Dissecting "SILENT": A Full-Stack Malware-as-a-Service Operation Targeting Gamers
Published: March 8, 2026 Author: Breakglass Intelligence Tags: malware analysis, infostealer, RAT, MaaS, reverse engineering, threat intelligence
TL;DR
A complete Malware-as-a-Service (MaaS) operation branded "SILENT" was reverse-engineered from distribution to command-and-control. The operation uses a fake Minecraft client ("PinkieCraft") to deliver a triple-encrypted Electron-based infostealer and RAT that targets Discord, browsers, cryptocurrency wallets, gaming platforms, and Telegram -- with 76 active API keys observed on its exfiltration proxy during a 92-minute investigation window, indicating a growing victim pool. The entire React-based admin panel source code was recovered from publicly exposed source maps, revealing the full C2 API surface, a Telegram-based 2FA login flow, and French-language developer comments that contribute to operator attribution.
The Exposed Panel: How Source Maps Blew Open a MaaS Operation
The most consequential finding in this investigation was not inside the malware itself -- it was on the operator's admin panel. The React application hosted at funnywebsiteviewer.onrender.com was deployed with production source maps publicly accessible at /static/js/main.17bcf5b0.js.map. This single OPSEC failure yielded 112,000 characters of unminified React source code across three components (App.js, ClientDetail.js, ChatPage.js), exposing every API endpoint, the authentication flow, and the full scope of RAT capabilities.
The panel hardcodes its backend URL as https://datanetworksync.onrender.com and implements a Telegram-based 2FA flow: the operator submits a license key (WEEKLY-{32-char-hex}), the backend sends a one-time code via Telegram bot API, and a JWT is returned. The OTP expires after 5 minutes. French-language comments -- "Demarrer un compte a rebours" (start a countdown) and "Nettoyer apres expiration" (clean after expiration) -- confirm the developer's native language.
The backend leaks its development configuration through CORS set to http://localhost:3000, and the Express.js exfiltration proxy runs in development mode, returning full stack traces including the path /var/www/new-api-protocol/.
Kill Chain: From Fake Minecraft Client to Full System Compromise
Stage 1: Distribution
The malware is distributed through pinkiecraft.com, a fake Minecraft client site registered January 17, 2026 via a Turkish registrar (Turkticaret.net). The download page serves a 57.2 MB ZIP containing an NSIS installer (PinkieCraft.exe).
Stage 2: Payload Delivery
The NSIS installer extracts an Electron application with three AES-256-CBC encrypted JavaScript payloads, each using PBKDF2 key derivation (SHA-512, 100,000 iterations) with unique master keys:
| Payload | Size | Function |
|---|---|---|
| crypted.js | 5.1 MB | Main infostealer -- browser, wallet, gaming, and credential theft |
| discord-injection-obf.js | 1.0 MB | Discord client injection for persistent credential interception |
| main.js | 1.15 MB | Electron main process -- RAT C2, persistence, privilege escalation |
After AES decryption, all three files employ JsConfuser obfuscation with __p_XXXXXXXXXX function naming, indexed string lookup tables, dead code injection, and control flow flattening. Key dependencies bundled in node_modules: sqlite3 (Chrome credential databases), @primno/dpapi (Windows DPAPI), ws (WebSocket C2), and node-telegram-bot-api (exfiltration).
Stage 3: Privilege Escalation
The malware attempts six UAC bypass techniques sequentially until one succeeds (T1548.002):
- fodhelper.exe -- writes HKCU\...\ms-settings\shell\open\command with DelegateExecute
- eventvwr.exe -- writes HKCU\...\mscfile\shell\open\command
- Folder\shell\open\command -- DelegateExecute variant
- SilentCleanup scheduled task -- poisons windir in HKCU\Environment, then triggers schtasks.exe /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup
- exefile\shell\runas -- writes HKCU\...\exefile\shell\runas\command
- VBScript runas -- CreateObject("Shell.Application").ShellExecute with the "runas" verb
Stage 4: Defense Evasion
Before credential theft begins, the malware adds itself to Windows Defender exclusions (T1562.001):
powershell -NoProfile -EP Bypass -W Hidden -C "Add-MpPreference -ExclusionPath '{path}'"
powershell -NoProfile -EP Bypass -W Hidden -C "Add-MpPreference -ExclusionProcess '{exe}'"
It then kills target application processes -- Discord, Steam, all major browsers, Minecraft clients -- to release file locks on credential databases.
