
ET TROJAN Turkojan C&C nxt Command (nxt)


 Endpoint               | IP Address | Port  | Hostname
 Source (United States) |            | 40028 |
 Destination (local)    |            | 41041 |




False Positive:

  • Possible code reuse, or someone picked up old malware.
  • Suspicious:
    • The endpoint belongs to Microsoft. It is not in published Azure space, but it is adjacent to that space.
    • No PTR record; neither reverse DNS services nor ThreatCrowd turn it up.
    • Both ports are above 40000.
    • The traffic is all, or appears to be, encrypted.
  • Not suspicious:
    • The matched text is short.
    • Turkojan is very old malware. The probability that new infections are happening is low.
    • No other events on this system.



  • There are enough indicators here to justify a scan, if possible.
  • This is an Android phone on the Wi-Fi.
  • False positive, since Turkojan is a Windows RAT.
  • No further action.
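
Two of the observations above (a short matched string, on traffic that appears encrypted) are enough to explain a chance hit. The following is an added example, not part of the original note or of the rule: it estimates how often a short content match fires on random-looking bytes. It assumes a 3-byte pattern such as "nxt" (inferred from the signature name only) and that encrypted payload behaves like uniformly random data.

```python
import math
import random


def p_match_anywhere(pattern_len: int, stream_bytes: int) -> float:
    """P(a fixed pattern occurs at least once anywhere in random data).

    Uses the Poisson approximation: each of the (n - k + 1) start offsets
    matches with probability 256**-k.
    """
    positions = max(stream_bytes - pattern_len + 1, 0)
    expected_hits = positions / 256 ** pattern_len
    return 1.0 - math.exp(-expected_hits)


def p_match_anchored(pattern_len: int, packets: int) -> float:
    """Same, for a rule that only inspects one fixed offset per packet."""
    per_packet = 256.0 ** -pattern_len
    return 1.0 - (1.0 - per_packet) ** packets


def simulate_anywhere(pattern: bytes, stream_bytes: int, trials: int,
                      seed: int = 1) -> float:
    """Monte Carlo check of p_match_anywhere on constructed random streams."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        stream = rng.getrandbits(8 * stream_bytes).to_bytes(stream_bytes, "little")
        hits += pattern in stream
    return hits / trials


if __name__ == "__main__":
    ASSUMED_PATTERN = b"nxt"  # assumption: taken from the signature name only
    k = len(ASSUMED_PATTERN)
    for size in (100_000, 1_000_000, 10_000_000, 100_000_000):
        print(f"{size:>11} encrypted bytes: "
              f"P(chance match) = {p_match_anywhere(k, size):.4f}")
    print(f"anchored, 1,000,000 packets: {p_match_anchored(k, 1_000_000):.4f}")
    # A 2-byte pattern keeps the simulation fast; theory predicts about 0.632.
    print("simulated:", simulate_anywhere(b"nx", 65537, 400),
          "predicted:", round(p_match_anywhere(2, 65537), 3))
```

Under these assumptions an unanchored three-byte match becomes likely once an encrypted session carries tens of megabytes, while a match pinned to one offset per packet stays rare.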

