However, the lack of geopolitical signatures in the observed targets suggests this is likely a private criminal endeavor rather than a state-directed espionage campaign.
Defenders are encouraged to revisit their controls:
- Harden SSH Access: Implement multi-factor authentication and move away from password-only SSH access.
- Monitor Compilers: Audit the use of gcc or other development tools on production servers where they are not required.
- Behavioral Tracking: Look for unauthorized connections to known relay IPs and monitor for unusual file renaming activity, such as the creation of the “hex” binary.
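The “Monitor Compilers” and “Behavioral Tracking” recommendations can be turned into a simple detection over audit logs. The following is an added example written for this article, not code from Hunt Intelligence or from the botnet: it parses auditd EXECVE records (constructed sample lines, with plain quoted arguments rather than auditd's hex-encoded form) and raises an alert when a compiler is invoked and the binary it produced, such as one named “hex”, is launched shortly afterwards.

```python
import os
import re

COMPILERS = {"gcc", "cc", "g++", "clang", "tcc"}   # compilers to audit on production hosts
SUSPECT_NAME = "hex"                                # bot client name described in the report
WINDOW_SECS = 600                                   # compile -> launch within 10 minutes

# Constructed sample auditd EXECVE records (not taken from the Hunt report).
SAMPLE_LOG = """\
type=EXECVE msg=audit(1700000000.101:11): argc=4 a0="gcc" a1="-o" a2="hex" a3="client.c"
type=EXECVE msg=audit(1700000010.102:12): argc=2 a0="./hex" a1="203.0.113.9"
type=EXECVE msg=audit(1700000020.103:13): argc=3 a0="ls" a1="-la" a2="/tmp"
type=EXECVE msg=audit(1700009000.104:14): argc=2 a0="gcc" a1="--version"
"""

RECORD_RE = re.compile(r'type=EXECVE msg=audit\((?P<ts>\d+)\.\d+:\d+\): (?P<rest>.*)')
ARG_RE = re.compile(r'a(\d+)="([^"]*)"')   # assumption: args are plain quoted, not hex-encoded

def parse_execve(line):
    """Return (epoch_seconds, argv) for an EXECVE record, else None."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    pairs = sorted((int(i), v) for i, v in ARG_RE.findall(m.group("rest")))
    return int(m.group("ts")), [v for _, v in pairs]

def output_name(argv):
    """Name of the binary produced by a compiler call (a.out if no -o was given)."""
    if "-o" in argv and argv.index("-o") + 1 < len(argv):
        return os.path.basename(argv[argv.index("-o") + 1])
    return "a.out"

def detect_on_host_compile(log_text):
    """Alerts for compiler use, plus compile->launch chains within WINDOW_SECS."""
    events = [e for e in map(parse_execve, log_text.splitlines()) if e]
    alerts = []
    builds = []   # (timestamp, name of the binary the compiler wrote)
    for ts, argv in events:
        prog = os.path.basename(argv[0]) if argv else ""
        if prog in COMPILERS:
            alerts.append(("compiler_invoked", ts, " ".join(argv)))
            if "--version" not in argv:          # a version probe builds nothing
                builds.append((ts, output_name(argv)))
        for bts, name in builds:
            if prog == name and 0 <= ts - bts <= WINDOW_SECS:
                sev = "high" if name == SUSPECT_NAME else "medium"
                alerts.append((f"compile_then_launch:{sev}", ts, " ".join(argv)))
    return alerts
```

Running `detect_on_host_compile(SAMPLE_LOG)` yields two compiler alerts and one high-severity chain for the freshly built “hex” being executed ten seconds after compilation.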