Stage 5: Credential Harvesting
The stealer operates across five major target categories detailed in the following sections.
Stage 6: Exfiltration and Persistent Access
Stolen data flows through a multi-layered exfiltration network. A persistent WebSocket connection to the backend C2 enables real-time remote access.
Infostealer Capabilities: What Gets Stolen
Browser Credential Theft
The stealer targets nine browser families, checking up to seven user profiles in each (T1555.003):
- Google Chrome, Microsoft Edge, Brave, Opera Stable, Opera GX, Opera Neon, Vivaldi, Yandex Browser, Mozilla Firefox
For each, it extracts:
- Cookies via SELECT host_key, name, path, expires_utc, is_secure, is_httponly, encrypted_value FROM cookies
- Saved passwords via SELECT origin_url, username_value, password_value FROM logins
- Autofill data via SELECT * FROM autofill
- Discord tokens from IndexedDB LevelDB stores
A notable technique is the Chrome Remote Debugging hijack (T1185): the malware launches browsers with --remote-debugging-port={port} --headless=new --restore-last-session --remote-allow-origins=*, connects to http://127.0.0.1:{debugPort}, and calls Network.getAllCookies, which returns session cookies in cleartext and so sidesteps the at-rest encryption of the cookie database. It also downloads Python 3.10 from globalcdn.nuget.org for a secondary cookie extraction method.
Discord Injection
The injection module locates Discord at %LOCALAPPDATA%\Discord, overwrites discord_desktop_core-*/index.js (only if under 100KB, avoiding double-injection), kills Discord via taskkill /F /IM Discord.exe, and restarts it with malicious code active.
The injected code intercepts:
| Intercepted Endpoint | Data Captured |
|---|---|
| /auth/login | Email + password in cleartext |
| /auth/register | New account credentials |
| /mfa/totp | Two-factor authentication codes |
| /mfa/codes-verification | Backup codes |
| /users/@me | Profile changes (email, password updates) |
| /billing/payment-sources | Payment methods on file |
| /relationships | Complete friend list |
| /guilds?with_counts=true | Server membership and counts |
| wss://remote-auth-gateway.discord.gg/* | QR code login hijack (T1557) |
Payment transactions are also intercepted through Braintree (merchant 49pp2rp4phym7387) and Stripe, capturing card data from Discord purchase flows.
Cryptocurrency Wallet Theft
Eight browser extension wallets are targeted by extension ID (T1552):
| Wallet | Extension ID |
|---|---|
| MetaMask | nkbihfbeogaeaoehlefnkodbefgpgknn |
| Phantom | bfnaelmomeimhlpmgjnjophhpkkoljpa |
| Coinbase Wallet | hnfanknocfeofbddgcijnmhnfnkdnaad |
| Trust Wallet | egjidjbpglichdcondbcbdnbeeppgdp |
| Binance Chain | fhbohimaelbohpjbbldcngcnapndodjp |
| Atomic Wallet | fhilaheimglignddkjgofkcbgekhenbh |
| Authenticator | bhghoamapcdpbohphigoooaddinpkbai |
| Exodus (extension) | aholpfdialjgjfhomihkjbmgjidlcdno |
The desktop Exodus wallet at %APPDATA%\Exodus\exodus.wallet\ is also exfiltrated.
Gaming Platform Theft
| Platform | Data Stolen |
|---|---|
| Roblox | Auth cookies, Robux balance, payment methods, inventory, friends, groups, premium status |
| Steam | loginusers.vdf, account data via API key 440D7F4D810EF9298D25EDDF37C1F902 |
| TikTok | Account info, wallet/diamond data |
| Minecraft | Accounts from Lunar Client, Badlion, Feather launcher, vanilla .minecraft |
Telegram Session Hijack
The tdata session directory is archived and uploaded to GoFile (e1/e2/e5/e8.gofile.io), giving the operator full Telegram account access without re-authentication (T1539).
