
HexReaper Left Their Username in the C2 URL: Inside a GitHub Gist Dead-Drop That Exposed Every Server They Ever Used

Kortex RAT — a Node.js implant with V8 bytecode obfuscation, GitHub Actions builds, and a Gist that became a flight recorder

Published April 1, 2026
Tags: rat, nodejs, github, dead-drop, ukraine, senko-digital, bulletproof-hosting

A GitHub Gist. A filename called gistfile1.txt. A description that was just keyboard mash -- "sdjkmfmsmjefoaeo." Inside: a single line of text pointing to a WebSocket server in the Republic of Georgia. And at the top of the URL, in plain sight, the operator's username: HexReaper.

That's the dead-drop C2 resolver for Kortex -- a custom Node.js RAT targeting Ukrainian users through trojanized creative software installers, backed by a 12,800-IP bulletproof hosting operation registered in Batumi, Georgia. The operator built a purpose-engineered remote access tool with V8 bytecode obfuscation, compiled it through GitHub Actions CI/CD, hid the C2 address behind a GitHub Gist that could be updated without recompiling the payload -- and then put their username at the top of the only URL the malware ever calls home to.

This is the story of how one OPSEC failure cascaded into total infrastructure exposure.

The Sample

On March 31, a trojanized MSI installer for Element 3D 2.2.3 -- a widely-used 3D rendering plugin for Adobe After Effects -- appeared on MalwareBazaar. The file was 17.2 MB, built with WiX Toolset 4.0.1.0, and timestamped to March 30, 2026 at 06:01 UTC. It looked like pirated software. It was.

But the MSI's internal product name wasn't "Element 3D." It was "System Service." Version 1.0.37.

When executed, the installer writes two files to %LOCALAPPDATA%\SystemService_8436\:

  1. svchost.exe -- a 47 MB executable. Not Windows' svchost. A Node.js 18.5.0 runtime packed with Vercel's pkg compiler, containing a V8 bytecode-compiled JavaScript payload.

  2. junk.dat -- 215 MB of nothing. Pure padding. Its only purpose is to inflate the total installation size past the file-size thresholds that automated sandbox environments use to decide what's worth analyzing. Many sandboxes won't detonate a 260 MB package. The operator knows this.

A CustomAction in the MSI fires immediately after installation completes:

cmd.exe /c start /b svchost.exe

No persistence mechanism beyond the initial install. No scheduled task. No registry key. The malware trusts that the user won't look in their %LOCALAPPDATA% directory and find a folder called SystemService_8436 running a process named after a Windows system binary.

The Dead-Drop

When Kortex starts, it doesn't connect directly to a C2 server. It makes a single HTTPS GET request:

hxxps://gist[.]githubusercontent[.]com/HexReaper/eec6869214d2b4e12bd606529128f8c2/raw/gistfile1.txt

The response, as of March 29, 2026:

ws://2[.]27[.]28[.]167:6062

This is a dead-drop resolver -- a technique catalogued as MITRE ATT&CK T1102.001. The malware doesn't need to know where its C2 is at compile time. It asks GitHub. If the operator needs to rotate infrastructure, they edit the Gist. Every infected machine picks up the new address on its next check-in. No recompilation, no redistribution, no burned samples.

It's a sound operational pattern. Threat actors from APT groups to commodity malware operators use dead-drops on legitimate platforms -- Pastebin, Telegram, Google Docs -- specifically because the initial beacon blends into normal HTTPS traffic to a trusted domain. GitHub Gists are particularly effective: encrypted in transit, hosted on infrastructure that no corporate firewall blocks, and updateable through a simple API call.

There's just one problem.

The Username Problem

GitHub Gist URLs contain the account name of the creator. Every time Kortex phones home, it announces who built the dead-drop:

gist.githubusercontent.com/HexReaper/...

The operator could have created a throwaway account with a random string for a username. They could have used GitHub's API to create the Gist under an organization. They could have proxied through a redirect service. Instead, they used an account they've maintained since June 4, 2022 -- GitHub ID 106869807, username HexReaper.

But the Gist URL isn't even the worst part. The worst part is the revision history.

Every C2 They've Ever Used

GitHub Gists are Git repositories. Every edit creates a commit. Every commit is accessible through the API. The revision history of HexReaper's dead-drop Gist contains the complete operational timeline of the Kortex campaign:

Date             | C2 Address                | Provider
January 10, 2026 | ws://83.217.208[.]72:6062 | DGTLS-MNT (bulletproof hosting)
January 10, 2026 | ws://144.31.84[.]211:6062 | Senko Digital LLC
January 13, 2026 | ws://83.217.208[.]72:6062 | DGTLS-MNT
March 29, 2026   | ws://2.27.28[.]167:6062   | Senko Digital LLC

Three IP addresses. Two hosting providers. Three months of operational history. All recoverable from a single API call to api.github.com/gists/eec6869214d2b4e12bd606529128f8c2/commits.

The January 10 entries are particularly revealing. The operator stood up the Gist pointing to DGTLS-MNT bulletproof hosting, rotated to Senko Digital the same day, then rotated back to DGTLS-MNT three days later. That back-and-forth suggests they were testing infrastructure -- spinning up servers, checking connectivity, and deciding which provider to settle on. They settled on both: DGTLS-MNT for the initial deployment, Senko Digital for the long term.

The dead-drop pattern was supposed to make infrastructure rotation invisible. Instead, the Gist became a flight recorder.

Inside the RAT

The svchost.exe payload is a 47 MB PE64 executable. The internal name is node.exe -- it's a Node.js 18.5.0 runtime with the application code baked in by Vercel's pkg compiler. The JavaScript source isn't shipped as plaintext; it's pre-compiled to V8 bytecode, which means static analysis tools that look for JavaScript strings won't find readable source code.

What they will find is a PDB path:

C:\Users\runneradmin\AppData\Local\Temp\pkg.24e0b2b2d51e47b9dba34c30\

runneradmin is the default Windows username on GitHub Actions runners. The operator doesn't build the malware on their own machine. They push code to a repository, and GitHub's CI/CD infrastructure compiles it for them. A free, disposable, attributable build environment -- attributable because the PDB path is baked into the binary and survives pkg compilation.

The V8 bytecode obfuscation and hex-number variable renaming (_0x488f68, _0x2c3e71) prevent clean decompilation, but the package.json embedded in the binary tells us everything about the RAT's capabilities:

Dependency         | Version | Purpose
ws                 | ^8.20.0 | WebSocket client -- the C2 channel
axios              | ^1.14.0 | HTTP client -- dead-drop resolver and file transfer
screenshot-desktop | ^1.15.3 | Desktop screenshot capture
adm-zip            | ^0.5.16 | Archive creation for staging exfiltration data
nedb               | ^1.8.0  | Embedded NoSQL database -- local data persistence
sqlite3            | ^5.1.7  | SQLite access -- likely browser data theft
express            | ^5.2.1  | HTTP server -- possibly a local reverse proxy or file receiver
rcedit (devDep)    | ^5.0.2  | Windows PE resource editor -- icon injection

The project is named kortex-client, with a display name of "Kortex Background Node." The rcedit dev dependency confirms the operator uses it to replace the default Node.js icon in the compiled binary with something less conspicuous before distribution.

The combination of screenshot-desktop, child_process (Node.js built-in), adm-zip, and sqlite3 gives Kortex a complete post-exploitation toolkit: capture the screen, execute arbitrary commands, compress and exfiltrate files, and harvest browser databases. The WebSocket protocol on port 6062 handles bidirectional command-and-control, with string analysis revealing command types including screenshot, spawn, exec, Shell, upload, download, and payload.
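As an added illustration of this triage (my own code, not the report's analysis tooling), the following pulls the two artifacts this section relies on out of a binary: the CodeView RSDS debug record that carries the PDB path, and the package.json blob that pkg embeds. The sample bytes are constructed to mirror the report's values, and the runneradmin check is the CI-build heuristic described above.

```python
import json
import re
import struct

# Constructed stand-in for a pkg-compiled node.exe (not bytes from the real sample):
# a CodeView "RSDS" record (signature, 16-byte GUID, 4-byte age, NUL-terminated PDB
# path) followed by an embedded package.json. Values mirror those in the report.
SAMPLE_BINARY = (
    b"MZ" + b"\x00" * 30 + b"RSDS" + bytes(range(16)) + struct.pack("<I", 1)
    + b"C:\\Users\\runneradmin\\AppData\\Local\\Temp\\pkg.24e0b2b2d51e47b9dba34c30\\\x00"
    + b'{"name":"kortex-client","version":"1.0.37",'
    + b'"dependencies":{"ws":"^8.20.0","axios":"^1.14.0","screenshot-desktop":"^1.15.3",'
    + b'"adm-zip":"^0.5.16","sqlite3":"^5.1.7"},"devDependencies":{"rcedit":"^5.0.2"}}'
    + b"\x00" * 8
)
CI_RUNNER_USERS = ("runneradmin",)  # default account on GitHub Actions Windows runners


def extract_pdb_paths(data: bytes) -> list:
    """Return every PDB path found in CodeView RSDS (PDB 7.0) debug records."""
    paths = []
    for m in re.finditer(b"RSDS", data):
        start = m.end() + 16 + 4           # skip the GUID and the age field
        end = data.find(b"\x00", start)
        if end > start:
            paths.append(data[start:end].decode("latin-1"))
    return paths


def extract_package_json(data: bytes):
    """Find a JSON object that starts with "name" and declares dependencies."""
    for m in re.finditer(rb'\{"name"\s*:', data):
        depth = 0
        for i in range(m.start(), len(data)):   # brace-balance to the object's end
            depth += (data[i] == 0x7B) - (data[i] == 0x7D)
            if depth == 0:
                try:
                    obj = json.loads(data[m.start():i + 1])
                except ValueError:
                    break
                if "dependencies" in obj:
                    return obj
                break
    return None


def triage(data: bytes) -> dict:
    """Summarise build-environment and capability artifacts of a pkg binary."""
    pdb_paths = extract_pdb_paths(data)
    pkg = extract_package_json(data) or {}
    deps = {**pkg.get("dependencies", {}), **pkg.get("devDependencies", {})}
    return {
        "pdb_paths": pdb_paths,
        "ci_build": any(u in p for u in CI_RUNNER_USERS for p in pdb_paths),
        "package_name": pkg.get("name"),
        "dependencies": deps,
    }
```

On a real sample, pass the file's bytes to triage(); the same scan works on any pkg-built binary, not just this one.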

The Upload Form

When you visit the current C2 server at hxxp://2.27.28[.]167/ in a browser, you don't get a default nginx page. You get a file upload form.

One button. One label: "Загрузить" -- Russian for "Upload."

This is the exfiltration endpoint. The RAT captures screenshots, compresses files, and uploads them here via HTTP POST. The operator chose to build it as a simple HTML form served by nginx/1.18.0 on Ubuntu, presumably so they can also manually upload files through a browser. It's functional, minimal, and it confirms the operator's language: Russian.

The C2 server responds to HTTP GET requests on port 6062 with a simple OK -- a liveness check that the RAT likely uses before upgrading the connection to WebSocket.

Senko Digital: A 12,800-IP Bullet Factory

Two of the three C2 IPs belong to Senko Digital LLC, registered at 7 Zhiuli Shartava Avenue, Batumi, Georgia. The company operates AS213520 (SENKO-AS), with RIPE registration dating to January 2025 for the ASN and January 2026 for the organization record.

For a company with no visible customer base and no public service offerings, Senko Digital controls an extraordinary amount of address space. AS213520 announces 40 BGP routes spanning 12,800 IP addresses across seven /16 blocks:

  • 144.31.x.x -- 20 routes across scattered /23 and /24 allocations
  • 2.27.28-31.x -- 2 routes (/23 blocks)
  • 64.188.x.x -- 6 routes
  • 91.132.160-163.x -- 2 routes
  • 77.239.120-121.x -- 2 routes
  • 150.241.x.x -- 3 routes
  • 193.x.x.x -- 5 routes

The RIPE maintainer senko-mnt has cross-references with SBL-MNT (Spamhaus blocklist), mnt-lt-rolandas-1 (a Lithuanian entity), lir-us-acedatacenter-1-MNT (ACE Data Center, US), and ZAPPIE-MNT (Zappie Host). The Spamhaus maintainer reference alone is a red flag -- it indicates prior awareness of or interaction with Spamhaus, the internet's largest anti-abuse organization.

The infrastructure has all the hallmarks of bulletproof hosting:

  1. Jurisdiction: Georgia has minimal cybercrime enforcement cooperation with Western law enforcement.
  2. Speed of deployment: The 2.27.28.0/23 block was allocated on March 23, 2026. Six days later, the Kortex C2 was running on it. Fresh IPs, immediately weaponized.
  3. Certificate timeline: panel.senko[.]digital got its Let's Encrypt certificate on March 28 -- one day before the C2 rotation. translations.senko[.]digital was issued March 23, the same day the IP block was allocated. The infrastructure was purpose-built.
  4. Opacity: The main website is behind Cloudflare. panel.senko[.]digital has bot protection enabled. No pricing page, no customer portal, no legitimate hosting presence.
  5. Scale: 12,800 IPs for a company registered 14 months ago in a Georgian port city, with zero identifiable customers.

The third historical C2 IP -- 83.217.208[.]72 -- belongs to DGTLS-MNT / Partner Hosting LTD, a known bulletproof hosting operation. The operator started there in January, then migrated to Senko Digital. Whether Senko is an evolution of the same operation or a separate provider catering to the same clientele, the relationship is clear: HexReaper's infrastructure runs exclusively on BPH networks.

The OPSEC Cascade

What makes this case instructive isn't any single failure. It's how each one compounds the others:

  1. The GitHub username in the Gist URL links the dead-drop to a four-year-old account with potential additional activity.

  2. The Gist revision history exposes every C2 IP ever used, providing a complete infrastructure timeline that should have been a single ephemeral pointer.

  3. The package.json in the compiled binary reveals the project name ("kortex-client"), every dependency, and therefore every capability of the RAT.

  4. The PDB path (C:\Users\runneradmin\) confirms the build environment is GitHub Actions, meaning the source code lives in a GitHub repository -- potentially discoverable.

  5. The Russian upload form on the C2 root narrows the operator's likely nationality or language group.

  6. The shared hosting provider -- one Senko Digital IP in the January deployment and one in the March deployment -- definitively links the two as the same operator.

  7. The nginx version header (1.18.0) on an Ubuntu server tells us the exact OS version (Ubuntu 20.04 LTS ships nginx 1.18.0).

Each of these alone is minor. Together, they paint a complete picture: a Russian-speaking developer, building a custom RAT in Node.js, compiling through GitHub Actions, hosting on Georgian bulletproof infrastructure, and targeting Ukrainian users through pirated creative software. The dead-drop was the cleverest part of the design. The username in it was the dumbest.

The Ukraine Angle

Element 3D is a legitimate, paid plugin from Video Copilot used for 3D rendering in After Effects. It's popular among motion graphics artists and video editors. In Ukraine, where the creative industry has continued operating through wartime and pirated software carries less stigma than in Western markets, a free Element 3D installer is compelling bait.

The trojanized MSI was built on March 30 -- one day before it appeared on MalwareBazaar. This isn't a dusty sample from an old campaign. The operator is actively producing fresh lures. The v1.0.37 version number suggests at least 36 prior builds, though we cannot confirm whether those targeted different software or different regions.

Whether this is cybercrime or state-sponsored espionage wearing a cybercrime disguise is an open question. The infrastructure choices -- bulletproof hosting in Georgia, a Russian-language interface, Ukrainian-targeted lures -- are consistent with either. The RAT's capabilities (screenshots, shell access, file exfiltration, database access) serve both financially motivated theft and intelligence collection equally well.

Indicators of Compromise

Network Indicators

Type   | Value                                                                                           | Context
IP     | 2.27.28[.]167                                                                                   | Current C2 -- Senko Digital LLC (LIVE)
IP     | 144.31.84[.]211                                                                                 | Historical C2 -- Senko Digital LLC (rotated Jan 2026)
IP     | 83.217.208[.]72                                                                                 | Historical C2 -- DGTLS-MNT BPH (rotated Jan 2026)
Port   | 6062/tcp                                                                                        | WebSocket C2 port
URL    | hxxps://gist[.]githubusercontent[.]com/HexReaper/eec6869214d2b4e12bd606529128f8c2/raw/gistfile1.txt | Dead-drop C2 resolver
URL    | hxxp://2.27.28[.]167/                                                                           | Russian-language exfiltration upload form
URL    | hxxp://2.27.28[.]167:6062/?id=s-mndk0qmp-21b                                                    | WebSocket C2 callback
Domain | panel.senko[.]digital                                                                           | Operator management panel
Domain | translations.senko[.]digital                                                                    | Operator infrastructure
Domain | senko[.]digital                                                                                 | Hosting provider front
Domain | as213520[.]net                                                                                  | ASN looking glass / geofeed

File Indicators

Hash    | Value                                                            | File
SHA256  | 455bf1be7ee17e25e99054d04f83c512b1f4c886f3ce2868831b7c04d9635392 | Element 3D 2.2.3.msi
MD5     | 93f2395dfa98e1d06e5fa7335438dffe                                 | Element 3D 2.2.3.msi
SHA1    | 3d0851d1ab144cd688d3d880dce6e82af4f6005a                         | Element 3D 2.2.3.msi
SHA256  | bf3af0269374ac1312e4a478480678a8f5988a206e1f150fe54cd07e77fdf5a8 | svchost.exe (Kortex RAT)
MD5     | fc5fab9c04d9bdb81447e6539bad1f77                                 | svchost.exe (Kortex RAT)
Imphash | 4d0fb8dc9ee470058274f448bebbb85f                                 | svchost.exe

Host Indicators

Type                | Value
Install Path        | %LOCALAPPDATA%\SystemService_8436\
Process Name        | svchost.exe (47 MB, Node.js 18.5.0)
MSI Product Name    | System Service
MSI Product Version | 1.0.37
WiX Upgrade Code    | {9054E078-8F0D-435A-9A8C-7B7261229952}
WiX Product Code    | {FE8E87C3-3A2E-4970-9371-ECEF23F3C5BC}
PDB Path            | C:\Users\runneradmin\AppData\Local\Temp\pkg.24e0b2b2d51e47b9dba34c30\

MITRE ATT&CK

Tactic              | Technique                          | ID
Initial Access      | Supply Chain Compromise (Software) | T1195.002
Execution           | JavaScript Runtime (Node.js)       | T1059.007
Execution           | Windows Installer                  | T1218.007
Defense Evasion     | Masquerading (svchost.exe)         | T1036.005
Defense Evasion     | V8 Bytecode Obfuscation            | T1027.002
Command and Control | Dead Drop Resolver (GitHub Gist)   | T1102.001
Command and Control | WebSocket Protocol                 | T1071.001
Command and Control | Non-Standard Port (6062)           | T1571
Collection          | Screen Capture                     | T1113
Exfiltration        | HTTP Upload Form                   | T1041
Exfiltration        | Archive Collected Data             | T1560.001

Senko Digital LLC -- AS213520 BGP Routes (40 total, 12,800 IPs)

Full allocation list


Detection Guidance

For network defenders: Block all three C2 IPs and the dead-drop Gist URL. Monitor for outbound WebSocket connections to port 6062. Consider blocking AS213520 (Senko Digital) ranges entirely -- 12,800 IPs with no legitimate customer base and a Spamhaus maintainer cross-reference. Hunt for %LOCALAPPDATA%\SystemService_8436\ and any svchost.exe matching the SHA256 above.
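One way to turn the network guidance above into detection logic, as an added example that is not part of the report: it flags the dead-drop Gist fetch, any contact with the three C2 IPs, and, most usefully, the beacon sequence of a Gist fetch followed within minutes by a connection to port 6062 from the same host. The log records are constructed in a Zeek-like tab-separated shape (not captured traffic), and the severities and window are my own choices.

```python
from collections import defaultdict

GIST_PATH = "/HexReaper/eec6869214d2b4e12bd606529128f8c2/raw/"  # dead-drop from the report
KNOWN_C2 = {"2.27.28.167", "144.31.84.211", "83.217.208.72"}   # all three historical C2 IPs
C2_PORT = 6062
SEQUENCE_WINDOW = 300  # seconds allowed between the Gist fetch and the first C2 connect

# Constructed tab-separated records (ts, src, dst, dst_port, host, uri), in the spirit of
# a merged Zeek http/conn log; not captured traffic. 10.0.0.5 shows the Kortex beacon
# sequence, 10.0.0.9 fetches an unrelated Gist, 10.0.0.7 only touches port 6062.
SAMPLE_LOG = """\
1774800000.1\t10.0.0.5\t203.0.113.10\t443\tgist.githubusercontent.com\t/HexReaper/eec6869214d2b4e12bd606529128f8c2/raw/gistfile1.txt
1774800002.7\t10.0.0.5\t2.27.28.167\t6062\t-\t/?id=s-mndk0qmp-21b
1774800010.0\t10.0.0.9\t203.0.113.10\t443\tgist.githubusercontent.com\t/someuser/0123abcd/raw/notes.txt
1774800300.0\t10.0.0.9\t203.0.113.20\t443\tupdates.example\t/
1774801000.0\t10.0.0.7\t198.51.100.20\t6062\t-\t/
"""


def parse(log_text: str) -> list:
    """Turn the raw lines into dicts; ts as float, dst_port as int."""
    rows = []
    for line in log_text.splitlines():
        ts, src, dst, port, host, uri = line.split("\t")
        rows.append({"ts": float(ts), "src": src, "dst": dst,
                     "port": int(port), "host": host, "uri": uri})
    return rows


def detect(rows: list) -> list:
    """Return (severity, src, rule) alerts; the sequence rule correlates per source host."""
    alerts, fetches = [], defaultdict(list)
    for r in sorted(rows, key=lambda r: r["ts"]):
        if r["host"] == "gist.githubusercontent.com" and GIST_PATH in r["uri"]:
            alerts.append(("high", r["src"], "kortex_dead_drop_fetch"))
            fetches[r["src"]].append(r["ts"])
        if r["dst"] in KNOWN_C2:
            alerts.append(("high", r["src"], "kortex_known_c2"))
        if r["port"] == C2_PORT:
            recent = [t for t in fetches[r["src"]] if 0 <= r["ts"] - t <= SEQUENCE_WINDOW]
            if recent:
                alerts.append(("critical", r["src"], "kortex_beacon_sequence"))
            elif r["dst"] not in KNOWN_C2:
                alerts.append(("low", r["src"], "nonstandard_port_6062"))
    return alerts


def rules_for(alerts: list, src: str) -> set:
    """Set of rule names that fired for one source host."""
    return {rule for _, s, rule in alerts if s == src}
```

The sequence rule keeps firing after the operator rotates the C2 IP, because it keys on the Gist fetch plus the port rather than on the IP list.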

For threat intelligence teams: The Gist revision history is a monitoring goldmine. Automated polling of api.github.com/gists/eec6869214d2b4e12bd606529128f8c2/commits will reveal future C2 rotations in near-real-time -- before infected machines check in. Track Senko Digital's certificate issuances on crt.sh for infrastructure expansion. Monitor the HexReaper GitHub account for new repositories or gists.
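An added example, not the report's own tooling, of the Gist polling recommended above and of the revision walk behind the "Every C2 They've Ever Used" timeline: it lists the dead-drop Gist's commits, reads the content each revision advertised, and reports every rotation. The live functions use the GitHub REST API endpoints /gists/{id}/commits and /gists/{id}/{sha}; the sample responses, including their timestamps, are constructed to mirror the report's four revisions.

```python
import json
import re
import urllib.request

GIST_ID = "eec6869214d2b4e12bd606529128f8c2"   # the dead-drop Gist from the report
C2_RE = re.compile(r"wss?://(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")


def defang(ip: str) -> str:
    """Write 2.27.28.167 as 2.27.28[.]167 so output is safe to paste into a report."""
    head, tail = ip.rsplit(".", 1)
    return f"{head}[.]{tail}"


def fetch_json(url: str):
    """Live GitHub API fetch (needs network; unauthenticated rate limits apply)."""
    with urllib.request.urlopen(url, timeout=15) as resp:
        return json.load(resp)


def revision_timeline(commits: list, load_revision) -> list:
    """Map each revision to the C2 it advertised, oldest first; commits is the JSON
    array from /gists/{id}/commits and load_revision(sha) returns /gists/{id}/{sha}."""
    timeline = []
    for commit in sorted(commits, key=lambda c: c["committed_at"]):
        files = load_revision(commit["version"])["files"].values()
        m = C2_RE.search("".join(f.get("content", "") for f in files))
        c2 = f"{defang(m.group(1))}:{m.group(2)}" if m else None
        timeline.append((commit["committed_at"], c2))
    return timeline


def rotations(timeline: list) -> list:
    """(timestamp, old_c2, new_c2) for every revision that changed the address."""
    changes, prev = [], None
    for ts, c2 in timeline:
        if prev is not None and c2 != prev:
            changes.append((ts, prev, c2))
        prev = c2
    return changes


def live_timeline(gist_id: str = GIST_ID) -> list:
    """Poll the real Gist; schedule this to see rotations before infected hosts do."""
    base = f"https://api.github.com/gists/{gist_id}"
    return revision_timeline(fetch_json(f"{base}/commits"),
                             lambda sha: fetch_json(f"{base}/{sha}"))


# Constructed API responses mirroring the report's four revisions (not real API output).
SAMPLE_COMMITS = [{"version": "r1", "committed_at": "2026-01-10T09:00:00Z"},
                  {"version": "r2", "committed_at": "2026-01-10T15:00:00Z"},
                  {"version": "r3", "committed_at": "2026-01-13T11:00:00Z"},
                  {"version": "r4", "committed_at": "2026-03-29T18:00:00Z"}]
SAMPLE_CONTENT = {"r1": "ws://83.217.208.72:6062", "r2": "ws://144.31.84.211:6062",
                  "r3": "ws://83.217.208.72:6062", "r4": "ws://2.27.28.167:6062"}


def sample_revision(sha: str) -> dict:   # offline stand-in for load_revision
    return {"files": {"gistfile1.txt": {"content": SAMPLE_CONTENT[sha]}}}
```

Comparing the last entry of rotations() against the previously seen value on each poll is what turns this into an alert.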

For incident responders: The Kortex imphash (4d0fb8dc9ee470058274f448bebbb85f) and the WiX product codes are stable detection anchors. The v1.0.37 version number implies prior builds exist -- search for the upgrade code GUID to find older installations that may have been missed.


This investigation was triggered by a MalwareBazaar submission (credit: Szabolcs Schmidt, @smica83). Infrastructure mapping, OPSEC analysis, and the Senko Digital bulletproof hosting assessment were produced by Breakglass Intelligence's autonomous GHOST investigation system.

Breakglass Intelligence | March 31, 2026
