highPhishing

CRPX0 / DataBreachPlus — Multi-Platform Crypto Clipper + Ransomware MaaS Panel

InvestigatedApril 3, 2026PublishedApril 3, 2026

Threat Actors:ProfileAssessmentCryptocurrency Wallets

fanonlyatnpanelc2ratmaasphishingransomwarestealerclippertelegramtor

TLP: WHITE Date: 2026-04-03 Analyst: GHOST (Breakglass Intelligence) Classification: Cybercrime — Malware-as-a-Service (MaaS) Source: @malwrhunterteam tweet, 2026-04-03T17:49 UTC

Executive Summary

An exposed Malware-as-a-Service (MaaS) panel at fanonlyatn[.]xyz was identified with open directory listings containing the complete source code for a multi-platform malware operation. The operation, internally branded CRPX0, combines a cryptocurrency clipboard hijacker (supporting 10 crypto currencies), a seed phrase scanner/stealer, and a cross-platform ransomware module — all controlled through a centralized PHP dashboard with multi-language support (EN/ZH/RU). The threat actor operates under the Telegram handle @DataBreachPlus and uses the email databreachplus@proton[.]me for ransom negotiations.

The panel features open self-registration with a "Payment Code" requirement, indicating a commercial MaaS model. Seven macOS-specific builder scripts were found, including sophisticated techniques to bypass Apple's Gatekeeper (DMG packaging, encrypted vaults, native binary compilation, PKG installers). Social engineering lures include fake FedEx shipping documents and fake OnlyFans account lists.

Three backup Russian C2 domains (caribb[.]ru, mekhovaya-shuba[.]ru, beboss34[.]ru) all resolve to 31[.]31[.]198[.]206 on REG.RU shared hosting, confirming Russian operational infrastructure.

Key Findings

COMPLETE SOURCE CODE EXPOSED: Full Python source for all three malware modules (clipper, seed stealer, ransomware) plus 7 macOS builder scripts, 3 VBS droppers, and 1 Windows CMD launcher
10-CURRENCY CRYPTO CLIPPER: Replaces clipboard addresses for BTC (3 formats), ETH, TRON, DOGE, LTC, SOL, XRP, and BCH
HARDCODED THREAT ACTOR WALLETS: 10 cryptocurrency wallet addresses for clipjacking extraction (see IOC section)
RANSOMWARE MODULE (CRPX0): Fernet-based file encryption, shadow copy deletion, wallpaper replacement, multi-language ransom notes (EN/RU/ZH)
SEED PHRASE SCANNER: BIP39 wordlist-based scanner that searches victim files for 12/24-word recovery phrases and exfiltrates them
DASHBOARD API SECRET EXPOSED: 26i$MyYe@r — hardcoded in all payloads
TELEGRAM HANDLE: @DataBreachPlus (hxxps://t[.]me/DataBreachPlus) — used for ransom negotiation AND in the OnlyFans RDP VBS dropper decoy
qTox ID: 17EB54B8455144E088C7E77F88A97221C319F0CFE4FE306853EEB113EE8DB5607BB6EE481C7C
RANSOM EMAIL: databreachplus@proton[.]me
OPEN REGISTRATION: Panel allows agent registration with "Payment Code" — commercial MaaS confirmed
THREE RUSSIAN BACKUP C2s: All on 31[.]31[.]198[.]206 (REG.RU shared hosting), registered as "Private Person"
FEDEX PHISHING LURE: Fake FedEx "Shipping_Details.txt" decoy with tracking number 7945 6821 0349 2, access key pass2021#
ONLYFANS LURE: Fake "50 working OnlyFans account" list used as decoy
macOS GATEKEEPER BYPASS: 7 builder scripts implementing escalating bypass techniques (AppleScript applet, native C universal binary, PKG installer, encrypted DMG vault)
py.txt = PORTABLE PYTHON: 14.5 MB base64-encoded ZIP containing Python 3.11.5 Windows embedded distribution (python-build-standalone)

