DCRat on a Budget: A DarkCrystal RAT Campaign Running on $4/Month Russian Shared Hosting

Published: March 12, 2026
Tags: stealer, phishing, credential-theft, c2, ransomware, apt

Published: 2026-03-10
Author: GHOST -- Breakglass Intelligence
Tags: DCRat, DarkCrystal RAT, ConfuserEx, SmartAssembly, Russian hosting, Timeweb, SpaceWeb, credential stealer
Read online: https://intel.breakglass.tech/post/dcrat-darkcrystal-russian-shared-hosting-march-2026


TL;DR: A DCRat (DarkCrystal RAT) campaign was identified operating on the cheapest tier of Russian shared hosting infrastructure, with C2 endpoints running on free subdomains from Timeweb ($2/month) and SpaceWeb ($2/month). The primary sample uses dual-layer ConfuserEx + SmartAssembly obfuscation, masquerades as the Qt/Chromium library libGLESv2.dll, and ships with modules for USB spreading, VPN credential theft, browser password stealing, Telegram/Discord session hijacking, and keylogging. Three related samples were identified across two hosting providers, all using an identical pattern of randomized subdomain names and 8-character hex PHP gate filenames. The C2 was dead within 24 hours of first observation. A co-hosted domain with a Tajikistan registrant provides a thin thread for attribution. This is commodity cybercrime at its most minimal -- low sophistication, low investment, but still dangerous to unprotected targets.


Background

DarkCrystal RAT (DCRat) is a Russian-language Malware-as-a-Service platform that has been sold on underground forums since at least 2018. It provides a full-featured builder that generates .NET-based RAT payloads with modular plugin architecture. Unlike premium RATs that cost hundreds of dollars per month, DCRat positions itself as the budget option, with licensing prices historically ranging from $5-$15. This affordability attracts a specific class of threat actor: individual operators with minimal budgets and limited technical sophistication, who rely entirely on the builder's default output.

The investigation began with a sample (SHA256: 058add3a76861e33920560412912eee7651c2ad2a9b81a26f679313a44310fdf) uploaded to MalwareBazaar on March 9, 2026. Sandbox analysis from Kaspersky (HEUR:Backdoor.MSIL.DCRat.gen), VMRay, CAPE, ANY.RUN, and Triage all confirm the DCRat family with high confidence.

Key Findings

1. Russian Shared Hosting on Free Subdomains

The campaign's C2 infrastructure is remarkably cheap. The operator uses free subdomains from two Russian shared hosting providers:

Timeweb (tw1.ru):

  • cr404896[.]tw1[.]ru -- primary C2
  • cc812496[.]tw1[.]ru -- secondary C2
  • Both resolve to 87[.]249[.]38[.]179 (server vh434.timeweb.ru)
  • Standard Timeweb free subdomain format: {random_prefix}.tw1.ru

SpaceWeb (swtest.ru):

  • hulr3lyand[.]temp[.]swtest[.]ru -- tertiary C2
  • Resolves to 77[.]222[.]40[.]198 (server fvh2.sweb.ru)
  • SpaceWeb temporary test subdomain system: {random}.temp.swtest.ru

Estimated total infrastructure cost: $2-4 per month. This is not a sophisticated bulletproof hosting operation -- it is the absolute minimum investment required to run a RAT campaign.

The primary C2 was observed as dead (showing Timeweb parking page) as of March 10, 2026 -- approximately 24 hours after the sample first appeared on MalwareBazaar. This could indicate automated abuse response from Timeweb, the operator intentionally rotating infrastructure, or the operator simply not renewing.

2. Dual-Layer .NET Obfuscation

The sample uses two commercial/open-source obfuscation tools stacked together:

ConfuserEx (outer layer):

  • Metadata stream #GUlD -- uses lowercase l instead of capital I (classic ConfuserEx anti-analysis fingerprint)
  • Metadata stream #Blop instead of #Blob -- stream rename protection
  • 7 metadata streams total (standard .NET has 5)
  • Corrupted metadata that crashes dnfile parser -- intentional anti-tooling
  • Module name obfuscated to uJLeIwZ7F6vBEuBDgIGSSm
  • 6,806 obfuscated identifiers in #Strings heap

SmartAssembly (inner layer):

  • Confirmed by Triage and UnpacMe detections
  • String encryption and flow obfuscation

While this dual-layer approach is more than the average script kiddie deployment, it is still the default output from the DCRat builder. No custom obfuscation or post-build modifications were observed.
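The renamed-stream markers above (and the "ConfuserEx Metadata Markers" rule summarized under Detection) can be checked without a full .NET parser. The following is an added example, not code from the report or from Breakglass Intelligence: it walks the .NET metadata root by its BSJB signature (ECMA-335 II.24.2.1), lists the stream names, and flags the two renames the report describes plus any stream count above the standard five. Locating the root by signature rather than through the CLI header is what keeps it working on a file whose headers were deliberately corrupted to crash stricter parsers. The `build_metadata_root` fixture is a constructed test input (stream bodies omitted; the "#z1"/"#z2" names are placeholders, not ConfuserEx's real junk-stream names).

```python
import struct

# Stream names ConfuserEx substitutes, as described in the report; the third
# character of "#GUlD" is a lowercase L. Maps renamed name -> original name.
CONFUSEREX_RENAMES = {"#GUlD": "#GUID", "#Blop": "#Blob"}
STANDARD_STREAM_COUNT = 5  # #~, #Strings, #US, #GUID, #Blob


def parse_metadata_streams(data: bytes) -> list[str]:
    """Return the stream names of a .NET metadata root in table order.
    `data` may be a whole PE image or just the metadata blob; the root is
    found by its "BSJB" signature instead of via the CLI header."""
    start = data.find(b"BSJB")
    if start < 0:
        raise ValueError("no .NET metadata root (BSJB signature) found")
    pos = start + 4
    _major, _minor, _reserved, version_len = struct.unpack_from("<HHII", data, pos)
    pos += 12 + version_len            # version string length is already 4-byte padded
    _flags, stream_count = struct.unpack_from("<HH", data, pos)
    pos += 4
    names = []
    for _ in range(stream_count):
        _offset, _size = struct.unpack_from("<II", data, pos)
        pos += 8
        end = data.index(b"\x00", pos)
        names.append(data[pos:end].decode("ascii", errors="replace"))
        pos = end + 1
        pos += (-(pos - start)) % 4    # name is NUL-terminated and padded to 4 bytes
    return names


def scan_metadata(data: bytes) -> dict:
    """Apply the report's ConfuserEx heuristics to the stream table."""
    names = parse_metadata_streams(data)
    renamed = {n: CONFUSEREX_RENAMES[n] for n in names if n in CONFUSEREX_RENAMES}
    extra = max(len(names) - STANDARD_STREAM_COUNT, 0)
    return {
        "streams": names,
        "confuserex_renames": renamed,
        "extra_streams": extra,
        "suspicious": bool(renamed) or extra > 0,
    }


def build_metadata_root(stream_names: list[str]) -> bytes:
    """Constructed fixture: a metadata root header with the given stream names
    (only the header is needed to exercise the name scan)."""
    version = b"v4.0.30319\x00"
    version += b"\x00" * ((-len(version)) % 4)
    root = b"BSJB" + struct.pack("<HHII", 1, 1, 0, len(version)) + version
    root += struct.pack("<HH", 0, len(stream_names))
    offset = 0
    for name in stream_names:
        raw = name.encode("ascii") + b"\x00"
        raw += b"\x00" * ((-len(raw)) % 4)
        root += struct.pack("<II", offset, 16) + raw
        offset += 16
    return root


if __name__ == "__main__":
    # Constructed sample mirroring the report: two renamed streams, 7 streams total.
    sample = build_metadata_root(["#~", "#Strings", "#US", "#GUlD", "#Blop", "#z1", "#z2"])
    print(scan_metadata(sample))
```

On a real file, pass the whole PE image; a stream count above five or either renamed stream is a triage signal per the report, not proof of DCRat on its own.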

3. Version Info Masquerade

The PE file presents itself as a legitimate Qt/Chromium component:

Field             Value
OriginalFilename  libGLESv2.dll
ProductName       libGLESv2
FileVersion       5.15.2.0

libGLESv2.dll is a legitimate OpenGL ES library bundled with Qt-based and Chromium-based applications. The version string 5.15.2.0 corresponds to Qt 5.15.2, a real release. This masquerade could help the binary blend in on systems running Qt or Chromium-based applications, though the .exe extension (rather than .dll) somewhat undermines the disguise.

4. GUID-Based AES Configuration

The DCRat config uses a distinctive GUID-based lookup table, with values encrypted via AesCryptoServiceProvider:

{11111-22222-10009-11112}  =>  Mutex
{11111-22222-20001-00001}  =>  C2 Host #1
{11111-22222-20001-00002}  =>  C2 Host #2
{11111-22222-30001-00001}  =>  Tag #1
{11111-22222-30001-00002}  =>  Tag #2
{11111-22222-40001-00001}  =>  Install Path #1
{11111-22222-40001-00002}  =>  Install Path #2
{11111-22222-50001-00000}  =>  Version

The GUID pattern {11111-22222-XXXXX-XXXXX} is a known DCRat builder artifact. The consistent 11111-22222 prefix across all config entries is the default builder output -- a custom-configured deployment would use randomized prefixes.
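The "DCRat GUID Config Pattern" detection summarized later in the report comes down to finding these keys in a binary and checking whether the prefix is the default 11111-22222. The following is an added example, not code from the report or from Breakglass Intelligence: it scans a byte buffer for the key pattern in both narrow ASCII and UTF-16LE (the CLR stores string literals in the #US heap as UTF-16, so a narrow-only rule can miss them), classifies each hit by the section codes in the table above, and reports whether every key carries the default builder prefix. The category names and section codes are exactly those listed in the report; `SAMPLE` is a constructed buffer, not bytes from the sample.

```python
import re

# Section codes (third field) and their meaning, as listed in the report.
SECTION_NAMES = {
    "10009": "Mutex",
    "20001": "C2 Host",
    "30001": "Tag",
    "40001": "Install Path",
    "50001": "Version",
}
DEFAULT_PREFIX = ("11111", "22222")

# The key pattern in two encodings: narrow ASCII and UTF-16LE (#US heap).
ASCII_KEY = re.compile(rb"\{(\d{5})-(\d{5})-(\d{5})-(\d{5})\}")
WIDE_KEY = re.compile(
    rb"\{\x00((?:\d\x00){5})-\x00((?:\d\x00){5})-\x00((?:\d\x00){5})-\x00((?:\d\x00){5})\}\x00"
)


def find_config_keys(data: bytes) -> list[dict]:
    """Return every DCRat-style config key in `data`, ordered by file offset."""
    found = []
    for encoding, pattern in (("ascii", ASCII_KEY), ("utf-16-le", WIDE_KEY)):
        for m in pattern.finditer(data):
            a, b, section, index = (g.decode(encoding) for g in m.groups())
            found.append({
                "offset": m.start(),
                "encoding": encoding,
                "key": f"{{{a}-{b}-{section}-{index}}}",
                "category": SECTION_NAMES.get(section, "Unknown"),
                "index": int(index),
                "default_prefix": (a, b) == DEFAULT_PREFIX,
            })
    return sorted(found, key=lambda k: k["offset"])


def summarize(data: bytes) -> dict:
    """Triage view: how many keys, whether all use the default prefix, and how
    many C2 host slots the config reserves."""
    keys = find_config_keys(data)
    return {
        "keys_found": len(keys),
        "default_builder": bool(keys) and all(k["default_prefix"] for k in keys),
        "c2_slots": sum(1 for k in keys if k["category"] == "C2 Host"),
    }


# Constructed fixture (not sample bytes): keys embedded in junk, three of them
# UTF-16LE as they would sit in the #US heap and one narrow ASCII copy.
SAMPLE = (
    b"\x00" * 8
    + "{11111-22222-10009-11112}".encode("utf-16-le")
    + b"\xde\xad\xbe\xef"
    + "{11111-22222-20001-00001}".encode("utf-16-le")
    + "{11111-22222-20001-00002}".encode("utf-16-le")
    + b"{11111-22222-50001-00000}"
    + b"\xff" * 4
)

if __name__ == "__main__":
    for k in find_config_keys(SAMPLE):
        print(f"{k['offset']:6d} {k['encoding']:9s} {k['key']}  {k['category']} #{k['index']}")
    print(summarize(SAMPLE))
```

A `default_builder` of False with keys present means the operator randomized the prefix, which is the customization the report notes was absent here; the values themselves remain AES-encrypted and are not recovered by this scan.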

5. Three-Sample Campaign Cluster

Three related samples were identified, all sharing the same imphash (f34d5f2d4577ed6d9ceec516c1f5a744) and operational patterns:

SHA256 (truncated)   Size      First Seen   C2 Gate
058add3a...0fdf      1.36 MB   2026-03-09   cr404896[.]tw1[.]ru/cf893288[.]php
e6bc720e...48ad      1.22 MB   2026-03-04   cc812496[.]tw1[.]ru/06ee2c94[.]php
da701cef...697c      Unknown   2026-03-04   hulr3lyand[.]temp[.]swtest[.]ru/664f54e6[.]php

All three use the distinctive 8-character hex filename pattern for the PHP C2 gate (e.g., cf893288.php, 06ee2c94.php, 664f54e6.php). Three samples across two hosting providers in five days, with C2 rotation, suggest an active operator who is regularly rebuilding and redeploying.

6. Extensive Module Set

Despite the budget infrastructure, the payload is feature-rich:

Module              Target
dcrat_usbspread     USB removable media worm spreading
dcrat_vpn_grabber   VPN client credential theft
Browser Stealer     Chrome and Firefox saved passwords/cookies
Telegram Stealer    Telegram session file theft
Discord Stealer     Discord token theft
FileZilla Stealer   FTP saved credentials
WinSCP Stealer      SSH saved credentials
Keylogger           Keystroke capture
Screen Capture      Screenshots and remote desktop
Clipboard Monitor   Clipboard data interception
Process Manager     Process enumeration and termination
File Manager        File browsing, upload, download
Registry Editor     Remote registry manipulation
Runtime Compiler    Dynamic code compilation and execution

The Runtime Compiler module is worth highlighting -- it allows the operator to compile and execute arbitrary C# code on the victim machine, effectively turning the RAT into a full remote development environment.

Attack Chain

Stage 1: Delivery (Unknown Vector)
  Delivery method not directly observed
  PE32 .NET executable, likely via phishing email or drive-by download
  Masquerades as libGLESv2.dll (Qt/Chromium component)

Stage 2: Execution
  .NET Framework v4.0.30319 loads the assembly
  ConfuserEx + SmartAssembly obfuscation unpacks at runtime
  AES-encrypted config decrypted using GUID-based lookup

Stage 3: Persistence
  Scheduled Tasks created for periodic execution
  Registry Run Keys (HKCU) for boot persistence

Stage 4: C2 Communication
  HTTP POST to 8-character hex PHP gate on shared hosting
  Example: hxxp://cr404896[.]tw1[.]ru/cf893288[.]php
  Plaintext HTTP (no TLS) -- all C2 traffic visible to network monitoring

Stage 5: Data Collection
  Keylogger captures keystrokes
  Browser stealer harvests Chrome/Firefox credentials
  VPN grabber targets VPN client configurations
  Telegram/Discord session theft
  Screen capture for remote monitoring
  Clipboard monitoring for cryptocurrency addresses, passwords

Stage 6: Exfiltration
  Stolen data exfiltrated via HTTP POST to same C2 gate
  USB spreading module attempts lateral movement to removable media

Stage 7: Sustained Access
  Runtime Compiler allows dynamic code execution
  File Manager enables upload/download of additional tools
  Registry Editor provides deep system manipulation

Infrastructure Analysis

Hosting Architecture

Timeweb (AS9123, Saint-Petersburg, Russia)
  |
  Server: vh434.timeweb.ru (87.249.38.179)
    |
    cr404896.tw1.ru  -- DCRat C2 gate (cf893288.php)  [DEAD]
    cc812496.tw1.ru  -- DCRat C2 gate (06ee2c94.php)  [DEAD]
    autohelperbot.com.ru -- Co-hosted domain (TJ registrant)  [LIVE]

SpaceWeb (AS35278, Russia)
  |
  Server: fvh2.sweb.ru (77.222.40.198)
    |
    hulr3lyand.temp.swtest.ru  -- DCRat C2 gate (664f54e6.php)  [UNKNOWN]

Certificate Analysis

The Timeweb IP serves a *.timeweb.ru wildcard certificate issued by GlobalSign (valid 2025-05-30 to 2026-07-01). This is the standard shared hosting certificate -- the operator did not deploy any custom TLS. All C2 traffic runs over plaintext HTTP on port 80.

Co-hosted Domain: autohelperbot.com.ru

A domain autohelperbot[.]com[.]ru shares the same Timeweb IP (87[.]249[.]38[.]179). WHOIS records show:

Field               Value
Registrant Country  TJ (Tajikistan)
Registration Date   2026-01-26
Domain Status       Active

The "autohelperbot" name suggests an automated service -- possibly a Telegram bot or web scraping tool. The Tajikistan registrant country, combined with Russian hosting providers, is consistent with a Central Asian CIS operator. This is a thin attribution thread but the only one available.

OPSEC Failures

The operator's security posture is poor across every dimension:

  1. Shared hosting with free subdomains: C2 can be taken down with a single abuse report
  2. No TLS on C2: All command-and-control traffic is plaintext HTTP, visible to any network monitoring
  3. Default DCRat builder output: Standard GUID config pattern, standard ConfuserEx obfuscation, no customization
  4. Predictable infrastructure pattern: All C2 gates use the same {8-hex-chars}.php naming convention
  5. Co-hosted domains: autohelperbot.com.ru on the same IP may link back to the operator's identity
  6. Rapid C2 death: Primary C2 parked within 24 hours -- either caught by automated abuse detection or operational incompetence

Detection

YARA Summary

Detection rules target:

  • ConfuserEx Metadata Markers: PE files with #GUlD (lowercase L) or #Blop metadata stream names, indicating ConfuserEx anti-analysis modifications
  • DCRat GUID Config Pattern: Strings matching {11111-22222- prefix within a .NET binary, indicating default DCRat builder configuration
  • libGLESv2 Masquerade: PE files with OriginalFilename: libGLESv2.dll that are actually .NET executables (legitimate libGLESv2 is native C++)
  • Module MVID: .NET Module Version ID 3f9ca4e3-8210-44be-a8fd-cc447f87d286
  • Obfuscated Module Name: The string uJLeIwZ7F6vBEuBDgIGSSm in .NET module metadata

Suricata Summary

Network detection rules cover:

  • DCRat C2 Gate Pattern: HTTP POST requests to URLs matching */[0-9a-f]{8}\.php on .tw1.ru or .swtest.ru domains
  • Timeweb C2 Traffic: HTTP traffic to *.tw1.ru subdomains containing POST data with DCRat command structure
  • SpaceWeb C2 Traffic: HTTP traffic to *.temp.swtest.ru subdomains on port 80
  • DCRat Beacon Pattern: HTTP POST with specific User-Agent and content patterns associated with DCRat check-in beacons

IOCs (Defanged)

Network Indicators

# C2 Gates (HTTP, plaintext)
hxxp://cr404896[.]tw1[.]ru/cf893288[.]php
hxxp://cc812496[.]tw1[.]ru/06ee2c94[.]php
hxxp://hulr3lyand[.]temp[.]swtest[.]ru/664f54e6[.]php

# C2 IPs
87[.]249[.]38[.]179   (Timeweb, AS9123, Saint-Petersburg RU)
77[.]222[.]40[.]198   (SpaceWeb, AS35278, RU)

# Co-hosted domain (attribution thread)
autohelperbot[.]com[.]ru (same IP as primary C2)

File Indicators

# Primary sample
SHA256: 058add3a76861e33920560412912eee7651c2ad2a9b81a26f679313a44310fdf
SHA1:   f9d25d7ba6ef61653759c9a9162612fedebacec6
MD5:    238cd37b1f7a03fad4846389e320c084

# Related sample #1
SHA256: e6bc720eeeba33cc4fd4b40e9b935c603932a325ff8136312d245ead8d3348ad
MD5:    63d32b3f858c91f77fa1d67331763c28

# Related sample #2
SHA256: da701cef0f825f0012ae82ede21b74c61806760c515f1f045cd9d050848e697c
MD5:    6643c67fec6ab6b86c427c2a83af47ab

# .NET fingerprints
imphash: f34d5f2d4577ed6d9ceec516c1f5a744
MVID:    3f9ca4e3-8210-44be-a8fd-cc447f87d286

Host Indicators

# ConfuserEx metadata markers
Metadata stream: #GUlD (lowercase L, not I)
Metadata stream: #Blop (not #Blob)
Module name: uJLeIwZ7F6vBEuBDgIGSSm

# DCRat config namespace
Settings class: t5PHIfS4h7Eq4e64H3.ayqIQgG0v4lU8nqugO

# Version info masquerade
OriginalFilename: libGLESv2.dll
ProductName: libGLESv2
FileVersion: 5.15.2.0

# P/Invoke DLLs
kernel32.dll, user32.dll, gdi32.dll, winmm.dll, mscoree.dll

MITRE ATT&CK Mapping

Tactic               Technique                                        ID         Notes
Execution            User Execution                                   T1204      Victim executes disguised PE
Persistence          Scheduled Task/Job                               T1053.005  Periodic execution via scheduled tasks
Persistence          Registry Run Keys                                T1547.001  HKCU Run key auto-start
Defense Evasion      Masquerading: Match Legitimate Name              T1036.005  libGLESv2.dll version info
Defense Evasion      Software Packing                                 T1027.002  ConfuserEx + SmartAssembly dual packing
Credential Access    Credentials from Password Stores: Web Browsers   T1555.003  Chrome/Firefox credential theft
Credential Access    Input Capture: Keylogging                        T1056.001  Keystroke capture module
Collection           Screen Capture                                   T1113      Screenshot capture
Collection           Clipboard Data                                   T1115      Clipboard monitoring
Collection           Data from Removable Media                        T1025      USB media data access
Command and Control  Web Protocols                                    T1071.001  HTTP POST to PHP gate
Exfiltration         Over C2 Channel                                  T1041      Data exfil via same HTTP C2
Lateral Movement     Replication via Removable Media                  T1091      USB autorun spreading

Recommendations

Immediate (24-48 hours)

  • Block C2 IPs 87[.]249[.]38[.]179 and 77[.]222[.]40[.]198 at perimeter firewall.
  • Block DNS for cr404896[.]tw1[.]ru, cc812496[.]tw1[.]ru, and hulr3lyand[.]temp[.]swtest[.]ru.
  • Search endpoint telemetry for the SHA256, MD5, and SHA1 hashes listed above.
  • Search HTTP proxy logs for POST requests to */[0-9a-f]{8}\.php on .tw1.ru or .swtest.ru domains.
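The proxy-log search in the last item above, and the "DCRat C2 Gate Pattern" rule summarized under Detection, both reduce to one test: an HTTP POST to a random label under tw1.ru or temp.swtest.ru whose path is an 8-hex-character .php gate. The following is an added example, not code from the report or from Breakglass Intelligence: it applies that test to whitespace-separated proxy log lines in an assumed `timestamp client method url status` layout, and accepts the report's defanged indicator form (hxxp, [.]) so IOCs can be pasted as-is. `SAMPLE_LOG` is constructed; the two gate URLs in it are the report's own IOCs, the rest is benign traffic that must not match.

```python
import re
from urllib.parse import urlsplit

# Host and gate-filename conventions shared by all three samples in the report.
FREE_SUBDOMAIN_HOST = re.compile(r"^[a-z0-9-]+\.(?:tw1\.ru|temp\.swtest\.ru)$", re.IGNORECASE)
GATE_PATH = re.compile(r"^/[0-9a-f]{8}\.php$", re.IGNORECASE)


def refang(text: str) -> str:
    """Reverse the report's defanging (hxxp, [.]) so pasted indicators match live logs."""
    return text.replace("hxxp", "http").replace("[.]", ".")


def is_dcrat_gate(method: str, url: str) -> bool:
    """True for an HTTP POST to <random>.tw1.ru or <random>.temp.swtest.ru
    whose path is an 8-hex-character PHP gate."""
    if method.upper() != "POST":
        return False
    parts = urlsplit(refang(url))
    host = parts.hostname or ""
    return bool(FREE_SUBDOMAIN_HOST.match(host)) and bool(GATE_PATH.match(parts.path))


def hunt(log_text: str) -> list[tuple[str, str, str]]:
    """Scan log lines laid out as `timestamp client method url status` (assumed
    layout) and return (timestamp, client, refanged url) for each gate hit."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or malformed line
        ts, client, method, url = fields[:4]
        if is_dcrat_gate(method, url):
            hits.append((ts, client, refang(url)))
    return hits


# Constructed sample log (not real telemetry).
SAMPLE_LOG = """\
2026-03-09T14:02:11Z 10.0.0.15 POST hxxp://cr404896[.]tw1[.]ru/cf893288[.]php 200
2026-03-09T14:02:40Z 10.0.0.15 GET  hxxp://cr404896[.]tw1[.]ru/cf893288[.]php 200
2026-03-09T14:05:03Z 10.0.0.22 POST http://www.example.com/upload.php 200
2026-03-09T14:06:19Z 10.0.0.15 POST hxxp://hulr3lyand[.]temp[.]swtest[.]ru/664f54e6[.]php 200
2026-03-09T14:07:00Z 10.0.0.31 POST http://somesite.tw1.ru/index.php 200
2026-03-09T14:08:45Z 10.0.0.31 POST http://swtest.ru/abcdef01.php 200
"""

if __name__ == "__main__":
    for ts, client, url in hunt(SAMPLE_LOG):
        print(f"{ts} {client} -> {url}")
```

The host check deliberately requires a label directly under tw1.ru or temp.swtest.ru rather than any .swtest.ru name, matching the free-subdomain format the report describes; widen it only if your environment has no legitimate traffic to these services.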

Short-term (1-2 weeks)

  • Deploy YARA rules for ConfuserEx metadata markers (#GUlD, #Blop) and DCRat GUID config pattern.
  • Deploy Suricata rules for DCRat C2 gate pattern detection.
  • Search for .NET MVID 3f9ca4e3-8210-44be-a8fd-cc447f87d286 in binary telemetry.
  • Audit scheduled tasks and registry Run keys from the March 4-10 timeframe.
  • Review USB removable media usage policies -- the USB spreading module makes lateral movement a concern.

Medium-term (1-3 months)

  • Monitor *.tw1.ru and *.temp.swtest.ru subdomains for new DCRat C2 deployments -- these free subdomain services are a recurring pattern for budget operators.
  • Track DCRat tags on ThreatFox for this operator cluster's activity.
  • Consider blocking HTTP POST to *.tw1.ru and *.temp.swtest.ru if no legitimate business need exists.
  • Review VPN client credential storage -- the dcrat_vpn_grabber module targets saved VPN configurations.

Abuse Reports

  • Submit abuse to Timeweb (abuse@timeweb.ru) for C2 hosting on cr404896.tw1.ru and cc812496.tw1.ru.
  • Submit abuse to SpaceWeb (abuse@sweb.ru) for C2 hosting on hulr3lyand.temp.swtest.ru.

Vendor Detections

Vendor          Detection Name
Kaspersky       HEUR:Backdoor.MSIL.DCRat.gen
VMRay           DCRat (Malicious)
CAPE Sandbox    DCRat
ANY.RUN         dcrat / darkcrystal
Triage          DCRat family (score 10/10)
ReversingLabs   ByteCode-MSIL.Ransomware.Prometheus (86%)
FileScan-IO     Malicious (1.0)

Note: The ReversingLabs detection as "Prometheus ransomware" is a likely false classification -- the sample is confirmed DCRat by all other vendors. This may be due to shared ConfuserEx obfuscation patterns between DCRat and Prometheus.
