high🔑Stealer

investigatedMarch 2, 2026publishedMarch 2, 2026

Kent-Loader: A CS2 Cheat That Doubles as a Full-Featured Backdoor

Threat Actors:is **Russian-speaking** and operates via Telegram.Profilewas pushing updates during analysisIOCs (Complete)ed.

#stealer#social-engineering#credential-theft#c2#botnet#ransomware#exploit

Published: 2026-03-08 | Author: Breakglass Intelligence | TLP:WHITE

TL;DR

A subscription-based Counter-Strike 2 "web radar" cheat sold for 20 RUB/day (~$0.20 USD) via Telegram is actually a fully-capable loader/RAT with admin privilege escalation, registry persistence, process injection, and an auto-update mechanism that can silently push arbitrary payloads to every connected client. The Russian-speaking operator behind the Telegram handle @udwop was observed actively compiling and deploying new binary versions during our live analysis of the C2 infrastructure at puzo[.]monster.

The Biggest Risk: Every User Is Running an Open Backdoor

The most dangerous aspect of Kent-Loader is not its game-cheating functionality — it is the unchecked auto-update pipeline. The binary phones home to puzo[.]monster:1337/update/check.php on every launch, and if a new version is available, it downloads and executes the replacement binary without any code-signing verification, integrity validation beyond an MD5 served by the same untrusted server, or user confirmation.

This means the operator — or anyone who compromises the C2 — can push ransomware, an infostealer, or a wiper to the entire user base with a single file replacement on the server. During our analysis window, we observed the operator push three distinct binary versions in under a week, proving this pipeline is actively used and that silent payload replacement is operationally trivial.

The update endpoint requires no authentication:

GET /update/check.php HTTP/1.1
Host: puzo[.]monster:1337

{"update_available":true,"version":"1.2.2",
 "download_url":"https://puzo.monster:1337/update/download",
 "size":1217536,"md5":"9b8b8bb7d3f3a90deb94101e75e6cb94",
 "updated_at":"2026-03-02T19:31:28.887Z"}

Anyone on the internet can download the latest malware binary. There is no token, no HWID check, and no rate limiting on the download endpoint. The MD5 hash is provided by the same server that serves the payload — a self-referential "integrity check" that provides zero actual security.

Sample Identification

The initial sample was obtained from the C2 distribution endpoint on 2026-03-02. It is a PE32+ console executable for x86-64 Windows, compiled with MSVC (Visual Studio 2019/2022 mixed toolchain), statically linking libcurl for HTTP/HTTPS, nlohmann/json v3.11.2 for JSON parsing, and easywsclient for WebSocket communication.

Field	Value
Original Filename	`loader.exe` (served via Content-Disposition)
File Size	1,225,216 bytes (v1.1.2)
SHA-256	`2f07590fa613389eff5c6e508797eb04a1206d52474e66c58add590909d42344`
Compile Timestamp	2026-02-26 19:07:47 UTC
Claimed Identity	Intel(R) Content Protection HECI Service (`IntelCPHeci.exe`)
PE Version Info	CompanyName: Intel Corporation / LegalCopyright: Copyright (C) 2023 Intel Corporation

The PE version info is entirely fabricated. The binary masquerades as a legitimate Intel HECI service component — a social engineering tactic designed to survive casual inspection in Task Manager or process listings (MITRE ATT&CK T1036.005 - Match Legitimate Name or Location).

Distribution and Monetization

Kent-Loader is marketed as "CS2 Cloud Radar" through a Telegram ecosystem operated by the handle @udwop (bio: "тип умный кодер)" — "like a smart coder)"). The operation includes:

Product channel: @cs2cloudradar — marketing and announcements
Sales bot: @cs2cloudradar_bot — automated subscription key distribution
Group chat: accessible via invite link hxxps://t[.]me/+rtUbonxraYU2MTUy
Pricing: 20 RUB/day (~$0.20 USD) — deliberately low to maximize install base

The low price point is notable. At $0.20/day, the revenue from the cheat itself is negligible. This pricing strategy is consistent with a threat actor whose primary objective is building a large botnet of compromised machines rather than generating subscription revenue.