RAT Command-and-Control Infrastructure
Backend API Surface
The C2 backend at datanetworksync.onrender.com exposes a full remote access API authenticated via JWT Bearer tokens. The complete route map, extracted from the panel source:
| Endpoint | Method | Function |
|---|---|---|
| /api/screen/{hwid} | GET | Live screenshot from victim via Electron desktopCapturer |
| /api/execute-powershell/{hwid} | POST | Arbitrary PowerShell execution on victim |
| /api/system/{hwid}/{action} | POST | System control: shutdown, restart, sleep, lock, BSOD |
| /api/list-files/{hwid} | POST | Browse victim filesystem including drive enumeration |
| /api/download-file/{hwid} | POST | Exfiltrate specific files from victim |
| /api/upload-exe/{hwid} | POST | Download and execute EXE from Discord CDN on victim |
| /api/regenerate-discord/{hwid} | POST | Re-steal Discord tokens on demand |
| /api/relog/{hwid} | POST | Full credential re-harvest |
| /api/alert/{hwid} | POST | Display popup message on victim screen |
| /api/play-sound/{hwid} | POST | Play arbitrary audio on victim |
| /api/chat/{hwid} | GET/POST | Bidirectional admin-to-victim messaging |
| /api/chat/{hwid}/bring | POST | Force victim's browser to the chat page |
The panel refreshes the victim list every 3 seconds and captures live screenshots at 1-second intervals. The BSOD command works by force-killing svchost.exe (taskkill /f /im svchost.exe), which crashes the system.
Unauthenticated Endpoints
Two chat-related endpoints require no authentication whatsoever:
- GET /api/chat/{hwid}/messages -- anyone can read admin-victim chat logs
- POST /api/chat/{hwid}/victim -- anyone can send messages as the "victim"
This means any party who discovers a valid HWID can read operator communications and inject messages into the chat stream.
Persistence Mechanisms
The malware deploys five independent persistence mechanisms (T1547.001, T1053.005, T1546.003, T1546.015):
| Mechanism | Detail |
|---|---|
| Registry Run keys | HKCU\...\Run with names mimicking SecurityHealth, Adobe, or app-specific autolaunch |
| Startup folder | VBScript-created .lnk described as "Microsoft OneDrive", WindowStyle 7 (minimized) |
| Scheduled tasks | XML-defined tasks named GoogleUpdateTaskMachineCore, Adobe Acrobat Update, or CCleaner Update -- triggers on boot (2 min delay), logon (30s delay), every 4 hours, and session unlock. Author spoofed as "Microsoft Corporation" |
| WMI event subscription | Filter WinUpdate{SID} fires daily at 8:00 AM via WQL __InstanceModificationEvent |
| COM hijacking | HKCU\Software\Classes\CLSID\{clsid}\InprocServer32 |
The scheduled task configuration is particularly robust: it runs at HighestAvailable run level, is marked hidden, and retries 3 times every 5 minutes on failure.
Exfiltration Network Architecture
Victim
|
+---> Discord injection data ---> network-sync-protocol.net/api/send (x-api-key)
|
+---> Browser/wallet/gaming ---> datanetworksync.onrender.com (x-api-key)
|
+---> Backup proxy -----------> sync-service.system-telemetry.workers.dev/api/send
|
+---> Telegram sessions ------> GoFile.io (e1/e2/e5/e8.gofile.io)
|
+---> RAT WebSocket ----------> wss://datanetworksync.onrender.com
|
+---> Victim IP/geo ----------> api.ipify.org + ip-api.com
The Cloudflare Worker proxy presents a fake "System Telemetry v3.1.0" dashboard with permissive CORS (Access-Control-Allow-Origin: *).
