Blake C2 Torn Open: Sil-Crypter Droppers, GUID-Encoded Meterpreter, and a Multi-Country Infrastructure Built on a 5-Year-Dead Domain

TL;DR: A live C2 server at 141.11.107.134 was caught hosting an unauthenticated open directory with 9 offensive tools -- including Sil-Crypter v1.3 droppers that inject GUID-encoded Meterpreter shellcode into WUDFHost.exe, a Ligolo-ng tunneling agent, and a MeshCentral RMM implant. Full reverse engineering of the 606KB stageless payload decoded 11,556 GUID strings into a 184KB reflective Meterpreter DLL, revealing a hidden C2 domain (dl.lsa.az) pointing to an Iranian VPS. The entire operation runs on lsa.az, an Azerbaijani domain that sat dormant for 5 years before the actor reactivated it in May 2025 to dodge new-domain detection heuristics.

---

The Open Directory: 9 Tools, Zero Authentication

The primary finding came from port 8000 on 141.11.107.134, where a Python SimpleHTTP/0.6 server was serving a directory listing with no authentication. Every file was downloadable. Here is what was staged:

File	Size	Type	Purpose
4040.bin	510 B	Raw shellcode	Windows x64 Meterpreter reverse_tcp stager
reverse.elf	250 B	ELF 64-bit x86-64	Linux x64 Meterpreter reverse_tcp stager
agent.exe	7.3 MB	PE32+ (Go binary)	Ligolo-ng tunneling agent
meshagent32-Access.exe	3.8 MB	PE32 (32-bit)	MeshCentral RMM agent
hfsSer.exe	606 KB	PE32+	Sil-Crypter v1.3 -- stageless Meterpreter
hfsServ.exe	18 KB	PE32+	Sil-Crypter v1.3 -- staged Meterpreter stager
Stnon.exe	18 KB	PE32+	Sil-Crypter v1.3-Copy -- Meterpreter stager
TCity.exe	18 KB	PE32+	Sil-Crypter v1.3-Copy -- Cloudflare-tunneled Meterpreter
TeamServ.exe	18 KB	PE32+	Sil-Crypter v1.3-Copy -- Meterpreter stager

The naming conventions are interesting. hfsServ and hfsSer masquerade as HFS (HTTP File Server) binaries. TeamServ mimics TeamViewer or TeamCity server components. TCity is likely short for "Tunnel City." None of these are what they claim to be.

37 additional paths were enumerated (.env, .git, config.py, backup/, db/, etc.) -- all returned 404. The server was purpose-built to stage exactly these 9 files and nothing else.

Infrastructure Architecture

The actor operates a multi-node C2 network across three countries, unified under the lsa.az domain with Cloudflare DNS:

lsa.az (Azerbaijan TLD, Cloudflare DNS, dormant 2020-2025, reactivated 2025-05-31)
│
├── az.lsa.az → 141.11.107.134 (Netherlands, rack400.com/NForce, AS43350)
│   ├── :4040   Meterpreter reverse_tcp handler (ACTIVE)
│   ├── :5000   Flask/Werkzeug 3.1.5 "BLAKE ADMIN LOGIN" panel (ACTIVE)
│   ├── :8000   Python SimpleHTTP open directory (ACTIVE)
│   ├── :11601  Ligolo-ng tunnel proxy (ACTIVE, TLS cert 2026-02-18)
│   └── :444    MeshCentral WSS (DOWN)
│
├── dl.lsa.az → 194.33.105.183 (Iran, ParsVDS/IAUAHWAZ, Ahwaz)
│   └── :2083   Stageless Meterpreter C2 (ALL PORTS FILTERED)
│
├── cov.lsa.az → 202.71.14.75 (Netherlands, servers.guru/Moula World, AS43641)
│   └── ALL PORTS FILTERED (served /en-us/ pages in June 2025)
│
└── 188.114.99.0 (Cloudflare anycast)
    └── :8181   Cloudflare-tunneled Meterpreter (TCity.exe)

Notable: port 22 is closed on the primary server. There is no SSH. The operator manages their infrastructure through Ligolo-ng tunnels and MeshCentral -- meaning even their own server administration is routed through the same C2 channels they use against victims.

