BGI Weekly Intelligence Roundup: March 2–8, 2026
48 investigations, 6 critical-severity operations, and the week’s biggest OPSEC failures
The first week of March 2026 saw an unprecedented volume of threat-actor activity — from Iranian APTs accidentally exposing their entire offensive toolkit to a Chinese state-backed group tunneling through South American telecom infrastructure. BGI published 48 original investigations in seven days, identifying 6 critical-severity operations and recovering live C2 access, full source code, and decrypted configurations across dozens of active campaigns. This is your executive briefing.
Nation-State Operations
The week's most consequential findings came from state-sponsored threat actors making critical operational security mistakes.
MuddyWater's Entire Toolkit — Recovered. An Iranian APT operator left a Python SimpleHTTPServer running on their /root directory, exposing four custom C2 frameworks with full source code, six weaponized CVE exploits (including zero-days), and complete operational documentation. This is one of the most significant OPSEC failures by a nation-state actor in recent memory. Read full investigation →
TernDoor: Chinese APT Targeting South American Telecom. UAT-9244, a China-nexus group overlapping with FamousSparrow and Tropic Trooper, deployed three custom malware families against South American telecommunications providers. BGI fully reversed the multi-layer backdoor. Read full investigation →
Adaptix C2: Active APT Engagement Forensically Dumped. A full forensic dump from an Adaptix C2 server revealed an active intrusion into at least two Active Directory domains — AKRON-HOLDING and ICG — with complete operator tooling and session data. Read full investigation →
Kuwait Military Spearphishing. A targeted campaign hit Kuwait Air Force weapons procurement personnel with a multi-stage payload designed to exfiltrate desktop documents and Telegram Desktop session data via Rclone to attacker-controlled infrastructure. Read full investigation →
WaterHydra Resurfaces — Twice. The financially-motivated APT behind CVE-2024-21412 was tracked through two separate investigations: first via a Multi-RAT operation with five recovered AES keys spanning three continents, then through a 4-year DarkMe builder trail linked to the "vaeeva" OPSEC failure on GitHub.
SilverFox APT Goes West. ValleyRAT Stage 2 samples revealed SilverFox shifting C2 infrastructure from Tencent Cloud to Western VPS providers, specifically ANTBOX Networks — a notable pivot in Chinese APT hosting strategy. Read full investigation →
Ukraine-Targeted LNK Campaign. A phishing operation targeting Ukrainian organizations delivered ZIP archives with .lnk files disguised as quarterly financial reports, using Cyrillic homoglyphs, fileless PowerShell, and bulletproof hosting. Read full investigation →
Surveillance & SIGINT
128,000-IP Russian Surveillance Empire. A routine 13-event PostgreSQL credential stuffing attempt against a BGI honeypot from a NEKOBYTE INTERNATIONAL LIMITED IP unraveled into one of the largest documented Man-in-the-Middle surveillance operations, spanning an estimated 128,000 IPs. Read full investigation →
Infostealer Ecosystem
The stealer economy showed aggressive evolution this week, with multiple families deploying novel encryption, anti-analysis, and distribution techniques.
