Trojan.Heloag malware is pretty certainly from China. DDoS commands are all encoded in the same byte. The code uses different types of strings to control which DDoS attack is carried out and against which target. There is one Chinese IP hardcoded in the binary, which cannot be attacked by DDoS no matter what command is given to the bot. The DDoS-related code makes heavy use of C++ std::strings, while the rest of the main code uses wsprintf for string handling.
Source: https://securelist.com/heloag-has-rather-no-friends-just-a-master/29693/