Primary Server Details

Field	Value
IP	141.11.107.134
Hosting	rack400.com, Netherlands
ASN	AS43350 (NForce Entertainment)
Registration	Private Customer, Singapore
Abuse Contact	report@abuseradar.com
Open Ports	4040, 5000, 8000, 11601
No SSH	Port 22 closed -- access via tunnels/RMM only

Sil-Crypter v1.3: The Dropper Framework

All five PE executables (excluding agent.exe and meshagent32-Access.exe) were built with the same tool: Sil-Crypter v1.3. The PDB paths left in the binaries expose the attacker's development environment:

E:\.Mal\1.Stealers\First\Sil-Crypter\Project SIL 1.3\Templates\Sil-Crypter\x64\Release\Sil-Crypter.pdb
E:\.Mal\1.Stealers\First\Sil-Crypter\Project SIL 1.3 - Copy\Templates\Sil-Crypter\x64\Release\Sil-Crypter.pdb

The attacker's workspace structure:

E:\.Mal\
  └── 1.Stealers\
      └── First\
          └── Sil-Crypter\
              ├── Project SIL 1.3\          (original)
              └── Project SIL 1.3 - Copy\   (duplicated for variant generation)

The E:\.Mal\1.Stealers\First\ path hierarchy suggests this is one tool in a larger organized malware library, with 1.Stealers implying numbered categories. The "- Copy" suffix indicates the actor duplicates Visual Studio project folders to generate variants -- crude but effective for producing binaries with slightly different characteristics.

Shared Execution Chain

All Sil-Crypter samples share the same injection technique:

1. Dynamic API resolution -- function addresses are resolved at runtime using XOR-encoded hashes with the key securekey
2. GUID-encoded shellcode -- payload bytes are stored as GUID-format strings in .rdata and decoded via UuidFromStringA
3. Process injection -- decoded shellcode is injected into WUDFHost.exe (Windows User-mode Driver Framework Host)

The GUID encoding is the clever part. Each GUID string encodes 16 bytes of payload, and the entropy of the .rdata section stays around 3.8 -- well below the ~7.0 threshold that most AV engines flag as packed/encrypted. The payload hides in plain sight as what looks like a table of COM class identifiers.

C2 Configurations per Binary

File	C2 Target	Port	Notes
hfsServ.exe	194.33.105.183	2083	Iranian VPS (ParsVDS), hardcoded IP
hfsSer.exe	dl.lsa.az	2083	Same Iranian VPS, domain-based (discovered via RE)
Stnon.exe	141.11.107.134	4040	Primary C2
TeamServ.exe	141.11.107.134	4040	Primary C2
TCity.exe	188.114.99.0	8181	Cloudflare tunnel -- domain-fronted Meterpreter

Deep Dive: The 606KB Stageless Payload

The hfsSer.exe binary stood out immediately -- at 606KB, it is 33x larger than its 18KB siblings. Full reverse engineering revealed why.

The .rdata section contains 11,556 GUID-format strings totaling 456.5KB. Each GUID encodes 16 bytes via UuidFromStringA. Total decoded payload: 184,896 bytes.

First GUID:  52415A4D-4855-E589-4883-EC204883E4F0
Decoded:     4D 5A 41 52 55 48 89 E5 ...  (MZAR -- reflective DLL header)

The decoded payload is a stageless Meterpreter reflective DLL (sRDI format):

Property	Value
Type	Stageless Meterpreter (Reflective DLL)
Size	184,896 bytes
SHA-256	76056f0b34dfb2959918a8beced30c71750faacaeec88f8fc0851162e7b38cb1
Compile Time	2025-05-22 21:39:49 UTC
C2 URL	tcp://dl.lsa.az:2083
UUID	9f112744-6b69-5046-0fd6-0ed46648f79f
Encryption	RSA key exchange + AES bulk
comm_timeout	300s (5 min)
retry_total	3600s (1 hour)
retry_wait	10s

Key strings extracted from the decoded DLL:

server.dll                                    (Meterpreter core)
PACKET TRANSMIT / PACKET RECEIVE              (TLV protocol markers)
\\%s\pipe\%s                                  (Named pipe transport)
SeDebugPrivilege                              (Privilege escalation)
NtQueueApcThread / NtMapViewOfSection         (Injection primitives)
Microsoft Enhanced RSA and AES Cryptographic Provider
inflate 1.0.4 / deflate                       (zlib compression)

Staged vs Stageless Comparison

The 45-minute compilation gap between the two variants suggests the actor built the staged version first, tested it, then compiled the stageless version with the full Meterpreter DLL embedded:

	hfsServ.exe (18KB)	hfsSer.exe (606KB)
GUIDs	32	11,556
Payload	512B staged stager	184,896B full Meterpreter DLL
C2	194.33.105.183:2083 (hardcoded IP)	tcp://dl.lsa.az:2083 (domain)
Compiled	2026-02-25 12:41 UTC	2026-02-25 13:26 UTC (45 min later)

The stageless variant uses a domain (dl.lsa.az) instead of a hardcoded IP, enabling infrastructure rotation without recompiling. This is the operational version -- the staged variant was the test build.

