Dissecting a Multi-RAT Cluster on GALEON-AS: Five Malware Families, One Bulletproof /24
TL;DR: A multi-family C2 server at 178.22.24.175 on Russian ASN AS209290 (GALEON-AS) serves as infrastructure for at least five malware families -- VenomRAT, Vidar Stealer, StormKitty, QuasarRAT/AsyncRAT, and RedLine Stealer -- distributed through trojanized Internet Download Manager installers on piracy sites. The /24 block also hosts Rhadamanthys, DCRat, and AMOS Stealer on neighboring IPs, with RIPE having already revoked and quarantined one of the operator's adjacent subnets for abuse. The surviving allocation was created on 2026-03-02 -- six days ago.
Why This Cluster Matters
Most C2 investigations focus on a single family: one RAT, one server, one campaign. This cluster is different. A single IP address on a freshly allocated Russian ASN is running concurrent C2 listeners for five distinct malware families across three ports, while neighboring IPs in the same /24 host three additional families. The operator is not picking a tool -- they are running a multi-tenant malware platform on purpose-acquired bulletproof infrastructure, with a distribution pipeline built on trojanized software piracy.
The RIPE allocation for 178.22.24.0/24 was created on 2026-03-02. The adjacent 217.119.139.0/24 range, operated by the same AS, was already revoked and quarantined by RIPE on 2026-01-26 after being identified as abusive. The operator burned one subnet and immediately acquired another. That pattern -- burn, re-allocate, resume -- is the hallmark of bulletproof hosting services that treat IP space as a consumable.
Infrastructure Mapping
The Target: 178.22.24.175
| Field | Value |
|---|---|
| ASN | AS209290 (GALEON-AS) / AS48347 (MTW-AS, route origin) |
| Operator | Galeon LLC, Moscow, Russian Federation |
| ISP | Global Communications LLC |
| Registered Address | Troitsk, ul. Novostroika, d. 27/18, pom. 8/1, 108842 Moscow |
| RIPE Allocation Created | 2026-03-02 |
| Registrar MNT | lir-hk-changway-1-MNT (Hong Kong Changway Technologies) |
| Shodan Ports (Historical) | 135/tcp (RPC), 5432/tcp (PostgreSQL) |
| Current Status | All scanned ports filtered -- firewall or relocated |
The registrar chain is notable: a Moscow-based LLC operating infrastructure allocated through a Hong Kong registrar (Changway Technologies). Changway has appeared in prior bulletproof hosting investigations and is known for providing RIPE LIR services to operators who have difficulty obtaining allocations directly.
C2 Port Map
| Port | Family | Confidence | First Seen | Last Seen |
|---|---|---|---|---|
| 4449 | RedLine Stealer | 100% | 2025-11-02 | 2025-11-16 |
| 4449 | VenomRAT | Sample-confirmed | 2025-12-23 | -- |
| 4782 | QuasarRAT | 100% | 2025-12-22 | 2025-12-23 |
| 2022 | AsyncRAT | 50% | 2025-11-12 | -- |
Port 4449 is doing double duty -- RedLine Stealer was reported on it in November 2025, and VenomRAT samples from December 2025 connect to the same port. This could indicate port reuse after the RedLine campaign ended, or a shared listener architecture. The QuasarRAT listener on 4782 is the default Quasar port. AsyncRAT on 2022 carries lower confidence but is corroborated by sandbox analysis of the associated samples.
The Wider GALEON-AS Cluster
Expanding the search to AS209290 reveals this is not an isolated server. The entire ASN is a malware hosting operation:
| IP | Port | Family | Confidence | First Seen |
|---|---|---|---|---|
| 178.22.24.47 | 1321 | Rhadamanthys | 100% | 2025-09-22 |
| 178.22.24.47 | 4343 | Rhadamanthys | 75% | 2025-11-13 |
| 178.22.24.253 | 58888 | Rhadamanthys | 100% | 2025-09-30 |
| 178.22.24.253 | 58 | Rhadamanthys | 100% | 2025-09-30 |
| 178.22.24.253 | 48322 | Rhadamanthys | 75% | 2025-11-13 |
| 217.119.139.23 | 8888 | DCRat | 100% | 2025-12-08 |
| 217.119.139.192 | 8080 | DCRat | 100% | 2025-11-28 |
| 217.119.139.117 | 80 | AMOS Stealer | 100% | 2025-10-21 |
That is eight malware families across five IPs on two subnets. The 217.119.139.0/24 range hosting DCRat and AMOS was quarantined by RIPE on 2026-01-26, but the 178.22.24.0/24 range remains active with its freshly minted allocation.
Sample Analysis
MalwareBazaar holds 12 samples tagged to 178.22.24.175, uploaded primarily on 2025-12-23 by reporter iamaachum. The samples cluster into three functional groups: RAT binaries, stealer payloads, and a sophisticated Golang process hollowing loader that ties them together.
Group 1: QuasarRAT/AsyncRAT Dual-RAT Binary
| Field | Value |
|---|---|
| SHA256 | 0b2b62e1b05659012daceb08af36da7011b14c5978be5985ba93827047f4da21 |
| Filename | 3AB58D54D30CD44E9013A95573D0D528.exe |
| Size | 22 MB |
| Type | .NET PE (x86), CIL |
| Internal Name | twerjhituhq.exe / "j34ytje" |
| C2 | 178.22.24.175:4782 |
| Botnet Tags | "day1", "new1" |
The 22 MB file size is unusual for a RAT and suggests bundling or padding. Sandbox results from CAPE, Triage, and VMRay all identify AsyncRAT behavior, while Triage additionally flags QuasarRAT signatures (score 10/10). The botnet tags "day1" and "new1" are consistent with an operator testing infrastructure or onboarding a new campaign -- the naming suggests this was an early-stage deployment.
Observed behaviors include autorun persistence, process injection, browser and email credential theft, PowerShell execution, and scheduled task creation.
Group 2: Vidar/OffLoader Dropper (Inno Setup)
| Field | Value |
|---|---|
| SHA256 | bcd3ea6381685f74cfea4dbbbe28e41eb7dd6435260555a234ac595d3bed8a1a |
| Filename | executive_7839.858_INSTALL.exe |
| Size | 5 MB |
| Type | PE x86, Inno Setup installer (Delphi) |
| Signature | OffLoader |
| Spoofed Publisher | "Black Blender Max Service Setup" / Microsoft Corporation |
| Delivery | Web download |
The Inno Setup dropper masquerades as a legitimate installer with spoofed Microsoft Corporation version info. Once executed, it resolves its Vidar C2 through a dead-drop resolver chain:
Dead Drop Resolver Chain:
1. Telegram → telegram.me/gal17d
2. Steam → steamcommunity.com/profiles/76561198759765485
3. HTTP → xet.multiatend.com.br
The Telegram handle "gal17d" is likely operator-controlled. The Steam profile serves as a fallback -- Vidar is well-known for embedding C2 addresses in Steam profile bio fields, which are publicly readable without authentication. The HTTP endpoint on a Brazilian domain (multiatend.com.br) suggests a compromised legitimate site repurposed as a resolver.
Group 3: The Birkenhead Loader (StormKitty/VenomRAT/Vidar)
This is the most technically interesting component. It is a Golang-compiled process hollowing loader that drops all three payloads simultaneously.
| Field | Value |
|---|---|
| SHA256 | f3a4b0da6aee356030a581a3423a43136821add76ba78f22455e5bc99b947c56 |
| Filename | IDM_64~1.EXE |
| Size | 4.8 MB |
| Type | PE x86-64 (Golang) |
| Go Source | Birkenhead/main.go, Birkenhead/empyrean.go |
| Signature | StormKitty |
| VenomRAT C2 | 178.22.24.175:4449 |
| Distribution | downloadtorrentfile[.]com (trojanized IDM installer) |
The Go source paths (Birkenhead/main.go, Birkenhead/empyrean.go) reveal the loader's internal project name. "Empyrean" is a known open-source Discord token stealer, suggesting the operator is combining multiple open-source and commercial tools into a single delivery chain.
Process Hollowing Implementation
The loader's Go symbol table exposes a complete process hollowing toolkit:
Process Injection (T1055.012):
CreateProcessAsUserW → Create suspended target process
WriteProcessMemory → Write payload into target address space
SetThreadContext → Redirect execution to payload entry point
ResumeThread → Resume execution under target process identity
PE Manipulation:
PERawToVirtual → Convert PE from disk format to memory layout
RelocateModule → Fix image base relocations
ProcessRelocationTable → Process .reloc section entries
RedirectToPayload → Patch entry point to payload
WoW64 Cross-Architecture:
Wow64GetThreadContext → Handle 32-bit injection from 64-bit process
Wow64SetThreadContext → Set thread context across architecture boundary
Privilege Escalation (T1134):
AdjustTokenPrivileges → Enable SeDebugPrivilege
DuplicateTokenEx → Duplicate access tokens
ImpersonateSelf → Self-impersonation for privilege manipulation
The WoW64 support is significant -- it means this loader can inject 32-bit payloads from a 64-bit process context, which is necessary when targeting legacy applications or when the dropped payload (like the .NET-based VenomRAT) is x86-only.
Anti-Analysis and Persistence
Persistence (T1547.001):
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
Defense Evasion (T1562.001):
Disable_Defender → Windows Defender tampering
Check_Debugger → IsDebuggerPresent checks
DebuggerCheck__API → NtQueryInformationProcess anti-debug
pe_detect_tls_callbacks → TLS callback anti-analysis
Group 4: Vidar DLL Payload (CornflowerBlue1.dat)
| Field | Value |
|---|---|
| SHA256 | 7a7856ad1fbd7092d4503b5a2dabed236731b0b6dbc5394a96e3c5120b5046ee |
| Filename | CornflowerBlue1.dat |
| Size | 1.7 MB (DLL) |
| Signature | Vidar |
| Tags | QuasarRAT, VenomRAT, Vidar |
| Detection | Win32.Trojan.Kepavll (ReversingLabs, 61%) |
A Rust-compiled DLL with anti-debug checks and TLS callbacks. The filename "CornflowerBlue1.dat" follows a pattern seen in other Vidar campaigns where payloads are named after CSS colors to blend into application data directories. The relatively low 61% detection rate suggests this DLL component receives less analyst attention than the parent executables.
Group 5: Trojanized IDM Distribution (8 Samples)
Eight additional samples uploaded on 2025-12-23 are all trojanized Internet Download Manager installers, distributed as both ISOs and standalone EXEs:
Distribution Artifacts:
Internet Download Manager IDM 6.48 Build 45.iso
Internet Download Manager IDM 6.42 Build 45-[FTUApps.com].iso
Internet Download Manager (IDM) v6.42 Build 42 + Fix{CracksHash}.iso
IDMan.exe (multiple variants)
Cross-platform_25.49.22_INSTALL.exe
The ISO format is a deliberate choice. ISOs auto-mount on Windows 10/11 without third-party software, bypassing Mark-of-the-Web (MOTW) protections that would otherwise trigger SmartScreen warnings on downloaded executables (T1553.005). The "CracksHash" and "FTUApps" branding targets users actively searching for pirated software -- a demographic that has already accepted the risk of running unsigned executables and is unlikely to scrutinize what they install.
Kill Chain Summary
1. INITIAL ACCESS (T1189)
   - Trojanized IDM installers on downloadtorrentfile.com / CracksHash
   - Format: ISO (MOTW bypass) and EXE
2. EXECUTION (T1204.002)
   - User executes IDM installer
   - → Inno Setup dropper (OffLoader) OR Golang loader (Birkenhead)
3. PERSISTENCE (T1547.001)
   - Registry Run key: HKCU\...\CurrentVersion\Run
4. DEFENSE EVASION (T1055.012, T1562.001)
   - Process hollowing via CreateProcessAsUserW → WriteProcessMemory
   - Windows Defender tampering
   - Anti-debug: TLS callbacks, IsDebuggerPresent, NtQueryInformationProcess
5. COMMAND AND CONTROL (T1071, T1102)
   - VenomRAT → 178.22.24.175:4449
   - QuasarRAT → 178.22.24.175:4782
   - AsyncRAT → 178.22.24.175:2022
   - Vidar C2 → Dead-drop: Telegram/Steam/HTTP resolvers
6. EXFILTRATION (T1041)
   - Vidar: Browser credentials, crypto wallets, files
   - RedLine: Browser/FTP/IM credentials, system fingerprinting
   - StormKitty: Discord tokens, browser data, keylogging
RIPE Revocation: The Burned Subnet
RIPE NCC revoked and quarantined the 217.119.139.0/24 assignment on 2026-01-26:
remarks: Assignment revoked on 2026-01-26
remarks: Prefix quarantined - not in service
This subnet hosted DCRat (ports 8888, 8080) and AMOS Stealer (port 80) on the same ASN. The quarantine confirms that abuse reports were filed and acted upon. But six weeks later, the operator acquired a fresh allocation for 178.22.24.0/24 -- created 2026-03-02 -- and resumed operations. The infrastructure lifecycle is clear:
2025-09-22 First Rhadamanthys C2 observed on 178.22.24.0/24
2025-10-21 AMOS Stealer panel on 217.119.139.0/24
2025-11-02 RedLine Stealer on 178.22.24.175
2025-12-22 QuasarRAT/VenomRAT campaign launches
2026-01-26 RIPE revokes 217.119.139.0/24
2026-03-02 RIPE allocation renewed/recreated for 178.22.24.0/24
2026-03-08 Investigation date -- 178.22.24.175 ports now filtered
The six-day gap between allocation and our investigation finding filtered ports suggests the operator may be in the process of migrating again, or has implemented stricter firewall rules after losing the adjacent subnet.
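A maintainer-level check for the burn-and-reallocate pattern described above, as an added example that is not part of the original report: it parses RPSL-style whois objects and flags any maintainer that holds both a revoked/quarantined range and a freshly created one. The whois text is constructed from the report's details (mnt-by, the 2026-03-02 creation date, the revocation remarks); the netname values, the 10:00 timestamp, the 2025-06-01 creation date of the revoked range and the 30-day freshness threshold are assumptions.

```python
import re
from datetime import date, datetime

FRESH_DAYS = 30  # assumption: an allocation younger than this counts as "freshly minted"

# Constructed whois text modelled on the report's details; netname values, the
# timestamps and the revoked range's created date are placeholders.
SAMPLE_WHOIS = """\
inetnum:        178.22.24.0 - 178.22.24.255
netname:        PLACEHOLDER-NET-1
mnt-by:         lir-hk-changway-1-MNT
created:        2026-03-02T10:00:00Z
source:         RIPE

inetnum:        217.119.139.0 - 217.119.139.255
netname:        PLACEHOLDER-NET-2
remarks:        Assignment revoked on 2026-01-26
remarks:        Prefix quarantined - not in service
mnt-by:         lir-hk-changway-1-MNT
created:        2025-06-01T00:00:00Z
source:         RIPE
"""

def parse_objects(text):
    # RPSL objects are blank-line separated; repeated keys (remarks) accumulate.
    objects, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                objects.append(cur)
            cur = {}
            continue
        key, _, val = line.partition(":")  # split on the first colon only
        cur.setdefault(key.strip(), []).append(val.strip())
    if cur:
        objects.append(cur)
    return [o for o in objects if "inetnum" in o]

def assess(obj, as_of_iso):
    # Age of the allocation and whether RIPE has marked it revoked/quarantined.
    remarks = " ".join(obj.get("remarks", [])).lower()
    created = datetime.strptime(obj["created"][0], "%Y-%m-%dT%H:%M:%SZ").date()
    age = (date.fromisoformat(as_of_iso) - created).days
    return {"inetnum": obj["inetnum"][0], "mnt_by": obj.get("mnt-by", ["?"])[0],
            "quarantined": bool(re.search(r"revoked|quarantined", remarks)),
            "age_days": age, "fresh": age <= FRESH_DAYS}

def burn_and_reallocate(text, as_of_iso):
    # Maintainers holding both a revoked range and a fresh, still-active one.
    by_mnt = {}
    for r in (assess(o, as_of_iso) for o in parse_objects(text)):
        by_mnt.setdefault(r["mnt_by"], []).append(r)
    return sorted(m for m, rs in by_mnt.items()
                  if any(r["quarantined"] for r in rs)
                  and any(r["fresh"] and not r["quarantined"] for r in rs))
```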
MITRE ATT&CK Mapping
| Technique | ID | Usage |
|---|---|---|
| Drive-by Compromise | T1189 | Trojanized IDM on piracy sites |
| User Execution: Malicious File | T1204.002 | ISO/EXE installers require user execution |
| Registry Run Keys | T1547.001 | HKCU...\Run persistence |
| Process Injection: Process Hollowing | T1055.012 | Birkenhead loader hollowing via WoW64 |
| Impair Defenses: Disable or Modify Tools | T1562.001 | Windows Defender disabling |
| Subvert Trust Controls: MOTW Bypass | T1553.005 | ISO distribution bypasses SmartScreen |
| Web Service: Dead Drop Resolver | T1102.001 | Vidar uses Telegram/Steam for C2 resolution |
| Application Layer Protocol | T1071 | RAT C2 over custom TCP |
| Exfiltration Over C2 Channel | T1041 | Credential/data theft via RAT and stealer channels |
| Access Token Manipulation | T1134 | DuplicateTokenEx, AdjustTokenPrivileges |
IOCs
Network Indicators
# Primary C2 -- 178.22.24.175
178.22.24.175:4449 VenomRAT / RedLine Stealer
178.22.24.175:4782 QuasarRAT
178.22.24.175:2022 AsyncRAT
178.22.24.175:5432 PostgreSQL (data backend)
# GALEON-AS Cluster
178.22.24.47:1321 Rhadamanthys
178.22.24.47:4343 Rhadamanthys
178.22.24.253:58888 Rhadamanthys
178.22.24.253:58 Rhadamanthys
217.119.139.23:8888 DCRat (subnet quarantined)
217.119.139.192:8080 DCRat (subnet quarantined)
217.119.139.117:80 AMOS Stealer (subnet quarantined)
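Detection logic that matches the C2 Port Map and the network indicators above against Zeek conn.log-style records, as an added example that is not part of the original report: exact IP:port hits against the listed listeners rank high, and any other port inside the two operator /24s ranks medium. The five log lines are constructed (10.0.0.x and 198.51.100.10 are placeholders), and the tab-separated field order is an assumption about the log source.

```python
import ipaddress
import re
# Known C2 listeners from this report: (ip, port) -> family.
C2_ENDPOINTS = {
    ("178.22.24.175", 4449): "VenomRAT / RedLine Stealer",
    ("178.22.24.175", 4782): "QuasarRAT",
    ("178.22.24.175", 2022): "AsyncRAT",
    ("178.22.24.47", 1321): "Rhadamanthys",
    ("178.22.24.47", 4343): "Rhadamanthys",
    ("178.22.24.253", 58888): "Rhadamanthys",
    ("178.22.24.253", 58): "Rhadamanthys",
    ("217.119.139.23", 8888): "DCRat",
    ("217.119.139.192", 8080): "DCRat",
    ("217.119.139.117", 80): "AMOS Stealer",
}
# Operator ranges: the live /24 plus the quarantined one (traffic to the dead range still marks an infected host).
GALEON_RANGES = [ipaddress.ip_network(n) for n in ("178.22.24.0/24", "217.119.139.0/24")]
# Assumed Zeek conn.log-style fields: ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto
LINE_RE = re.compile(r"^(\S+)\t(\S+)\t(\S+)\t(\d+)\t(\S+)\t(\d+)\t(\S+)")
# Constructed sample traffic, not captured data (10.0.0.x and 198.51.100.10 are placeholders).
SAMPLE_CONN_LOG = """\
1773000001.1\tCk1\t10.0.0.15\t49211\t178.22.24.175\t4449\ttcp
1773000002.2\tCk2\t10.0.0.15\t49212\t198.51.100.10\t443\ttcp
1773000003.3\tCk3\t10.0.0.22\t49300\t178.22.24.47\t1321\ttcp
1773000004.4\tCk4\t10.0.0.22\t49301\t178.22.24.99\t8443\ttcp
1773000005.5\tCk5\t10.0.0.31\t49400\t217.119.139.117\t80\ttcp
""".splitlines()

def classify(dst, dport):
    # Exact IP:port match against the published listeners is a high-confidence hit.
    family = C2_ENDPOINTS.get((dst, dport))
    if family:
        return ("high", f"known C2 listener: {family}")
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:  # '-' or a hostname in the resp_h column
        return None
    for net in GALEON_RANGES:  # unlisted port in an operator range: new listener or pivot host
        if addr in net:
            return ("medium", f"GALEON-AS range {net}, unlisted port {dport}")
    return None

def scan(lines):
    # Returns (uid, src, dst, dport, severity, reason) for each connection into the cluster.
    hits = []
    for m in filter(None, map(LINE_RE.match, lines)):
        _ts, uid, src, _sport, dst, dport, _proto = m.groups()
        verdict = classify(dst, int(dport))
        if verdict:
            hits.append((uid, src, dst, int(dport)) + verdict)
    return hits
```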
Dead Drop Resolvers
telegram[.]me/gal17d
steamcommunity[.]com/profiles/76561198759765485
xet.multiatend[.]com[.]br
Distribution Infrastructure
downloadtorrentfile[.]com
File Hashes (SHA256 unless noted)
# QuasarRAT/AsyncRAT dual-RAT binary
0b2b62e1b05659012daceb08af36da7011b14c5978be5985ba93827047f4da21
# Vidar/OffLoader Inno Setup dropper
bcd3ea6381685f74cfea4dbbbe28e41eb7dd6435260555a234ac595d3bed8a1a
# StormKitty/VenomRAT/Vidar Golang loader (Birkenhead)
f3a4b0da6aee356030a581a3423a43136821add76ba78f22455e5bc99b947c56
# Vidar DLL payload (CornflowerBlue1.dat)
7a7856ad1fbd7092d4503b5a2dabed236731b0b6dbc5394a96e3c5120b5046ee
# Trojanized IDM ISOs (32-character MD5-length values as published, not SHA256)
8c60924560de7800b980ed881d140ab7 (IDM 6.48 Build 45)
48ac9183df54aa8ea2ff37f91cf9496e (IDM 6.42 Build 45 - FTUApps)
528da74bdb9e2d14c7efdeae6e6ec95f (IDM CracksHash)
# Additional payloads (32-character MD5-length value as published, not SHA256)
e04c0a63203c01287f3caeb0713dbdaf (Cross-platform QuasarRAT)
YARA Rules (Community)
command_and_control
CP_Script_Inject_Detector
Disable_Defender
Golangmalware
Suspicious_Golang_Binary
Check_Debugger
DebuggerCheck__API
pe_detect_tls_callbacks
ASN / Registrar Intelligence
AS209290 GALEON-AS Galeon LLC, Moscow
AS48347 MTW-AS Route origin, Moscow
Registrar lir-hk-changway-1-MNT Hong Kong Changway Technologies
Abuse abuse@gc.com.ru Global Communications LLC
Abuse info@galeonllc.ru Galeon LLC
Abuse abuse@mtw.ru MTW-AS
Investigation completed 2026-03-08 by breakglass.intelligence. IOCs available for automated ingestion. If you are operating in a network that permits torrent or piracy site access, block downloadtorrentfile[.]com and the GALEON-AS ranges at the perimeter immediately.