360Netlab’s BotMon system has continuously detected a new variant of the Gafgyt family, which uses Tor for C2 communication to hide the real C2 and encrypts sensitive strings in the samples. The family is closely related to the Necro family we made public in January, and the same group of people, the so-called keksec group, is behind it [1] [2]. The core function is still DDoS attacks and scanning, the core function of the group.
Source: https://blog.netlab.360.com/gafgtyt_tor-and-necro-are-on-the-move-again/