Attack Chain

[Social Engineering Lure]
    |
    v
[FedEx Tracking / OnlyFans Accounts / RDP Installer]
    |
    +--[Windows] launcher.cmd / launcher.vbs --> call2.py
    +--[macOS]   mac_loader*.sh / DMG / PKG --> call2.py
    |
    v
[call1.py] — Stage 1 downloader (fetches call2.py from C2)
    |
    v
[call2.py] — Stage 2 installer
    |-- Downloads portable Python (indygreg builds / python.org embedded)
    |-- Establishes persistence (LaunchAgents on macOS)
    |-- Downloads & patches payload (last.zip -> v1.1.py/sys32.py)
    |-- Downloads seed scanner (finderx.zip -> finder2.py)
    |
    v
[v1.1.py / sys32.py] — MAIN PAYLOAD: Crypto Clipper
    |-- Monitors clipboard for crypto addresses
    |-- Replaces with attacker wallets (10 currencies)
    |-- Detects seed phrases in clipboard
    |-- Sends install heartbeat + detections to C2 dashboard
    |
    v
[finder2.py] — SEED PHRASE SCANNER
    |-- Scans all user files for BIP39 seed phrases (12/24 word)
    |-- Exfiltrates found phrases to C2
    |
    v
[crypter.py] — RANSOMWARE MODULE (CRPX0)
    |-- Stage 1: Scan and inventory all target files
    |-- Stage 2: Fernet encryption with .crpx0 extension
    |-- Deletes shadow copies / Time Machine snapshots
    |-- Sets custom wallpaper
    |-- Drops ransom notes in EN/RU/ZH
    |-- Reports encryption key + scan report to dashboard + Telegram via Russian C2s

Infrastructure Analysis

Primary C2 (Panel/Dashboard)

Domain	Registrar	Created	NS	Status
fanonlyatn[.]xyz	Navicosoft Pty Ltd (AU)	2026-03-12	beth/devin.ns.cloudflare.com	LIVE

Cloudflare-proxied — real origin IP unknown
LiteSpeed Web Server behind Cloudflare
API endpoints: /api.php (main C2), /api_address_match.php (crypto address matching)
Build server: /builds/last.zip (payload), /builds/scan/finderx.zip (scanner), /builds/rans/crypter.py (ransomware)
Certificates: Let's Encrypt (R12, R13, E7) + Sectigo DV, first issued 2026-03-13

Backup C2 (Ransomware Notification)

Domain	IP	Registrar	Created	Purpose
caribb[.]ru	31[.]31[.]198[.]206	REGRU-RU	2025-11-14	Ransomware C2 (notify.php)
mekhovaya-shuba[.]ru	31[.]31[.]198[.]206	REGRU-RU	2026-01-06	Ransomware C2 (notify.php)
beboss34[.]ru	31[.]31[.]198[.]206	REGRU-RU	2025-07-11	Ransomware C2 (notify.php)

All three resolve to 31[.]31[.]198[.]206 (REG.RU shared hosting — scp96.hosting.reg.ru)
Hosting: REG.RU (Russian web hosting provider), cPanel/WHM
Open ports: 21 (FTP), 22, 25, 53, 80, 110, 143, 443, 465, 587, 993, 995, 2082-2096 (cPanel), 3306 (MySQL)
All registered to "Private Person" via REGRU-RU registrar
Endpoint path: /crpx0/notify.php

Shared Infrastructure Indicators

Cloudflare NS pair: beth + devin — use this to find other domains on the same Cloudflare account
REG.RU hosting: All 3 Russian domains share the same nameservers (ns1.hosting.reg.ru, ns2.hosting.reg.ru) and IP
Dashboard secret: 26i$MyYe@r — shared across ALL payloads

Malware Analysis

Component 1: Crypto Clipboard Hijacker (v1.1.py / sys32.py)

Build ID: v1.21
Size: 115,345 bytes (in last.zip)
SHA256: (last.zip) See IOC section
Capabilities:
- Real-time clipboard monitoring via pyperclip
- Cryptocurrency address detection via regex patterns
- Clipboard replacement with attacker-controlled wallets
- BIP39 seed phrase detection in clipboard
- C2 heartbeat and detection reporting
- Dynamic address matching via API (/api_address_match.php)
Supported Cryptocurrencies: BTC (Legacy/P2SH/Bech32), ETH, TRON, DOGE, LTC, SOL, XRP, BCH
Dependencies: pyperclip, requests, pyautogui

Component 2: Seed Phrase Scanner (finder2.py)

Build ID: v2.2_ULTRA_STRICT
Size: 37,146 bytes (in finderx.zip)
Capabilities:
- Full BIP39 wordlist (2048 words)
- Scans all user-accessible files
- Detects 12 and 24-word seed phrases
- Exfiltrates found phrases to C2 dashboard
- Limits to 2 seed phrases per file (anti-false-positive)

