Dissecting the "Mhunter" Campaign: An MPRESS-Packed Remcos RAT with Live C2 and Mutual TLS Authentication

TL;DR: We decrypted the full configuration from an MPRESS-packed Remcos RAT sample targeting Italian organizations, revealing a live command-and-control server on a ColoCrossing VPS in Toronto that enforces mutual TLS authentication with embedded EC P-256 certificates. The C2 infrastructure, DuckDNS naming conventions, and botnet identifier "Mhunter" are consistent with West African threat actor patterns documented in prior Remcos campaigns.

---

Why This Sample Matters

Remcos RAT is one of the most widely deployed commercial remote access trojans in the wild, with Censys tracking over 150 active C2 servers at any given time. It is trivial to purchase, easy to configure, and well-documented by its developer (Breaking Security) as a "legitimate" remote administration tool -- which means operator tradecraft, not the malware itself, is what distinguishes campaigns worth studying.

This sample, reported by JAMESWT_WT (the top-ranked VirusTotal contributor globally, with 531,000+ reputation points), stood out for several reasons: a live C2 server with exposed RDP revealing the operator's VPS hostname, mutual TLS authentication that restricts C2 communication exclusively to infected hosts, and a DuckDNS domain name that reads like an aspirational mantra -- "new angel new life new hope for money get rich bac." That naming pattern, combined with infrastructure choices, points to a specific threat actor profile.

We fully decrypted the embedded configuration, extracted both TLS certificates and the EC private key, confirmed the C2 was live and accepting connections, and mapped the operator's infrastructure posture. Here is what we found.

Attack Chain

1. DELIVERY — Suspected phishing lure targeting Italian organizations
   Reporter: JAMESWT_WT (Italy)   |   Delivery vector: Unknown (likely DHL/PayPal phishing)
   ↓
2. EXECUTION — PE32 x86 GUI binary, 528 KB
   Packer: MPRESS   |   TLS callback at 0x45f64c (anti-analysis)
   Compiled: 2026-02-03 17:38:41 UTC
   ↓
3. CONFIG DECRYPTION — RCDATA "SETTINGS" resource (1,361 bytes)
   RC4 encryption with 187-byte key → 58 config fields
   Separator: |\x1e\x1e\x1f|
   ↓
4. PERSISTENCE — Dual registry Run keys + watchdog
   HKCU\Software\Microsoft\Windows\CurrentVersion\Run
   HKLM\Software\Microsoft\Windows\CurrentVersion\Run
   ↓
5. C2 COMMUNICATION — TLS 1.3 with mutual certificate authentication
   newangelnewlifenewhopeformoneygetrichbac.duckdns[.]org:14645
   → 96.44.159.137 (ColoCrossing / HostPapa, Toronto, CA)
   ↓
6. POST-COMPROMISE — Full RAT capabilities
   Keylogging, screen capture, microphone recording, process hollowing,
   file management, remote shell, registry manipulation

The delivery mechanism was not directly observed. However, JAMESWT_WT extensively tracks Remcos campaigns targeting Italy through phishing lures impersonating DHL, PayPal, and Italian financial institutions -- a pattern also documented by CERT-AGID. The Italian origin and this reporter's involvement strongly suggest the sample arrived via a similar phishing vector.

Binary Analysis

The sample is a 528 KB PE32 GUI executable packed with MPRESS, a legitimate executable packer frequently abused by malware authors. Despite the packing, the sample carries an 84% AV detection rate -- Remcos signatures are well-established across the industry.

PE Metadata

Field	Value
SHA256	7976b72d4f0bcca38ba349dc7329e50721afa3b339b0615b42ccdaf899e062e6
MD5	006c1b888bc4ecb72158c20ca0d6cc2c
Size	528,384 bytes
Type	PE32 GUI (x86)
Compiled	2026-02-03 17:38:41 UTC
Packer	MPRESS
Entry Point	0x3b4c2
TLS Callback	0x45f64c

The TLS callback at 0x45f64c is a well-known Remcos anti-analysis technique. TLS callbacks execute before the program's entry point, allowing the malware to detect debuggers or sandboxes before the main code runs. Analysts who set breakpoints only at the entry point will miss this early execution.

