Advent of Configuration Extraction – Part 1: Pipeline Overview – First Steps with Kaiji Configuration Unboxing
ID: 0f702a01-f408-58e4-9cad-bfdf6a3a2782
STIX ID: report--0f702a01-f408-58e4-9cad-bfdf6a3a2782
Feed Name: Sekoia.io Blog
Date Published: 2025-12-01
Date Updated: 2026-04-29
Author: Jeremy Scion, Pierre Le Bourhis and Sekoia TDR
This post introduces Sekoia TDR's Assemblyline ConfigExtractor pipeline and demonstrates extracting C2 configuration from the Go-based Kaiji IoT botnet. It explains static-analysis findings (Base64-encoded C2:Port strings, a distinctive "use ParseCertificate" marker), the extractor implementation (FLOSS string extraction, regex decoding, YARA matching, MACO mapping), and notes Kaiji variants (including Chaos) that incorporate vulnerability exploitation (CVE-2024-7954, CVE-2023-1389) and expanded capabilities.