Component 3: Ransomware (crypter.py — CRPX0)

Encryption: Python cryptography.Fernet (symmetric, AES-128-CBC + HMAC)
Extension: .crpx0
Key Management: Generated per-operation via Fernet.generate_key(), sent to C2 before encryption
Ransom Note: "HOW TO RECOVER.txt" (EN/RU/ZH versions)
Shadow Copy Deletion: vssadmin, wmic, wbadmin (Windows), tmutil (macOS), timeshift (Linux)
Wallpaper Change: Windows (SystemParametersInfoW), macOS (osascript), Linux (gsettings/feh/xfconf)
Target Extensions: Documents, Media, Databases, Archives, Emails, Developer Code, Engineering/Design files
Operation ID Format: OP-XXXXXXXX (UUID-based)
Cross-Platform: Windows, macOS, Linux

Delivery Mechanisms (7 macOS builders + Windows droppers)

Builder	Technique	Bypass Method	Lure Theme
mac_app_builder.sh	osacompile AppleScript applet	DMG + right-click Open	FedEx / OnlyFans
mac_pkg_builder.sh	pkgbuild with postinstall script	PKG is more trusted	FedEx / OnlyFans
mac_pro_builder.sh	Native C universal binary in .app bundle	10x more reliable than AS	FedEx / OnlyFans
mac_ultimate_builder.sh	Extensionless binary	Avoids "Damaged App" error	FedEx / OnlyFans
mac_vault_builder.sh	AES-128 encrypted DMG	Gatekeeper can't scan encrypted files	FedEx / OnlyFans
mac_loader_stealth.sh	Base64-encoded bash, FedEx social engineering	Fake "Document Access Key" prompt	FedEx
mac_loader_accounts.sh	Base64-encoded bash, OnlyFans lure	Fake "Verification Key" prompt	OnlyFans

Windows Delivery

Dropper	Type	Decoy
launcher.cmd	CMD batch script	None (silent)
launcher.vbs (old)	VBScript	Fake OnlyFans account list (50 accounts)
launchertracking.vbs (old)	VBScript	Fake FedEx tracking info
launcherrdp.vbs (old)	VBScript	"contact us on telegram @DataBreachPlus to get it"

Persistence

macOS: LaunchAgent (~/Library/LaunchAgents/com.sys32.data.plist) with KeepAlive
Windows: Hidden directory %APPDATA%\sys32data\ with portable Python
Hidden Directory: ~/.sys32data/ (macOS/Linux), %APPDATA%\sys32data\ (Windows)

Threat Actor Profile

Attribution Assessment

Confidence: MEDIUM-HIGH
Handle: @DataBreachPlus (Telegram)
Email: databreachplus@proton[.]me
qTox ID: 17EB54B8455144E088C7E77F88A97221C319F0CFE4FE306853EEB113EE8DB5607BB6EE481C7C
Language Evidence: Russian ransom notes, Russian .ru domains, Russian hosting (REG.RU), Chinese + English support = multi-ethnic customer base
Operational Pattern:
- Domain registered 2026-03-12 (22 days ago)
- First certificates issued 2026-03-13
- Builder scripts actively updated through 2026-03-18
- launcherrdp.vbs updated 2026-04-03 09:28 UTC (TODAY — operator is active)
- Russian backup C2 domains pre-date the panel by 3-8 months (established infrastructure)
OPSEC Failures:
- Open directory listing exposing complete source code
- Hardcoded dashboard API secret in all payloads (26i$MyYe@r)
- Telegram handle in ransom note AND VBS dropper decoy
- Access key pass2021# hardcoded in stealth loaders
- Real Russian infrastructure (REG.RU) used for backup C2, not Cloudflare-proxied
Sophistication: MEDIUM — code is well-structured with proper error handling, multi-platform support, and layered delivery. However, fundamental OPSEC failures (open directories, hardcoded secrets) indicate a developer-level operator rather than a seasoned APT.
Motivation: Financial — cryptocurrency theft (clipjacking + seed phrase theft) + ransomware extortion
GPT-4 Provenance: The ransomware wallpaper image contains C2PA (Content Authenticity) metadata signed by "ChatGPT" via "Truepic Lens CLI" — the background image was generated by ChatGPT/DALL-E.