The RMM and Tunneling Layer

Beyond Meterpreter, the actor deploys two legitimate tools for persistence and lateral movement:

Ligolo-ng Agent

Field	Value
File	agent.exe
Size	7.3 MB
Tool	Ligolo-ng (github.com/nicocha30/ligolo-ng)
Default Port	11601 (confirmed listening on target)
Transport	TLS 1.3 (yamux multiplexing)
C2 Address	Runtime parameter (--connect) -- no hardcoded server
Embedded String	http://admin:secret@127.0.0.1:8080 (SOCKS proxy auth)

The Ligolo proxy server is confirmed active on port 11601 with a self-signed TLS certificate:

Subject:     O = ligolo
Issuer:      O = ligolo (self-signed)
Algorithm:   ECDSA P-256
Valid:       2026-02-18 to 2027-02-18
SHA256 FP:   C6:DD:75:9D:78:46:FE:CD:BB:5F:D3:E5:AB:23:07:70:
             9C:C6:0C:9A:57:C5:A2:A8:B3:39:43:58:C2:3E:6F:25

MeshCentral Agent

Field	Value
File	meshagent32-Access.exe
Size	3.8 MB
MeshName	Access
C2 Server	wss://az.lsa.az:444/agent.ashx
C2 Port	444 (currently DOWN)
MeshID	0xB551D33F...
ServerID	A99A9C7B...
Features	Remote desktop, file transfer, terminal, JS engine (Duktape)

MeshCentral is a legitimate open-source RMM tool. The actor uses it as a persistent backdoor under the mesh name "Access" -- a generic name that blends with legitimate enterprise deployments.

The "BLAKE ADMIN LOGIN" Panel

Port 5000 hosts a Flask/Werkzeug 3.1.5 web application with a login page titled "BLAKE ADMIN LOGIN." The UI features a matrix rain animation background and glitch CSS effects -- the footer reads "Black & White -- Glitch UI."

The application has exactly three routes:

Method	Path	Response
GET	/	302 to /login (session-aware via Vary: Cookie)
GET/POST	/login	Login form, alert('Invalid credentials') on failure
POST	/logout	302 to /login, clears session

Extensive authentication testing was conducted against this panel:

Vector	Tests	Result
Default credentials	700+ combinations	All failed
Binary-derived credentials	50+ combos (securekey, Access, ligolo, etc.)	All failed
SQL injection	14 payloads (OR, UNION, comment, blind)	No injection
NoSQL injection	$gt, $ne, $regex via JSON	No injection
SSTI (Jinja2)	{{7*7}}, {{config}}, ${7*7}	Input never reflected
Session forging	100+ Flask secret keys tested	No valid session
Timing attacks	Character-by-character analysis	No measurable difference
Werkzeug debugger	/console, /__debugger__	404 (disabled)

The panel is locked down. No debug mode, no CSRF tokens (unnecessary since there is no reflected input), and strong credentials that survived exhaustive brute-forcing. Whatever victim management data sits behind this login remains inaccessible.

Domain History: Hijacking the Dead

The lsa.az domain was not newly registered. Certificate Transparency logs reveal it was a legitimate Azerbaijani domain from 2019 that went dormant and was reactivated by the threat actor:

2019-06 to 2020-07: Legitimate — co-hosted with cmsproperties.az on cPanel shared hosting
2020-07 to 2025-05: DORMANT — no certificates, no DNS activity (5 years)
2025-05-31:         REACTIVATED — LE certs issued for lsa.az + cov.lsa.az same day
2025-06-02:         Cloudflare proxy + Google Trust wildcard certs begin
2025-06-20:         cov.lsa.az serves /en-us/ pages (possible Cobalt Strike/Covenant)
2026-02-18:         Ligolo-ng TLS cert generated on 141.11.107.134
2026-02-24:         agent.exe + TeamServ.exe served from open directory (OTX)
2026-02-25:         Sil-Crypter droppers compiled (hfsServ.exe 12:41, hfsSer.exe 13:26)
2026-03-03:         Current analysis — primary server active, secondary nodes dark

Reactivating a 5-year-dormant domain is a deliberate OPSEC choice. New domain registrations trigger threat intelligence heuristics (newly observed domain, low reputation, etc.). A domain with 2019-era certificate history and an .az country-code TLD flies under most automated filters.

