BORZ C2 Panel — Dual-Process Loader with Iranian Missile Theme, Chechen Branding, and Russian Infrastructure
A Slack decoy loader drops a "Khorramshahr-4 loaded" text artifact while connecting to a BORZ (wolf) C2 panel on a Moscow-registered ASN. Three geopolitical spheres, zero coherent attribution.
Case ID: borz-c2-94-232-46-16-20260417-priority-15f859c9
Date: 2026-04-17
Classification: TIER1 — Manual Lead (Score: 95/100)
Source: jeffery (community threat intel, manual submission)
Status: ACTIVE INVESTIGATION — C2 panel currently OFFLINE
Analyst: Ghost OSINT (automated)
Executive Summary
A dual-process loader campaign was reported in which the legitimate Slack desktop application is launched as a decoy while a second-stage payload is downloaded and executed from hxxp://94.232.46[.]16:8081/dl. The payload establishes persistence (mechanism not yet determined) and connects to botnet C2 on ports 27015 and 27016 of the same host. A dropped text file contains the string "Khorramshahr-4 loaded", the name of an IRGC ballistic missile reported in use during the 2025–2026 Iran conflict. The C2 panel, branded BORZ ("wolf" in Chechen), is served at hxxp://94.232.46[.]16:8081/login.
Key Findings:
- C2 panel is currently offline (ECONNREFUSED on HTTP and HTTPS as of 2026-04-17)
- Infrastructure is attributed to AS48080 (Dmitriy Panchenko), a Moscow-registered ASN that IPinfo lists as inactive/depeered with 0 announced prefixes. Because the host answered probes with TCP resets, some AS is announcing a prefix that covers it; the actual origin AS must be confirmed (RIPEstat, bgp.tools) before this is read as covert transit or BGP manipulation
- The 94.232.46.0/24 range has extensive abuse history on AbuseIPDB (neighboring .202 has 84,932 reports; .20 has 7,399 reports)
- BORZ is a previously unreported C2 panel family — no existing public threat intelligence matches
- Ports 27015/27016 are the default Valve Source Engine game server ports; Gafgyt/Mirai variants ship a VSE flood module aimed at such servers and A2S queries have been abused for reflection, so the ports are strongly associated with DDoS botnet tooling
- No overlap with existing Breakglass investigations or IOC database
- No confirmed link to known Iranian APT groups (MuddyWater, APT35, APT42, Handala Hack, etc.)
- Attribution assessment: likely false flag or hacktivist — Iranian missile naming with Russian infrastructure and Chechen panel branding crosses three unrelated geopolitical spheres
1. Infrastructure Analysis
1.1 IP Address & Network
| Field | Value |
|---|---|
| IP Address | 94.232.46[.]16 |
| ASN | AS48080 |
| ASN Registrant | Dmitriy Panchenko |
| ASN Registry | RIPE |
| ASN Allocated | 2020-12-17 |
| ASN Status | Inactive (0 announced IPv4/IPv6 prefixes as of 2026-04-17) |
| Registrant Address | Shirokaya street 1, bld. 4, apt. 15, 127282, Moscow, Russian Federation |
| Shodan InternetDB | No data (404) |
| VirusTotal | No specific detections indexed for this IP |
| AbuseIPDB | No direct reports for .16; range heavily abused (see §1.2) |
1.2 Neighborhood Analysis (94.232.46.0/24)
Multiple IPs in the same /24 have significant abuse histories:
| IP | AbuseIPDB Reports | Registrant |
|---|---|---|
| 94.232.46[.]202 | 84,932 | Dmitriy Panchenko |
| 94.232.46[.]20 | 7,399 | Dmitriy Panchenko |
| 94.232.46[.]25 | 2,251 | Dmitriy Panchenko |
| 94.232.46[.]171 | Listed | Dmitriy Panchenko |
| 94.232.46[.]15 | 36 | Dmitriy Panchenko |
| 94.232.46[.]10 | 10 | Dmitriy Panchenko |
| 94.232.46[.]30 | 13 | Dmitriy Panchenko |
| 94.232.46[.]203 | Listed | RocketCloud.ru |
Assessment: This /24 block is registered to a single Moscow-based operator with an extensive abuse history, and the RocketCloud.ru registration on .203 suggests at least part of the block is resold. The "inactive" ASN does not by itself indicate hijacking or stealth: a host that returns TCP resets is globally routed, which means some AS is announcing a prefix that covers it, and a registrant ASN that announces nothing while an upstream originates its space is a routine arrangement. Treat the origin AS of the covering prefix as an open question: query RIPEstat or bgp.tools for the current and historical origin of 94.232.46.0/24 (or its covering aggregate) and pivot on that AS, its other prefixes and its upstreams. Only a mismatch between the RIR route object and the observed origin, or a short-lived announcement from an unrelated AS, would support a hijack hypothesis.
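The check described above, as an added example that is not part of the original report: a longest-prefix-match lookup over a routing table that answers "which announced prefix covers 94.232.46.16, and which AS originates it?" The routing data below is constructed (RFC 5398 documentation ASNs 64500/64501/64502 stand in for whatever the real origins are) and must be replaced with a live RIPEstat or bgp.tools export; `ripestat_url` only builds the query URL for RIPEstat's public `prefix-overview` call, it does not fetch anything.

```python
import ipaddress
from typing import Optional

# Constructed routing table: prefix -> origin AS. The ASNs are documentation
# numbers (RFC 5398) standing in for real data; populate from RIPEstat or a
# bgp.tools / RouteViews export before drawing conclusions.
SAMPLE_RIB = {
    "94.232.46.0/24": 64500,   # hypothetical origin of the /24
    "94.232.0.0/16": 64501,    # hypothetical less-specific aggregate
    "203.0.113.0/24": 64502,   # unrelated prefix, present to exercise the match
}

REGISTRANT_ASN = 48080  # ASN the report attributes to the registrant


def ripestat_url(ip: str) -> str:
    """URL of RIPEstat's public prefix-overview call for the prefix covering ip."""
    return f"https://stat.ripe.net/data/prefix-overview/data.json?resource={ip}"


def covering_announcement(ip: str, rib: dict) -> Optional[tuple]:
    """Longest-prefix match: the most specific announced prefix containing ip,
    returned as (network, origin_as), or None if nothing covers it."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, origin in rib.items():
        net = ipaddress.ip_network(prefix, strict=False)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, origin)
    return best


def assess_origin(ip: str, rib: dict, registrant_asn: int) -> dict:
    """Compare the observed origin AS with the registrant's ASN and say what
    that does (and does not) imply."""
    match = covering_announcement(ip, rib)
    if match is None:
        return {"prefix": None, "origin_as": None,
                "verdict": "no covering announcement: host is not globally routed"}
    net, origin = match
    if origin == registrant_asn:
        verdict = "registrant ASN originates the covering prefix"
    else:
        verdict = ("covering prefix is originated by a different AS; routine for "
                   "space announced by an upstream, not by itself evidence of hijack")
    return {"prefix": str(net), "origin_as": origin, "verdict": verdict}


if __name__ == "__main__":
    print(ripestat_url("94.232.46.16"))
    print(assess_origin("94.232.46.16", SAMPLE_RIB, REGISTRANT_ASN))
```

To make the verdict meaningful, compare the origin returned by RIPEstat against the `route` object in the RIPE Database for the prefix and against the announcement history (RIPEstat's `routing-history` call); a recent change of origin, or an origin with no matching route object, is the signal worth chasing.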
1.3 Port Services
| Port | Protocol | Service Assessment |
|---|---|---|
| 8081 | TCP | BORZ C2 panel (HTTP) — /login (admin panel), /dl (payload distribution) |
| 27015 | TCP/UDP | Valve Source Engine default game port (UDP game/query traffic, TCP RCON); reported here as a botnet C2 channel, protocol unconfirmed |
| 27016 | TCP/UDP | Default SourceTV / secondary game server port; reported here as a botnet C2 channel, protocol unconfirmed |
Port 27015/27016 Analysis: These are the default ports for Valve Source Engine dedicated game servers (Counter-Strike, TF2, Left 4 Dead, Garry's Mod). They have been historically abused by:
- Gafgyt botnet variants, which carry a VSE (Valve Source Engine) attack module that floods game servers with crafted A2S queries
- Mirai variants that include the same VSE flood against game servers
- Reflection/amplification attacks that spoof A2S_INFO / A2S_RULES queries so that exposed servers answer toward a victim
- Botnet C2 channels that use game-server ports so traffic blends with legitimate gaming sessions
The use of these ports suggests the botnet component does one of the following:
- Repurposes game server infrastructure for C2 communication (protocol blending)
- Operates a DDoS-for-hire service using game server amplification
- Uses game server protocol as a covert channel to evade network-layer detection
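Whether 27015/27016 carry Source Engine traffic or a custom protocol is directly testable: a real Source server answers the 25-byte A2S_INFO query (after an optional challenge round-trip that newer servers require) with an S2A_INFO reply, and a custom C2 listener will not. The following is an added example, not code from the report or from the actor's tooling: it builds the A2S_INFO probe, parses the reply, and wraps both in a UDP prober. The sample reply bytes are constructed to resemble a Counter-Strike: Source server; `probe_a2s` must only be pointed at hosts you are authorised to scan.

```python
import socket
import struct

A2S_HEADER = b"\xff\xff\xff\xff"          # single-packet response/request header
A2S_SPLIT_HEADER = b"\xfe\xff\xff\xff"    # multi-packet response (not reassembled here)
A2S_INFO_REQUEST = A2S_HEADER + b"TSource Engine Query\x00"
S2C_CHALLENGE = 0x41   # 'A': server wants the query re-sent with a 4-byte challenge
S2A_INFO = 0x49        # 'I': Source info reply


def build_info_query(challenge: bytes = b"") -> bytes:
    """A2S_INFO request, with the server's challenge appended on the retry."""
    return A2S_INFO_REQUEST + challenge


def _cstring(buf: bytes, off: int):
    """Read a NUL-terminated string at off; return (text, offset after NUL)."""
    end = buf.index(b"\x00", off)
    return buf[off:end].decode("utf-8", "replace"), end + 1


def parse_a2s_response(data: bytes):
    """Classify a UDP reply: ('challenge', bytes), ('info', dict),
    ('split', None), ('malformed', None) or ('not_a2s', None)."""
    if data[:4] == A2S_SPLIT_HEADER:
        return ("split", None)
    if len(data) < 5 or data[:4] != A2S_HEADER:
        return ("not_a2s", None)
    kind = data[4]
    if kind == S2C_CHALLENGE:
        return ("challenge", data[5:9]) if len(data) >= 9 else ("malformed", None)
    if kind != S2A_INFO:
        return ("not_a2s", None)
    try:
        info = {"protocol": data[5]}
        off = 6
        for key in ("name", "map", "folder", "game"):
            info[key], off = _cstring(data, off)
        info["app_id"] = struct.unpack_from("<H", data, off)[0]
        off += 2
        info["players"], info["max_players"], info["bots"] = data[off:off + 3]
        off += 3
        info["server_type"], info["environment"] = chr(data[off]), chr(data[off + 1])
        off += 2
        info["visibility"], info["vac"] = data[off], data[off + 1]
        off += 2
        info["version"], off = _cstring(data, off)   # EDF and extras, if any, follow
    except (ValueError, IndexError, struct.error):
        return ("malformed", None)
    return ("info", info)


def sample_info_reply() -> bytes:
    """Constructed S2A_INFO reply resembling a Counter-Strike: Source server (app 240)."""
    return (A2S_HEADER + bytes([S2A_INFO, 17])
            + b"Test Server\x00" + b"de_dust2\x00" + b"cstrike\x00" + b"Counter-Strike: Source\x00"
            + struct.pack("<H", 240)      # app ID
            + bytes([3, 16, 0])           # players, max players, bots
            + b"dl"                       # dedicated server, Linux
            + bytes([0, 1])               # public, VAC enabled
            + b"1.0.0.0\x00")


def probe_a2s(host: str, port: int, timeout: float = 3.0):
    """One A2S_INFO exchange, following a challenge if the server issues one.
    Authorised targets only."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_info_query(), (host, port))
            kind, payload = parse_a2s_response(s.recv(4096))
            if kind == "challenge":
                s.sendto(build_info_query(payload), (host, port))
                kind, payload = parse_a2s_response(s.recv(4096))
            return kind, payload
        except socket.timeout:
            return ("no_reply", None)


if __name__ == "__main__":
    print(parse_a2s_response(sample_info_reply()))
```

Interpretation: `info` means a genuine (or convincingly emulated) Source server is listening; `no_reply` or `not_a2s` on 27015/27016 means the port is not speaking the game protocol, which favours the custom-protocol hypothesis over protocol blending. A capture of the real traffic is still needed to characterise the C2 framing.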
2. Malware Analysis
2.1 Infection Chain
┌──────────────────────────┐
│ STAGE 0: Initial Access │
│ Dual-process loader │
│ (delivery unknown) │
└──────────┬───────────────┘
│
▼
┌──────────────────────────────────┐
│ STAGE 1: Decoy + Loader │
│ Process A: Launch Slack.exe │
│ Process B: Download from │
│ hxxp://94.232.46[.]16:8081/dl │
└──────────┬───────────────────────┘
│
▼
┌──────────────────────────────────┐
│ STAGE 2: Payload Execution │
│ - Establish persistence │
│ - Drop "Khorramshahr-4 loaded" │
│ - Connect to botnet C2: │
│ 94.232.46[.]16:27015 │
│ 94.232.46[.]16:27016 │
└──────────────────────────────────┘
2.2 Behavioral Indicators
| Behavior | Detail |
|---|---|
| Decoy Application | Legitimate Slack desktop application launched as distraction |
| Payload Download | HTTP GET to hxxp://94.232.46[.]16:8081/dl |
| Persistence | Mechanism unknown (requires sample analysis) |
| Artifact Drop | TXT file containing "Khorramshahr-4 loaded" |
| C2 Communication | Connects to 94.232.46[.]16 on ports 27015 and 27016 |
| C2 Protocol | Unknown; either Source Engine framing chosen for blending or a custom binary protocol (requires PCAP or sample) |
2.3 Payload Status
The payload endpoint (/dl) is currently OFFLINE: on 2026-04-17 connections to port 8081 over both HTTP and HTTPS were actively refused (ECONNREFUSED, i.e. the host, or a device in front of it, sent a TCP RST). A reset means the address is still routed and reachable and simply has no listener on 8081; a null-route or a withdrawn prefix would instead produce a timeout or "no route to host". Possible explanations, in decreasing order of consistency with that evidence:
- Operator stopped or moved the panel after detection, leaving the host up
- Temporary maintenance / infrastructure rotation on the same host
- Null-routing by the upstream provider, or severed routing from the ASN depeering; unlikely given the reset, unless the refusal came from an upstream device rather than the host itself
Ports 27015/27016 were not probed (status UNKNOWN in §6) and may still be live.
Action Required: Monitor for infrastructure resurrection. The operator may re-deploy on a different IP within the same /24 or on new infrastructure.
3. C2 Panel: BORZ
3.1 Panel Characteristics
| Field | Value |
|---|---|
| Panel Name | BORZ |
| Meaning | "Wolf" in Chechen language (Борз) |
| Login URL | hxxp://94.232.46[.]16:8081/login |
| Payload URL | hxxp://94.232.46[.]16:8081/dl |
| Known Family | No — BORZ does not match any known C2 panel family in public reporting |
| Public Reporting | None found — no threat intel vendors, OSINT databases, or security research references this panel |
3.2 Assessment
BORZ appears to be a custom or emerging C2 framework not yet documented by the security community. The Chechen name combined with Russian hosting infrastructure and Iranian military theming produces an attribution puzzle. This could indicate:
- Cybercriminal tooling — a commercial C2-as-a-Service product with cosmetic theming
- Hacktivist creation — ideologically motivated actor using provocative naming
- False flag operation — deliberate attribution confusion mixing Iranian, Chechen, and Russian indicators
- New threat actor — previously unknown group with multicultural membership or interests
4. Attribution Analysis
4.1 "Khorramshahr-4" Reference
The Khorramshahr-4 is a real, actively deployed IRGC medium-range ballistic missile:
| Field | Detail |
|---|---|
| Type | Medium-Range Ballistic Missile (MRBM) |
| Developer | Aerospace Industries Organization (AIO), Iran |
| Operator | Islamic Revolutionary Guard Corps (IRGC) |
| Range | 2,000 km |
| Warhead | 1,500 kg (MIRV/cluster capable) |
| Propulsion | Hypergolic fuel, 12-minute launch prep |
| Unveiled | 25 May 2023 |
| Deployed | February 2026 (IRGC "missile cities") |
| Combat Use | Strikes on Tel Aviv, Ben Gurion Airport (2026); US bases in Qatar/Bahrain (March 2026) |
Significance: The "Khorramshahr-4 loaded" artifact string directly references an active weapons system used in ongoing military operations. This is either:
- Genuine IRGC cyber-kinetic signaling — using a missile name as a calling card (low confidence — Iranian APTs typically use Farsi strings, not English transliterations; no known Iranian APT uses Russian infrastructure or Chechen branding)
- False flag / intimidation — non-Iranian actor leveraging current events for psychological impact (medium-high confidence)
- Hacktivist bravado — pro-Iranian hacktivist group signaling support for IRGC operations (medium confidence)
4.2 Attribution Matrix
| Indicator | Points Toward | Points Away From |
|---|---|---|
| "BORZ" (Chechen for wolf) | Chechen/Caucasus actor | Iranian state actor |
| Khorramshahr-4 reference | Iranian alignment/sympathy | Russian/Chechen origin |
| AS48080 Moscow hosting | Russian infrastructure | Iranian state infrastructure (typically Hosterdaddy/AS136557, NameCheap) |
| Slack decoy technique | Operator care in user-facing tradecraft (victim sees the application they expected) | Not an APT discriminator; commodity loaders also launch the real application as a decoy |
| Dual-process loader | Common in Iranian APT chains (decoy PDF + loader) | Pattern also used by Chinese, Russian, North Korean APTs |
| Game server ports (27015/27016) | Botnet/DDoS operation | Nation-state espionage |
| No Telegram C2 | Unusual for Iranian APTs (MuddyWater, MOIS groups favor Telegram) | — |
| Custom C2 panel | New actor or private tooling | Established APT (would reuse known tools) |
4.3 Attribution Assessment
| Hypothesis | Confidence |
|---|---|
| False flag / multi-national hacktivist group | HIGH (60%) |
| Cybercriminal botnet operator with provocative theming | MEDIUM (25%) |
| IRGC-affiliated proxy using cutout infrastructure | LOW (10%) |
| Chechen/Caucasus nationalist cyber group | LOW (5%) |
Rationale: The mixing of Iranian missile naming (Khorramshahr-4), Chechen linguistic branding (BORZ = wolf), and Russian hosting infrastructure (AS48080, Moscow) is inconsistent with known Iranian APT operational patterns. Known Iranian groups (MuddyWater, APT35, APT42, Handala Hack, FAD Team) use:
- Hosterdaddy (AS136557), NameCheap, M247, EDIS GmbH for hosting — not Dmitriy Panchenko/AS48080
- Telegram API, Wasabi S3, MEGA for C2/exfil — not game server ports
- Decoy PDFs, KeePass, Telegram authenticator executables — Slack as a decoy is atypical
- Farsi-language artifacts — English-language "Khorramshahr-4 loaded" is atypical
5. MITRE ATT&CK Mapping
| Tactic | Technique | ID | Evidence |
|---|---|---|---|
| Initial Access | Phishing / Malicious File | T1566 | Dual-process loader distribution (method TBD) |
| Execution | User Execution: Malicious File | T1204.002 | User executes loader, triggers Slack + payload |
| Defense Evasion | Masquerading: Match Legitimate Name | T1036.005 | Slack used as decoy to appear legitimate |
| Defense Evasion | Indicator Removal: File Deletion | T1070.004 | Assumed cleanup of loader after execution (unconfirmed without sample) |
| Persistence | Boot or Logon Autostart Execution | T1547 | Persistence mechanism (requires sample) |
| Command and Control | Application Layer Protocol: Web Protocols | T1071.001 | HTTP on port 8081 (panel login and /dl retrieval); protocol on 27015/27016 unknown |
| Command and Control | Non-Standard Port | T1571 | C2 on ports 27015, 27016 (game server ports) |
| Command and Control | Protocol Tunneling | T1572 | Possible game protocol tunneling on 27015/27016 |
| Command and Control | Ingress Tool Transfer | T1105 | Payload download from /dl endpoint |
| Discovery | System Information Discovery | T1082 | Likely (standard botnet behavior) |
| Impact | Resource Hijacking | T1496 | Possible DDoS botnet participation |
6. IOC Table
Network Indicators
| Type | Value | Context | Confidence | Status |
|---|---|---|---|---|
| IPv4 | 94.232.46[.]16 | Primary C2 server | HIGH | OFFLINE (2026-04-17) |
| URL | hxxp://94.232.46[.]16:8081/login | BORZ C2 panel login | HIGH | OFFLINE |
| URL | hxxp://94.232.46[.]16:8081/dl | Payload download endpoint | HIGH | OFFLINE |
| IP:Port | 94.232.46[.]16:27015 | Botnet C2 channel | HIGH | UNKNOWN |
| IP:Port | 94.232.46[.]16:27016 | Botnet C2 channel | HIGH | UNKNOWN |
| IP:Port | 94.232.46[.]16:8081 | BORZ panel HTTP | HIGH | OFFLINE |
| ASN | AS48080 | Dmitriy Panchenko, Moscow, RU | MEDIUM | INACTIVE |
Host Indicators
| Type | Value | Context | Confidence |
|---|---|---|---|
| File Content | "Khorramshahr-4 loaded" | Dropped TXT artifact | HIGH |
| Process | Slack.exe (legitimate) | Decoy application | MEDIUM |
| Behavior | Dual-process execution | Loader spawns Slack + payload | HIGH |
Infrastructure Pivot Indicators
| Type | Value | Context | Confidence |
|---|---|---|---|
| IP Range | 94.232.46[.]0/24 | Same hosting block, high abuse | MEDIUM |
| IPv4 | 94.232.46[.]202 | Same range, 84,932 abuse reports | LOW |
| IPv4 | 94.232.46[.]20 | Same range, 7,399 abuse reports | LOW |
| Registrant | Dmitriy Panchenko | ASN operator | MEDIUM |
| Hosting | RocketCloud.ru | Related hosting brand on .203 | LOW |
7. Recommendations
Immediate Actions
- Block all traffic to/from 94.232.46[.]16 on all ports (firewall/IDS)
- Block the entire 94.232.46[.]0/24 range if operationally feasible (high abuse neighborhood)
- Hunt for network connections to 94.232.46[.]16 on ports 8081, 27015, 27016 in SIEM/NDR
- Hunt for the string "Khorramshahr-4 loaded" on endpoints (EDR file content scan)
- Hunt for anomalous Slack.exe process trees (Slack spawning from non-standard parent processes)
- Monitor for infrastructure resurrection — the operator may re-deploy on adjacent IPs
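The two endpoint hunts above (anomalous Slack.exe parents and connections to the C2 host) are most useful when correlated: the loader's signature is one parent process that spawns Slack.exe and, within seconds, also spawns (or is) the process that connects to 94.232.46.16. The following is an added example rather than anything from the report: it runs that correlation over constructed events shaped like Sysmon Event ID 1 (process create) and Event ID 3 (network connect), built inline. The parent allowlist for Slack.exe (explorer.exe, slack.exe and the Squirrel updater update.exe) and the 120-second window are assumptions to tune per environment.

```python
IOC_IP = "94.232.46.16"
IOC_PORTS = {8081, 27015, 27016}
# Assumed benign parents for slack.exe: shell launch, Slack's own helper
# processes, and the Squirrel updater. Tune per environment.
SLACK_PARENT_ALLOWLIST = {"explorer.exe", "slack.exe", "update.exe"}


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


# Constructed sample events (hypothetical hosts, pids and paths). Timestamps
# are epoch seconds. The first five model the loader; the last two are benign.
SAMPLE_EVENTS = [
    {"ts": 100.0, "type": "process_create", "pid": 4000, "ppid": 1200,
     "image": r"C:\Users\victim\Downloads\SlackSetup.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"ts": 101.0, "type": "process_create", "pid": 4010, "ppid": 4000,
     "image": r"C:\Users\victim\AppData\Local\slack\slack.exe",
     "parent_image": r"C:\Users\victim\Downloads\SlackSetup.exe"},
    {"ts": 101.4, "type": "process_create", "pid": 4011, "ppid": 4000,
     "image": r"C:\Users\victim\AppData\Local\Temp\svc.exe",
     "parent_image": r"C:\Users\victim\Downloads\SlackSetup.exe"},
    {"ts": 103.2, "type": "network_connect", "pid": 4011,
     "image": r"C:\Users\victim\AppData\Local\Temp\svc.exe",
     "dst_ip": "94.232.46.16", "dst_port": 8081},
    {"ts": 130.0, "type": "network_connect", "pid": 4011,
     "image": r"C:\Users\victim\AppData\Local\Temp\svc.exe",
     "dst_ip": "94.232.46.16", "dst_port": 27015},
    {"ts": 200.0, "type": "process_create", "pid": 5000, "ppid": 900,
     "image": r"C:\Users\victim\AppData\Local\slack\slack.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"ts": 205.0, "type": "network_connect", "pid": 5000,
     "image": r"C:\Users\victim\AppData\Local\slack\slack.exe",
     "dst_ip": "203.0.113.10", "dst_port": 443},
]


def hunt(events, window_s: float = 120.0):
    """Correlate Slack.exe launches with their parent, sibling processes and
    connections to the IOC host; return a list of finding dicts."""
    findings = []
    creates = [e for e in events if e["type"] == "process_create"]
    connects = [e for e in events if e["type"] == "network_connect"]
    for slack in (e for e in creates if basename(e["image"]) == "slack.exe"):
        parent = basename(slack["parent_image"])
        if parent not in SLACK_PARENT_ALLOWLIST:
            findings.append({"rule": "slack_unusual_parent", "slack_pid": slack["pid"],
                             "parent_pid": slack["ppid"], "parent_image": parent})
        # Siblings: other children of the same parent, launched close in time.
        siblings = {e["pid"] for e in creates
                    if e["ppid"] == slack["ppid"] and e["pid"] != slack["pid"]
                    and abs(e["ts"] - slack["ts"]) <= window_s}
        suspects = siblings | {slack["ppid"]}
        for c in connects:
            if (c["pid"] in suspects and c["dst_ip"] == IOC_IP
                    and c["dst_port"] in IOC_PORTS
                    and abs(c["ts"] - slack["ts"]) <= window_s):
                findings.append({"rule": "dual_process_loader", "slack_pid": slack["pid"],
                                 "loader_pid": slack["ppid"], "connecting_pid": c["pid"],
                                 "dst": f'{c["dst_ip"]}:{c["dst_port"]}'})
    # Any contact with the IOC host is its own finding, process tree or not.
    for c in connects:
        if c["dst_ip"] == IOC_IP and c["dst_port"] in IOC_PORTS:
            findings.append({"rule": "ioc_connection", "pid": c["pid"],
                             "dst": f'{c["dst_ip"]}:{c["dst_port"]}'})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f)
```

The `dual_process_loader` rule is the one that survives infrastructure rotation: it keys on the parent/sibling shape rather than on the IP, so once the sample is in hand the IOC match can be swapped for a hash or path match without changing the correlation.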
Sample Acquisition (Priority)
- Acquire payload sample: check MalwareBazaar, VirusTotal, Any.Run for submissions referencing 94.232.46[.]16:8081/dl
- Request sample from submitter (jeffery) if available
- Set up a scheduled poller for the /dl and /login endpoints (from non-attributable egress) to capture the payload as soon as the panel comes back online
Intelligence Sharing
- Submit IOCs to MISP, OTX, ThreatFox
- File abuse reports with the abuse-c contacts listed in the RIPE Database for 94.232.46.0/24 and AS48080 (RIPE NCC itself does not act on abuse complaints)
- Notify Slack security team about brand abuse in decoy loader
- Share with CISA/IC3 given the Iranian military naming connection
8. Intelligence Gaps
| Gap | Priority | Action |
|---|---|---|
| No malware sample available | CRITICAL | Acquire from submitter or monitor /dl endpoint |
| C2 panel offline — cannot assess panel capabilities | HIGH | Monitor for resurrection; check web archives |
| Persistence mechanism unknown | HIGH | Requires sample analysis |
| C2 protocol on 27015/27016 unknown | HIGH | Requires PCAP or sample analysis |
| No reverse DNS for 94.232.46[.]16 | MEDIUM | Check historical passive DNS databases |
| SSL/TLS certificate history unknown | MEDIUM | Check crt.sh, Censys for historical certs |
| Payload hash unknown | CRITICAL | Cannot check VT/MalwareBazaar without hash |
| Full port scan not conducted | MEDIUM | Requires active scanning authorization |
| Actor identity/group unknown | MEDIUM | Continue OSINT monitoring for BORZ panel sightings |
Appendix A: YARA Rules
See: yara_rules.yar
Appendix B: STIX 2.1 Bundle
See: stix_bundle.json
Appendix C: Related Investigations
No overlap found with existing Breakglass investigations in the current IOC database. The IP 94.232.46[.]16 does not appear in any prior investigation.
Appendix D: Sources
- CYFIRMA Weekly Intelligence Report — 17 April 2026
- Unit 42 — Iranian Cyberattacks 2026
- Seqrite — Iran-US-Israel Cyberwar 2026
- Hunt.io — Iranian APT Infrastructure
- SOCRadar — Iran-Israel Cyber Conflict Dashboard
- CISA — Iranian Cyber Threat Advisories
- Halcyon — Iranian Cybercriminal Tactics 2026
- CCCS — Iranian Cyber Threat Bulletin Feb 2026
- Army Recognition — Khorramshahr-4 Missile
- Wikipedia — Khorramshahr Missile
- IPinfo — AS48080
- AbuseIPDB — 94.232.46.x range
- Threatpost — Gafgyt Variant Targeting Source Engine
- Krebs on Security — Bulletproof Hosting