360 Netlab describes Orchard as an interesting evolution within the botnet ecosystem: rather than relying solely on predictable time-based seeds for its domain generation algorithm (DGA), it introduces a dynamic, external element, Bitcoin transactions, as a source of entropy.
This approach significantly complicates traditional defenses. With a conventional time-seeded DGA, analysts who recover the algorithm can precompute the domains for future dates and block or sinkhole them before they are used; seeding the algorithm with blockchain data that does not yet exist adds a layer of unpredictability that diminishes the effectiveness of this classical technique.
Orchard's hybrid model, which combines hardcoded domains with dynamic generation, reinforces its resilience against disruption. Although its functional capabilities (information gathering, command execution, and payload delivery) are not new, the way it protects its C2 infrastructure is.
Overall, this case highlights how attackers are exploring open and decentralized data sources to enhance evasion, raising the level of complexity for defensive teams.