MITRE ATT&CK Mapping

Tactic	Technique	ID	Application
Initial Access	Phishing: Spearphishing Link	T1566.002	FedEx/OnlyFans themed lure scripts
Execution	Command and Scripting Interpreter: Python	T1059.006	All payloads are Python
Execution	Command and Scripting Interpreter: Visual Basic	T1059.005	VBS launchers (Windows)
Execution	Command and Scripting Interpreter: Unix Shell	T1059.004	Bash loaders (macOS)
Persistence	Boot or Logon Autostart: Launch Agent	T1543.001	com.sys32.data.plist
Defense Evasion	Masquerading	T1036	sys32data hidden directory, fake FedEx/OnlyFans documents
Defense Evasion	Obfuscated Files or Information: Base64	T1027.010	Stealth loader scripts
Defense Evasion	Indicator Removal: File Deletion	T1070.004	Shadow copy deletion
Defense Evasion	Subvert Trust Controls	T1553	Encrypted DMG to bypass Gatekeeper scanning
Credential Access	Credentials from Password Stores	T1555	Seed phrase scanner
Collection	Clipboard Data	T1115	Crypto clipboard hijacker
Collection	Data from Local System	T1005	File scanning for seed phrases
Impact	Data Encrypted for Impact	T1486	CRPX0 ransomware
Impact	Data Manipulation: Transmitted Data Manipulation	T1565.002	Clipboard address replacement
Impact	Inhibit System Recovery	T1490	Shadow copy deletion
Impact	Defacement: Internal Defacement	T1491.001	Wallpaper change
C2	Web Service: One-Way Communication	T1102.001	Dashboard API (api.php)
C2	Application Layer Protocol: Web	T1071.001	HTTP/HTTPS C2
Exfiltration	Exfiltration Over C2 Channel	T1041	Seed phrases sent to dashboard

IOC Summary

Network Indicators (Defanged)

Primary C2:

fanonlyatn[.]xyz (104[.]21[.]28[.]214, 172[.]67[.]147[.]155 — Cloudflare)
hxxps://fanonlyatn[.]xyz/api[.]php (C2 dashboard API)
hxxps://fanonlyatn[.]xyz/api_address_match[.]php (address matching API)
hxxps://fanonlyatn[.]xyz/builds/last[.]zip (payload delivery)
hxxps://fanonlyatn[.]xyz/builds/scan/finderx[.]zip (scanner delivery)
hxxps://fanonlyatn[.]xyz/builds/rans/crypter[.]py (ransomware delivery)
hxxps://fanonlyatn[.]xyz/files/call1[.]py (stage 1 loader)
hxxps://fanonlyatn[.]xyz/files/call2[.]py (stage 2 installer)

Backup C2 (Ransomware):

caribb[.]ru (31[.]31[.]198[.]206)
mekhovaya-shuba[.]ru (31[.]31[.]198[.]206)
beboss34[.]ru (31[.]31[.]198[.]206)
hxxps://caribb[.]ru/crpx0/notify[.]php
hxxps://mekhovaya-shuba[.]ru/crpx0/notify[.]php
hxxps://beboss34[.]ru/crpx0/notify[.]php

Telegram:

hxxps://t[.]me/DataBreachPlus

Email:

databreachplus@proton[.]me

Threat Actor Cryptocurrency Wallets

Currency	Address
BTC (Legacy)	`1KC2kXDeyBH9yocYSQy6DQ1ou5hRRRBtpZ`
BTC (P2SH)	`3887CPBvo96AZAm5Gn339isJTXVjdaFogR`
BTC (Bech32)	`bc1qhwxpvjpdlyz7ekmjq6y67t2m2m2e5jq62ykfl4`
Ethereum	`0x835270cEd14bfdAaeF8F8Fa0e532A244cfDe8b52`
TRON	`TDtxY9ZHNffj14Ci9qhBjkpR2AAhCaHuXs`
Dogecoin	`D91Sb1JyWoLb43F2XHFjUL9QJj7iLm6cUR`
Litecoin	`ltc1qadnhqpyj97wjhv2e502n3w207zy2r30pgejq8p`
Solana	`FQPxYxm4y7D6PFjFcGeKcPe42kUfbDnbRsaeLoPYmxYQ`
Ripple	`rBuqUShtAdijJxchFaEXcMij1VVRMY2JWY`
Bitcoin Cash	`qrl73me6ndr7a5sxuyxgn5aflrefyu4c6uzamhu9ar`

