New “Whiffy Recon” Malware: Triangulating Infected Device Location via Wi-Fi Every Minute

Wifi Connection Sign

In the ever-evolving landscape of cyber threats, cybersecurity experts are raising concerns about a newly discovered malware strain known as “Whiffy Recon.” This sophisticated malware, uncovered by researchers from Secureworks Counter Threat Unit (CTU), leverages Wi-Fi scanning and Google’s geolocation API to triangulate the location of infected devices. With the capability to continuously track compromised systems, Whiffy Recon poses significant risks and opens the door to a multitude of potential nefarious activities. In this article, we will explore the intricacies of Whiffy Recon, its modus operandi, and the implications it holds for cybersecurity.

Understanding Whiffy Recon

Whiffy Recon is a custom Wi-Fi scanning executable deployed by the Smoke Loader botnet onto compromised systems. Unlike typical malware strains, Whiffy Recon has a single objective: to triangulate the locations of infected devices by scanning nearby Wi-Fi access points and leveraging Google’s geolocation API. This unique approach allows threat actors to acquire precise location data, effectively mapping the digital landscape onto the physical realm.  The operations of Whiffy Recon commence with a check for the WLANSVC service on the compromised system. This service indicates the presence of wireless capability in a Windows system. If the service name is not found, the malware terminates itself. However, if the service is present, Whiffy Recon persists on the system by creating a shortcut in the user’s Startup folder, ensuring execution upon system boot.

The Scanning Process

Whiffy Recon’s scanning process consists of two primary loops. The initial loop involves registering the bot with the command and control (C2) server. During this phase, the malware checks for the presence of a specific file, %APPDATA%\wlan\str-12.bin. If the file exists, it triggers the second loop, which initiates Wi-Fi scanning. However, if the file does not exist, Whiffy Recon proceeds to register the compromised system with the C2 server by sending a JSON payload in an HTTPS POST request.  Once successfully registered, the second loop commences, performing Wi-Fi access point scanning using the Windows WLAN API. This loop is executed every 60 seconds, allowing for near-real-time tracking of the compromised system. The scan results are then sent to the Google Geolocation API via an HTTPS POST request. In return, the Geolocation API provides coordinates based on the collected Wi-Fi access point data. Whiffy Recon further processes these coordinates to generate a comprehensive report, offering detailed information about each access point’s geographic position and encryption methods.

Implications and Motivations

The reasons behind the development and use of Whiffy Recon are still unclear. Cybersecurity experts express concerns about the scanning process occurring every minute and the ability to track infected devices’ geolocation. This data could potentially be exploited for targeted attacks on specific regions or urban areas, or to intimidate victims and exert pressure for compliance.
The capability of Whiffy Recon to triangulate infected devices’ locations in near-real-time is a unique and rarely observed trait among criminal actors. This raises concerns about the potential malicious activities it could facilitate. While the exact intentions of threat actors remain unknown, the risks associated with this malware strain are evident. Robust security measures are necessary to mitigate its impact.

Mitigating Whiffy Recon’s Threat

To protect against the threat posed by Whiffy Recon, organizations should implement robust security measures. It is crucial to review and restrict access using indicators such as MD5, SHA1, and SHA256 hashes associated with Whiffy Recon samples. Additionally, monitoring network traffic for connections to known C2 servers and blocking access to suspicious IP addresses, such as, can help mitigate the spread of the malware. However, it is important to note that IP addresses can be reallocated, so continuous monitoring and timely updates are essential.


The emergence of Whiffy Recon and its unique capabilities exemplify the ever-evolving landscape of cyber threats. The ability to track infected devices’ geolocation through minute-by-minute Wi-Fi scanning presents significant risks, highlighting the utmost importance of robust cybersecurity measures. To counteract this malware, organizations must maintain unwavering vigilance, consistently monitor for indicators of compromise, and proactively update their security protocols to outmaneuver threat actors. By understanding the complexity of Whiffy Recon and implementing proactive measures, we can fortify our resilience against these ever-changing cyber threats.

Purple Shield Security is not your typical cybersecurity consulting firm. We are the guardians of your digital realm, committed to protecting your business from the constantly evolving landscape of cyber threats. With a dedicated team of passionate security professionals by your side, we go above and beyond mere data and system protection – we provide you with peace of mind. Our comprehensive range of services includes Security Assessments, Penetration Testing, Incident Response, and more. By harnessing cutting-edge solutions and leveraging our expertise, we empower you to fortify your web applications and minimize vulnerability to attacks.

Don’t wait to secure your business. Get in touch with us today and discover how Purple Shield Security can revolutionize your cybersecurity defenses.