Hosting Infrastructure

IP	Provider	Location	ASN	Notes
141.11.107.134	rack400.com / NForce	Netherlands	AS43350	IPXO-leased, "Private Customer" (Singapore reg, Estonian phone)
194.33.105.183	ParsVDS	Ahwaz, Iran	--	Org: Dade Pardazi Novin Yaran Tosei, Contact: Taha Sebtonabi
202.71.14.75	servers.guru / Moula World LLC	Netherlands	AS43641	Crypto-accepting, privacy-focused hosting

The hosting choices are deliberate: IPXO IP leasing for anonymity on the primary, an Iranian VPS for jurisdictional complexity, and a crypto-accepting privacy hoster for the tertiary node. Multi-jurisdictional infrastructure maximizes the difficulty of coordinated takedowns.

MITRE ATT&CK Mapping

Tactic	Technique	ID	Implementation
Resource Development	Acquire Infrastructure: Domains	T1583.001	Reactivated dormant lsa.az domain
Resource Development	Acquire Infrastructure: Virtual Private Server	T1583.003	Netherlands, Iran, Cloudflare tunnel
Resource Development	Develop Capabilities: Malware	T1587.001	Sil-Crypter v1.3 dropper framework
Resource Development	Stage Capabilities: Upload Malware	T1608.001	Open directory on :8000 with 9 tools
Execution	User Execution: Malicious File	T1204.002	Sil-Crypter PE executables
Defense Evasion	Obfuscated Files or Information	T1027	GUID-encoded shellcode (entropy ~3.8)
Defense Evasion	Obfuscated Files or Information: Dynamic API Resolution	T1027.007	XOR-encoded API hashes (securekey)
Defense Evasion	Process Injection	T1055	Injection into WUDFHost.exe
Defense Evasion	Masquerading	T1036	Filenames mimicking HFS, TeamViewer
Privilege Escalation	Access Token Manipulation	T1134	SeDebugPrivilege in Meterpreter payload
Persistence	Remote Access Software	T1219	MeshCentral agent ("Access" mesh)
Command and Control	Application Layer Protocol	T1071	Meterpreter TLV over raw TCP
Command and Control	Proxy: Multi-hop Proxy	T1090.003	Ligolo-ng tunnel proxy
Command and Control	Protocol Tunneling	T1572	Cloudflare tunnel for TCity.exe C2
Command and Control	Non-Standard Port	T1571	Ports 4040, 2083, 8181, 11601
Command and Control	Encrypted Channel: Asymmetric Cryptography	T1573.002	RSA+AES in stageless Meterpreter
Command and Control	Ingress Tool Transfer	T1105	Open directory tool staging

Detection Signatures

Snort/Suricata

# Sil-Crypter XOR key in network traffic
alert tcp any any -> any any (msg:"Sil-Crypter XOR key securekey"; \
  content:"securekey"; sid:3000001; rev:1;)

# Meterpreter reverse_tcp to Blake C2
alert tcp any any -> 141.11.107.134 4040 (msg:"Meterpreter callback to Blake C2"; \
  sid:3000002; rev:1;)

# Ligolo-ng TLS fingerprint
alert tls any any -> 141.11.107.134 11601 (msg:"Ligolo-ng tunnel to Blake C2"; \
  tls.subject:"O=ligolo"; sid:3000003; rev:1;)

# MeshCentral callback
alert tcp any any -> any 444 (msg:"MeshCentral agent callback"; \
  content:"agent.ashx"; sid:3000004; rev:1;)

# Cloudflare-tunneled Meterpreter
alert tcp any any -> 188.114.99.0 8181 (msg:"Cloudflare-tunneled Meterpreter"; \
  sid:3000005; rev:1;)

