DCRat "Trillex" Campaign Dissected: Full Config Decrypted, PDB Path Exposes Operator "gcloud", and 11 Failover C2 Domains Tied to 3-Year Infrastructure
TL;DR: A DCRat (Dark Crystal RAT) campaign built on the trillex[.]io domain was fully decrypted, revealing 11 C2 hostnames, the AES-256 master encryption key, and a critical OPSEC failure in the PDB debug path that exposes the operator's Windows username (gcloud), build timestamp, and project codename. Certificate transparency logs trace the infrastructure back to November 2022 -- over three years of continuous operation -- while a Vietnamese-language subdomain (quantri, meaning "administrator") provides a linguistic attribution indicator. Prior community reporting on ThreatFox misidentified the malware family as AsyncRAT; configuration extraction confirms it is authentic DCRat by author qwqdanchun.
The Samples
Two PE32 .NET samples were recovered. Sample 1 is a 1.3MB obfuscated loader wrapped in ConfuserEx or a similar protector. Sample 2 is the naked 42KB DCRat client stub with no obfuscation -- the actual RAT payload that the loader deploys. The stark asymmetry between the two tells the story: the operator invested in protecting the delivery mechanism but left the DCRat stub completely stock.
| Property | Sample 1 (Loader) | Sample 2 (DCRat Stub) |
|---|---|---|
| SHA-256 | 058add3a76861e33920560412912eee7651c2ad2a9b81a26f679313a44310fdf | f6ce74ace5b01a891f5538e6502b8966c2e9d9b5aec69b4d76f3899b97c764d0 |
| Size | 1,357,824 bytes (1.3 MB) | 43,520 bytes (42.5 KB) |
| Framework | .NET 4.0 | .NET 4.8 |
| Obfuscation | Heavy (ConfuserEx-like) | None |
| PDB Path | Stripped | Exposed |
| Purpose | Loader / dropper | RAT client |
The loader's obfuscation is characteristic of ConfuserEx: GUID-like tokens ({11111-22222-10009-11112}) for string encryption, renamed metadata streams (#GUlD, #Blop), and only 14 user strings surviving in plaintext. The compilation timestamp is likely zeroed by the obfuscator.
Attack Chain
Delivery (unknown vector)
|
v
Sample 1: Obfuscated Loader (1.3MB, ConfuserEx)
| Decrypts and deploys payload
v
Sample 2: DCRat Client Stub (42KB)
| Installs to %AppData%\mv3.exe
| Creates scheduled task: schtasks /create /f /sc onlogon /rl highest /tn "mv3"
| Sets registry Run key for persistence
v
C2 Beacon --> trillex[.]io (ports 443, 80, 25, 8443)
| AES-256-CBC encrypted, MessagePack over TLS
| 11 failover domains for resilience
v
DCRat Panel (Operator Control)
|
v
Plugin Loading | Credential Theft | Surveillance | Process Protection
The delivery vector is unknown. Once executed, the stub installs itself as mv3.exe in %AppData% and establishes persistence through two parallel mechanisms: a scheduled task triggered on user logon with highest available privilege, and a registry Run key. The dual persistence is belt-and-suspenders -- removing one leaves the other intact.
Full Configuration Extraction
The DCRat stub's configuration was decrypted using the framework's native AES-256-CBC scheme. DCRat uses PBKDF2 key derivation with a hardcoded salt of DcRatByqwqdanchun and 50,000 iterations. The encrypted format is HMAC-SHA256(32 bytes) + IV(16 bytes) + Ciphertext -- the HMAC is verified before decryption to ensure integrity.
The master encryption key:
ghBNEBoPVMk5BRmaXWulwLwVebhaEXlV
Base64-encoded in the binary as:
Z2hCTkVCb1BWTWs1QlJtYVhXdWx3THdWZWJoYUVYbFY=
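As an added worked example (written for this write-up, not DCRat's own code and not the tooling used in the analysis), the following Go program implements the decryption scheme described above end to end: derive the keys from the master key with PBKDF2 over the DcRatByqwqdanchun salt at 50,000 iterations, verify the leading HMAC-SHA256 tag over IV+ciphertext before touching the ciphertext, then decrypt AES-256-CBC and strip PKCS#7 padding. Two details are assumptions carried over from the AsyncRAT code base DCRat is built on rather than facts stated here: the PBKDF2 PRF is HMAC-SHA1 (the .NET Rfc2898DeriveBytes default) and the 64-byte HMAC key is the next 64 bytes of the same PBKDF2 output after the 32-byte AES key. The sample blob is constructed inside the program with the same parameters, so the round trip demonstrates the format, not a captured DCRat message.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
)

// Parameters from the configuration extraction; the key lengths are assumptions from the AsyncRAT lineage.
const (
	masterKeyB64 = "Z2hCTkVCb1BWTWs1QlJtYVhXdWx3THdWZWJoYUVYbFY=" // decodes to ghBNEBoPVMk5BRmaXWulwLwVebhaEXlV
	dcratSalt    = "DcRatByqwqdanchun"
	pbkdf2Iters  = 50000
	tagLen       = sha256.Size   // leading HMAC-SHA256 tag (32 bytes)
	ivLen        = aes.BlockSize // IV (16 bytes) follows the tag
	aesKeyLen    = 32            // AES-256
	authKeyLen   = 64            // ASSUMPTION: HMAC key drawn from the same PBKDF2 stream after the AES key
)

// pbkdf2 is RFC 8018 PBKDF2-HMAC-SHA1 written out so the program needs only the standard library.
func pbkdf2(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha1.New, password)
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		prf.Reset()
		prf.Write(salt)
		prf.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// DCRatCrypto holds the AES key and the HMAC key derived from the decoded master key.
type DCRatCrypto struct{ aesKey, authKey []byte }

// NewDCRatCrypto derives 32 bytes of AES key followed by 64 bytes of HMAC key (ASSUMPTION: HMAC-SHA1 PRF).
func NewDCRatCrypto(masterKey string) DCRatCrypto {
	stream := pbkdf2([]byte(masterKey), []byte(dcratSalt), pbkdf2Iters, aesKeyLen+authKeyLen)
	return DCRatCrypto{aesKey: stream[:aesKeyLen], authKey: stream[aesKeyLen:]}
}

// Decrypt checks the tag over IV||ciphertext before any decryption, then strips PKCS#7 padding.
func (c DCRatCrypto) Decrypt(blob []byte) ([]byte, error) {
	if len(blob) < tagLen+ivLen+aes.BlockSize || (len(blob)-tagLen-ivLen)%aes.BlockSize != 0 {
		return nil, errors.New("blob is not tag + IV + whole AES blocks")
	}
	mac := hmac.New(sha256.New, c.authKey)
	mac.Write(blob[tagLen:])
	if !hmac.Equal(mac.Sum(nil), blob[:tagLen]) {
		return nil, errors.New("HMAC mismatch: wrong master key or tampered blob")
	}
	block, _ := aes.NewCipher(c.aesKey) // 32-byte key, cannot fail
	pt := make([]byte, len(blob)-tagLen-ivLen)
	cipher.NewCBCDecrypter(block, blob[tagLen:tagLen+ivLen]).CryptBlocks(pt, blob[tagLen+ivLen:])
	pad := int(pt[len(pt)-1])
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, errors.New("bad PKCS#7 padding")
	}
	return pt[:len(pt)-pad], nil
}

// Encrypt writes the same layout; it exists only to build constructed input for the demo.
func (c DCRatCrypto) Encrypt(plain []byte) []byte {
	pad := aes.BlockSize - len(plain)%aes.BlockSize
	padded := append(append([]byte(nil), plain...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	iv := make([]byte, ivLen)
	rand.Read(iv)
	block, _ := aes.NewCipher(c.aesKey)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	mac := hmac.New(sha256.New, c.authKey)
	mac.Write(iv)
	mac.Write(ct)
	return append(append(mac.Sum(nil), iv...), ct...)
}

func main() {
	raw, _ := base64.StdEncoding.DecodeString(masterKeyB64) // the stub stores the key base64-encoded
	c := NewDCRatCrypto(string(raw))
	pt, err := c.Decrypt(c.Encrypt([]byte("trillex.io,www.trillex.io"))) // constructed field, not a captured message
	fmt.Printf("master key %s -> %q (err=%v)\n", raw, pt, err)
}
```

Because the tag is checked first, a wrong master key or a single flipped ciphertext byte is rejected before the AES step runs, which is the property the HMAC-then-decrypt layout buys; if a real sample's derivation differs from the two assumptions above, only NewDCRatCrypto needs adjusting.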
Extracted Configuration Fields
| Field | Value | Notes |
|---|---|---|
| Hosts | 11 domains (see below) | Failover C2 list |
| Ports | 443, 80, 25, 8443 | Multi-port fallback |
| Version | 1.0.7 | DCRat build version |
| Install | true | Auto-install on execution |
| InstallFolder | %AppData% | Standard user-writable path |
| InstallFile | mv3.exe | Matches PDB project codename |
| MTX | DcRatMutex_qwqdanchun | Default mutex -- not customized |
| Delay | 9 seconds | Beacon interval |
| Group | Default | Campaign tag -- not customized |
| Anti | false | Anti-analysis checks disabled |
| Anti_Process | true | Process monitoring protection enabled |
| BDOS | false | DDoS module disabled |
| Pastebin | null | No dead-drop C2 fallback |
The stock mutex (DcRatMutex_qwqdanchun) and default group tag (Default) are OPSEC failures -- the operator did not bother to customize the identifiers that most DCRat operators change before deployment. This makes detection trivially easy for any defender searching for the default DCRat mutex.
The 11 C2 Domains
trillex[.]io
www[.]trillex[.]io
data[.]trillex[.]io
malware[.]trillex[.]io
ddos[.]trillex[.]io
v2[.]trillex[.]io
v3[.]trillex[.]io
atex[.]trillex[.]io
phishing[.]trillex[.]io
backup[.]trillex[.]io
quantri[.]trillex[.]io
The subdomain naming is brazen: malware, ddos, phishing. This is either intentional misdirection (making the domains look like a security research project) or simple arrogance. The operator configured all 11 as failover addresses across 4 ports (443, 80, 25, 8443), giving the RAT 44 potential C2 endpoints to cycle through before giving up.
Port 25 is notable -- using the SMTP port for C2 can bypass network segmentation that only inspects HTTP/HTTPS traffic.
The PDB Path: A Complete OPSEC Failure
The most valuable intelligence from this analysis comes from a single debug string the operator forgot to strip:
C:\Users\gcloud\md\2026-03-02-23-07_trillex.io\mv3\mv3.pdb
This path reveals:
- Windows username: gcloud -- the operator's local account name, possibly referencing Google Cloud
- Build timestamp: 2026-03-02 at 23:07 UTC -- precise compile time
- Domain reference: trillex.io embedded directly in the build directory name
- Project codename: mv3 -- matches the InstallFile and scheduled task name
- Directory convention: md/YYYY-MM-DD-HH-MM_domain/ suggests a systematic build workflow with multiple projects
This is the kind of artifact that persists across campaigns. Any future sample with C:\Users\gcloud\ in its PDB path can be attributed to the same operator with high confidence.
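To make that attribution repeatable across future samples, here is an added triage helper (example code written for this article, not part of the analysis tooling): it scans raw file bytes for CodeView RSDS debug records (the "RSDS" signature, a 16-byte GUID, a 32-bit age, and a NUL-terminated PDB path) and then parses any path that follows the md\YYYY-MM-DD-HH-MM_domain\project\project.pdb convention into username, build time, domain and project. Scanning bytes rather than walking the PE debug directory is a deliberate choice so it also works on memory dumps and unpacked fragments. The RSDS record in main is constructed for the demo; the path inside it is the one recovered from the stub.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
	"regexp"
)

// PDBRecord is what a CodeView RSDS debug entry carries: GUID, age counter and the PDB path.
type PDBRecord struct {
	GUID [16]byte
	Age  uint32
	Path string
}

// ExtractRSDS returns every well-formed RSDS record found in data. A signature that is not
// followed by 20 bytes and a NUL-terminated path is skipped rather than treated as a record.
func ExtractRSDS(data []byte) []PDBRecord {
	var recs []PDBRecord
	for off := 0; ; {
		i := bytes.Index(data[off:], []byte("RSDS"))
		if i < 0 {
			return recs
		}
		off += i + 4 // off now points at the GUID
		if len(data) < off+20 {
			return recs
		}
		end := bytes.IndexByte(data[off+20:], 0)
		if end <= 0 {
			continue
		}
		rec := PDBRecord{Age: binary.LittleEndian.Uint32(data[off+16 : off+20]), Path: string(data[off+20 : off+20+end])}
		copy(rec.GUID[:], data[off:off+16])
		recs = append(recs, rec)
	}
}

// BuildInfo is the operator-side intelligence read out of a build path.
type BuildInfo struct {
	Username, BuildTime, Domain, Project string
}

// buildDirRe encodes the C:\Users\<user>\md\<YYYY-MM-DD-HH-MM>_<domain>\<project>\<name>.pdb convention.
var buildDirRe = regexp.MustCompile(`^[A-Za-z]:\\Users\\([^\\]+)\\md\\(\d{4}-\d{2}-\d{2})-(\d{2})-(\d{2})_([^\\]+)\\([^\\]+)\\[^\\]+\.pdb$`)

// ParseBuildPath returns ok=false for paths that do not follow the convention.
func ParseBuildPath(path string) (BuildInfo, bool) {
	m := buildDirRe.FindStringSubmatch(path)
	if m == nil {
		return BuildInfo{}, false
	}
	return BuildInfo{Username: m[1], BuildTime: m[2] + " " + m[3] + ":" + m[4], Domain: m[5], Project: m[6]}, true
}

func main() {
	// Constructed fragment: filler, one RSDS record with a zero GUID and age 1, then trailing bytes.
	sample := append([]byte("....RSDS"), make([]byte, 16)...)
	sample = append(sample, 1, 0, 0, 0)
	sample = append(sample, []byte(`C:\Users\gcloud\md\2026-03-02-23-07_trillex.io\mv3\mv3.pdb`)...)
	sample = append(sample, 0, 0xCC, 0xCC)
	for _, r := range ExtractRSDS(sample) {
		info, ok := ParseBuildPath(r.Path)
		fmt.Printf("age=%d path=%s convention=%v %+v\n", r.Age, r.Path, ok, info)
	}
}
```

Pointing ExtractRSDS at a corpus of samples and keeping every record whose Username is gcloud is the "high confidence" pivot described above, and the parsed BuildTime gives a compile timestamp that survives even when the PE header timestamp has been zeroed by an obfuscator.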
The "quantri" Attribution Signal
One subdomain stands out from the rest: quantri[.]trillex[.]io. "Quantri" is the romanized form of the Vietnamese word "quan tri" (meaning "administrator" or "management"). While the DCRat framework itself originates from a Chinese-speaking author (the embedded certificate lists Shanghai, China as the issuer location), this Vietnamese linguistic artifact suggests the operator -- not the tool author -- is likely Vietnamese-speaking or targeting Vietnamese organizations.
Infrastructure Timeline: 3+ Years of Operation
Certificate transparency logs reveal that trillex[.]io is not new infrastructure spun up for this campaign. The domain has been continuously active since late 2022.
| Date | Event | Certificate Issuer |
|---|---|---|
| 2022-11-01 | First CT log entries for trillex[.]io, www, cdn subdomains | Let's Encrypt, Google Trust Services |
| 2022-12-18 | CDN infrastructure: cdn.trillex[.]io on AWS CloudFront | Amazon RSA 2048 M03 |
| 2023-02-27 | Cloudflare Universal SSL activated | Cloudflare Inc ECC CA-3 |
| 2023 -- 2025 | Regular wildcard cert renewals every ~90 days | LE, GTS, Cloudflare (rotating) |
| 2026-02-12 | Domain re-registered via Dynadot (fresh registration cycle) | Sectigo DV E36, Google WE1 |
| 2026-03-02 | DCRat stub compiled (per PDB path timestamp) | -- |
| 2026-03-03 | Latest certs issued; IOCs submitted to ThreatFox | Let's Encrypt E7, Google WE1 |
| 2026-03-09 | C2 domains not resolving -- infrastructure offline | -- |
The 2022--2025 period of continuous certificate renewals indicates this domain served a purpose (legitimate or otherwise) long before the current DCRat campaign. The Amazon CloudFront CDN certificates for cdn.trillex[.]io suggest the operator used AWS infrastructure for content delivery -- likely a legitimate-appearing front website or payload staging.
The domain is currently registered through Dynadot with Super Privacy Service LTD privacy protection and operates behind Cloudflare nameservers (fred.ns.cloudflare.com, nia.ns.cloudflare.com). As of March 9, 2026, no A records resolve -- the C2 infrastructure is offline.
Embedded Certificate Analysis
The DCRat stub contains an embedded X.509 certificate used for TLS client authentication with the C2 panel:
| Property | Value |
|---|---|
| Subject | CN=DcRat |
| Issuer | CN=DcRat Server, OU=qwqdanchun, O=DcRat By qwqdanchun, L=SH, C=CN |
| Issued | 2025-02-09 |
| Expires | 2035-11-19 |
| Key | RSA 1024-bit |
| Location | Shanghai (SH), China (CN) |
The issuer fields confirm this is an authentic DCRat build by the known author qwqdanchun -- not a fork or copycat. The certificate's 10-year validity window (2025--2035) and Shanghai/China origin match all known DCRat framework certificates.
Anti-Analysis Arsenal
Despite leaving anti-analysis disabled in the config (Anti: false), the DCRat stub contains a full suite of evasion capabilities that can be toggled server-side via the C2 panel:
- VM detection: WMI query on Win32_ComputerSystem checking for "microsoft corporation", "VIRTUAL", "vmware", "VirtualBox"
- Sandbox detection: checks for SbieDll.dll (Sandboxie)
- Debugger detection: CheckRemoteDebuggerPresent via P/Invoke
- Small disk detection: rejects VMs with unrealistically small disk sizes
- Process protection: RtlSetProcessIsCritical -- makes the RAT a critical process so terminating it causes a BSOD
- Sleep prevention: SetThreadExecutionState to prevent the system from entering sleep mode during operation
The process protection feature is particularly aggressive: calling RtlSetProcessIsCritical on mv3.exe means any attempt to kill the process (including via Task Manager) will trigger a Blue Screen of Death. This is simultaneously a persistence mechanism and an anti-analysis tactic.
Persistence Mechanisms
Two parallel persistence methods ensure survivability:
schtasks /create /f /sc onlogon /rl highest /tn "mv3" /tr "%AppData%\mv3.exe"
The scheduled task fires on every user logon with the highest available privilege. The registry Run key (HKCU\Software\Microsoft\Windows\CurrentVersion\Run) provides a secondary persistence path. The registry key path is stored reversed in the binary (\nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS) as a basic string-matching evasion technique.
Correcting the Record: DCRat, Not AsyncRAT
Prior community reporting on ThreatFox (submitted by researcher Gi7w0rm on 2026-03-03) tagged the 10 subdomain IOCs as AsyncRAT. Our configuration extraction proves this is incorrect -- the malware is DCRat (Dark Crystal RAT) by author qwqdanchun, confirmed by:
- The DcRatByqwqdanchun PBKDF2 salt hardcoded in the encryption scheme
- The DcRatMutex_qwqdanchun default mutex
- The embedded X.509 certificate with O=DcRat By qwqdanchun
- The configuration structure matching known DCRat builds
While AsyncRAT and DCRat share .NET lineage and some behavioral similarities, they are distinct families with different authors, encryption schemes, and C2 protocols. Accurate family identification matters for detection engineering -- AsyncRAT YARA rules will not match this sample.
| Aspect | Prior Reporting (ThreatFox) | Our Findings |
|---|---|---|
| Malware family | AsyncRAT | DCRat (confirmed by qwqdanchun signatures) |
| IOCs reported | 10 subdomain IOCs | 11 hostnames + 4 ports + mutex + encryption key |
| Attribution | Unknown | PDB path: operator username gcloud, Vietnamese language indicator |
| Infrastructure age | First seen 2026-03-03 | CT logs back to 2022-11-01 (3+ years) |
| Configuration | Not extracted | Full config decrypted including certificate, encryption key, all settings |
MITRE ATT&CK Mapping
| Tactic | Technique | ID | Implementation |
|---|---|---|---|
| Execution | User Execution | T1204 | Victim executes PE binary |
| Persistence | Scheduled Task/Job | T1053.005 | schtasks /create /sc onlogon /rl highest |
| Persistence | Boot or Logon Autostart: Registry Run Keys | T1547.001 | CurrentVersion\Run registry key |
| Defense Evasion | Obfuscated Files or Information | T1027 | ConfuserEx obfuscation on loader |
| Defense Evasion | Virtualization/Sandbox Evasion: System Checks | T1497.001 | VM, Sandboxie, debugger, disk size checks |
| Defense Evasion | Process Injection | T1055 | Plugin loading via .NET reflection |
| Discovery | System Information Discovery | T1082 | WMI queries, OS version enumeration |
| Discovery | Security Software Discovery | T1518.001 | AntivirusProduct WMI query |
| Discovery | Application Window Discovery | T1010 | GetForegroundWindow + GetWindowText |
| Command and Control | Encrypted Channel: Symmetric Cryptography | T1573.001 | AES-256-CBC encrypted C2 traffic |
| Command and Control | Application Layer Protocol: Web Protocols | T1071.001 | TCP on ports 443, 80, 25, 8443 |
| Command and Control | Fallback Channels | T1008 | 11 failover C2 domains, 4 ports each |
| Command and Control | Non-Application Layer Protocol | T1095 | Custom MessagePack protocol over TLS |
| Impact | System Shutdown/Reboot | T1529 | RtlSetProcessIsCritical causes BSOD on process kill |
Indicators of Compromise
Network Indicators
trillex[.]io
www[.]trillex[.]io
data[.]trillex[.]io
malware[.]trillex[.]io
ddos[.]trillex[.]io
v2[.]trillex[.]io
v3[.]trillex[.]io
atex[.]trillex[.]io
phishing[.]trillex[.]io
backup[.]trillex[.]io
quantri[.]trillex[.]io
Ports: 443, 80, 25, 8443
File Indicators
| Description | Hash |
|---|---|
| Loader (Sample 1) SHA-256 | 058add3a76861e33920560412912eee7651c2ad2a9b81a26f679313a44310fdf |
| Loader MD5 | 238cd37b1f7a03fad4846389e320c084 |
| Loader SHA-1 | f9d25d7ba6ef61653759c9a9162612fedebacec6 |
| DCRat Stub (Sample 2) SHA-256 | f6ce74ace5b01a891f5538e6502b8966c2e9d9b5aec69b4d76f3899b97c764d0 |
| DCRat Stub MD5 | ec83435d6c98e7d396789456cb6170e6 |
| DCRat Stub SHA-1 | bf0a3e34ed3638c13f86cdfd2ef201663b195c8e |
Behavioral Indicators
Mutex: DcRatMutex_qwqdanchun
Install Path: %AppData%\mv3.exe
Scheduled Task: mv3 (trigger: onlogon, privilege: highest)
Registry Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
PDB Path: C:\Users\gcloud\md\2026-03-02-23-07_trillex.io\mv3\mv3.pdb
Encryption Key: ghBNEBoPVMk5BRmaXWulwLwVebhaEXlV
AES Salt: DcRatByqwqdanchun
PBKDF2 Iterations: 50000
Detection Opportunities
YARA Rule
rule DCRat_Trillex_Campaign {
meta:
author = "Breakglass Intelligence"
date = "2026-03-09"
description = "DCRat client targeting trillex.io C2 infrastructure"
tlp = "TLP:CLEAR"
hash1 = "f6ce74ace5b01a891f5538e6502b8966c2e9d9b5aec69b4d76f3899b97c764d0"
hash2 = "058add3a76861e33920560412912eee7651c2ad2a9b81a26f679313a44310fdf"
strings:
$pdb = "trillex.io" ascii wide
$mutex = "DcRatMutex_qwqdanchun" ascii wide
$author = "DcRatByqwqdanchun" ascii wide
$install = "mv3.exe" ascii wide
$key = "ghBNEBoPVMk5BRmaXWulwLwVebhaEXlV" ascii
$key_b64 = "Z2hCTkVCb1BWTWs1QlJtYVhXdWx3THdWZWJoYUVYbFY=" ascii wide
$schtask = "/c schtasks /create /f /sc onlogon /rl highest /tn" ascii wide
$rev_reg = "\\nuR\\noisreVtnerruC\\swodniW\\tfosorciM\\erawtfoS" ascii wide
$sandboxie = "SbieDll.dll" ascii wide
$user = "gcloud" ascii
condition:
// parentheses keep the MZ header check applied to all three alternatives;
// without them "and" binds tighter than "or" and only the first clause is gated
uint16(0) == 0x5A4D and (
(3 of ($pdb, $mutex, $author, $install, $key, $key_b64)) or
(2 of ($schtask, $rev_reg, $sandboxie) and $author) or
($user and $pdb)
)
}
Suricata / Snort Rules
# DCRat Trillex C2 -- TLS SNI detection
alert tls any any -> any any (msg:"DCRAT Trillex C2 - TLS SNI Match"; \
tls.sni; content:"trillex.io"; sid:2026030901; rev:1;)
# DCRat Trillex C2 -- DNS query detection
alert dns any any -> any any (msg:"DCRAT Trillex C2 - DNS Query"; \
dns.query; content:"trillex.io"; sid:2026030902; rev:1;)
# DCRat -- SMTP port C2 (port 25 client traffic that never sends HELO/EHLO; hex content must be quoted)
alert tcp any any -> any 25 (msg:"DCRAT Suspicious Non-SMTP Traffic on Port 25"; \
flow:established,to_server; content:!"|48 45 4C 4F|"; content:!"|45 48 4C 4F|"; \
threshold:type limit, track by_src, count 1, seconds 60; sid:2026030903; rev:1;)
Hunting Queries
EDR / Endpoint queries:
# Search for DCRat mutex
process.name:* AND mutex.name:"DcRatMutex_qwqdanchun"
# Search for mv3.exe in AppData
file.path:*\\AppData\\Roaming\\mv3.exe
# Search for the scheduled task
process.command_line:*schtasks*onlogon*mv3*
# Search for PDB path artifact (broader hunt for operator "gcloud")
file.pe.pdb_path:*gcloud*
DNS / Network queries:
# Any historical resolution of trillex.io or subdomains
dns.query.name:*.trillex.io OR dns.query.name:trillex.io
# Outbound connections on port 25 from non-mail servers
dst.port:25 AND NOT process.name:(postfix OR sendmail OR exim OR exchange*)
SIEM correlation:
Search for the combination of scheduled task creation with onlogon trigger and file writes to %AppData% within a 60-second window -- this pattern is characteristic of DCRat's installation routine regardless of the specific campaign identifiers.
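The correlation just described, as an added example (written for this article against a made-up event shape, not a query for any particular SIEM): it reads one JSON event per line, separates schtasks /create ... onlogon process events from executable writes under AppData\Roaming, and raises an alert when both occur on the same host within the window, in either order, since the file drop can land on either side of the task creation. The field names (host, time, kind, command_line, path) and the four log lines are constructed for the demo; WS01 carries the DCRat install pattern, WS02 a benign task created twenty minutes after an unrelated AppData write.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Event is the minimal normalised telemetry shape this example assumes (its own field names,
// not a specific EDR schema).
type Event struct {
	Host        string    `json:"host"`
	Time        time.Time `json:"time"`
	Kind        string    `json:"kind"` // "process" or "file_write"
	CommandLine string    `json:"command_line,omitempty"`
	Path        string    `json:"path,omitempty"`
}

// Alert pairs an onlogon task creation with the AppData executable written near it in time.
type Alert struct {
	Host, TaskCommand, DroppedFile string
	Gap                            time.Duration
}

func isOnLogonTask(e Event) bool {
	cl := strings.ToLower(e.CommandLine)
	return e.Kind == "process" && strings.Contains(cl, "schtasks") && strings.Contains(cl, "/create") && strings.Contains(cl, "onlogon")
}

func isAppDataDrop(e Event) bool {
	p := strings.ToLower(e.Path)
	return e.Kind == "file_write" && strings.Contains(p, `\appdata\roaming\`) && strings.HasSuffix(p, ".exe")
}

// CorrelateInstall applies the rule: a schtasks /sc onlogon creation and an executable written
// under %AppData% on the same host within window, regardless of which came first.
func CorrelateInstall(events []Event, window time.Duration) []Alert {
	tasks := map[string][]Event{}
	drops := map[string][]Event{}
	for _, e := range events {
		switch {
		case isOnLogonTask(e):
			tasks[e.Host] = append(tasks[e.Host], e)
		case isAppDataDrop(e):
			drops[e.Host] = append(drops[e.Host], e)
		}
	}
	var alerts []Alert
	for host, ts := range tasks {
		for _, task := range ts {
			for _, d := range drops[host] {
				gap := task.Time.Sub(d.Time)
				if gap < 0 {
					gap = -gap
				}
				if gap <= window {
					alerts = append(alerts, Alert{Host: host, TaskCommand: task.CommandLine, DroppedFile: d.Path, Gap: gap})
				}
			}
		}
	}
	return alerts
}

// ParseEvents reads one JSON object per line and skips lines that do not parse.
func ParseEvents(ndjson string) []Event {
	var out []Event
	for _, line := range strings.Split(strings.TrimSpace(ndjson), "\n") {
		var e Event
		if err := json.Unmarshal([]byte(line), &e); err == nil {
			out = append(out, e)
		}
	}
	return out
}

// SampleLog is constructed telemetry, not data from a real host.
const SampleLog = `
{"host":"WS01","time":"2026-03-04T09:15:02Z","kind":"file_write","path":"C:\\Users\\alice\\AppData\\Roaming\\mv3.exe"}
{"host":"WS01","time":"2026-03-04T09:15:11Z","kind":"process","command_line":"schtasks /create /f /sc onlogon /rl highest /tn \"mv3\" /tr \"C:\\Users\\alice\\AppData\\Roaming\\mv3.exe\""}
{"host":"WS02","time":"2026-03-04T10:00:00Z","kind":"file_write","path":"C:\\Users\\bob\\AppData\\Roaming\\Teams\\Update.exe"}
{"host":"WS02","time":"2026-03-04T10:20:00Z","kind":"process","command_line":"schtasks /create /sc onlogon /tn Backup /tr C:\\Tools\\backup.exe"}
`

func main() {
	for _, a := range CorrelateInstall(ParseEvents(SampleLog), 60*time.Second) {
		fmt.Printf("%s: %s written %s from task creation %q\n", a.Host, a.DroppedFile, a.Gap, a.TaskCommand)
	}
}
```

Only WS01 alerts at the 60-second window; widening it to thirty minutes would also pair WS02's benign task with its unrelated AppData write, which is why the window, not the indicators, carries the precision of this rule. Because nothing in the logic references mv3.exe, the mutex or trillex.io, it keeps working when the operator finally customises those identifiers.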
Published by Breakglass Intelligence. Investigation conducted 2026-03-09. 2 samples analyzed. Full DCRat configuration decrypted. ThreatFox family misidentification corrected. Classification: TLP:CLEAR