MALWARE FAMILY

ReedBed

Internal ID: win.reedbed
1
aliases
Last seen:Mar 17, 2026

Intelligence Profile

ReedBed, identified as a malware proxy backdoor, is suspected to be developed by QAKBOT devs, and was deployed by the threat actor Storm-1811 in campaigns observed during late October and early November 2024. These campaigns are typically initiated with email bombing, a tactic involving mass email distribution, followed by social engineering strategies where the actor impersonates help desk personnel to gain access to victim systems.

Upon execution, ReedBed ensures single-instance operation via the mutex "JhishdiI2Uhsvoc94keiojn7ns19m0do" and hooks critical system APIs (NtCreateUserProcess, RtlExitUserProcess) for defense evasion, process interference, and anti-termination. It reads its Command and Control (C2) configuration, typically from the "Software\TitanPlus" registry key, establishes a persistent SSL/TLS encrypted connection, and transmits an initial system information beacon. Subsequently, ReedBed enters its main operational loop, acting as a versatile network proxy based on C2 commands; this includes initiating outgoing TCP connections, relaying data bi-directionally, and establishing reverse SOCKS5 (with authentication) or direct TCP port mapping services via locally opened listening ports. If commanded or upon connection failure, it transitions into a restart/wait cycle guided by registry values, leveraging its hooked exit function to hinder termination before attempting to reconnect to the C2.

Threat Analysis

ReedBed is a malware family tracked by threat intelligence researchers and catalogued in the Malpedia dataset. It represents a distinct malicious software lineage with identifiable code characteristics, behaviors, and victimology.

External References

Quick Facts

TypeMalware Family
Aliases1

Also Known As

win.reedbed

Research Links

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.