Section Table

Section	Virtual Size	Raw Size	Entropy
.text	0x5d361	0x5d400	6.63
.rdata	0x19a96	0x19c00	5.68
.data	0x6074	0xe00	3.33
.rsrc	0x4b60	0x4c00	3.99
.reloc	0x40bc	0x4200	6.67

The entropy values are moderate. MPRESS does not inflate entropy to the 7.9+ range typical of UPX or custom packers, which is one reason it occasionally slips past entropy-based heuristics.

Key Imports: Process Hollowing and Keylogging

The import table reveals Remcos's two primary execution techniques:

Process Hollowing (T1055.012): CreateProcessW / CreateProcessA → WriteProcessMemory → ReadProcessMemory → SetThreadContext / GetThreadContext → ResumeThread. This is the classic process hollowing sequence: create a legitimate process in a suspended state, hollow out its memory, write the malicious payload, fix the thread context to point to the new code, and resume execution. The injected code runs under the identity of the legitimate process, evading process-based detection.

Keylogging (T1056.001): SetWindowsHookExA → GetKeyboardState → GetKeyState → GetKeyboardLayout → MapVirtualKeyA → CallNextHookEx → UnhookWindowsHookEx. This is a standard Windows keyboard hook chain that captures keystrokes system-wide and logs them to logs.dat.

Persistence (T1547.001): RegCreateKeyExW → RegSetValueExW → RegOpenKeyExW → RegDeleteKeyA. Both HKCU and HKLM Run keys are configured, with a watchdog process ensuring the RAT restarts if killed.

Configuration Decryption

The Remcos configuration is stored in the PE's resource section as an RCDATA entry named "SETTINGS." The 1,361-byte resource begins with a single byte (0xBB = 187 decimal) indicating the RC4 key length, followed by the 187-byte key, followed by 1,173 bytes of RC4-encrypted configuration data.

After decryption, the configuration contains 58 fields separated by the delimiter |\x1e\x1e\x1f|. The hex dump of the decrypted config confirms the field structure -- the C2 host, port, TLS flag, and botnet ID are immediately visible in the first fields:

Field	Value
C2 Host	newangelnewlifenewhopeformoneygetrichbac.duckdns[.]org
C2 Port	14645
TLS Enabled	Yes (field suffix :1)
Botnet / Campaign ID	Mhunter
Mutex	Rmc-CJKB2M
Install Filename	remcos.exe
Log File	logs.dat
Screenshots Directory	Screenshots
Microphone Records Directory	MicRecords
HKCU Run Persistence	Enabled
HKLM Run Persistence	Enabled
Watchdog	Enabled
Reconnect Delay	100,000 ms
Connect Delay	10 s
Config Hash	A7ACC1647D9ABDD81DDE5E01BEB3E738

Embedded TLS Certificates and Private Key

The most operationally significant aspect of the configuration is the embedded TLS material in fields 54-56. Remcos supports mutual TLS authentication, and this sample has it fully enabled:

Field 54 -- Client Certificate (EC P-256, self-signed):

• Serial: 45:e5:b5:db:64:97:56:41:65:46:ce:0e:64:e3:14:1e
• Validity: 1970-01-01 to 2090-12-31 (dummy dates)
• Subject/Issuer: empty

Field 55 -- EC Private Key:

• 961afa28d5f7b4a7caed0cb62cb9c1ce86516e602741b692e65fcdb64e8ea544

Field 56 -- Server Certificate (EC P-256, self-signed):

• Serial: 62:0f:88:5f:cc:d5:40:a5:9b:77:8b:08:71:66:61:d1
• Validity: 1970-01-01 to 2090-12-31 (dummy dates)
• Subject/Issuer: empty

The server certificate in field 56 was confirmed to match the certificate served by the live C2 on port 14645. This mutual authentication scheme means only bots carrying the correct client certificate can establish a connection -- the server rejects all other TLS handshakes with alert 116 (certificate required). This is a meaningful anti-takeover measure: researchers cannot passively monitor or sink the C2 without the extracted client certificate and private key.

Live C2 Infrastructure

At the time of analysis (2026-03-04), the C2 server was live and accepting connections.

