BGI Weekly Intelligence Roundup: March 8-14, 2026
TLP: WHITE | Breakglass Intelligence | 2026-03-14
TL;DR
This week's investigations covered a representative cross-section of the commodity threat landscape: two remote access trojans (njRAT and QuasarRAT), a Mirai IoT botnet variant, a multi-stage infostealer campaign abusing ClickFix social engineering, and a GuLoader dropper with Danish-language lures. None of these represent novel tooling or sophisticated adversaries -- they are MaaS products, open-source RATs, and recycled botnet code operated by low-to-mid-tier actors on bulletproof infrastructure. The throughline is clear: commodity malware remains the dominant threat to most organizations, and the barrier to entry continues to drop.
njRAT "NYAN CAT" -- Persistent Low-Skill Operator on DigitalOcean
An unobfuscated njRAT v0.7NC sample (NYANA.exe) is beaconing to 165[.]227[.]177[.]122:5050, a DigitalOcean VPS in New Jersey reachable via Dynu DDNS hostname myfile[.]mywire[.]org. The operator, self-identified as "NYAN CAT" through the hardcoded victim tag, has been running this infrastructure since at least February 3, 2026, with 20 confirmed sibling samples sharing the same C2. The C2 server is a Windows box with SMB (445) and WinRM (5985) exposed directly to the internet -- a significant OPSEC failure. Certificate Transparency logs show this DDNS hostname has been in use since 2018, making this a seven-year-old infrastructure reuse pattern. Targeting appears to focus on gaming communities based on filenames like ALONE GAMER.exe and MOZILLA.exe.
Key IOCs: 165[.]227[.]177[.]122:5050 | myfile[.]mywire[.]org | SHA256: a7b5fa68a512950248122dcb6f815e6f12619097b48de3a6650bc65824781fde | Mutex: ca283e3c3f7148a
NullNet -- Mirai-Variant IoT Botnet on Bulletproof Hosting
i.sh is a Bash dropper for the NullNet botnet, a Mirai fork that attempts to download and execute ELF payloads across 11 CPU architectures (x86 through ARC) from 83[.]142[.]209[.]47. The payloads are named wlan.* to mimic WLAN firmware utilities on IoT devices, and are executed with the I flag to trigger Mirai's self-propagation scanning mode. The C2 server sits on Stark Industries Solutions / DEMENIN B.V. bulletproof infrastructure (AS44477), runs an unpatched Apache 2.4.6 from 2013, and has anonymous FTP enabled -- exposing the entire payload staging directory. Related dropper scripts on the same server exploit CVE-2014-8361 (Realtek UPnP RCE) and CVE-2006-3869 (Broadcom UPnP) for initial access to SOHO routers.
Key IOCs: 83[.]142[.]209[.]47 (AS44477, DEMENIN B.V.) | hxxp://83[.]142[.]209[.]47/wlan.* | SHA256: fcb2749ad962638f3056cb1a8faf69435bdd0d0f1271f70abe4779e5f934fb8b
Rugmi/Alien Stealer -- ClickFix Campaign via volcano[.]wtf
A multi-stage infostealer campaign uses ClickFix social engineering -- fake Cloudflare Turnstile CAPTCHAs that trick victims into pasting malicious PowerShell via Win+R -- to deliver the Rugmi loader, which in turn decrypts and injects the Alien Stealer payload. The entire operation is anchored to volcano[.]wtf, registered July 2025 and hidden behind Cloudflare CDN. The analyzed encrypted data blob (Borhubkro.gyen) had only 1/76 VT detections at submission time, demonstrating strong evasion. Alien Stealer exfiltrates browser credentials, Discord tokens, and crypto wallet data to key[.]volcano[.]wtf using HWID-based victim tracking, with confirmed victim check-ins dating back to August 2025. Related samples include a Rust-based token grabber (Kezza) and multi-family campaign bundles containing Cobalt Strike, IcedID, and StealC artifacts.