AMOS Stealer v3 — Fully Decrypted. Two new Atomic macOS Stealer samples revealed triple S-Box encryption, wallet replacement attacks, and a three-tier C2 infrastructure. BGI fully cracked the multi-layer encryption chain (SplitMix64 PRNG, custom S-Boxes). A second AMOS campaign was caught impersonating a Claude Code skill called "OpenClaw" — both encryption schemes cracked, live C2 authenticated against. Read AMOS v3 →
LummaC2 v4.0. A deep technical dissection revealed Control Flow Flattening with 32-bit state constants, Heaven's Gate for WoW64 ntdll syscall bypass, MurmurHash2 API hashing, and — unusually — trigonometric functions used for anti-sandbox detection. Read full investigation →
ACRStealer. Nine live C2 servers, a compromised .edu WordPress site still hosting payloads, a stolen ASUS EV code-signing certificate, and a Go 1.26.0 loader with 7 obfuscation layers — all operating a multi-family stealer network. Read full investigation →
CountLoader. A professionally operated MaaS platform disguised as a CCleaner installer, deploying modular credential-stealing payloads targeting 50+ cryptocurrency wallet extensions with Active Directory reconnaissance capabilities. Read full investigation →
Stealc Dropper. A fresh Amadey-delivered dropper using a custom ARX cipher, hardware-bound key derivation, and process hollowing to deploy its payload — with a 342KB encrypted blob hidden inside an oversized resource section. Read full investigation →
Salat Stealer. A Go-compiled RAT/stealer hybrid using DNS-over-HTTPS for C2 resolution, targeting 30+ browsers, 62 crypto wallet extensions, with a live MaaS panel on Russian infrastructure. Read full investigation →
InstallFix. A malvertising campaign exploiting Google Ads to serve pixel-perfect clones of Claude Code installation pages — victims copying the install command unknowingly execute a multi-stage Lumma Stealer dropper chain. Read full investigation →
Kent-Loader. A Counter-Strike 2 "web radar" cheat sold for 20 RUB/day (~$0.20) via Telegram, doubling as a full-featured backdoor with admin privilege escalation and registry persistence. Read full investigation →
RAT Operations & Remote Access Abuse
A staggering number of active RAT deployments were mapped this week, with operators showing increasingly creative distribution and infrastructure choices.
AsyncRAT Targeting Children. Three AsyncRAT 0.5.8 samples — two disguised as Spotify, one as a Roblox cheat — were submitted to MalwareBazaar within a 5.5-hour window. Identical mutexes and PBKDF2 salts confirmed a single operator deliberately targeting young users. Read full investigation →
QuasarRAT v1.4.1 — Fake Client Built. BGI extracted the full configuration from two QuasarRAT samples operated by a Russian-speaking actor ("evilgrou-tech"), derived all cryptographic material from the live C2, and built a functional fake client that passed IP-based access control. Read full investigation →
Khan Islam's XWorm — Fully Compromised. A routine ThreatFox hunt led to RCE against an XWorm MaaS panel operated by Khan Islam from Bangladesh. The operator's own RAT gave up every secret. Read full investigation →
Five RATs, One Tunnel. A threat actor operated a multi-stage delivery chain across four Cloudflare Tunnels backed by WsgiDAV, delivering XWorm, AsyncRAT, and three other RAT families. A parallel campaign — SERPENTINE#CLOUD — used the same Cloudflare tunnel technique against German businesses specifically.
Hook Android Banking Trojan. A live C2 panel was discovered, its Laravel/PHP backend mapped across 26 enumeration phases, and the operator's mistakes documented for future attribution. Read full investigation →
NFe-RAT: Brazilian Banking Trojan. BGI obtained root access to the C2 relay and monitored live victim connections across five Brazilian states over a 5+ hour window — the malware targeted 11 financial institutions. Read full investigation →
No Malware Required. A legitimately code-signed GoToResolve MSI installer, disguised as a Portuguese-language financial document, installed persistent unattended remote access — no traditional malware involved. Read full investigation →
AnyDesk as a Management Plane. Four "silent C2 listeners" turned out to be AnyDesk installations — the operator's own management channel for GUI access to their RAT infrastructure. Read full investigation →
Also investigated: Steaelite RAT on bulletproof hosting, Remcos RAT with mutual TLS, and a multi-RAT cluster on GALEON-AS serving five malware families from one bulletproof /24.