Server Profile

Field	Value
Domain	newangelnewlifenewhopeformoneygetrichbac.duckdns[.]org
IP Address	96.44.159.137
Reverse DNS	96-44-159-137-host.colocrossing.com
ASN	AS36352 (HostPapa / ColoCrossing)
Location	Toronto, Ontario, Canada
Port 14645/tcp	OPEN -- Remcos C2 listener, TLS 1.3, mutual auth enforced
Port 3389/tcp	OPEN -- RDP, operator management access
Port 445/tcp	OPEN -- SMB, anonymous login blocked, signing not required

The RDP service on port 3389 leaked a self-signed certificate with subject CN = DESKTOP-E4F55FE, created on 2026-02-28. This tells us two things: the operator provisioned this VPS approximately one week before the sample appeared on MalwareBazaar, and they never bothered to change the default Windows hostname. The exposed SMB port with signing not required is another indicator of minimal operational security hygiene.

Infrastructure Pattern

The combination of DuckDNS dynamic DNS and ColoCrossing/HostPapa hosting is one of the most common infrastructure patterns for Remcos operators. Censys research has identified ColoCrossing, RAILNET, and Contabo as the top three hosting providers for Remcos C2 servers. AS36352 carries a 51% spam rate per CleanTalk blacklists, with over 1,582 detected malicious IPs.

DuckDNS is the dynamic DNS provider of choice for Remcos campaigns -- the maltrail indicator list contains 126+ DuckDNS entries associated with Remcos C2 infrastructure. Dynamic DNS allows operators to rotate the backend IP address without rebuilding the malware, providing resilience against IP-based blocking.

Attribution Assessment

Several indicators converge on a likely West African origin, consistent with threat actor patterns documented by HYAS, Censys, and independent researchers:

Domain naming convention: The domain name "newangelnewlifenewhopeformoneygetrichbac" is a concatenation of aspirational English words. This naming pattern -- long, motivational phrases strung together -- has been repeatedly documented in Remcos campaigns attributed to Nigerian operators. HYAS has specifically tracked Remcos operators based in Maiduguri, Nigeria using similar DuckDNS C2 infrastructure.

Botnet identifier: "Mhunter" plausibly abbreviates "money hunter," consistent with the financial aspiration theme in the domain name.

Infrastructure choices: DuckDNS + ColoCrossing is the most common combination used by documented Remcos operators in West Africa. The minimal OPSEC (default hostname, exposed RDP, exposed SMB) is consistent with less sophisticated cybercrime actors rather than state-sponsored groups.

Targeting: Italy is one of the most heavily targeted countries for Remcos campaigns, with JAMESWT_WT and CERT-AGID documenting extensive phishing operations using DHL, PayPal, and financial institution lures.

MITRE ATT&CK Mapping

Tactic	Technique	ID	Implementation
Initial Access	Phishing	T1566	Suspected phishing lure (Italian targeting)
Execution	User Execution: Malicious File	T1204.002	PE32 binary execution
Persistence	Boot or Logon Autostart: Registry Run Keys	T1547.001	HKCU + HKLM Run keys with watchdog
Defense Evasion	Software Packing	T1027.002	MPRESS packer
Defense Evasion	Obfuscated Files or Information	T1027	RC4 encrypted config in RCDATA resource
Privilege Escalation	Process Injection: Process Hollowing	T1055.012	CreateProcess → WriteProcessMemory → SetThreadContext → ResumeThread
Credential Access	Input Capture: Keylogging	T1056.001	SetWindowsHookExA keyboard hooks
Collection	Screen Capture	T1113	Periodic screenshots to Screenshots/
Collection	Audio Capture	T1123	Microphone recording to MicRecords/
Command and Control	Encrypted Channel: Asymmetric Cryptography	T1573.002	TLS 1.3 with EC P-256 mutual authentication
Command and Control	Dynamic Resolution: Dynamic DNS	T1568.002	DuckDNS for C2 domain resolution

Defensive Recommendations

Network-Level Controls:

1. Block DuckDNS at the DNS layer. If *.duckdns.org is not used legitimately in your environment, block it entirely. This single rule eliminates connectivity for 126+ documented Remcos C2 domains and many other malware families that abuse this service.
2. Block the C2 IP 96.44.159.137 and consider reputation-based blocking for AS36352 (ColoCrossing), which carries a 51% spam rate.
3. Alert on TLS connections to non-standard ports using self-signed EC P-256 certificates with empty Subject/Issuer fields and the 1970-2090 validity window. This certificate profile is highly anomalous and strongly indicative of Remcos.
4. Deploy JA3/JA3S fingerprinting to identify Remcos TLS handshake patterns, particularly on high-numbered ports.

