Throughout our investigation, we identified hard-coded C2 IP addresses embedded in open-source projects in three distinct ways:
1. Exploits and Proof-of-Concept (PoC) code
Several public PoCs included hidden callbacks to external servers, often with no justification in the code or its documentation. These callbacks fired as soon as the PoC was executed, potentially exposing the analysts and researchers who ran it to silent compromise.
2. Backdoored or modified source code
We found source code that had been intentionally altered to introduce outbound connections to attacker-controlled IPs.
3. Code comments
In some cases the malicious C2 endpoint was not in the active code at all; it sat inside a commented-out section. Such patterns suggest failed attempts at obfuscation, abandoned backdoors, or developer testing artifacts. A commented-out address is inert, but it is still a useful indicator of which infrastructure the author was in contact with.
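The three placements above (active exploit code, backdoored source, and comments) can be triaged with one pass over a repository. The scanner below is an added example written for this page, not tooling from the report: it extracts IPv4 literals, decides whether each one sits in active code or in a comment (tracking `#`, `//` and `/* */` by file extension and ignoring `//` inside string literals such as URLs), notes whether an outbound-connection call is on the same line, and skips loopback, RFC 1918 and link-local addresses. The sample inputs are constructed, the sink list is a heuristic, and the RFC 5737 documentation ranges stand in for attacker infrastructure, so they are deliberately not treated as benign.

```python
"""Find hard-coded IPv4 literals in source and classify where each sits (added example)."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from pathlib import PurePath
from typing import Optional

IPV4_RE = re.compile(r"(?<![\d.])((?:\d{1,3}\.){3}\d{1,3})(?::(\d{1,5}))?(?![\d.])")
STRING_RE = re.compile(r'"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\'')
# Calls and commands that open an outbound connection; a heuristic, extend it for your code base.
SINK_RE = re.compile(r"\b(connect|create_connection|urlopen|requests\.(get|post)|curl|wget|"
                     r"ncat?|inet_pton|inet_addr|WebClient|Invoke-WebRequest)\b|/dev/tcp")
# Addresses that cannot be attacker infrastructure. RFC 5737 documentation ranges are
# deliberately NOT listed: the constructed sample below uses them as stand-ins for C2 hosts.
BENIGN_NETS = [ipaddress.ip_network(n) for n in ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8",
               "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "255.255.255.255/32")]
# Line-comment markers and whether /* */ block comments apply, keyed by file extension.
COMMENT_STYLE = {".py": (("#",), False), ".sh": (("#",), False),
                 ".c": (("//",), True), ".h": (("//",), True), ".js": (("//",), True)}


@dataclass
class Finding:
    path: str
    line: int
    ip: str
    port: Optional[int]
    in_comment: bool
    has_sink: bool

    @property
    def severity(self) -> str:
        if self.in_comment:          # abandoned or hidden callback: inert, but still an IoC
            return "low"
        return "high" if self.has_sink else "medium"


def _is_benign(ip: str) -> bool:
    try:
        addr = ipaddress.IPv4Address(ip)
    except ValueError:               # e.g. 999.1.1.1 is not an address
        return True
    return any(addr in net for net in BENIGN_NETS)


def _comment_span(line, markers, block, in_block):
    """Return ((start, end) of commented text on this line or None, in_block after it)."""
    if block and in_block:
        end = line.find("*/")
        return ((0, len(line)), True) if end == -1 else ((0, end + 2), False)
    masked = STRING_RE.sub(lambda m: " " * len(m.group()), line)  # '//' inside a URL is not a comment
    openers = [m for m in markers + (("/*",) if block else ()) if m in masked]
    if not openers:
        return None, False
    start = min(masked.find(m) for m in openers)
    if block and masked.startswith("/*", start):
        end = line.find("*/", start + 2)
        return ((start, len(line)), True) if end == -1 else ((start, end + 2), False)
    return (start, len(line)), False


def scan_source(path: str, text: str) -> list[Finding]:
    markers, block = COMMENT_STYLE.get(PurePath(path).suffix, (("#", "//"), True))
    findings, in_block = [], False
    for lineno, line in enumerate(text.splitlines(), 1):
        span, in_block = _comment_span(line, markers, block, in_block)
        for m in IPV4_RE.finditer(line):
            if _is_benign(m.group(1)):
                continue
            in_comment = span is not None and span[0] <= m.start() < span[1]
            findings.append(Finding(path, lineno, m.group(1), int(m.group(2)) if m.group(2) else None,
                                    in_comment, bool(SINK_RE.search(line))))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan {path: contents}; highest severity first."""
    order = {"high": 0, "medium": 1, "low": 2}
    found = [f for path, text in files.items() for f in scan_source(path, text)]
    return sorted(found, key=lambda f: (order[f.severity], f.path, f.line))


# Constructed sample inputs (not real projects); RFC 5737 addresses stand in for C2 hosts.
SAMPLE_FILES = {
    "poc.py": ('import socket, sys\nLOCAL = "127.0.0.1"  # loopback, skipped\n'
               "def exploit(host):\n    s = socket.create_connection((host, 8080))\n"
               "    # old callback: 198.51.100.23:4444 (abandoned)\n"
               '    beacon = socket.create_connection(("203.0.113.45", 443))  # hidden callback\n'),
    "helper.c": ('#include <arpa/inet.h>\n#define C2_HOST "198.51.100.23"\n'
                 "/* retired host: 192.0.2.9\n   kept for reference */\n"
                 "int connect_c2(int fd, struct sockaddr_in *a) {\n"
                 "    inet_pton(AF_INET, C2_HOST, &a->sin_addr);\n"
                 "    return connect(fd, (struct sockaddr *)a, sizeof *a);\n}\n"),
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f.severity, f"{f.path}:{f.line}", f.ip, f.port, "comment" if f.in_comment else "code", f.has_sink)
```

Two limitations are worth knowing before running this over a real repository. The sink check is same-line only, so the `#define C2_HOST` in the C sample is reported as medium even though `connect()` uses it a few lines later; a second pass that follows the macro or variable to its use would promote it. And any dotted quad is a candidate, so version strings such as `1.2.3.4` will surface as findings and need to be triaged by hand rather than filtered out, because an attacker can just as easily hide an address in something that looks like a version.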
The full report includes four detailed case studies and a full list of IoCs.