# Secondary C2 Iran
alert tcp any any -> 194.33.105.183 2083 (msg:"Meterpreter to Iranian C2"; \
  sid:3000006; rev:1;)

YARA

rule SilCrypter_v13 {
    meta:
        description = "Detects Sil-Crypter v1.3 dropper binaries"
        author = "Breakglass Intelligence"
        date = "2026-03-03"
        tlp = "TLP:CLEAR"
        reference = "https://intel.breakglass.tech"
    strings:
        $pdb1 = "Sil-Crypter" ascii
        $pdb2 = "E:\\.Mal" ascii wide
        $xor_key = "securekey" ascii
        $inject_target = "WUDFHost" ascii wide
        $s1 = "KERNEL32.dll" ascii
        $s2 = "VCRUNTIME140.dll" ascii
    condition:
        uint16(0) == 0x5A4D and
        (($pdb1 and $xor_key) or ($pdb2) or ($xor_key and $inject_target))
}

rule Blake_Meterpreter_Stager {
    meta:
        description = "Detects Meterpreter stager targeting Blake C2 141.11.107.134:4040"
        author = "Breakglass Intelligence"
        date = "2026-03-03"
        tlp = "TLP:CLEAR"
    strings:
        $ip_hex = { 8D 0B 6B 86 }  // 141.11.107.134 in network byte order
        $port = { 0F C8 }           // 4040 in network byte order
        $ws2 = "ws2_32" ascii
    condition:
        $ip_hex and ($port or $ws2)
}

rule Blake_Stageless_Meterpreter_GUID {
    meta:
        description = "Detects GUID-encoded stageless Meterpreter payload (Blake campaign)"
        author = "Breakglass Intelligence"
        date = "2026-03-03"
        tlp = "TLP:CLEAR"
    strings:
        $guid_header = "52415A4D-4855-E589" ascii  // MZAR reflective DLL header as GUID
        $uuid = "9f112744-6b69-5046-0fd6-0ed46648f79f" ascii
        $c2_domain = "dl.lsa.az" ascii wide
    condition:
        any of them
}

rule Ligolo_Agent {
    meta:
        description = "Detects Ligolo-ng tunneling agent"
        author = "Breakglass Intelligence"
        date = "2026-03-03"
        tlp = "TLP:CLEAR"
    strings:
        $s1 = "ligolo-ng" ascii
        $s2 = "nicocha30" ascii
        $s3 = "Made in France" ascii
        $s4 = "yamux" ascii
    condition:
        uint16(0) == 0x5A4D and 2 of them
}

Indicators of Compromise

Network Indicators

Type	Indicator	Context
IPv4	141.11.107.134	Primary C2 -- Netherlands, rack400.com, AS43350
IPv4	194.33.105.183	Secondary C2 -- Iran, ParsVDS/IAUAHWAZ, Ahwaz
IPv4	202.71.14.75	Tertiary infrastructure -- Netherlands, servers.guru, AS43641
IPv4	188.114.99.0	Cloudflare tunnel endpoint
Port	4040/tcp	Meterpreter handler
Port	5000/tcp	Flask admin panel ("BLAKE ADMIN LOGIN")
Port	8000/tcp	Open directory / tool staging
Port	11601/tcp	Ligolo-ng tunnel proxy
Port	2083/tcp	Stageless Meterpreter C2 (Iranian VPS)
Port	8181/tcp	Cloudflare-tunneled Meterpreter
Port	444/tcp	MeshCentral WebSocket (currently down)

Domain Indicators

Domain	Resolution	Purpose
lsa.az	-- (apex, no A record)	Parent C2 zone (.az TLD, Cloudflare DNS)
az.lsa.az	141.11.107.134	MeshCentral C2 + primary server
dl.lsa.az	194.33.105.183	Stageless Meterpreter C2
cov.lsa.az	202.71.14.75	Secondary staging/C2

URL Indicators

hxxp://141.11.107[.]134:5000/login          (Flask admin panel)
hxxp://141.11.107[.]134:8000/               (Open directory / tool staging)
hxxp://141.11.107[.]134:4040                (Meterpreter handler)
hxxp://141.11.107[.]134:11601               (Ligolo-ng proxy)
wss://az.lsa[.]az:444/agent.ashx            (MeshCentral C2)
tcp://dl.lsa[.]az:2083                      (Stageless Meterpreter C2)
hxxp://194.33.105[.]183:2083                (Secondary Meterpreter -- direct IP)
hxxp://188.114.99[.]0:8181                  (Cloudflare-tunneled Meterpreter)
hxxp://cov.lsa[.]az/en-us/index.html        (Historical staging -- June 2025)

