Investigated: March 7, 2026 | Published: March 7, 2026

AnyDesk as a Management Plane: How a RAT Operator Backdoors Their Own C2 Infrastructure

Threat Actors: DarkMe
#rat #darkme #c2 #exploit

Published: 2026-03-08 Tags: threat-intelligence, remote-access, AnyDesk, DarkMe-RAT, infrastructure-analysis, TLS-fingerprinting TLP: AMBER (infrastructure-specific IOCs; share with trusted peers only)


TL;DR

Four "silent C2 listeners" on port 7070 across a ThinkHuge-hosted /21 block turned out to be stock AnyDesk remote desktop installations: the operator's own management channel for GUI access to Windows servers running DarkMe RAT, Flask bot relays, and other C2 tooling. Each instance has a unique self-signed TLS certificate (CN=AnyDesk Client, RSA-2048, 50-year validity), and the certificate generation dates, spanning Feb 2024 to May 2025, map directly onto the infrastructure's expansion. None of the public threat intelligence feeds checked (Section 7) carry this cluster.


1. Why "Silent Listeners" Were Actually AnyDesk

The original ThinkHuge infrastructure scan flagged four IPs with open TCP port 7070 as "custom C2 listeners running an unknown protocol." That classification was wrong, and the reason it was wrong reveals a common gap in automated scanning methodology: banner-grab probes that never speak TLS.

AnyDesk on port 7070 accepts TCP connections and then waits for a TLS ClientHello. No banner, no HTTP, no response to raw bytes. When a banner-grabbing tool such as netcat connects and sends a newline, the connection is dropped without a byte in reply:

$ nc -w5 38.57.44.11 7070
[connection established, no data received, timeout]

Only a TLS-aware probe reveals the service:

$ openssl s_client -connect 38.57.44.11:7070 -servername anydesk </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -serial -dates -sha256 -fingerprint

subject=CN = AnyDesk Client
serial=01
notBefore=Feb 16 16:43:03 2024 GMT
notAfter=Feb  3 16:43:03 2074 GMT
SHA256 Fingerprint=C0:2C:B0:8A:D4:21:4C:EC:07:CD:C8:B5:85:D2:6B:55:9D:34:52:E3:5F:FF:E9:43:3D:40:C5:04:8D:D6:B4:CB

The pattern is unmistakable: CN=AnyDesk Client, serial 01, RSA-2048, self-signed, and a validity window just short of 50 years. This is AnyDesk's default self-signed certificate configuration. Two details of the command matter in practice: redirecting stdin from /dev/null makes s_client exit after the handshake instead of waiting for input, and -sha256 is required because -fingerprint alone prints a SHA-1 fingerprint.


2. Four Installations, 15 Months of Expansion

Each AnyDesk instance carries its own RSA key pair and certificate, generated locally when the software was installed, so the notBefore date of each certificate gives an installation timeline:

Feb 2024  ───[38.57.44.11]──────────────────────────────────────────
Mar 2025  ──────────────────────────[38.57.40.237]──────────────────
May 2025  ──────────────────────────────────────[38.57.41.81]──[38.57.44.232]──>

IP            Cert Generated  Cipher Suite                 Key Exchange  Subnet    Co-located With
38.57.44.11   Feb 16, 2024    ECDHE-RSA-AES256-GCM-SHA384  X25519        .44.0/24  DarkMe RAT (.173), Express.js (.59)
38.57.40.237  Mar 25, 2025    DHE-RSA-AES256-GCM-SHA384    DH 2048-bit   .40.0/24  Flask C2 (.95)
38.57.41.81   May 7, 2025     ECDHE-RSA-AES256-GCM-SHA384  X25519        .41.0/24  (standalone)
38.57.44.232  May 24, 2025    ECDHE-RSA-AES256-GCM-SHA384  X25519        .44.0/24  DarkMe RAT (.173)

The cipher suite difference on .237 (DHE vs ECDHE) suggests a different, probably older, AnyDesk build, or a deliberate configuration choice; the remaining three negotiate ECDHE with X25519, consistent with AnyDesk builds from late 2023 onward. Note that the negotiated suite is the server's pick from whatever the probing client offered, so compare instances probed with the same client and cipher list before reading a version difference into it.

A sweep of all 2,048 IPs across the /21 for port 7070 confirmed: no additional AnyDesk instances exist beyond these four.


3. TLS Certificate Forensics

All four certificates share the same template but carry unique cryptographic material:

Common Name:    AnyDesk Client
Serial Number:  01 (identical on all four)
Key Type:       RSA-2048
Validity:       50 years (AnyDesk default)
Self-signed:    Yes

The RSA modulus hashes confirm four distinct key pairs, i.e. four separate installations rather than clones of one image:

38.57.40.237  →  9e545a10bd5c0a7e1176c9d076955ece70395ebc9c36b7217bede7e3fb4dbe0e
38.57.41.81   →  193ff072967ba3d7eb003398a780cbb007e09c1f4ddde38d1902361f5ca21321
38.57.44.11   →  f43108309c1e6f5589048e68d44750b038c3a4ea1182db14c659c7a274c45328
38.57.44.232  →  329fdfd3fdc128f5027664259c8e400ebabb4cc3f38f7b363357772f46157189

These modulus hashes can be used to track the certificates across internet-wide scan datasets (Censys, Shodan) if the operator moves existing hosts or disk images to new IP ranges; a fresh install generates a new key pair, so a reinstall breaks the link. Compute the hash the same way for both datasets (over the same representation of the modulus) before comparing.
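The openssl one-liner in Section 1 and the fingerprint and modulus-hash artefacts in this section can be produced by one standard-library tool. The following Python is an added example, not part of the original write-up and not the investigators' tooling: it speaks TLS to a listener, reads the leaf certificate, walks just enough DER to recover CN, serial, validity, self-signature and RSA modulus, and classifies the result against the AnyDesk template described above. Two assumptions are baked in and labelled in the code: "modulus hash" is taken to mean SHA-256 over the raw big-endian modulus bytes (the post does not say how its hashes were computed), and the sample certificate built at the bottom is constructed and unsigned, purely so the parser can be exercised offline.

```python
"""TLS-aware probe and classifier for AnyDesk's default self-signed certificate.
Added example, not the investigators' tooling. Assumption: "modulus hash" means SHA-256
over the raw big-endian modulus bytes; the post does not say how its hashes were made.
"""
import hashlib
import socket
import ssl
from datetime import datetime, timezone
OID_CN = bytes.fromhex("550403")                # id-at-commonName
OID_RSA = bytes.fromhex("2a864886f70d010101")   # rsaEncryption

def tlv(buf, pos=0):
    """Decode one DER TLV at pos -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(buf):
    """Direct (tag, value) members of a constructed DER value."""
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = tlv(buf, pos)
        out.append((tag, val))
    return out

def parse_time(tag, raw):                       # 0x17 UTCTime, 0x18 GeneralizedTime (>= 2050)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(raw.decode(), fmt).replace(tzinfo=timezone.utc)

def common_name(name_der):                      # Name = SEQUENCE OF SET OF AttributeTypeAndValue
    for _, rdn in children(name_der):
        for _, atv in children(rdn):
            (_, oid), (_, value) = children(atv)
            if oid == OID_CN:
                return value.decode()
    return None

def modulus_hash(modulus):
    return hashlib.sha256(modulus.to_bytes((modulus.bit_length() + 7) // 8, "big")).hexdigest()

def parse_cert(der):
    """Fields the post keys on, from a DER-encoded X.509 certificate."""
    fields = children(children(tlv(der)[1])[0][1])   # tbsCertificate members
    if fields[0][0] == 0xA0:                    # optional [0] EXPLICIT version
        fields = fields[1:]
    serial, _sig, issuer, validity, subject, spki = (v for _, v in fields[:6])
    (nb_tag, nb), (na_tag, na) = children(validity)
    algid, bitstr = children(spki)
    modulus = 0
    if children(algid[1])[0][1] == OID_RSA:     # BIT STRING: skip unused-bits octet, read RSAPublicKey
        modulus = int.from_bytes(children(tlv(bitstr[1][1:])[1])[0][1], "big")
    return {"cn": common_name(subject), "serial": int.from_bytes(serial, "big", signed=True),
            "self_signed": issuer == subject, "key_bits": modulus.bit_length(),
            "not_before": parse_time(nb_tag, nb), "not_after": parse_time(na_tag, na),
            "modulus_sha256": modulus_hash(modulus) if modulus else None,
            "sha256": hashlib.sha256(der).hexdigest(), "sha1": hashlib.sha1(der).hexdigest()}

def looks_like_anydesk_default(info):
    """CN=AnyDesk Client, serial 01, RSA-2048, self-signed, ~50-year validity."""
    years = (info["not_after"] - info["not_before"]).days / 365.25
    return (info["cn"] == "AnyDesk Client" and info["serial"] == 1 and info["self_signed"]
            and info["key_bits"] == 2048 and 49 <= years <= 51)

def probe(host, port=7070, timeout=5.0):
    """Speak TLS (a raw connect gets nothing back) and read the leaf certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                  # self-signed: nothing to verify against
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            info = parse_cert(tls.getpeercert(binary_form=True))
            info["cipher"] = tls.cipher()[0]    # e.g. ECDHE-RSA-AES256-GCM-SHA384
            return info

# Constructed, unsigned sample certificate (not a real AnyDesk cert) so the parser runs offline.
def _der(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def _int(value):                                # DER INTEGER; extra byte keeps the sign bit clear
    return _der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))
SAMPLE_MODULUS = int("d" * 512, 16)             # 2048-bit placeholder, not a real key

def sample_cert(cn="AnyDesk Client", modulus=SAMPLE_MODULUS):
    """Mimics the template (dates from the post's .11 cert); signature bytes are dummies."""
    alg = _der(0x30, _der(0x06, OID_RSA) + _der(0x05, b""))   # placeholder for both AlgorithmIdentifiers
    name = _der(0x30, _der(0x31, _der(0x30, _der(0x06, OID_CN) + _der(0x0C, cn.encode()))))
    validity = _der(0x30, _der(0x17, b"240216164303Z") + _der(0x18, b"20740203164303Z"))
    spki = _der(0x30, alg + _der(0x03, b"\x00" + _der(0x30, _int(modulus) + _int(65537))))
    tbs = _der(0x30, _der(0xA0, _int(2)) + _int(1) + alg + name + validity + name + spki)
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" * 33))
```

Call probe("38.57.44.11") to get the same fields the openssl pipeline prints plus the negotiated cipher, or parse_cert(sample_cert()) to see the classifier fire on the constructed template. Because looks_like_anydesk_default only keys on the certificate shape, it fires on any installed AnyDesk, which is exactly the hunting premise of Section 9: the pattern is only interesting on hosts where nobody should be running remote support software.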


4. The Flask C2 Relay β€” A Bug That Tells a Story

Sitting alongside the AnyDesk cluster at 38.57.40.95:80 is a live Flask application that functions as a bot check-in relay:

Server:       Werkzeug/3.1.3 Python/3.12.3
Debug Mode:   ENABLED
Debug Secret:  UbEujrIJ0uRq66vpJ5nD
EVALEX:       false (no debug console RCE)
View Function: telnet_server

The sole route is POST /, which accepts JSON payloads with a message field, a classic bot beacon pattern. But there is a bug: the handler never returns a response, so every request that reaches it ends in HTTP 500:

POST / HTTP/1.1
Content-Type: application/json

{"message": "checkin"}

→ HTTP 500 (the view returns None; Flask raises TypeError: "The view function for 'telnet_server' did not return a valid response")

That TypeError, rendered in full by the Werkzeug debugger page, is where the view function name telnet_server comes from. The name suggests this relay was designed to bridge telnet-based bot communications over HTTP. Whether the bug is intentional (stealth via consistent 500s) or a development oversight is unclear, but Werkzeug debug mode being left on, combined with the leaked debug secret, points to the latter.

The debug console is disabled (EVALEX=false), so the secret alone is not exploitable; even with the console on, Werkzeug gates it behind a PIN. What the debugger page does hand out is the traceback, file paths and source context for every crash. It confirms sloppy operational security consistent with the broader infrastructure pattern.
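The Werkzeug debugger page is where the values in the table above (debug mode, secret, EVALEX, view function) come from. As an added example, not the investigators' tooling and not anything from the original post, the following Python parses a captured HTTP response and extracts those fields, then applies the post's relay fingerprint (Werkzeug Server header plus a 500 on a well-formed POST). The embedded response is constructed, not a real capture: it mirrors the Werkzeug 3.x debugger markup as I know it (a script block declaring EVALEX and SECRET, the HTML-escaped TypeError in the body) and uses the secret value the post reports. The regexes assume that layout and return None for anything absent.

```python
"""Pull the Werkzeug debugger artefacts the post lists out of a captured HTTP response.

Added example, not the investigators' tooling. Assumptions: the response mirrors the
Werkzeug 3.x debugger page (a <script> block declaring EVALEX and SECRET, the escaped
exception text in the body); fields that are not present come back as None.
"""
import html
import re

# Constructed sample, not a real capture: a POST {"message": "checkin"} to a Flask view
# that never returns, with debug mode on. The secret is the value the post reports.
SAMPLE_RESPONSE = "\r\n".join([
    "HTTP/1.1 500 INTERNAL SERVER ERROR",
    "Server: Werkzeug/3.1.3 Python/3.12.3",
    "Content-Type: text/html; charset=utf-8",
    "",
    "<!doctype html><html lang=en><head>",
    "<title>TypeError // Werkzeug Debugger</title>",
    "<script>",
    "  var CONSOLE_MODE = false,",
    "      EVALEX = false,",
    "      EVALEX_TRUSTED = false,",
    '      SECRET = "UbEujrIJ0uRq66vpJ5nD";',
    "</script></head><body><h1>TypeError</h1>",
    '<p class="errormsg">TypeError: The view function for &#39;telnet_server&#39; did not '
    "return a valid response. The function either returned None or ended without a return "
    "statement.</p></body></html>",
])

SECRET_RE = re.compile(r'SECRET\s*=\s*"([^"]+)"')
EVALEX_RE = re.compile(r"\bEVALEX\s*=\s*(true|false)")     # EVALEX_TRUSTED cannot match this
VIEW_RE = re.compile(r"The view function for '([^']+)' did not return")


def parse_response(raw):
    """Split status line, headers and body, then extract the debugger artefacts."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    text = html.unescape(body)                  # &#39; -> ' so the TypeError text is matchable
    secret, evalex, view = (rx.search(text) for rx in (SECRET_RE, EVALEX_RE, VIEW_RE))
    return {
        "status": int(status_line.split()[1]),
        "server": headers.get("server", ""),
        "debugger_page": "Werkzeug Debugger" in text,
        "evalex": (evalex.group(1) == "true") if evalex else None,
        "secret": secret.group(1) if secret else None,
        "view_function": view.group(1) if view else None,
    }


def matches_relay_signature(info):
    """The post's fingerprint for .95: a Werkzeug Server header and a 500 on a well-formed POST."""
    return info["status"] == 500 and info["server"].startswith("Werkzeug/")


def exposure(info):
    """What the debugger page hands an outside observer."""
    if not info["debugger_page"]:
        return "no debugger page"
    if info["evalex"]:
        return "interactive console enabled (PIN-gated by default); traceback, paths and source exposed"
    return "traceback only: view names, file paths and the per-process SECRET leak, no console"
```

Feed parse_response the raw bytes of a real reply (decoded as text) and the same fields fall out; the point of the exposure() split is that EVALEX=false is the difference between an information leak and a PIN-gated console, which is the distinction the text above draws.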


5. Infrastructure Map β€” The Operator's Management Plane

The AnyDesk instances form a management overlay across the actor's C2 infrastructure:

38.57.40.0/21 (ThinkHuge / Cogent AS174)
│
├── 38.57.40.0/24
│   ├── .95  ── Flask C2 "telnet_server" (Werkzeug debug ON) ............. LIVE
│   └── .237 ── AnyDesk (Mar 2025) + OpenSSH_for_Windows_9.5 + MS-RPC ... LIVE
│
├── 38.57.41.0/24
│   └── .81  ── AnyDesk (May 2025) ...................................... LIVE
│
├── 38.57.44.0/24 (Primary C2 Subnet)
│   ├── .11  ── AnyDesk (Feb 2024, OLDEST) .............................. LIVE
│   ├── .59  ── Express.js (Node.js) + Windows .......................... LIVE
│   ├── .173 ── DarkMe RAT C2 (port 4242) .............................. OFFLINE
│   └── .232 ── AnyDesk (May 2025, NEWEST) .............................. LIVE
│
└── 56 IPs ── Dormant snowshoe spam (rDNS patterns) ..................... DORMANT

The pattern is clear: the actor provisions a Windows VPS, installs AnyDesk for persistent GUI access, then deploys C2 tooling (DarkMe, Flask relay, Express.js handlers) on the same or adjacent hosts. AnyDesk gives them:

  • Full graphical desktop access to manage RAT panels, review bot check-ins, and operate C2 consoles
  • Reboot persistence: an installed (not portable) AnyDesk runs as a Windows service and survives restarts
  • NAT traversal via AnyDesk's relay network: the operator can reconnect from any IP using an AnyDesk ID, and relayed sessions never need to arrive at port 7070, so the listener alone does not reveal where the operator connects from
  • Plausible deniability: port 7070 is AnyDesk's default, making it look like legitimate remote support traffic

The oldest installation (38.57.44.11, Feb 2024) is in the same /24 as the DarkMe C2 at .173. This host was likely the operator's first foothold, a management station deployed before the C2 infrastructure was built out.


6. MITRE ATT&CK Mapping

Technique                   ID         Usage
Remote Access Software      T1219      AnyDesk for persistent operator access to C2 infrastructure
Proxy                       T1090      Flask relay bridging bot check-ins over HTTP
Valid Accounts              T1078      AnyDesk ID + password for GUI authentication
Encrypted Channel           T1573.002  TLS 1.2 on AnyDesk connections
Non-Standard Port           T1571      DarkMe on 4242 (7070 is AnyDesk's default port, so the AnyDesk listeners do not qualify)
Masquerading                T1036      AnyDesk disguised as legitimate remote support
Application Layer Protocol  T1071.001  Flask C2 using HTTP POST with JSON (Web Protocols)

7. Threat Intel Coverage: A Blind Spot

Source             Results
Shodan InternetDB  .237 shows 9 ports (7070 not indexed); the other 3 AnyDesk IPs have no data
ThreatFox          No IOCs for any of the 5 IPs
MalwareBazaar      AnyDesk tag shows trojanized MSI installers (SilverFox/ValleyRAT/Gh0stRAT); no link to these IPs
OTX AlienVault     No pulses
URLhaus            No entries

This infrastructure is completely dark in public threat intelligence: no feeds, no reports, no community indicators. The combination of legitimate software (AnyDesk) on its default port, hosted at a bullet-proof-adjacent provider (ThinkHuge, upstream Cogent AS174), makes it effectively invisible to reputation-based detection.


8. IOCs

Network Indicators

38.57.40.237:7070/tcp    AnyDesk: operator management access
38.57.41.81:7070/tcp     AnyDesk: operator management access
38.57.44.11:7070/tcp     AnyDesk: operator management access (oldest, Feb 2024)
38.57.44.232:7070/tcp    AnyDesk: operator management access (newest, May 2025)
38.57.40.95:80/tcp       Flask C2 relay: Werkzeug/3.1.3 Python/3.12.3
38.57.40.237:22/tcp      OpenSSH_for_Windows_9.5

TLS Certificate Fingerprints (SHA-256)

56:40:AE:B0:2A:C2:E0:E6:36:DB:6A:1E:6C:95:E7:DE:5E:35:27:F2:9A:B4:8E:E0:AF:5A:5A:2E:FF:CF:ED:7C  38.57.40.237
7F:78:95:42:6E:B2:56:9D:26:C7:2C:D8:9C:D7:06:0D:00:D7:F9:67:8D:31:B0:1C:E7:E9:B5:FD:35:AC:7B:12  38.57.41.81
C0:2C:B0:8A:D4:21:4C:EC:07:CD:C8:B5:85:D2:6B:55:9D:34:52:E3:5F:FF:E9:43:3D:40:C5:04:8D:D6:B4:CB  38.57.44.11
69:68:00:2F:50:BA:60:34:8B:1E:24:BD:51:3D:83:03:EC:7A:11:3B:E2:AA:15:F4:CC:EE:D5:CB:35:70:BE:32  38.57.44.232

TLS Certificate Fingerprints (SHA-1)

B8:D1:FF:2C:1B:29:28:ED:E3:E8:5B:F4:11:95:16:51:C4:9E:BC:AE  38.57.40.237
8B:0C:F0:4A:9B:D5:77:EC:42:26:44:5C:EE:D7:78:28:A2:5F:16:60  38.57.41.81
2E:6C:7F:35:36:2D:C3:AC:4D:5F:55:33:5A:6B:4F:8F:4D:77:45:11  38.57.44.11
99:28:65:B9:1F:97:3E:A8:74:E6:E9:0F:A0:42:FC:AE:A4:BD:63:D8  38.57.44.232

RSA Modulus Hashes (SHA-256)

9e545a10bd5c0a7e1176c9d076955ece70395ebc9c36b7217bede7e3fb4dbe0e  38.57.40.237
193ff072967ba3d7eb003398a780cbb007e09c1f4ddde38d1902361f5ca21321  38.57.41.81
f43108309c1e6f5589048e68d44750b038c3a4ea1182db14c659c7a274c45328  38.57.44.11
329fdfd3fdc128f5027664259c8e400ebabb4cc3f38f7b363357772f46157189  38.57.44.232

Flask C2 Debug Secret

UbEujrIJ0uRq66vpJ5nD

Suricata Rule

The certificate is sent by the server, so the rule has to inspect the server-to-client side of the handshake (tls.cert_subject is a to_client buffer; pairing it with flow:to_server never matches):

alert tls [38.57.40.237,38.57.41.81,38.57.44.11,38.57.44.232] 7070 -> $HOME_NET any (
    msg:"MALWARE evilgrou-tech AnyDesk operator access (ThinkHuge C2 infrastructure)";
    flow:established,to_client;
    tls.cert_subject;
    content:"CN=AnyDesk Client";
    classtype:trojan-activity;
    sid:2026030810;
    rev:1;
    metadata:author BGI, created_at 2026_03_08, tlp amber, campaign evilgrou-tech;
)

9. Detection Guidance

For network defenders:

  • Alert on connections to any of the four IPs on port 7070: these are confirmed operator management hosts, and nothing in a corporate network has a legitimate reason to open an AnyDesk session to them
  • Monitor DNS queries for *.net.anydesk.com originating from the ThinkHuge /21 block to detect AnyDesk relay traffic (a control available to the hosting provider or its upstream resolvers, not to outside defenders)
  • The Flask relay at .95:80 responds with Werkzeug/3.1.3 in the Server header and always returns HTTP 500 on well-formed POSTs; that pairing is a signature in itself

For threat hunters:

  • The TLS certificate pattern (CN=AnyDesk Client, serial 01, 50-year validity, RSA-2048 self-signed) on non-AnyDesk-relay infrastructure is a strong indicator of operator-installed remote access
  • Submit the SHA-256 certificate fingerprints to Censys/Shodan saved searches for infrastructure migration alerts
  • The DH key exchange on .237 (vs ECDHE on the other three) may indicate a different AnyDesk version β€” worth tracking as a version fingerprint

For abuse reporting:

  • AnyDesk GmbH: TOS violation, software used to manage malware C2 infrastructure
  • Cogent (AS174) / ThinkHuge: hosting infrastructure actively used for DarkMe RAT operations and bot relay

Investigation by BGI. No public threat intelligence coverage exists for this infrastructure as of 2026-03-08.