Host-Level Controls: 5. Hunt for the mutex Rmc-CJKB2M in process handles. Remcos uses unique mutex names per campaign, making this a high-fidelity indicator for this specific build. 6. Monitor Registry Run keys for new entries pointing to remcos.exe or any unexpected executables. 7. Detect process hollowing behavior -- specifically the CreateProcess (suspended) → WriteProcessMemory → SetThreadContext → ResumeThread API call sequence. 8. Search for artifact directories named Screenshots, MicRecords, and log files named logs.dat in unexpected locations.

Strategic Controls: 9. Implement email filtering for common Remcos delivery lures in Italian-targeted environments: DHL shipping notifications, PayPal payment confirmations, and financial institution correspondence. 10. Deploy application whitelisting to prevent execution of unknown PE binaries, particularly MPRESS-packed executables.

Indicators of Compromise

Network Indicators

Type	Value
C2 Domain	newangelnewlifenewhopeformoneygetrichbac.duckdns[.]org
C2 IP	96.44.159.137
C2 Port	14645/tcp
Reverse DNS	96-44-159-137-host.colocrossing.com
ASN	AS36352 (HostPapa / ColoCrossing)
RDP Hostname	DESKTOP-E4F55FE

File Indicators

Type	Value
SHA256	7976b72d4f0bcca38ba349dc7329e50721afa3b339b0615b42ccdaf899e062e6
MD5	006c1b888bc4ecb72158c20ca0d6cc2c
Filename	remcos.exe
Size	528,384 bytes
Config Hash	A7ACC1647D9ABDD81DDE5E01BEB3E738

Host Indicators

Type	Value
Mutex	Rmc-CJKB2M
Botnet ID	Mhunter
Log File	logs.dat
Screenshots Directory	Screenshots
MicRecords Directory	MicRecords
Registry (HKCU)	HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Registry (HKLM)	HKLM\Software\Microsoft\Windows\CurrentVersion\Run

TLS Certificate Fingerprints

Certificate	Serial	SHA256
Client (field 54)	45:e5:b5:db:64:97:56:41:65:46:ce:0e:64:e3:14:1e	--
Server (field 56)	62:0f:88:5f:cc:d5:40:a5:9b:77:8b:08:71:66:61:d1	bea4cc929bbd4d0c63d1cb31171f27cc09a7fe09741f5cb5bfe9efe6209d989f

Conclusion

The "Mhunter" campaign represents a textbook Remcos RAT deployment: MPRESS packing for basic evasion, DuckDNS for resilient C2 resolution, and a ColoCrossing VPS for hosting. What elevates this sample from routine to noteworthy is the mutual TLS authentication configuration. By embedding both a client certificate and the corresponding private key into the malware configuration, the operator ensures that only infected machines can communicate with the C2 server. This defeats passive C2 monitoring, complicates sinkholing efforts, and requires analysts to extract the embedded TLS material before they can interact with the infrastructure -- exactly what we did here.

The operator's poor OPSEC -- an unchanged default Windows hostname on the RDP service, exposed SMB with signing disabled, and a domain name that reads like a motivational poster -- suggests a financially motivated cybercrime actor rather than an advanced persistent threat. The infrastructure and naming patterns are consistent with West African operators documented by HYAS and Censys, and the Italian targeting aligns with the extensive Remcos phishing campaigns tracked by JAMESWT and CERT-AGID.

For defenders, the actionable takeaway is straightforward: block DuckDNS if you do not use it, alert on self-signed EC P-256 certificates with empty subjects on non-standard ports, and hunt for the Rmc-CJKB2M mutex. The extracted client certificate and private key published here also give the research community the material needed to probe this C2 directly -- while it remains live.

---

Analysis by Breakglass Intelligence. Sample sourced from MalwareBazaar (reporter: JAMESWT_WT). Investigation conducted 2026-03-04.

References: Censys -- Mapping Remcos C2 Activity at Internet Scale | HYAS -- Tracking An Active Remcos Malware Campaign | stamparm/maltrail Remcos Indicators | JAMESWT_WT