Hello everyone, it's been a while.
One of the first affiliate systems I ever infiltrated was BestAV, back in 2011, the same year I started XyliBox.
Over the years I infiltrated most of the major FakeAV affiliate programs, and BestAV was the biggest player in this scene.
It was also the one I kept coming back to, a bit like me vs darkode :)
It became something of a coup de cœur for me, even if that term doesn't quite translate outside of French.
Eventually I watched it fall, not to law enforcement, but simply because more lucrative threats like ransomware and cryptolockers arrived; they kind of made FakeAVs irrelevant.
Although BestAV later launched a ransomware affiliate and put a lot of effort into it, they didn't survive.
I also never really gave this blog a proper farewell.
Like most things from that era, it just… slowed down.
There's still a pile of never-published stories and drafts sitting in my backend: hacked panels, half-finished notes, strange old artifacts from a time when everything was fast, broken, and fascinating.
BestAV feels like the right way to close this circle.
It was the beginning, the obsession, and the last of its kind.
So this post is both a final deep dive and the official end of XyliBox.
Before we dive in, a bit of context for those who weren’t there or just want to refresh their memory about BestAV.
The first time I looked into a FakeAV affiliate, which was also the first time I heard of the BestAV program, was in 2011. It all started with a tweet that led to my first write-up: Tracking Cyber Crime: Inside FakeAV (June 2011)
From there, I kept watching them from the shadows, sometimes dropping hints that I still had access to their system, just in case they were reading (and I was pretty sure they were): Personal Shield Pro (July 2011)
I went back into BestAV again, and that is where the real obsession began: Tracking Cyber Crime: BestAV and BlackSoftware (August 2011)
In 2012, I even infiltrated an affiliate that was built on the BestAV backend: Star-stat.com Reseller (February 2012)
A bit later I also wrote a small guide on how to infiltrate affiliate programs, not just FakeAV anymore but any affiliate system. Of course, I used BestAV as the example: How to Infiltrate Affiliate Programs (June 2012)
I stayed hidden in this affiliate for a long time, monitoring their activity, quietly collecting samples, and following their moves.
Along the way, I teamed up with Siri, Kafeine, Antelox, and many other friends I met on the path, working together to excavate their exploit kits, samples, and test setups.
We saw them evolve, and even launch a ransomware affiliate (Urausy).
Sometimes we pulled data at scale, like in 2013 when we massively burnt their crypt system by dumping the lustrami.com infrastructure on VXVault; this one was tied to BestAV.
And finally, 2014: the fall of fake antivirus had already begun.
So what can we say about BestAV at this point?
Their affiliate system was already in bad shape, plagued by frequent downtime and a clear loss of momentum.
Key players stopped working with them; we could feel the collapse coming.
So instead of looking at it "again" from an affiliate level, let's switch perspective to the administrator side.
It's been over 10 years, so I guess I can finally say it: we pwned them!
The intelligence was of course shared at the time with some agencies who were interested, mostly because of the key players participating in BestAV.
I never made that public on the blog; the operation was too tight back then to just drop a "good day, you're pwned!" or similar like I used to do in my posts.
Not because the BestAV admins were reading this blog, but because of all the affiliates being monitored in some way.
So I hope you'll enjoy these screenshots; it's one last chance to document the inside of the operation before their ultimate take-down the same year.
I think it's also the first time a FakeAV affiliate program has been documented this way.
Home:
Edit article:
Statistic Soft 1:
Soft 2:
Soft 3:
News:
Agreements:
Users:
Details for users:
'Support' account:
Action log, detail for the partner 'Severa':
Payments detail for the partner 'Severa':
Edit user infos for the partner 'Severa':
FakeAV to distribute:
Role of Severa inside BestAV:
Tickets made by Severa (none):
Mass payments:
Full list for mass payments (columns: ID, title, created at, payment till, amount, software):
136 Payment till 2014-03-02 2014-03-02 14:15 2014-03-02 46995.00 $ soft1
135 Payment till 2013-10-07-s2 2013-10-07 11:43 2013-10-07 12030.36 $ soft2
134 Payment till 2013-10-07 2013-10-07 11:43 2013-10-07 25580.00 $ soft1
133 Payment till 2013-08-29-s1 2013-08-29 04:21 2013-08-29 25145.00 $ soft1
132 Payment till 2013-08-29 2013-08-29 04:20 2013-08-29 13492.62 $ soft2
131 Payment till 2013-08-24-s2 2013-08-24 09:10 2013-08-24 41466.03 $ soft2
130 Payment till 2013-08-24 2013-08-24 09:10 2013-08-24 1425.00 $ soft1
129 Payment till 2013-08-06-s2 2013-08-06 18:00 2013-08-06 22527.60 $ soft2
128 Payment till 2013-08-06-s1 2013-08-06 18:00 2013-08-06 20068.00 $ soft1
126 Payment till 2013-07-30 2013-07-30 18:43 2013-07-30 7645.00 $ soft1
127 Payment till 2013-07-30-s2 2013-07-30 18:43 2013-07-30 15429.69 $ soft2
125 Payment till 2013-07-24-s2 2013-07-24 14:25 2013-07-24 2886.27 $ soft2
124 Payment till 2013-07-24 2013-07-24 14:25 2013-07-24 10250.00 $ soft1
123 Payment till 2013-07-22-s2 2013-07-22 20:59 2013-07-22 23516.16 $ soft2
122 Payment till 2013-07-22 2013-07-22 20:58 2013-07-22 1074.98 $ soft1
121 Payment till 2013-07-16-s2 2013-07-16 18:53 2013-07-16 39988.23 $ soft2
120 Payment till 2013-07-16 2013-07-16 18:53 2013-07-16 4860.00 $ soft1
118 Payment till 2013-07-10-s1 2013-07-10 19:19 2013-07-10 9980.00 $ soft1
119 Payment till 2013-07-10-s2 2013-07-10 19:19 2013-07-10 11510.35 $ soft2
117 Payment till 2013-07-08-s3 2013-07-08 21:44 2013-07-08 34.77 $ soft3
116 Payment till 2013-07-08-s2 2013-07-08 21:44 2013-07-08 29119.00 $ soft2
115 Payment till 2013-07-08 2013-07-08 21:44 2013-07-08 22120.00 $ soft1
114 Payment till 2013-07-01-s2 2013-07-01 20:05 2013-07-01 38150.70 $ soft2
113 Payment till 2013-07-01 2013-07-01 20:05 2013-07-01 725.00 $ soft1
112 Payment till 2013-06-18-s2 2013-06-18 20:04 2013-06-18 1463.64 $ soft2
111 Payment till 2013-06-18-s1 2013-06-18 20:04 2013-06-18 16450.00 $ soft1
108 Payment till 2013-06-11 2013-06-11 17:50 2013-06-11 1935.00 $ soft1
109 Payment till 2013-06-11-s2 2013-06-11 17:50 2013-06-11 51693.56 $ soft2
110 Payment till 2013-06-11-s3 2013-06-11 17:51 2013-06-11 200.78 $ soft3
107 Payment till 2013-06-08-s1 2013-06-08 07:25 2013-06-08 14940.00 $ soft1
106 Payment till 2013-06-08-s2 2013-06-08 07:25 2013-06-08 291.55 $ soft2
105 Payment till 2013-06-01-s2 2013-06-01 21:06 2013-06-01 30226.79 $ soft2
104 Payment till 2013-06-01 2013-06-01 21:06 2013-06-01 13170.00 $ soft1
102 Payment till 2013-05-27-s1 2013-05-27 20:50 2013-05-27 905.00 $ soft1
103 Payment till 2013-05-27-s2 2013-05-27 20:50 2013-05-27 31070.58 $ soft2
101 Payment till 2013-05-22-s3 2013-05-22 11:08 2013-05-22 36.08 $ soft3
100 Payment till 2013-05-22-s2 2013-05-22 11:08 2013-05-22 9115.38 $ soft2
99 Payment till 2013-05-22 2013-05-22 11:08 2013-05-22 4600.00 $ soft1
98 Payment till 2013-05-20-s3 2013-05-20 12:01 2013-05-20 4.85 $ soft3
97 Payment till 2013-05-20-s2 2013-05-20 12:01 2013-05-20 17522.47 $ soft2
96 Payment till 2013-05-20 2013-05-20 12:01 2013-05-20 23605.00 $ soft1
93 Payment till 2013-05-14-s1 2013-05-14 09:31 2013-05-14 8145.00 $ soft1
94 Payment till 2013-05-14-s2 2013-05-14 09:31 2013-05-14 37932.57 $ soft2
95 Payment till 2013-05-14-s3 2013-05-14 09:31 2013-05-14 147.23 $ soft3
92 Payment till 2013-05-12-s3 2013-05-12 20:10 2013-05-12 45.94 $ soft3
91 Payment till 2013-05-12-s2 2013-05-12 20:10 2013-05-12 7742.64 $ soft2
90 Payment till 2013-05-12-s1 2013-05-12 20:10 2013-05-12 18495.00 $ soft1
89 Payment till 2013-05-09-s2 2013-05-09 18:05 2013-05-09 15787.84 $ soft2
88 Payment till 2013-05-09 2013-05-09 18:05 2013-05-09 1525.00 $ soft1
87 Payment till 2013-05-06-s2 2013-05-06 12:36 2013-05-06 41202.71 $ soft2
86 Payment till 2013-05-06 2013-05-06 12:36 2013-05-06 1000.00 $ soft1
85 Payment till 2013-05-03-s2 2013-05-03 20:16 2013-05-03 15549.01 $ soft2
84 Payment till 2013-05-03 2013-05-03 20:15 2013-05-03 10260.00 $ soft1
83 Payment till 2013-04-26-s3 2013-04-26 10:22 2013-04-26 19.98 $ soft3
82 Payment till 2013-04-26-s2 2013-04-26 10:21 2013-04-26 302.14 $ soft2
81 Payment till 2013-04-26-s1 2013-04-26 10:21 2013-04-26 26370.00 $ soft1
78 Payment till 2013-04-22 2013-04-22 16:30 2013-04-22 1650.00 $ soft1
79 Payment till 2013-04-22-s2 2013-04-22 16:30 2013-04-22 51337.47 $ soft2
80 Payment till 2013-04-22-s3 2013-04-22 16:30 2013-04-22 50.26 $ soft3
77 Payment till 2013-04-19-s3 2013-04-19 11:42 2013-04-19 312.18 $ soft3
76 Payment till 2013-04-19-s2 2013-04-19 11:42 2013-04-19 9142.67 $ soft2
75 Payment till 2013-04-19-s1 2013-04-19 11:41 2013-04-19 40610.00 $ soft1
74 Payment till 2013-04-12-s1 2013-04-12 12:52 2013-04-12 13810.00 $ soft1
73 Payment till 2013-04-12 2013-04-12 12:52 2013-04-12 9717.46 $ soft2
72 Payment till 2013-04-10 2013-04-10 19:18 2013-04-10 22673.76 $ soft2
71 Payment till 2013-04-08-s1 2013-04-08 14:57 2013-04-08 11020.00 $ soft1
70 Payment till 2013-04-08-s2 2013-04-08 14:56 2013-04-08 40822.98 $ soft2
69 Payment till 2013-03-27 2013-03-27 03:51 2013-03-27 1819.36 $ soft3
68 Payment till 2013-03-22 2013-03-22 14:02 2013-03-22 0.12 $ soft3
67 Payment till 2013-03-09-s2 2013-03-09 18:35 2013-03-09 18825.00 $ soft1
66 Payment till 2013-03-09 2013-03-09 18:34 2013-03-09 2749.03 $ soft2
65 Payment till 2013-03-06 2013-03-06 15:30 2013-03-06 72766.77 $ soft2
64 Payment till 2013-02-17-s2 2013-02-17 17:59 2013-02-17 8707.66 $ soft2
63 Payment till 2013-02-17-s1 2013-02-17 17:59 2013-02-17 11145.00 $ soft1
62 Payment till 2013-02-14-s1 2013-02-14 18:49 2013-02-14 11580.00 $ soft1
61 Payment till 2013-02-14 2013-02-14 18:45 2013-02-14 33485.69 $ soft2
60 Payment till 2013-02-13 2013-02-13 15:51 2013-02-13 540.00 $ soft1
59 Payment till 2013-02-12 2013-02-12 19:42 2013-02-12 8087.24 $ soft2
58 Payment till 2013-02-11-dw 2013-02-11 17:13 2013-02-11 475.00 $ soft1
57 Payment till 2013-02-11 2013-02-11 09:39 2013-02-11 2040.00 $ soft1
56 Payment till 2013-02-10 2013-02-10 19:53 2013-02-10 694.00 $ soft2
54 Payment till 2013-02-09-peek 2013-02-09 18:27 2013-02-09 1566.83 $ soft2
55 Payment till 2013-02-09 2013-02-09 21:44 2013-02-09 11760.00 $ soft1
53 Payment till 2013-02-08-123321 2013-02-08 21:06 2013-02-08 2369.42 $ soft2
52 Payment till 2013-02-08-dun 2013-02-08 21:05 2013-02-08 256.30 $ soft2
51 Payment till 2013-02-08 2013-02-08 13:23 2013-02-08 52957.66 $ soft2
50 Payment till 2013-02-06 2013-02-06 12:55 2013-02-06 7087.86 $ soft2
49 Payment till 2013-02-05-bobo 2013-02-05 16:18 2013-02-05 5000.00 $ soft2
48 Payment till 2013-02-05 2013-02-05 08:25 2013-02-05 21466.66 $ soft2
47 Payment till 2013-02-01 2013-02-01 17:17 2013-02-01 5777.70 $ soft2
46 Payment till 2013-01-28 2013-01-29 18:23 2013-01-28 23743.88 $ soft2
44 Payment till 2013-01-24 2013-01-24 17:55 2013-01-24 83145.00 $ soft1
45 Payment till 2013-01-24-s2 2013-01-24 21:32 2013-01-24 26272.27 $ soft2
42 Payment till 2013-01-22 2013-01-22 07:59 2013-01-22 24400.00 $ soft1
41 Payment till 2013-01-12 2013-01-12 17:46 2013-01-12 20200.00 $ soft1
39 Payment till 2012-12-25 2012-12-25 13:36 2012-12-25 5515.00 $ soft1
38 Payment till 2012-12-18 2012-12-18 21:31 2012-12-18 13905.00 $ soft1
37 Payment till 2012-12-11 2012-12-11 19:47 2012-12-11 46435.00 $ soft1
36 Payment till 2012-12-05 2012-12-05 07:38 2012-12-05 27045.00 $ soft1
35 Payment till 2012-11-20 2012-11-20 10:37 2012-11-20 27320.00 $ soft1
34 Payment till 2012-11-16 2012-11-16 11:13 2012-11-16 17440.00 $ soft1
33 Payment till 2012-11-12 2012-11-12 18:15 2012-11-12 7705.00 $ soft1
32 Payment till 2012-11-11 2012-11-11 16:03 2012-11-11 2450.00 $ soft1
31 Payment till 2012-11-09 2012-11-09 14:44 2012-11-09 37095.00 $ soft1
30 Payment till 2012-11-07 2012-11-07 16:19 2012-11-07 6170.00 $ soft1
29 Payment till 2012-10-16 2012-10-16 17:12 2012-10-16 18435.00 $ soft1
28 Payment till 2012-09-26 2012-09-26 09:23 2012-09-26 40610.00 $ soft1
27 Payment till 2012-08-14 2012-08-14 18:41 2012-08-14 24150.00 $ soft1
26 Payment till 2012-08-09 2012-08-09 19:10 2012-08-09 19760.00 $ soft1
25 Payment till 2012-08-02 2012-08-02 08:30 2012-08-02 24890.00 $ soft1
24 Payment till 2012-07-27 2012-07-27 18:31 2012-07-27 24677.00 $ soft1
23 Payment till 2012-07-23 2012-07-23 15:38 2012-07-23 29102.00 $ soft1
22 Payment till 2012-07-18 2012-07-18 15:41 2012-07-18 11528.00 $ soft1
21 Payment till 2012-07-17 2012-07-17 00:26 2012-07-17 25035.00 $ soft1
20 Payment till 2012-07-12 2012-07-12 19:11 2012-07-12 4600.00 $ soft1
19 Payment till 2012-07-10 2012-07-10 15:32 2012-07-10 5940.00 $ soft1
18 Payment till 2012-07-05 2012-07-05 13:39 2012-07-05 4435.00 $ soft1
17 Payment till 2012-07-01 2012-07-01 13:25 2012-07-01 835.00 $ soft1
16 Payment till 2012-06-27 2012-06-27 17:13 2012-06-27 9905.00 $ soft1
14 Payment till 2012-06-19 2012-06-19 16:47 2012-06-19 3570.00 $ soft1
15 Payment till 2012-06-19-2 2012-06-21 20:53 2012-06-19 17350.00 $ soft1
13 Payment till 2012-06-06 2012-06-06 18:34 2012-06-06 3365.00 $ soft1
12 Payment till 2012-05-25 2012-05-25 12:06 2012-05-25 4480.00 $ soft1
11 Payment till 2012-05-18 2012-05-18 22:35 2012-05-18 9725.00 $ soft1
10 Payment till 2012-05-10 2012-05-10 21:04 2012-05-10 8575.00 $ soft1
9 Payment till 2012-04-26 2012-05-03 14:46 2012-04-26 3980.00 $ soft1
8 Payment till 2012-04-19 2012-04-26 09:55 2012-04-19 9210.00 $ soft1
7 Payment till 2012-04-12 2012-04-20 19:56 2012-04-12 8875.00 $ soft1
5 Payment till 2012-04-02 2012-04-02 13:48 2012-04-02 12800.00 $ soft1
4 Payment till 2012-03-26 2012-03-26 19:32 2012-03-26 2755.00 $ soft1
2 Payment till 2012-03-16 2012-03-16 20:34 2012-03-16 2212.25 $ soft1
1 Payment till 2012-03-12 2012-03-12 14:19 2012-03-12 4753.17 $ soft1
The numbers are kinda crazy, so let's break that down in charts.
If we total everything up and regroup by year, we get:
- 2012: $526,632.42 → $526.63K
- 2013: $1,440,845.73 → $1.44M
- 2014: $46,995.00 → $46.99K
Here are the total payments per software type across all years:
- soft1: $1,095,100.40 → $1.10M
- soft2: $916,701.20 → $916.70K
- soft3: $2,671.55 → $2.67K
The busiest year is 2013:
- soft2: $916,701.20 → $916.70K
- soft1: $521,472.98 → $521.47K
- soft3: $2,671.55 → $2.67K
A lot of money was distributed among affiliates.
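As an added example (not code from the original post or from the BestAV panel), here is a small Python parser for the mass-payment rows in the format dumped above, aggregating them by year and by software bucket the way the breakdown does. The embedded rows are a handful copied from the list; grouping by the "Payment till" date is an assumption, though every row's created and "till" dates fall in the same year anyway.

```python
# Added example: parse BestAV-style mass-payment rows and total them by year and
# by software bucket. Rows below are copied from the list in the post (not all 136).
# Assumption: the grouping year is taken from the "Payment till" date.
import re
from collections import defaultdict
from decimal import Decimal

SAMPLE_ROWS = """\
136 Payment till 2014-03-02 2014-03-02 14:15 2014-03-02 46995.00 $ soft1
135 Payment till 2013-10-07-s2 2013-10-07 11:43 2013-10-07 12030.36 $ soft2
134 Payment till 2013-10-07 2013-10-07 11:43 2013-10-07 25580.00 $ soft1
117 Payment till 2013-07-08-s3 2013-07-08 21:44 2013-07-08 34.77 $ soft3
39 Payment till 2012-12-25 2012-12-25 13:36 2012-12-25 5515.00 $ soft1
1 Payment till 2012-03-12 2012-03-12 14:19 2012-03-12 4753.17 $ soft1
"""

# Columns: id, title, created date+time, "till" date, amount, software bucket.
ROW_RE = re.compile(
    r"^(?P<id>\d+) (?P<title>Payment till \S+) "
    r"(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<till>\d{4}-\d{2}-\d{2}) (?P<amount>\d+\.\d{2}) \$ (?P<soft>soft\d)$"
)

def parse_rows(text):
    """Return one dict per well-formed row; malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:  # Decimal keeps money exact, no float rounding surprises
            rows.append({**m.groupdict(), "amount": Decimal(m["amount"])})
    return rows

def totals_by(rows, key_fn):
    """Sum amounts into buckets chosen by key_fn (year, software, ...)."""
    totals = defaultdict(Decimal)
    for r in rows:
        totals[key_fn(r)] += r["amount"]
    return dict(totals)

def by_year(rows):
    return totals_by(rows, lambda r: r["till"][:4])

def by_soft(rows):
    return totals_by(rows, lambda r: r["soft"])

def reconcile(rows):
    """Cross-check: per-year, per-software and grand totals must agree."""
    grand = sum(r["amount"] for r in rows)
    return sum(by_year(rows).values()) == sum(by_soft(rows).values()) == grand
```

Feeding the full list through `parse_rows` reproduces the per-year and per-software figures above, and `reconcile` is the same sanity check that confirms they add up to one grand total.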
Mass payments for 2014 still to do:
Edit texts:
Home page text edit:
Private AV scanner config (chk4me.com connection):
Allowed IPs:
Tickets:
BestAV later changed their URLs to farotexsoft.com; Webalizer was leaking information:
Interesting referrers:
Prime affiliates who were in relation with the group behind BestAV:
BestAV's old affiliate exploit kit:
EK test:
https://odysee.com/@XyliboxFranceVXCVE:3/sibhost-exploit-kit:e
BestAV had been doing nothing since the end of 2013 and got back to work at the end of July 2014:
19:42 29.07.2014 Reboot. Reload. 3 2 1, Go go go!
Colleagues, we've restarted our services and are looking forward to work!
---
15:53 27.03.2014 Installs fixed
Installs are fixed now. Everything is fixed.
---
10:02 27.03.2014 Installs Update 2.
Setting up a new callback server. Promised to be ready by tonight. Once more: payforms and sales are going through, there is no problem there.
---
05:33 27.03.2014 Installs
Callback proxy is broken. Fixing.
Payforms are working, sales are going through.
No reason to be worried.
---
21:02 04.03.2014 Payments.
Hello everyone, about the payments.
The situation is as follows: to unfreeze the merchants I need 30-40 AV sales a day.
Not so much, right? But because some adverts stopped working after the New Year and some others ran into problems and also stopped working, there are almost no sales happening.
Huge regards to all the webmasters who support me in this difficult time!
I’m trying to bring the sales to the required level (buying traffic, etc.).
If my calculations are correct and there are no other surprises, I'll be at the required level next week and start pushing payments through, but I would like to warn you in advance that the first ones to receive payments will be the webmasters who have the most sales; thanks to them we're still operating.
The last RAW sample we saw before the final shutdown of the program: https://www.virustotal.com/en/file/988c4604de2aec510c2d3242895b24c988bb115069c3834d47552fe7c2b86370/analysis/
Voilà, so long, and thanks for all the fish!
This blog will be kept online (but inactive) for its numerous records of the malware scene of the 2010-2016 era.
Thank you everyone and see you in night city.
--
Xyl