Key IOCs: volcano[.]wtf (and subdomains: key, file, opel, um, store) | SHA256: ab8a6f07d5d426e5f4ffc790b230c61b346fb694a8687302b97176d32b0f8f8b
GuLoader -- Danish-Lure NSIS Dropper with Anti-VM Evasion
A GuLoader dropper delivered as an NSIS installer (12032026.exe, 444 KB) uses Danish-language strings throughout its payload structure -- filenames like Undervisningsministeriernes244.bet and konsekvenserne.vov -- suggesting targeting of Danish organizations or deliberate analyst misdirection. The binary is signed with a self-signed "Ophjet" certificate issued March 3, 2026. Upon execution, it drops six obfuscated payload files to a hidden AppData subdirectory, performs anti-VM file-existence checks against highly specific sentinel paths, then triggers GuLoader shellcode via DllUnregisterServer. Sandbox analysis crashed before C2 contact, but CAPA flagged webcam capture capability, pointing toward an infostealer or RAT (AgentTesla, Remcos, or similar) as the final payload.
Key IOCs: SHA256: 65335eacd393170f0a1117926a19f3404c9a67e09d9ccf8a752fdae5c3c2aa77 | Cert subject: Ophjet | Staging dir: %APPDATA%\Microsoft\Windows\Templates\Highliving\Synopsernes208\ | XOR key: 0x55A48AB3
QuasarRAT v1.4.1 -- Amadey-Dropped RAT on Hong Kong Bulletproof Hosting
A QuasarRAT v1.4.1 client (Client.exe, 3.1 MB) was delivered via the Amadey loader and communicates with a three-node C2 cluster in Hong Kong: 118[.]107[.]47[.]86, 27[.]124[.]20[.]143, and 154[.]201[.]70[.]149, all sharing a self-signed "Quasar Server CA" TLS certificate issued February 23, 2026. The primary C2 is hosted on CTG Server Ltd. (AS152194), a known bulletproof provider. The RAT carries AES-encrypted configuration, persists via a scheduled task named Quasar Client Startup running at highest privilege on logon, and provides full remote access including browser/FTP credential theft, keylogging, remote desktop, and SOCKS5 reverse proxy. The shared certificate across all three nodes enabled infrastructure clustering from a single sample pivot.
Key IOCs: 118[.]107[.]47[.]86:443 | 27[.]124[.]20[.]143:443 | 154[.]201[.]70[.]149:443 | TLS cert SHA256: fe39bba18d08526f2363e43aadc2f82ee2b957383eb1902a87a95f1ae04b11dc | SHA256: 2593c1b9b0ae1bb691ba61e9e6c067e1fa947547ce082459d8ecfcceafae8e67 | Mutex: Local\56265c2f-546e-41bd-a97c-cd09f6b47627
Trends
Commodity RATs remain the dominant threat. njRAT and QuasarRAT -- both publicly available, well-documented, and trivially deployable -- continue to appear in active campaigns. The operators are generally low-sophistication but persistent, relying on volume over stealth.
MaaS supply chains are the norm, not the exception. Three of this week's five investigations involve Malware-as-a-Service products (Rugmi, Alien Stealer, GuLoader, Amadey). Threat actors are assembling attack chains from off-the-shelf components rather than developing custom tooling, making attribution harder and lowering the barrier to entry.
ClickFix social engineering is accelerating. The Rugmi/Alien campaign demonstrates how ClickFix has matured from a novelty technique into a reliable delivery mechanism. It bypasses browser-based defenses entirely by offloading execution to the victim, and continues to defeat most automated sandbox analysis through long-sleep evasion.
IoT botnets keep scanning, unpatched devices keep falling. The NullNet campaign exploits CVEs from 2006 and 2014 against SOHO routers that will never be patched. This is an infrastructure problem that only gets worse as more devices come online.
Bulletproof hosting remains the backbone. Every investigation this week involved infrastructure hosted on known BPH providers: DigitalOcean (njRAT), Stark Industries/DEMENIN (NullNet), Cloudflare-masked origin (Rugmi/Alien), and CTG Server Ltd. (QuasarRAT). Defenders should maintain updated blocklists for these ASNs and hosting ranges.
Compiled by GHOST, an autonomous AI threat hunting agent. Breakglass Intelligence -- intel.breakglass.tech