Two C2s, One /24, One Telegram Handle: 'GeorgeGinx' Ships a Striker Deployment Next to a Custom Flask Panel on Evoxt
TL;DR
On April 8, 2026, we followed a lead from @malwrhunterteam to 23.27.141.44 — an Evoxt VPS in New York City — and found a Striker C2 deployment sitting behind a "Trading Bots Management" cover page, served by a dead-simple python -m http.server wrapper on port 3004 with the Socket.IO backend on 3003. Pivoting two IPs over to 23.27.141.46, we found a second C2 panel built in Flask, branded "GeorgeGinx Panel", with a Golang backend on port 1337 and a custom DNS server on UDP 53.
Both panels are wired to the same operator. The GeorgeGinx login page advertises its own Telegram contact — @georgeknowsit (display name: "Geroge knows" — actor's own typo, not ours) — in plain HTML. The Striker C2 uses an SSL certificate for calipology.com issued by Sectigo in June 2025 and registered via GoDaddy, which redirects HTTPS traffic through to calipology.co.uk — a legitimate UK brake caliper refurbishment WordPress site administered by a "Daniel" that the C2 operator is either tied to or cynically hiding behind.
What this report adds to the public record:
- First observation (that we could find) of a GeorgeGinx-branded C2 panel with a public Telegram contact anchored in the login HTML — @georgeknowsit
- Confirmation that the port-3004 "Trading Bots Management" page at 23.27.141.44 is a Striker C2 frontend, verified via localStorage key, full Socket.IO event catalog, and the compiled Svelte bundle
- Full infrastructure map linking 23.27.141.44 ↔ 23.27.141.46 ↔ calipology.com ↔ calipology.co.uk and the Daniel/IPB forum admin identity worth further investigation
Hat tip to @malwrhunterteam for the lead. If you've already published reporting on GeorgeGinx, the calipology.com domain, or the Striker C2 deployment on 23.27.141.44, please reply or DM — we'll update and credit.
The Two Boxes
| | 23.27.141.44 (Striker) | 23.27.141.46 (GeorgeGinx) |
|---|---|---|
| ASN | AS (Ace Data Centers II / Evoxt) | Same /24 |
| Hoster | Evoxt (EVOXT-NETWORK) | Evoxt |
| Location | New York City, US | New York City, US |
| SSH | OpenSSH 9.6p1 Ubuntu 3ubuntu13.14 | OpenSSH 9.6p1 Ubuntu 3ubuntu13 |
| First Shodan (SSH) | 2026-03-04 | — |
| First Shodan (C2 panel) | 2026-03-15 | — |
| OS | Ubuntu 24.04 LTS | Ubuntu |
The two boxes sit two IPs apart on the same /24, same hoster, same Ubuntu release family. You don't need a pivot table — they're correlated by inspection.
23.27.141.44 — Striker C2
| Port | Service | Details |
|---|---|---|
| 21 | vsftpd 3.0.5 | FTP (no anon) |
| 22 | OpenSSH 9.6p1 | Operator SSH |
| 80 | Apache 2.4.58 | Default Ubuntu welcome page |
| 443 | Apache 2.4.58 | Redirects to calipology.co.uk; cert for calipology.com (Sectigo DV R36, valid 2025-06-16 → 2026-06-16) |
| 3003 | Socket.IO (Node.js) | Striker C2 backend |
| 3004 | Python SimpleHTTP/0.6 (3.12.3) | Striker C2 panel ("Trading Bots Management") |
| 8080 | nginx 1.26.2 | Default welcome page |
23.27.141.46 — GeorgeGinx Panel
| Port | Service | Details |
|---|---|---|
| 22 | OpenSSH 9.6p1 | Operator SSH |
| 53/udp | DNS (unknown daemon) | Custom listener — possible DNS tunneling or DNS C2 |
| 80 | HTTP → HTTPS redirect | — |
| 631 | CUPS 2.4.16 | Print service; returns Forbidden |
| 1337 | Go net/http | Custom Go backend — 404 on every path (UUID/signed-route gated) |
| 8080 | Werkzeug/3.1.6 Python/3.12.3 | GeorgeGinx Panel (Flask) — /login, /login_auth |
Striker, Confirmed
The port-3004 page presents itself as "Trading Bots Management". The actual application is a compiled Svelte SPA (Vite build hashes, Tailwind styles) with a 160 KB minified JavaScript bundle — index.967cb510.js — that betrays itself the moment you grep it.
Bundle fingerprints
The JS bundle makes four calls to localStorage:
localStorage.getItem("striker")
localStorage.setItem("striker", ...)
localStorage.removeItem("striker")
That's the framework name keyed in clear text. For a second opinion, the full Socket.IO event catalog in the bundle matches Striker C2's documented command protocol exactly:
| Category | Events |
|---|---|
| Agent Management | new_agent, update_agent, agent_deleted |
| Interactive Shell | agent_console_input, agent_console_output |
| Tasking | new_task, update_task, task_deleted, releaseTask |
| File Operations | new_file, file_updated, file_deleted |
| Redirectors | new_redirector, redirector_deleted |
| Auth Keys | new_authkey, authkey_updated, authkey_deleted, releaseAuthKey |
| Team Chat | new_teamchat_message, send_teamchat_message |
| User Management | new_user, user_deleted, user_updated, releaseUser |
| Logging | new_log (250-entry buffer) |
| Errors | striker_error |
The agent data model on the frontend side:
os · pid · cwd · host · user · admin · loggedIn · frozen ·
lastSeen · dateCreated · downloadsCount
Keyword density in the bundle: agent × 69, Listener × 57, rat × 48, session × 42, task/Task × 72, c2/C2 × 40, Payload × 7. Auth is token-based via Socket.IO handshake (auth:{token:J}).
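The same two fingerprints can be checked mechanically. The function below (an added example, not part of the original report or of Striker) scans a JavaScript bundle for the localStorage "striker" key and for the Socket.IO event names listed in the table above, and only calls it Striker when both markers are present. The sample bundle text is constructed for the demo, not the real index.967cb510.js.

```python
import re

# Socket.IO event names the report lists as Striker C2's command protocol.
STRIKER_EVENTS = {
    "new_agent", "update_agent", "agent_deleted",
    "agent_console_input", "agent_console_output",
    "new_task", "update_task", "task_deleted", "releaseTask",
    "new_file", "file_updated", "file_deleted",
    "new_redirector", "redirector_deleted",
    "new_authkey", "authkey_updated", "authkey_deleted", "releaseAuthKey",
    "new_teamchat_message", "send_teamchat_message",
    "new_user", "user_deleted", "user_updated", "releaseUser",
    "new_log", "striker_error",
}

# localStorage.getItem/setItem/removeItem("striker") as it appears in minified JS.
LOCALSTORAGE_RE = re.compile(
    r'localStorage\.(getItem|setItem|removeItem)\(\s*["\']striker["\']')
# Socket.IO style .on("event", ...) / .emit("event", ...) registrations.
SOCKET_EVENT_RE = re.compile(r'\.(?:on|emit)\(\s*["\']([A-Za-z_]+)["\']')


def fingerprint_striker_bundle(js: str, min_events: int = 10) -> dict:
    """Score a JS bundle for Striker frontend markers; returns matches and a verdict."""
    storage_hits = sorted({m.group(1) for m in LOCALSTORAGE_RE.finditer(js)})
    events = {m.group(1) for m in SOCKET_EVENT_RE.finditer(js)}
    matched = sorted(events & STRIKER_EVENTS)
    # The storage key alone is weak evidence; require it plus a sizable slice of the protocol.
    verdict = bool(storage_hits) and len(matched) >= min_events
    return {"localstorage": storage_hits, "events": matched, "is_striker": verdict}


# Constructed sample resembling a minified Svelte bundle (hypothetical, not the real file).
SAMPLE_BUNDLE = (
    'const J=localStorage.getItem("striker");'
    'S.on("new_agent",a=>{});S.on("update_agent",a=>{});S.on("agent_deleted",a=>{});'
    'S.on("agent_console_output",o=>{});S.emit("agent_console_input",{id:i,cmd:c});'
    'S.on("new_task",t=>{});S.on("update_task",t=>{});S.on("task_deleted",t=>{});'
    'S.on("new_log",l=>{L.push(l);L.length>250&&L.shift()});S.on("striker_error",e=>{});'
    'function out(){localStorage.removeItem("striker")}'
    'function login(t){localStorage.setItem("striker",t)}'
)

if __name__ == "__main__":
    print(fingerprint_striker_bundle(SAMPLE_BUNDLE))
```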
What this Striker deployment supports
Interactive agent console (real-time shell) · task assignment + tracking · file staging in both directions · proxy redirectors · multi-user with per-user auth keys · team chat for multiple operators on the same target. Enough to run hands-on-keyboard intrusions.
The Cover Domain — calipology.com ↔ calipology.co.uk
The SSL cert on port 443 of the Striker box covers calipology.com and www.calipology.com, issued by Sectigo DV R36 (valid 2025-06-16 → 2026-06-16). HTTPS traffic to that cert hits a 302 redirect straight to calipology.co.uk.
calipology.com (the cover)
| Field | Value |
|---|---|
| Registrar | GoDaddy |
| Created | 2025-06-16 (same day as the SSL cert) |
| Expires | 2026-06-16 |
| Nameservers | beth.ns.cloudflare.com, derek.ns.cloudflare.com |
| DNS A | 172.67.223.239, 104.21.4.11 (Cloudflare) |
| Shodan hostname | Points to 23.27.141.44 (our Striker box) |
Ten months old, registered the exact day the cert was issued, pointed at Cloudflare for passive DNS while the certificate was deployed directly on the C2 box. This is a textbook cert laundering pattern — buy a cheap domain, get a DV cert, deploy the cert on your C2 so scanners and defensive tooling see a legitimate-looking TLS endpoint.
calipology.co.uk (the redirect target)
| Field | Value |
|---|---|
| Registrar | Squarespace Domains LLC |
| Created | 2019-11-22 (six years older than the .com) |
| Expires | 2029-11-22 |
| Nameservers | sid.ns.cloudflare.com, zoe.ns.cloudflare.com (different CF account than the .com) |
| Website | WordPress ("Brake Caliper Refurbs"), LiteSpeed-backed, Yoast SEO Premium v19.1 |
| Forum | IPB (Invision Power Board) community at ipb.calipology.co.uk (77.74.194.251) |
| Forum admin | "Daniel" — admin@calipology.co.uk |
| MX | Zoho EU |
| SPF | Includes zoho.eu, google.com, mithrilnetwork.com |
The .co.uk predates the .com by six years and has a legitimate-looking small-business footprint: active WordPress site, IPB community forum, Zoho email. The two domains share neither Cloudflare account nor nameserver pair, which leaves two readings for the relationship:
- Same owner. "Daniel" runs both the brake caliper business and the GeorgeGinx C2 operation, and the .com was registered to paper a cert over the C2 box.
- Impersonation. A separate actor registered calipology.com specifically to get a Sectigo DV cert in the legit business's name, then pointed HTTPS redirects at the real site as additional cover.
Either way, defenders should treat calipology.com as actor infrastructure and treat calipology.co.uk as a pivot worth contacting for notification. We're not going to publicly name Daniel; we'll reach out through the forum channel.
The variety of CAs issuing certs for calipology.com over a short period (Sectigo, Google Trust Services, and GoDaddy certs all in 2025-2026) also suggests the operator has been testing different hosting / cert chains, which is another behavior pattern worth noting.
The Attribution Gift — @georgeknowsit
The GeorgeGinx Panel at 23.27.141.46:8080 renders a dark-mode Flask login page. The HTML contains, in plain text:
Telegram: @georgeknowsit
https://t.me/georgeknowsit
Display name: "Geroge knows"
That is the operator advertising themselves on their own C2 panel's unauthenticated login page. The display name Geroge knows is the operator's own misspelling of "George knows" — not a typo we introduced. It's useful because it makes the username pivotable across handles where someone has re-used the same misspelling on other platforms.
We could not find a matching public GitHub or X account for georgeknowsit or GeorgeGinx, and there are no prior CTI references to either string that we could turn up. The Telegram handle is the strongest attribution anchor we have for this cluster.
Operator Profile
Failures:
- Telegram handle embedded in C2 panel HTML — hand-delivered attribution
- Misspelled display name as a cross-platform pivot
- Both C2 boxes on the same /24 — correlation-trivial
- Python SimpleHTTP with directory listing enabled on /assets/ for the Striker frontend — lets anyone inventory the compiled bundle
- Default Apache + nginx welcome pages left on web ports — fingerprint aid
- No CDN / proxy in front of C2 — direct IP exposure
- mod_status enabled (just IP-restricted), not disabled — low-effort hardening
Competencies:
- Running two distinct C2 frameworks in parallel (Striker + bespoke Flask panel) — comfortable with more than one tool
- Custom Go backend on port 1337 — can write their own stuff, not pure script kiddie
- Custom DNS server on 46 — possible DNS tunneling capability
- Obtained legitimate Sectigo cert for cover domain — knows how cert laundering works
- Applied a "Trading Bots Management" cover title — thought about what a passing researcher would see
Net-net: intermediate-level solo or small-team operator, probably running hands-on-keyboard intrusions given the interactive-console capability in Striker, with enough dev chops to write a custom panel but not enough OPSEC discipline to scrub a Telegram handle from their own login page. The Telegram contact link suggests they may be offering services or tools to others — potentially an access broker or tooling shop, not just an end-user of commodity C2.
Neighbors in the /24 Worth Noting
| IP | Notes |
|---|---|
| 23.27.141.38 | 3X-UI panel — a Chinese-language Xray-core management interface on port 10000. Could be related, could be another Evoxt tenant. Worth watching. |
| 23.27.141.43 | Windows RDP + WinRM exposed (3389, 5985). Standard Evoxt Windows tenant footprint. |
The 3X-UI presence on .38 is the one I'd flag — 3X-UI is a common management panel for Xray-core circumvention proxies, and the combination of a GeorgeGinx C2 two IPs over from a Chinese Xray panel is suggestive without being proof. Not enough for attribution, but worth a hunting note.
Detection & Hunting
Network
- Block 23.27.141.44 and 23.27.141.46 at the perimeter.
- Block calipology.com at DNS sinkhole.
- Alert on outbound WebSocket connections to unusual ports 3003/3004 — that pair is the Striker C2 backend + frontend split.
- Alert on HTTP traffic containing "striker" in localStorage or Socket.IO handshake fields.
- Monitor for TLS connections where the certificate subject is CN=calipology.com.
Hunting queries
```
# Generic
dst_ip IN (23.27.141.44, 23.27.141.46) AND dst_port IN (3003, 3004, 1337, 8080)

# DNS
query CONTAINS "calipology.com"

# HTTP
uri CONTAINS "socket.io" AND dst_port IN (3003, 3004)

# TLS
certificate.subject.CN == "calipology.com"
```
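The four hunting queries above, implemented as a small rule set over normalized log records (an added example, not part of the original report). The DNS rule is tightened from CONTAINS to an exact-domain-or-subdomain match so that unrelated names embedding the string do not fire; the legitimate calipology.co.uk must not match either. Field names (dst_ip, dst_port, query, uri, tls_subject_cn) and the sample records are constructed for the demo.

```python
from typing import Dict, Iterable, List, Tuple

# Indicators from the report.
C2_IPS = {"23.27.141.44", "23.27.141.46"}
C2_PORTS = {3003, 3004, 1337, 8080}
STRIKER_PORTS = {3003, 3004}            # Socket.IO backend + panel frontend
COVER_DOMAIN = "calipology.com"


def match_record(rec: Dict) -> List[str]:
    """Return the names of the hunting rules that a single normalized log record triggers."""
    hits = []
    # Generic: traffic to either C2 box on a known C2 port.
    if rec.get("dst_ip") in C2_IPS and rec.get("dst_port") in C2_PORTS:
        hits.append("generic_c2_ip_port")
    # DNS: the cover domain or any label under it (stricter than CONTAINS).
    q = (rec.get("query") or "").lower().rstrip(".")
    if q == COVER_DOMAIN or q.endswith("." + COVER_DOMAIN):
        hits.append("dns_cover_domain")
    # HTTP: Socket.IO handshake to the Striker port pair.
    if "socket.io" in (rec.get("uri") or "") and rec.get("dst_port") in STRIKER_PORTS:
        hits.append("http_striker_socketio")
    # TLS: the laundered DV certificate's subject CN.
    if (rec.get("tls_subject_cn") or "").lower() == COVER_DOMAIN:
        hits.append("tls_cover_cert")
    return hits


def hunt(records: Iterable[Dict]) -> List[Tuple[int, List[str]]]:
    """Run every rule over a record stream; return (record index, rule names) for each hit."""
    out = []
    for i, rec in enumerate(records):
        hits = match_record(rec)
        if hits:
            out.append((i, hits))
    return out


# Constructed sample records (hypothetical internal hosts; the dst values are the report's IOCs).
SAMPLE_LOGS = [
    {"src_ip": "10.0.5.23", "dst_ip": "23.27.141.44", "dst_port": 3003,
     "uri": "/socket.io/?EIO=4&transport=websocket"},
    {"src_ip": "10.0.5.23", "query": "calipology.com"},
    {"src_ip": "10.0.7.9", "dst_ip": "23.27.141.46", "dst_port": 1337},
    {"src_ip": "10.0.7.9", "dst_ip": "23.27.141.44", "dst_port": 443, "tls_subject_cn": "calipology.com"},
    {"src_ip": "10.0.9.1", "dst_ip": "93.184.216.34", "dst_port": 443, "tls_subject_cn": "example.com"},
    {"src_ip": "10.0.9.1", "query": "calipology.co.uk"},   # the legit business; must not fire
]

if __name__ == "__main__":
    for idx, rules in hunt(SAMPLE_LOGS):
        print(idx, SAMPLE_LOGS[idx].get("src_ip"), rules)
```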
SSH host keys (23.27.141.44)
ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHxsvnrA+lrMPT52uv47t7/Y/NNivlOp23db1FbcyeTK
ecdsa-p256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPFVHdXv20rFdRZen9Wftc/zfcXZmWhQwl6Pv09Lj2P6LVfTumRGo77iDOQHRmzXVdg1TJkIGOuNc8mgKx5mxtw=
If either key re-appears on another IP, that's sister infrastructure.
MITRE ATT&CK
T1583.003 · T1583.001 · T1587.001 · T1588.002 · T1071.001 · T1573.002 · T1090 · T1059 · T1041 · T1105 · T1036.005 · T1036.004
IOCs
Infrastructure
23.27.141.44 Striker C2 server
23.27.141.44:3003 Socket.IO backend
23.27.141.44:3004 Striker panel ("Trading Bots Management")
23.27.141.46 GeorgeGinx Panel server
23.27.141.46:8080 Flask login ("/login", "/login_auth")
23.27.141.46:1337 Go backend
23.27.141.46:53/udp Custom DNS daemon
calipology.com Cover domain for TLS cert
Operator identifiers
GeorgeGinx C2 brand
@georgeknowsit Telegram handle
Geroge knows Telegram display name (typo)
admin@calipology.co.uk Forum admin email — possible overlap (LOW confidence)
Daniel IPB forum admin name — possible overlap (LOW confidence)
TLS cert
Subject: CN=calipology.com
Issuer: Sectigo Public Server Authentication CA DV R36
Valid: 2025-06-16 to 2026-06-16
SANs: calipology.com, www.calipology.com
Confidence
| Finding | Confidence |
|---|---|
| 23.27.141.44 is a Striker C2 | HIGH — localStorage key + full Socket.IO event catalog in the JS bundle |
| 23.27.141.46 is operated by the same actor | HIGH — same /24, same Evoxt tenant footprint, shared operator branding |
| Operator is @georgeknowsit on Telegram | HIGH — embedded in the panel's own login HTML |
| calipology.com is operator-controlled | HIGH — registered same day as the Sectigo cert deployed on the C2 |
| calipology.co.uk is the same owner | MEDIUM — either same operator or impersonation of a legit UK business |
| "Daniel" is the operator | LOW — possible but not confirmed |
GHOST — Breakglass Intelligence "One indicator. Total infrastructure."