I'm alive but very busy!!
It's been 10 years since I started this blog.
Changed the blog theme to dark mode because it's easier on the eyes.
If text formatting/spacing sucks or you can't see images, it's Blogger's fault.
Link to part 2 quick analysis: https://www.boredhackerblog.info/2026/06/use-of-mqtt-in-malware-part-2-quick.html
Intro
Note: I've had limited time to work on this. I took some time off to finish some training but wanted to finish this project as well since it's been sitting on my to-do list for months.
I'm not a professional malware analyst or threat intel person. I'm not super confident in my analysis. I also have a limited set of tools, services, and time.
What is MQTT?
MQTT is a lightweight publish/subscribe messaging protocol, commonly used in IoT. Publishers and subscribers both connect to a broker (server), which receives messages from publishers and forwards them to the subscribers that asked for them; publishers and subscribers never talk to each other directly.
Messages are published to a topic (a "/"-separated path, roughly a "channel"), and every client subscribed to that topic receives them. Subscriptions can contain wildcards (+ matches one topic level, # matches everything below a level), so a single subscription can monitor an entire topic tree.
These links provide a better explanation:
MQTT uses TCP port 1883 for cleartext traffic and 8883 for TLS; MQTT over WebSocket is usually served on 443 (wss), where it is hard to tell apart from normal HTTPS.
Reason for looking into this
I looked at Tox before. I'm looking at MQTT now. It's another protocol that can be abused for C2, data transfer, etc...
(a message I got on discord)
I often discuss using free services for doing offsec/threat stuff. There are some projects that already cover some of these services: https://lots-project.com/ & https://lolfsaas.github.io/
There are a bunch of free public MQTT brokers meant for testing and development that can also be abused, since anyone can connect, publish and subscribe without an account.
(image from some fancy quotes site that came up in google images)
The other reason I looked into this was because I thought it'd be easy to find some malware family and monitor a public broker & topic for what the malware is doing and get a presentation or at least a blog post out of it...
One upside (for defenders) of malware using a public broker is that anyone can subscribe to the topic the malware uses and watch the traffic, and MQTT's wildcard support makes that much easier: subscribe to the parent topic with # and you see every victim-specific subtopic without knowing the IDs in advance.
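To make the wildcard point concrete (both here and in the intro above), here is an added example, not code from the original post or from any malware family: a small Python implementation of MQTT 3.1.1 topic-filter matching (+ matches exactly one level, # matches the parent level and everything below it, and a filter that starts with a wildcard never matches $-prefixed topics such as $SYS/), applied to a constructed set of messages on a shared broker. The topic names, client IDs and payloads are made up for illustration.

```python
"""MQTT topic-filter matching (MQTT 3.1.1, section 4.7), used here to show
why one wildcard subscription is enough to watch a whole topic tree."""


def is_valid_filter(topic_filter: str) -> bool:
    """'+' must occupy a whole level; '#' must be a whole level and the last one."""
    if not topic_filter:
        return False
    levels = topic_filter.split("/")
    for i, level in enumerate(levels):
        if "#" in level and (level != "#" or i != len(levels) - 1):
            return False
        if "+" in level and level != "+":
            return False
    return True


def topic_matches(topic_filter: str, topic: str) -> bool:
    """Return True if a message published to `topic` would be delivered to `topic_filter`."""
    if not is_valid_filter(topic_filter):
        raise ValueError(f"invalid topic filter: {topic_filter!r}")
    if not topic or "+" in topic or "#" in topic:
        return False  # topic names (as opposed to filters) may not contain wildcards
    f_levels = topic_filter.split("/")
    t_levels = topic.split("/")
    # Filters starting with a wildcard must not match $-prefixed topics ($SYS/...),
    # so subscribing to '#' alone does not hand you the broker's internal topics.
    if t_levels[0].startswith("$") and f_levels[0] in ("+", "#"):
        return False
    for i, level in enumerate(f_levels):
        if level == "#":
            return True  # matches the parent level itself and everything below it
        if i >= len(t_levels):
            return False  # filter has more levels than the topic
        if level != "+" and level != t_levels[i]:
            return False
    return len(f_levels) == len(t_levels)


def deliveries(subscriptions, messages):
    """Map each subscription filter to the topics it would receive messages from."""
    result = {sub: [] for sub in subscriptions}
    for topic, _payload in messages:
        for sub in subscriptions:
            if topic_matches(sub, topic):
                result[sub].append(topic)
    return result


# Constructed sample traffic on a shared public broker: a made-up bot topic
# tree next to an unrelated developer's sensor topics and a $SYS topic.
SAMPLE_MESSAGES = [
    ("bots/a1b2c3/cmd", b"whoami"),
    ("bots/a1b2c3/out", b"desktop\\user"),
    ("bots/ffee99/cmd", b"screenshot"),
    ("sensors/kitchen/temp", b"21.5"),
    ("$SYS/broker/clients/connected", b"1337"),
]

if __name__ == "__main__":
    for sub, topics in deliveries(["bots/#", "bots/+/out", "#"], SAMPLE_MESSAGES).items():
        print(f"{sub:12} -> {topics}")
```

Subscribing to `bots/#` picks up every victim's command and output topics without knowing the victim IDs, while `#` on its own still does not expose `$SYS/`; a real monitoring client (for example with paho-mqtt) would just pass the same filter string to its subscribe call.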
Known activity
While doing research into MQTT use by malware, I found several articles talking about it.
"WailingCrab’s core component is its backdoor, which is installed on the system only if the malware’s initial stages are completed successfully. Since mid-2023, WailingCrab’s backdoor component has communicated with the C2 using the MQTT protocol which is a lightweight IoT messaging protocol. MQTT uses a publish/subscribe architecture, whereby messages are published to ‘topics’ and received by subscribers, with message distribution handled by a centralized broker. In this instance, WailingCrab uses the legitimate, third-party broker, broker.emqx[.]io, which allows it to hide the true address of the C2 server."
"MQsTTang is a barebones backdoor that allows the attacker to execute arbitrary commands on a victim’s machine and get the output. Even so, it does present some interesting characteristics. Chief among these is its use of the MQTT protocol for C&C communication."
Prevalence
So MQTT is definitely used/abused by threat actors, but I'm not sure about the prevalence as I don't really have enough data. This might be one of the reasons nobody really cares too much about this until they find a sample using MQTT, which is completely fair.
Finding samples
To look for samples, I started by making a list of free brokers that you can use for testing/dev. If I was a threat actor, I'd just use the free brokers.
I put some domains here: https://gist.github.com/BoredHackerBlog/3d9fae0897fcb7514c0270777910aa45
I started by searching the domains on VirusTotal, AnyRun, Tria.ge, and Hybrid-Analysis.
I mainly focused on VirusTotal and started going through some of the referring files or connecting files.
Hybrid-Analysis also led to a few samples.
One thing I messed up and wasted time on was looking through VT and seeing a bunch of similar files in the Referring files section. I thought I was onto something and had found some interesting undetected malware. It turned out to be GONC (Golang-based netcat tool): https://github.com/threatexpert/gonc#used-public-serversstun--mqtt
One of the biggest issues with looking for samples, especially with free VT, is that I found a bunch of stuff that was just devs using free services for their projects.
Ideally, I would look for communication with MQTT brokers AND some other activity such as sandbox behavior or file attributes or content with queries or samples I had on disk.
I manually found some samples that I thought were interesting based on what I saw in VT behavior and in Triage analysis and focused on analyzing those.
I also avoided ELF/linux stuff and MQTT over wss to make my life easier.
Potential detections
Network traffic analysis
For detection, you could look for:
- DNS lookups, TLS SNI or connections to known public broker domains/IPs (the gist above is a starting list)
- MQTT traffic identified by protocol parsing rather than by port (Suricata and Zeek both have MQTT parsers; the CONNECT packet carries the literal protocol name "MQTT", or "MQIsdp" for v3.1)
- traffic on the default MQTT ports (1883, 8883), keeping in mind a broker can listen on any port
- specific topics, client IDs or payload patterns in cleartext MQTT traffic (Suricata's mqtt.publish.topic, mqtt.subscribe.topic and mqtt.connect.clientid keywords, or plain content rules on port 1883 in Snort/Suricata)
Caveat: over TLS (8883) or wss you only see the broker endpoint, not the topics or payloads, so the first two bullets are all you get there.
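As an added example (not the author's tooling and not from any of the samples above), here is a minimal Python parser for MQTT 3.1.1 control packets that pulls the fields a network rule would key on out of a client-to-broker TCP payload: the client ID from CONNECT, the topic filters from SUBSCRIBE, and the topic and payload from PUBLISH, then checks the topics against a regex watchlist. These are the same fields Suricata's mqtt.* keywords and Zeek's MQTT logs expose. The session bytes are constructed inline with made-up client ID and topic names; the parser only applies to cleartext traffic (port 1883), since over TLS or wss none of this is visible.

```python
"""Minimal MQTT 3.1.1 control-packet parser for client->broker traffic.
Extracts client ID, topic filters, publish topics and payloads from a raw
TCP payload so they can be matched against a watchlist."""
import re
import struct

CONNECT, PUBLISH, SUBSCRIBE = 1, 3, 8
TYPE_NAMES = {1: "CONNECT", 2: "CONNACK", 3: "PUBLISH", 4: "PUBACK", 8: "SUBSCRIBE",
              9: "SUBACK", 10: "UNSUBSCRIBE", 12: "PINGREQ", 13: "PINGRESP", 14: "DISCONNECT"}


def encode_string(s: str) -> bytes:
    """MQTT UTF-8 string: 2-byte big-endian length prefix + bytes."""
    data = s.encode("utf-8")
    return struct.pack("!H", len(data)) + data


def encode_remaining_length(n: int) -> bytes:
    """Variable-length int: 7 data bits per byte, high bit = continuation."""
    out = bytearray()
    while True:
        byte, n = n % 128, n // 128
        out.append(byte | 0x80 if n else byte)
        if not n:
            return bytes(out)


def build_packet(ptype: int, flags: int, body: bytes) -> bytes:
    """Fixed header (type<<4 | flags, remaining length) followed by the body."""
    return bytes([(ptype << 4) | flags]) + encode_remaining_length(len(body)) + body


def _read_string(buf: bytes, pos: int):
    (n,) = struct.unpack_from("!H", buf, pos)
    return buf[pos + 2:pos + 2 + n].decode("utf-8", "replace"), pos + 2 + n


def _read_remaining_length(buf: bytes, pos: int):
    value, mult = 0, 1
    while True:
        byte = buf[pos]
        pos += 1
        value += (byte & 0x7F) * mult
        if not byte & 0x80:
            return value, pos
        mult *= 128
        if mult > 128 ** 3:  # spec allows at most 4 bytes
            raise ValueError("malformed remaining length")


def parse_stream(buf: bytes):
    """Return one dict per control packet found in the buffer."""
    packets, pos = [], 0
    while pos < len(buf):
        ptype, flags = buf[pos] >> 4, buf[pos] & 0x0F
        rem, start = _read_remaining_length(buf, pos + 1)
        body = buf[start:start + rem]
        if len(body) < rem:
            raise ValueError("truncated packet")
        pkt = {"type": TYPE_NAMES.get(ptype, f"UNKNOWN({ptype})")}
        if ptype == CONNECT:
            pkt["protocol"], p = _read_string(body, 0)  # "MQTT" (v3.1.1) or "MQIsdp" (v3.1)
            pkt["level"], cflags = body[p], body[p + 1]
            (pkt["keepalive"],) = struct.unpack_from("!H", body, p + 2)
            pkt["client_id"], p = _read_string(body, p + 4)
            if cflags & 0x04:  # Will flag: will topic + will message follow
                pkt["will_topic"], p = _read_string(body, p)
                _, p = _read_string(body, p)
            if cflags & 0x80:  # User Name flag
                pkt["username"], p = _read_string(body, p)
            if cflags & 0x40:  # Password flag
                pkt["password"], p = _read_string(body, p)
        elif ptype == SUBSCRIBE:
            (pkt["packet_id"],) = struct.unpack_from("!H", body, 0)
            p, filters = 2, []
            while p < len(body):  # repeated (topic filter, requested QoS) pairs
                topic_filter, p = _read_string(body, p)
                filters.append((topic_filter, body[p] & 0x03))
                p += 1
            pkt["filters"] = filters
        elif ptype == PUBLISH:
            qos = (flags >> 1) & 0x03
            pkt["topic"], p = _read_string(body, 0)
            if qos > 0:  # packet identifier is only present for QoS 1 and 2
                (pkt["packet_id"],) = struct.unpack_from("!H", body, p)
                p += 2
            pkt.update(qos=qos, retain=bool(flags & 0x01), payload=body[p:])
        packets.append(pkt)
        pos = start + rem
    return packets


def topics_in(packets):
    """Every topic filter subscribed to and every topic published to, in order."""
    topics = []
    for pkt in packets:
        if pkt["type"] == "SUBSCRIBE":
            topics.extend(f for f, _qos in pkt["filters"])
        elif pkt["type"] == "PUBLISH":
            topics.append(pkt["topic"])
    return topics


def match_watchlist(packets, pattern: str):
    """Topics in the session that match a watchlist regex."""
    rx = re.compile(pattern)
    return [t for t in topics_in(packets) if rx.search(t)]


# Constructed client->broker session (made-up client ID and topics):
# CONNECT, SUBSCRIBE to a command topic, PUBLISH command output.
SAMPLE_SESSION = b"".join([
    build_packet(CONNECT, 0x00, encode_string("MQTT") + bytes([4, 0x02])
                 + struct.pack("!H", 60) + encode_string("host-a1b2c3")),
    build_packet(SUBSCRIBE, 0x02, struct.pack("!H", 1) + encode_string("bots/a1b2c3/cmd") + b"\x00"),
    build_packet(PUBLISH, 0x00, encode_string("bots/a1b2c3/out") + b"whoami\x00desktop\\user"),
])

if __name__ == "__main__":
    for pkt in parse_stream(SAMPLE_SESSION):
        print(pkt)
    print(match_watchlist(parse_stream(SAMPLE_SESSION), r"^bots/[0-9a-f]+/(cmd|out)$"))
```

Feed it the reassembled client-side TCP payload from a pcap (e.g. a tshark `tcp.payload` export) and the `client_id`, `filters` and `topic` fields are what you would put into a Suricata rule or a sandbox behaviour query once a family's naming scheme is known.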
File detection
I didn't think about this very much. I guess you can look at strings for broker domains, the "MQTT" protocol name that ends up in every CONNECT packet, or MQTT client libraries being imported (Paho, MQTTnet, M2Mqtt, etc.).