
FatalRAT and an Asian Gambling Syndicate Share a Box: Inside the LARUS / Cloud Innovation AFRINIC Bulletproof Empire

Published April 9, 2026


TL;DR

While walking Silver Fox infrastructure related to yesterday's ValleyRAT investigations, we pivoted onto 45.192.219.135, a Hong Kong VPS on Antbox Networks Limited (AS138995) that does double duty as:

  1. FatalRAT C2 backend, tied to a live campaign deploying FatalRAT, Winos4.0, and QQHong via DLL sideloading through Sogou Input Method (ManualNewWord.dll), VMProtect-packed, beaconing on port 1080 with HTTPS cover on 443 to numbered-subdomain C2 domains (a1.nbdsnb2.top, a1.yydsnb1.top)
  2. Multi-market Chinese gambling platform — hosting sg.www.zyxg88.com (a Vue.js gambling app) with mobile distribution via android.zyxgapp.com, protected behind a hash-rotating CDN layer at sheli588foo32.com and a sister brand cluster on 588688.org / 588688.net

The box sits on AFRINIC-allocated address space (45.192.0.0/12) that's legally held by Cloud Innovation Ltd (Seychelles) and managed through LARUS-SERVICE-MNT — a Hong Kong shell company our prior investigations have repeatedly documented as an "IP leasing empire" controlling 4,993+ AFRINIC network objects and 16M+ IPs currently being used as bulletproof hosting by a rotating cast of China-nexus cybercrime and gambling tenants. This is the same LARUS / Cloud Innovation infrastructure that surfaced in our Adaptix C2 framework investigation (253 proxy nodes on the same allocation) and in the ValleyRAT QTServer loader investigation (documented as a "sophisticated bulletproof hosting provider").

What this report adds to the public record:

  • Direct evidence of FatalRAT C2 and a live Chinese gambling operation sharing the same IP (45.192.219.135), with full hosting lineage traced back through Antbox Networks → LARUS-SERVICE-MNT → Cloud Innovation Ltd → AFRINIC
  • Full infrastructure map of the gambling platform: Vue.js SPA backends + hash-rotating CDN via sheli588foo32.com + multi-layer proxy chain on Netsec, Lanlian International, and Cloud Innovation's own AFRINIC space + AWS Sydney frontend + DNSPod/Dynadot intermediaries
  • A leaked Chinese registrant name 邓林 (Deng Lin) and gndhyi23764t@outlook.com on dvqmpu.cn — the operator's Shenzhen/Singapore/Cambodia-targeted gambling sister brand
  • Confirmation that the gambling operation targets three Asian markets simultaneously via geographic subdomain prefixes: sz.cn.dvqmpu.cn (Shenzhen), www.sg.dvqmpu.cn (Singapore), cm.dvqmpu.cn (Cambodia)
  • An Apache RocketMQ instance exposed on the same /24 (45.192.219.254) whose 4.3.2 version banner places it in the affected ranges of CVE-2023-37582, CVE-2023-33246, and CVE-2019-17572 (version-inferred, not confirmed by exploitation), an enforcement disruption lever

FatalRAT is meaningfully underreported in public threat intel compared to its cousin ValleyRAT, despite appearing in the same Silver Fox / Chinese-nexus crimeware ecosystem. This post is partly a gap-fill on the FatalRAT side and partly a deeper look at the LARUS / Cloud Innovation hosting empire as a cross-vertical cybercrime enabler.

If you've already published reporting on 45.192.219.135, the zyxg88.com gambling cluster, the sheli588foo32.com hash-rotation CDN, or the LARUS / Cloud Innovation bulletproof chain, please reply or DM — we'll update and credit.


The Target

Field                      Value
IP                         45.192.219.135
ASN                        AS138995 (Antbox Networks Limited)
Country                    Hong Kong
Parent allocation          Cloud Innovation Ltd (Seychelles), 45.192.0.0/12
IP manager                 LARUS-SERVICE-MNT
Reverse DNS                None
First seen (FatalRAT)      2026-04-08 (parent sample pivot)
First seen (gambling)      2025-06-12 (URLScan)
Last observed gambling     2025-07-28
Current state              Mostly filtered; only 135/tcp (MS RPC Endpoint Mapper) visible on Shodan

The box is dormant from the outside right now: an nmap scan of the default 1,000 ports found nothing open, and only 135/tcp (Windows MS RPC Endpoint Mapper) is visible in Shodan InternetDB. That's consistent with an operator who has rotated the active workload off this specific host while keeping the Windows OS alive for re-provisioning later. The story is in the historical activity: nginx 1.20.1 serving Chinese-language gambling content in June–July 2025, plus the April 2026 FatalRAT C2 correlation.

The Hosting Lineage — AFRINIC → Seychelles → Hong Kong → Tenants

This is the part that matters for enforcement: the box we're looking at sits on IP space that passed through four layers of corporate indirection before landing at an Antbox customer account.

AFRINIC Allocation:   45.192.0.0 - 45.207.255.255  (/12)
      │
      ▼
Cloud Innovation Ltd (Seychelles)
      │    Address:   Suite 202, Eden Plaza, Eden Island, Mahe
      │    Phone:     +248-4-610-795
      │    Maintainer: CIL1-MNT
      │
      ▼
LARUS-SERVICE-MNT (technical manager)
      │    Address:   Flat A3, 11/F, TML Tower, Tsuen Wan, Hong Kong
      │    Phone:     +852-2988-8918
      │    Abuse:     abuse@larus.help
      │
      ▼
Antbox Networks Limited (AS138995)
      │    Admin:     monk@antboxnetwork.com
      │    Location:  Hong Kong
      │
      ▼
Tenants: Silver Fox / FatalRAT C2 + Chinese gambling + RocketMQ exposures + misc

Why AFRINIC?

AFRINIC is the Regional Internet Registry for Africa. 45.192.0.0/12 was originally allocated to Cloud Innovation Ltd, a Seychelles shell company, as part of AFRINIC's historical African-business policy. In practice, none of this IP space is used in Africa — it's been monetized as a commercial bulletproof-hosting pool via LARUS-SERVICE-MNT (Hong Kong) and then leased to tenants through Antbox Networks. The AFRINIC-address / Hong-Kong-routed / Seychelles-owned / Chinese-tenant shape is recognizable across the prior GHOST work and is one of the cleanest examples of regional IP arbitrage being weaponized as a bulletproof hosting service.

The South African contact cluster

The WHOIS records on the Cloud Innovation network objects show a Hong Kong / Seychelles admin layer sitting over a consistent cluster of South African contacts:

Name                    Location                            Phone
Tingting Xu             TML Tower, Tsuen Wan, HK            +852-9144-2775
OutsideHeaven Support   Mahe, Seychelles                    +248-4-610-795
Bastian Heath           De Boom Resort, Vredenburg, ZA      +27-64-408-4813
Dori Anne Heath         De Boom Resort, Vredenburg, ZA      +27-84-056-6945  ← shared
Dillon Jodamus          50 Oboe Street, Retreat, ZA         +27-65-989-3017
Keith Thomas            Cape Town, ZA                       +27-84-056-6945  ← shared
Ncube Gwen              26b Belgravia Road, Athlone, ZA     +27-60-981-9777

Dori Anne Heath and Keith Thomas share the same phone number +27-84-056-6945. A cluster of Cape Town and Western Cape addresses, with shared contact numbers, managing Seychelles-registered network objects assigned from AFRINIC and routed through Hong Kong — that's the shell company pattern.

Vertical 1 — The FatalRAT C2 Cluster

The parent investigation (sample e1b4c8df3cd7a51d8751b3c3c8b143b5feee7eb1) identified 45.192.219.135 as part of a multi-node FatalRAT campaign on Antbox/LARUS infrastructure:

C2 IP             Ports                 Role
108.187.41.248    443                   FatalRAT C2 (HTTPS cover)
108.187.42.200    1080 (+ Winos4.0)     FatalRAT C2 + Winos4.0 dual-deployment
45.192.219.135    (filtered today)      Our target: C2 backend
45.192.219.143    135, 7680             C2 backend sibling

FatalRAT TTPs

Technique        Detail
Initial access   DLL sideloading via Sogou Input Method (ManualNewWord.dll)
Packing          VMProtect with .9990 / .9991 section naming
C2 transport     Port 1080 (custom FatalRAT protocol) + port 443 (HTTPS cover)
C2 domains       Numbered-subdomain scheme (a1.nbdsnb2.top, a1.yydsnb1.top)
Persistence      Registry Run keys + scheduled tasks
Artifacts        Chinese-language registry strings (e.g., 安装时间, "install time")

FatalRAT's Sogou Input Method sideloading vector is the standout detail. Sogou Input Method (搜狗输入法) is one of the most popular Chinese-language IME packages on Windows, used by hundreds of millions of Chinese-speaking users. Abusing it as a DLL sideload carrier means the malware lands inside a trusted application context on almost every target machine in the victim base.
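The Sogou sideload hunt from the Detection section, worked through as an added example (this is not code from the report and not Sogou's or the campaign's own tooling). The only indicator taken from the report is ManualNewWord.dll loaded by Sogou Input Method; everything else is an assumption: Sysmon Event ID 7 (ImageLoad) records arrive as dicts with the standard Image / ImageLoaded / Signed / Signature fields, Sogou's legitimate install roots are the two paths in SOGOU_ROOTS, and a legitimate copy of the DLL carries a signer name containing "Sogou". The sample events are constructed, with placeholder signer strings.

```python
"""Sogou IME DLL-sideload hunt over Sysmon Event ID 7 (ImageLoad) records.

Added example, not code from the report. Assumptions: event field names
follow Sysmon Event 7, SOGOU_ROOTS are the legitimate install roots, and a
genuine ManualNewWord.dll is signed with a subject containing "Sogou".
"""
import ntpath
from typing import Iterable, List, Optional

SIDELOAD_DLL = "manualnewword.dll"  # from the report's TTP table

# Assumed legitimate Sogou Input Method install roots (tune per fleet).
SOGOU_ROOTS = (
    "c:\\program files (x86)\\sogouinput\\",
    "c:\\program files\\sogouinput\\",
)


def _norm(path: str) -> str:
    """Normalise a Windows path for comparison: collapse '..' segments and case,
    so 'SogouInput\\..\\..\\x\\ManualNewWord.dll' is not mistaken for an in-root load."""
    return ntpath.normpath(path.replace("/", "\\")).lower()


def _under_sogou_root(path: str) -> bool:
    return any(path.startswith(root) for root in SOGOU_ROOTS)


def classify_image_load(ev: dict) -> Optional[str]:
    """Return a finding for a suspicious ManualNewWord.dll load, else None.

    Ordered by severity:
      1. DLL loaded from outside a Sogou install root (classic sideload: a
         copied Sogou binary with the malicious DLL dropped beside it).
      2. DLL inside a Sogou root but loaded by a process that is not.
      3. DLL inside a Sogou root but unsigned / not Sogou-signed
         (in-place replacement of the legitimate DLL).
    """
    loaded = _norm(ev.get("ImageLoaded", ""))
    if ntpath.basename(loaded) != SIDELOAD_DLL:
        return None
    image = _norm(ev.get("Image", ""))
    signed = str(ev.get("Signed", "")).lower() == "true"
    signer = str(ev.get("Signature", ""))

    if not _under_sogou_root(loaded):
        return f"SIDELOAD: {image} loaded {loaded} from outside a Sogou install root"
    if not _under_sogou_root(image):
        return f"SIDELOAD: non-Sogou process {image} loaded {loaded}"
    if not (signed and "sogou" in signer.lower()):
        return f"SUSPICIOUS: {loaded} is inside a Sogou root but not Sogou-signed ({signer or 'unsigned'})"
    return None


def hunt(events: Iterable[dict]) -> List[str]:
    """Run the classifier over a stream of Event ID 7 records."""
    return [f for f in (classify_image_load(e) for e in events) if f]


# Constructed sample events (not real telemetry). Signer strings are
# placeholders, not the vendors' actual certificate subjects.
SAMPLE_EVENTS = [
    {   # legitimate: signed DLL loaded from the install root by a Sogou binary
        "EventID": 7,
        "Image": "C:\\Program Files (x86)\\SogouInput\\SogouExe\\SogouHost.exe",
        "ImageLoaded": "C:\\Program Files (x86)\\SogouInput\\14.0.0.1\\ManualNewWord.dll",
        "Signed": "true", "Signature": "Sogou (placeholder signer)",
    },
    {   # sideload: Sogou host binary copied to %TEMP% with the DLL beside it
        "EventID": 7,
        "Image": "C:\\Users\\victim\\AppData\\Local\\Temp\\SogouSetup\\SogouHost.exe",
        "ImageLoaded": "C:\\Users\\victim\\AppData\\Local\\Temp\\SogouSetup\\ManualNewWord.dll",
        "Signed": "false", "Signature": "",
    },
    {   # in-place replacement: DLL in the install root but unsigned
        "EventID": 7,
        "Image": "C:\\Program Files (x86)\\SogouInput\\SogouExe\\SogouHost.exe",
        "ImageLoaded": "C:\\Program Files (x86)\\SogouInput\\14.0.0.1\\ManualNewWord.dll",
        "Signed": "false", "Signature": "",
    },
    {   # unrelated load, must not fire
        "EventID": 7,
        "Image": "C:\\Windows\\explorer.exe",
        "ImageLoaded": "C:\\Windows\\System32\\shell32.dll",
        "Signed": "true", "Signature": "Microsoft Windows",
    },
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The path normalisation matters: a straight prefix check on the raw ImageLoaded string is bypassable with a `..` segment, so the root test runs on the normalised path. On the sample set the first event is clean, the second fires as a sideload and the third as an in-place replacement.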

FatalRAT vs. its better-known cousin

Public reporting on ValleyRAT (the Silver Fox flagship Winos4.0 / Gh0stKCP variant) is extensive — multiple vendor writeups from Fortinet, Forescout, Qi'anxin, Nextron, ReliaQuest, and The Hacker News in 2025–2026 alone. Public reporting on FatalRAT is substantially thinner. The two malware families coexist on the same infrastructure, share operator tooling, and target the same Chinese-speaking victim base, but FatalRAT keeps getting treated as a footnote in Silver Fox reporting rather than as a family worth mapping on its own. This investigation is partly a gap-fill on that.

Vertical 2 — The Gambling Operation

Cohabiting on the same IP, through the same hoster, is a Chinese gambling platform running a Vue.js SPA architecture with CDN + hash-based subdomain rotation for anti-takedown resilience.

The brand cluster

Domain           Registrar               Created      Role
zyxg88.com       Amazon Registrar        2025-06-02   Primary gambling platform
zyxgapp.com      Amazon Registrar        2025-06-02   Mobile app distribution
588688.org       Amazon Registrar        2025-12-05   Secondary gambling brand
588688.net       Amazon Registrar        2025-12-05   Secondary gambling brand (listed in the same certificate SAN as 588688.org)
myzyhk.com       Amazon Registrar        2025-08-30   Wildcard-cert proxy domain
qlkj888.com      Cosmotown / TuringSign  2026-02-25   Sibling gambling brand on the same ASN
dvqmpu.cn        Yantai Disipu Tech      2025-03-31   Chinese-market domain (OPSEC leak)

Tech stack on the victim-facing side

nginx 1.20.1
Vue.js (Vite build, polyfills)
Vuex + Vue Router + Axios
Let's Encrypt TLS (R11 intermediate), 90-day certificates, renewed automatically
SourceHanSansCN font        ← Chinese-market targeting
/apis/globals API endpoint
LoginView / LoginTop / AppInput components

A full-featured login portal with a Chinese-language UI, aimed at Chinese-speaking gambling users. The bundled SourceHanSansCN font supports that read of the target market.

The hash-rotating CDN

The clever part of the gambling operation's infrastructure posture is sheli588foo32.com — a single apex domain that serves as a CDN layer using 8-character hex hash subdomains that rotate across multiple Antbox IPs:

97ec3bae.sheli588foo32.com → 45.192.219.135
702b5d8d.sheli588foo32.com → 45.192.219.132
64aa45e4.sheli588foo32.com → 45.192.219.132
d7438f4d.sheli588foo32.com → 45.194.37.56
d688779d.sheli588foo32.com → 192.238.138.18

The observed naming is consistent with each client or session being handed its own subdomain, which defeats FQDN-level blocklists: blocking 97ec3bae.sheli588foo32.com does nothing for the next visitor, so defenders have to block at the apex (*.sheli588foo32.com). The hash naming gives the operator effectively unlimited unique-looking URLs while routing all traffic through a small pool of backend IPs. Note that the pool already spans more than one allocation (45.194.37.56 and 192.238.138.18 above), so an IP-side block needs the apex rule beside it.

The CDN proxy chain layer

Behind the hash-rotating layer sits a second proxy tier at vip-jisldk-feo-dun.com, resolving to eight hosts spread across three provider ranges (Netsec, Lanlian International, and Cloud Innovation's own AFRINIC space):

IP               Provider                      Ports
182.16.14.3      Netsec Limited (HK)           80, 443, 6666, 8089, 8099, 8848
182.16.14.4      Netsec Limited (HK)           80, 443, 2077, 6666, 8099, 8888
182.16.14.5      Netsec Limited (HK)           443, 2054, 6666, 8089, 8099
43.224.225.245   Lanlian International (HK)    80, 443, 2053, 8089, 8092, 8099
43.224.225.246   Lanlian International (HK)    80, 8089, 8092, 9527
156.234.9.19     AFRINIC / Cloud Innovation    443
156.234.9.20     AFRINIC / Cloud Innovation    (none listed)
156.234.9.21     AFRINIC / Cloud Innovation    80, 443

The port pattern (6666, 8089, 8099, 8848, 9527) is consistent with a Nacos-based management backend: 8848 is Nacos' default server port. Custom proxy daemons on the higher ports (2053, 2054, 2077, 8092) complete the management surface. This is a port-based inference, not a service fingerprint.

The net effect: victim requests chain through Amazon Route 53 DNS → AWS Sydney frontend → vip-jisldk-feo-dun.com CDN tier → hash-rotating sheli588foo32 subdomains → Antbox HK backends. That's a four-hop anti-takedown architecture on top of a simple Vue.js gambling app.

Geographic subdomain prefixes

Certificate Transparency on dvqmpu.cn reveals the gambling operation targets multiple Asian markets simultaneously:

Subdomain            Market
sz.cn.dvqmpu.cn      Shenzhen, China
www.sg.dvqmpu.cn     Singapore
cm.dvqmpu.cn         Cambodia

Three separate Asian markets running on the same shared gambling backend.

The Attribution Leak — 邓林 / gndhyi23764t@outlook.com

While most of the gambling brand domains are registered through Amazon Registrar with Identity Protection Service (privacy proxy at "PO Box 786, Hayes, Middlesex, GB"), the one .cn domain — dvqmpu.cn — was registered through Yantai Disipu Tech with no privacy protection because .cn domains historically had weaker privacy options. The exposed registrant details:

Registrant name:   邓林 (Deng Lin)
Registrant email:  gndhyi23764t@outlook.com
Registrar:         Yantai Disipu Tech
Created:           2025-03-31

The same OPSEC failure pattern we see with the Luo Quan Silver Fox registration (covered in today's companion post): privacy-protected on the .com / .org side, unprotected on the .cn side because of registrar differences. The gndhyi23764t@outlook.com email prefix is clearly randomized (12 lowercase alphanumeric characters), not a human-chosen username: a disposable Outlook account used once for one domain. But the name field 邓林 (Deng Lin) is not randomized. Whether "Deng Lin" is a real individual, a burner identity, or a team-shared handle is a question for enforcement with subpoena power; what we can prove is the registrant-level link between this specific Chinese name and the gambling sister brand dvqmpu.cn.

Dual-Use Assessment

We can read the FatalRAT + gambling co-location on 45.192.219.135 three ways:

  1. Same operator running both (MEDIUM confidence). The gambling operation may be deploying FatalRAT to steal user credentials, financial data, or competitor intelligence. Chinese gambling operations with their own side-malware capability are not unheard of; gambling → stealer → crypto-wallet drain is a profitable integrated vertical.
  2. Shared bulletproof-hosting co-tenancy (HIGH confidence). Antbox / LARUS sells IP space to both cybercrime and gambling operators with no customer isolation. Different tenants routinely share the same IP through virtual hosting, and Antbox's customer-vetting posture is nonexistent.
  3. Gambling apps as FatalRAT delivery (LOW confidence). The gambling Android apps could be trojanized with FatalRAT to target gambling users. Possible but unconfirmed.

The honest read is probably a mix of (1) and (2): the bulletproof hoster enables both, and operationally the two tenant groups are adjacent enough that some customer overlap is likely even if the entities are formally separate. Whoever you are as a defender, the practical response is the same: block the /24 and treat the entire LARUS / Cloud Innovation AFRINIC allocation as hostile. The /12 is over a million addresses, so check your own flow history for legitimate traffic into it first; for most organizations with no business in AFRINIC space there will be none, and the block costs nothing.

Detection & Hunting

Block list

# /24 blocks
45.192.219.0/24

# FatalRAT C2 cluster (Antbox/LARUS)
108.187.41.248
108.187.42.200
45.192.219.135
45.192.219.143

# CDN proxy tier
182.16.14.3   182.16.14.4   182.16.14.5
43.224.225.245  43.224.225.246
156.234.9.19  156.234.9.20  156.234.9.21

# Gambling frontend (AWS Sydney)
13.210.222.176

# Gambling domains
zyxg88.com
zyxgapp.com
sheli588foo32.com               (block entire apex — hash subdomains rotate)
vip-jisldk-feo-dun.com          (block entire apex — CDN proxy chain)
myzyhk.com
588688.org
588688.net
dvqmpu.cn
qlkj888.com

# Lucky-number gambling sibling domains
1668855.com  1668877.com  668811.vip  886622.vip

Hunting queries

  • Hash-subdomain hunt — DNS queries matching [0-9a-f]{8}\.sheli588foo32\.com
  • CDN proxy hunt — DNS queries to any subdomain of vip-jisldk-feo-dun.com
  • FatalRAT port hunt — outbound TCP connections to any AS138995 address on port 1080
  • Sogou DLL sideload hunt — endpoint events showing Sogou Input Method loading ManualNewWord.dll from non-Sogou install directories
  • VMProtect + Sogou hunt — PE files with .9990 / .9991 section names loaded by Sogou processes
  • Registrant hunt — any new .cn domain registered under gndhyi23764t@outlook.com or the 邓林 registrant name
  • LARUS hunt — any corporate-network traffic to the broader 45.192.0.0/12 allocation (Cloud Innovation / LARUS); if your org has no legitimate business in AFRINIC space, this is a prime baseline anomaly
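The network-side hunts above (hash-subdomain, CDN proxy, FatalRAT port 1080, and the broader LARUS /12 baseline check), run over log lines as an added example. This is not code from the report. The indicators are the report's block list and C2 domains; the two-column log format is constructed for the example, the generalisation of a1.nbdsnb2.top / a1.yydsnb1.top to any a<N> label is an assumption, and the 45.192.0.0/12 allocation stands in for "any AS138995 address" in the port-1080 hunt because there is no offline AS lookup here.

```python
"""Network-side hunt for the report's indicators over DNS and flow logs.

Added example, not code from the report. Assumptions: the log format below
is constructed, the a<N> C2-label generalisation is ours, and the /12
allocation substitutes for an AS138995 lookup in the port-1080 hunt.
"""
import ipaddress
import re
from typing import Iterable, List, Optional, Tuple

# From the report's block list
BLOCK_NETS = [ipaddress.ip_network("45.192.219.0/24")]
LARUS_ALLOC = ipaddress.ip_network("45.192.0.0/12")
C2_IPS = {"108.187.41.248", "108.187.42.200", "45.192.219.135", "45.192.219.143"}
PROXY_IPS = {"182.16.14.3", "182.16.14.4", "182.16.14.5",
             "43.224.225.245", "43.224.225.246",
             "156.234.9.19", "156.234.9.20", "156.234.9.21"}
GAMBLING_APEXES = ("zyxg88.com", "zyxgapp.com", "sheli588foo32.com",
                   "vip-jisldk-feo-dun.com", "myzyhk.com", "588688.org",
                   "588688.net", "dvqmpu.cn", "qlkj888.com",
                   "1668855.com", "1668877.com", "668811.vip", "886622.vip")
# Numbered-subdomain C2 scheme; matching any a<N> label is an assumption.
C2_DOMAIN_RE = re.compile(r"^(?:a\d+\.)?(?:nbdsnb2|yydsnb1)\.top$")
HASH_SUB_RE = re.compile(r"^[0-9a-f]{8}\.sheli588foo32\.com$")

# Constructed log format: "DNS <client> <qname>" or "FLOW <src> <dst>:<port>"
LOG_RE = re.compile(r"^(?P<kind>DNS|FLOW)\s+(?P<src>\S+)\s+(?P<dst>\S+)$")


def classify_qname(qname: str) -> Optional[str]:
    """Tag a DNS query name. Hash subdomains get their own tag because they
    are the rotating layer the report says must be blocked at the apex."""
    q = qname.rstrip(".").lower()
    if HASH_SUB_RE.match(q):
        return "HASH_ROTATING_CDN"
    if C2_DOMAIN_RE.match(q):
        return "FATALRAT_C2_DOMAIN"
    for apex in GAMBLING_APEXES:
        if q == apex or q.endswith("." + apex):   # apex-level match, any label
            return "GAMBLING_APEX:" + apex
    return None


def classify_flow(dst_ip: str, dst_port: int) -> Optional[str]:
    """Tag an outbound connection, most specific indicator first."""
    ip = ipaddress.ip_address(dst_ip)
    if dst_ip in C2_IPS:
        return "FATALRAT_C2" if dst_port == 1080 else "C2_IP"
    if dst_ip in PROXY_IPS:
        return "PROXY_TIER"
    if any(ip in net for net in BLOCK_NETS):
        return "BLOCKED_NET"
    if ip in LARUS_ALLOC:
        return "LARUS_1080" if dst_port == 1080 else "LARUS_ALLOC"
    return None


def hunt(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (source, destination, tag) for every line that matches."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        kind, src, dst = m.group("kind", "src", "dst")
        if kind == "DNS":
            tag = classify_qname(dst)
        else:
            host, _, port = dst.rpartition(":")
            tag = classify_flow(host, int(port))
        if tag:
            findings.append((src, dst, tag))
    return findings


# Constructed sample lines: the 10.0.0.0/8 clients and the two non-indicator
# destinations are made up; the indicator destinations come from the report.
SAMPLE_LOG = """\
DNS  10.0.0.21 97ec3bae.sheli588foo32.com.
DNS  10.0.0.21 android.zyxgapp.com
DNS  10.0.0.33 a1.nbdsnb2.top
DNS  10.0.0.33 www.example.com
FLOW 10.0.0.33 45.192.219.135:1080
FLOW 10.0.0.33 108.187.41.248:443
FLOW 10.0.0.21 45.194.37.56:443
FLOW 10.0.0.21 45.192.219.254:9876
FLOW 10.0.0.40 203.0.113.10:443
FLOW 10.0.0.40 182.16.14.3:8848
""".splitlines()

if __name__ == "__main__":
    for src, dst, tag in hunt(SAMPLE_LOG):
        print(f"{tag:<26} {src} -> {dst}")
```

Two design points worth noting. Domain matching is done at the apex with an explicit dot boundary, so notsheli588foo32.com does not match while any label under sheli588foo32.com does. Flow matching tests the most specific indicator first, so 45.192.219.135:1080 is reported as FatalRAT C2 rather than merely as an address inside the blocked /24, and a host such as 45.194.37.56 (one of the hash-rotation backends, outside the /24) is still surfaced by the /12 baseline rule.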

Apache RocketMQ CVE pivot

45.192.219.254, on the same /24, exposes an Apache RocketMQ instance to the internet behind a self-signed certificate. Its version banner reads 4.3.2, which falls inside the affected ranges of:

  • CVE-2023-37582, RocketMQ NameServer remote command execution
  • CVE-2023-33246, RocketMQ broker remote command execution
  • CVE-2019-17572, Apache RocketMQ arbitrary file read

These are inferred from the version banner, not confirmed by exploitation. For enforcement partners doing disruption operations against the LARUS cluster, .254 is still a textbook RocketMQ exposure, and that's intelligence-collection leverage.

Confidence Table

Claim                                                     Confidence   Basis
45.192.219.135 is a FatalRAT C2 backend                   HIGH         Parent malware sample analysis confirmed the C2 reference
The gambling platform at zyxg88.com ran on this IP        HIGH         Direct URLScan captures from June-July 2025 plus Let's Encrypt issuance records
FatalRAT + gambling are the same operator                 MEDIUM       Co-location is suggestive; differing registrar patterns weaken the single-operator read
LARUS / Cloud Innovation is a bulletproof-hosting shell   HIGH         Consistent with prior GHOST investigations documenting 4,993+ AFRINIC network objects + 16M+ IPs under the same management
邓林 (Deng Lin) is a real operator identity                MEDIUM       Could be real, a burner, or team-shared
FatalRAT is underreported relative to ValleyRAT           HIGH         Public CTI coverage comparison

Disclosure

  • Antbox Networks Limited abuse: monk@antboxnetwork.com
  • LARUS-SERVICE-MNT abuse: abuse@larus.help
  • AFRINIC abuse — for the broader 45.192.0.0/12 allocation via Cloud Innovation Ltd
  • Amazon Registrar abuse — for zyxg88.com, zyxgapp.com, 588688.org, 588688.net, myzyhk.com
  • CNCERT/CC — for the Chinese-market gambling operations and FatalRAT campaign targets
  • HKCERT — infrastructure is Hong Kong-routed
  • Apache Software Foundation — for the exposed RocketMQ 4.3.2 instance on .254 (courtesy disclosure)

Prior art

  • Yesterday's GHOST post on the Silver Fox ValleyRAT / CTG Server HK cluster: silverfox-valleyrat-telegram-chinese-langpack-zpaq-bytedance-ctg
  • Today's companion Luo Quan Silver Fox attribution: silver-fox-luo-quan-jackbank-jackadmin-registrant-attribution
  • Prior Breakglass investigations documenting LARUS-SERVICE-MNT / Cloud Innovation as an IP leasing empire (Adaptix C2 framework, ValleyRAT QTServer loader, and related Silver Fox infrastructure mapping work)
  • Public ValleyRAT reporting from Fortinet, Forescout, Qi'anxin, Nextron Systems, ReliaQuest, and The Hacker News (multiple 2025-2026 pieces)
  • Limited prior public reporting on FatalRAT specifically — mostly as a footnote in Silver Fox / Winos4.0 writeups

If you've already published reporting on the 45.192.219.135 FatalRAT / gambling co-location, the zyxg88.com brand cluster, the sheli588foo32.com hash-rotating CDN, or the 邓林 registrant, please reply or DM — we'll update and credit.


GHOST — Breakglass Intelligence "One indicator. Total infrastructure."
