Competent Malware, Incompetent Infrastructure: A VIPKeylogger Operator Builds a Steganographic Kill Chain, Leaves XAMPP Dashboard Open, and Leaks Their Own SMTP Credentials
TL;DR: A VIPKeylogger campaign (SnakeKeylogger variant) delivered via DHL-themed phishing uses a three-stage infection chain -- VBScript with Unicode hex-nibble obfuscation, a steganographic JPEG hosted on Cloudinary CDN, WMI-spawned hidden PowerShell, in-memory .NET loading, and Caspol.exe hollowing. The operator hosted C2 on a Windows Server 2012 R2 box with stock XAMPP /dashboard/ exposed and WinRM open to the internet. Then the Tria.ge sandbox leaked their SMTP exfiltration credentials: result@miniorangeman.com with password bK6s^&G{UAh)Qh{7, sending stolen data to a Seychelles-registered bulletproof host. The Cloudinary payload is still live and serving malware despite the C2 going offline hours after detection. The C2 sits on Cloudzy/RouterHosting infrastructure -- an Iranian-linked hosting provider that Halcyon research found carries 40-60% malicious traffic and serves APTs from China, Iran, North Korea, and Russia alongside Ryuk and Conti ransomware operations.
The OPSEC Catastrophe
The story of this campaign is the gap between the malware and everything around it.
The operator -- likely a MaaS customer using the VIPKeylogger builder -- invested real effort into the kill chain. The VBScript dropper uses a custom Unicode separator (⩝Ɽ◮ڧᕒ) to split hex nibbles, pads 15,896 junk lines of emoji-laden Unicode to inflate the file to 1.14 MB, launches PowerShell invisibly via WMI's Win32_Process.Create with ShowWindow=0, downloads a fake JPEG from Cloudinary CDN containing a steganographic .NET assembly, and reflectively loads the payload entirely in memory before hollowing into a signed Microsoft binary. This is not amateur work.
Then they put it all on a server at 144.172.105.88 where anyone can visit https://144.172.105.88/dashboard/ and see the stock Apache XAMPP welcome page. WinRM is open on port 5985, meaning anyone with credentials -- or a brute-force script -- can establish a remote PowerShell session.
And then the Tria.ge sandbox captured the full SMTP exfiltration credentials in plaintext. The operator's entire data collection pipeline -- the inbox where every stolen credential from every victim ends up -- is now public: result@miniorangeman.com, password bK6s^&G{UAh)Qh{7, running on a cPanel mail server at 185.196.9.150. The domain was purpose-built for malware exfil, registered a year ago through a Hong Kong registrar, with a registrant claiming to be in Bay of Plenty, New Zealand. The server sits on a Seychelles-registered bulletproof host (Global-Data System IT Corporation, AS42624) -- neighbors with api.razershop.cc, a likely fraudulent gaming store.
The C2 went offline within hours of the sample hitting VirusTotal on March 14. The operator noticed. But the Cloudinary payload and the SMTP exfil server are both still live. They killed the C2 and forgot about everything else.
Correction from initial analysis: MariaDB on port 3306 was not wide open. Shodan's probe returned "Host is not allowed to connect" -- the operator configured IP-based access control on the database. Credit where it's due: one thing was locked down. Everything else was not.
The Hosting: An Iranian-Linked C2 Provider
The C2 IP's reverse DNS is 88.105.172.144.static.cloudzy.com. This is not incidental. Cloudzy, operating as RouterHosting LLC (AS14956) out of a Wyoming shell address, is a well-documented malicious hosting provider. Halcyon research concluded in 2023 that Cloudzy is "almost certainly a cutout for the actual hosting company, abrNOC, operating out of Tehran, Iran."
| Finding | Detail |
|---|---|
| Malicious traffic share | 40-60% of Cloudzy activity is malicious |
| APT customers | Groups from China, Iran, North Korea, Russia, India, Pakistan, Vietnam |
| Ransomware operations | Ryuk (hospital attacks), Exotic Lily (Conti initial access broker), Space Kook |
| Spyware | Candiru (Israeli spyware vendor, US-sanctioned November 2021) |
| Payment | Cryptocurrency VPS, minimal KYC |
The operator did not accidentally end up on Cloudzy. This is a deliberate choice of infrastructure designed to resist abuse takedowns. The irony is that the hosting choice -- the one thing they got right -- is rendered moot by everything else they got wrong.
Technical Analysis
Stage 1: VBScript Dropper
The initial delivery vector is a DHL-themed phishing email carrying a VBScript attachment. The file (17aaf09246b97db19f735f2fe9e26708.vbs) is 1.14 MB and 15,919 lines long. Only 23 of those lines do anything.
The remaining 15,896 lines are identical padding appended to an unused variable:
```vb
reallows = reallows & "😉ἳͯ⫈💼ሐᇌൽ🤉▏౪ὔཬᘩٵ"
```
This serves three purposes: inflates file size past certain sandbox thresholds, drowns out functional code in editors, and wastes analyst time. The actual payload is encoded using a hex-nibble scheme where individual hex characters are separated by the Unicode string ⩝Ɽ◮ڧᕒ:
```vb
alining = "2⩝Ɽ◮ڧᕒ4⩝Ɽ◮ڧᕒ6⩝Ɽ◮ڧᕒ4⩝Ɽ◮ڧᕒ6⩝Ɽ◮ڧᕒ5⩝Ɽ◮ڧᕒ..."
```
Stripping the separator and pairing hex nibbles yields ASCII bytes -- the PowerShell payload. Execution is handled through WMI rather than direct process creation:
```vb
Set infare = GetObject("winmgmts:root\cimv2")
Set circumsail = infare.Get("Win32_ProcessStartup").SpawnInstance_
circumsail.ShowWindow = 0
labellum = infare.Get("Win32_Process").Create(avaram, Null, circumsail, mayas)
```
This breaks the parent-child process relationship that most EDR products use for detection. Instead of wscript.exe spawning powershell.exe, the PowerShell process appears as a child of wmiprvse.exe -- a legitimate system process. Setting ShowWindow = 0 ensures the PowerShell window is never displayed.
At time of analysis, 17 out of 76 VirusTotal engines detected the dropper.
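The separator scheme and the padding heuristic from this stage, as an added decoder and triage helper (not code from the report): it strips the Unicode separator, pairs the hex nibbles, and measures how much of a script is one repeated line. The separator and junk string are the ones quoted above; the mini-dropper it runs on is constructed for the demo.

```python
import re
from collections import Counter

# Separator and junk string quoted in the analysis above.
SEPARATOR = "⩝Ɽ◮ڧᕒ"
JUNK = "😉ἳͯ⫈💼ሐᇌൽ🤉▏౪ὔཬᘩٵ"

def encode_nibbles(text: str, sep: str = SEPARATOR) -> str:
    """Reproduce the dropper's scheme only to build demo input: every hex
    nibble of the ASCII bytes is joined by the Unicode separator."""
    return sep.join(text.encode("ascii").hex())

def decode_nibbles(blob: str, sep: str = SEPARATOR) -> bytes:
    """Strip the separator, then pair the remaining hex nibbles into bytes."""
    nibbles = blob.replace(sep, "")
    if len(nibbles) % 2 or not re.fullmatch(r"[0-9a-fA-F]*", nibbles):
        raise ValueError("not a clean hex-nibble stream after separator removal")
    return bytes.fromhex(nibbles)

def decode_vbs_strings(vbs_source: str, sep: str = SEPARATOR) -> list:
    """Decode every VBS string literal that contains the separator."""
    return [decode_nibbles(lit, sep)
            for lit in re.findall(r'"([^"\r\n]*)"', vbs_source) if sep in lit]

def padding_stats(vbs_source: str) -> tuple:
    """(count, share) of the single most-repeated non-blank line. The real
    dropper scores 15,896 of 15,919 lines; anything near 1.0 is a red flag."""
    lines = [l.strip() for l in vbs_source.splitlines() if l.strip()]
    _, repeats = Counter(lines).most_common(1)[0]
    return repeats, repeats / len(lines)

# Constructed mini-dropper for the demo (not the real 1.14 MB file):
# three functional lines and 47 copies of the padding line.
DEMO_PAYLOAD = "Write-Output 'stage2-demo'"
DEMO_VBS = "\n".join(
    [f'alining = "{encode_nibbles(DEMO_PAYLOAD)}"',
     'Set infare = GetObject("winmgmts:root\\cimv2")',
     'reallows = ""'] + [f'reallows = reallows & "{JUNK}"'] * 47)

if __name__ == "__main__":
    print(decode_vbs_strings(DEMO_VBS))   # [b"Write-Output 'stage2-demo'"]
    print(padding_stats(DEMO_VBS))        # (47, 0.94)
```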
Stage 2: Steganographic Payload Delivery
The decoded PowerShell downloads a JPEG image from Cloudinary CDN:
https://res.cloudinary.com/dzptvoj1b/image/upload/v1773339102/MSI_PRO_with_b64_wavpuj.jpg
This URL is still live. The initial report incorrectly stated it returned 404. We downloaded, verified, and extracted the payload. The file is a legitimate 4K MSI PRO product photo (3840x2160, progressive JPEG) with 1.55 MB of Base64-encoded .NET assembly appended after the image data. Cloudinary serves it without complaint because it passes JPEG validation.
Cloudinary's auto-format feature makes this worse: the same payload is accessible as .jpg, .png, and .gif -- three distinct URLs serving identical malware. The operator gets format diversity for free.
| Property | Value |
|---|---|
| File Size | 2,945,189 bytes (2.8 MB) |
| SHA256 | b23f06a5bf75ae2335bac792574cb3bc5fdc11755f5f4a75617eb99fd3a56104 |
| Stego markers | IN- at offset 1,320,121 / -in1 at offset 2,874,556 |
| Payload size | 1,554,432 chars of encoded data |
The PowerShell extracts the substring between IN- and -in1 markers, replaces # with A, reverses the entire string, and Base64-decodes the result. The output is a .NET assembly loaded via AppDomain.CurrentDomain.Load() -- no file touches disk.
A sibling sample uses Internet Archive (ia601609.us.archive.org) for the same purpose, indicating the operator rotates staging infrastructure.
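The stage-2 extraction logic above, as an added example (not the report's or the malware's code): it recovers a payload hidden with the observed IN- / -in1 marker, #-for-A, reverse, Base64 scheme, and adds a hunting check for JPEGs with a marked trailer after the EOI. The JPEG bytes and the embedded "assembly" are constructed stand-ins.

```python
import base64

START, END = b"IN-", b"-in1"   # delimiters observed in the Cloudinary JPEG

def embed(carrier: bytes, payload: bytes) -> bytes:
    """Build a demo carrier with the observed scheme run in reverse:
    Base64-encode, reverse, swap 'A' for '#', wrap in markers, append
    after the image bytes. Used only to produce test input."""
    blob = base64.b64encode(payload)[::-1].replace(b"A", b"#")
    return carrier + START + blob + END

def extract(carrier: bytes):
    """Recover the hidden payload the way the stage-2 PowerShell does:
    substring between the markers, '#' -> 'A', reverse, Base64-decode.
    Returns None when the markers are missing or the blob is malformed."""
    s = carrier.find(START)
    e = carrier.find(END, s + len(START)) if s >= 0 else -1
    if s < 0 or e < 0:
        return None
    blob = carrier[s + len(START):e].replace(b"#", b"A")[::-1]
    try:
        return base64.b64decode(blob, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None

def carrier_report(data: bytes) -> dict:
    """Hunting heuristic for proxy captures: a JPEG whose EOI marker is
    followed by a trailer that contains the delimiters."""
    is_jpeg = data.startswith(b"\xff\xd8")
    eoi = data.rfind(b"\xff\xd9")
    trailer = data[eoi + 2:] if eoi >= 0 else b""
    has_markers = START in trailer and END in trailer
    return {"is_jpeg": is_jpeg, "trailer_bytes": len(trailer),
            "has_markers": has_markers,
            "suspicious": is_jpeg and has_markers and len(trailer) > 0}

# Constructed stand-ins: a minimal JPEG skeleton and a fake "assembly".
DEMO_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32 + b"\xff\xd9"
DEMO_ASSEMBLY = b"MZ" + b"\x00" * 14 + b"constructed stand-in, not a real .NET DLL"
DEMO_CARRIER = embed(DEMO_JPEG, DEMO_ASSEMBLY)

if __name__ == "__main__":
    print(carrier_report(DEMO_CARRIER))
    print(extract(DEMO_CARRIER) == DEMO_ASSEMBLY)
```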
The Decoded Payload: Babel-Obfuscated .NET Loader
The extracted assembly is not what we expected.
| Property | Value |
|---|---|
| SHA256 | 240068f98bd3e3213351ebdac3a0e9657f9a17506e43425ea3ed19f14e17cf21 |
| Type | PE32 DLL (.NET v4.0.30319) |
| Size | 1,165,824 bytes (1.16 MB) |
| Compiled | 2026-03-12T18:06:06 UTC |
| Obfuscator | Babel Obfuscator |
| Original Name | Microsoft.Win32.TaskScheduler.dll v2.12.2.0 |
| MVID | eb2d219c-23d8-574d-6c10-bb48cb60a089 |
The binary was compiled two days before the campaign went live. It includes anti-analysis checks for dnspy, vsdbg, de4dot, plus CheckRemoteDebuggerPresent, IsDebuggerPresent, and NtQueryInformationProcess. An encrypted configuration blob in the User Strings heap contains the Telegram bot token and SMTP credentials -- protected by Babel's obfuscation layer, which Tria.ge's dynamic analysis bypassed by capturing the credentials in use.
Stage 3: VIPKeylogger (SnakeKeylogger Variant)
Tria.ge classifies this sample as VIPKeylogger, not SnakeKeylogger. VIPKeylogger is a direct variant/rebrand of SnakeKeylogger (also known as 404 Keylogger) that uses dual-channel exfiltration -- both SMTP and Telegram simultaneously. Standard SnakeKeylogger typically uses one or the other.
The malware performs process hollowing into Caspol.exe, conducts victim recon via checkip.dyndns.org with a spoofed MSIE 6.0 User-Agent, and exfiltrates through two channels:
Channel 1 -- SMTP (persistent collection):
| Field | Value |
|---|---|
| Server | mail.miniorangeman.com:587 (STARTTLS) |
| Username | result@miniorangeman.com |
| Password | bK6s^&G{UAh)Qh{7 |
| Server IP | 185.196.9.150 |
Channel 2 -- Telegram (real-time notification):
```text
PC Name: DESKTOP-ET51AJO
Date and Time: 3/14/2026 / 8:20:31 PM
Country Name: United States
[ DESKTOP-ET51AJO Clicked on the File If you see Nothing this's mean the system storage's empty. ]
```
The SMTP channel is the primary persistent data collector. Telegram is the operator's pager -- instant notification that a new victim has been compromised.
Kill Chain Summary
```text
[DHL Phishing Email]
        |
        v
[VBS Dropper — 1.14 MB, 23 functional lines]
  |- Unicode junk padding (15,896 lines)
  |- Hex-nibble encoding (⩝Ɽ◮ڧᕒ separator)
  '- WMI spawn (Win32_Process.Create, ShowWindow=0)
        |
        v
[PowerShell Stage 2 — in-memory]
  |- Downloads JPEG from Cloudinary CDN (STILL LIVE)
  |- Extracts base64 between IN- / -in1 markers
  |- Reverse + #→A substitution + FromBase64String
  '- AppDomain.Load() — no disk write
        |
        v
[VIPKeylogger — Babel-obfuscated .NET DLL]
  |- Hollows Caspol.exe (signed .NET binary)
  |- Recon: checkip.dyndns.org + reallyfreegeoip.org
  |- C2: HTTP GET http://144.172.105.88/img_*.png
  |- Persist: VBS startup + Scheduled Task
  |- SMTP exfil → result@miniorangeman.com (STILL LIVE)
  '- Telegram exfil → bot API (token encrypted)
```
Infrastructure
C2 Server: 144.172.105.88 (OFFLINE)
| Field | Value |
|---|---|
| IP | 144.172.105.88 |
| Reverse DNS | 88.105.172.144.static.cloudzy.com |
| ASN | AS14956 -- Cloudzy / RouterHosting LLC (Iranian-linked C2 provider) |
| Location | Salt Lake City, Utah |
| OS | Windows Server 2012 R2 |
| Web Stack | XAMPP: Apache/2.4.58, PHP/8.2.12, MariaDB |
| VT Detections | 3/94 (AlphaSOC, Cluster25, Criminal IP) |
| Status | OFFLINE since ~March 14, 22:00 UTC |
The C2 went dark within hours of the primary sample hitting VirusTotal and abuse.ch on March 14. A Let's Encrypt certificate was issued for the bare IP on February 1, 2026 (expired February 7) -- proving infrastructure staging began a full month before the campaign launched.
SMTP Exfil Server: 185.196.9.150 (LIVE)
| Field | Value |
|---|---|
| IP | 185.196.9.150 |
| ASN | AS42624 -- Global-Data System IT Corporation |
| Registration | Seychelles (House of Francis, Room 303, Ile Du Port, Mahe) |
| Contact | UK mobile: +447465226377 |
| LIR Created | 2024-05-28 |
| Services | Full mail stack (SMTP, IMAP, POP3, cPanel on 2083) |
| Neighbor | 185.196.9.148 hosts api.razershop.cc (likely fraudulent) |
| Status | LIVE |
SMTP Exfil Domain: miniorangeman.com
| Field | Value |
|---|---|
| Registered | 2025-03-31 (one year ago) |
| Registrar | NICENIC International Group Co. (Hong Kong) |
| Registrant Location | Bay of Plenty, New Zealand |
| Nameservers | arely.ns.cloudflare.com / keanu.ns.cloudflare.com |
| Certificates | 58 certificates issued since October 2025 |
| Website | "Coming Soon" placeholder |
| Status | LIVE |
This domain was purpose-built for malware exfiltration. The "Coming Soon" page is a facade. 58 certificate issuances over 5 months show continuous, active maintenance -- auto-renewing TLS on a cPanel installation. The operator invests more care in their exfil infrastructure than their C2.
Staging: Cloudinary (LIVE)
| Service | Account/URL | Status |
|---|---|---|
| Cloudinary | dzptvoj1b -- MSI_PRO_with_b64_wavpuj.jpg | LIVE (3 format variants) |
| Internet Archive | ia601609 -- MSI_PRO_with.png | 403 (removed) |
Operator Timeline
| Date (UTC) | Event |
|---|---|
| 2025-03-31 | miniorangeman.com registered (SMTP exfil domain) |
| 2025-10-19 | First Cloudflare wildcard cert for miniorangeman.com |
| 2026-02-01 | Let's Encrypt cert issued for C2 IP -- infrastructure staging begins |
| 2026-03-11 10:41 | TC.docx.z delivery archive first seen on VT |
| 2026-03-12 18:06 | .NET payload compiled (PE timestamp) |
| 2026-03-14 19:14 | Primary VBS sample reported by abuse.ch |
| 2026-03-14 20:00 | C2 XAMPP dashboard indexed by URLScan |
| 2026-03-14 ~22:00 | C2 goes offline (operator reacts to detection) |
| 2026-03-15 04:30 | Cloudinary payload and SMTP exfil still live |
Infrastructure Map
```text
OPERATOR (registrant: Bay of Plenty, New Zealand)
|
|-- Cloudflare Account: arely.ns / keanu.ns
|   \-- miniorangeman.com (exfil domain, "Coming Soon" facade)
|
|-- Stage 1 Hosting (multi-provider):
|   |-- Cloudinary (dzptvoj1b) [STILL LIVE]
|   |   \-- MSI_PRO_with_b64_wavpuj.jpg (.jpg/.png/.gif variants)
|   |       \-- Embedded: 1.16 MB Babel-obfuscated .NET DLL
|   \-- Internet Archive (ia601609) [removed]
|
|-- C2 Server: 144.172.105.88 [OFFLINE]
|   |-- AS14956 — Cloudzy/RouterHosting (Iranian-linked C2P)
|   |-- XAMPP on Windows Server 2012 R2
|   \-- Payloads: /img_085906.png, /img_092322.png
|
|-- SMTP Exfil: mail.miniorangeman.com [STILL LIVE]
|   |-- IP: 185.196.9.150
|   |-- AS42624 — Global-Data System IT Corp (Seychelles BPH)
|   |-- User: result@miniorangeman.com
|   \-- cPanel: cp.miniorangeman.com:2083
|
\-- Telegram Exfil: api.telegram.org [LIVE]
    \-- Bot token in Babel-encrypted config blob
```
MITRE ATT&CK Mapping
| Tactic | Technique | ID | Detail |
|---|---|---|---|
| Initial Access | Phishing: Spearphishing Attachment | T1566.001 | DHL-themed email with VBS attachment |
| Execution | Command and Scripting Interpreter: Visual Basic | T1059.005 | VBScript dropper with hex-nibble encoding |
| Execution | Command and Scripting Interpreter: PowerShell | T1059.001 | Hidden PowerShell via WMI |
| Execution | Windows Management Instrumentation | T1047 | Win32_Process.Create with ShowWindow=0 |
| Defense Evasion | Obfuscated Files or Information | T1027 | Unicode junk padding + hex-nibble encoding |
| Defense Evasion | Obfuscated Files or Information: Steganography | T1027.003 | .NET assembly hidden in JPEG between markers |
| Defense Evasion | Obfuscated Files or Information: Software Packing | T1027.002 | Babel Obfuscator on .NET payload |
| Defense Evasion | Reflective Code Loading | T1620 | AppDomain.Load() -- no disk write |
| Defense Evasion | Process Injection: Process Hollowing | T1055.012 | Injection into signed Caspol.exe |
| Defense Evasion | Masquerading | T1036 | Payloads disguised as PNG image files |
| Defense Evasion | Debugger Evasion | T1622 | CheckRemoteDebuggerPresent, IsDebuggerPresent, NtQueryInformationProcess, tool name checks |
| Persistence | Boot or Logon Autostart Execution | T1547 | VBS in startup location |
| Persistence | Scheduled Task/Job: Scheduled Task | T1053.005 | Windows Scheduled Task |
| Discovery | System Information Discovery | T1082 | PC name, date/time collection |
| Discovery | System Network Configuration Discovery | T1016 | External IP via checkip.dyndns.org |
| Discovery | System Location Discovery | T1614 | Country via reallyfreegeoip.org |
| Collection | Input Capture: Keylogging | T1056.001 | Keystroke capture |
| Collection | Clipboard Data | T1115 | Clipboard monitoring |
| Collection | Screen Capture | T1113 | Periodic screenshots |
| Command and Control | Application Layer Protocol: Web Protocols | T1071.001 | HTTP to C2 (img_*.png URLs) |
| Command and Control | Web Service | T1102 | Cloudinary/Internet Archive for staging |
| Exfiltration | Exfiltration Over Alternative Protocol | T1048 | SMTP exfil to miniorangeman.com:587 |
| Exfiltration | Exfiltration Over Web Service | T1567 | Telegram bot API |
Indicators of Compromise
Network Indicators
| Type | Indicator | Description | Status |
|---|---|---|---|
| IP | 144.172.105.88 | C2 server (Cloudzy, AS14956) | OFFLINE |
| IP | 185.196.9.150 | SMTP exfil server (Global-Data, AS42624) | LIVE |
| Domain | miniorangeman[.]com | SMTP exfil domain | LIVE |
| Domain | mail[.]miniorangeman[.]com | SMTP server | LIVE |
| Domain | cp[.]miniorangeman[.]com | cPanel management | LIVE |
| URL | http://144.172.105.88/img_085906.png | C2 payload (primary) | OFFLINE |
| URL | http://144.172.105.88/img_092322.png | C2 payload (sibling) | OFFLINE |
| URL | https://res.cloudinary.com/dzptvoj1b/image/upload/v1773339102/MSI_PRO_with_b64_wavpuj.jpg | Steganographic payload | LIVE |
| Email | result@miniorangeman[.]com | SMTP exfil account | LIVE |
| ASN | AS14956 | Cloudzy/RouterHosting (Iranian-linked C2P) | |
| ASN | AS42624 | Global-Data System IT Corp (Seychelles BPH) | |
| CIDR | 144.172.104.0/21 | RouterHosting allocation | |
| CIDR | 185.196.8.0/22 | Global-Data allocation | |
File Indicators
| Type | Value | Description |
|---|---|---|
| SHA256 | 2497074eb3708b530f8aeef43812d6a4a57c10f0d6a8b4ed2529bb4e778b1712 | VBS dropper (primary) |
| SHA256 | 5c0185c100ce56224d9b68155fbd079012ba0a5de94aedf2bcffdda092b2f010 | VBS dropper (sibling) |
| SHA256 | bd2b70d45507a1060b59a8f255cdefb7488884277bbe345fea081fd062600702 | TC.docx.z delivery archive |
| SHA256 | b23f06a5bf75ae2335bac792574cb3bc5fdc11755f5f4a75617eb99fd3a56104 | Cloudinary JPEG (steganographic carrier) |
| SHA256 | 240068f98bd3e3213351ebdac3a0e9657f9a17506e43425ea3ed19f14e17cf21 | Decoded .NET DLL (VIPKeylogger loader) |
| MVID | eb2d219c-23d8-574d-6c10-bb48cb60a089 | .NET Module Version ID |
Host Indicators
| Type | Indicator | Description |
|---|---|---|
| Process | wscript.exe → wmiprvse.exe → powershell.exe -NoProfile -WindowStyle Hidden | Execution chain |
| Process | Caspol.exe with network activity | Injection host |
| Path | C:\Users\Public\Downloads\ | Drop directory |
| User-Agent | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Victim recon fingerprint |
String Indicators
| Indicator | Context |
|---|---|
| Fiber.Program | VIPKeylogger .NET namespace/class |
| IN- / -in1 | Steganographic payload delimiters |
| ⩝Ɽ◮ڧᕒ | VBS hex-nibble obfuscation separator |
| 😉ἳͯ⫈💼ሐᇌൽ🤉▏౪ὔཬᘩٵ | VBS junk padding character sequence |
| img_[0-9]{6}\.png | C2 payload naming convention |
| bK6s^&G{UAh)Qh{7 | Leaked SMTP password |
SMTP Credentials (for CERT notification/takedown)
| Property | Value |
|---|---|
| Server | mail.miniorangeman.com:587 |
| Username | result@miniorangeman.com |
| Password | bK6s^&G{UAh)Qh{7 |
Detection Recommendations
Endpoint:
- Alert on PowerShell processes spawned by `wmiprvse.exe`. Legitimate WMI-spawned PowerShell is rare in most environments.
- Monitor `Caspol.exe` for any network activity or child process creation. This binary has no legitimate reason to make outbound connections.
- Flag VBScript files exceeding 500 KB containing repeated Unicode character sequences.
- Detect `AppDomain.Load()` calls from PowerShell processes -- indicates reflective .NET assembly loading.
- Hunt for processes checking `CheckRemoteDebuggerPresent` or scanning for `dnspy`/`de4dot` tool names.

Network:
- Block outbound connections to `144.172.105.88` and `185.196.9.150`, and consider blocking the entire allocations `144.172.104.0/21` and `185.196.8.0/22`.
- Alert on SMTP connections (port 587) to `185.196.9.150` or any host resolving to `miniorangeman.com`.
- Alert on HTTP GET to `checkip.dyndns.org` with an MSIE 6.0 User-Agent. No legitimate software has used this UA since approximately 2009.
- Monitor for Telegram API calls from non-Telegram processes.
- Hunt for HTTP GET matching `img_[0-9]{6}\.png` to non-CDN hosts.
- Monitor downloads from `res.cloudinary.com/dzptvoj1b` -- this Cloudinary account is actively serving malware.

Proactive Hunting:
- Search proxy logs for Cloudinary downloads where response bodies contain the `IN-` and `-in1` markers.
- Monitor crt.sh for new certificates issued to `miniorangeman.com` subdomains -- an indicator of new exfil mailboxes being created.
- Track .NET MVID `eb2d219c-23d8-574d-6c10-bb48cb60a089` across malware repositories for builder reuse.
- Pivot on the NICENIC registrar for domains registered to Bay of Plenty, NZ around March-April 2025.
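The endpoint and network rules above expressed as checks over telemetry, as an added example (not tooling from the report): process-creation records and proxy/flow records are run through one function each and anything that trips a rule is returned with its reasons. The IPs, domain, User-Agent, file-name pattern and process names are the report's indicators; the record field names, the `telegram.exe` client name and the sample events are constructed assumptions.

```python
import re

# Indicators from the report; field names and sample events are constructed.
BAD_IPS = {"144.172.105.88", "185.196.9.150"}
EXFIL_DOMAIN = "miniorangeman.com"
C2_PAYLOAD_NAME = re.compile(r"/img_[0-9]{6}\.png$")
CDN_HOSTS = {"res.cloudinary.com"}

def _base(image: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()

def check_process(ev: dict) -> list:
    """Process-creation record: {'parent': path, 'image': path}."""
    hits, parent, image = [], _base(ev["parent"]), _base(ev["image"])
    if parent == "wmiprvse.exe" and image == "powershell.exe":
        hits.append("powershell.exe spawned by wmiprvse.exe")
    if parent == "caspol.exe":
        hits.append("Caspol.exe spawned a child process")
    return hits

def check_network(ev: dict) -> list:
    """Network/proxy record: image, dst_host, dst_ip, dst_port, url, user_agent."""
    hits, image, host = [], _base(ev.get("image", "")), ev.get("dst_host", "").lower()
    if image == "caspol.exe":
        hits.append("Caspol.exe network activity")
    if ev.get("dst_ip") in BAD_IPS:
        hits.append(f"connection to known-bad IP {ev['dst_ip']}")
    if ev.get("dst_port") == 587 and (host == EXFIL_DOMAIN or host.endswith("." + EXFIL_DOMAIN)):
        hits.append("SMTP submission to exfil domain")
    if host == "checkip.dyndns.org" and "MSIE 6.0" in ev.get("user_agent", ""):
        hits.append("external-IP recon with MSIE 6.0 User-Agent")
    if C2_PAYLOAD_NAME.search(ev.get("url", "")) and host not in CDN_HOSTS:
        hits.append("img_NNNNNN.png fetch from non-CDN host")
    if host == "api.telegram.org" and image != "telegram.exe":  # desktop client name assumed
        hits.append("Telegram API call from a non-Telegram process")
    return hits

def triage(process_events, network_events) -> list:
    """Return every record that tripped at least one rule, with its reasons."""
    findings = [("process", ev, h) for ev in process_events if (h := check_process(ev))]
    findings += [("network", ev, h) for ev in network_events if (h := check_network(ev))]
    return findings

def net(image, host, ip, port, url="", ua=""):
    return {"image": image, "dst_host": host, "dst_ip": ip, "dst_port": port, "url": url, "user_agent": ua}

# Constructed sample telemetry (not captured data) mirroring the report's chain.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CASPOL = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
PROCESS_EVENTS = [
    {"parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "image": PS},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe"},
]
NETWORK_EVENTS = [
    net(CASPOL, "checkip.dyndns.org", "203.0.113.10", 80, "http://checkip.dyndns.org/",
        "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)"),
    net(CASPOL, "mail.miniorangeman.com", "185.196.9.150", 587),
    net(PS, "144.172.105.88", "144.172.105.88", 80, "http://144.172.105.88/img_085906.png"),
    net(r"C:\Program Files\Google\Chrome\chrome.exe", "res.cloudinary.com", "198.51.100.7", 443,
        "https://res.cloudinary.com/demo/image/upload/img_123456.png", "Mozilla/5.0"),
]

if __name__ == "__main__":
    for kind, ev, reasons in triage(PROCESS_EVENTS, NETWORK_EVENTS):
        print(kind, ev.get("image"), reasons)
```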
Conclusion
This campaign tells two stories about one operator.
The first story is competence. The VIPKeylogger builder produces genuine technical sophistication -- Unicode-separated hex-nibble encoding, steganographic CDN-hosted payloads, WMI-based execution that breaks process lineage, reflective .NET loading, Babel obfuscation with anti-debugger checks, process hollowing into signed Microsoft binaries. The dual-channel exfiltration (SMTP + Telegram) provides redundancy. The SMTP domain was registered a year in advance and maintained with auto-renewing certificates. The C2 was hosted on an Iranian-linked bulletproof provider and killed within hours of detection. None of this is amateur work.
The second story is everything the builder can't automate. A stock XAMPP dashboard left exposed. WinRM open to the internet. SMTP credentials captured in plaintext by a public sandbox. A Cloudinary payload still serving malware days after the C2 went dark. The operator shut down the C2 and walked away, apparently unaware that their staging infrastructure and exfil pipeline remain fully operational and fully documented.
The MaaS model means the malware author's skill does not transfer to the customer's operational security. The product is better than the person using it. For defenders, this is the pattern to exploit: the kill chain is strong, but the infrastructure around it leaks from every joint.
Updated 2026-03-15 with deep-dive findings: SMTP credentials, live Cloudinary payload, VIPKeylogger reclassification, Cloudzy/Iranian hosting attribution, corrected MariaDB assessment.
IOCs are provided for defensive use. Handle responsibly.
Published 2026-03-15 | BGI Autonomous Threat Hunting | Breakglass Intelligence