During the 92-minute investigation, the proxy's unauthenticated /api/health endpoint revealed the key count climbing from 75 to 76 -- a new victim compromised in real time.
MITRE ATT&CK Mapping
| TTP ID | Technique | Implementation |
|---|---|---|
| T1204.002 | User Execution: Malicious File | Fake Minecraft client download |
| T1027.013 | Obfuscated Files: Encrypted/Encoded File | AES-256-CBC + JsConfuser obfuscation |
| T1548.002 | Abuse Elevation Control: Bypass UAC | 6 sequential UAC bypass techniques |
| T1562.001 | Impair Defenses: Disable or Modify Tools | Defender exclusion via PowerShell |
| T1555.003 | Credentials from Password Stores: Web Browsers | SQLite + DPAPI + remote debugging |
| T1185 | Browser Session Hijacking | Chrome remote debugging headless mode |
| T1539 | Steal Web Session Cookie | All browser cookies + Telegram tdata |
| T1552 | Unsecured Credentials | Crypto wallet extension data theft |
| T1547.001 | Boot or Logon Autostart: Registry Run Keys | 4 registry name patterns |
| T1053.005 | Scheduled Task | XML tasks mimicking Google/Adobe/CCleaner |
| T1546.003 | Event Triggered Execution: WMI | Daily 8 AM WMI event subscription |
| T1546.015 | Component Object Model Hijacking | COM CLSID InprocServer32 hijack |
| T1557 | Adversary-in-the-Middle | Discord QR code login interception |
| T1571 | Non-Standard Port | WebSocket C2 over HTTPS |
| T1567 | Exfiltration Over Web Service | GoFile.io, Render.com, Cloudflare Workers |
| T1102 | Web Service | Discord CDN for payload delivery |
| T1059.001 | Command and Scripting Interpreter: PowerShell | Remote PowerShell execution via RAT |
Operator Attribution
The operator profile assembled from OSINT and code analysis:
- Language: French (inline code comments in native French)
- Age/maturity: Likely young -- casual naming (Silentapilolxd123., funnywebsiteviewer), test credentials in production
- Community: Gaming-oriented, active in Roblox (custom emoji references to Robux/Premium)
- Tools: Uses Google Gemini for AI-generated images
- Infrastructure: Turkish registrar, Cloudflare, Render.com free tier
- Business model: Weekly subscription MaaS -- WEEKLY-{hex} license keys, Telegram OTP-gated panel
- Timeline: Domain registration January 2026; panel last updated February 12; C2 active as of February 26, 2026
Defensive Recommendations
Network-Level Blocks
Add the following to DNS sinkholes, proxy blocklists, and firewall rules:
network-sync-protocol.net
*.network-sync-protocol.net
sync-service.system-telemetry.workers.dev
datanetworksync.onrender.com
funnywebsiteviewer.onrender.com
pinkiecraft.com
Endpoint Detection
- Monitor for UAC bypass registry writes to HKCU\...\ms-settings\shell\open\command, mscfile\shell\open\command, and the windir value under HKCU\Environment
- Alert on Add-MpPreference -ExclusionPath or -ExclusionProcess in PowerShell
- Detect browsers launched with --remote-debugging-port combined with --headless
- Monitor Discord client integrity -- discord_desktop_core-*/index.js exceeding 100KB indicates injection
- Watch for WMI subscriptions with WinUpdate in the filter name
- Alert on scheduled tasks authored by "Microsoft Corporation" outside expected system paths
Incident Response for Infected Hosts
- Isolate the machine from the network
- Check Discord client for modified index.js in discord_desktop_core-*/
- Remove persistence: registry Run keys (SecurityHealth*, AdobeGCInvok*), startup .lnk files, WMI subscriptions WinUpdate{SID}, fake scheduled tasks
- Search for infection marker X7G8JQW9LFH3YD2KP6ZTQ4VMX5N8WB1RHFJQ.txt
- Rotate all credentials -- every saved password, token, and session cookie is compromised
