Bulbature, beneath the waves of GobRAT
ID: 6cfc0a63-4f5c-5f29-ace3-121565d26474
STIX ID: report--6cfc0a63-4f5c-5f29-ace3-121565d26474
Feed Name: Sekoia.io Blog
Date Published: 2024-10-02
Date Updated: 2026-04-29
Author: Sekoia TDR, Amaury G. and Felix Aimé
Since mid-2023, Sekoia TDR has tracked an active infrastructure that compromises internet-exposed edge devices, installing GobRAT and Bulbature to turn them into Operational Relay Boxes (ORBs) used for on-demand proxying, DDoS and large-scale exploitation. The report documents 63 servers (20 active at cut-off), staging and admin interfaces, extensive bash installation scripts, C2/dispenser lists, over 74,944 compromised hosts exported in one snapshot and large asset lists totaling ~22.6M entries; it provides IPs, domains and malware hashes, and attributes the activity with high confidence to Chinese operators.
