Hunting SmokeLoader's "InsureFlow Pro": Unmasking a Dual-Family C2 Operation with Raft Protocol Obfuscation
TL;DR
We identified and mapped a live SmokeLoader and Fuery botnet operation run by a single operator ("ingermany") using a custom Flask-based C2 panel disguised as an insurance SaaS application. The operator deploys a novel code obfuscation technique that abuses Raft consensus protocol type names in Go binaries -- a pattern not previously documented in public malware research. Infrastructure pivoting through stale TLS certificates, shared cPanel hosting history, and SOA record OPSEC failures linked seven domains, three active C2 endpoints, and a Fuery "Monkey" panel sharing a /24 subnet with known Phorpiex infrastructure on bulletproof hosting.
Initial Lead: Sandbox Detonation
The investigation began with two MalwareBazaar samples uploaded on 2026-03-05:
| Sample | Family | SHA256 | Triage Score |
|---|---|---|---|
| SmokeLoader | PE32+ (x86-64), Go 1.20.1 | bac70244b93a4a92b9d633415435cd81e8643ecd20b52b962b369ceaaddc3958 | 7/10 |
| Fuery | PE32 (x86), Go 1.20.1 | 18e9a8bfad425d3ff9c0ab3d71e6890320166127b8bdf7460a7edd30f45be0ab | 10/10 |
Behavioral analysis from Triage sandbox (report 260305-sq9n7aa17m) revealed the SmokeLoader sample performing browser credential harvesting (T1555.003), email client data theft, cryptocurrency wallet access, and software/process enumeration (T1012). The network traffic told a more interesting story.
SmokeLoader C2 Protocol
The bot uses a split-function architecture across two non-standard high ports:
1. DNS resolution: ropea.top (NXDOMAIN, suspended), coox.live, baxe.pics
2. TCP beacon: 5 connections to coox.live:28313 (check-in, minimal data)
3. HTTP POST: multipart/form-data to baxe.pics:48261
- Requires "token" field (bot auth, encrypted in binary)
- Requires "file" field (stolen data payload)
- User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
- Outbound: 1,022,432 bytes (stolen data upload)
- Inbound: ~88,400 bytes (commands/config)
4. CRL check: c.pki.goog (Google PKI certificate validation)
The use of ports 28313 and 48261 is significant -- these fall outside the range of standard threat intel scanning, which typically covers ports up to 10000. Each IP serves exactly one function on its unique port; port 28313 is closed on baxe.pics, and port 48261 is closed on coox.live.
The "InsureFlow Pro" Panel: A Custom Flask C2
Live probing of coox.live (168.231.114.49) revealed a Python/Flask web application behind nginx/1.24.0 (Ubuntu), masquerading as a legitimate insurance data processing platform called "InsureFlow Pro."
This is not a known panel kit. Standard SmokeLoader panels are PHP-based. "InsureFlow Pro" has zero mentions across all major threat intelligence platforms, security blogs, and code repositories. The operator built this from scratch.
Panel Endpoint Map
GET / -> 200 Login page ("InsureFlow Pro", 25,091 bytes)
GET /admin -> 200 Dashboard (NO AUTHENTICATION REQUIRED)
GET /status -> 200 {"ai_system":"operational","database":"connected","version":"1.0.0"}
GET /healthz -> 200 Leaks internal file paths, DB status, template names
POST /upload -> 400 {"error":"No file provided in request"}
POST /api/auth/login -> 401 JSON credential auth (email + password)
GET /api/auth/verify -> 401 Token verification
The /admin dashboard is entirely cosmetic -- all statistics are hardcoded in JavaScript (1,247 files processed, 45,892 rows, 99.8% success rate). The "Clear Cache" and "Test System" buttons execute alert() calls. This is scaffolding designed to survive casual inspection by hosting provider abuse teams.
The /healthz endpoint leaks operational details without authentication:
- Database connection status (connected)
- Upload and output directory write permissions (both writable)
- Template files:
  - EBAO Motor Comprehensive Template.XLSX (1.32 MB)
  - Ebao TPL Template.XLSX (1.27 MB)
The /upload endpoint accepts only .xls/.xlsx files and crashes with a Python LogRecord attribute conflict:
{"error":"File processing failed: \"Attempt to overwrite 'filename' in LogRecord\""}
This bug reveals the upload processing code was never properly tested -- the cover story is hasty construction. The actual bot check-in operates on port 28313 via the token-authenticated multipart protocol observed in sandbox traffic, not through the panel's web interface.
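The leaked error string is the one Python's logging module raises when a caller passes a reserved LogRecord attribute through `extra=`. The following is an added reproduction written for this post, not the panel's code: `log_upload_buggy`, `handle_upload` and the "insureflow-repro" logger name are hypothetical, and the upload filename is a constructed sample.

```python
import logging

def reserved_record_attributes() -> set[str]:
    """Names that logging refuses to accept through extra=: every attribute of
    a freshly built LogRecord plus the two it fills in later."""
    probe = logging.LogRecord("probe", logging.INFO, __file__, 0, "", None, None)
    return set(vars(probe)) | {"message", "asctime"}

def log_upload_buggy(logger: logging.Logger, upload_name: str) -> None:
    # Hypothetical reconstruction: "filename" is a built-in LogRecord attribute
    # (the caller's source file), so Logger.makeRecord raises KeyError before
    # any handler runs.
    logger.info("processing upload", extra={"filename": upload_name})

def log_upload_fixed(logger: logging.Logger, upload_name: str) -> None:
    # Any key outside reserved_record_attributes() is accepted.
    logger.info("processing upload", extra={"upload_name": upload_name})

def render_error(exc: Exception) -> dict:
    # Mirrors the panel's observed envelope; str() of a KeyError is the repr of
    # its argument, which is why the leaked JSON carries nested double quotes.
    return {"error": f"File processing failed: {exc}"}

def handle_upload(upload_name: str, fixed: bool = False) -> dict:
    logger = logging.getLogger("insureflow-repro")
    logger.addHandler(logging.NullHandler())
    logger.setLevel(logging.INFO)
    try:
        (log_upload_fixed if fixed else log_upload_buggy)(logger, upload_name)
    except KeyError as exc:
        return render_error(exc)
    return {"status": "processed", "file": upload_name}

if __name__ == "__main__":
    # Constructed sample filename taken from the template names the panel leaks.
    print(handle_upload("EBAO Motor Comprehensive Template.XLSX"))
    print(handle_upload("EBAO Motor Comprehensive Template.XLSX", fixed=True))
```

The buggy path reproduces the exact string seen in the panel's 500 response, which confirms the crash comes from a logging call on the upload handler rather than from file parsing.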
Security Misconfigurations
The panel exhibits several OPSEC failures:
- Wildcard CORS: Reflects any Origin header, enabling cross-origin authenticated requests from arbitrary domains
- No rate limiting: Login endpoint allows unlimited brute-force attempts
- Stale TLS certificate: Default cert serves botmind-sa.com (Let's Encrypt E7, issued 2025-12-28), not coox.live -- exposing infrastructure lineage
- Stateless auth: JWT/token-based via localStorage, no server-side session management
- Gunicorn error disclosure: 431 errors leak gunicorn-specific error format
- ETag timing: Values are raw Unix timestamps ("1772798343.309762"), exposing server clock
Fuery C2: The "Monkey" Panel
The second sample revealed a completely separate C2 infrastructure for the Fuery malware family:
Primary C2: laf.oahgsfwklg.top (178.16.54.79)
- Stack: nginx + PHP 7.4.33 + Laravel (XSRF-TOKEN + laravel_session cookies)
- Panel name: "Monkey"
- TLS: Let's Encrypt E8, cert issued 2026-01-03
- Hosting: OMEGATECH LTD, Netherlands (AS209800), Seychelles entity
Fuery C2 Endpoints
The Fuery protocol uses single-letter POST endpoints returning base64-encoded encrypted blobs:
POST /t -> "KToMhmyPnQ==" (7 bytes: telemetry/heartbeat)
POST /s -> "IT0KlnyQmnCFk+BELR3gLzy1Iw==" (19 bytes: status/commands)
POST /c -> "PzcGkQ==" (4 bytes: command retrieval, POST-only)
POST /f -> "IQIgoUyB/nbltdQPGgU=" (file operations)
POST /v -> (empty: version/validation)
The Fuery bot downloads OpenSSL DLLs from its C2 for SMTP-based exfiltration:
| File | Size | OpenSSL Version | SHA256 |
|---|---|---|---|
| /fd/libeay32.dll | 1,177,088 bytes | 1.0.1g | fc17b65f6b4c6dc717b19d46a4a6a8ed68b982aaf9e25d4421ca223894166a13 |
| /fd/ssleay32.dll | 270,336 bytes | 1.0.1g | b4434b408409d36d8e0d0bcf41ad804d02fdee96bc7f8255105380bfcec0d1f5 |
OpenSSL 1.0.1g is the Heartbleed-patched release but dates to 2014. These DLLs enable the bot to exfiltrate data via smtp.gmail.com:465 (observed in sandbox: TCP to 209.85.202.108:465).
Fuery Backup Domain Generation
The Fuery binary contains 13 hardcoded domains, but only one resolves:
ACTIVE:
laf.oahgsfwklg.top -> 178.16.54.79
DEAD (NXDOMAIN):
iahfi.visbxskagt.com
let.mebeyourfriend.digital
if.youwannabemylover.life
make.mydaymakemyday.info
smachrie1.weinerbuyout.top
sackless2.backspacersasine.sbs
recondole3.compositesclosetful.xyz
dietaries4.permeatedicelanders.today
epanadiplosis5.misdateswampanoag.cyou
invoke6.escrimesesquipedal.digital
bordrage7.kafkaesquebozo.info
stacher8.disequilibrationaproctous.top
The naming follows a clear pattern: [nonsense_word][number].[two_compound_words].[TLD]. This resembles DGA-like backup domain generation seen in SmokeLoader/Amadey families, with the numbered prefixes suggesting sequential generation.
Novel Obfuscation: Raft Consensus Protocol Type Abuse
Both binaries share an obfuscation technique we have not seen documented in public malware research. The Go binaries use Raft consensus protocol type names as disguises for malware data structures:
// Shared across both families (not real Raft implementation):
*main.AppendEntries
*main.VoteRequest
*main.VoteResponse
*main.LogEntry
*main.LogIndex
*main.NodeID
*main.Term
*main.Bitstream
*main.MacroBlock
*main.MotionVector
map.bucket[main.NodeID]bool
map.bucket[main.LogIndex]main.Term
map.bucket[main.NodeID]main.LogIndex
Per-build unique type names use auto-generated compound words:
// SmokeLoader-unique (PE32+, x86-64):
*main.Exclusionqualifying
*main.Impressionadjustments
*main.Pharmaceutical
*main.Sequencesmilwaukee
// Fuery-unique (PE32, x86):
*main.Fundamentalsreductions
*main.Returningcholesterol
*main.Sensitivedefendant
*main.Preparation
These are not functional Raft implementations. The type names (AppendEntries, VoteRequest, LogEntry) are borrowed from the Raft distributed consensus protocol to make the binary appear to be a legitimate distributed systems application during static analysis. The compound-word types serve as per-build watermarks, likely auto-generated during compilation. Both families compile with Go 1.20.1 and share the same obfuscation framework, establishing a toolchain link between the two otherwise distinct malware families.
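One way to turn this observation into a triage check is to pull the package-main type names out of a Go binary's string table and score the Raft vocabulary against the compound-word watermarks. This is an added example, not tooling from the post; the watermark regex is our own heuristic, and the two sample byte strings are constructed from the type names listed above rather than read from the real samples.

```python
import re

# Raft vocabulary observed as decoy type names in both samples (from the post).
RAFT_DECOY_TYPES = {
    "AppendEntries", "VoteRequest", "VoteResponse", "LogEntry",
    "LogIndex", "NodeID", "Term",
}
# Video-codec vocabulary that accompanies it in both binaries.
CODEC_DECOY_TYPES = {"Bitstream", "MacroBlock", "MotionVector"}

# Go's runtime type-name table stores names like "*main.LogEntry" and
# "map.bucket[main.NodeID]bool"; this picks up every package-main type name.
TYPE_RE = re.compile(rb"(?<![A-Za-z])main\.([A-Z][A-Za-z0-9_]{2,})")
# Heuristic (our assumption, not from the post): a per-build watermark is two
# dictionary words glued together behind a single leading capital, which no
# idiomatic Go exported identifier looks like, e.g. "Exclusionqualifying".
WATERMARK_RE = re.compile(r"^[A-Z][a-z]{14,}$")

def extract_main_types(blob: bytes) -> list[str]:
    """Return the distinct package-main type names embedded in a Go binary."""
    return sorted({m.group(1).decode("ascii") for m in TYPE_RE.finditer(blob)})

def assess(blob: bytes) -> dict:
    """Flag a near-complete Raft vocabulary under package main together with at
    least one compound-word watermark. Genuine Raft code lives in its own
    package path (e.g. raft.AppendEntries), so these names under main are the
    anomaly worth a closer look."""
    types = extract_main_types(blob)
    raft = [t for t in types if t in RAFT_DECOY_TYPES]
    codec = [t for t in types if t in CODEC_DECOY_TYPES]
    watermarks = [t for t in types
                  if WATERMARK_RE.match(t) and t not in RAFT_DECOY_TYPES]
    return {
        "raft": raft,
        "codec": codec,
        "watermarks": watermarks,
        "suspicious": len(raft) >= 5 and len(watermarks) >= 1,
    }

# Constructed stand-in for the SmokeLoader build's string table, assembled from
# the type names quoted in the post; a real scan would read the PE file bytes.
SAMPLE_SMOKELOADER = b"\x00".join([
    b"*main.AppendEntries", b"*main.VoteRequest", b"*main.VoteResponse",
    b"*main.LogEntry", b"*main.LogIndex", b"*main.NodeID", b"*main.Term",
    b"*main.Bitstream", b"*main.MacroBlock", b"*main.MotionVector",
    b"map.bucket[main.NodeID]bool", b"map.bucket[main.LogIndex]main.Term",
    b"*main.Exclusionqualifying", b"*main.Impressionadjustments",
    b"*main.Pharmaceutical", b"*main.Sequencesmilwaukee",
    b"go1.20.1", b"*runtime.g",
])
# Constructed benign Go binary fragment for comparison.
SAMPLE_BENIGN = b"\x00".join([b"*main.Config", b"*main.Server", b"go1.20.1"])

if __name__ == "__main__":
    print(assess(SAMPLE_SMOKELOADER))
    print(assess(SAMPLE_BENIGN))
```

Shorter single-word types such as Pharmaceutical and Preparation are extracted but deliberately not counted as watermarks, so the verdict rests on the unambiguous compound names.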
Infrastructure Pivoting
TLS Certificate Archaeology
The stale TLS certificate on coox.live (serving CN=botmind-sa.com instead of coox.live) provided the first pivot. Certificate timeline reconstruction:
2025-10-24 botmind-sa.com registered (GoDaddy) -- earliest operator domain
2025-12-28 botmind-sa.com LE cert issued (still served on coox.live:443)
2026-01-03 oahgsfwklg.top registered + LE cert (Fuery C2)
2026-02-04 178.16.54.79 first flagged in OTX (Stealc/Remcos/CobaltStrike)
2026-02-10 baxe.pics registered (Namecheap, privacy-protected)
2026-02-19 coox.live + ropea.top registered (same second, PDR/Regway)
2026-02-22 forestoaker.com registered (Realtime Register)
2026-03-02 forestoaker.com suspended by registrar (~8 days)
2026-03-05 Samples uploaded to MalwareBazaar
The baxe.pics domain previously resolved to 94.231.205.229 (MVPS LTD, Cyprus) before migrating to 65.21.104.235 (Hetzner, Finland) around late February 2026. TLS on the Hetzner IP serves a certificate for qimmaedu.com, an Arabic-language education management system, confirming the operator co-hosts cover sites on the same infrastructure.
cPanel Certificate Chain Linking
Historical certificate transparency logs revealed shared cPanel mail certificates linking the operator's expired domain portfolio:
ropea.top <--> oorwa.top <--> mmun.top (cPanel shared mail certs, Oct-Dec 2021)
oorwa.top <--> horej.top (Let's Encrypt shared cert, Aug 2023)
horej.top <--> fymzq.top (Let's Encrypt shared cert, Aug 2023)
All linked through mail.ropea.top, mail.oorwa.top, mail.mmun.top appearing as SANs on the same cPanel auto-generated certificates. These domains were co-located on a massive shared hosting instance -- the 2021 cPanel cert (ID 5742879649) covered 1,800+ domains as SANs.
OMEGATECH Subnet Overlap
The Fuery C2 IP (178.16.54.79) sits on the same /24 subnet as a known Phorpiex botnet C2 (178.16.54.109), both hosted by OMEGATECH LTD -- a Seychelles-registered entity operating out of the Netherlands on AS209800. This co-location suggests either the same operator or shared bulletproof hosting infrastructure.
Operator Attribution: "ingermany"
WHOIS data for coox.live and ropea.top (registered within one second of each other on 2026-02-19 via PDR/Regway) exposed the registrant:
Name: German Ingrmen
Organization: ingermany
Address: OSVALT, Krasnodar, Krasnodarskiy kray, 512211, RU
Phone: +7.9114890282
Email: ingermany1@inbox.eu
SOA record for coox.live independently confirms the email:
dns1.regway.com. ingermany1.inbox.eu. 2026030402 7200 7200 172800 38400
Registration Data Analysis
The WHOIS data is fabricated but internally consistent:
- Postal code 512211: Invalid for Krasnodar (valid range: 350000-350991). No Russian region uses the 512xxx prefix.
- Street "OSVALT": Does not exist in Krasnodar's street directory. Not a Russian street naming convention.
- Phone +7-911: MTS mobile prefix for the Northwestern Federal District (St. Petersburg area), ~2,000 km from the claimed Krasnodar address.
- Name "German Ingrmen": Zero hits across all public databases, social media (VK, OK.ru), and court records. "German" is a legitimate Russian first name; "Ingrmen" is a deliberate corruption of "Ingerman" (Ingria/St. Petersburg region connection).
The thematic consistency is notable: "ingermany" (organization) + "ingermany1" (email username) + "Ingrmen" (surname) all phonetically converge on "in Germany." Combined with the +7-911 prefix pointing to the St. Petersburg/Ingermanland region, this may be more than irony.
OPSEC Profile
The operator uses a Latvian email provider (inbox.eu, operated by Inbokss SIA in Riga) popular among Russian-speaking Baltic diaspora. This provides GDPR protection and avoids Russian SORM lawful intercept requirements -- a deliberate jurisdictional choice.
The registrar chain passes through Regway (Webshark Inc., Seychelles) to PDR Ltd (India, ICANN ID 303). Regway has documented use by the FSB-linked SEABORGIUM/COLDRIVER group (Recorded Future, 38 domains) and hosts 11,722+ domains on its nameservers, including significant concentrations of phishing domains targeting French telecoms and banks.
Critical OPSEC failure: The operator did not enable WHOIS privacy on the PDR/Regway registrations, despite it being available. The baxe.pics domain (Namecheap) correctly uses privacy protection. This inconsistency across registrars directly exposed the pseudonym and linked both domains.
Distinction from UAC-0006
This operator is distinct from UAC-0006 (CERT-UA's tracked SmokeLoader actor). UAC-0006 uses Russian registrars (reg.ru, nic.ru), Russian hosting (macloud.ru, cloudx.ru), and targets Ukrainian financial institutions. The "ingermany" operator uses Western registrars, European hosting, and shows no Ukrainian targeting -- likely an independent SmokeLoader customer.
Threat Intelligence Coverage Gap
The investigation revealed a concerning gap in detection across major platforms:
| Platform | 168.231.114.49 | 65.21.104.235 | coox.live | baxe.pics |
|---|---|---|---|---|
| Shodan | Not indexed | Indexed (qimmaedu.com) | N/A | N/A |
| VirusTotal | No results | No results | No results | No results |
| OTX AlienVault | 0 pulses | 0 pulses | 0 pulses | 50 pulses |
| GreyNoise | Not found | Not found | N/A | N/A |
| AbuseIPDB | No reports | No reports | N/A | N/A |
| ThreatFox | Not indexed | Not indexed | Not indexed | Not indexed |
| URLhaus | Not indexed | Not indexed | Not indexed | Not indexed |
Only baxe.pics has any coverage (50 OTX pulses, tagged botnet_c2, detected by LTNA-Australia and PreCog Sweep automated feeds since 2026-03-01). The primary panel at coox.live and its IP have zero coverage -- the "InsureFlow Pro" disguise is working.
MITRE ATT&CK Mapping
| Technique | ID | Description |
|---|---|---|
| Credentials from Password Stores: Credentials from Web Browsers | T1555.003 | Browser credential harvesting |
| Query Registry | T1012 | Software enumeration |
| Application Layer Protocol: Web Protocols | T1071.001 | HTTP POST multipart C2 |
| Non-Standard Port | T1571 | C2 on ports 28313, 48261 |
| Exfiltration Over C2 Channel | T1041 | 1 MB+ stolen data upload via C2 |
| Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | T1048.002 | Fuery SMTP exfiltration via Gmail |
| Obfuscated Files or Information | T1027 | Raft protocol type name abuse |
| Ingress Tool Transfer | T1105 | OpenSSL DLL download from C2 |
| Web Service | T1102 | Gmail SMTP as exfil channel |
| Masquerading | T1036 | Panel disguised as insurance SaaS |
IOCs
Network Indicators
Live C2 Endpoints (confirmed 2026-03-06):
http://168.231.114.49:28313/ SmokeLoader check-in beacon
http://65.21.104.235:48261/ SmokeLoader data exfiltration
https://coox.live/admin SmokeLoader panel (unauthenticated)
http://178.16.54.79/t Fuery telemetry
http://178.16.54.79/s Fuery status/commands
http://178.16.54.79/c Fuery command retrieval
http://178.16.54.79/f Fuery file operations
http://178.16.54.79/fd/libeay32.dll OpenSSL DLL (1,177,088 bytes)
http://178.16.54.79/fd/ssleay32.dll OpenSSL DLL (270,336 bytes)
Domains:
coox.live SmokeLoader panel + C2 beacon
baxe.pics SmokeLoader data exfiltration
laf.oahgsfwklg.top Fuery "Monkey" C2 panel
ropea.top Suspended SmokeLoader C2
forestoaker.com Suspended backup domain
botmind-sa.com Operator's previous domain (stale cert pivot)
qimmaedu.com Cover site (same IP as baxe.pics)
oorwa.top Expired, linked via shared certs
mmun.top Expired, linked via shared certs
horej.top Expired, linked via shared certs
fymzq.top Expired, linked via shared certs
IP Addresses:
168.231.114.49 Hostinger, GB (AS47583) -- coox.live
65.21.104.235 Hetzner, FI (AS24940) -- baxe.pics
178.16.54.79 OMEGATECH, NL (AS209800) -- Fuery C2
94.231.205.229 MVPS LTD, CY -- previous baxe.pics (decommissioned)
File Hashes (SHA256)
bac70244b93a4a92b9d633415435cd81e8643ecd20b52b962b369ceaaddc3958 SmokeLoader
18e9a8bfad425d3ff9c0ab3d71e6890320166127b8bdf7460a7edd30f45be0ab Fuery
fc17b65f6b4c6dc717b19d46a4a6a8ed68b982aaf9e25d4421ca223894166a13 libeay32.dll
b4434b408409d36d8e0d0bcf41ad804d02fdee96bc7f8255105380bfcec0d1f5 ssleay32.dll
TLS Certificate Fingerprints
botmind-sa.com Serial: 060de956ea7dd93d4a45219836814a9a3e61 (LE E7, stale on coox.live)
coox.live Serial: 4b4e999390920081 (GoDaddy, issued 2026-02-19)
oahgsfwklg.top Issuer: Let's Encrypt E8 (Fuery C2, expires 2026-04-03)
qimmaedu.com Serial: 05c5546bc8978542d89b113cda8041e6e48b (LE R12, on baxe.pics IP)
Operator Identifiers
Email: ingermany1@inbox.eu
Phone: +7.9114890282 (MTS, Northwest Russia)
WHOIS Name: German Ingrmen
Organization: ingermany
Registrar: PDR Ltd / Regway.com (Webshark Inc., Seychelles)
SOA RNAME: ingermany1.inbox.eu (coox.live zone)
Detection Signatures
Panel fingerprinting queries for Shodan/Censys:
http.title:"InsureFlow Pro"
http.body:"ai_system" AND "operational" AND "database" AND "connected"
http.body:"Invalid file type. Allowed types: .xls, .xlsx"
Snort/Suricata network signatures:
alert tcp any any -> any 28313 (msg:"SmokeLoader C2 Beacon (coox.live high port)"; sid:1000001;)
alert tcp any any -> any 48261 (msg:"SmokeLoader Exfil (baxe.pics high port)"; content:"multipart/form-data"; sid:1000002;)
alert http any any -> any any (msg:"Fuery C2 Single-Letter Endpoint"; content:"POST"; http_method; pcre:"/^\/[tscfv]$/U"; sid:1000003;)
Investigation conducted 2026-03-05 through 2026-03-06. All C2 endpoints were confirmed live at time of publication. IOCs should be validated before deployment in production detection rules.