- Revoke cryptocurrency wallet keys; assume all wallet contents at risk
- Enable hardware-based 2FA (backup codes were also stolen)
- Report to platform abuse teams (Discord, Cloudflare, Render.com)
Indicators of Compromise
Domains
| Domain | Function |
|---|---|
| network-sync-protocol.net | C2 exfiltration proxy (Discord credentials) |
| sync-service.system-telemetry.workers.dev | Cloudflare Worker exfiltration proxy |
| datanetworksync.onrender.com | Backend C2 / RAT server |
| funnywebsiteviewer.onrender.com | RAT admin panel (source maps exposed) |
| pinkiecraft.com | Malware distribution site |
File Hashes (SHA-256)
| File | SHA-256 |
|---|---|
| PinkieCraft.zip | 28a03d29e99c75fc9603b9e5193f97feca561bdc6db4271cdb2d522b9d5b2ae3 |
| PinkieCraft.exe (NSIS) | 9577d4cf2d0b2000b63ce597b04cd07a917387bbde1cf31f8619541a8e9333c3 |
| crypted.js (encrypted) | bef28b9b32342bb5a2824b7cac4a063ec98cd8ddcdb7ed5251add765dcf62160 |
| discord-injection-obf.js | 8881949980768a8e9822d4bd1974c70c753ff7461d96ff0c88bb7e88559620bd |
| main.js (Electron) | e99d2d3c095b3f94d819abb85e0ecacd73d48c8c50a29de92dd74f0c801de98c |
API Keys and Credentials
| Key | Value |
|---|---|
| C2 API Key | Silentapilolxd123. |
| Backend API Key | test_api_key_12345 |
| License Key | WEEKLY-4B9638EF09618D7BA158940637C141AE |
| Steam Web API Key | 440D7F4D810EF9298D25EDDF37C1F902 |
| Braintree Merchant ID | 49pp2rp4phym7387 |
Network, Registry, and Filesystem Indicators
| IP Address | Context |
|---|---|
| 104.21.75.224 | Cloudflare edge (network-sync-protocol.net) |
| 172.67.182.109 | Cloudflare edge (network-sync-protocol.net) |

| Registry Key | Purpose |
|---|---|
| HKCU\...\CurrentVersion\Run | Persistence (autorun) |
| HKCU\...\ms-settings\shell\open\command | UAC bypass (fodhelper) |
| HKCU\...\mscfile\shell\open\command | UAC bypass (eventvwr) |
| HKCU\Environment (windir) | UAC bypass (SilentCleanup) |

| Filesystem Indicator | Context |
|---|---|
| discord_desktop_core-*/index.js > 100KB | Discord injection active |
| X7G8JQW9LFH3YD2KP6ZTQ4VMX5N8WB1RHFJQ.txt | Infection marker file |
| WMI filter WinUpdate{SID} | WMI persistence |
| Scheduled tasks: GoogleUpdateTaskMachineCore, Adobe Acrobat Update, CCleaner Update | Task persistence |
Conclusion
"SILENT" represents commodity MaaS at its current state: technically capable but operationally sloppy. The malware is well-engineered -- triple-layer encryption, six UAC bypass chains, five persistence mechanisms, Chrome remote debugging hijack, and a full RAT. But the infrastructure tells a different story: exposed source maps, development-mode servers leaking stack traces, test API keys in production, and CORS misconfiguration.
The 76 active API keys confirm real victims are being compromised. Young gamers downloading free Minecraft clients are unlikely to inspect NSIS installer payloads or notice headless Chrome processes spawning in the background.
The WEEKLY- license key format indicates this is a subscription service -- the developer sells access to other threat actors who bring their own distribution channels. The IOCs published here represent just one customer's deployment. The underlying "SILENT" platform likely powers additional campaigns with different infrastructure.
All infrastructure providers and platform abuse teams have been notified. The investigation was conducted entirely through passive analysis of publicly accessible endpoints and malware samples from the public distribution site.
This analysis was produced by Breakglass Intelligence. All infrastructure probing used publicly accessible endpoints. No exploitation, unauthorized access, or destructive actions were performed during the investigation.