
From Roblox Cheats to Commercial Spyware: Tracking a Script Kiddie's Three-Year Evolution Into an Android RAT Vendor

Indonesian developer MRSt3Ss left 23 repos public including the complete C2 source code

Published April 2, 2026
Tags: android-rat, ghostshell, spyware, indonesian-operator, first-report

A 23-repository GitHub profile. Three years of public commit history. A progression from Roblox game exploits to credential stuffing tools to PHP webshells to a fully commercialized Android spyware platform with tiered subscriptions, a reseller program, and 11-language localization. Every step documented, in real time, by the developer himself.

This is the story of GhostShell RAT -- a previously unreported Android spyware-as-a-service operation built by an Indonesian developer who left his entire career trajectory on the public internet. Until today, this platform had zero detections across VirusTotal, ThreatFox, URLhaus, and MalwareBazaar.

It Started With a Tip

On March 30, security researcher @Fact_Finder03 flagged an IP address on X. Behind it sat a polished React-based panel on a Contabo VPS in Germany -- dark theme, hCaptcha-protected login, routes for /devices, /builder, /reseller, and /admin. The kind of interface that immediately signals something purpose-built.

The backend API at 167.86.74[.]28 was returning 502 errors -- the Flask service had crashed or been stopped. But the frontend was still serving normally, and React single-page applications have a habit of telling you everything about themselves if you read the JavaScript carefully.

So we read the JavaScript.

565,625 Bytes of Intent

The panel's main bundle -- index-DXpl66-a.js, 565KB of minified React -- contained the complete client-side logic for operating a commercial Android spyware platform. Not a simple RAT panel with a device list and a command button. A business.

The routing structure told the story immediately:

  • /devices -- List compromised Android devices with online/offline status
  • /devices/:deviceId -- Individual device control: SMS, calls, contacts, keylogger, credentials, camera, screen, file manager
  • /builder -- Generate custom APK payloads with configurable app names, package names, and C2 callbacks
  • /reseller -- Create and manage sub-users with device and build limits
  • /admin -- Global statistics, user management, system overview

The API endpoints backed this up: 25+ routes covering authentication, device management, command dispatch, APK building, and reseller operations. All authenticated via JWT Bearer tokens. All pointed at server.ghostshellrat[.]net as the default C2 callback.

But the panel was just the storefront. The real intelligence was on GitHub.

The Developer Who Documented Everything

The domain ghostshellrat[.]net was registered January 11, 2026, through Njalla -- a privacy-conscious registrar popular with threat actors. WHOIS returned a Saint Kitts and Nevis address, standard Njalla proxy. A dead end by itself.

The panel's source code, however, contained a breadcrumb that Njalla couldn't hide: the alias MRSt3Ss, embedded in repository names referenced throughout the codebase. A GitHub search returned a profile with 23 public repositories -- and a commit history that reads like a curriculum vitae for cybercrime.

February 2023: The Beginning

Account created. First repositories: premium and update-premium1. Python scripts for license key validation. Nothing malicious on their own -- the kind of thing a teenager writes to gate access to a Discord bot or a game tool.

December 2024: First Contact With Offensive Tooling

BonsDork appears. A credential stuffing framework built around Google dork automation. The developer is learning to find exposed credentials and vulnerable login pages at scale. The tools are crude but functional.

August-October 2025: The Roblox Phase

A burst of activity: sc, BonsHub, BonsHub2, roblox. Lua scripts for Roblox exploitation. Repositories named indohang and indohangout -- Indonesian slang, a geographic fingerprint baked directly into the project names. This is a teenager making game cheats. Unremarkable on its own. Thousands of kids do this.

What makes it remarkable is what comes next.

January 2026: The Pivot

In a single month, MRSt3Ss registers ghostshellrat[.]net, uploads a repository called rce containing 10+ PHP webshells (alfa, anonsec, simpeshell, and others), and begins work on the first version of GhostShell RAT. The jump from Roblox exploits to webshells and Android spyware happens in under 90 days.

February 2026: Rapid Iteration

The commit history for February is frantic. Eight repositories in rapid succession: rat1, rat2, rat10, GhostRat, GhostRat2, ghostshell10, ratfix, newrat. The developer is building, breaking, and rebuilding the RAT's server-side component in real time, each iteration adding capabilities. The v1 repository (GhostshellRat) starts as a Flask-based notification stealer. By v2 (ghostshellRAt.v.2), it's a full C2 platform with buyer licensing, device management, and a TCP socket protocol.

March 2026: Going Commercial

A keysystem repository appears -- license key infrastructure for selling access. By mid-March, the production React panel is deployed to the Contabo VPS. The certificates renew on March 11. The business is open.

Three years. From game cheats to commercial spyware. Every commit public.

What GhostShell RAT Actually Does

This isn't a toy. The device control panel exposes 18+ remote commands organized into modules that cover every surveillance use case an operator -- or a stalker -- could want.

Credential Theft: Harvests browser passwords, lock screen PINs, CVV numbers, and SSNs via keylogger and clipboard monitoring. Credentials are captured passively and on demand.

Full Device Surveillance: SMS logs, call logs, contact lists, app inventory, notification capture, live location tracking with Leaflet map integration, gallery browsing, and camera image capture.

Remote Control: hVNC-style live screen streaming with touch input injection (tap, swipe, text input). The operator can interact with the victim's device in real time while the victim sees nothing -- a "black screen" mode hides all activity by overlaying an opaque layer on the device display.

File Management: Full filesystem access. List directories, read files, write files, delete files, move files, create directories, check storage capacity.

Crypto Clipper: A clipboard hijacker supporting 10 cryptocurrencies -- BTC, ETH, TRC20 (USDT), LTC, DOGE, XMR, XRP, SOL, BNB, and ADA. When a victim copies a wallet address, the clipper silently replaces it with the operator's address. The feature is optional, configured at build time in the APK builder.

The APK builder itself is configurable: custom app name (default: "System Service"), custom package name, C2 host and port, options to hide the app from the launcher after first launch, request Device Administrator privileges, enable accessibility services for keylogging and auto-permission granting, and embed the crypto clipper with operator wallet addresses.

The Subscription Model

GhostShell isn't a one-off tool sold on a forum. It's a tiered SaaS platform.

Tier       | Max Devices | Max APK Builds
Free       | 5           | 3
Basic      | 25          | 10
Pro        | 100         | 50
Unlimited  | 999,999     | 999,999

The free tier at 5 devices and 3 builds isn't a demo -- it's a stalkerware on-ramp. Five devices is exactly the right number for an abusive partner monitoring a spouse's phone plus a few family members. The design choice is deliberate.

The reseller system adds another layer. Resellers can create sub-users with configurable limits -- default 10 users, 5 devices each, 3 builds each. This is a franchise model. MRSt3Ss doesn't just sell spyware; he sells the ability to sell spyware.

11 Languages, One Objective

The panel ships with localization for English, Spanish, French, German, Turkish, Portuguese, Korean, Chinese, Hindi, Arabic, and Russian. This isn't a developer adding a few translations for fun. This is market segmentation. The language list covers every major cybercrime market on the planet -- from Turkish underground forums to Russian-speaking Telegram channels to Southeast Asian fraud operations.

Combined with the tiered pricing and reseller system, the picture is clear: GhostShell RAT is a business, built for global distribution.

The Indonesian Health Department

Buried in the rce repository -- the webshell collection uploaded in January 2026 -- sits a file called fix.py. Its default path is /home/dinkes.

"Dinkes" is short for Dinas Kesehatan -- the Indonesian Health Department.

This isn't a test path or a placeholder. It's a reference to an actual compromised government server. The developer was using the webshells in his own repository against Indonesian public health infrastructure, and he hard-coded the evidence into the tool itself.

Given that the webshell collection includes alfa shell, anonsec, simpeshell, and several others -- all capable of full server takeover -- the implication is that MRSt3Ss had shell access to a government health department system and was using it as a development or staging environment for his tools.

OPSEC: A Case Study in What Not to Do

The investigation required no exploitation, no credential guessing, no social engineering. Everything was public.

23 public repositories containing complete C2 source code, webshells, credential stuffing tools, and Roblox exploits. Hardcoded admin credentials: username ghostshell, password ghostshell10. A Flask secret key of GHOSTSHELL_SECRET_KEY_999. Another secret key, ganti-ini-sesuka-hati, which is Indonesian for "change this as you please" -- apparently he never did.

Code comments in Indonesian throughout: "Halaman dashboard" (dashboard page), "Ambil semua notifikasi" (get all notifications), "Penyimpanan notifikasi" (notification storage). Repository names like contoh (Indonesian for "example"). Roblox scripts named indohang and indohangout.

The v1 GhostShell RAT had deployment references to Railway.app -- a free hosting platform that logs user metadata. The same alias was used across every project, from the 2023 license key tools through the 2026 Android RAT. Three years of activity, one identity, zero compartmentalization.

This actor's entire development career is a forensic timeline laid out in chronological order, freely accessible to anyone who searches GitHub for "GhostshellRat."

The C2 Protocol

For the technically inclined: GhostShell's C2 communication runs over raw TCP sockets on port 8888 (configurable to 8080), using newline-delimited JSON. File transfers are chunked and Base64-encoded. The protocol supports 11 message types from client to server -- DEVICE_INFO, SMS_LOG, CALL_LOG, CONTACT_LIST, APP_LIST, NOTIFICATION_DATA, FILE_MANAGER_RESULT, LOCATION_SUCCESS, RECORD_STATUS, GALLERY_PAGE_DATA, and CAMERA_IMAGE_END.

The architecture is straightforward:

Android APK  --TCP:8888-->  Python/Flask Server  --HTTP API-->  React Panel
  (victim)                    (raw TCP socket)                   (operator)

Buyer validation uses a UID + HWID lock -- the license binds to the first hardware ID that activates it, with a time-limited expiry. The database schema is minimal: a single buyers table with uid, locked_hwid, and expiry_date fields. Simple, functional, and consistent with a one-person operation.
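A defender-side parser for the protocol described above, added here as an example and not code from the report or from the GhostShell project: it splits a captured TCP stream into newline-delimited JSON, flags lines whose type is one of the 11 listed client-to-server message types, and heuristically marks a long Base64 string value as a possible chunked file transfer. The `type` field name, the FILE_CHUNK and HEARTBEAT names, and every sample value are assumptions constructed for the example.

```python
import base64
import json
import re
# The 11 client-to-server message types the report lists for GhostShell RAT.
GHOSTSHELL_TYPES = frozenset({
    "DEVICE_INFO", "SMS_LOG", "CALL_LOG", "CONTACT_LIST", "APP_LIST",
    "NOTIFICATION_DATA", "FILE_MANAGER_RESULT", "LOCATION_SUCCESS",
    "RECORD_STATUS", "GALLERY_PAGE_DATA", "CAMERA_IMAGE_END",
})
# Heuristic for a chunked file transfer: one long unbroken Base64 string value.
B64_CHUNK_RE = re.compile(r"^[A-Za-z0-9+/]{64,}={0,2}$")

def scan_stream(payload: bytes):
    """Split a captured TCP payload on newlines (newline-delimited JSON) and classify
    each line as (line_no, verdict, message_type). The "type" key is an assumption."""
    findings = []
    for line_no, raw in enumerate(payload.split(b"\n"), start=1):
        line = raw.strip()
        if not line:
            continue
        try:
            msg = json.loads(line)
        except ValueError:
            findings.append((line_no, "not-json", None))
            continue
        if not isinstance(msg, dict):
            findings.append((line_no, "json-not-object", None))
            continue
        mtype = msg.get("type")
        if isinstance(mtype, str) and mtype in GHOSTSHELL_TYPES:
            verdict = "ghostshell-message"
        elif any(isinstance(v, str) and B64_CHUNK_RE.match(v) for v in msg.values()):
            verdict = "possible-b64-file-chunk"
        else:
            verdict = "unknown-json"
        findings.append((line_no, verdict, mtype))
    return findings

def should_alert(findings):
    """Alert when at least one line carries a known GhostShell message type."""
    return any(verdict == "ghostshell-message" for _, verdict, _ in findings)

# Constructed sample stream: all values are invented, not captured GhostShell traffic.
SAMPLE_STREAM = b"\n".join([
    json.dumps({"type": "DEVICE_INFO", "model": "Pixel 6", "android": "13"}).encode(),
    json.dumps({"type": "SMS_LOG", "entries": [{"from": "+15550000000", "body": "code 4821"}]}).encode(),
    json.dumps({"type": "FILE_CHUNK", "name": "IMG_001.jpg", "data": base64.b64encode(b"constructed image bytes" * 4).decode()}).encode(),
    b"not json at all",
    json.dumps({"type": "HEARTBEAT"}).encode(),
]) + b"\n"
```

Running `scan_stream(SAMPLE_STREAM)` yields two ghostshell-message hits, one possible file chunk, one non-JSON line and one unknown JSON line, and `should_alert` returns True.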

The Intelligence Gap

GhostShell RAT has zero prior coverage. We checked ThreatFox, MalwareBazaar, URLhaus, VirusTotal, and every public threat intelligence feed we could find. Nothing. No IOCs submitted, no samples uploaded, no community discussions, no vendor reports. A commercial Android spyware platform with a functioning subscription model, a reseller network, 11-language localization, and 18+ remote control capabilities -- and not a single report existed before this investigation.

The domain was registered in January 2026. The infrastructure has been active for nearly three months. Certificates were renewed on March 11. This platform has been operational and maintained, and the entire threat intelligence community missed it.

Indicators of Compromise

Network Infrastructure

IOC                          | Type   | Context
167.86.74[.]28               | IPv4   | C2 server (Contabo GmbH, Germany)
ghostshellrat[.]net          | Domain | C2 domain (Njalla privacy registrar)
server[.]ghostshellrat[.]net | Domain | Default APK C2 callback

Behavioral Indicators

Indicator           | Value
Default app name    | "System Service"
Default C2 callback | server.ghostshellrat[.]net:8080
Alternative C2 port | 8888 (TCP)
Protocol            | Newline-delimited JSON over TCP
SQLite database     | ghostshell.db
Data directories    | captured_images/, device_downloads/, screen_recordings/

Attribution

Indicator             | Value
GitHub profile        | hxxps://github[.]com/MRSt3Ss (23 public repos)
Key repositories      | GhostshellRat, ghostshellRAt.v.2, rce, keysystem
Hardcoded credentials | ghostshell / ghostshell10

What Happens Next

This report has been shared with Contabo (hosting provider), Tucows/Njalla (domain registrar), GitHub (malware distribution), and ID-CERT (Indonesian government compromise evidence). IOCs have been submitted to ThreatFox, MalwareBazaar, and URLhaus.

The LE certificate for server.ghostshellrat[.]net expires April 11, 2026. Whether MRSt3Ss renews it or migrates will tell us whether this report reaches him. Given that his entire operational history is on a public GitHub profile under a consistent alias, and his admin password is literally the name of his product with "10" appended -- our bet is that operational security improvements aren't his strong suit.

Three years ago, this was a kid making Roblox cheats. Today, it's a commercial spyware vendor selling Android surveillance tools to a global customer base. The tools got more dangerous. The OPSEC never improved. And every step of the journey is still sitting on GitHub, public, timestamped, and waiting to be read.


This investigation was triggered by a tip from @Fact_Finder03. Infrastructure analysis and attribution were produced by Breakglass Intelligence's autonomous GHOST investigation system. All evidence was captured via passive and semi-passive methods -- no systems were accessed, no credentials were used, no vulnerabilities were exploited.

Breakglass Intelligence | April 2026
