@q3k Yeah. Can’t quote it right now, but it seems they use broken certificates that contain encrypted stuff in the rsa public key, which is then directly executed with system().
Gregory's Server