RC4/XOR-concealed C2 configuration blob

discovered 2026-07-01

The C2 host is not stored as a resolvable string. It sits inside an embedded config blob that is XOR-encoded and then RC4-encrypted (an RC4 layer over an XOR layer), so static string extraction and base64/alphabet remapping do not recover it; both the RC4 key and the XOR key are needed before the blob yields anything readable. This defeats the static-decode recovery that succeeded against Waves 1-3, which exposed oob.moika.tech either in cleartext or via simple alphabet remapping. SafeDep recorded the Wave 4 C2 host as UNRESOLVED. The analysis was static only: no code was executed, so the host was not observed at run time either.
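The following is an added example, not SafeDep's tooling or code from the packages themselves. It reconstructs the two-layer wrapping described above on a constructed config (placeholder host c2.example.invalid, made-up XOR and RC4 keys; the real Wave 4 keys and host are not known) and shows why a strings pass, or even the correct XOR key on its own, does not expose the host, while peeling RC4 first and XOR second does. The helper names (`wrap_config`, `unwrap_config`, `hostnames_in`, `static_recovery_attempts`) are this example's own.

```python
"""Two-layer config-blob concealment: XOR inside, RC4 outside.

Added example. Keys, blob and host below are constructed for illustration
and are NOT the Wave 4 sample's values.
"""
import re


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_repeat(key: bytes, data: bytes) -> bytes:
    """Repeating-key XOR; its own inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def wrap_config(plain: bytes, xor_key: bytes, rc4_key: bytes) -> bytes:
    """What the packer does: XOR the config, then RC4 the result."""
    return rc4(rc4_key, xor_repeat(xor_key, plain))


def unwrap_config(blob: bytes, xor_key: bytes, rc4_key: bytes) -> bytes:
    """Peel the layers in reverse order: RC4 first, then XOR."""
    return xor_repeat(xor_key, rc4(rc4_key, blob))


def printable_strings(data: bytes, min_len: int = 4) -> list:
    """Minimal `strings`-style extraction of printable ASCII runs."""
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def hostnames_in(data: bytes) -> list:
    """Dotted hostnames found among the printable runs of `data`."""
    pat = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
    return [h for s in printable_strings(data) for h in pat.findall(s)]


# Constructed sample config and keys (assumptions, not recovered values).
SAMPLE_CONFIG = b'{"c2":"c2.example.invalid","port":443,"sleep":30}'
SAMPLE_XOR_KEY = b"\x5a\xa5\x3c"
SAMPLE_RC4_KEY = b"sample-rc4-key"
SAMPLE_BLOB = wrap_config(SAMPLE_CONFIG, SAMPLE_XOR_KEY, SAMPLE_RC4_KEY)


def static_recovery_attempts(blob: bytes) -> dict:
    """Hostnames visible to three static passes over the blob:
    raw strings, the inner XOR key alone, and both layers peeled."""
    return {
        "raw_strings": hostnames_in(blob),
        "xor_only": hostnames_in(xor_repeat(SAMPLE_XOR_KEY, blob)),
        "both_layers": hostnames_in(
            unwrap_config(blob, SAMPLE_XOR_KEY, SAMPLE_RC4_KEY)),
    }


if __name__ == "__main__":
    for pass_name, hosts in static_recovery_attempts(SAMPLE_BLOB).items():
        print(f"{pass_name:12s} -> {hosts}")
```

The `xor_only` pass is the one worth noting: with the RC4 layer on the outside, knowing the inner XOR key still yields pseudo-random bytes, which is why the Wave 1-3 alphabet-remapping approach has nothing to work on. Recovery without executing the sample means locating the RC4 key material in the loader (it must be present somewhere for the code to decrypt at run time) and then applying this order of operations.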

Seen in packages

Campaigns