Severity: High | Category: Phishing

AllSyDevs C2 Infrastructure

Investigated: April 10, 2026 | Published: April 10, 2026
Tags: allsydevs, dump, c2, rat, phishing, stealer, botnet, hetzner, cpanel, tor

TLP: WHITE
Date: 2026-04-10
Analyst: GHOST (Breakglass Intelligence)
Classification: Cybercrime -- Multi-Campaign Information Stealer / RAT Operation


Executive Summary

A compromised Syrian web development company's cPanel server (allsydevs[.]com / 5[.]9[.]215[.]3) is being used to host a .NET RAT payload disguised as a WordPress image file. The payload (SHA256: a888fb84a000df02eb54d7e63746609f4a348fd2026eef40c9198a42d1b3ee32) is an AES-encrypted process-injection loader classified as MSIL/Benin trojan, detected by 49/76 AV engines. The real C2 server operates at 172[.]93[.]167[.]12:4263 on a Windows VPS hosted by Amanah Tech/Nexeon Technologies in North America, using a self-signed TLS certificate with the fake CN "Mesh Data". This C2 serves at least 6 different malware variants targeting Middle Eastern businesses (construction, export companies). The infrastructure was set up in early April 2026 and is LIVE as of this writing.

Key Findings

  • LIVE C2 server at 172[.]93[.]167[.]12:4263 responding to /ping beacons (HTTP/2 + TLS 1.3)
  • Compromised legitimate server (allsydevs[.]com) hosting malware payload in WordPress directory
  • 6 malware samples communicating with this C2, all MSIL stealers/RATs with obfuscated names
  • Middle Eastern targeting evident from lure filenames (Al Fadala Export, BOQ construction lists)
  • 3 co-hosted domains on compromised cPanel server: allsydevs[.]com, abdullaclinic[.]com, tharwaa[.]com
  • SPF record reveals 5 related IPs across Hetzner infrastructure including a Serbian hosting company (hostingsrbija[.]com)
  • C2 cert issued April 1, 2026 -- infrastructure is only 9 days old
  • ThreatFox already flagged this C2 as botnet_cc on March 18, 2026

Attack Chain

[1] Spear-phishing email with construction/export-themed lure
    |
    v
[2] RAR/TXZ archive containing .NET loader (obfuscated names: Igkwxppl.exe, Xcupeqygygb.exe)
    |
    v
[3] Loader fetches or contains AES-encrypted payload (~324KB embedded blob)
    |
    v  
[4] AES decryption -> Process injection (VirtualAlloc + WriteProcessMemory)
    |
    v
[5] Injected RAT/Stealer beacons to C2 at 172.93.167.12:4263 via HTTPS POST
    |
    v
[6] Data exfiltration (credentials, browser data, crypto wallets)

Infrastructure Analysis

Payload Hosting -- Compromised cPanel Server

Attribute | Value
--- | ---
Domain | allsydevs[.]com
IP | 5[.]9[.]215[.]3
ASN | AS24940 (Hetzner Online GmbH)
Location | Germany
Server | LiteSpeed + OpenResty 1.27.1.1
cPanel | Active (ports 2082/2083/2086/2087/2095/2096)
OS | Linux
PHP | 7.4.33 (EOL)
SSH | OpenSSH 8.0 (ancient, vulnerable)
Registrar | Realtime Register B.V.
Created | 2021-03-20
Status | LIVE -- COMPROMISED

Co-hosted Domains:

Domain | Registrar | Notes
--- | --- | ---
allsydevs[.]com | Realtime Register | Syrian web dev company -- primary payload host
abdullaclinic[.]com | Unknown | Medical clinic -- cert on cPanel port 2083
tharwaa[.]com | GoDaddy (since 2006) | WordPress site, user "customer" exposed via REST API

SPF-Linked IPs (from TXT record):

IP | rDNS / Purpose
--- | ---
5[.]9[.]215[.]3 | Primary server
167[.]235[.]182[.]97 | Hetzner client (static)
46[.]4[.]161[.]220 | ns2.hostingsrbija[.]com -- Serbian hosting company
162[.]55[.]100[.]173 | Hetzner client (static)
148[.]251[.]154[.]252 | Hetzner client (static)
148[.]251[.]154[.]253 | Hetzner client (static)

Certificates on 5[.]9[.]215[.]3:

Port | Certificate CN | Issuer | Issued | Notes
--- | --- | --- | --- | ---
443 | *.allsydevs[.]com | Let's Encrypt R12 | 2026-02-09 | Wildcard -- covers all subdomains
2083 | *.abdullaclinic[.]com | Let's Encrypt R12 | 2026-02-09 | cPanel uses abdullaclinic cert
2087 | server.allsydevs[.]com | Let's Encrypt E8 | 2026-04-06 | WHM -- renewed 4 days ago
2096 | server.allsydevs[.]com | Let's Encrypt E8 | 2026-04-06 | Webmail

Command & Control Server

Attribute | Value
--- | ---
IP | 172[.]93[.]167[.]12
Port | 4263 (HTTPS)
ASN | AS32489 (Amanah Tech Inc.)
Network | 172.93.167.0/24
Registered to | Nexeon Technologies, Inc. (Stafford, TX)
OS | Windows (Microsoft HTTPAPI 2.0)
RDP | Port 3650 (non-standard)
Protocol | HTTP/2 + TLS 1.3
VT Reputation | -11 (13 malicious detections)
ThreatFox | Known botnet_cc since 2026-03-18
Status | LIVE

C2 TLS Certificate:

Field | Value
--- | ---
Subject | C=US, OU=Monitoring, O=Enterprise, CN=Mesh Data
Issuer | Self-signed
Serial | a3:e5:c3:8c:d4:43:96:dd
Not Before | 2026-04-01 06:27:02 UTC
Not After | 2027-04-08 06:27:02 UTC
Key | RSA 4096-bit
SKI | 59:98:C7:5C:4F:88:9A:F2:7E:E5:D8:89:41:3D:2A:6F:4E:34:EE:E5

C2 Endpoint Behavior:

  • GET /ping -> 200 "OK" (beacon health check)
  • POST /ping -> 200 "OK" (beacon check-in)
  • GET /* -> 405 "Method Not Allowed" (POST-only C2)
  • POST /gate -> 404 "Not Found" (deprecated/unused endpoint)
  • All POST endpoints require Content-Length header

Malware Analysis

Primary Sample

Attribute | Value
--- | ---
SHA256 | a888fb84a000df02eb54d7e63746609f4a348fd2026eef40c9198a42d1b3ee32
MD5 | 38408b5a8c39b0ac1f586a16fd86306e
Imphash | f34d5f2d4577ed6d9ceec516c1f5a744
Type | PE32 .NET assembly (GUI)
Size | 640,000 bytes (exact)
Hosted as | align-none1.png (disguised as WordPress image)
Original name | Igkwxppl.exe
Framework | .NET v4.0.30319
Compile time | Falsified (2053-07-16)
Obfuscation | ConfuserEx-style (heavy name mangling)
VT Detection | 49/76
Classification | trojan.msil/benin
Tags | assembly, peexe, spreader

.NET Metadata

Field | Value
--- | ---
Assembly name | Xngpwrsns
Module GUID | {A1876656-F21C-4071-A2F2-25C72D15CFBE}
Private Impl GUID | {7209BB42-DC9E-43C7-9F45-347A22CCD901}
Properties namespace | Igkwxppl.Properties
#US heap size | 1,404 bytes
#Strings size | 28,508 bytes
#~ size | 46,128 bytes

Sections

Section | Size | Entropy | Notes
--- | --- | --- | ---
.text | 622.5 KB | 7.26 | Contains code + 324KB encrypted payload
.rsrc | 1.5 KB | 3.95 | Minimal resources
.reloc | 0.5 KB | 0.08 | Relocation data

Capabilities (from User Strings)

  • AES Encryption: References System.Security.Cryptography.AesCryptoServiceProvider
  • Process Injection: VirtualAlloc, WriteProcessMemory, OpenProcess, CloseHandle via kernel32.dll P/Invoke
  • Resource Loading: Accesses embedded "ResourceA" resource
  • Delegate Marshaling: GetDelegateForFunctionPointer for dynamic API resolution

Encrypted Payload

A 324KB high-entropy blob is embedded in the .text section (file offset 0x4A200 to 0x9B200). This blob is AES-encrypted and contains the actual RAT/stealer payload. The loader decrypts it using keys derived from obfuscated string constants and injects it into a target process via process hollowing.

Potential key material from the #US heap (16-character strings, i.e. AES-128 key-length candidates):

  • 7Am6AotaNR5hyDy3 (at offset 0x44876)
  • XeLjmrfAsUIojTZr (at offset 0x448C4)
  • 2SUUCAP4yPDmWBy8 (at offset 0x4495C)

Full decryption requires disassembly of the obfuscated key derivation logic in the ConfuserEx-protected .NET IL code.
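As an added illustration of how an embedded high-entropy blob like this one is located (this is not the report's tooling, and the bytes it scans are a constructed stand-in, not the real sample), the following Python performs a sliding-window Shannon entropy scan and merges windows that score like ciphertext into regions; the stand-in places random bytes at the report's offsets 0x4A200..0x9B200 inside a 640,000-byte file:

```python
import math
import random
from collections import Counter

def shannon_entropy(chunk: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 for uniform random."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())

def find_high_entropy_regions(data: bytes, window: int = 1024, threshold: float = 7.0,
                              min_size: int = 64 * 1024) -> list:
    """Slide a fixed window over data and merge runs of windows scoring >= threshold
    into (start, end, mean_entropy) regions of at least min_size bytes. Encrypted or
    compressed blobs sit near 8.0; .NET IL, metadata and resources sit well below 7."""
    regions, start, scores = [], None, []
    for off in range(0, len(data), window):
        ent = shannon_entropy(data[off:off + window])
        if ent >= threshold:
            start = off if start is None else start
            scores.append(ent)
        elif start is not None:
            if off - start >= min_size:
                regions.append((start, off, sum(scores) / len(scores)))
            start, scores = None, []
    if start is not None and len(data) - start >= min_size:
        regions.append((start, len(data), sum(scores) / len(scores)))
    return regions

def build_constructed_sample() -> bytes:
    """Constructed stand-in for the 640,000-byte loader (NOT the real sample): low-entropy
    filler with random bytes at the report's blob offsets 0x4A200..0x9B200 (324 KB)."""
    rng = random.Random(1)                                 # deterministic
    filler = b"\x00\x8b\x45\x90\xff"                       # few distinct byte values
    head = bytes(rng.choice(filler) for _ in range(0x4A200))
    blob = bytes(rng.getrandbits(8) for _ in range(0x9B200 - 0x4A200))
    tail = bytes(rng.choice(filler) for _ in range(640_000 - 0x9B200))
    return head + blob + tail

def locate_blob(data: bytes):
    """Return the largest high-entropy region, or None if the file has none."""
    regions = find_high_entropy_regions(data)
    return max(regions, key=lambda r: r[1] - r[0]) if regions else None

if __name__ == "__main__":
    start, end, ent = locate_blob(build_constructed_sample())
    print(f"blob at 0x{start:X}-0x{end:X} ({(end - start) // 1024} KB, entropy {ent:.2f})")
```

Boundaries are reported at window granularity, so on the stand-in the blob is found within one window of the report's offsets; on a real sample the same scan gives the region to hand to the decryption work.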

Sandbox Behavior (VirusTotal)

  • C2 Communication: HTTPS POST to 172[.]93[.]167[.]12:4263/ping
  • Mutex: 273c525444af
  • Scheduled Task Deletion: Deletes Microsoft\Windows\Customer Experience Improvement Program\Uploader (anti-forensics)
  • Process Creation: schtasks.exe /delete /f /TN ...

Related Samples

SHA256 | Name | Detection | Family | First Seen
--- | --- | --- | --- | ---
356692ba... | Upgtrtnxtyu.exe | 57/76 | MSIL Stealer | 2026-03-16
35e91bbf... | New BOQ List 2026-03 East Project.txz | 27/76 | PasswordStealer | 2026-03-14
4aca40c1... | Xcupeqygygb.exe | 48/76 | MSIL/Bobik | 2026-03-27
83e0352d... | New Enquiry order list_Al fadala Export project.001 | 17/75 | Trojan | 2026-03-28
a888fb84... | Igkwxppl.exe (this sample) | 49/76 | MSIL/Benin | 2026-04-06
d9c520ec... | Jjdjtqrj.exe | 54/76 | MSIL Stealer | 2026-03-20

Threat Actor Profile

Attribution Assessment

  • Confidence: MEDIUM
  • Region: Likely Middle East or South Asia (based on targeting patterns and infrastructure choices)
  • Motivation: Financial -- information stealing and credential theft
  • Sophistication: MODERATE -- uses ConfuserEx obfuscation, AES encryption, process injection, compromised legitimate infrastructure for payload hosting, but relies on known stealer frameworks rather than custom tooling

OPSEC Observations

  • Uses compromised legitimate Syrian web server for payload hosting (reduces domain reputation flags)
  • C2 on separate infrastructure from payload hosting (operational segmentation)
  • Non-standard RDP port (3650 vs 3389) to avoid scanning
  • Self-signed cert with generic "Enterprise/Monitoring/Mesh Data" names to blend with legitimate corporate services
  • Falsified PE compilation timestamp
  • ConfuserEx obfuscation on all samples
  • However: same C2 IP used across multiple campaigns without rotation (OPSEC failure)

Targeting Patterns

  • "New BOQ List 2026-03 East Project" -- BOQ (Bill of Quantities) = construction industry lure
  • "New Enquiry order list_Al fadala Export project" -- Al Fadala is a UAE-based trading/export company
  • Both lures use business/procurement themes targeting Middle Eastern commercial entities

MITRE ATT&CK Mapping

Tactic | Technique | ID | Application
--- | --- | --- | ---
Initial Access | Spear-phishing Attachment | T1566.001 | RAR/TXZ lures with business themes
Execution | User Execution | T1204.002 | User opens disguised .NET executable
Defense Evasion | Obfuscated Files | T1027 | ConfuserEx obfuscation
Defense Evasion | Masquerading | T1036.008 | .exe disguised as .png
Defense Evasion | Deobfuscate/Decode Files | T1140 | AES decryption of embedded payload
Defense Evasion | Process Injection | T1055.012 | Process hollowing via VirtualAlloc/WriteProcessMemory
Defense Evasion | Indicator Removal | T1070.004 | Deletes scheduled tasks
Command and Control | Encrypted Channel | T1573.002 | HTTPS with self-signed cert on non-standard port
Command and Control | Non-Standard Port | T1571 | Port 4263 for C2
Collection | Credentials from Password Stores | T1555 | Stealer capability
Exfiltration | Exfiltration Over C2 Channel | T1041 | HTTPS POST to C2

IOC Summary

Network Indicators

C2 Infrastructure:

  • 172[.]93[.]167[.]12:4263 -- Primary C2 (LIVE)
  • 172[.]93[.]167[.]12:3650 -- Operator RDP (LIVE)

Payload Hosting (Compromised):

  • allsydevs[.]com / 5[.]9[.]215[.]3 -- Compromised cPanel hosting payload
  • hxxps://allsydevs[.]com/wp-admin/images/align-none1.png -- Payload URL

Related Infrastructure:

  • abdullaclinic[.]com -- Co-hosted on compromised server
  • tharwaa[.]com -- Co-hosted on compromised server
  • 46[.]4[.]161[.]220 (ns2.hostingsrbija[.]com) -- In SPF record
  • 167[.]235[.]182[.]97 -- In SPF record (Hetzner)
  • 162[.]55[.]100[.]173 -- In SPF record (Hetzner)
  • 148[.]251[.]154[.]252 -- In SPF record (Hetzner)
  • 148[.]251[.]154[.]253 -- In SPF record (Hetzner)

File Indicators

Hash Type | Value
--- | ---
SHA256 | a888fb84a000df02eb54d7e63746609f4a348fd2026eef40c9198a42d1b3ee32
MD5 | 38408b5a8c39b0ac1f586a16fd86306e
Imphash | f34d5f2d4577ed6d9ceec516c1f5a744
File size | 640,000 bytes

Behavioral Indicators

  • Mutex: 273c525444af
  • Deleted Task: Microsoft\Windows\Customer Experience Improvement Program\Uploader
  • C2 Beacon: HTTPS POST to /ping on port 4263
  • TLS Cert CN: Mesh Data
  • TLS Cert Serial: a3:e5:c3:8c:d4:43:96:dd
  • TLS Cert SKI: 59:98:C7:5C:4F:88:9A:F2:7E:E5:D8:89:41:3D:2A:6F:4E:34:EE:E5

Immediate (24-48 hours)

  1. Block 172[.]93[.]167[.]12 at perimeter firewall (all ports)
  2. Block 5[.]9[.]215[.]3 at perimeter firewall
  3. Search proxy/DNS logs for connections to allsydevs[.]com and 172[.]93[.]167[.]12:4263
  4. Hunt for mutex 273c525444af on endpoints
  5. Deploy YARA rules below to scan file shares and email gateways

Short-term (1-2 weeks)

  1. Search for all SHA256 hashes from the Related Samples table
  2. Deploy Suricata rules for network detection
  3. Check for deleted scheduled task Customer Experience Improvement Program\Uploader as IOC
  4. Review any connections to Nexeon Technologies IP space (172.93.128.0/17)

Medium-term (1-3 months)

  1. Monitor TLS certificates with CN "Mesh Data" via CT logs
  2. Track imphash f34d5f2d4577ed6d9ceec516c1f5a744 for new variants
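To make the hunting steps above concrete, here is an added Python triage script (not part of the report) that refangs the indicators exactly as printed and then checks constructed proxy lines and TLS certificate records against them; the log formats, field order and the 10.0.0.x hosts are assumptions, and a hit in the Nexeon /17 is reported as low severity for review rather than blocking, in line with the short-term step 4:

```python
import ipaddress
from urllib.parse import urlparse

def refang(s: str) -> str:
    """Turn the report's defanged notation back into matchable values."""
    return s.replace("[.]", ".").replace("hxxp", "http")

# Indicators copied from the report, defanged as printed there
C2_IP = refang("172[.]93[.]167[.]12")
C2_PORTS = {4263, 3650}                      # C2 beacon port, operator RDP port
PAYLOAD_HOST = refang("allsydevs[.]com")
PAYLOAD_URL = refang("hxxps://allsydevs[.]com/wp-admin/images/align-none1.png")
PROVIDER_NET = ipaddress.ip_network("172.93.128.0/17")  # Nexeon space: review only
CERT_CN, CERT_SERIAL = "Mesh Data", "a3:e5:c3:8c:d4:43:96:dd".replace(":", "")

def match_proxy(line: str):
    """Assumed proxy format: '<ts> <src> <method> <url> <dst_ip>:<dst_port> <status>'."""
    _ts, _src, _method, url, dst, _status = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    if url == PAYLOAD_URL:
        return "high", "payload download from compromised host"
    if dst_ip == C2_IP:
        return ("high" if int(dst_port) in C2_PORTS else "medium"), f"traffic to C2 IP port {dst_port}"
    if urlparse(url).hostname == PAYLOAD_HOST:
        return "medium", "contact with compromised payload host"
    if ipaddress.ip_address(dst_ip) in PROVIDER_NET:
        return "low", "destination in Nexeon range, review"
    return None

def match_tls(rec: dict):
    """Assumed TLS record: dict with 'src', 'subject_cn', 'serial' (hex, colons optional)."""
    hits = [n for n, ok in (("C2 cert CN", rec.get("subject_cn") == CERT_CN),
            ("C2 cert serial", rec.get("serial", "").replace(":", "").lower() == CERT_SERIAL)) if ok]
    return ("high", " + ".join(hits)) if hits else None

def hunt(proxy_lines, tls_records):
    # One (severity, reason, source_host) tuple per matching record
    out = [(m[0], m[1], ln.split()[1]) for ln in proxy_lines if (m := match_proxy(ln))]
    out += [(m[0], m[1], rec["src"]) for rec in tls_records if (m := match_tls(rec))]
    return out

# Constructed sample telemetry (not from the report); 10.0.0.15 plays the infected host
PROXY_LOG = [
    "2026-04-10T08:00:03Z 10.0.0.15 GET https://allsydevs.com/wp-admin/images/align-none1.png 5.9.215.3:443 200",
    "2026-04-10T08:01:12Z 10.0.0.15 POST https://172.93.167.12:4263/ping 172.93.167.12:4263 200",
    "2026-04-10T08:03:10Z 10.0.0.31 GET https://172.93.200.5/ 172.93.200.5:443 200",
]
TLS_LOG = [
    {"src": "10.0.0.15", "subject_cn": "Mesh Data", "serial": "A3:E5:C3:8C:D4:43:96:DD"},
    {"src": "10.0.0.22", "subject_cn": "example.org", "serial": "01"},
]
```

Matching on the certificate serial as well as the CN means a renewed "Mesh Data" certificate still surfaces on the CN alone, which is what the CT-log monitoring step above relies on.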

Abuse Reports

Nexeon Technologies (C2 Hosting)

  • Email: abuse@nexeontech.com
  • Subject: Active C2 server on 172.93.167.12 -- MSIL Stealer/RAT operation
  • Content: IP 172.93.167.12 is hosting a live command and control server for an information stealing malware campaign on port 4263. At least 6 malware samples communicate with this server. ThreatFox reference: ID 1770720. VirusTotal reputation: -11 with 13 malicious detections.

Hetzner (Compromised Server)

  • Email: abuse@hetzner.com
  • Subject: Compromised cPanel server at 5.9.215.3 hosting malware
  • Content: Server 5.9.215.3 (allsydevs.com) has been compromised and is hosting a .NET RAT payload at /wp-admin/images/align-none1.png. The server runs EOL PHP 7.4.33 and OpenSSH 8.0 with multiple CVEs. The payload is detected by 49/76 antivirus engines on VirusTotal.

Realtime Register (Domain Registrar)

  • Email: rtr-security-threats@realtimeregister.com
  • Subject: allsydevs.com hosting malware payload
  • Content: Domain allsydevs.com (Registry ID: 2599400540_DOMAIN_COM-VRSN) is being used to distribute malware via its WordPress installation. Recommend notifying the domain owner of the compromise.

GHOST -- Breakglass Intelligence | Investigation: allsydevs-c2-dump | "One indicator. Total infrastructure."
