BIGO Ads Deploys C2-Style Infrastructure to Survive Domain Bans. Here's the Decrypted Config.
The BIGO Ads SDK ships with an encrypted configuration file that maps out a global network of ad-serving domains, backup hosts, and failover infrastructure. The file is AES-encrypted with a hardcoded key, served from Alibaba Cloud, and designed to make the ad network resilient to domain blocking. The SDK source code calls the class that loads it AntiBanUtils.
BIGO Ads is the ad platform under JOYY Inc. (NASDAQ: JOYY). It is integrated into thousands of apps through Google AdMob mediation and distributed as a CocoaPods/Maven dependency (com.bigossp:bigo-ads).
How I Found It
While reviewing mobile proxy traffic, I noticed recurring requests to an Alibaba Cloud OSS bucket:
GET https://ad-host-backup-america.oss-us-west-1.aliyuncs.com/uni/v2/au.pj
Every request carried a custom header: BIGO-Ad-Request-Id. The response was application/octet-stream, 8,544 bytes of uppercase hex characters. The same file, same content, served to every user. I observed 257 requests to this URL from 7 unique devices over 30 days.
The requests originated from HelloTalk, a language learning app with millions of users, running through Google AdMob mediation. I identified this by correlating the BIGO-Ad-Request-Id header with adjacent AdMob bid requests from the same device, which contained the app bundle ID com.helloTalk.helloTalk.
What the File Looks Like
The file is a hex-encoded binary blob. Decoded, it is 4,272 bytes with near-perfect entropy (7.95 out of 8.0 bits per byte), aligned to 16-byte AES blocks, with zero repeated blocks. The first 16 bytes have lower entropy than the rest, consistent with an initialization vector.
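The triage described above (decode the hex body, measure entropy, check 16-byte alignment, look for repeated blocks, treat the first block as a candidate IV) can be reproduced with this added example; it is not code from the original post, and `constructed_blob` is a deterministic stand-in built here, not the real au.pj:

```python
import hashlib
import math
from collections import Counter


def hex_blob_triage(hex_text: str) -> dict:
    """Decode an uppercase-hex body and report the indicators used above:
    size, Shannon entropy, AES block alignment, repeated blocks, candidate IV."""
    raw = bytes.fromhex(hex_text.strip())
    n = len(raw)
    counts = Counter(raw)
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values())
    blocks = [raw[i:i + 16] for i in range(0, n, 16)]
    return {
        "size": n,
        "entropy": round(entropy, 2),
        "aes_aligned": n % 16 == 0,
        # CBC output has no repeats; ECB over structured data usually does
        "repeated_blocks": len(blocks) - len(set(blocks)),
        "iv_candidate": raw[:16].hex().upper(),
    }


def constructed_blob(size: int = 4272) -> str:
    """Constructed stand-in for au.pj: a SHA-256 chain, so it is deterministic
    and high-entropy like the real file but carries no real content."""
    out, h = b"", b"constructed sample, not the real au.pj"
    while len(out) < size:
        h = hashlib.sha256(h).digest()
        out += h
    return out[:size].hex().upper()


if __name__ == "__main__":
    print(hex_blob_triage(constructed_blob()))
```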
Finding the Key
The BIGO Ads SDK is not bundled inside the HelloTalk APK. It is distributed separately as an Android AAR (com.bigossp:bigo-ads on Maven Central) and an iOS framework via CocoaPods. I downloaded version 5.6.2 of the Android SDK and decompiled it with jadx.
The URL appeared immediately:
```java
// sg/bigo/ads/controller/a/a/f.java
arrayList.add(new a("AWS", "https://ad-host-backup-asia.oss-ap-southeast-1.aliyuncs.com/uni/v2/au.pj", true, "asia"));
arrayList.add(new a("AWS", "https://ad-host-backup-europe.oss-eu-central-1.aliyuncs.com/uni/v2/au.pj", true, "europe"));
arrayList.add(new a("AWS", "https://ad-host-backup-america.oss-us-west-1.aliyuncs.com/uni/v2/au.pj", true, "america"));
```
Three regional copies. Asia, Europe, America. All on Alibaba Cloud OSS.
The decryption function was in sg/bigo/ads/controller/a/a.java, with the key logged in plaintext:
```java
sg.bigo.ads.common.t.a.a(0, 3, "AntiBanUtils",
    "decrypt, cryptStr=" + str5 +
    ", hexStringSecKey=FEFFFFFFFFFAFFFDCBFFFFFFFFFFFF4F, decryptStr=" + strA);
```
The cipher implementation in sg/bigo/ads/common/utils/o.java:
```java
SecretKeySpec secretKeySpec = new SecretKeySpec(bArr2, "AES");
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
```
AES-128-CBC. Hardcoded key: FEFFFFFFFFFAFFFDCBFFFFFFFFFFFF4F. First 16 bytes of the payload are the IV.
Decryption
```python
from Crypto.Cipher import AES  # pycryptodome
from Crypto.Util.Padding import unpad
import binascii
import json

# Key recovered from the decompiled AntiBanUtils log statement
key = binascii.unhexlify("FEFFFFFFFFFAFFFDCBFFFFFFFFFFFF4F")
# au.pj as served: uppercase hex text, decoded to the raw 4,272-byte blob
data = binascii.unhexlify(open("au.pj").read().strip())
# First 16 bytes are the IV; the rest is AES-128-CBC ciphertext with PKCS#5 padding
cipher = AES.new(key, AES.MODE_CBC, data[:16])
plaintext = unpad(cipher.decrypt(data[16:]), 16)
config = json.loads(plaintext)  # fails loudly if the key or layout is wrong
```
Decrypted size: 4,253 bytes. Valid JSON.
What Is Inside
The decrypted config is a server routing map with three sections: cfg_svr (SDK configuration), ad_svr (ad serving), and report_svr (impression/click tracking). Each section contains per-country primary hosts and backup hosts.
Ad Serving Domains (ad_svr)
| Country | Primary Host | Backup Host |
|---|---|---|
| Global | tr.acobt.tech | api.antibanads.com |
| Russia | trk.appleads.ru | edu.zoly.tech |
| Saudi Arabia | d10sbd116h2zht.cloudfront.net | d10sbd116h2zht.cloudfront.net |
| UAE | api.companinons.site | api.cpmmax.site |
| India | api.successwe.site | api.successwe.site |
Config Delivery (third_pay_svr and third_free_svr)
The config file contains URLs to itself, creating a self-bootstrapping loop:
| Provider | URL |
|---|---|
| Alibaba OSS (Asia) | ad-host-backup-asia.oss-ap-southeast-1.aliyuncs.com/uni/v2/au.pj |
| Alibaba OSS (Europe) | ad-host-backup-europe.oss-eu-central-1.aliyuncs.com/uni/v2/au.pj |
| Alibaba OSS (America) | ad-host-backup-america.oss-us-west-1.aliyuncs.com/uni/v2/au.pj |
| Yandex Cloud | storage.yandexcloud.net/ad-host-config/nonvpn.pj |
| Google Drive | drive.google.com/uc?export=download&id=1ms4F7Cn_aInE9oFMMaZEiwMIuMKt1DZc |
The SDK refreshes the config hourly (interval: 3600). If the primary host fails after 3 attempts (threshold: 3), it falls back to the backup. The Google Drive URL serves as a last-resort free tier, refreshing daily on success and retrying every 30 minutes on failure.
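Two things a defender wants from a decrypted config of this shape are the complete host list (for DNS or proxy detection rules) and a model of the primary/backup/threshold routing just described. This added example does both over a constructed miniature of the config; it is not code from the post or the SDK, the hosts are placeholders, and the precedence of country-specific entries over "all" is an assumption:

```python
import json
from urllib.parse import urlsplit

# Constructed miniature of the decrypted config (same shape, placeholder hosts);
# the real file is reproduced in full at the end of the post.
SAMPLE_CONFIG = json.loads("""{
  "ad_svr": {
    "country_hosts": [
      {"country": "all", "host": "primary-global.example", "app_flag": 0},
      {"country": "ru",  "host": "primary-ru.example",     "app_flag": 0}
    ],
    "backup_hosts": [
      {"country": "all", "hosts": ["backup-global.example"], "app_flag": 0},
      {"country": "ru",  "hosts": ["backup-ru.example"],     "app_flag": 0}
    ],
    "threshold": 5
  },
  "third_pay_svr": {"interval": 7200, "urls": [
    {"name": "aliyun", "region": "asia", "url": "https://bucket.example/uni/v2/au.pj"}]}
}""")


def collect_hosts(cfg: dict) -> list:
    """Every primary host, backup host and bootstrap-URL host in the config:
    the indicator list to feed into DNS/proxy detection or blocking."""
    hosts = set()
    for section in cfg.values():
        if not isinstance(section, dict):
            continue
        hosts.update(e["host"] for e in section.get("country_hosts", []))
        for e in section.get("backup_hosts", []):
            hosts.update(e["hosts"])
        hosts.update(urlsplit(e["url"]).hostname for e in section.get("urls", []))
    return sorted(hosts)


def select_host(cfg: dict, section: str, country: str, app_flag: int, failures: int):
    """Primary host for (country, app_flag); once failures reach the section's
    threshold, the first backup. Country entries win over "all" (assumption)."""
    svr = cfg[section]

    def pick(entries, key):
        for want in (country, "all"):
            for e in entries:
                if e["country"] == want and e["app_flag"] == app_flag:
                    return e[key]
        return None

    if failures >= svr.get("threshold", 3):
        backups = pick(svr["backup_hosts"], "hosts")
        return backups[0] if backups else None
    return pick(svr["country_hosts"], "host")
```

Running `collect_hosts` over the real decrypted config at the end of the post yields the full set of domains the SDK can be steered to, including the bootstrap buckets.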
Domain Fronting
The config includes a domain_front field for Saudi Arabia, indicating the SDK supports domain fronting: connecting to a legitimate CDN endpoint while routing traffic to a hidden backend. AWS and Google banned domain fronting in 2018 due to its use in censorship circumvention and C2 infrastructure.
What This Means
The AES encryption serves one purpose: preventing network inspection tools and ad blockers from reading the domain list in transit. The hardcoded key means any researcher with the SDK binary can decrypt it. The encryption is not protecting user data or securing a communication channel. It is hiding infrastructure from automated detection.
The domain naming is deliberately deceptive. trk.appleads.ru impersonates Apple's ad service. edu.zoly.tech mimics an educational domain. api.antibanads.com is self-descriptive. These names are designed to pass casual inspection of network logs.
The multi-cloud hosting across Alibaba OSS (3 regions), Yandex Cloud, and Google Drive means the config file cannot be blocked without simultaneously blocking three major cloud providers. The self-referencing bootstrap ensures the SDK can always locate fresh domain lists even if every ad-serving domain is already blocked.
The resp_decrypt_enable parameter in the SDK's bid requests suggests ad response content can also be encrypted, making the entire ad-serving data flow opaque to network inspection.
Context
JOYY Inc. has faced scrutiny before. In 2020, Muddy Waters Research published a report alleging that 90% of YY Live revenue and 80% of BIGO revenue was fraudulent, driven by bot-generated transactions. In 2025, The New York Times reported that Bigo Live was used to facilitate child sexual abuse, leading Apple and Google to remove the app from their stores. Bigo Live represented 89% of JOYY's revenue at the time.
In January 2026, BIGO Ads announced an expanded partnership with Pixalate for anti-fraud measures.
I am not alleging that BIGO Ads is committing ad fraud. I am documenting that their SDK deploys encrypted, self-updating server configuration infrastructure with deceptive domain names, domain fronting capability, and multi-cloud redundancy. These are techniques more commonly associated with C2 infrastructure than legitimate ad serving.
Full Decrypted Config
{
"cfg_svr": {
"country_hosts": [
{
"country": "all",
"host": "api.onegg.site",
"app_flag": 0
},
{
"country": "ru",
"host": "trk.deepads.ru",
"app_flag": 0
},
{
"country": "all",
"host": "newjeans.pckqac.tech",
"app_flag": 2
},
{
"country": "ru",
"host": "api.pckqac.tech",
"app_flag": 2
},
{
"country": "sa",
"host": "topmax.cizaa.tech",
"app_flag": 0,
"domain_front": ""
},
{
"country": "sa",
"host": "api.topnotchs.tech",
"app_flag": 2
},
{
"country": "ae",
"host": "api.companinons.site",
"app_flag": 0
},
{
"country": "in",
"host": "api.successwe.site",
"app_flag": 0
}
],
"backup_hosts": [
{
"country": "all",
"hosts": [
"api.antibanads.com"
],
"app_flag": 0
},
{
"country": "ru",
"hosts": [
"topmax.cizaa.tech"
],
"app_flag": 0
},
{
"country": "all",
"hosts": [
"newjeans.pckqac.tech"
],
"app_flag": 2
},
{
"country": "ru",
"hosts": [
"d1mt01ixprehg5.cloudfront.net"
],
"app_flag": 2
},
{
"country": "sa",
"hosts": [
"d10sbd116h2zht.cloudfront.net"
],
"app_flag": 0
},
{
"country": "sa",
"hosts": [
"api.topnotchs.tech"
],
"app_flag": 2
},
{
"country": "ae",
"hosts": [
"api.cpmmax.site"
],
"app_flag": 0
},
{
"country": "in",
"hosts": [
"api.successwe.site"
],
"app_flag": 0
}
],
"threshold": 3,
"interval": 3600
},
"report_svr": {
"country_hosts": [
{
"country": "all",
"host": "api.onegg.site",
"app_flag": 0
},
{
"country": "ru",
"host": "trk.deepads.ru",
"app_flag": 0
},
{
"country": "all",
"host": "newjeans.pckqac.tech",
"app_flag": 2
},
{
"country": "ru",
"host": "api.pckqac.tech",
"app_flag": 2
},
{
"country": "sa",
"host": "d10sbd116h2zht.cloudfront.net",
"app_flag": 0
},
{
"country": "sa",
"host": "api.topnotchs.tech",
"app_flag": 2
},
{
"country": "ae",
"host": "api.companinons.site",
"app_flag": 0
},
{
"country": "in",
"host": "api.successwe.site",
"app_flag": 0
},
{
"country": "all",
"host": "curb.okvmm.tech",
"app_flag": 28
},
{
"country": "ru",
"host": "zoo.zxphiz.tech",
"app_flag": 28
}
],
"backup_hosts": [
{
"country": "all",
"hosts": [
"api.antibanads.com"
],
"app_flag": 0
},
{
"country": "ru",
"hosts": [
"topmax.cizaa.tech"
],
"app_flag": 0
},
{
"country": "all",
"hosts": [
"newjeans.pckqac.tech"
],
"app_flag": 2
},
{
"country": "ru",
"hosts": [
"d1mt01ixprehg5.cloudfront.net"
],
"app_flag": 2
},
{
"country": "sa",
"hosts": [
"d10sbd116h2zht.cloudfront.net"
],
"app_flag": 0
},
{
"country": "sa",
"hosts": [
"api.topnotchs.tech"
],
"app_flag": 2
},
{
"country": "ae",
"hosts": [
"api.cpmmax.site"
],
"app_flag": 0
},
{
"country": "in",
"hosts": [
"api.successwe.site"
],
"app_flag": 0
}
],
"threshold": 3
},
"ad_svr": {
"country_hosts": [
{
"country": "all",
"host": "tr.acobt.tech",
"app_flag": 0
},
{
"country": "ru",
"host": "trk.appleads.ru",
"app_flag": 0
},
{
"country": "all",
"host": "newjeans.pckqac.tech",
"app_flag": 2
},
{
"country": "ru",
"host": "jet.pckqac.tech",
"app_flag": 2
},
{
"country": "sa",
"host": "d10sbd116h2zht.cloudfront.net",
"app_flag": 0
},
{
"country": "sa",
"host": "api.topnotchs.tech",
"app_flag": 2
},
{
"country": "ae",
"host": "api.companinons.site",
"app_flag": 0
},
{
"country": "in",
"host": "api.successwe.site",
"app_flag": 0
},
{
"country": "all",
"host": "done.acobt.tech",
"app_flag": 28
},
{
"country": "ru",
"host": "api.adeeply.ru",
"app_flag": 28
}
],
"backup_hosts": [
{
"country": "all",
"hosts": [
"api.antibanads.com"
],
"app_flag": 0
},
{
"country": "ru",
"hosts": [
"edu.zoly.tech"
],
"app_flag": 0
},
{
"country": "all",
"hosts": [
"newjeans.pckqac.tech"
],
"app_flag": 2
},
{
"country": "ru",
"hosts": [
"pack.miskyc.tech"
],
"app_flag": 2
},
{
"country": "sa",
"hosts": [
"d10sbd116h2zht.cloudfront.net"
],
"app_flag": 0
},
{
"country": "sa",
"hosts": [
"api.topnotchs.tech"
],
"app_flag": 2
},
{
"country": "ae",
"hosts": [
"api.cpmmax.site"
],
"app_flag": 0
},
{
"country": "in",
"hosts": [
"api.successwe.site"
],
"app_flag": 0
}
],
"threshold": 5
},
"third_pay_svr": {
"interval": 7200,
"urls": [
{
"name": "yandex",
"region": "all",
"url": "https://storage.yandexcloud.net/ad-host-config/nonvpn.pj"
},
{
"name": "aliyun",
"region": "asia",
"url": "https://ad-host-backup-asia.oss-ap-southeast-1.aliyuncs.com/uni/v2/au.pj"
},
{
"name": "aliyun",
"region": "europe",
"url": "https://ad-host-backup-europe.oss-eu-central-1.aliyuncs.com/uni/v2/au.pj"
},
{
"name": "aliyun",
"region": "america",
"url": "https://ad-host-backup-america.oss-us-west-1.aliyuncs.com/uni/v2/au.pj"
}
]
},
"third_free_svr": {
"suc_interval": 86400,
"fail_interval": 1800,
"urls": [
{
"name": "Google",
"url": "https://drive.google.com/uc?export=download&id=1ms4F7Cn_aInE9oFMMaZEiwMIuMKt1DZc"
}
]
},
"uri_opt_timeout": {
"getsdkconfig": 0,
"getuniad": 0,
"unicallback": 0,
"getuniconfig": 0,
"reportunibaina": 0
},
"req_pool_size": {
"sdk_config": 3,
"report": 2,
"config_ad": 200,
"callback": 3,
"vast_wrapper": 10,
"tracker": 12,
"creative": 20
},
"ip_list": {}
}

Methodology
The BIGO Ads SDK (version 5.6.2) was downloaded from Maven Central and decompiled with jadx. No systems were accessed without authorization. No individual user data is disclosed. All traffic was observed from consented devices.