File Hashes (SHA-256)

Filename	SHA-256	Notes
4040.bin	b4d245e7ac0ce26a3d7cfcdf261697a2fcb7b3eee896d2a3bcd94ae3c7721e47	Windows x64 Meterpreter stager
reverse.elf	80b18e4ea12101e482f9a9b0b880c2364a9f8879b9c0dd07939b841aa946ca24	Linux x64 Meterpreter stager
agent.exe	4b41f36f82db6da8767a0a1c2997c8242d80b2d10a8f1d28c252a9306ec152b5	Ligolo-ng tunneling agent
meshagent32-Access.exe	6545b109e575cc3a60d80e7155a4a5f70d770adbe96965cb7e42a2d62ca83043	MeshCentral RMM agent
hfsSer.exe	5ad5865b4fbfd641322ad9a81feef73dd5595c1a2581ddc597e2e59ef39264ff	Sil-Crypter v1.3 (606KB stageless)
hfsServ.exe	deb4f380d5161558f6346b3454bc6940e448d42331c18d5897e5b584c541ea01	Sil-Crypter v1.3 (18KB staged)
Stnon.exe	6a3a4b0552cc98c9e45f85eecee968c0108535b52ec0f8c5f835e7e0322c66f9	Sil-Crypter v1.3-Copy
TCity.exe	b1e7e3f50e10a731bd145b6d6e1ee38641ce30a4a2c73e8b54582de5926b3059	Sil-Crypter v1.3-Copy (CF tunnel)
TeamServ.exe	d0e6c07c094c482eed3ebe6441a1348db9668ef4f596e563ad2f1637bb5ed5fb	Sil-Crypter v1.3-Copy
(decoded payload)	76056f0b34dfb2959918a8beced30c71750faacaeec88f8fc0851162e7b38cb1	Stageless Meterpreter DLL (184KB)

Host-Based Indicators

Type	Indicator	Context
PDB Path	E:\.Mal\1.Stealers\First\Sil-Crypter\Project SIL 1.3\Templates\Sil-Crypter\x64\Release\Sil-Crypter.pdb	Attacker dev environment
PDB Path	C:\MeshAgent\MeshAgent\Release\MeshService.pdb	MeshCentral agent
XOR Key	securekey	Sil-Crypter API hash decryption
Process	WUDFHost.exe	Injection target
User-Agent	loader-updater/1.0	Dropper network activity
Meterpreter UUID	9f112744-6b69-5046-0fd6-0ed46648f79f	Stageless payload identifier

TLS Indicators

Field	Value
Ligolo Certificate SHA-256	C6:DD:75:9D:78:46:FE:CD:BB:5F:D3:E5:AB:23:07:70:9C:C6:0C:9A:57:C5:A2:A8:B3:39:43:58:C2:3E:6F:25
Ligolo Subject	O=ligolo
Ligolo Created	2026-02-18

MeshCentral Identifiers

Field	Value
MeshName	Access
MeshID	0xB551D33F9968B8F334AE69A015C933B1A9F79868B74E7A1A63CF71B06D8150C48FD381FC3B5797AE231736FF80B3E47A
ServerID	A99A9C7B7E30B89F71E9BA5CCFAEC2456BB64A64A35F4780F205ABAD0014AEE6B883CF6316F998EBC54A98188853AD02

Conclusion

This investigation fully mapped a live multi-node C2 infrastructure from an unauthenticated open directory through to decoded stageless Meterpreter payloads and historical domain intelligence. The actor behind "Blake C2" demonstrates competent operational security -- no SSH, multi-jurisdictional hosting, dormant domain reuse, Cloudflare tunneling, strong panel credentials -- but made a critical mistake by leaving their tool staging server wide open. That single misconfiguration exposed the entire kill chain: the Sil-Crypter builder framework, the GUID-based evasion technique, the Ligolo/MeshCentral persistence layer, and a hidden Iranian C2 node that would have been invisible from network telemetry alone.

The E:\.Mal\1.Stealers\ path in the PDB strings tells us this actor has more tools we have not seen yet. The numbered directory structure suggests an organized library. We found category 1 (Stealers), tool "First" (Sil-Crypter). The rest of that E: drive remains unknown.

The server was operational and serving payloads as of 2026-03-03 08:15 UTC.

---

Published by Breakglass Intelligence. Investigation conducted 2026-03-03. Classification: TLP:CLEAR