Severity: High | Category: Phishing

ClickFix Drops SectopRAT Through Three Encryption Layers: 42 Domains, 156 Subdomains, and a 48-Hour Infrastructure Blitz on .in.net

Published: March 12, 2026
Threat actor profile: origin not given; assessment: demonstrates strong operational security
Tags: phishing, acrstealer, cobalt-strike, sectoprat, social-engineering, credential-theft, c2, exploit, apt, spearphishing

TL;DR: A ClickFix social engineering campaign registered 42 parent domains on the .in.net TLD within a 48-hour window (March 7-9, 2026), spawning 156 distribution subdomains that serve SectopRAT payloads under the filename verification.google. The PowerShell dropper (bruce.php) unpacks through five stages: XOR decryption of an embedded .NET assembly, reflective loading of that assembly, AES-256-CBC decryption of a shellcode blob, a Chaskey-encrypted Donut loader, and injection through direct ntdll calls, before deploying the final SectopRAT info-stealer targeting browser credentials, email clients, and cryptocurrency wallets. 40 of the 42 domains share one Cloudflare nameserver pair (robin/merlin), and the campaign ran in two distinct waves with zero domain overlap, pointing to automated infrastructure rotation by a well-resourced operator.


The ClickFix Lure: "Please Verify You Are Human"

The campaign begins with a ClickFix social engineering page, the same technique that has dominated initial access delivery throughout early 2026. Victims encounter a fake Google verification page that instructs them to open PowerShell and paste a command. The payload filename verification.google keeps the Google verification theme going; the dropper itself is served as bruce.php.

The ClickFix technique is effective because it transfers the execution burden to the victim. No exploit is needed and no attachment is opened. The user copies a PowerShell command and pastes it into their own terminal, which sidesteps email security gateways and browser sandboxes entirely and lands outside the parent-child process chains (an Office document, mail client or browser spawning a script host) that many EDR behavioral rules key on.

Five-Stage Kill Chain

The infection chain uses an unusual depth of nesting: five distinct stages (the lure page plus four payload stages), each adding a layer of obfuscation and evasion:

[ClickFix Lure Page]
       |
       v
[bruce.php -- PowerShell Dropper]
  - Forces 32-bit relaunch via SysWOW64
  - XOR decrypts embedded .NET assembly
  - Key: X9NWIZ34PDcDehY38N8n8Q==
       |
       v
[DataUpdateClient.exe -- .NET Loader]
  - Compiled: 2026-03-07 01:02:05 UTC
  - AES-256-CBC decrypts shellcode payload
  - Injects via NtAllocateVirtualMemory + NtCreateThreadEx
       |
       v
[Donut Shellcode]
  - Chaskey cipher (16 rounds)
  - x86/x64 architecture detection
  - Reflective PE loading
       |
       v
[SectopRAT]
  - Browser credential theft
  - Email client harvesting
  - Cryptocurrency wallet extraction
  - Software inventory enumeration

Each stage exists to defeat a different class of defense: the PowerShell dropper bypasses email and web security; the 32-bit relaunch evades monitoring that only hooks 64-bit processes; the XOR and AES layers defeat static analysis; the Donut shellcode keeps the final payload off disk; and calling NtAllocateVirtualMemory and NtCreateThreadEx from ntdll.dll directly skips the kernel32/kernelbase wrappers (VirtualAlloc, CreateThread) that some monitoring relies on. This last point is narrower than it first appears: the loader imports the Nt* exports, it does not issue raw syscalls, so an EDR that hooks those exports inside ntdll itself still sees both calls.

Stage 1: PowerShell Dropper (bruce.php)

SHA-256: ac3afdcdd6989262b365e5850c82bdd3e42c63714419acf891d8c4f8435f964c
SHA-1:   f1205f3b2a18b65361dacb3bb9dc93b565b00702
MD5:     a387480f5aca1bdaeb27da7d747a4d62
Size:    3,655,083 bytes
SSDEEP:  24576:wKiSF238xM8yuN/g3nFfBKiSF238xM8yuN/g3nFfk:/pM8tgf6pM8tgfk

Despite the .php extension, this is pure PowerShell. The file contains 228 lines, but most of them are noise. Note also that the SSDEEP digest repeats the same chunk sequence twice and the file is roughly double the size of the 1,822,040-character base64 blob described below, which suggests the blob (or an equally large literal) appears twice in the script. The obfuscation strategy is quantity over quality:

  • Architecture gate: Forces relaunch in 32-bit PowerShell via $env:WINDIR\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  • Junk comments: 10 generated comment blocks with random 4-letter identifiers (SLKY, RLPZ, PQHM, FMGW, KMCW)
  • Dead code loops: foreach loops computing random values with Start-Sleep -Milliseconds 1 delays
  • Tautological conditions: if (205 -eq 205) always-true branches
  • Useless functions: PxDAgSfVrK and qixCFkPiOx compute nothing meaningful
  • Random variable names: 16-character mixed-case strings (xpZBHjHtzHpppJC, iLlWUvgBsZLeRGx)
  • Execution logging: Writes to $env:TEMP\mGyLVtnG.log

The actual payload mechanism is straightforward: a 1,822,040-character base64 string decodes to 1,366,528 bytes of XOR-encrypted data. The XOR key is X9NWIZ34PDcDehY38N8n8Q== (16 bytes: 5fd356219df83c37037a1637f0df27f1). After decryption, the result is a valid PE32 .NET assembly loaded directly into memory via [System.Reflection.Assembly]::Load() -- entirely fileless.
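As an added worked example (not code from the report or from the dropper itself), the Python below reproduces the Stage 1 unpacking against a constructed stand-in script: it pulls the longest quoted base64 literal out of the script text, XORs it with the 16-byte key, and validates the result as a PE image before returning it. Assumptions not stated above: the key bytes are applied as a repeating keystream (byte i XORed with key[i mod 16]), the blob is a single quoted literal, and the sample script, fake PE and variable names are constructed here. Against the real bruce.php, pass the file contents to unpack_stage1(); if the key schedule differs, the MZ/PE check fails loudly instead of handing back garbage.

```python
import base64
import re
import struct

# Key as stated in the report: the base64 string decodes to a 16-byte key.
XOR_KEY_B64 = "X9NWIZ34PDcDehY38N8n8Q=="
XOR_KEY = base64.b64decode(XOR_KEY_B64)


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR (assumed schedule: byte i ^ key[i % len(key)])."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# Quoted base64 literals long enough to be a payload rather than a key or junk.
_B64_LITERAL = re.compile(r"""['"]([A-Za-z0-9+/]{256,}={0,2})['"]""")


def find_base64_literals(script: str):
    return [m.group(1) for m in _B64_LITERAL.finditer(script)]


def is_pe_image(data: bytes) -> bool:
    """MZ header plus an e_lfanew that points at the PE\\0\\0 signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def unpack_stage1(script: str, key: bytes = XOR_KEY) -> bytes:
    """Decode the largest base64 literal, XOR it with the key, return the PE bytes."""
    blobs = find_base64_literals(script)
    if not blobs:
        raise ValueError("no base64 payload literal found")
    raw = base64.b64decode(max(blobs, key=len))
    pe = xor_repeating(raw, key)
    if not is_pe_image(pe):
        raise ValueError("decrypted data is not a PE image: wrong key or key schedule")
    return pe


# --- constructed sample, standing in for the real dropper ---
def build_fake_pe() -> bytes:
    img = bytearray(b"MZ" + b"\0" * 0x3A)          # 0x3C-byte DOS header stub
    img += struct.pack("<I", 0x40)                  # e_lfanew = 0x40
    img += b"PE\0\0" + b"\x4c\x01"                  # PE signature + Machine = i386
    img += bytes(range(256)) * 4                    # filler standing in for the image body
    return bytes(img)


SAMPLE_SCRIPT = (
    "# SLKY: constructed junk comment block mimicking the dropper's style\n"
    "if (205 -eq 205) { Start-Sleep -Milliseconds 1 }\n"
    "$xpZBHjHtzHpppJC = '"
    + base64.b64encode(xor_repeating(build_fake_pe(), XOR_KEY)).decode()
    + "'\n"
    "$iLlWUvgBsZLeRGx = [System.Reflection.Assembly]::Load($bytes)\n"
)

if __name__ == "__main__":
    pe = unpack_stage1(SAMPLE_SCRIPT)
    print(f"key {XOR_KEY.hex()} -> PE image of {len(pe)} bytes")
```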

Stage 2: .NET Loader (DataUpdateClient.exe)

SHA-256:       f1c6397d57a8b1d0a931690e3703a13d95760a2b6a1623bdbfa71e25e886a64e
MD5:           d755a657b5b90188eb49e50c6cff46f0
Size:          1,366,528 bytes
Type:          PE32 .NET assembly (Mono/.NET, CLR v4.0.30319)
Compiled:      2026-03-07 01:02:05 UTC
Assembly GUID: {DADC732D-4D96-4984-B248-F40848DF6DC7}

The compilation timestamp, March 7, 2026 at 01:02 UTC, is roughly 36 hours before the first Wave 1 URLs appeared on March 8 at 13:28 UTC, so this is fresh tooling, not a recycled payload. A PE timestamp can be forged, but it agrees with the domain registration window.

The loader's internal structure reveals deliberate anti-analysis design:

  • EncryptedShellcode -- a 357,456-byte static array containing the AES-encrypted Donut shellcode
  • JunkData0 through JunkData15 -- sixteen 65,536-byte arrays filled with NOP sleds (0x90), alternating patterns (0xAA55), and interrupt patterns (0xCCCC), inflating the binary size to slow sandbox processing
  • DecryptShellcode -- the AES-256-CBC decryption method
  • NTDLL direct imports -- NtAllocateVirtualMemory, NtCreateThreadEx, NtWaitForSingleObject, NtClose

The AES-256-CBC parameters extracted from the binary:

Key (Base64): K0ZX//j9YdGOJiIPuqXDsPDv1wosL8GR4IKvSbEHd3k=
IV  (Base64): tkkE36LgF0nvezCLBXiyMg==
Padding:      PKCS7

A quick consistency check on the parameters: the 357,456-byte ciphertext is a multiple of 16, and the decrypted shellcode is 357,451 bytes, exactly 5 bytes of PKCS7 padding shorter, which fits the key, IV and padding mode above. After decryption, the loader allocates executable memory with NtAllocateVirtualMemory, copies the shellcode in, and starts it with NtCreateThreadEx in its own process. Resolving the Nt* exports from ntdll.dll directly skips the kernel32/kernelbase wrappers (VirtualAlloc, CreateThread), but it is not a raw-syscall technique: products that hook the Nt* functions inside ntdll itself still observe both calls, and an executable allocation followed by a thread start in the same process remains a high-signal pattern.

Stage 3: Donut Shellcode

SHA-256:   e7796671f9817ce4a90635589dfd2e21797d689aafa5cf5efe52072a058be67f
MD5:       1d17416fa2662416c9d02b321dba08bd
Size:      357,451 bytes
Framework: Donut (open-source shellcode generator)

The shellcode is generated by the Donut framework, an open-source tool for creating position-independent shellcode from .NET assemblies, PE files, and DLLs. Key characteristics:

  • Entry point: E8 C0110500 (CALL +0x511C0) jumps over a 332,224-byte encrypted blob; the CALL pushes the blob's address, which the code at the target immediately pops
  • Entropy: 7.95 out of 8.0, near the theoretical maximum, consistent with the blob being encrypted (entropy shows the data is random-looking; it says nothing about the strength of the cipher)
  • Architecture detection: POP RCX; XOR EAX, EAX; 0x48; JS. The 0x48 byte is what makes this work: on x86 it decodes as DEC EAX, which sets the sign flag so the JS is taken; on x64 it is a REX prefix on the JS, the flag stays clear from the XOR, and execution falls through into the 64-bit loader. One blob therefore runs under both architectures
  • Chaskey cipher: 16-byte master key and 16-byte counter at blob offsets 4-35 (after a 4-byte length field), 16 rounds, used in CTR mode to decrypt the rest of the instance
  • SPECK-64/128: 27-round block cipher; this is the core of Donut's Maru API-hashing function, used to resolve Windows API addresses without plaintext import names
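Added example, not part of the report or of Donut: a Python parser for the front of a Donut loader as described above. It reads the CALL displacement, checks it against the instance's own length field, lifts the 16-byte master key and counter from instance offsets 4-35, measures the entropy of the encrypted remainder, and looks for the dual-architecture prologue after the instance. Assumptions: the Donut instance begins with a 4-byte length followed by the Chaskey key and counter (matching the offsets given above), and the prologue bytes 59 31 C0 48 0F 88 (pop; xor eax,eax; dec eax, which x64 reads as a REX prefix; js) are the standard x86/x64 check, so verify them against your own sample. The sample blob is constructed, with a byte-uniform body so that entropy comes out at exactly 8.0.

```python
import math
import struct
from dataclasses import dataclass
from typing import Optional

# Donut instance header as laid out above: length, then Chaskey master key and counter.
INSTANCE_HDR = struct.Struct("<I16s16s")
# Dual-architecture prologue: pop ecx/rcx; xor eax,eax; dec eax (x64 reads 0x48 as a
# REX prefix instead); js rel32. Assumed from the standard trick; verify per sample.
X84_PROLOGUE = bytes.fromhex("5931c0480f88")


def call_displacement(first5: bytes) -> int:
    """Decode 'E8 rel32'; the displacement equals the size of the instance it skips."""
    if len(first5) < 5 or first5[0] != 0xE8:
        raise ValueError("not a CALL rel32")
    return struct.unpack_from("<I", first5, 1)[0]


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


@dataclass
class DonutStub:
    instance_len: int
    master_key: bytes
    counter: bytes
    encrypted_len: int
    encrypted_entropy: float
    dual_arch: bool
    x64_loader_len: Optional[int]


def parse_donut_stub(sc: bytes) -> DonutStub:
    rel = call_displacement(sc[:5])
    inst = sc[5:5 + rel]
    if len(inst) != rel or rel < INSTANCE_HDR.size:
        raise ValueError("CALL target outside buffer or instance too small")
    inst_len, mk, ctr = INSTANCE_HDR.unpack_from(inst, 0)
    if inst_len != rel:
        raise ValueError("instance length field %d != CALL displacement %d" % (inst_len, rel))
    body = inst[INSTANCE_HDR.size:]      # everything after len/key/ctr is Chaskey-encrypted
    loader = sc[5 + rel:]
    dual = loader.startswith(X84_PROLOGUE)
    x64_len = struct.unpack_from("<I", loader, len(X84_PROLOGUE))[0] if dual else None
    return DonutStub(rel, mk, ctr, len(body), round(shannon_entropy(body), 2), dual, x64_len)


def build_sample(dual_arch: bool = True) -> bytes:
    """Constructed stand-in blob (not real shellcode); byte-uniform body gives entropy 8.0."""
    mk, ctr = bytes(range(0x10, 0x20)), bytes(range(0xA0, 0xB0))
    body = bytes(range(256)) * 8
    inst_len = INSTANCE_HDR.size + len(body)
    inst = INSTANCE_HDR.pack(inst_len, mk, ctr) + body
    x64_loader, x86_loader = b"\x90" * 64, b"\x90" * 32   # placeholders for the two loaders
    if dual_arch:
        loader = X84_PROLOGUE + struct.pack("<I", len(x64_loader)) + x64_loader + x86_loader
    else:
        loader = b"\x59" + x64_loader                       # pop rcx straight into one loader
    return b"\xE8" + struct.pack("<I", inst_len) + inst + loader


if __name__ == "__main__":
    print(parse_donut_stub(build_sample()))
```

On the real sample, a displacement of 0x511C0 with an instance length field that agrees, entropy near 7.95 on the body, and the prologue at offset 5 + 0x511C0 together confirm the layout described above; a disagreement between the length field and the displacement means the front of the blob is not a stock Donut instance.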

Stage 4: SectopRAT (Final Payload)

Triage sandbox scores the final payload 10/10 and identifies it as SectopRAT (also tracked as Arechclient2 / EternalRocks by abuse.ch). Behavioral analysis confirms comprehensive information-stealing capabilities:

  • Browser credential theft -- Chrome, Firefox, Edge profile data, saved passwords, cookies
  • Email client harvesting -- Outlook and Thunderbird data extraction
  • Cryptocurrency wallet access -- wallet file and key material theft
  • Software inventory -- enumeration of all installed applications
  • System reconnaissance -- language discovery, physical storage enumeration
  • Process manipulation -- WriteProcessMemory for injection, AdjustTokenPrivileges to enable token privileges
  • Persistence -- PowerShell command execution, DLL side-loading

Infrastructure: 42 Domains in 48 Hours

The infrastructure behind this campaign is the most telling indicator of a well-resourced, automated operation.

Registration Pattern

Registrar:                     PDR Ltd. d/b/a PublicDomainRegistry.com (IANA ID 303)
TLD:                           .in.net (CentralNic registry)
Registration window:           2026-03-07 to 2026-03-09 (48 hours)
TLS:                           Let's Encrypt wildcard certificates
CDN/Proxy:                     Cloudflare (NS pair robin + merlin on 40 of the 42 domains)
Total parent domains:          42
Total distribution subdomains: 156+

Domain Generation Pattern

The actor uses a consistent naming convention: [function]-[descriptor].[parent].in.net

Function prefixes draw from a word list: star-zone, peak-flow, glac-net, grove-base, harvest-sync. Parent domains use compound words: starbend, glacierpeak, harvestgrove, amperesilence, bobikcleavage. This pattern strongly suggests automated domain generation from curated word lists -- not manual registration.

Two Waves, Zero Overlap

The campaign operates in two distinct waves with completely separate infrastructure:

Wave 1 (March 8, 13:28 UTC) -- 20 parent domains, 74 subdomains

Payload: verification.google (821,760 bytes, PE DLL i386)

SHA-256: 03b4722296d5e7163bd58e2dddf38159e4eec34ab2a4a05225e8cd0119e297db
MD5:     1921ee83b5f39b95b9b8c8b464ebb7ba
imphash: 000a4df4beffc7e55729dacb598b66f5

Domains:

amperesilence[.]in[.]net    autumnbrook[.]in[.]net
bobikcleavage[.]in[.]net    boynitsameow[.]in[.]net
breezefield[.]in[.]net      conesemison[.]in[.]net
excitfollower[.]in[.]net    glacierpeak[.]in[.]net
goodtime[.]in[.]net         granitevalley[.]in[.]net
harborcliff[.]in[.]net      harvestgrove[.]in[.]net
limbsingle[.]in[.]net       navignord[.]in[.]net
oakumsenile[.]in[.]net      overtmantram[.]in[.]net
silvermeadow[.]in[.]net     starbend[.]in[.]net
summitgrove[.]in[.]net      thunderplain[.]in[.]net

Wave 2 (March 9, 12:49 UTC) -- 22 parent domains, 82 subdomains

Payload: SecuriteInfo.com.Win32.MalwareX-gen (1,360,384 bytes, PE DLL i386)

SHA-256: 0a62b065688ebbb636fb8f800881da22d6cb480bb458870909a39c0228c10c90
MD5:     6d60b4ed70a575a60beabe430210efee
imphash: 2b6cf70a28379515c8e174f9b5717856

Domains:

askloop[.]in[.]net      astronis[.]in[.]net
blackford[.]in[.]net    cryptixy[.]in[.]net
fullgate[.]in[.]net     kronosis[.]in[.]net
lumitron[.]in[.]net     moxura[.]in[.]net
nexoris[.]in[.]net      niventa[.]in[.]net
oakbend[.]in[.]net      redclay[.]in[.]net
rollbend[.]in[.]net     slowbend[.]in[.]net
solarisx[.]in[.]net     spinpath[.]in[.]net
terravia[.]in[.]net     toolbend[.]in[.]net
veloxis[.]in[.]net      veritax[.]in[.]net
windright[.]in[.]net    zenithra[.]in[.]net

The zero overlap between waves is significant. The operator burns an entire domain set after a single use cycle, then rotates to fresh infrastructure. This is not ad hoc -- it is automated provisioning at scale.

Cloudflare Account Pivot

Nearly all 42 domains share the same Cloudflare nameserver pair:

NS pair                                            | Domains      | Significance
robin.ns.cloudflare.com + merlin.ns.cloudflare.com | ~40          | Primary cluster, consistent with one Cloudflare account
brianna.ns.cloudflare.com + unknown                | 1 (fullgate) | Separate NS assignment, possibly a second account or a test/fallback

A shared nameserver pair is a useful clustering signal but not proof of a single account: Cloudflare assigns each account one pair drawn from a limited pool of names, so unrelated accounts routinely end up on the same pair. Taken together with the common registrar, the TLD, the 48-hour registration window and the naming pattern, one operator is still the most plausible reading, and an abuse report to Cloudflare listing all 40 robin/merlin domains is the fastest route to taking down the bulk of this infrastructure.

Live Infrastructure (as of 2026-03-09)

Domain                   | IPs                           | Status
starbend[.]in[.]net      | 104.21.46.67 / 172.67.136.13  | LIVE
kronosis[.]in[.]net      | 104.21.5.234 / 172.67.154.191 | LIVE
zenithra[.]in[.]net      | 172.67.203.131 / 104.21.85.74 | LIVE
astronis[.]in[.]net      | 172.67.202.208 / 104.21.69.17 | LIVE
cryptixy[.]in[.]net      | 172.67.159.165                | LIVE
lumitron[.]in[.]net      | 172.67.177.227                | LIVE
nexoris[.]in[.]net       | 172.67.207.23                 | LIVE
veloxis[.]in[.]net       | 172.67.182.176                | LIVE
redclay[.]in[.]net       | 104.21.60.104                 | LIVE
terravia[.]in[.]net      | 172.67.164.21                 | LIVE
glacierpeak[.]in[.]net   | --                            | OFFLINE
harborcliff[.]in[.]net   | --                            | OFFLINE
amperesilence[.]in[.]net | --                            | OFFLINE
autumnbrook[.]in[.]net   | --                            | OFFLINE

All live IPs sit in Cloudflare's anycast ranges, so they identify the reverse proxy, not the origin server. Do not pivot on them and do not block them: they are shared with legitimate Cloudflare customers. Block or sinkhole the domains instead.

Vendor Attribution Conflict

Different security vendors attribute this payload to different threat actors, which is worth examining:

Vendor         | Attribution                          | Assessment
ReversingLabs  | Script-PowerShell.Dropper.Gamaredon  | Gamaredon (Russian FSB-linked APT)
Kaspersky      | Trojan.PowerShell.Cobalt.sb          | Cobalt Strike framework association
Triage Sandbox | SectopRAT (score 10/10)              | Cybercrime info-stealer
MalwareBazaar  | Origin: AU (Australia)               | Submitter (likely victim) location, not actor origin

The Gamaredon attribution from ReversingLabs is notable but should be treated with caution: a vendor detection name is a heuristic family label, not an attribution statement. Gamaredon is a Ukraine-focused Russian APT, and while they use PowerShell droppers extensively, the SectopRAT final payload and the spray-and-pray distribution model (156+ URLs) are more consistent with cybercrime operations than targeted espionage. The infrastructure pattern, bulk domain registration, Cloudflare proxying and rapid rotation, aligns more closely with financially motivated actors running commodity stealers at scale.

MITRE ATT&CK Mapping

Tactic              | Technique                                         | ID        | Implementation
Initial Access      | Phishing: Spearphishing Link                      | T1566.002 | ClickFix fake Google verification page
Execution           | User Execution: Malicious Copy and Paste          | T1204.004 | Victim pastes the PowerShell command into a terminal
Execution           | Command and Scripting Interpreter: PowerShell     | T1059.001 | bruce.php PowerShell dropper
Execution           | Native API                                        | T1106     | NtAllocateVirtualMemory, NtCreateThreadEx called from ntdll
Defense Evasion     | Obfuscated Files or Information                   | T1027     | Three encryption layers (XOR, AES-256-CBC, Chaskey) plus junk code
Defense Evasion     | Masquerading: Match Legitimate Name or Location   | T1036.005 | bruce.php, verification.google, DataUpdateClient
Defense Evasion     | Process Injection                                 | T1055     | Donut shellcode started in a new thread via direct ntdll calls
Defense Evasion     | Reflective Code Loading                           | T1620     | Assembly::Load() fileless .NET execution
Defense Evasion     | System Binary Proxy Execution                     | T1218     | 32-bit PowerShell relaunch via SysWOW64
Credential Access   | Credentials from Web Browsers                     | T1555.003 | SectopRAT browser credential theft
Collection          | Email Collection: Local Email Collection          | T1114.001 | SectopRAT email client harvesting
Collection          | Data from Local System                            | T1005     | Cryptocurrency wallet theft
Discovery           | Software Discovery                                | T1518     | Installed software enumeration
Discovery           | System Language Discovery                         | T1614.001 | Language and locale identification
Command and Control | Application Layer Protocol: Web Protocols         | T1071.001 | HTTPS C2 via Cloudflare
Command and Control | Proxy: External Proxy                             | T1090.002 | Cloudflare CDN as C2 proxy layer

Indicators of Compromise

File Indicators

# PowerShell Dropper (bruce.php)
SHA-256: ac3afdcdd6989262b365e5850c82bdd3e42c63714419acf891d8c4f8435f964c
SHA-1:   f1205f3b2a18b65361dacb3bb9dc93b565b00702
MD5:     a387480f5aca1bdaeb27da7d747a4d62

# .NET Loader (DataUpdateClient.exe) -- decrypted from bruce.php
SHA-256: f1c6397d57a8b1d0a931690e3703a13d95760a2b6a1623bdbfa71e25e886a64e
MD5:     d755a657b5b90188eb49e50c6cff46f0

# Donut Shellcode -- decrypted from .NET loader
SHA-256: e7796671f9817ce4a90635589dfd2e21797d689aafa5cf5efe52072a058be67f
MD5:     1d17416fa2662416c9d02b321dba08bd

# SectopRAT DLL -- Wave 1
SHA-256: 03b4722296d5e7163bd58e2dddf38159e4eec34ab2a4a05225e8cd0119e297db
SHA-1:   c81295c8a43a4631c8d086158dacf6dd686a88eb
MD5:     1921ee83b5f39b95b9b8c8b464ebb7ba
imphash: 000a4df4beffc7e55729dacb598b66f5

# SectopRAT DLL -- Wave 2
SHA-256: 0a62b065688ebbb636fb8f800881da22d6cb480bb458870909a39c0228c10c90
SHA-1:   4c33913517f56b663a228a52b745b1b4310c390e
MD5:     6d60b4ed70a575a60beabe430210efee
imphash: 2b6cf70a28379515c8e174f9b5717856

Behavioral Indicators

# Temp log file (unique to this campaign)
$env:TEMP\mGyLVtnG.log

# .NET Assembly GUID
{DADC732D-4D96-4984-B248-F40848DF6DC7}

# Encryption keys (Base64)
XOR Key: X9NWIZ34PDcDehY38N8n8Q==
AES Key: K0ZX//j9YdGOJiIPuqXDsPDv1wosL8GR4IKvSbEHd3k=
AES IV:  tkkE36LgF0nvezCLBXiyMg==

# Payload filenames
verification.google
SecuriteInfo.com.Win32.MalwareX-gen

# 32-bit PowerShell relaunch
$env:WINDIR\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Network Indicators

# Cloudflare NS pair (shared by 40 of the 42 parent domains)
robin[.]ns[.]cloudflare[.]com
merlin[.]ns[.]cloudflare[.]com

# All 42 parent domains listed in Wave 1 and Wave 2 sections above

Detection Opportunities

YARA Rules

rule ClickFix_SectopRAT_BrucePhp_Dropper {
    meta:
        description = "Detects the bruce.php ClickFix PowerShell dropper for SectopRAT"
        author = "Breakglass Intelligence"
        date = "2026-03-09"
        tlp = "TLP:CLEAR"
        severity = "HIGH"
        reference = "https://intel.breakglass.tech"
    strings:
        $xor_key = "X9NWIZ34PDcDehY38N8n8Q==" ascii
        $log_file = "mGyLVtnG.log" ascii wide
        $syswow = "SysWOW64\\WindowsPowerShell" ascii wide nocase
        $junk1 = "PxDAgSfVrK" ascii
        $junk2 = "qixCFkPiOx" ascii
        $assembly_load = "Assembly]::Load" ascii nocase
    condition:
        2 of ($xor_key, $log_file, $assembly_load) or
        ($syswow and 1 of ($junk*))
}

rule ClickFix_SectopRAT_DotNet_Loader {
    meta:
        description = "Detects the DataUpdateClient .NET loader used in ClickFix SectopRAT campaign"
        author = "Breakglass Intelligence"
        date = "2026-03-09"
        tlp = "TLP:CLEAR"
        severity = "HIGH"
    strings:
        $guid = "DADC732D-4D96-4984-B248-F40848DF6DC7" ascii nocase
        $product = "DataUpdateClient" ascii wide
        $aes_key = "K0ZX//j9YdGOJiIPuqXDsPDv1wosL8GR4IKvSbEHd3k=" ascii
        $aes_iv = "tkkE36LgF0nvezCLBXiyMg==" ascii
        $ntalloc = "NtAllocateVirtualMemory" ascii
        $ntcreate = "NtCreateThreadEx" ascii
        $junk_class = "JunkData" ascii
    condition:
        uint16(0) == 0x5A4D and
        ($guid or $product) and
        (1 of ($aes*) or 2 of ($nt*) or $junk_class)
}

Scope note for this rule: the loader never touches disk (the dropper XOR-decrypts it straight into memory), so it is meant for memory scans and for the unpacked artifact, not for on-disk file scanning.

rule ClickFix_SectopRAT_InNet_Domain_Pattern {
    meta:
        description = "Detects network traffic or artifacts referencing the .in.net ClickFix campaign domains"
        author = "Breakglass Intelligence"
        date = "2026-03-09"
        tlp = "TLP:CLEAR"
    strings:
        $d1 = "starbend.in.net" ascii wide nocase
        $d2 = "glacierpeak.in.net" ascii wide nocase
        $d3 = "harvestgrove.in.net" ascii wide nocase
        $d4 = "kronosis.in.net" ascii wide nocase
        $d5 = "zenithra.in.net" ascii wide nocase
        $d6 = "astronis.in.net" ascii wide nocase
        $d7 = "cryptixy.in.net" ascii wide nocase
        $d8 = "amperesilence.in.net" ascii wide nocase
        $d9 = "veloxis.in.net" ascii wide nocase
        $d10 = "nexoris.in.net" ascii wide nocase
        $payload = "verification.google" ascii wide
    condition:
        2 of ($d*) or $payload
}

Suricata / Snort Signatures

# ClickFix SectopRAT -- .in.net distribution domain pattern
alert dns any any -> any any (msg:"CLICKFIX SECTOPRAT .in.net Campaign Domain"; \
  dns.query; content:".in.net"; endswith; \
  pcre:"/\.(starbend|glacierpeak|harvestgrove|kronosis|zenithra|astronis|cryptixy|lumitron|nexoris|veloxis|redclay|terravia)\.in\.net$/i"; \
  sid:2026030901; rev:1;)

# ClickFix SectopRAT -- verification.google payload request
alert http any any -> any any (msg:"CLICKFIX SECTOPRAT verification.google Payload Download"; \
  content:"verification.google"; http_uri; \
  sid:2026030902; rev:1;)

# ClickFix SectopRAT -- dropper script body in transit. A network sensor cannot see the
# local 64-bit -> 32-bit relaunch itself; this only fires when the script body crosses the
# wire in cleartext or on a TLS-inspected path (the campaign serves it over Cloudflare TLS).
alert http any any -> any any (msg:"CLICKFIX SysWOW64 PowerShell Relaunch in Downloaded Script"; \
  flow:established,to_client; file_data; \
  content:"SysWOW64"; nocase; content:"WindowsPowerShell"; nocase; distance:0; \
  content:"powershell.exe"; nocase; distance:0; \
  sid:2026030903; rev:1;)

Notes: the first rule uses the dns.query sticky buffer and is Suricata 5+ syntax (Snort needs its own DNS preprocessor form), and its pcre covers only the twelve parent domains seen live on 2026-03-09; extend the alternation with the full Wave 1 and Wave 2 lists above for complete coverage.

Hunting Queries

Endpoint telemetry -- search for temp log file:

file_path:*\\Temp\\mGyLVtnG.log

32-bit PowerShell spawned by 64-bit PowerShell (the child carries the SysWOW64 path; the parent is the System32 binary the victim pasted into, so match on image paths rather than on the parent's command line):

process_path:*\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe AND
parent_process_path:*\\System32\\WindowsPowerShell\\v1.0\\powershell.exe AND
NOT user:"SYSTEM"
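Added example, not from the report: the relaunch hunt above expressed as Python over constructed EDR-style events (process creations with image path, parent pid and user; file creations with pid). It walks the parent-child relationship rather than the command line, excludes SYSTEM, and raises the score when the same 32-bit process also writes the campaign's log file. The field names and the sample events are invented for the example; map them onto your own telemetry schema.

```python
from collections import defaultdict

PS64_SUFFIX = r"\system32\windowspowershell\v1.0\powershell.exe"
PS32_SUFFIX = r"\syswow64\windowspowershell\v1.0\powershell.exe"
CAMPAIGN_LOG = "mgylvtng.log"

# Constructed sample telemetry (field names and values invented for this example).
SAMPLE_EVENTS = [
    # Victim pastes the ClickFix command into 64-bit PowerShell ...
    {"type": "process", "pid": 4100, "ppid": 900, "user": "CORP\\alice",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # ... the dropper relaunches itself as 32-bit PowerShell ...
    {"type": "process", "pid": 4188, "ppid": 4100, "user": "CORP\\alice",
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"},
    # ... and writes its execution log.
    {"type": "file_create", "pid": 4188,
     "path": r"C:\Users\alice\AppData\Local\Temp\mGyLVtnG.log"},
    # Benign: a SYSTEM-context management agent running 32-bit PowerShell.
    {"type": "process", "pid": 5000, "ppid": 4, "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"},
    # Benign: 32-bit PowerShell started by explorer, not by a 64-bit PowerShell.
    {"type": "process", "pid": 1200, "ppid": 800, "user": "CORP\\bob",
     "image": r"C:\Windows\explorer.exe"},
    {"type": "process", "pid": 5100, "ppid": 1200, "user": "CORP\\bob",
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"},
]


def _image_is(image: str, suffix: str) -> bool:
    return image.replace("/", "\\").lower().endswith(suffix)


def hunt_relaunch(events):
    """Return 32-bit PowerShell processes whose parent is 64-bit PowerShell, scored."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    files = defaultdict(list)
    for e in events:
        if e["type"] == "file_create":
            files[e["pid"]].append(e["path"])
    hits = []
    for pid, p in procs.items():
        if not _image_is(p["image"], PS32_SUFFIX):
            continue
        if p["user"].upper().endswith("\\SYSTEM"):
            continue
        parent = procs.get(p["ppid"])
        if parent is None or not _image_is(parent["image"], PS64_SUFFIX):
            continue
        reasons = ["64-bit PowerShell spawned 32-bit PowerShell (SysWOW64)"]
        if any(f.lower().endswith("\\" + CAMPAIGN_LOG) for f in files[pid]):
            reasons.append("process wrote %TEMP%\\mGyLVtnG.log")
        hits.append({"pid": pid, "parent_pid": parent["pid"], "user": p["user"],
                     "score": len(reasons), "reasons": reasons})
    return sorted(hits, key=lambda h: -h["score"])


if __name__ == "__main__":
    for hit in hunt_relaunch(SAMPLE_EVENTS):
        print(hit)
```

The relaunch alone is low-volume but not unique to this campaign (some installers and admin tooling do the same), which is why the log-file write is used as the second, campaign-specific signal rather than as the only one.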

Assembly GUID in loaded modules:

loaded_module_guid:"DADC732D-4D96-4984-B248-F40848DF6DC7"

Domains under .in.net delegated to the shared nameserver pair. Endpoint DNS logs do not carry the queried domain's NS records, so this is a join against passive DNS or an enrichment field, not a raw query-log search:

dns_query:*.in.net AND
dns_nameserver:(robin.ns.cloudflare.com OR merlin.ns.cloudflare.com)

Certificate transparency monitoring (proactive): Monitor crt.sh for new wildcard certificates matching *.{compound-word}.in.net issued by Let's Encrypt within the past 72 hours. New certificates matching this pattern likely indicate the next wave of infrastructure.
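Added example, not from the report: a Python filter for the certificate-transparency hunt above, applied to crt.sh-style JSON records (fields id, issuer_name, name_value with newline-separated SANs, not_before). It keeps Let's Encrypt wildcard certificates for *.<label>.in.net issued within the last 72 hours and marks labels that split into two words from a small list seeded with the Wave 1 parents, which is the naming pattern described in the Domain Generation Pattern section. The records below are constructed, the word list is an assumption, and a real run would feed it the JSON from crt.sh's https://crt.sh/?q=%25.in.net&output=json query.

```python
import re
from datetime import datetime, timedelta, timezone

# Word list seeded from the Wave 1 parent domains above; an assumption, extend freely.
PARENT_WORDS = {
    "ampere", "silence", "autumn", "brook", "breeze", "field", "glacier", "peak",
    "good", "time", "granite", "valley", "harbor", "cliff", "harvest", "grove",
    "silver", "meadow", "star", "bend", "summit", "thunder", "plain", "oak",
}
WILDCARD_IN_NET = re.compile(r"^\*\.([a-z0-9-]+)\.in\.net$", re.IGNORECASE)


def is_compound(label: str, words=PARENT_WORDS) -> bool:
    """True if the label splits into two list words, e.g. star+bend or glacier+peak."""
    label = label.lower()
    return any(label[:i] in words and label[i:] in words for i in range(1, len(label)))


def flag_wildcard_certs(entries, now, window=timedelta(hours=72), issuer="Let's Encrypt"):
    """Recent Let's Encrypt wildcards on .in.net, compound-word parents first."""
    hits = []
    for e in entries:
        if issuer not in e.get("issuer_name", ""):
            continue
        # crt.sh emits naive UTC timestamps such as 2026-03-08T10:00:00
        not_before = datetime.fromisoformat(e["not_before"]).replace(tzinfo=timezone.utc)
        if not (timedelta(0) <= now - not_before <= window):
            continue
        for san in e["name_value"].splitlines():
            m = WILDCARD_IN_NET.match(san.strip())
            if m:
                label = m.group(1).lower()
                hits.append({"cert_id": e["id"], "parent": f"{label}.in.net",
                             "compound": is_compound(label), "not_before": not_before})
    return sorted(hits, key=lambda h: (not h["compound"], h["not_before"]))


# Constructed in crt.sh's JSON shape; these are not real log entries.
SAMPLE_ENTRIES = [
    {"id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R11",
     "name_value": "*.starbend.in.net\nstarbend.in.net", "not_before": "2026-03-08T10:00:00"},
    {"id": 2, "issuer_name": "C=US, O=Let's Encrypt, CN=R11",
     "name_value": "*.kronosis.in.net", "not_before": "2026-03-09T09:30:00"},
    {"id": 3, "issuer_name": "C=US, O=Let's Encrypt, CN=R11",            # outside the window
     "name_value": "*.oakbend.in.net", "not_before": "2026-02-01T00:00:00"},
    {"id": 4, "issuer_name": "C=AT, O=ZeroSSL, CN=ZeroSSL RSA Domain Secure Site CA",
     "name_value": "*.summitgrove.in.net", "not_before": "2026-03-09T08:00:00"},  # other issuer
    {"id": 5, "issuer_name": "C=US, O=Let's Encrypt, CN=R11",            # not a wildcard
     "name_value": "api.starbend.in.net", "not_before": "2026-03-09T08:00:00"},
]
NOW = datetime(2026, 3, 9, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for hit in flag_wildcard_certs(SAMPLE_ENTRIES, NOW):
        print(hit)
```

Wave 2 parents such as kronosis or zenithra are invented words rather than compounds, so the compound flag is a prioritisation aid, not a filter: a new wildcard on any fresh .in.net label inside the window still deserves a look.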

Connection to ACRStealer Ecosystem

This SectopRAT campaign does not exist in isolation. SectopRAT is the .NET variant of the Arechclient2 family -- the same family behind ACRStealer. Our prior investigation into ACRStealer identified shared C2 infrastructure between ACRStealer's Go-based loader and SectopRAT at IPs 94.26.106.216 and 91.84.123.250, confirming a single operator running both variants. The ClickFix delivery mechanism is also shared: ACRStealer uses ClickFix/FakeCAPTCHA pages for initial access, and this SectopRAT campaign uses the same technique with the same verification.google payload naming convention.

The operator is running a multi-family stealer network: ACRStealer (Go), SectopRAT (.NET), AmateraStealer, and NetSupport RAT -- all sharing infrastructure, delivery mechanisms, and operational patterns.

Published by Breakglass Intelligence. Investigation conducted 2026-03-09. 42 parent domains mapped. 156 distribution subdomains identified. 5 payload hashes extracted across 3 encryption layers. Classification: TLP:CLEAR