Botnets & Loader Infrastructure
SmokeLoader's "InsureFlow Pro." A live SmokeLoader and Fuery botnet operation disguised as an insurance SaaS application, using Raft protocol obfuscation. The related Fuery implant — a garble-obfuscated Go binary dropped by Amadey — used Raft consensus data structures as a novel C2 obfuscation layer, funding a $117 Monero mining operation. Read full investigation →
SenNight Botnet — Full Server Compromise. An eval() injection in a Flask-based DDoS panel gave BGI root-level RCE on a Mirai-fork botnet's C2 server, yielding 850KB+ of exfiltrated source code, operator credentials, and evidence of a 30Gbps DDoS capability. Read full investigation →
Mirai Variant Source Code Recovered. The complete source of a Mirai-variant IoT botnet — C-based bot client and Go-based C2 server — was recovered from an exposed build environment. Read full investigation →
NEKOBYTE Redis Botnet. A 2.5-year cryptominer operation exploiting unauthenticated Redis instances via crontab injection, still active and mining via XMRig payloads from b.clu-e.eu. Read full investigation →
GoLoader LaaS. A two-year-old Go-based loader-as-a-service framework delivering at least seven malware families — Vidar, StealC, SmokeLoader, Rhadamanthys, LummaStealer, RemcosRAT, and more — via DLL sideloading. Read full investigation →
16,000-Bot PPI Network. A Pay-Per-Install botnet using a trojanized copy of the legitimate BCUninstaller application, operating across 60+ countries since January 2026. BGI cracked its predictable DGA — the operator's C2 credentials were admin:admin123. Read full investigation →
Phorpiex/Twizt. A fresh build clipping 30+ blockchains behind a Ukrainian charity false flag, actively distributing from OMEGATECH bulletproof hosting. Read full investigation →
SmokeLoader's Egyptian Shadow. A SmokeLoader C2 domain sharing a Hetzner VPS with a genuine, fully-functional Arabic Learning Management System — an unusual infrastructure overlap. Read full investigation →
Phishing & Social Engineering
Smishing Triad — Still Running. Despite Google's November 2025 RICO lawsuit, this Chinese-origin PhaaS operation continues targeting US government services across four distinct Javalin-based phishing kits. Read full investigation →
BrowserWare ClickFix. A commercially operated ClickFix-as-a-Service platform using Polygon smart contracts to store its C2 panel URL on-chain — making traditional domain takedowns ineffective. Read full investigation →
Fake CVS Recruiters. A threat actor impersonating CVS Health recruiters on Indeed, delivering malware through a purpose-built phishing domain and a compromised Jordanian WordPress site. Read full investigation →
Four European Phishing Campaigns. BGI mapped shared registrars, Russian hosting, and a complete OPSEC disaster on DigitalOcean across campaigns targeting French banking, postal services, and European classifieds. Read full investigation →
NetSupport RAT via Open Directory. An exposed server at 193.111.117.17:8080 was actively serving 9 malicious executables targeting freight and government sectors. Read full investigation →
OPSEC Failures of the Week
Threat actors made our job easier this week:
- Turkish Sliver C2 operator accidentally served their entire home directory — including `.bash_history` and `.sliver/configs` — via `python3 -m http.server`. Full writeup →
- Blake C2 operator left an unauthenticated open directory with 9 offensive tools including Sil-Crypter v1.3 droppers and GUID-encoded Meterpreter shellcode. Full writeup →
- Bucklog SARL ran a 21-node Kubernetes credential-harvesting cluster with customer-facing infrastructure visible to anyone who looked. Full writeup →
IoT & Embedded
58,895 Baby Monitors Exposed. Hangzhou Meari Technology's CloudEdge platform — 35 million registered users, 10+ white-label brands — was found operating four regional MQTT brokers with default credentials, leaving nearly 59,000 baby monitors and security cameras accessible. Read full investigation →
By the Numbers
| Metric | Count |
|---|---|
| Investigations published | 48 |
| Critical severity | 6 |
| High severity | 42 |
| Unique malware families analyzed | 30+ |
| Live C2 servers identified | 50+ |
| Nations with geolocated IOCs | 82 |
| Source code sets recovered | 4 |
| Encryption schemes cracked | 8 |
| Operator identities exposed | 5 |
All investigations are backed by original forensic analysis. IOCs, YARA rules, and technical indicators are available in each report. Explore our data on the BGI Pew Pew Map — 1,212 geolocated IPs across 82 nations, replayed investigation by investigation.
— Breakglass Intelligence