Evil Stealer: A Multi-Pronged Cybercrime Operation Unmasked Through a Metadata Mistake
TL;DR: Breakglass Intelligence discovered and fully attributed a live cybercrime operation spanning three distinct revenue streams: an information stealer processing 310,000+ credential logs, a cryptocurrency wallet drainer embedded in the panel's JavaScript, and an automated OnlyFans creator scraper targeting female performers. The operator -- identified as Windows user "moros" through unstripped XMP metadata -- works from a UTC+3 timezone and uses Russian-language naming conventions. A critical forensic finding reveals the After Effects project filename gfhz.aep maps to паря ("guy/dude") on a Russian QWERTY keyboard, confirming native Russian input. Infrastructure analysis links the Evil Stealer C2 at evilmirror[.]net to the OFM Hub Intel scraper at ofmhubintel[.]com through matching domain registrar, privacy service, SSH fingerprints, and OS template -- HIGH confidence same operator. The surrounding Njalla /24 netblock hosts a diverse criminal ecosystem including enterprise TLS certificate MitM proxies (Oracle, Apple), a Hak5 Cloud C2, crypto phishing clones, and KYC impersonation domains.
Background
Information stealers represent one of the most prolific and damaging categories of cybercrime tooling. They operate at scale, harvesting browser credentials, session cookies, cryptocurrency wallet data, and other sensitive information from compromised machines. The stolen data -- typically called "logs" -- is then sold on underground marketplaces or used directly for account takeover, cryptocurrency theft, and identity fraud.
Evil Stealer is a newcomer to this landscape. Despite being entirely absent from public threat intelligence as of March 10, 2026, it has already processed over 300,000 credential logs. The operator built and deployed the infrastructure with notable speed but made critical mistakes: leaving XMP metadata in a promotional video that reveals their Windows username and timezone, exposing an unauthenticated status API on port 8888, leaving a crypto wallet drainer visible in unminified JavaScript, and deploying a linked OnlyFans scraper from the same OS template with the same domain registrar.
This investigation was conducted independently and represents first-to-find intelligence on the Evil Stealer operation. A parallel discovery by researcher @solostalking identified the same panel but did not perform binary analysis, attribution, or infrastructure pivoting.
Key Findings
- Three-pronged operation: The operator "moros" runs Evil Stealer (info stealer), a cryptocurrency wallet drainer (MetaMask integration in panel JavaScript), and OFM Hub Intel (automated OnlyFans creator scraper) -- all from Njalla infrastructure.
- 310,194 processed credential logs confirmed by an unauthenticated Python status API on port 8888. The counter appears frozen, suggesting migrated historical data rather than continuous ingestion at the initially estimated rate.
- Cryptocurrency wallet drainer embedded in the Evil Stealer panel JavaScript: `eth_requestAccounts` calls and a custom `evil_stealer://auth` URI scheme were found in unminified JS chunks, indicating visitors to the panel could have their MetaMask wallets drained.
- Operator attribution: Windows user "moros" identified through XMP metadata in promotional video `zloy_parya2.mp4`. The After Effects project filename `gfhz.aep` is NOT random -- it maps to `паря` ("guy/dude") typed on a Russian QWERTY keyboard layout, confirming native Russian text input.
- Infrastructure linkage: evilmirror[.]net (Evil Stealer) and ofmhubintel[.]com (OnlyFans scraper) share the same Namecheap registrar, the same "Withheld for Privacy ehf" WHOIS privacy service, an identical SSH HASSH fingerprint (41ff3ecd), and the same OpenSSH 8.9p1 / Ubuntu 22.04 template -- HIGH confidence same operator.
- Parallel discovery: Researcher @solostalking (Raaz) independently found the Evil Stealer panel and submitted IOCs to ThreatFox (#1762861 and #1762862). Their analysis was surface-level: panel screenshots only, no binary acquisition, no operator attribution, no infrastructure pivoting.
- Criminal neighborhood: The /24 netblock contains live MitM proxy infrastructure using genuine Oracle and Apple EV certificates, a Hak5 Cloud C2, crypto phishing clones, KYC impersonation domains, and Russian-language Telegram bot infrastructure.
- VirusTotal reputation: 80.78.19[.]96 has a reputation score of -11 with flags from BitDefender, G-Data, and Gridinsoft. No malware samples communicating with the IP have been submitted yet.
- Single-server operation: SSH key pivoting across Shodan confirms the operator's keys are unique to 80.78.19[.]96. No infrastructure expansion, backup, or standby servers detected.
Attack Chain
The Evil Stealer operation runs a multi-pronged monetization pipeline, though the stealer binary delivery mechanism remains unidentified:
- Delivery: The method by which the stealer payload reaches victim machines is unknown. The panel serves as a management interface and potential wallet-draining trap, not the distribution mechanism.
- Victim Execution: The stealer payload executes on Windows victim machines, harvesting credentials, cookies, browser data, cryptocurrency wallet data, and other sensitive information.
- Data Exfiltration: Stolen data is transmitted to the C2 infrastructure at 80.78.19[.]96. The exact exfiltration channel is unknown -- port 8888 is read-only (POST returns 501), the panel has no visible API endpoints for data submission, and the advertised XMPP service (jabber.evilmirror[.]net) has no DNS record.
- Log Processing: A Python BaseHTTP server on port 8888 aggregates and tracks processed credential logs in a local `downloaded_logs` directory.
- Wallet Draining: The Evil Stealer panel JavaScript contains `eth_requestAccounts` MetaMask integration and an `evil_stealer://auth` custom URI scheme, suggesting visitors to the panel (potential buyers or victims) may have their cryptocurrency wallets drained.
- Data Harvesting: The linked OFM Hub Intel scraper at 80.78.19[.]92 systematically harvests OnlyFans creator profiles (targeting female performers), providing a secondary monetization stream through data sales or targeted social engineering.
- Operator Access: The operator accesses the Evil Stealer panel via evilmirror[.]net to manage operations.
Infrastructure Analysis
Server Configuration
The Evil Stealer infrastructure runs on a single server with five exposed services:
| Port | Service | Technology | Purpose |
|---|---|---|---|
| 22 | SSH | OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 | Server administration |
| 80 | HTTP | nginx/1.18.0 (Ubuntu) | HTTPS redirect |
| 443 | HTTPS | nginx/1.18.0 proxying to Next.js | Evil Stealer landing page + wallet drainer |
| 3000 | HTTP | Next.js (Turbopack) | Raw application server (bypasses nginx) |
| 8888 | HTTP | Python BaseHTTP/0.6 (Python 3.10.12) | Log aggregation API |
Port 3000 exposes the raw Next.js development server, bypassing nginx. This is a configuration that should not exist in production and suggests rapid deployment without proper hardening.
Shodan has only indexed SSH on this host as of March 10, 2026. The HTTP/HTTPS services were deployed on March 4 -- too recently for Shodan's crawl cycle to have reached all ports. The Shodan scan timestamp (February 22) predates the Evil Stealer deployment entirely.
The Unauthenticated Status API
The Python HTTP server on port 8888 exposes a status endpoint without any authentication:
```json
{
  "status": "ok",
  "last_log_id": "310194",
  "output_dir": "downloaded_logs",
  "timestamp": "2026-03-10T17:33:58.098676"
}
```
This reveals:
- Sequential log processing: The `last_log_id` field is a sequential counter showing at least 310,194 individual credential logs have been processed.
- Frozen counter: The counter has not been observed to increment, suggesting these logs may represent migrated historical data from a previous operation rather than continuous new victim ingestion at 51,700/day. The operator may have seeded the counter or imported an existing log database when standing up this infrastructure.
- Local storage: Stolen data is stored in a `downloaded_logs` directory on the server.
- Minimal implementation: `BaseHTTP/0.6 Python/3.10.12` -- no authentication, no rate limiting, no access control.
- GET-only: POST requests return 501 (Unsupported method), making the server read-only from outside. This raises the question of how stolen data actually reaches the server.
The Cryptocurrency Wallet Drainer
Analysis of the Evil Stealer panel's JavaScript bundles revealed cryptocurrency wallet-draining functionality:
- `eth_requestAccounts`: Standard MetaMask API call to request wallet access from a browser extension
- `evil_stealer://auth`: Custom URI scheme suggesting a native application component that handles authentication flows
- Unminified code: The JavaScript was not properly obfuscated, exposing these capabilities to analysis
This indicates the Evil Stealer panel is not merely a management interface -- it doubles as a trap for visitors (potential buyers, researchers, or redirected victims) to have their MetaMask wallets compromised.
Hosting: Njalla Privacy Infrastructure
The server is hosted on Njalla, a privacy-focused hosting provider historically resistant to abuse complaints:
Tier 0 (Upstream): AS39287 "ab stract" (Sweden/Romania)
Tier 1 (Provider): Materialism s.r.l. (Bucharest, Romania)
Tier 2 (Hosting): Njalla VPS (njal.la)
Tier 3 (Target): 80.78.19.96 -> evilmirror.net
Njalla is operated by 1337 LLC / Materialism s.r.l., with a Romanian business address at Bulevardul Metalurgiei, Sector 4, Bucharest. The ASN (AS39287) is registered to "ab stract" in Sweden. The PTR record (504e1360.host.njalla.net) confirms Njalla hosting. Shodan geolocates all IPs in this allocation to Malmö, Sweden.
Domain Analysis
The domain evilmirror[.]net was registered on March 4, 2026, through Namecheap with WHOIS privacy provided by "Withheld for Privacy ehf" (Reykjavik, Iceland). The privacy chain makes registrant identification through WHOIS data alone impossible.
A Let's Encrypt E8 certificate was issued the same day, covering both evilmirror[.]net and www.evilmirror[.]net, using an ECDSA P-256 key. The certificate is valid until June 2, 2026.
The non-functional XMPP reference to jabber.evilmirror[.]net in the panel UI (no DNS record exists for this subdomain) suggests planned but not yet implemented encrypted messaging capabilities. The port 8888 server being read-only and the XMPP being non-functional leaves the actual exfiltration channel as an open question.
Linked Operation: OFM Hub Intel (OnlyFans Scraper)
Attribution to Evil Stealer Operator
The strongest cross-infrastructure connection found links Evil Stealer to OFM Hub Intel, an automated OnlyFans creator scraper running on the same Njalla /24:
| Evidence | Evil Stealer (80.78.19.96) | OFM Hub Intel (80.78.19.92) | Match |
|---|---|---|---|
| Registrar | Namecheap | Namecheap | YES |
| Privacy service | Withheld for Privacy ehf | Withheld for Privacy ehf | YES |
| SSH HASSH | 41ff3ecd1458b0bf86e1b4891636213e | 41ff3ecd1458b0bf86e1b4891636213e | YES |
| OpenSSH version | 8.9p1 Ubuntu | 8.9p1 Ubuntu | YES |
| OS template | Ubuntu 22.04 LTS | Ubuntu 22.04 LTS | YES |
| Hosting | Njalla (AS39287) | Njalla (AS39287) | YES |
| Python backend | BaseHTTP/0.6 (3.10.12) | FastAPI | Partial |
Attribution confidence: HIGH. The combination of identical registrar, identical privacy service, identical SSH HASSH fingerprint (same OS template deployment), and identical hosting provider across two domains registered 18 days apart strongly indicates a single operator.
OFM Hub Intel Capabilities
The scraper at 80.78.19[.]92:8000 runs a fully exposed FastAPI application with Swagger UI documentation:
- `/scan`: Triggers scraping batches with optional admin token authentication
- `/scan/status`: Returns scan cursor and last run time
- `/creators/recent`: New OnlyFans accounts by join date (up to 168 hours lookback)
- `/creators/latest`: Recently updated profiles
- `/creators/search`: Flexible search with filters: gender, performer_only, verified_only, price range, username, join date
The scanner was actively running as of March 9, 2026. The default search preset targets gender=female, performer_only=true -- specifically harvesting female adult content creator data. The last_cursor decodes to timestamp 1682553600 (April 27, 2023), indicating the scraper is paginating through historical OnlyFans data.
Business model hypothesis: The operator runs a diversified cybercrime portfolio -- stealing credentials via Evil Stealer, draining crypto wallets via the panel's MetaMask integration, and harvesting adult content creator data via OFM Hub Intel for resale or targeted social engineering campaigns.
Criminal Neighborhood Analysis
/24 Netblock Overview
The 80.78.19.0/24 Njalla allocation hosts a diverse criminal infrastructure cluster. Shodan indexes 368 services across approximately 55 unique IPs. All hosts share the AS39287 allocation and Njalla's sequential hex-encoded hostname pattern (504eXXXX.host.njalla.net).
Confirmed Malicious Infrastructure
| IP | Service | Assessment | Evidence |
|---|---|---|---|
| 80.78.19[.]71 | Hak5 Cloud C2 (port 8080) + Caddy | Active C2 infrastructure | Shodan-tagged c2 |
| 80.78.19[.]96 | evilmirror[.]net (Evil Stealer) | Info stealer + wallet drainer | This investigation |
| 80.78.19[.]92 | OFM Hub Intel (FastAPI, port 8000) | OnlyFans data scraper | Linked to .96 operator |
| 80.78.19[.]101 | Oracle cert MitM proxy (AkamaiGHost) | TLS interception | Genuine Oracle EV cert |
| 80.78.19[.]104 | Apple cert MitM proxy (AkamaiGHost) | TLS interception | Genuine Apple EV cert |
| 80.78.19[.]84 | sumsub[.]buzz | KYC phishing | Impersonates sumsub.com |
TLS MitM Proxy Infrastructure (80.78.19.101 + 80.78.19.104)
Two Njalla IPs serve genuine enterprise Extended Validation certificates and act as transparent TLS proxies through Akamai CDN:
80.78.19.101 -- Oracle Certificate:
- Subject: CN=www-cs-02.oracle.com, O=Oracle Corporation, L=Redwood City, ST=California
- Issuer: DigiCert Global G3 TLS ECC SHA384 2020 CA1
- SANs: 83 Oracle domains including oracle.com, bronto.com, covid19rx.org
- Behavior: Returns real Oracle error pages with Akamai incident reference numbers
80.78.19.104 -- Apple Certificate:
- Subject: CN=www.apple.com, O=Apple Inc., L=Cupertino (EV cert with serialNumber=C0806592)
- Issuer: Apple Public EV Server RSA CA 1 - G1 (via DigiCert)
- SANs: images.apple.com, www.apple.com, www.apple.com.cn
- WAF: Kona SiteDefender (Akamai) detected
These servers can intercept all traffic in transit, including credentials, session tokens, and API keys. The Akamai infrastructure is real -- traffic flows through genuine CDN endpoints routed through these Njalla IPs.
Connection to Evil Stealer: MEDIUM-LOW. Same SSH Group B (OpenSSH 9.6p1), same Njalla hosting, but different OS template than the Evil Stealer operator. Could represent a stealer + traffic interception pipeline, but insufficient evidence for firm attribution to "moros."
Suspicious Financial/Crypto Infrastructure
| IP | Domain | Assessment |
|---|---|---|
| 80.78.19[.]81 | new.mortgagefi[.]app | Financial phishing on privacy hosting |
| 80.78.19[.]123 | chainlytic-ai[.]com | AI/crypto on privacy hosting, 6 CVEs |
| 80.78.19[.]156 | sbpcapital[.]app | Financial app, port 3001 open |
| 80.78.19[.]60 | rajbet65[.]com | Gambling site on privacy hosting |
| 80.78.19[.]38 | medusa1[.]com | Named after Medusa ransomware gang, 2 CVEs |
Other Suspicious Infrastructure
| IP | Domain | Assessment |
|---|---|---|
| 80.78.19[.]88 | (Telegram bot backend) | Node.js admin panel, leaked settings via unauthenticated /api/settings endpoint |
| 80.78.19[.]99 | spendy[.]fun | Russian-language Telegram finance bot (RUB currency), likely legitimate |
| 80.78.19[.]53 | kanglomirat[.]market | Marketplace on privacy hosting |
| 80.78.19[.]176 | (no hostname) | MS-SQL + IIS + SSH + email -- Windows/Linux hybrid |
SSH Fingerprint Groupings
Three distinct OS template groups were identified in the /24, useful for clustering:
Group A -- OpenSSH 8.9p1 (HASSH: 41ff3ecd) -- Ubuntu 22.04:
- 80.78.19.92 (ofmhubintel.com) -- LINKED TO EVIL STEALER
- 80.78.19.96 (evilmirror.net) -- EVIL STEALER TARGET
- 34 total hosts in /24 share this HASSH (it's a Njalla template default, not an operator signature)
Group B -- OpenSSH 9.6p1 (HASSH: e42184b0) -- Ubuntu 24.04:
- 80.78.19.84, .88, .101, .104
Group C -- OpenSSH 9.2p1 -- Debian:
- 80.78.19.99
All SSH host keys are unique per IP -- Njalla generates per-VM keys. No infrastructure expansion was detected through SSH key pivoting.
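The grouping above rests on two checks: HASSH clustering (same KEXINIT algorithm sets mean the same OS template) and host-key uniqueness (reused host keys would mean cloned VM images). The Python below is an added example, not tooling from the report; it implements the hasshServer digest as defined by salesforce/hassh (MD5 over the four server-to-client algorithm lists joined by `;`), clusters constructed host records by it, and applies the report's caveat that a HASSH shared by most of a netblock is a template default rather than an operator signature. The algorithm lists, banners and host-key fingerprints are invented stand-ins, so the digests will not equal the 41ff3ecd/e42184b0 values quoted above.

```python
import hashlib
from collections import defaultdict


def hassh_server(kex, enc_s2c, mac_s2c, comp_s2c):
    # hasshServer (salesforce/hassh): MD5 over the four server-to-client
    # algorithm name-lists from SSH_MSG_KEXINIT, each comma-joined, joined by ';'.
    joined = ";".join(",".join(lst) for lst in (kex, enc_s2c, mac_s2c, comp_s2c))
    return hashlib.md5(joined.encode("ascii")).hexdigest()


# Constructed KEXINIT lists standing in for OS templates. They are NOT the real
# Ubuntu 22.04 / 24.04 / Debian algorithm sets.
TEMPLATE_A = dict(
    kex=["curve25519-sha256", "curve25519-sha256@libssh.org", "ecdh-sha2-nistp256"],
    enc_s2c=["chacha20-poly1305@openssh.com", "aes128-ctr", "aes256-gcm@openssh.com"],
    mac_s2c=["umac-64-etm@openssh.com", "hmac-sha2-256-etm@openssh.com"],
    comp_s2c=["none", "zlib@openssh.com"],
)
TEMPLATE_B = dict(TEMPLATE_A, kex=["sntrup761x25519-sha512@openssh.com"] + TEMPLATE_A["kex"])
TEMPLATE_C = dict(TEMPLATE_A, mac_s2c=["hmac-sha2-256"])

# Constructed host records: (ip, banner, kexinit lists, host-key fingerprint).
HOSTS = [
    ("80.78.19.92", "OpenSSH_8.9p1 Ubuntu", TEMPLATE_A, "SHA256:hostkey-92"),
    ("80.78.19.96", "OpenSSH_8.9p1 Ubuntu", TEMPLATE_A, "SHA256:hostkey-96"),
    ("80.78.19.101", "OpenSSH_9.6p1 Ubuntu", TEMPLATE_B, "SHA256:hostkey-101"),
    ("80.78.19.104", "OpenSSH_9.6p1 Ubuntu", TEMPLATE_B, "SHA256:hostkey-104"),
    ("80.78.19.99", "OpenSSH_9.2p1 Debian", TEMPLATE_C, "SHA256:hostkey-99"),
]


def cluster_by_hassh(hosts):
    """Map each HASSH digest to the IPs presenting it (the report's Group A/B/C)."""
    groups = defaultdict(list)
    for ip, _banner, algs, _fp in hosts:
        groups[hassh_server(**algs)].append(ip)
    return dict(groups)


def hassh_link_strength(hosts, ip_a, ip_b):
    """How much weight a shared HASSH carries for linking two hosts.

    A digest shared by most of the netblock (34 of ~55 hosts in the report) is a
    provider template default and only weakly supports same-operator attribution.
    """
    for ips in cluster_by_hassh(hosts).values():
        if ip_a in ips and ip_b in ips:
            share = len(ips) / len(hosts)
            return "weak (template default)" if share > 0.5 else "supporting"
    return "none (different HASSH)"


def shared_host_keys(hosts):
    """Host-key fingerprints seen on more than one IP (cloned images / expansion)."""
    by_key = defaultdict(list)
    for ip, _banner, _algs, fp in hosts:
        by_key[fp].append(ip)
    return {fp: ips for fp, ips in by_key.items() if len(ips) > 1}


if __name__ == "__main__":
    for digest, ips in cluster_by_hassh(HOSTS).items():
        print(digest[:8], ips)
    print(hassh_link_strength(HOSTS, "80.78.19.92", "80.78.19.96"))
    print("shared host keys:", shared_host_keys(HOSTS))
```

In practice the algorithm lists come from a KEXINIT capture (Shodan's `ssh.hassh` field or a packet capture parsed with the hassh tooling) rather than hand-written dictionaries; the clustering and weighting logic is the same.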
Web Application Analysis
Landing Page Design
The Evil Stealer panel presents a stylized dark terminal aesthetic:
- Title: `EVIL stealer // access_terminal`
- Meta description: "XMPP + OMEMO secure authentication portal"
- Framework: Next.js with Turbopack bundler
- Font: Geist Mono (monospace)
- Analytics: Vercel Analytics SDK v1.6.1 integrated
Visual elements include a CRT scanline animation overlay, red grid background pattern, pulsing "node_01" indicator, an 8-second progress bar animation, and blinking cursor with "initializing system_" text. A promotional video (zloy_parya2.mp4) is embedded in the page.
Version Information
```text
// EVIL_stealer
// build::0.6.6-rc
// sys::active
node_01
// xmpp://jabber.evilmirror.net
pragma evil >=0.6.6 <0.9.9;
```
The release candidate version (0.6.6-rc) and semver constraint (>=0.6.6 <0.9.9) indicate actively developed software that has not yet reached 1.0. The "node_01" designation suggests the architecture is designed for (or branded as supporting) multi-node deployment. The XMPP reference remains non-functional.
JavaScript Analysis
Unminified JavaScript bundles in the panel reveal:
- `eth_requestAccounts`: MetaMask wallet connection API -- the panel can prompt visitors to connect their wallets
- `evil_stealer://auth`: Custom URI scheme for native application authentication handoff
- Next.js Build ID: `xeOeAnxdbPnm01dTsWk6f`
Threat Actor Profile
The Metadata Mistake
The promotional video at /zloy_parya2.mp4 was rendered from Adobe After Effects 2025 on a Windows machine. The operator failed to strip XMP metadata before uploading:
```xml
<creatorAtom:aeProjectLink
  creatorAtom:fullPath="C:\Users\moros\Desktop\gfhz.aep"/>
```
This reveals:
- Windows username: moros
- Operating system: Windows (C:\ path structure)
- Desktop location: After Effects project file on Desktop
- Software: Adobe After Effects 2025
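The same recovery can be automated, both for triage of a suspect file and as a pre-publication check on one's own renders. The Python below is an added example, not part of the report: it locates XMP packets in a media file by their `<?xpacket ... ?>` delimiters, pulls the identifying attributes (`creatorAtom:fullPath`, `xmp:CreatorTool`, `xmpMM:InstanceID`, `xmpMM:DocumentID`, `xmp:CreateDate`), derives the Windows username, project filename and UTC offset from them, and lists which identifying fields are present. The embedded packet is a constructed sample that mirrors the values quoted above; the `CreateDate` timestamp and the XML wrapper are invented and the regexes assume the attribute-style RDF serialization After Effects writes, not every XMP variant.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample resembling the XMP packet embedded in a rendered MP4.
# Path and xmp ids mirror the report; the CreateDate value is invented.
SAMPLE_XMP = b"""<?xpacket begin='\xef\xbb\xbf' id='W5M0MpCehiHzreSzNTczkc9d'?>
<x:xmpmeta xmlns:x="adobe:ns:meta/">
 <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
  <rdf:Description
    xmlns:xmp="http://ns.adobe.com/xap/1.0/"
    xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/"
    xmlns:creatorAtom="http://ns.adobe.com/creatorAtom/1.0/"
    xmp:CreatorTool="Adobe After Effects 2025"
    xmp:CreateDate="2026-03-04T23:06:11+03:00"
    xmpMM:InstanceID="xmp.iid:40395bd7-1b8b-bb49-aeb0-7bb8934ae858"
    xmpMM:DocumentID="xmp.did:510e389b-1418-c04a-90bc-d51f2b53841b">
   <creatorAtom:aeProjectLink
      creatorAtom:fullPath="C:\\Users\\moros\\Desktop\\gfhz.aep"/>
  </rdf:Description>
 </rdf:RDF>
</x:xmpmeta>
<?xpacket end='w'?>"""

_PACKET = re.compile(rb"<\?xpacket begin=.*?\?>(.*?)<\?xpacket end=.*?\?>", re.S)
_ATTR = re.compile(
    r'(xmp:CreatorTool|xmp:CreateDate|xmpMM:InstanceID|xmpMM:DocumentID|creatorAtom:fullPath)="([^"]*)"'
)
_WIN_USER = re.compile(r"^[A-Za-z]:\\Users\\([^\\]+)\\(.*)$")


def extract_xmp_packets(blob):
    """Return the text of every XMP packet found in a raw file body."""
    return [m.group(1).decode("utf-8", "replace") for m in _PACKET.finditer(blob)]


def parse_fields(xmp):
    """Identifying attributes present in one XMP packet."""
    return dict(_ATTR.findall(xmp))


def profile_from_xmp(xmp):
    """Derive operator-profile facts (username, OS, project file, UTC offset)."""
    f = parse_fields(xmp)
    p = {
        "creator_tool": f.get("xmp:CreatorTool"),
        "instance_id": f.get("xmpMM:InstanceID"),
        "document_id": f.get("xmpMM:DocumentID"),
        "username": None, "os": None, "project_file": None,
        "utc_offset": None, "create_date_utc": None,
    }
    m = _WIN_USER.match(f.get("creatorAtom:fullPath", ""))
    if m:  # a C:\Users\<name>\ prefix identifies a Windows profile directory
        p["os"] = "Windows"
        p["username"] = m.group(1)
        p["project_file"] = m.group(2).rsplit("\\", 1)[-1]
    if f.get("xmp:CreateDate"):
        dt = datetime.fromisoformat(f["xmp:CreateDate"])
        if dt.tzinfo is not None:  # the offset is the rendering machine's local zone
            off = dt.utcoffset()
            sign = "+" if off >= timedelta(0) else "-"
            secs = abs(int(off.total_seconds()))
            p["utc_offset"] = f"{sign}{secs // 3600:02d}:{(secs % 3600) // 60:02d}"
            p["create_date_utc"] = dt.astimezone(timezone.utc).isoformat()
    return p


def leaked_fields(blob):
    """Pre-publication check: identifying XMP attribute names present in a file."""
    found = set()
    for xmp in extract_xmp_packets(blob):
        found.update(parse_fields(xmp))
    return sorted(found)


if __name__ == "__main__":
    for packet in extract_xmp_packets(SAMPLE_XMP):
        print(profile_from_xmp(packet))
    print("identifying fields:", leaked_fields(SAMPLE_XMP))
```

To run this against a real file, read it in binary mode and pass the bytes to `extract_xmp_packets`; the packet scan is a plain substring search, so it works on MP4, MOV and image containers alike without a container parser.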
The Russian Keyboard Proof
The project filename gfhz.aep was initially dismissed as random keyboard input. However, forensic analysis reveals it is meaningful:
Mapping gfhz through a Russian QWERTY keyboard layout:
| Latin key | Russian character |
|---|---|
| g | п |
| f | а |
| h | р |
| z | я |
gfhz → паря (transliteration: "parya") -- an informal Russian word meaning "guy" or "dude."
Combined with the video filename zloy_parya2.mp4 (where "zloy parya" transliterates to "злой паря" -- "evil guy"), this confirms:
- The operator uses a Russian keyboard layout as their primary input method
- The project filename was intentional Russian text, not random
- The filename and video name carry the same meaning -- "evil guy" -- strongly suggesting Russian is the operator's native language
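The keyboard-layout decode generalizes beyond `gfhz`: any Latin token typed with the Russian ЙЦУКЕН layout active can be mapped back through the physical key positions, and the reverse mapping recovers the Latin keystrokes from a Cyrillic string. The Python below is an added example, not part of the report; it carries the full letter and punctuation rows of the standard layout (the four rows in the table above are a subset), decodes in both directions while preserving case, and scores a filename stem by dictionary lookup and vowel ratio, since layout slips typically look vowel-poor in Latin and normal in Cyrillic. The wordlist is a constructed stand-in for a real Russian dictionary.

```python
# Standard Russian (ЙЦУКЕН) layout, keyed by the US-QWERTY key in the same position.
RU_BY_QWERTY = {
    "q": "й", "w": "ц", "e": "у", "r": "к", "t": "е", "y": "н", "u": "г", "i": "ш",
    "o": "щ", "p": "з", "[": "х", "]": "ъ",
    "a": "ф", "s": "ы", "d": "в", "f": "а", "g": "п", "h": "р", "j": "о", "k": "л",
    "l": "д", ";": "ж", "'": "э",
    "z": "я", "x": "ч", "c": "с", "v": "м", "b": "и", "n": "т", "m": "ь", ",": "б",
    ".": "ю",
}
QWERTY_BY_RU = {ru: qw for qw, ru in RU_BY_QWERTY.items()}
LATIN_VOWELS = set("aeiouy")
CYRILLIC_VOWELS = set("аеёиоуыэюя")


def _swap(text, table):
    """Map each character through `table`, keeping case and untranslatable characters."""
    out = []
    for ch in text:
        mapped = table.get(ch.lower())
        if mapped is None:
            out.append(ch)
        else:
            out.append(mapped.upper() if ch.isupper() else mapped)
    return "".join(out)


def qwerty_to_russian(text):
    """Latin keystrokes -> the Cyrillic text those keys produce under ЙЦУКЕН."""
    return _swap(text, RU_BY_QWERTY)


def russian_to_qwerty(text):
    """Cyrillic text -> the Latin keystrokes that produce it under ЙЦУКЕН."""
    return _swap(text, QWERTY_BY_RU)


def vowel_ratio(text, vowels):
    letters = [c for c in text.lower() if c.isalpha()]
    return sum(c in vowels for c in letters) / len(letters) if letters else 0.0


def assess_filename(filename, wordlist):
    """Decode a filename stem and report whether it reads as Russian typed on a Latin layout."""
    stem = filename.rsplit(".", 1)[0]  # drop the extension; only the stem was typed
    decoded = qwerty_to_russian(stem)
    return {
        "stem": stem,
        "decoded": decoded,
        "in_wordlist": decoded.lower() in wordlist,
        "latin_vowel_ratio": round(vowel_ratio(stem, LATIN_VOWELS), 2),
        "cyrillic_vowel_ratio": round(vowel_ratio(decoded, CYRILLIC_VOWELS), 2),
    }


# Constructed mini-dictionary; substitute a real Russian wordlist in practice.
SAMPLE_WORDLIST = {"паря", "злой", "привет"}

if __name__ == "__main__":
    print(assess_filename("gfhz.aep", SAMPLE_WORDLIST))
    print(russian_to_qwerty("злой паря"))
```

The reverse direction is useful for pivoting: `russian_to_qwerty("злой паря")` yields the Latin string an operator would have produced by typing the same phrase with the wrong layout active, which is a search term for filenames, handles and paths in other artifacts.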
Attribution Assessment
| Evidence | Source | Confidence |
|---|---|---|
| Windows username "moros" | XMP metadata in zloy_parya2.mp4 | DEFINITIVE |
| UTC+3 timezone | File creation timestamp +03:00 | HIGH |
| Russian language (video filename) | "zloy_parya" = "злой паря" = "evil guy" | HIGH |
| Russian keyboard layout | "gfhz.aep" = "паря" on Russian QWERTY | DEFINITIVE |
| Windows OS | After Effects path C:\Users\moros\ | DEFINITIVE |
| Adobe After Effects 2025 | XMP CreatorTool tag | DEFINITIVE |
| OFM Hub Intel operation | Shared registrar + HASSH + hosting | HIGH |
| Crypto wallet drainer | eth_requestAccounts in panel JS | HIGH |
Additional XMP identifiers recovered (persistent across all exports from this After Effects installation):
- Instance ID: `xmp.iid:40395bd7-1b8b-bb49-aeb0-7bb8934ae858`
- Document ID: `xmp.did:510e389b-1418-c04a-90bc-d51f2b53841b`
Operational Timeline
| Time (UTC) | Event |
|---|---|
| Feb 11, 2026 | sumsub[.]buzz registered (possible same cluster) |
| Feb 14, 2026 | ofmhubintel[.]com registered via Namecheap (same registrar as Evil Stealer) |
| Feb 20, 2026 | OFM Hub Intel scanner configuration last updated |
| Feb 22, 2026 | Shodan scans 80.78.19.96 (pre-Evil Stealer -- only SSH visible) |
| March 3, 2026 | spendy[.]fun registered (separate operator) |
| March 4, 20:06 UTC | Promotional video rendered (file timestamp carries a +03:00 offset, i.e. 11:06 PM local time) |
| March 4, 20:15 UTC | TLS certificate issued by Let's Encrypt |
| March 4, 20:44 UTC | Domain evilmirror[.]net registered via Namecheap |
| March 4, ~21:00 UTC | Infrastructure goes live (estimated) |
| March 9, 2026 | OFM Hub Intel scanner last active run |
| March 10, 17:33 UTC | 310,194 logs confirmed via port 8888 (this investigation) |
| March 10, 2026 | @solostalking independently discovers panel, submits ThreatFox IOCs |
| March 10, 2026 | Breakglass Intelligence completes full investigation |
Scale Assessment
| Metric | Value |
|---|---|
| Days since deployment | ~6 (March 4-10) |
| Total logs processed | 310,194+ |
| Counter status | Frozen (not incrementing) |
| Likely explanation | Migrated historical data, not 51K/day new victims |
| Linked operations | OFM Hub Intel (OnlyFans scraper), crypto wallet drainer |
The frozen counter suggests the 310,194 figure represents imported historical data from a previous stealer operation rather than new victim acquisition at 51,700/day. This aligns with the theory that "moros" is an experienced operator who migrated an existing log database when deploying Evil Stealer v0.6.6-rc on fresh Njalla infrastructure.
Parallel Discovery: @solostalking
Researcher @solostalking (Raaz) independently discovered the Evil Stealer panel and published findings on X/Twitter. Their analysis:
- Found: The Evil Stealer panel landing page
- Submitted: ThreatFox IOCs #1762861 and #1762862
- Did NOT find: Binary sample, operator attribution ("moros"), wallet drainer, OFM Hub Intel link, infrastructure pivoting, neighbor analysis
This confirms the Evil Stealer panel is visible to the broader security research community, but the depth of attribution and infrastructure analysis in this report remains unique.
As of March 10, 2026, the ThreatFox submissions by @solostalking are the only public intelligence entries for Evil Stealer outside of this Breakglass Intelligence report.
VirusTotal Intelligence
As of March 10, 2026:
| Indicator | Reputation | Detections | Notes |
|---|---|---|---|
| 80.78.19[.]96 | -11 | BitDefender, G-Data, Gridinsoft (malicious), 1 community vote | Flagged but minimal coverage |
| 80.78.19[.]84 | 0 | 0 detections | Clean |
| 80.78.19[.]88 | 0 | 0 detections | Clean |
| evilmirror[.]net | -- | Resolves to 80.78.19.96 | No community reports |
| Communicating files | None | 0 samples | No malware submitting to this IP yet |
Key gap: No malware samples communicating with 80.78.19[.]96 have been submitted to VirusTotal. Acquiring and submitting the Evil Stealer binary remains a critical next step.
Detection Guidance
Network Detection
Primary network indicators:
- Domain: DNS resolution of evilmirror[.]net or www.evilmirror[.]net
- IP: Connections to 80.78.19[.]96 on ports 443, 3000, or 8888
- Linked IP: Connections to 80.78.19[.]92 on port 8000 (OFM Hub Intel)
- TLS fingerprint: Let's Encrypt certificate serial `05:72:b7:73:96:61:1d:1d:42:21:88:fc:39:67:83:e0:2d:9e`
- PTR record: Resolution involving 504e1360.host.njalla.net
- MitM proxies: Connections to 80.78.19[.]101 or .104 presenting Oracle/Apple certificates
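A defender applying these indicators needs them refanged and matched against the right fields of the sensor's output: DNS query names (including subdomains of a listed domain), TLS SNI and certificate serial, and destination IPs, both the exact addresses and the 80.78.19.80/28 block the recommendations below suggest filtering. The Python below is an added example, not the report's Suricata rules; it parses a constructed excerpt of the defanged IOC list, then scans constructed Suricata EVE-style JSON lines (the `dns.rrname`, `tls.sni`, `tls.serial` and `dest_ip` field names follow EVE output; adapt them for another sensor) and reports each hit.

```python
import ipaddress
import json

# Constructed excerpt in the report's defanged notation (subset of the IOC list).
DEFANGED_IOCS = """
evilmirror[.]net -- Evil Stealer C2 panel
ofmhubintel[.]com -- OnlyFans scraper
sumsub[.]buzz -- KYC phishing (same /24)
80[.]78[.]19[.]96 -- Evil Stealer C2
80[.]78[.]19[.]92 -- OFM Hub Intel scraper
80[.]78[.]19[.]101 -- Oracle cert MitM proxy
80[.]78[.]19[.]104 -- Apple cert MitM proxy
"""
WATCH_NETS = [ipaddress.ip_network("80.78.19.80/28")]  # block range from the recommendations
WATCH_TLS_SERIALS = {  # serial of the evilmirror.net Let's Encrypt certificate
    "05:72:b7:73:96:61:1d:1d:42:21:88:fc:39:67:83:e0:2d:9e": "evilmirror.net Let's Encrypt cert",
}

# Constructed EVE-style log lines: two hosts touching the cluster, one benign lookup.
SAMPLE_EVE = [
    '{"event_type":"dns","src_ip":"10.0.0.5","dns":{"type":"query","rrname":"www.evilmirror.net"}}',
    '{"event_type":"tls","src_ip":"10.0.0.5","dest_ip":"80.78.19.96","dest_port":443,'
    '"tls":{"sni":"evilmirror.net","serial":"05:72:B7:73:96:61:1D:1D:42:21:88:FC:39:67:83:E0:2D:9E"}}',
    '{"event_type":"flow","src_ip":"10.0.0.7","dest_ip":"80.78.19.88","dest_port":3000}',
    '{"event_type":"dns","src_ip":"10.0.0.9","dns":{"type":"query","rrname":"example.com"}}',
    '{"event_type":"tls","src_ip":"10.0.0.9","dest_ip":"80.78.19.104","dest_port":443,"tls":{"sni":"www.apple.com"}}',
]


def refang(s):
    """Undo the [.] / hxxp defanging used in the IOC list."""
    return s.replace("[.]", ".").replace("hxxp", "http")


def load_iocs(text):
    """Split a defanged 'indicator -- label' list into domain and IP dictionaries."""
    domains, ips = {}, {}
    for line in text.strip().splitlines():
        indicator, _, label = line.partition(" -- ")
        indicator = refang(indicator.strip())
        try:
            ips[str(ipaddress.ip_address(indicator))] = label.strip()
        except ValueError:
            domains[indicator.lower()] = label.strip()
    return domains, ips


def domain_hit(name, domains):
    """Exact or subdomain match against the watched domains."""
    name = name.lower().rstrip(".")
    for d, label in domains.items():
        if name == d or name.endswith("." + d):
            return f"domain {name} -> {label}"
    return None


def ip_hit(addr, ips):
    """Exact address match first, then the watched netblock."""
    if not addr:
        return None
    if addr in ips:
        return f"ip {addr} -> {ips[addr]}"
    try:
        a = ipaddress.ip_address(addr)
    except ValueError:
        return None
    for net in WATCH_NETS:
        if a in net:
            return f"ip {addr} in watched range {net}"
    return None


def match_event(ev, domains, ips):
    hits = []
    if ev.get("event_type") == "dns":
        h = domain_hit(ev.get("dns", {}).get("rrname", ""), domains)
        if h:
            hits.append(h)
    tls = ev.get("tls", {})
    if tls.get("sni"):
        h = domain_hit(tls["sni"], domains)
        if h:
            hits.append(h)
    serial = tls.get("serial", "").lower()  # EVE prints serials upper-case; IOC list is lower-case
    if serial in WATCH_TLS_SERIALS:
        hits.append(f"tls serial -> {WATCH_TLS_SERIALS[serial]}")
    h = ip_hit(ev.get("dest_ip"), ips)
    if h:
        hits.append(h)
    return hits


def scan_eve(lines, domains, ips):
    """Return [(line_number, [hits])] for every log line that matches an indicator."""
    out = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        hits = match_event(ev, domains, ips)
        if hits:
            out.append((n, hits))
    return out


if __name__ == "__main__":
    d, i = load_iocs(DEFANGED_IOCS)
    for n, hits in scan_eve(SAMPLE_EVE, d, i):
        print(n, hits)
```

Matching the certificate serial as well as the SNI matters here because the SNI is attacker-controlled and easily changed, while a reused certificate ties a new hostname back to the same key material.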
Host-Based Detection
Without the actual stealer binary, host-based detection is limited to behavioral patterns common to information stealers:
- Unexpected access to browser credential stores (Login Data, Cookies files)
- Bulk reading of browser extension data directories
- Access to cryptocurrency wallet application data (especially MetaMask)
- Unusual outbound HTTPS connections to recently registered domains
- ZIP file creation in temp directories followed by upload and deletion
- Custom URI scheme registration (`evil_stealer://`)
Monitoring Opportunities
- Port 8888 status API: Track the `last_log_id` counter for growth. If it remains frozen, the operation may be staging for launch rather than actively ingesting.
- Shodan indexing: HTTP/HTTPS services will be indexed eventually -- monitor for banner and certificate data.
- OFM Hub Intel: The scraper's `/scan/status` endpoint is publicly accessible and reveals last run timestamps.
- ThreatFox: Monitor IOCs #1762861 and #1762862 for community enrichment.
Suricata Rules
9 Suricata rules have been produced covering Evil Stealer C2 communication, DNS lookups, OFM Hub Intel API access, Telegram bot backend, Oracle/Apple MitM proxies, sumsub.buzz phishing, spendy.fun, and broad cluster traffic detection. Rules use SIDs 9000101-9000109.
YARA Rules
5 YARA rules have been produced:
- `Evil_Stealer_C2_Strings`: Detects C2 domain and IP references
- `OFM_Hub_Intel_Scraper`: Detects scraper API references (requires 2+ matches)
- `Njalla_Evil_Cluster_IPs`: Detects cluster IP references (requires 3+ matches)
- `Sumsub_Phishing_Kit`: Detects KYC phishing kit references
- `Spendy_Finance_Bot`: Detects finance bot references
IOCs (Defanged)
Domains
```text
evilmirror[.]net -- Evil Stealer C2 panel
www[.]evilmirror[.]net -- Evil Stealer C2 panel
ofmhubintel[.]com -- OnlyFans scraper (LINKED to Evil Stealer operator)
sumsub[.]buzz -- KYC phishing (same /24)
spendy[.]fun -- Russian finance bot (same /24)
api[.]spendy[.]fun -- spendy.fun API backend
```
IP Addresses
```text
# Evil Stealer Operator (HIGH confidence)
80[.]78[.]19[.]96 -- Evil Stealer C2
80[.]78[.]19[.]92 -- OFM Hub Intel scraper
# Njalla Cluster (same /24)
80[.]78[.]19[.]84 -- sumsub.buzz phishing
80[.]78[.]19[.]88 -- Telegram bot admin panel
80[.]78[.]19[.]99 -- spendy.fun finance bot
80[.]78[.]19[.]101 -- Oracle cert MitM proxy
80[.]78[.]19[.]104 -- Apple cert MitM proxy
80[.]78[.]19[.]71 -- Hak5 Cloud C2
```
URLs
```text
hxxps://evilmirror[.]net/
hxxp://80[.]78[.]19[.]96:3000/
hxxp://80[.]78[.]19[.]96:8888/status
hxxp://80[.]78[.]19[.]92:8000/docs -- OFM Hub Intel Swagger UI
hxxp://80[.]78[.]19[.]88:3000/api/settings -- Leaked Telegram bot settings
```
Hosting/Network Indicators
```text
ASN: AS39287 (ab stract / Materialism s.r.l.)
PTR: 504e1360.host.njalla.net (Evil Stealer)
PTR: 504e135c.host.njalla.net (OFM Hub Intel)
Nameservers: dns1.registrar-servers.com, dns2.registrar-servers.com
Registrar: Namecheap Inc.
Privacy: Withheld for Privacy ehf (Reykjavik, Iceland)
```
TLS Certificates
```text
# Evil Stealer
Serial: 05:72:b7:73:96:61:1d:1d:42:21:88:fc:39:67:83:e0:2d:9e
SKI: A4:17:99:3B:A2:68:C1:6E:D7:95:FD:DC:3E:C2:04:B0:BE:49:F0:0B
Issuer: Let's Encrypt E8
# Oracle MitM (80.78.19.101)
Serial: 02:14:C7:C4:07:D1:79:3B:0C:CB:F2:41:AA:C9:55:C7
SHA1: E1:21:E9:5C:98:1D:1A:5C:A2:09:08:D8:40:49:F8:3B:93:F2:AC:CE
Issuer: DigiCert Global G3 TLS ECC SHA384 2020 CA1
# Apple MitM (80.78.19.104)
Serial: 0A:22:AC:E4:2F:C7:1F:46:3F:95:3E:F0:B5:A8:3F:0C
SHA1: 7A:A1:D4:BD:DA:4F:AB:DA:8C:59:06:54:4F:B1:6A:D6:1E:F7:C2:02
Issuer: Apple Public EV Server RSA CA 1 - G1
```
File Indicators
```text
# Favicon
SHA256: e6a1fb96b2e07da569ab8144894cd6056360f1d72f660a6a1f01d7e05040733d
MD5: 1531be3efd30088bb69864634c5c6067
# Promotional Video (zloy_parya2.mp4)
SHA256: 6eb03ee6f1efc8110b39ebd25a6345343602f7b91654da0da382bb5f2a65a6b8
MD5: 5639d2cc48d5e8653a1eb8a6be57be7d
Size: 6,504,170 bytes
```
Behavioral/Attribution Indicators
```text
# Operator Identifiers
Windows User: moros
XMP Instance: xmp.iid:40395bd7-1b8b-bb49-aeb0-7bb8934ae858
XMP Document: xmp.did:510e389b-1418-c04a-90bc-d51f2b53841b
AE Project: C:\Users\moros\Desktop\gfhz.aep
AE Project (decoded): C:\Users\moros\Desktop\паря.aep (Russian QWERTY)
# Application Fingerprints
Next.js Build: xeOeAnxdbPnm01dTsWk6f
SSH ed25519: AAAAC3NzaC1lZDI1NTE5AAAAINJ3GltQHreUWXzxkm1rGLoBwXD7j4D/XwGpebQh2Eu3
SSH ECDSA: ea:28:3a:41:43:90:86:a2:d3:d1:27:9f:5f:dd:43:3b
SSH HASSH: 41ff3ecd1458b0bf86e1b4891636213e (shared with OFM Hub Intel)
# Wallet Drainer Indicators
MetaMask API: eth_requestAccounts
Custom URI: evil_stealer://auth
```
SSH Fingerprint Groups (Njalla /24 Clustering)
```text
# Group A -- Ubuntu 22.04 (EVIL STEALER OPERATOR)
HASSH: 41ff3ecd1458b0bf86e1b4891636213e
IPs: 80.78.19.92, 80.78.19.96
# Group B -- Ubuntu 24.04
HASSH: e42184b06d45385a906f0803d04c83da
IPs: 80.78.19.84, 80.78.19.88, 80.78.19.101, 80.78.19.104
# Group C -- Debian
OpenSSH: 9.2p1
IPs: 80.78.19.99
```
MITRE ATT&CK Mapping
| Tactic | Technique | ID | Application |
|---|---|---|---|
| Resource Development | Acquire Infrastructure: VPS | T1583.003 | Njalla VPS acquisition (multiple IPs) |
| Resource Development | Acquire Infrastructure: Domains | T1583.001 | evilmirror.net, ofmhubintel.com |
| Resource Development | Obtain Capabilities: Tool | T1588.001 | Evil Stealer development |
| Credential Access | Credentials from Password Stores | T1555 | Browser credential harvesting |
| Credential Access | Steal Web Session Cookie | T1539 | Session cookie theft |
| Credential Access | Steal Application Access Token | T1528 | MetaMask wallet draining |
| Credential Access | Adversary-in-the-Middle | T1557 | TLS MitM proxies (.101/.104) |
| Collection | Data from Local System | T1005 | Victim data exfiltration |
| Collection | Data from Information Repositories | T1213 | OFM Hub Intel scraping OnlyFans |
| Exfiltration | Exfiltration Over C2 Channel | T1041 | Log upload to C2 |
| Command and Control | Application Layer Protocol | T1071 | HTTPS C2 communication |
| Command and Control | Encrypted Channel: Asymmetric | T1573.002 | TLS-encrypted C2 |
| Defense Evasion | Masquerading | T1036 | sumsub.buzz KYC impersonation |
| Initial Access | Phishing | T1566 | sumsub.buzz credential phishing |
| Discovery | Cloud Service Discovery | T1580 | OnlyFans API enumeration |
Recommended Actions
Immediate (24-48 hours):
- Block evilmirror[.]net, ofmhubintel[.]com, and the 80.78.19.80/28 range in organizational DNS and firewall policies
- Deploy Suricata rules (SIDs 9000101-9000109) for network detection
- Submit IOCs to ThreatFox, URLhaus, and MalwareBazaar (pending sample acquisition)
- Monitor the port 8888 status endpoint to confirm whether the counter is truly frozen
- File abuse reports with Njalla (abuse@njal.la), Namecheap (abuse@namecheap.com), and Tucows (domainabuse@tucows.com)
- Alert Oracle and Apple security teams about certificate misuse on .101/.104
- Alert DigiCert about the Oracle EV certificate on unauthorized infrastructure
Short-term (1-2 weeks):
- Attempt to acquire the actual stealer binary through Telegram channels and underground forums searching for "Evil Stealer"
- Submit any acquired binary to VirusTotal, MalwareBazaar, and Triage sandbox
- Monitor crt.sh for additional certificates and subdomains
- Track the "moros" handle across underground forums
- Watch for XMPP port activation on jabber.evilmirror[.]net
- Monitor Namecheap + "Withheld for Privacy ehf" registrations for new domains by the same buyer
- Deploy YARA rules for retroactive scanning
Medium-term (1-3 months):
- Monitor for infrastructure rotation (new IPs, domains, certificates)
- Track version bumps from the current 0.6.6-rc toward 1.0
- Cross-reference XMP UUIDs against other video content for additional operator attribution
- Monitor OFM Hub Intel -- if scraped OnlyFans data appears for sale, link to this operator
- Investigate 185.158.133.1 (where ofmhubintel.com currently resolves via DNS) for additional infrastructure
- If stealer binary is acquired and victims are identifiable, coordinate with relevant CERTs for notification
- Monitor Shodan for HTTP/HTTPS indexing of 80.78.19[.]96 (expected within weeks)
STIX 2.1 Bundle
A STIX 2.1 bundle containing 17 objects has been produced:
- 1 Identity (Breakglass Intelligence)
- 1 Threat Actor (Evil Stealer Operator)
- 1 Infrastructure (Njalla VPS Cluster)
- 9 Indicators (all IPs and domains)
- 3 Relationships (operator-uses-c2, operator-uses-scraper, cluster-hosts-c2, mitm-pair)
- 2 Notes (shared registrar evidence, MitM certificate details)
The bundle is available for automated ingestion into STIX-compatible threat intelligence platforms.
Open Questions
- Exfiltration channel: How does stolen data reach the server? Port 8888 is read-only, the panel has no visible upload API, and XMPP is non-functional. Possible answers: direct HTTPS POST to a non-indexed endpoint, SSH-based transfer, or a separate binary component handles exfiltration.
- Counter meaning: Is `last_log_id: 310194` a true victim count, a migrated database, or a seeded counter? The frozen state suggests historical import.
- Binary acquisition: The Evil Stealer payload has not been obtained. Distribution channels (forums, Telegram, bundling) are unknown.
- OFM Hub Intel monetization: How is the scraped OnlyFans data being used? Resale, targeted phishing of creators, or blackmail?
- MitM proxy relationship: Are the Oracle/Apple certificate proxies (.101/.104) operated by "moros" or a separate actor sharing the Njalla allocation?
- Version trajectory: Build 0.6.6-rc with constraint >=0.6.6 <0.9.9 -- how far along is development toward a public release?
References
- RIPE NCC Database: ORG-MS858-RIPE (Materialism s.r.l.)
- Njalla VPS hosting documentation (njal.la)
- AlienVault OTX: AS39287 geolocation data
- VirusTotal Community: 80.78.19.96 (reputation -11)
- ThreatFox: IOCs #1762861, #1762862 (submitted by @solostalking)
- Shodan: Host reports, HASSH fingerprinting, /24 subnet analysis
- Direct TLS analysis via openssl s_client
- Direct HTTP analysis of all exposed services
- HASSH fingerprinting methodology: github.com/salesforce/hassh
- Russian QWERTY keyboard layout mapping
Appendices
Appendix A: Investigation Methodology
This investigation was conducted by Breakglass Intelligence using the GHOST autonomous OSINT agent platform. Tools employed:
- Shodan (paid edu plan): 23 API calls (~16 search credits of 197,994 available)
- VirusTotal (community tier): 5 API calls
- crt.sh: 4 certificate transparency queries
- WHOIS: 4 domain registration lookups
- DNS: ~20 resolution queries
- HTTP probing: ~60 direct service queries
- SSH key scanning: 7 host key collections
Appendix B: Operator Cluster Assessment
| Cluster | IPs | Confidence | Evidence |
|---|---|---|---|
| Operator 1: Evil Stealer + OFM Hub Intel | .96, .92 | HIGH | Same registrar, privacy service, HASSH, OS template |
| Operator 2: Telegram Mini App dev | .88, possibly .99 | MEDIUM | Both Telegram backends, Russian-language, but different tech stacks |
| Operator 3: TLS MitM proxy | .101, .104 | LOW-MEDIUM | Same SSH group, same Akamai proxy technique |
| Operator 4: KYC phisher | .84 | LOW | sumsub.buzz registered via Njalla/Tucows, domain not resolving |
Published by Breakglass Intelligence -- intel.breakglass.tech
Investigation conducted 2026-03-10
Report updated 2026-03-10 with full Shodan intelligence, neighbor deep-dive, wallet drainer discovery, Russian keyboard forensics, and @solostalking parallel discovery