FlashTest Stealer: A $5,000 EV Certificate, a Shell Company, and a Speed Test That Steals Your Browser
TL;DR: FlashTestInstaller.exe is a 356KB .NET WPF application signed with an Extended Validation (EV) Authenticode certificate issued to Israeli shell company Kartos Gale LTD. The EV signature bypasses Windows SmartScreen, suppresses reputation-based AV warnings, and confers enterprise trust -- all for a credential stealer disguised as a broadband speed test tool. The operator built a complete fake product ecosystem: a marketing website at flashtestapp.com, a working speed test UI backed by flanativ.com, a proper uninstaller with registry cleanup, and three Cloudflare-proxied infrastructure domains. The stealer silently harvests Chrome credentials, cookies, and session tokens via a multi-stage C2 protocol on colropl.com. Infrastructure is live as of March 14, 2026.
The Investment in Legitimacy
Extended Validation code signing certificates are not easy to obtain. They require legal entity verification, physical address confirmation, and operational existence checks by a Certificate Authority. They cost $2,000-5,000 per year. They require a hardware token or HSM for key storage. And, unlike standard (OV) code signing certificates, which have to accumulate reputation over time, they grant a binary immediate reputation with Windows SmartScreen -- Microsoft's primary reputation-based protection for downloaded executables -- so a freshly signed installer runs without a warning the first time anyone opens it.
The operator behind FlashTest did not steal a certificate. They purchased one through Kartos Gale LTD, a company registered in Israel with serial number 516891132. Sectigo issued the EV certificate under its Sectigo Public Code Signing CA EV R36 intermediate, valid from December 29, 2025 through December 29, 2026. The signing timestamp on the binary is January 27, 2026 at 14:20:32 UTC -- a Tuesday afternoon (16:20 local time), during business hours in Israel. Everything about the entity points to a purpose-built shell company created to acquire code signing trust.
The result: when a victim runs FlashTestInstaller.exe, the UAC prompt shows "Kartos Gale LTD" in the verified publisher field instead of the yellow "Unknown publisher" warning an unsigned binary would trigger. SmartScreen does not intervene. Most endpoint protection products reduce their suspicion scoring for EV-signed binaries. The malware arrives with more trust signals than the average legitimate application.
Certificate Details
| Field | Value |
|---|---|
| Subject | Kartos Gale LTD |
| Country | Israel |
| Business ID | serialNumber=516891132 |
| Issuer | Sectigo Public Code Signing CA EV R36 |
| Certificate Serial | A888CB01C4A97F105FDA08F27C7BB2BC |
| Valid From | 2025-12-29 |
| Valid To | 2026-12-29 |
| Signing Timestamp | 2026-01-27 14:20:32 UTC |
| Key Usage | Code Signing (EV) |
Binary Analysis
FlashTestInstaller.exe is a 64-bit .NET WPF application at 356KB -- small, clean, and unremarkable at first glance. Alongside itself it drops two further binaries into the installation directory, for three files in total:
| File | Size | Purpose |
|---|---|---|
| FlashTestInstaller.exe | 356 KB | Installer, EV-signed |
| FlashTest.exe | 151 KB | Main stealer payload |
| Uninstall.exe | 57 KB | Uninstaller with C2 telemetry |
All three binaries carry PE compile timestamps decades in the future: 2088, 2067, and 2050 respectively. Future-dated stamps break timeline reconstruction and trip up automated PE analysis pipelines that parse the compilation timestamp, and the most likely reading is deliberate timestomping as an anti-forensics measure. One caveat for analysts: these are .NET assemblies, and Roslyn's deterministic builds (the default for modern .NET SDK projects) replace the PE timestamp with a value derived from a hash of the build inputs, which frequently decodes to an implausible year. A future date on a managed binary is therefore weaker evidence of timestomping than the same date on native code, and should be corroborated with the signer, origin, and behaviour.
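To make the timestamp check concrete, here is an added example (not code from the report or from the malware) that reads the COFF TimeDateStamp with only the Python standard library and also inspects the optional header's CLR runtime directory entry, so a future date on a managed assembly is reported with the deterministic-build caveat rather than as a definite timestomp. The PE headers it classifies are constructed inline for the demonstration; they are not the FlashTest binaries.

```python
"""Read the PE compile timestamp and decide how much weight to give it.

Added example, not from the report: parses the DOS header, follows
e_lfanew to the COFF FILE_HEADER TimeDateStamp, and checks whether the
CLR runtime header (data directory 14) is present, because Roslyn's
deterministic builds replace the timestamp of managed assemblies with a
content-derived value. build_sample_pe() produces constructed test data.
"""
import struct
from datetime import datetime, timezone

REPORT_DATE_TS = 1773446400   # 2026-03-14 00:00 UTC, the report's "live as of" date


def pe_timestamp(data: bytes) -> int:
    """Return the raw COFF TimeDateStamp (seconds since the Unix epoch)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # IMAGE_FILE_HEADER: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


def is_managed(data: bytes) -> bool:
    """True if the optional header's CLR runtime directory entry is non-zero."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    opt = e_lfanew + 4 + 20                        # after signature + FILE_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:                             # PE32+
        nrva_off, dd_off = 108, 112
    elif magic == 0x10B:                           # PE32
        nrva_off, dd_off = 92, 96
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    nrva = struct.unpack_from("<I", data, opt + nrva_off)[0]
    if nrva <= 14:
        return False
    clr_rva = struct.unpack_from("<I", data, opt + dd_off + 14 * 8)[0]
    return clr_rva != 0


def classify_timestamp(data: bytes, now_ts: int = REPORT_DATE_TS) -> tuple:
    """Return (year, verdict) for the binary's compile timestamp."""
    ts = pe_timestamp(data)
    year = datetime.fromtimestamp(ts, tz=timezone.utc).year
    if ts <= now_ts:
        return year, "plausible"
    if is_managed(data):
        # Future date on a .NET assembly: timestomp OR deterministic build.
        return year, "future-dated managed assembly: weak indicator, corroborate"
    return year, "future-dated native image: likely timestomped"


def build_sample_pe(timestamp: int, managed: bool, pe32plus: bool = True) -> bytes:
    """Construct a minimal PE header for testing (constructed data, no code)."""
    opt_size = 240 if pe32plus else 224
    buf = bytearray(64 + 4 + 20 + opt_size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 64)                      # e_lfanew
    buf[64:68] = b"PE\0\0"
    coff = 68
    struct.pack_into("<H", buf, coff, 0x8664 if pe32plus else 0x14C)  # Machine
    struct.pack_into("<I", buf, coff + 4, timestamp)           # TimeDateStamp
    struct.pack_into("<H", buf, coff + 16, opt_size)           # SizeOfOptionalHeader
    opt = coff + 20
    struct.pack_into("<H", buf, opt, 0x20B if pe32plus else 0x10B)     # Magic
    struct.pack_into("<I", buf, opt + (108 if pe32plus else 92), 16)  # NumberOfRvaAndSizes
    if managed:
        entry = opt + (112 if pe32plus else 96) + 14 * 8         # CLR runtime header
        struct.pack_into("<II", buf, entry, 0x2008, 0x48)
    return bytes(buf)


if __name__ == "__main__":
    for label, ts, managed in [("fake 2088 .NET", 3723753600, True),
                               ("fake 2088 native", 3723753600, False),
                               ("2020 native", 1590969600, False)]:
        print(label, classify_timestamp(build_sample_pe(ts, managed)))
```

Run the same `classify_timestamp` over a real sample by passing the first few kilobytes of the file; for a full triage, feed the verdict into the same scoring as the signer and the network indicators rather than alerting on the year alone.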
Anti-Analysis Techniques
The stealer employs multiple obfuscation layers to complicate both static and dynamic analysis:
Reversed strings -- Chrome profile paths and browser database filenames are stored as reversed strings in the binary, defeating simple string-based YARA rules and static analysis grep patterns. At runtime, the strings are reversed back before use.
Base64-encoded registry paths -- Windows Registry keys used for persistence and configuration are base64-encoded at rest and decoded at runtime. This avoids both static string detection and registry path monitoring rules that key on known stealer registry locations.
Hardcoded API key -- The C2 authentication key Xt9kLm3nQp7wYz-f1829574063 is embedded directly in the binary and sent as a bearer token on every C2 request. It lets the backend reject unauthenticated probes and scanners; because it is static and trivially recoverable from the binary, it is also a high-fidelity network indicator wherever TLS is inspected.
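The two string-hiding tricks above are easy to undo once you know to look for them. The following is an added example (not code from the report or from the malware) that scans an image for Chrome artefact names stored reversed and for registry paths stored base64-encoded; it checks both the ASCII and the UTF-16LE form, since .NET string literals live in the #US heap as UTF-16LE. `SAMPLE_IMAGE` is a constructed blob, not a FlashTest binary, and the artefact and registry-prefix lists are starting points you would extend.

```python
"""Recover reversed Chrome artefact names and base64-encoded registry paths.

Added example, not the report's or the malware's code. Each indicator is
searched for reversed, in ASCII and in UTF-16LE; printable runs are then
scanned for base64 tokens that decode to a known registry path prefix.
SAMPLE_IMAGE below is constructed test data.
"""
import base64
import binascii
import re

CHROME_ARTEFACTS = [
    b"Login Data",
    b"Cookies",
    b"Local State",
    b"Web Data",
    b"\\Google\\Chrome\\User Data",
]
REGISTRY_PREFIXES = [            # compared upper-cased
    b"SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN",
    b"SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\UNINSTALL",
    b"HKCU\\SOFTWARE\\",
    b"HKLM\\SOFTWARE\\",
]
ASCII_RUN = re.compile(rb"[\x20-\x7e]{8,}")
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")
B64_TOKEN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")


def find_reversed(image: bytes) -> list:
    """Return artefact names that appear reversed, in ASCII or UTF-16LE."""
    hits = []
    for name in CHROME_ARTEFACTS:
        rev = name[::-1]
        needles = (rev, rev.decode("ascii").encode("utf-16-le"))
        if any(n in image for n in needles):
            hits.append(name.decode("ascii"))
    return hits


def printable_strings(image: bytes):
    """Yield ASCII runs and UTF-16LE runs (re-encoded as ASCII) of 8+ chars."""
    for m in ASCII_RUN.finditer(image):
        yield m.group()
    for m in WIDE_RUN.finditer(image):
        yield m.group().decode("utf-16-le").encode("ascii")


def find_base64_registry(image: bytes) -> list:
    """Return decoded registry paths that were stored base64-encoded."""
    hits = []
    for s in printable_strings(image):
        for token in B64_TOKEN.findall(s):
            try:
                decoded = base64.b64decode(token, validate=True)
            except binascii.Error:
                continue            # not valid base64 (bad length or padding)
            if any(decoded.upper().startswith(p) for p in REGISTRY_PREFIXES):
                hits.append(decoded.decode("latin-1"))
    return hits


def _b64(s: bytes) -> bytes:
    return base64.b64encode(s)


# Constructed sample image: one reversed artefact name in ASCII, one in
# UTF-16LE, one base64 registry path, and benign filler that must not match.
SAMPLE_IMAGE = (
    b"\x00" * 16
    + b"ataD nigoL\x00"
    + "seikooC".encode("utf-16-le") + b"\x00\x00"
    + _b64(b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run") + b"\x00"
    + b"Measuring download speed...\x00"
    + _b64(b"just a normal base64 blob, nothing to see") + b"\x00"
)

if __name__ == "__main__":
    print("reversed:", find_reversed(SAMPLE_IMAGE))
    print("base64 registry:", find_base64_registry(SAMPLE_IMAGE))
```

The same two functions translate directly into YARA: one rule per reversed string with both `ascii` and `wide` modifiers, and a `base64`/`base64wide` modifier on each registry path, which is the cheapest way to get this coverage into an existing scanning pipeline.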
The Working Speed Test: Social Engineering Through Functionality
This is where FlashTest distinguishes itself from commodity stealers. The application presents a fully functional speed test interface backed by spd.flanativ.com. The UI is a clean WPF application that actually measures download and upload speeds, displays ping latency, and renders results in a professional gauge visualization.
The speed test works. A victim who runs FlashTest will see legitimate-looking bandwidth measurements, conclude the application does what it claims, and leave it installed. Meanwhile, the stealer component operates silently in the background.
The operator built an entire product ecosystem to support this deception:
| Component | Domain | Purpose |
|---|---|---|
| Marketing website | flashtestapp.com | Product landing page, download links |
| Speed test CDN | flanativ.com | Backend for the working speed test |
| C2 server | colropl.com | Credential exfiltration and tasking |
All three domains are Cloudflare-proxied, hiding the origin servers behind Cloudflare's CDN and WAF. The registration timeline shows deliberate staging:
| Domain | Registered | Registrar |
|---|---|---|
| flashtestapp.com | September 2025 | GoDaddy |
| colropl.com | November 2025 | Key-Systems GmbH |
| flanativ.com | December 2025 | GoDaddy |
The product website was established first -- three months before the certificate was even issued. The C2 domain came next, followed by the speed test backend. The EV certificate was purchased in late December 2025, the binary was signed in late January 2026, and the campaign has been live since. This is a patient, well-funded operation.
C2 Protocol: Multi-Stage Beacon Chain
The stealer uses a structured multi-stage C2 protocol against colropl.com, with each stage serving a distinct function in the attack lifecycle:
Stage 1: Initial Check-In
| Endpoint | Method | Purpose |
|---|---|---|
| /StartFlash | POST | Initial beacon -- registers implant, receives tasking config |
| /ValidateFlash | POST | Validation handshake -- confirms target viability |
Stage 2: Data Exfiltration
| Endpoint | Method | Purpose |
|---|---|---|
| /FirstReportFe | POST | Primary exfiltration -- Chrome credentials and cookies |
| /SecondReportTa | POST | Secondary exfiltration -- session tokens and additional data |
Supplemental Endpoints
| Endpoint | Method | Purpose |
|---|---|---|
| /fs | POST | Hello/heartbeat beacon |
| /fls | POST | Secondary heartbeat |
| /ficht | POST | Unknown function (possibly feature check) |
| /uti | POST | Uninstall telemetry -- reports removal to operator |
All requests are authenticated with the hardcoded API key. The /uti endpoint is particularly notable: even the uninstaller phones home. When a victim removes FlashTest, Uninstall.exe notifies the C2 that the implant has been removed, giving the operator real-time visibility into detection rates and target attrition.
Credential Theft: Chrome Targeting
The stealer targets Google Chrome specifically, harvesting:
- Saved passwords from Chrome's Login Data SQLite database
- Cookies including session cookies for authenticated services
- Session tokens for persistent access to victim accounts
Chrome credential paths are stored as reversed strings in the binary and decoded at runtime. The stealer accesses Chrome's profile directory, copies the relevant SQLite databases (Login Data, Cookies), and decrypts the stored values. Since Chrome 80 those values are AES-256-GCM encrypted with a per-profile key kept in the Local State file, and that key is wrapped with DPAPI under the victim's logon credentials, so a process running as the victim can unwrap it without elevation. Whether the sample also handles Chrome's newer App-Bound Encryption, which moves the cookie and password key behind an elevated service, is not established here. Stolen data is exfiltrated over HTTPS through the multi-stage C2 protocol described above.
The Uninstaller as Intelligence Tool
The inclusion of a functional uninstaller with proper registry cleanup is not just social engineering -- it is operational intelligence. The 57KB Uninstall.exe binary:
- Removes FlashTest files from the installation directory
- Cleans up Windows Registry entries
- Reports the uninstallation event to
colropl.com/uti
This gives the operator three data points that commodity stealers rarely collect: how many targets remove the software, how quickly after installation they remove it, and by extension, how many targets leave it running indefinitely. This is A/B testing for malware distribution -- data that informs future campaign refinements.
MITRE ATT&CK Mapping
| Tactic | Technique | ID | Implementation |
|---|---|---|---|
| Resource Development | Acquire Infrastructure: Domains | T1583.001 | Three domains staged over 4 months |
| Resource Development | Obtain Capabilities: Code Signing Certificates | T1588.003 | EV cert via shell company Kartos Gale LTD |
| Resource Development | Establish Accounts | T1585 | Israeli shell company for EV verification |
| Defense Evasion | Subvert Trust Controls: Code Signing | T1553.002 | EV Authenticode bypasses SmartScreen |
| Defense Evasion | Obfuscated Files or Information | T1027 | Reversed strings, base64 registry paths, fake PE timestamps |
| Defense Evasion | Indicator Removal: Timestomp | T1070.006 | Fabricated PE compile timestamps (2050-2088) |
| Defense Evasion | Masquerading | T1036.005 | Functional speed test application as cover |
| Credential Access | Credentials from Password Stores: Web Browsers | T1555.003 | Chrome Login Data database theft |
| Credential Access | Steal Web Session Cookie | T1539 | Chrome cookie exfiltration |
| Collection | Data from Local System | T1005 | Chrome profile data harvesting |
| Exfiltration | Exfiltration Over C2 Channel | T1041 | HTTPS exfil via multi-stage protocol |
| Command and Control | Application Layer Protocol: Web Protocols | T1071.001 | HTTPS C2 via Cloudflare-proxied domains |
| Command and Control | Encrypted Channel: Asymmetric Cryptography | T1573.002 | TLS via Cloudflare |
| Discovery | System Information Discovery | T1082 | System data collected during StartFlash beacon |
Indicators of Compromise
File Indicators
| Type | Value | Description |
|---|---|---|
| SHA-256 | b18e84c03195b6e8e4b92c59a2845d7118e915c2638c2ca524fbeb10c81ea83b | FlashTestInstaller.exe |
| Cert Serial | A888CB01C4A97F105FDA08F27C7BB2BC | Sectigo EV cert (Kartos Gale LTD) |
| API Key | Xt9kLm3nQp7wYz-f1829574063 | Hardcoded C2 authentication key |
Network Indicators
| Type | Value | Description |
|---|---|---|
| Domain | flashtestapp[.]com | Product marketing website |
| Domain | colropl[.]com | Primary C2 server |
| Domain | flanativ[.]com | Speed test backend / fake CDN |
| URL | colropl[.]com/StartFlash | Initial beacon endpoint |
| URL | colropl[.]com/ValidateFlash | Validation handshake |
| URL | colropl[.]com/FirstReportFe | Primary data exfiltration |
| URL | colropl[.]com/SecondReportTa | Secondary data exfiltration |
| URL | colropl[.]com/fs | Heartbeat |
| URL | colropl[.]com/fls | Secondary heartbeat |
| URL | colropl[.]com/ficht | Unknown function |
| URL | colropl[.]com/uti | Uninstall telemetry |
| URL | spd.flanativ[.]com | Speed test API endpoint |
Host Indicators
| Type | Value | Description |
|---|---|---|
| PE Timestamp | 2088 | FlashTestInstaller.exe (fabricated) |
| PE Timestamp | 2067 | FlashTest.exe (fabricated) |
| PE Timestamp | 2050 | Uninstall.exe (fabricated) |
| Signer | Kartos Gale LTD (IL, 516891132) | EV certificate subject |
Defensive Recommendations
Immediate Actions
- Block all three domains -- flashtestapp.com, colropl.com, and flanativ.com -- at DNS, web proxy, and firewall levels.
- Hunt for the SHA-256 hash across endpoint telemetry and email gateway logs.
- Distrust the certificate -- add cert serial A888CB01C4A97F105FDA08F27C7BB2BC to your organization's certificate blocklist (on Windows, the Untrusted Certificates store via Group Policy, or your EDR's signer blocklist). Only Sectigo can revoke it; see the strategic recommendations below.
- Search for the API key Xt9kLm3nQp7wYz-f1829574063 in network traffic logs (HTTP request bodies and headers). It is only visible where TLS is terminated or inspected, so check proxy and TLS-inspection logs rather than raw packet captures.
Detection Engineering
- Alert on PE binaries with compilation timestamps beyond 2030, but treat the hit as a lead rather than a high-confidence indicator: native code almost never carries a future date, while .NET assemblies built with Roslyn's deterministic option carry a content-derived timestamp that frequently decodes to an implausible year. Corroborate with the signer, the file's origin, and network behaviour.
- Monitor for .NET WPF applications making HTTPS connections to Cloudflare-proxied domains within 60 seconds of first execution -- especially from user download directories.
- Signature rule for the C2 endpoint naming convention: /StartFlash, /ValidateFlash, /FirstReportFe, and /SecondReportTa are distinctive and unlikely to appear in legitimate web traffic. The short paths (/fs, /fls, /ficht, /uti) will collide with unrelated services and should only fire in combination with the domains or the API key.
- Certificate monitoring: code signing certificates are not recorded in Certificate Transparency logs (those cover TLS certificates), so hunt endpoint and EDR telemetry for any other binary whose signer is Kartos Gale LTD, and re-check the certificate's revocation status periodically so you know when Sectigo acts.
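Putting the network side of these recommendations into one triage routine, here is an added example (not code from the report): it scores web proxy records so that any contact with the three domains or any appearance of the hardcoded API key is high severity, the four distinctive paths alone on an unknown host are medium (the same implant talking to new infrastructure), and the short paths count only when the host or the key also matches. `SAMPLE_LOG` is constructed JSON-lines data in a made-up proxy schema (`ts`, `host`, `method`, `uri`, `headers`, `body`), not real traffic; the key is only observable where TLS is terminated or inspected.

```python
"""Triage HTTP proxy records against the FlashTest C2 indicators.

Added example, not from the report. The proxy schema (ts, host, method,
uri, headers, body) is assumed; adapt the field names to your proxy.
SAMPLE_LOG is constructed test data.
"""
import json
from typing import Optional
from urllib.parse import urlsplit

IOC_DOMAINS = {"colropl.com", "flanativ.com", "flashtestapp.com"}
API_KEY = "Xt9kLm3nQp7wYz-f1829574063"
STRONG_PATHS = {"/StartFlash", "/ValidateFlash", "/FirstReportFe", "/SecondReportTa"}
WEAK_PATHS = {"/fs", "/fls", "/ficht", "/uti"}


def host_is_ioc(host: str) -> bool:
    """Exact or subdomain match against the three campaign domains."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def score(record: dict) -> tuple:
    """Return (severity, reasons) for one record; severity None means no alert."""
    reasons = []
    host = record.get("host", "")
    path = urlsplit(record.get("uri", "")).path
    key_seen = (API_KEY in json.dumps(record.get("headers", {}))
                or API_KEY in record.get("body", ""))
    if host_is_ioc(host):
        reasons.append("host matches IOC domain")
    if key_seen:
        reasons.append("hardcoded API key present")
    strong = path in STRONG_PATHS
    if strong:
        reasons.append("distinctive C2 path " + path)
    if path in WEAK_PATHS and (key_seen or host_is_ioc(host)):
        reasons.append("short C2 path " + path + " on IOC host or with API key")
    if host_is_ioc(host) or key_seen:
        return "high", reasons
    if strong:
        return "medium", reasons          # new infrastructure, same implant?
    return None, reasons                  # weak paths alone never alert


def triage(log_text: str) -> list:
    """Parse JSON-lines proxy output and return one alert per flagged record."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        sev, reasons = score(rec)
        if sev:
            alerts.append({"ts": rec["ts"], "host": rec["host"],
                           "severity": sev, "reasons": reasons})
    return alerts


# Constructed records: a real beacon, a benign /fs hit, a distinctive path on
# an unknown host, the speed-test backend, and unrelated browsing.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"ts": "2026-03-14T09:00:01Z", "host": "colropl.com", "method": "POST",
     "uri": "/StartFlash",
     "headers": {"Authorization": "Bearer " + API_KEY, "Content-Type": "application/json"},
     "body": "{\"host\":\"WS-42\",\"os\":\"Windows 11\"}"},
    {"ts": "2026-03-14T09:00:05Z", "host": "cdn.example.net", "method": "GET",
     "uri": "/fs", "headers": {}, "body": ""},
    {"ts": "2026-03-14T09:01:10Z", "host": "203.0.113.7", "method": "POST",
     "uri": "/FirstReportFe", "headers": {"Content-Type": "application/octet-stream"},
     "body": ""},
    {"ts": "2026-03-14T09:02:00Z", "host": "spd.flanativ.com", "method": "GET",
     "uri": "/download?size=1048576", "headers": {}, "body": ""},
    {"ts": "2026-03-14T09:03:30Z", "host": "speedtest.example.org", "method": "GET",
     "uri": "/", "headers": {}, "body": ""},
])

if __name__ == "__main__":
    for a in triage(SAMPLE_LOG):
        print(a["ts"], a["severity"], a["host"], "; ".join(a["reasons"]))
```

The medium tier is the one worth tuning: a `/FirstReportFe` POST to a host you have never seen is exactly how you would notice the operator rotating C2 domains while keeping the implant, so route those to a hunt queue rather than suppressing them.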
Strategic Recommendations
- Report to Sectigo for EV certificate revocation -- provide the cert serial and evidence of malicious use. Revocation has downstream effects: once the certificate is revoked, the Authenticode signature no longer validates, and the binary loses the publisher trust and SmartScreen reputation that made the campaign work.
- Report flashtestapp.com and flanativ.com to GoDaddy and colropl.com to Key-Systems GmbH for abuse investigation.
- Report to Cloudflare Trust & Safety -- all three domains are proxied through Cloudflare, and removal of the CDN shield will expose the origin infrastructure.
The Bigger Picture: EV Trust as a Commodity
FlashTest is not sophisticated malware. It is a straightforward .NET credential stealer with basic obfuscation. What makes it effective is the investment in everything around the malware: a shell company that passes EV verification, a working product that does what it claims, a marketing website, a multi-domain infrastructure behind Cloudflare, and an uninstaller that provides operational telemetry.
This is the commoditization of trust. The EV code signing ecosystem assumes that the cost and verification requirements create a meaningful barrier. FlashTest demonstrates that a motivated operator can clear that barrier with a few thousand dollars and a shell company registration. The resulting binary arrives on victim machines with more trust signals than most legitimate software -- a green publisher name, no SmartScreen warning, and reduced AV scrutiny.
The infrastructure timeline -- domains registered months in advance, certificate purchased weeks before signing, the binary signed during Israeli business hours -- suggests this is not a one-off campaign. The operator has invested in reusable infrastructure designed to outlast individual payload iterations. Expect additional signed binaries from Kartos Gale LTD until Sectigo revokes the certificate.
Reported by researcher SquiblydooBlog via @abuse_ch. Investigation conducted 2026-03-14. Breakglass Intelligence | Infrastructure confirmed live at time of publication. Classification: TLP:CLEAR