
One IOC, 24 Domains, 100 Subdomains: Inside a ClearFake WebDAV Campaign With Three Zero-Detection Payloads

Go/garble DLLs masquerading as Logitech and Intel — zero VirusTotal hits, Cloudflare-fronted WebDAV, and a typo that gave it away

Published April 1, 2026
Tags: clearfake, webdav, javascript-injection, go, garble, cloudflare, zero-detection

One subdomain. pilot-svc.aerovector.in.net. A ClearFake indicator sitting in ThreatFox with four siblings, tagged and forgotten. No samples attached. No infrastructure analysis. No payload recovery. Just a domain name and a malware family label.

We pulled the thread. Behind that single indicator was a 24-domain payload delivery network spanning two Cloudflare account clusters, a fully exposed WebDAV backend with no authentication, an HTML lure mimicking Cloudflare's own phishing interstitial -- complete with a typo that betrays its forgery -- and three previously unknown payloads that had zero detections across VirusTotal and MalwareBazaar before this investigation.

This is the story of how a ClearFake JavaScript injection campaign built a disposable empire under the .in.net TLD, and how a single PROPFIND request tore the curtain off the entire operation.

Five Subdomains Become a Hundred

ThreatFox had five IOCs for aerovector.in.net -- five subdomains tagged as ClearFake. The standard analyst workflow would be to add them to a blocklist and move on. But ClearFake campaigns don't operate on single domains. They burn through infrastructure at industrial scale.

So we queried ThreatFox for the full ClearFake family. Within the same 6-hour reporting window -- March 31 at 22:50 UTC through April 1 at 04:10 UTC -- 100 IOCs had been submitted across 24 parent domains. All .in.net. All reported by threatcat_ch and anonymous contributors. None with attached samples or infrastructure analysis.

The domains split into two distinct naming conventions. Twenty of them followed a pattern: tech-compound words like cryptovault, neurovector, pixelmatrix, signalforge. The kind of names a domain generation algorithm produces when seeded with a cyberpunk thesaurus. The remaining four were different -- batkascript, beltfloor, radiatebeef, and one that caught our eye immediately: chernomofnothes. "Cherno" -- black, in Russian and Ukrainian.

Two naming styles. Two operators, or one operator using two different generation methods. We needed to look deeper.

Two Clusters, One Backend

DNS told the story. Every domain pointed to Cloudflare, but not to the same Cloudflare account. The nameserver pairs split cleanly:

Cluster A -- 20 domains: collins.ns.cloudflare.com / rajeev.ns.cloudflare.com
Cluster B -- 4 domains: ajay.ns.cloudflare.com / poppy.ns.cloudflare.com

Cloudflare assigns nameserver pairs per account. Two NS pairs means two accounts. The TLS certificates confirmed the timeline: Cluster B's certs were issued at 06:42 UTC on March 31. Cluster A followed nine hours later at 15:11 UTC -- twenty certificates minted within seconds of each other. Someone had a script.

All 24 domains carried wildcard certificates (*.domain.in.net + domain.in.net). Combined with wildcard DNS resolution, this meant any subdomain on any of these 24 domains would resolve and serve content over HTTPS. The 100+ subdomains reported to ThreatFox weren't individually configured -- they were arbitrary labels. pilot-svc, ghost-shell, brain-scan, qubit-sync -- pick any string, prepend it to any domain, and you get a valid HTTPS endpoint. The subdomain diversity is an illusion. The infrastructure is flat.

But the real proof came from the ETags.

When we fetched the same file path across all 24 domains, every response carried an identical ETag. Not similar -- identical. "18a2082e47971c004e3600" for /verification.google. "18a01c63886a8e00670a00" for /google.report. Same file sizes. Same Last-Modified timestamps. Two Cloudflare accounts, 24 domains, 100+ subdomains -- all pointing to a single origin server running WebDAV behind the CDN layer.

Every Cloudflare CF-Ray header routed through the AMS (Amsterdam) POP, placing the origin server in or near the Netherlands.
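The shared-backend test described above, written out as an added example (not code from the original report): group hostnames by the ETag, Last-Modified and Content-Length they return for one path, and read the POP code off the CF-Ray header. The header values below are constructed for illustration; only the ETag 18a2082e47971c004e3600 and the AMS POP come from the report, and unrelated.example is a control host with its own origin.

```python
"""Cluster CDN-fronted hostnames by origin fingerprint.

Added example, not from the original report. Hostnames whose responses for the
same path carry identical ETag / Last-Modified / Content-Length are grouped
together; that is the shared-backend test the report applied across all 24
domains. cf_pop() extracts the edge POP from CF-Ray. Sample header values are
constructed; only the lure ETag and the AMS POP are taken from the report.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

Fingerprint = Tuple[str, str, str]


def origin_fingerprint(headers: Dict[str, str]) -> Fingerprint:
    """Normalise the three headers that pass through the CDN unchanged."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    etag = h.get("etag", "").strip('"')
    # A CDN may downgrade a strong validator to a weak one (W/"..."); both
    # still name the same origin object, so fold them together.
    if etag.startswith("W/"):
        etag = etag[2:].strip('"')
    return (etag, h.get("last-modified", ""), h.get("content-length", ""))


def cf_pop(headers: Dict[str, str]) -> str:
    """CF-Ray is '<request id>-<POP code>'; return the POP code or ''."""
    ray = {k.lower(): v for k, v in headers.items()}.get("cf-ray", "")
    return ray.rsplit("-", 1)[1].upper() if "-" in ray else ""


def cluster_by_origin(responses: Dict[str, Dict[str, str]]) -> Dict[Fingerprint, List[str]]:
    """Map origin fingerprint -> sorted hostnames that share it."""
    clusters = defaultdict(list)
    for host, headers in responses.items():
        fp = origin_fingerprint(headers)
        if fp[0]:  # hosts that return no ETag cannot be fingerprinted this way
            clusters[fp].append(host)
    return {fp: sorted(hosts) for fp, hosts in clusters.items()}


def shared_backend_hosts(responses: Dict[str, Dict[str, str]], min_size: int = 2) -> List[List[str]]:
    """Only the clusters large enough to indicate a shared origin."""
    return [hosts for hosts in cluster_by_origin(responses).values() if len(hosts) >= min_size]


# Constructed sample: HEAD /verification.google against four hosts.
# "18a2082e47971c004e3600" is the ETag the report observed for the lure;
# Last-Modified, sizes and CF-Ray request ids are made up.
SAMPLE = {
    "pilot-svc.aerovector.in.net": {
        "ETag": '"18a2082e47971c004e3600"', "Last-Modified": "Tue, 31 Mar 2026 20:49:58 GMT",
        "Content-Length": "5125632", "CF-Ray": "9d0a1b2c3d4e5f60-AMS"},
    "ghost-shell.cyberhaven.in.net": {
        "ETag": '"18a2082e47971c004e3600"', "Last-Modified": "Tue, 31 Mar 2026 20:49:58 GMT",
        "Content-Length": "5125632", "CF-Ray": "9d0a1b2c3d4e5f61-AMS"},
    "kvvfusu.chernomofnothes.in.net": {
        "ETag": 'W/"18a2082e47971c004e3600"', "Last-Modified": "Tue, 31 Mar 2026 20:49:58 GMT",
        "Content-Length": "5125632", "CF-Ray": "9d0a1b2c3d4e5f62-AMS"},
    "unrelated.example": {  # control host with its own origin
        "ETag": '"deadbeef0000000000000000"', "Last-Modified": "Mon, 01 Jan 2024 00:00:00 GMT",
        "Content-Length": "1024", "CF-Ray": "9d0a1b2c3d4e5f63-FRA"},
}

if __name__ == "__main__":
    for fp, hosts in cluster_by_origin(SAMPLE).items():
        print(f"ETag {fp[0]} size {fp[2]} -> {len(hosts)} host(s): {', '.join(hosts)}")
    print("POPs:", {host: cf_pop(h) for host, h in SAMPLE.items()})
```

Last-Modified and size stay in the cluster key so that a coincidental ETag collision between two different files on two different origins does not merge clusters; an ETag alone is a hint, the three together are the fingerprint the report relied on.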

The Open Door

WebDAV servers support a method called PROPFIND. It's the protocol's equivalent of a directory listing -- send a PROPFIND request with Depth: infinity, and a properly configured server returns every file and directory in the tree. On a locked-down server, this returns nothing useful. On this server, it returned everything.

No authentication. No access control. The entire payload inventory, laid bare:

/verification.google          5,125,632 bytes   Modified: 2026-03-31 20:49:58 UTC
/google.report                6,752,768 bytes   Modified: 2026-03-25 14:37:47 UTC
/ae228216-ad43-473f-94dd-b2c8616a2122/
    verification.google       4,984,832 bytes   Modified: 2026-03-29 09:38:34 UTC

Three files. Two at the root, one tucked inside a UUID-named directory -- a staging path that was never meant to be visible. The ms-author-via: DAV response header pointed at the server implementation, likely WsgiDAV or a similar Python-based WebDAV server. The Depth: infinity PROPFIND worked because nobody configured access restrictions. The UUID directory was exposed because nobody thought to check.
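What a Depth: infinity PROPFIND actually returns is a 207 Multi-Status XML body, and the inventory above is that body boiled down to paths, sizes and timestamps. The parser below is an added example, not code from the original report; the XML is constructed to mirror the three recovered entries (paths, sizes and modification times are the report's, the ETag of the staged file is a placeholder). Pointed at your own WebDAV server's PROPFIND response, the same parser shows exactly what an anonymous client can learn.

```python
"""Parse a WebDAV PROPFIND 207 Multi-Status body into a file inventory.

Added example, not from the original report. The sample response is
constructed to match the listing the report recovered; the staged file's
ETag is a placeholder because the report does not give it.
"""
from dataclasses import dataclass
from typing import List
import xml.etree.ElementTree as ET

DAV = "{DAV:}"  # the XML namespace every compliant WebDAV server uses


@dataclass
class DavEntry:
    href: str
    is_collection: bool
    size: int          # 0 for collections
    last_modified: str
    etag: str


def parse_multistatus(body: bytes) -> List[DavEntry]:
    root = ET.fromstring(body)
    entries = []
    for resp in root.iter(DAV + "response"):
        href = resp.findtext(DAV + "href", default="").strip()
        # A resource may carry several propstat blocks (one per HTTP status);
        # only the 200 block holds the property values we want.
        props = None
        for ps in resp.findall(DAV + "propstat"):
            if " 200 " in ps.findtext(DAV + "status", default=""):
                props = ps.find(DAV + "prop")
                break
        if props is None:
            continue
        rtype = props.find(DAV + "resourcetype")
        is_dir = rtype is not None and rtype.find(DAV + "collection") is not None
        size_txt = props.findtext(DAV + "getcontentlength", default="0") or "0"
        entries.append(DavEntry(
            href=href,
            is_collection=is_dir,
            size=0 if is_dir else int(size_txt),
            last_modified=props.findtext(DAV + "getlastmodified", default=""),
            etag=props.findtext(DAV + "getetag", default="").strip('"'),
        ))
    return entries


def exposed_files(entries: List[DavEntry]) -> List[DavEntry]:
    """Non-collection resources: what a Depth: infinity listing leaks."""
    return [e for e in entries if not e.is_collection]


# Constructed 207 response mirroring the report's listing.
SAMPLE_207 = b"""<?xml version="1.0" encoding="utf-8"?>
<D:multistatus xmlns:D="DAV:">
  <D:response><D:href>/</D:href>
    <D:propstat><D:prop><D:resourcetype><D:collection/></D:resourcetype></D:prop>
    <D:status>HTTP/1.1 200 OK</D:status></D:propstat></D:response>
  <D:response><D:href>/verification.google</D:href>
    <D:propstat><D:prop><D:resourcetype/><D:getcontentlength>5125632</D:getcontentlength>
      <D:getlastmodified>Tue, 31 Mar 2026 20:49:58 GMT</D:getlastmodified>
      <D:getetag>"18a2082e47971c004e3600"</D:getetag></D:prop>
    <D:status>HTTP/1.1 200 OK</D:status></D:propstat></D:response>
  <D:response><D:href>/google.report</D:href>
    <D:propstat><D:prop><D:resourcetype/><D:getcontentlength>6752768</D:getcontentlength>
      <D:getlastmodified>Wed, 25 Mar 2026 14:37:47 GMT</D:getlastmodified>
      <D:getetag>"18a01c63886a8e00670a00"</D:getetag></D:prop>
    <D:status>HTTP/1.1 200 OK</D:status></D:propstat></D:response>
  <D:response><D:href>/ae228216-ad43-473f-94dd-b2c8616a2122/</D:href>
    <D:propstat><D:prop><D:resourcetype><D:collection/></D:resourcetype></D:prop>
    <D:status>HTTP/1.1 200 OK</D:status></D:propstat></D:response>
  <D:response><D:href>/ae228216-ad43-473f-94dd-b2c8616a2122/verification.google</D:href>
    <D:propstat><D:prop><D:resourcetype/><D:getcontentlength>4984832</D:getcontentlength>
      <D:getlastmodified>Sun, 29 Mar 2026 09:38:34 GMT</D:getlastmodified>
      <D:getetag>"placeholder-etag"</D:getetag></D:prop>
    <D:status>HTTP/1.1 200 OK</D:status></D:propstat></D:response>
</D:multistatus>"""

if __name__ == "__main__":
    for e in exposed_files(parse_multistatus(SAMPLE_207)):
        print(f"{e.href:60} {e.size:>12,} bytes  {e.last_modified}")
```

The check a server operator wants is the inverse of the report's: run PROPFIND against your own WebDAV host without credentials and confirm that exposed_files() comes back empty (or that the server answers 401/403 before any XML is returned).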

We downloaded all three.

The Lure: Cloudflare vs. "Cloudflare"

The first file -- verification.google at the root -- was a 5.1 MB HTML document. That size alone is suspicious. A typical HTML page is kilobytes, not megabytes. Opening it revealed an almost perfect replica of Cloudflare's "Suspected Phishing" interstitial page: the warning banner, the explanatory text, the Turnstile CAPTCHA widget with sitekey 0x4AAAAAABDaGKKSGLylJZFA, and a bypass form that submits to /cdn-cgi/phish-bypass with an atok parameter.

Almost perfect. One detail gives it away.

The atok value embedded in the bypass form contains the path /werification.google. Not "verification." "Werification." A w where there should be a v. In every Slavic language that uses the Latin alphabet -- Polish, Czech, Croatian -- w and v are phonetically close. In Russian transliteration, the Cyrillic в maps to both v and w depending on the system. This isn't a random typo. It's a native-language phonetic substitution that survived into production.

The attack flow is straightforward. A victim lands on a ClearFake-compromised website. The injected JavaScript presents a fake browser update or verification prompt. The victim clicks through and is redirected to one of the 100+ subdomains, where this Cloudflare interstitial -- familiar, authoritative, trustworthy -- asks them to complete a verification. The CAPTCHA makes it feel legitimate. The bypass form delivers them to the real payload.

The Payloads Nobody Had Seen

idpagent.dll -- The Logitech Impersonator

/google.report is a 6.7 MB PE32+ DLL for x86-64 Windows. Its export table identifies it as idpagent.dll. Its embedded manifest declares the publisher as LogitechInternationalS.A..idpagent version 10.7.223.7. On a Windows machine with Logitech peripherals installed, this filename blends seamlessly into the expected software landscape.

The DLL exports two functions: ServiceMain and a garbled string 9LVD<{YOe9X5C\HFu. The ServiceMain export is the critical one. This is the entry point Windows calls when starting a service. This DLL is designed to be registered as a Windows service, giving it persistence across reboots and the ability to run under the SYSTEM account without user interaction.

Under the hood, it's a Go binary compiled with garble, an obfuscation tool that mangles package names, function names, and string literals at build time. The original package structure is gone, replaced with fragments like oCwEoKC, jJ1jzqMS, dL_hhnqj. But garble isn't perfect. Structural information leaks through: the import table reveals 54 KERNEL32 functions including VirtualAlloc, VirtualProtect, CreateThread, and AddVectoredExceptionHandler -- the building blocks of in-memory code execution and anti-analysis evasion.

The compile timestamp reads December 17, 2024. The WebDAV last-modified date is March 25, 2026. A 15-month gap between compilation and deployment. This DLL wasn't built for this campaign -- it's from a shared toolkit, pulled off the shelf and dropped into the ClearFake delivery pipeline as needed.

SHA256: 4a1af31f881671df1ee3d4c3e8c0aa07c1da4aaf8142849543b80962c56839f1
Imphash: 3271ee162568f50a6810be9b8973807f

At the time of recovery: zero VirusTotal submissions. Zero MalwareBazaar entries. A production infostealer-loader with Windows service persistence, and nobody had ever uploaded it for scanning.

strprov.dl -- The Intel Forgery

The second DLL lived in the UUID staging directory: /ae228216-ad43-473f-94dd-b2c8616a2122/verification.google. A 4.8 MB PE32+ DLL, also Go/garble, this one masquerades as IntelCorporation.strprov version 4.0.248.4. The export name is strprov.dl -- note the truncated extension, missing the final l. Whether this is deliberate or an artifact of the build process is unclear, but it's another fingerprint.

This sample carries different DNA than its sibling. The exports are WppGetRegistryAsync and ordinal_2 -- WPP is the Windows software trace preprocessor, suggesting this DLL is designed to load as a driver or diagnostic provider component. The string blob contains references to EnumDependentServicesW, NtSetSystemInformation, SetupDiEnumDriverInfoW, and CertGetCertificateChain -- deeper system manipulation than the service-based persistence of idpagent.dll.

The .bss section has an entropy of 7.43 -- near the theoretical maximum of 8.0. Something in that section is encrypted or compressed, waiting to be unpacked at runtime.

Most intriguing: the binary contains approximately 60 blocks of encoded configuration data, each prefixed with 16: followed by a 24-byte encoded string. These likely decode to C2 server addresses, encryption keys, or operational parameters. An embedded SHA256 hash (5f566b8060af5dcf2bb32599f0d90d9b6c002cd445f22159b86edf45e23a5dae) sits nearby -- possibly an integrity check for a next-stage payload.

Compiled June 21, 2025. Deployed March 29, 2026. Nine months on the shelf.

SHA256: 4d22efd2ea58e7643c5b6b82143c8978de7102356346fe4f5357807268cbad5d
Imphash: 534141bbeafb0cfa024f8b6830c176a9

Also zero VirusTotal submissions. Also zero MalwareBazaar entries. Two Go/garble DLLs masquerading as drivers from two of the most trusted hardware manufacturers on the planet, and neither had ever been analyzed publicly.
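Two of the static fingerprints the report leans on, the imphash and the cleartext manifest identity, are cheap to reproduce, and seeing the recipe explains both why an imphash survives repackaging and where it breaks down. The block below is an added example, not code from the original report or any analysis tool: imphash() reimplements the standard import-hash recipe (lower-case "dll.function" pairs joined by commas, MD5 of the result), and manifest_identities() pulls assemblyIdentity name/version pairs out of raw bytes. The import table and the PE-like byte blob are constructed; they are not the real import table of idpagent.dll, and the ordinal table is deliberately minimal.

```python
"""Static triage helpers: import hash and manifest identity extraction.

Added example, not from the original report. The import tables and the
PE-like byte blob below are constructed for illustration.
"""
import hashlib
import re
from typing import Dict, List, Sequence, Tuple, Union

# Real tools resolve by-ordinal imports for a few DLLs to names before
# hashing; this table is intentionally tiny and only illustrative.
_ORDINAL_NAMES = {"ws2_32": {1: "accept", 23: "socket"}}

ImportTable = Sequence[Tuple[str, Sequence[Union[str, int]]]]


def _normalise_dll(name: str) -> str:
    name = name.lower()
    for ext in (".dll", ".ocx", ".sys"):
        if name.endswith(ext):
            return name[: -len(ext)]
    return name


def imphash_string(imports: ImportTable) -> str:
    """Build the comma-joined 'dll.func' string that gets hashed.

    imports is an ordered list of (dll_name, [function name or ordinal]).
    Order matters: the hash covers the import table as laid out in the file,
    so the same functions in a different order give a different hash.
    """
    parts = []
    for dll, funcs in imports:
        base = _normalise_dll(dll)
        for f in funcs:
            if isinstance(f, int):
                f = _ORDINAL_NAMES.get(base, {}).get(f, f"ord{f}")
            parts.append(f"{base}.{str(f).lower()}")
    return ",".join(parts)


def imphash(imports: ImportTable) -> str:
    return hashlib.md5(imphash_string(imports).encode()).hexdigest()


_IDENTITY_TAG = re.compile(rb"<assemblyIdentity\b[^>]*>", re.IGNORECASE)


def _attr(tag: bytes, name: bytes) -> str:
    # Attribute order inside assemblyIdentity varies between toolchains, so
    # each attribute is looked up independently within the tag.
    m = re.search(rb"\b" + name + rb'="([^"]*)"', tag, re.IGNORECASE)
    return m.group(1).decode("ascii", "replace") if m else ""


def manifest_identities(data: bytes) -> List[Dict[str, str]]:
    """Every assemblyIdentity name/version pair embedded in the bytes."""
    return [{"name": _attr(m.group(0), b"name"), "version": _attr(m.group(0), b"version")}
            for m in _IDENTITY_TAG.finditer(data)]


# Constructed import table using the KERNEL32 names the report lists.
IMPORTS_A = [("KERNEL32.dll", ["VirtualAlloc", "VirtualProtect", "CreateThread",
                               "AddVectoredExceptionHandler"]),
             ("ws2_32.dll", [23])]
# Same imports, same order, DLL names cased differently: same hash.
IMPORTS_A_REPACKED = [("kernel32.DLL", ["VirtualAlloc", "VirtualProtect", "CreateThread",
                                        "AddVectoredExceptionHandler"]),
                      ("WS2_32.dll", [23])]
# Same functions, different order: different hash.
IMPORTS_B = [("KERNEL32.dll", ["CreateThread", "VirtualAlloc", "VirtualProtect",
                               "AddVectoredExceptionHandler"]),
             ("ws2_32.dll", [23])]

# Constructed stand-in for a resource section carrying a manifest; only the
# identity name and version are the values the report recovered.
FAKE_PE_BYTES = (b"MZ\x90\x00" + b"\x00" * 16 +
                 b'<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">'
                 b'<assemblyIdentity type="win32" version="10.7.223.7" '
                 b'name="LogitechInternationalS.A..idpagent"/></assembly>' + b"\x00" * 8)

if __name__ == "__main__":
    print(imphash_string(IMPORTS_A))
    print(imphash(IMPORTS_A), imphash(IMPORTS_A_REPACKED), imphash(IMPORTS_B))
    print(manifest_identities(FAKE_PE_BYTES))
```

One caveat for Go samples specifically: the Go runtime brings a largely fixed set of KERNEL32 imports regardless of what the program does, so unrelated Go binaries built with the same toolchain frequently collide on imphash. Treat an imphash match on a Go/garble sample as a pivot to confirm with the manifest identity, export names or a full hash, not as attribution on its own.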

The Kill Chain

Laid end to end, the attack chain follows ClearFake's established pattern with a WebDAV twist:

  1. Compromise: A legitimate website is injected with ClearFake JavaScript
  2. Overlay: The victim sees a fake browser update or verification prompt
  3. Redirect: The victim is sent to a random subdomain across the 24-domain pool
  4. Interstitial: The Cloudflare phishing lure presents a convincing "verification" page with a working Turnstile CAPTCHA
  5. Delivery: The WebDAV backend serves one of the two DLLs, disguised as google.report or verification.google
  6. Execution: The victim runs the DLL -- via direct execution, DLL side-loading, regsvr32, or rundll32
  7. Persistence: idpagent.dll installs as a Windows service; strprov.dl registers as a driver provider
  8. Blending: The Logitech and Intel manifest identities make the files appear legitimate in task managers and process explorers
  9. C2: The Go-based implant phones home using addresses decoded from its embedded configuration blocks

The WebDAV backend is the linchpin. By serving payloads through Cloudflare's CDN with valid HTTPS certificates on seemingly legitimate subdomains, the delivery infrastructure inherits Cloudflare's reputation. URL scanners see a Cloudflare-fronted domain with a valid cert. Network filters see HTTPS traffic to a CDN. The actual malicious content sits behind the CDN layer on a WebDAV server that nobody can resolve directly.

The OPSEC Ledger

For all the sophistication in the payload toolchain -- garble obfuscation, legitimate vendor masquerading, service-based persistence -- the infrastructure side is riddled with failures:

  1. Identical ETags across all 24 domains prove they share a single backend. One fingerprint blocks the entire network.
  2. Open PROPFIND directory listing without authentication. We didn't need to brute-force file paths. They gave us the inventory.
  3. Exposed UUID staging directory. The path ae228216-ad43-473f-94dd-b2c8616a2122 reveals their workflow -- payloads are staged in UUID-named directories before being promoted to the root.
  4. ms-author-via: DAV header leaks the WebDAV server implementation type.
  5. The "werification" typo -- a Slavic phonetic substitution that survived from development into the production lure, linking the HTML author to a native speaker of a language where w and v are interchangeable.
  6. The Cloudflare Turnstile sitekey (0x4AAAAAABDaGKKSGLylJZFA) is potentially linkable to the operator's Cloudflare account.
  7. Go garble type information leaks -- package name fragments and struct definitions survive obfuscation, giving reverse engineers structural footholds.
  8. Cleartext manifest strings -- the Logitech and Intel identities are trivially detectable with a static scan.

The pattern is familiar: competent malware engineering paired with careless infrastructure management. The person who compiled the DLLs with garble and crafted the ServiceMain persistence is not the same person who left PROPFIND open and a UUID directory exposed. This is a supply chain -- toolsmiths build the weapons, operators deploy the infrastructure, and the gaps between them are where intelligence leaks out.

The .in.net Question

Every domain in this campaign uses the .in.net TLD, managed by PDR Ltd (Public Domain Registry). This is an unusual choice. ClearFake campaigns typically favor cheap gTLDs like .top, .xyz, .click, or .online. The .in.net TLD is obscure enough that many domain reputation systems don't have strong baselines for it, and PDR Ltd's abuse response timelines tend to be slower than major registrars.

Twenty-four domains registered simultaneously under a niche TLD with wildcard DNS and wildcard certificates -- this is bulk infrastructure provisioned by script. The operator likely has a registration pipeline that can stamp out a new wave of domains in minutes. When these 24 burn out, expect 24 more with the same pattern and a different TLD.

Indicators of Compromise

Domains (24 parent domains, all .in.net, all LIVE as of 2026-04-01)

Cluster A -- collins/rajeev Cloudflare NS (20 domains):

Domain                    Sample Subdomains
aerovector[.]in[.]net     pilot-svc, air-traffic, flight-path, sky-route, alt-logic
astrahaven[.]in[.]net     cosmic-link, deep-sky, pilot-auth, safe-ship, void-storage
cryptovault[.]in[.]net    anon-auth, enc-tunnel, hash-store, lock-box, secure-key
cyberhaven[.]in[.]net     anon-relay, ghost-shell, threat-log
datacrest[.]in[.]net      archive-top, base-record, bulk-export, high-ridge, info-summit, meta-stack
digisphere[.]in[.]net     cloud-ring, data-field, info-orbit, point-edge, static-cdn, web-portal
infocircuit[.]in[.]net    board-mgr, bus-bridge, chip-set, logic-gate, wire-sync
logicmatrix[.]in[.]net    brain-base, decision-svc, main-frame, process-io, rule-engine, truth-table
luminflux[.]in[.]net      glow-portal, light-trace, photo-sync
mechaforge[.]in[.]net     heavy-duty, iron-works
nanovector[.]in[.]net     atom-trace, micro-scale, particle-api, scan-core, small-unit
neurobloom[.]in[.]net     brain-scan, pulse-logic, thought-api
neurovector[.]in[.]net    impulse-api, mind-node, nerve-center, synapse-log, thought-hub
orbitforge[.]in[.]net     cycle-monitor, gravity-io, launch-pad, path-finder, round-trip, spin-control
pixelmatrix[.]in[.]net    color-bit, display-svc, image-stack, raster-node, render-grid, video-buffer
quantacircuit[.]in[.]net  bit-stream, packet-flow, qubit-sync, speed-test
quantaflux[.]in[.]net     atom-split, bit-stream, logic-gate, micro-pulse, packet-flow, speed-test
signalcrest[.]in[.]net    broad-cast, ping-gate, radio-freq, tower-sync, wave-crest
signalforge[.]in[.]net    beam-relay, broad-cast, ping-gate, radio-freq, tower-sync, wave-form
technosphere[.]in[.]net   global-net, meta-layer, urban-hub, world-view

Cluster B -- ajay/poppy Cloudflare NS (4 domains):

Domain                      Sample Subdomains
batkascript[.]in[.]net      xxhq
beltfloor[.]in[.]net        value9-mesh
chernomofnothes[.]in[.]net  kvvfusu
radiatebeef[.]in[.]net      mer-lithen

File Indicators

SHA256:   4a1af31f881671df1ee3d4c3e8c0aa07c1da4aaf8142849543b80962c56839f1
Filename: google.report / idpagent.dll
Type:     PE32+ DLL x64 (Go/garble)
Size:     6,752,768 bytes

SHA256:   4d22efd2ea58e7643c5b6b82143c8978de7102356346fe4f5357807268cbad5d
Filename: verification.google / strprov.dl
Type:     PE32+ DLL x64 (Go/garble)
Size:     4,984,832 bytes

SHA256:   4e4b991e3f39a37ded079c9e0089d7c06ed2d8c5cd907b7af72e7fa78c726e4f
Filename: verification.google (HTML lure)
Type:     HTML
Size:     5,125,632 bytes

Imphashes

Imphash                           Sample
3271ee162568f50a6810be9b8973807f  idpagent.dll
534141bbeafb0cfa024f8b6830c176a9  strprov.dl

Behavioral Indicators

Indicator                      Value
WebDAV ETag (HTML lure)        "18a2082e47971c004e3600"
WebDAV ETag (idpagent.dll)     "18a01c63886a8e00670a00"
Staging UUID                   ae228216-ad43-473f-94dd-b2c8616a2122
PE Manifest (Sample 1)         LogitechInternationalS.A..idpagent v10.7.223.7
PE Manifest (Sample 2)         IntelCorporation.strprov v4.0.248.4
DLL Export (Sample 1)          ServiceMain
DLL Export (Sample 2)          WppGetRegistryAsync
Cloudflare Turnstile Sitekey   0x4AAAAAABDaGKKSGLylJZFA
Embedded SHA256 (Sample 2)     5f566b8060af5dcf2bb32599f0d90d9b6c002cd445f22159b86edf45e23a5dae

Cloudflare NS Pairs (Account Attribution)

Cluster          NS1                        NS2
A (20 domains)   collins.ns.cloudflare.com  rajeev.ns.cloudflare.com
B (4 domains)    ajay.ns.cloudflare.com     poppy.ns.cloudflare.com

MITRE ATT&CK

Technique                                      ID          Application
Acquire Infrastructure: Domains                T1583.001   24 .in.net domains
Acquire Infrastructure: Web Services           T1583.006   Two Cloudflare proxy accounts
Stage Capabilities: Upload Malware             T1608.001   WebDAV payload staging
Drive-by Compromise                            T1189       ClearFake JS injection
User Execution: Malicious File                 T1204.002   DLL download and execution
System Services: Service Execution             T1569.002   ServiceMain export
Create/Modify System Process: Windows Service  T1543.003   Service persistence
Masquerading: Match Legitimate Name            T1036.005   Logitech/Intel identities
Obfuscated Files: Software Packing             T1027.002   Go garble obfuscation
Application Layer Protocol: Web                T1071.001   Go-based C2
Proxy: Multi-hop Proxy                         T1090.003   Cloudflare CDN fronting

Takeaways

For defenders: Block all 24 parent domains at the DNS layer -- wildcard resolution means subdomain-level blocking is pointless. Hunt for idpagent.dll or strprov.dl registered as Windows services or loaded as provider DLLs. Search PE manifests for LogitechInternationalS.A..idpagent or IntelCorporation.strprov. The imphashes above will catch repackaged variants with the same import tables.

For threat intel teams: These samples had zero public coverage before this investigation. The compile-to-deploy gap (9-15 months) suggests a shared toolkit that predates this specific ClearFake campaign. Track the imphash clusters. Monitor .in.net TLD registrations matching the naming patterns. Watch the Cloudflare NS pairs collins/rajeev and ajay/poppy for new domains -- operators reuse accounts.

For Cloudflare: Two accounts on your platform are actively serving malware through WebDAV behind your CDN. The Turnstile sitekey 0x4AAAAAABDaGKKSGLylJZFA may be linked to one of them. The CF-Ray headers route through AMS. The certificates were issued by Let's Encrypt via your integration within seconds of each other for 20 domains simultaneously.

The actor built a resilient, scalable delivery network: wildcard DNS, wildcard TLS, Cloudflare CDN fronting, WebDAV backend, and enough domain diversity to survive partial takedowns. The payloads are professionally engineered with garble obfuscation and legitimate vendor masquerading. The operational tempo -- 24 domains and 100+ subdomains deployed in hours -- shows a mature, automated pipeline.

But they left the front door unlocked. No PROPFIND authentication. An exposed staging directory with a UUID that maps their workflow. A typo in their lure that pins the author to a Slavic language background. And identical ETags across every domain that collapse 24 "different" servers into one.

One indicator in ThreatFox. Five subdomains for aerovector.in.net. That's all we started with.


This investigation was conducted by Breakglass Intelligence's autonomous GHOST investigation system. Initial IOC sourced from ThreatFox (ID: 1779889). All three payloads were previously unknown to VirusTotal and MalwareBazaar at time of recovery. Abuse reports have been filed with Cloudflare and PDR Ltd (in.net registry).

Breakglass Intelligence | April 1, 2026
