Evil Stealer: 310,000 Stolen Credential Logs, an Unauthenticated API, and a Promotional Video That Doxed the Operator
Published: 2026-03-13 Author: BGI -- Breakglass Intelligence Tags: infostealer, MaaS, stealer-as-a-service, OSINT, attribution, credential theft, Russia
TL;DR
A live info-stealer operation at evilmirror[.]net left its backend status API wide open on port 8888 with zero authentication, exposing a last_log_id counter reading 310,194. If that counter started at zero when the infrastructure came up, over 310,000 victim credential logs have been processed in roughly six days of operation. The operator embedded an Adobe After Effects promotional video in the panel that still contained its XMP metadata, leaking the Windows username moros, a UTC+3 timezone, and a Russian-language filename. The entire infrastructure -- domain registration, TLS certificate, video render, panel deployment -- was stood up in a single evening on March 4, 2026. As of publication, there is zero prior reporting on Evil Stealer across any public threat intelligence platform. The surrounding /24 on Njalla hosting is a criminal cluster featuring hosts that present genuine Apple and Oracle TLS certificates, crypto phishing clones, and an OnlyFans creator scraper sharing the same OS template and registrar as the stealer.
A Stealer Panel With Its Pants Down
On March 10, researcher Raaz (@solostalking) posted a brief tweet identifying a new stealer panel at 80[.]78[.]19[.]96:3000. Two IOCs. One screenshot. No analysis.
Breakglass Intelligence took that starting point and ran.
What we found was a freshly deployed info-stealer MaaS (Malware-as-a-Service) operation that had been live for less than a week but had already processed over 310,000 credential logs -- and whose operator had committed a textbook OPSEC failure that ties the entire operation to a Russian-speaking individual whose workstation clock runs on UTC+3, Moscow Standard Time.
The domain evilmirror[.]net was registered through Namecheap on March 4, 2026. The Let's Encrypt certificate was issued the same evening. The promotional video was rendered the same evening. The operator built and deployed the entire operation in a single sitting, with the render and the certificate issuance both landing just after 11 PM Moscow time. And in the rush, they forgot to strip the metadata from a five-second After Effects render.
The Unauthenticated Backend
The Evil Stealer panel runs a Next.js frontend on ports 80/443/3000 -- a dark, red-themed "access terminal" with CRT scanline aesthetics, pulsing status indicators, and branding that references XMPP/OMEMO encrypted communications. The build version reads 0.6.6-rc with a semver constraint of >=0.6.6 <0.9.9, indicating active pre-release development.
But the real finding was on port 8888.
A Python BaseHTTP server (Python 3.10.12, Ubuntu 22.04) exposes a /status endpoint with no authentication whatsoever. No tokens, no headers, no IP restrictions. A simple GET request returns:
{
"status": "ok",
"last_log_id": "310194",
"output_dir": "downloaded_logs",
"timestamp": "2026-03-10T17:33:58.098676"
}
The last_log_id field reads as a monotonically increasing counter (the API returns it as a JSON string, so cast it before doing arithmetic on it). If it started at zero, over 310,000 credential logs have been processed; it counts logs ingested, not unique victims, and a host infected more than once produces more than one log. The output_dir value -- downloaded_logs -- suggests a pull-model architecture where a separate script downloads and processes stolen data. We conducted 150+ probes against this service across 19 enumeration phases. The server has exactly one functional endpoint. It accepts only GET requests. It ignores all query parameters, all headers, and all authentication attempts. It serves no files and has no path traversal vulnerabilities. It is a bare monitoring endpoint that the operator probably checks from their workstation -- and they left it facing the open internet.
Assuming the counter started at zero when the infrastructure went live on March 4, that averages roughly 51,700 logs per day over six days of operation, which is a high-volume credential harvesting campaign by any measure. A second reading taken a known interval later would turn that assumption into a measured rate.
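As an added example (not tooling from the report), the arithmetic behind both figures: the "average since launch" estimate, which depends on the counter having started at zero, and the live rate from two timestamped readings, which does not. REAL_READING is the response quoted above; CONSTRUCTED_READING is a hypothetical second sample 24 hours later, made up to show the calculation. poll_status() does a live GET against a URL you supply and is not used offline.

```python
"""Turn the /status counter into a rate, with and without the "started at zero" assumption."""
import json
from datetime import datetime, timezone
from typing import Optional, Tuple
from urllib.request import urlopen

# Response quoted in the report (real). The timestamp carries no zone; treated as UTC below.
REAL_READING = ('{"status": "ok", "last_log_id": "310194", "output_dir": "downloaded_logs", '
                '"timestamp": "2026-03-10T17:33:58.098676"}')
# Hypothetical second sample, constructed: exactly 24h later and 51,700 logs higher.
CONSTRUCTED_READING = ('{"status": "ok", "last_log_id": "361894", "output_dir": "downloaded_logs", '
                       '"timestamp": "2026-03-11T17:33:58.098676"}')
# Let's Encrypt issuance time from the report, used as the "infrastructure went live" anchor.
CERT_ISSUED_UTC = datetime(2026, 3, 4, 20, 15, tzinfo=timezone.utc)


def parse_status(body: str) -> Tuple[datetime, int]:
    """Return (observation time, counter). last_log_id is a JSON string, so cast it."""
    obj = json.loads(body)
    ts = datetime.fromisoformat(obj["timestamp"])
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)  # assumption: the server clock is UTC
    return ts, int(obj["last_log_id"])


def rate_per_day(earlier: str, later: str) -> float:
    """Live ingestion rate from two observations; makes no assumption about when the counter started."""
    t0, n0 = parse_status(earlier)
    t1, n1 = parse_status(later)
    if n1 < n0:
        raise ValueError("counter went backwards: reset, or a different backend answered")
    seconds = (t1 - t0).total_seconds()
    if seconds <= 0:
        raise ValueError("readings must be in chronological order")
    return (n1 - n0) * 86400 / seconds


def average_since(first_seen: datetime, reading: str) -> float:
    """Average rate if the counter was zero at first_seen (the report's six-day estimate)."""
    t, n = parse_status(reading)
    return n / ((t - first_seen).total_seconds() / 86400)


def poll_status(url: str, timeout: float = 5.0) -> Optional[Tuple[datetime, int]]:
    """Fetch and parse one live reading; None on any network or parse error."""
    try:
        with urlopen(url, timeout=timeout) as resp:  # network; not exercised offline
            return parse_status(resp.read().decode())
    except Exception:
        return None


if __name__ == "__main__":
    print(f"average since certificate issuance: {average_since(CERT_ISSUED_UTC, REAL_READING):.0f} logs/day")
    print(f"live rate from two samples (2nd is constructed): "
          f"{rate_per_day(REAL_READING, CONSTRUCTED_READING):.0f} logs/day")
```

A counter that goes backwards between readings is itself a finding: either the backend was reset or a different process is now answering on 8888.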
The Video That Told Us Everything
The Evil Stealer panel serves a promotional video at /zloy_parya2.mp4 -- a 6.5 MB, 500x500 pixel, 5-second After Effects render. The filename is transliterated Russian: "zloy parya" (злой паря) translates to "evil guy" or "angry dude" (паря is a colloquial form of парень). The 2 suffix indicates this is the second version.
The operator did not strip the XMP metadata before uploading.
Embedded in the file's metadata block is an After Effects project link that reveals the full Windows path of the developer's workstation:
C:\Users\moros\Desktop\gfhz.aep
From this single artifact, we extract:
| Artifact | Value | Intelligence Value |
|---|---|---|
| Windows username | moros | Operator handle/alias |
| Project file | gfhz.aep | Random keyboard string -- disposable project name |
| Software | Adobe After Effects 2025 | Professional video production tooling |
| Creation timestamp | 2026-03-04T23:06:22+03:00 | UTC+3 -- Moscow Standard Time |
| XMP Instance ID | xmp.iid:40395bd7-1b8b-bb49-aeb0-7bb8934ae858 | Cross-reference fingerprint |
| XMP Document ID | xmp.did:510e389b-1418-c04a-90bc-d51f2b53841b | Cross-reference fingerprint |
The combination of a Russian-language filename, UTC+3 timezone, and the operator handle moros gives us medium-high confidence attribution to a Russian-speaking individual. The XMP IDs are document-lineage identifiers rather than machine identifiers: xmpMM:DocumentID is assigned when a document is created and is shared by renditions derived from it, while xmpMM:InstanceID changes on every save or export. They will recur (directly, or as xmpMM:DerivedFrom / xmpMM:History references) in files derived from this video or from the same gfhz.aep project, not in arbitrary future renders from the same machine.
The video was rendered at 11:06 PM local time (20:06 UTC). The domain was registered earlier that same evening. The TLS certificate was issued at 20:15 UTC, nine minutes after the render finished. The entire infrastructure went from zero to operational in a matter of hours -- and the operator was working late.
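The extraction described in this section, as an added example (not the report's tooling): locate the XMP packet inside an MP4, pull the After Effects fields, derive the UTC offset from the creation timestamp, and scan the packet for Windows paths and the username they contain. SAMPLE_MP4 is constructed: an ftyp box, padding, and an XMP packet carrying the values quoted above, with the project path placed in an xmpMM:Ingredients/stRef:filePath attribute (an assumption about where After Effects writes it; the path scanner catches a Windows path anywhere in the packet, so the exact layout does not matter).

```python
"""Extract attribution fields from the XMP packet embedded in an After Effects MP4 render."""
import re
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample: ftyp box + padding + XMP packet with the report's values + padding.
SAMPLE_MP4 = (
    b"\x00\x00\x00\x1cftypisom\x00\x00\x02\x00isomiso2mp41" + b"\x00" * 24
    + b"<?xpacket begin='\xef\xbb\xbf' id='W5M0MpCehiHzreSzNTczkc9d'?>"
    + b'<x:xmpmeta xmlns:x="adobe:ns:meta/">'
    + b'<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">'
    + b'<rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/"'
    + b' xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/"'
    + b' xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#"'
    + b' xmp:CreatorTool="Adobe After Effects 2025"'
    + b' xmp:CreateDate="2026-03-04T23:06:22+03:00"'
    + b' xmpMM:InstanceID="xmp.iid:40395bd7-1b8b-bb49-aeb0-7bb8934ae858"'
    + b' xmpMM:DocumentID="xmp.did:510e389b-1418-c04a-90bc-d51f2b53841b">'
    + b'<xmpMM:Ingredients><rdf:Bag>'
    + b'<rdf:li stRef:filePath="C:\\Users\\moros\\Desktop\\gfhz.aep"/>'  # assumed location
    + b'</rdf:Bag></xmpMM:Ingredients>'
    + b"</rdf:Description></rdf:RDF></x:xmpmeta>"
    + b"<?xpacket end='w'?>" + b"\x00" * 24
)

XMP_PACKET = re.compile(rb"<x:xmpmeta.*?</x:xmpmeta>", re.S)
# Windows absolute path: drive letter, then backslash-separated segments with no quote/angle/pipe/control chars.
WIN_PATH = re.compile(rb'[A-Za-z]:\\(?:[^\\"<>|\x00-\x1f]+\\)*[^\\"<>|\x00-\x1f]+')


def _prop(xmp: str, name: str) -> Optional[str]:
    """XMP properties appear either as attributes (name="v") or as elements (<name>v</name>)."""
    m = re.search(re.escape(name) + r'(?:="([^"]*)"|>([^<]*)<)', xmp)
    return (m.group(1) or m.group(2)) if m else None


def analyze_xmp(data: bytes) -> Optional[dict]:
    """Return the attribution fields from the first XMP packet in data, or None if there is none."""
    m = XMP_PACKET.search(data)
    if not m:
        return None
    raw = m.group(0)
    xmp = raw.decode("utf-8", errors="replace")
    paths = sorted({p.decode("utf-8", errors="replace") for p in WIN_PATH.findall(raw)})
    username = None
    for p in paths:  # C:\Users\<name>\... leaks the Windows account name
        u = re.match(r"^[A-Za-z]:\\Users\\([^\\]+)\\", p, re.I)
        if u:
            username = u.group(1)
            break
    result = {
        "creator_tool": _prop(xmp, "xmp:CreatorTool"),
        "instance_id": _prop(xmp, "xmpMM:InstanceID"),  # changes on every save/export
        "document_id": _prop(xmp, "xmpMM:DocumentID"),  # shared by renditions of the same document
        "paths": paths,
        "username": username,
        "create_date_local": None,
        "utc_offset": None,
        "create_date_utc": None,
    }
    created = _prop(xmp, "xmp:CreateDate")
    if created:
        dt = datetime.fromisoformat(created)
        result["create_date_local"] = created
        if dt.tzinfo is not None:  # the offset is the timezone leak
            off = dt.utcoffset()
            sign = "+" if off >= timedelta(0) else "-"
            secs = abs(int(off.total_seconds()))
            result["utc_offset"] = f"UTC{sign}{secs // 3600:02d}:{(secs % 3600) // 60:02d}"
            result["create_date_utc"] = dt.astimezone(timezone.utc).isoformat()
    return result


if __name__ == "__main__":
    for k, v in analyze_xmp(SAMPLE_MP4).items():
        print(f"{k:>18}: {v}")
```

Run it against a real file by replacing SAMPLE_MP4 with the file's bytes; the regex approach is deliberately tolerant of the attribute-versus-element serialisation differences between Adobe products.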
Infrastructure: Njalla and a Criminal Neighborhood
Evil Stealer is hosted on Njalla (AS39287, Materialism s.r.l., Bucharest, Romania), a privacy-focused VPS provider that has become a recurring fixture in criminal infrastructure investigations. The PTR record resolves to 504e1360.host.njalla.net within the 80.78.16.0/20 allocation.
The server runs five services:
| Port | Service | Purpose |
|---|---|---|
| 22 | OpenSSH 8.9p1 | Administration |
| 80 | nginx 1.18.0 | HTTPS redirect |
| 443 | nginx -> Next.js | Panel frontend |
| 3000 | Next.js (Turbopack) | Raw app server (accidentally exposed) |
| 8888 | Python BaseHTTP | Log aggregation status API |
Port 3000 deserves a note: it exposes the raw Next.js development server without TLS, bypassing the nginx reverse proxy. This is likely a configuration oversight -- the operator put nginx on 80/443 but left the upstream application port listening on the public interface with no firewall rule in front of it. Combined with the unauthenticated status API on 8888, the operational security posture is poor across the board.
The /24: A Criminal Cluster
Scanning the surrounding 80.78.19.0/24 revealed a diverse criminal ecosystem sharing the same Njalla hosting block. Selected highlights:
| IP | What It Is | Threat Level |
|---|---|---|
| 80[.]78[.]19[.]84 | sumsub[.]buzz -- Impersonation of Sumsub KYC provider, clone of CoinLedger crypto tax platform | Crypto phishing |
| 80[.]78[.]19[.]88 | Telegram bot admin panel with leaked /api/settings endpoint (no auth) | Grey market |
| 80[.]78[.]19[.]92 | OFM Hub Intel -- fully exposed OnlyFans creator scraper with Swagger docs | Data harvesting |
| 80[.]78[.]19[.]99 | spendy[.]fun -- Russian-language Telegram Mini App finance bot (RUB currency default) | Likely legitimate |
| 80[.]78[.]19[.]101 | Presents a genuine Oracle Corporation TLS certificate from a Njalla VPS | TLS relay (possible MitM) |
| 80[.]78[.]19[.]104 | Presents a genuine Apple Inc. EV certificate from a Njalla VPS | TLS relay (possible MitM) |
The strongest cross-infrastructure connection is between Evil Stealer (.96) and the OnlyFans scraper (.92): both domains were registered through Namecheap behind Withheld for Privacy ehf, both servers return the same SSH HASSH fingerprint (41ff3ecd...), and both run Python backends. Each of these signals is weak on its own: Withheld for Privacy ehf is Namecheap's default WHOIS proxy, and an identical HASSH is what every unmodified OpenSSH 8.9p1 on Ubuntu 22.04 produces, so it points to the same OS template rather than the same hands. Taken together with the shared Njalla block they are consistent with a single operator, and that is our leading hypothesis, but a stronger pivot (a shared SSH host key, favicon, analytics ID, or reused code) would be needed to call it high confidence.
The Oracle and Apple certificate servers at .101 and .104 answer with an AkamaiGHost server header and present genuine corporate EV certificates. Before reading this as BGP hijacking or a compromised CDN configuration, consider the mundane explanation that fits the same observation: a TCP-level relay (an nginx stream block, socat, or a DNAT rule) forwarding port 443 to the real Akamai edge will present Akamai's genuine certificate and banner without the relay ever holding a private key, and scanners will attribute the certificate to the Njalla IP. Which of these it is has not been established. Either way the hosts are worth tracking: such relays are used to make a C2 address look like a major brand to casual inspection, and they become man-in-the-middle infrastructure the moment victims are pointed at them.
MITRE ATT&CK Mapping
| Tactic | Technique | ID |
|---|---|---|
| Resource Development | Acquire Infrastructure: VPS | T1583.003 |
| Resource Development | Acquire Infrastructure: Domains | T1583.001 |
| Credential Access | Credentials from Password Stores | T1555 |
| Credential Access | Steal Web Session Cookie | T1539 |
| Collection | Data from Local System | T1005 |
| Exfiltration | Exfiltration Over C2 Channel | T1041 |
| Command and Control | Application Layer Protocol | T1071 |
| Defense Evasion | Masquerading | T1036 |
IOCs
# Domains
evilmirror[.]net
www[.]evilmirror[.]net
# IP
80[.]78[.]19[.]96
# URLs
hxxps://evilmirror[.]net/
hxxp://80[.]78[.]19[.]96:3000/
hxxp://80[.]78[.]19[.]96:8888/status
# TLS Certificate Serial
05:72:b7:73:96:61:1d:1d:42:21:88:fc:39:67:83:e0:2d:9e
# Promotional Video Hash
SHA256: 6eb03ee6f1efc8110b39ebd25a6345343602f7b91654da0da382bb5f2a65a6b8
# Favicon Hash
SHA256: e6a1fb96b2e07da569ab8144894cd6056360f1d72f660a6a1f01d7e05040733d
# SSH Host Key (Ed25519)
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINJ3GltQHreUWXzxkm1rGLoBwXD7j4D/XwGpebQh2Eu3
# XMP Fingerprints (operator project lineage; not machine identifiers)
xmp.iid:40395bd7-1b8b-bb49-aeb0-7bb8934ae858
xmp.did:510e389b-1418-c04a-90bc-d51f2b53841b
# Neighboring Infrastructure (same Njalla /24)
80[.]78[.]19[.]84 -- sumsub[.]buzz crypto phishing
80[.]78[.]19[.]92 -- OFM Hub Intel scraper (likely same operator; see the /24 section)
80[.]78[.]19[.]101 -- Presents genuine Oracle TLS cert (relay, possible MitM)
80[.]78[.]19[.]104 -- Presents genuine Apple TLS cert (relay, possible MitM)
What Comes Next
As of publication, no Evil Stealer binary sample has been captured by any public sandbox or malware repository. The panel is a landing page -- the actual stealer payload, its delivery mechanism, and its victim-side behavior remain unknown. The XMPP/OMEMO authentication scheme advertised on the panel is not yet functional (all XMPP ports are closed, the jabber subdomain has no DNS record), but the branding suggests it is planned for a future release.
The operator moros should be tracked across underground forums, Telegram channels, and code repositories. The XMP DocumentID is a document-lineage identifier, not a machine identifier: expect it to reappear (directly or as an xmpMM:DerivedFrom / xmpMM:History reference) in any re-export of this video or render of the same gfhz.aep project, but not in renders of new projects from the same workstation. The Vercel Analytics SDK integrated into the panel frontend may link to an identifiable Vercel account.
Recommendations for Defenders
Immediate: Block evilmirror[.]net and 80[.]78[.]19[.]96 at your perimeter. If you choose to block the surrounding neighborhood, note that 80.78.19.80/28 covers only .80 through .95 and misses the stealer itself at .96; the smallest aligned block that covers every host in the table above (.84 through .104) is 80.78.19.64/26, at the cost of 57 addresses for which there is no evidence. Add the TLS certificate serial to certificate monitoring.
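As an added example (not from the report), the block arithmetic behind that recommendation, using Python's ipaddress module and the addresses listed in the /24 table above: find the smallest aligned CIDR that covers the evidence set, list which evidence hosts a proposed block misses, and count the collateral addresses a block would take with it.

```python
"""Smallest aligned CIDR block covering a set of IPv4 addresses, plus coverage and collateral checks."""
import ipaddress
from typing import Iterable, List

# Hosts from the /24 table above, including the stealer at .96.
NEIGHBOURHOOD = ["80.78.19.84", "80.78.19.88", "80.78.19.92", "80.78.19.96",
                 "80.78.19.99", "80.78.19.101", "80.78.19.104"]


def covering_block(ips: Iterable[str]) -> ipaddress.IPv4Network:
    """Widen a /32 on the lowest address one bit at a time until it also contains the highest."""
    addrs = sorted(ipaddress.IPv4Address(i) for i in ips)
    lo, hi = addrs[0], addrs[-1]
    for prefix in range(32, -1, -1):
        net = ipaddress.ip_network(f"{lo}/{prefix}", strict=False)  # strict=False aligns to the boundary
        if hi in net:
            return net
    raise AssertionError("a /0 contains every address; unreachable")


def uncovered(block: str, ips: Iterable[str]) -> List[str]:
    """Evidence hosts that a proposed block does not actually cover."""
    net = ipaddress.ip_network(block, strict=False)
    return [i for i in ips if ipaddress.IPv4Address(i) not in net]


def collateral(block: ipaddress.IPv4Network, ips: Iterable[str]) -> int:
    """Addresses inside the block that are not in the evidence set: the cost of a broad block."""
    return block.num_addresses - len({ipaddress.IPv4Address(i) for i in ips} & set(block))


if __name__ == "__main__":
    print("missed by 80.78.19.80/28:", uncovered("80.78.19.80/28", NEIGHBOURHOOD))
    best = covering_block(NEIGHBOURHOOD)
    print("smallest covering block:", best, "collateral:", collateral(best, NEIGHBOURHOOD))
```

Whether 57 unattributed addresses are an acceptable price is a policy call; the function just makes the price visible before the rule goes in.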
Short-term: Monitor MalwareBazaar and VirusTotal for samples communicating with these IOCs. Set up passive DNS alerts for new subdomains under evilmirror[.]net. Watch for the XMPP infrastructure to come online -- that likely signals the next version.
Medium-term: Track the moros handle. Monitor Namecheap registrations through the same Withheld for Privacy ehf proxy for new domains in this operator's portfolio. The build version 0.6.6-rc and the version ceiling of 0.9.9 tell us this tool is in active development with significant runway planned.
310,000 credential logs in six days, from an operation that did not exist a week ago, with zero coverage on any threat intel platform until now. The stealer economy does not sleep, and neither should the detection stack.
Investigation conducted by GHOST -- Breakglass Intelligence. Original panel identification by Raaz (@solostalking). Full technical report, STIX 2.1 bundle, YARA rules, and Suricata signatures available at intel.breakglass.tech.