File Indicators

File	SHA256	Purpose
call1.py	`2117308f2834f6bc73c2333f128ee4026fe5b4ff27454c951cb78cd2978c332e`	Stage 1 loader
call2.py	`1982d3de7d50e642da1bb8c97baa7e9fd1d7531e8f3e14555fa5ebf4e7e65720`	Stage 2 installer
launcher.cmd	`584796212f99efc7ac765d6048913fe34e46a64b13a8a78fb3a465b8c61f3527`	Windows CMD launcher
py.txt	`db9c5e3e65d90c804622f2fe078e1a2ab04144da1e1fdf1af60d7afa578aef66`	Base64 portable Python ZIP
mac_loader_stealth.sh	`cfb3ea4a06be6a9407378cb39204b1a1977f32efb9d74e6a2233b0b563cfc5a6`	FedEx stealth loader
mac_loader_accounts.sh	`ea54a298420d24fedbd64a707a32aa024c6a694cbfbf61dfd42bb4565ccd4b7b`	OnlyFans lure loader
OrderTracking.sh	`1397b5fde442fe8c091f58ccda4c8a5749ee5b80365578650a17fb515bf5c2f0`	FedEx decoy dropper

Behavioral Indicators

Hidden directory: ~/.sys32data/ (macOS/Linux), %APPDATA%\sys32data\ (Windows)
LaunchAgent: com.sys32.data.plist
Payload filename: sys32.py
Scanner filename: finder.py
Debug log: call2_debug.txt, payload_err.txt, finder_log.txt
HWID file: .hwid (JSON with 16-char hex ID)
Ransom note: HOW TO RECOVER.txt, HOW TO RECOVER_RU.txt, HOW TO RECOVER_ZH.txt
Encrypted extension: .crpx0
Ransom wallpaper: .crpx0_background.png
Scan report: scan_report.json
Operation ID format: OP-XXXXXXXX
User-Agent: crpx0-client/1.0 (ransomware), Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)... (loaders)
Portable Python: python-3.11.5-embed-amd64.zip (Windows), cpython-3.11.7+20240107-{aarch64,x86_64}-apple-darwin-install_only.tar.gz (macOS)
FedEx decoy tracking: 7945 6821 0349 2
Stealth password: pass2021#
Dashboard API secret: 26i$MyYe@r
qTox ID: 17EB54B8455144E088C7E77F88A97221C319F0CFE4FE306853EEB113EE8DB5607BB6EE481C7C

Recommended Actions

Immediate (24-48 hours)

Block all IOCs at network perimeter (domains, IPs, URLs)
Search endpoints for ~/.sys32data/ and %APPDATA%\sys32data\ directories
Check macOS LaunchAgents for com.sys32.data.plist
Monitor clipboard activity for cryptocurrency address patterns
Search for .crpx0 encrypted files
Block the listed cryptocurrency wallet addresses in any exchange/compliance systems

Short-term (1-2 weeks)

Deploy YARA rules (below) to EDR/AV solutions
Submit wallet addresses to blockchain analysis platforms for tracking
Report Telegram account @DataBreachPlus
Report domains to Cloudflare abuse, REG.RU abuse, Navicosoft abuse
Submit samples to MalwareBazaar and VirusTotal

Medium-term (1-3 months)

Monitor for new domains on the same Cloudflare NS pair (beth/devin)
Track wallet transactions for cash-out patterns
Monitor @DataBreachPlus Telegram for operational changes

Abuse Reports

Cloudflare (fanonlyatn.xyz)

The domain fanonlyatn.xyz is hosted behind Cloudflare and serves as the C2 panel for a multi-component malware operation (crypto clipper + ransomware). Open directory at /files/ and /builds/ exposes complete malware source code. Panel at /login.php with agent registration.

REG.RU (Russian C2 domains)

Domains caribb.ru, mekhovaya-shuba.ru, beboss34.ru (IP: 31.31.198.206) host ransomware notification endpoints at /crpx0/notify.php. All registered via REGRU-RU to "Private Person".

Navicosoft (Registrar)

Domain fanonlyatn.xyz registered 2026-03-12 is used as primary C2 for crypto-stealing malware and ransomware operation.

References

@malwrhunterteam (Twitter), 2026-04-03 — original discovery
MITRE ATT&CK: T1115, T1486, T1490, T1543.001, T1553
Fernet encryption: https://cryptography.io/en/latest/fernet/
BIP39 wordlist: https://github.com/bitcoin/bips/blob/master/bip-0039/english.txt
python-build-standalone: https://github.com/indygreg/python-build-standalone

GHOST — Breakglass Intelligence "One indicator. Total infrastructure."