New Malware Lays P2P Network on Top of IPFS’

A newly discovered piece of malware uses a peer-to-peer (p2p) network on top of InterPlanetary File System’s (IPFS) p2p network, Anomali’s security researchers report. 


Discovered in May 2019 and dubbed IPStorm, the malware is written in the Go (Golang) programming language and targets Windows machines. Once it has infected a system, the malicious program allows its operator to execute arbitrary PowerShell code. 

Using a p2p network for communication not only lets the bots' traffic blend in with legitimate p2p traffic, it also means infected machines do not have to keep a constant connection to a command and control (C&C) server. 

Connected directly to each other, the infected machines form a p2p botnet in which commands propagate from bot to bot. A p2p botnet is harder to build, because the attacker has to keep the bots reachable to one another at all times, including behind NAT, but it is also harder to detect, especially as p2p traffic becomes more common in corporate environments. 

The botnet leverages IPFS, a p2p filesystem project that aims to make the web more decentralized. IPFS can host a broad range of content, which is accessed through a local client or through public gateways. 

IPFS’ network code has been released as open source under the name libp2p, a modular network stack with support for bootstrapping, NAT traversal, relays, peer discovery and publish/subscribe (pubsub) messaging. A developer can build a private p2p network with the library by supplying their own bootstrap nodes; the library also ships with IPFS’ public bootstrap nodes, so a new network can simply be layered on top of the existing IPFS one. 

This is exactly what IPStorm (InterPlanetary Storm) does, which makes it difficult to tell infected machines apart from legitimate IPFS peers, Anomali says. The Go binary appears to have been built on a macOS machine and is large, around 15 MB unpacked, with its code split across multiple packages. 
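Because of that layering, an infected host's peer table looks like any IPFS node's: entries for the public bootstrap nodes, ordinary swarm peers and relayed peers, all written as libp2p multiaddrs. The Go program below is an added example, not Anomali's or the malware's code. It parses multiaddrs in the form `ipfs swarm peers` prints them, extracts the remote peer ID (the last `/p2p/` component, so that a relay's own ID is not mistaken for the target's) and counts how many of a host's peers belong to the public bootstrap set. The sample peer list and the bootstrap ID are constructed placeholders; in practice the bootstrap set comes from `ipfs bootstrap list` for the client version in use.

```go
package main

import (
	"fmt"
	"strings"
)

// Component is one protocol/value pair of a libp2p multiaddr.
type Component struct{ Proto, Value string }

// Multiaddr protocols that take an argument; quic, quic-v1, ws, wss and
// p2p-circuit take none. "ipfs" is the legacy spelling of "p2p".
var protocolsWithValue = map[string]bool{
	"ip4": true, "ip6": true, "tcp": true, "udp": true, "dns": true,
	"dns4": true, "dns6": true, "dnsaddr": true, "p2p": true, "ipfs": true,
}

// ParseMultiaddr splits "/ip4/203.0.113.5/tcp/4001/p2p/12D3Koo..." into components.
func ParseMultiaddr(s string) ([]Component, error) {
	if !strings.HasPrefix(s, "/") {
		return nil, fmt.Errorf("multiaddr %q must start with '/'", s)
	}
	parts := strings.Split(strings.TrimSuffix(s[1:], "/"), "/")
	var comps []Component
	for i := 0; i < len(parts); i++ {
		c := Component{Proto: parts[i]}
		if protocolsWithValue[c.Proto] {
			if i++; i >= len(parts) || parts[i] == "" {
				return nil, fmt.Errorf("protocol %q in %q requires a value", c.Proto, s)
			}
			c.Value = parts[i]
		}
		comps = append(comps, c)
	}
	return comps, nil
}

// PeerInfo is what one swarm entry contributes to a detection: the remote peer
// ID (the final /p2p/ component, so a relay's own ID does not win) and whether
// the peer is reached through a libp2p relay (/p2p-circuit), i.e. NAT traversal.
type PeerInfo struct {
	ID      string
	Relayed bool
}

func Describe(addr string) (PeerInfo, error) {
	comps, err := ParseMultiaddr(addr)
	if err != nil {
		return PeerInfo{}, err
	}
	var info PeerInfo
	for _, c := range comps {
		switch c.Proto {
		case "p2p", "ipfs":
			info.ID = c.Value
		case "p2p-circuit":
			info.Relayed = true
		}
	}
	if info.ID == "" {
		return PeerInfo{}, fmt.Errorf("%q carries no peer ID", addr)
	}
	return info, nil
}

// Report: a host whose peers include the public IPFS bootstrap nodes has joined
// the public IPFS swarm, whatever private overlay it runs on top of it.
type Report struct{ Total, Bootstrap, Relayed int }

func ClassifyPeers(addrs []string, bootstrapIDs map[string]bool) (Report, error) {
	var r Report
	for _, a := range addrs {
		p, err := Describe(a)
		if err != nil {
			return Report{}, err
		}
		r.Total++
		if p.Relayed {
			r.Relayed++
		}
		if bootstrapIDs[p.ID] {
			r.Bootstrap++
		}
	}
	return r, nil
}

// Constructed sample in the format `ipfs swarm peers` prints; IDs are placeholders.
var SampleSwarmPeers = []string{
	"/ip4/203.0.113.5/tcp/4001/p2p/QmBootstrapPlaceholder01",
	"/ip4/198.51.100.7/udp/4001/quic/p2p/12D3KooWPlaceholderPeerB",
	"/ip6/2001:db8::10/tcp/4001/p2p/12D3KooWPlaceholderPeerC",
	"/ip4/192.0.2.9/tcp/4001/p2p/QmRelayPlaceholder01/p2p-circuit/p2p/12D3KooWPlaceholderPeerD",
}

// Assumed bootstrap peer IDs; populate from `ipfs bootstrap list` of the deployed client.
var AssumedBootstrapIDs = map[string]bool{"QmBootstrapPlaceholder01": true}

func main() {
	r, err := ClassifyPeers(SampleSwarmPeers, AssumedBootstrapIDs)
	fmt.Println(r, err)
}
```

A host whose peer table contains the public bootstrap nodes has joined the public IPFS swarm. That alone does not make it an IPStorm bot, which is exactly the attacker's point, but it is the first filter for deciding which hosts' pubsub activity deserves a closer look, and hosts with no business running IPFS stand out immediately.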


The malware includes simple antivirus (AV) evasion tricks such as sleeps, memory allocations and random-number generation. It uses the third-party Go package “single” to ensure only one instance is running, and adds a host firewall rule so that it can reach the p2p network. 

The malware can download and upload files, which are sent over the pubsub network. It also includes reverse-shell functionality (called “backshell” by the author) that lets the operator run arbitrary PowerShell code on the infected machine. 

Based on the analyzed package tree, Anomali suggests that the malware either can already be compiled for operating systems other than Windows, or that the actor is in the process of building versions for them. 

The malware appears to have infected several thousand machines: 2,847 unique p2p nodes were observed announcing themselves with the malware’s identifier during a ten-hour period. That figure is not a precise bot count, Anomali notes, but it does suggest the botnet is still evolving. 
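The figure above is a count of distinct peer IDs seen announcing on the malware’s pubsub topic within a time window, and that topic is the one part of the botnet a defender can separate from legitimate IPFS traffic. The Go program below is an added example, not Anomali’s tooling. It aggregates a constructed log of announcements (timestamp, peer ID, topic) and reports, for one topic, the distinct peer IDs, how many of them announced more than once, the observation window and the rate of new peers per hour. The topic names and peer IDs are placeholders; the malware’s real identifier is not given in the article.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Announcement is one "peer X announced itself on topic Y" observation, as a
// monitoring node subscribed to the topic would log it.
type Announcement struct {
	At    time.Time
	Peer  string // libp2p peer ID
	Topic string // pubsub topic the peer announced on
}

// ParseAnnouncement reads the constructed log format "<RFC3339 time> <peerID> <topic>".
func ParseAnnouncement(line string) (Announcement, error) {
	f := strings.Fields(line)
	if len(f) != 3 {
		return Announcement{}, fmt.Errorf("malformed line %q", line)
	}
	at, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return Announcement{}, fmt.Errorf("bad timestamp in %q: %w", line, err)
	}
	return Announcement{At: at, Peer: f[1], Topic: f[2]}, nil
}

// TopicStats is what a "2,847 nodes in ten hours" style figure should carry with it.
type TopicStats struct {
	Topic         string
	Announcements int
	UniquePeers   int           // distinct peer IDs, the number usually quoted
	RepeatPeers   int           // peer IDs seen more than once: stable members
	Window        time.Duration // first to last announcement on the topic
	PeersPerHour  float64       // UniquePeers / Window in hours; 0 if Window is 0
}

// Summarize aggregates every announcement on one topic. Lines on other topics
// are skipped; a line that does not parse aborts the run instead of silently
// skewing the count.
func Summarize(lines []string, topic string) (TopicStats, error) {
	seen := map[string]int{}
	var first, last time.Time
	st := TopicStats{Topic: topic}
	for _, l := range lines {
		a, err := ParseAnnouncement(l)
		if err != nil {
			return TopicStats{}, err
		}
		if a.Topic != topic {
			continue
		}
		st.Announcements++
		seen[a.Peer]++
		if first.IsZero() || a.At.Before(first) {
			first = a.At
		}
		if a.At.After(last) {
			last = a.At
		}
	}
	if st.Announcements == 0 {
		return TopicStats{}, fmt.Errorf("no announcements on topic %q", topic)
	}
	st.UniquePeers = len(seen)
	for _, n := range seen {
		if n > 1 {
			st.RepeatPeers++
		}
	}
	st.Window = last.Sub(first)
	if h := st.Window.Hours(); h > 0 {
		st.PeersPerHour = float64(st.UniquePeers) / h
	}
	return st, nil
}

// Constructed sample. "storm-example" stands in for the malware's real topic,
// which is not given here; "benign-example" is unrelated pubsub traffic.
var SampleLog = []string{
	"2019-05-20T10:00:00Z 12D3KooWPlaceholderA storm-example",
	"2019-05-20T10:05:00Z 12D3KooWPlaceholderB storm-example",
	"2019-05-20T10:05:30Z 12D3KooWPlaceholderA benign-example",
	"2019-05-20T11:00:00Z 12D3KooWPlaceholderA storm-example",
	"2019-05-20T11:30:00Z 12D3KooWPlaceholderC storm-example",
	"2019-05-20T12:00:00Z 12D3KooWPlaceholderD benign-example",
	"2019-05-20T12:00:00Z 12D3KooWPlaceholderB storm-example",
	"2019-05-20T12:00:00Z 12D3KooWPlaceholderE storm-example",
}

func main() {
	for _, topic := range []string{"storm-example", "benign-example"} {
		st, err := Summarize(SampleLog, topic)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%+v\n", st)
	}
}
```

Distinct peer IDs over a ten-hour window undercount bots that were offline for the whole window and overcount if bots regenerate their libp2p keys, since the peer ID is derived from the key pair. That is why the repeat-peer count and the per-hour rate belong next to the headline number rather than a bare total.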

“This is the first malware found in the wild that is using IPFS’ p2p network for its C&C communication. By using a legitimate p2p network, the malware can hide its network traffic among legitimate p2p network traffic. This method also provides some protection against takedowns, since sinkholing the p2p network potentially could take down the whole IPFS network,” Anomali concludes. 

Related: P2P Flaws Expose Millions of IoT Devices to Remote Attacks

Related: Hide ‘N Seek IoT Botnet Can Infect Database Servers

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