Binary Analysis

Execution Flow

The loader follows a multi-stage initialization sequence:

Winsock + exception handler + config system init
Credential recovery — checks registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Loader for saved credentials
Authentication — displays LOADER AUTHORIZATION console prompt, sends POST /api/login with {username, password, hwid} to C2
Subscription verification — checks expiry date and frozen status
Auto-update check — queries /update/check.php, downloads to loader_update.exe if new version available, self-replaces and restarts
Anti-cheat scanning — enumerates running processes for FACEIT (faceit.exe, faceitclient.exe, faceitservice.exe)
Game detection — waits for cs2.exe
Module enumeration — scans for client.dll and schemasystem.dll via CreateToolhelp32Snapshot + Module32First/Next
Schema resolution — resolves game entity offsets dynamically through the CS2 schema system
Memory reading loop — reads player data (position, health, weapons, team, bomb status) via ReadProcessMemory
WebSocket streaming — sends structured JSON player data to ws://puzo[.]monster:1337/loader

UAC Elevation

The manifest demands administrator privileges on launch:

<requestedExecutionLevel level='requireAdministrator' uiAccess='false' />

This is T1548.002 — Abuse Elevation Control Mechanism: Bypass User Account Control. Users who accept the UAC prompt grant the binary full administrative control over the system.

Anti-Analysis Techniques

The binary implements a layered anti-debug and anti-sandbox suite:

IsDebuggerPresent and CheckRemoteDebuggerPresent — standard debugger detection
NtQueryInformationProcess — queries ProcessDebugPort and ProcessDebugObjectHandle
NtQuerySystemInformation — system-level debugger detection
wine_get_version — detects Wine/sandbox environments (T1497 - Virtualization/Sandbox Evasion)
AddVectoredExceptionHandler — exception-based anti-debug (uses structured exceptions to detect single-stepping)

Capabilities Beyond Game Cheating

The import table reveals capabilities far exceeding what a game radar requires:

Capability	Evidence
Process enumeration & injection	`CreateToolhelp32Snapshot`, `Process32First/Next`, `OpenProcess`, `ReadProcessMemory`, `TerminateProcess`
Registry persistence	`RegCreateKeyExA`, `RegOpenKeyExA`, `RegSetValueExA`, `RegQueryValueExA`
Clipboard theft	`OpenClipboard`, `EmptyClipboard`, `SetClipboardData`
Cryptographic operations	`CryptAcquireContextA`, `CryptHashData`, `CryptEncrypt`, `CryptImportKey`
Certificate store access	`CertOpenStore`, `CertEnumCertificatesInStore`, `PFXImportCertStore`
LDAP operations	18 ordinal imports from `WLDAP32.dll`
File system operations	`CreateFile2`, `FindFirstFileW`, `DeleteFileW`, `SetFileInformationByHandle` (v1.2.2+)
Dynamic code loading	`LoadLibraryA`, `GetProcAddress`, `VirtualProtect`

The LDAP imports and certificate store access are particularly anomalous for a game cheat. These capabilities suggest the binary can enumerate Active Directory environments and export certificates — functionality consistent with lateral movement tooling or enterprise credential theft.

C2 Infrastructure

Server Architecture

The C2 runs on a single Ubuntu 22.04 VPS at 144.31.136.2 (ASN AS212743, ETERNITY INTERNATIONAL LIMITED, Falkenstein, Germany), managed through FASTPANEL v2.1.0 on port 8888.

Port 80/443  -->  nginx 1.28.2 (SSL termination, Let's Encrypt)
                    |
Port 1337    -->  Node.js/Express (REST API + WebSocket + Vite SPA)
Port 8888    -->  FASTPANEL v2.1.0 (hosting control panel)
Port 21      -->  ProFTPD (file transfer)
Port 22      -->  OpenSSH 8.9p1
Port 7777    -->  nginx (empty, all 404 -- possibly staging)

The domain puzo[.]monster was registered on 2026-02-03 via NameSilo, with Cloudflare nameservers configured for DNS resolution (but the server IP is not proxied through Cloudflare's CDN — the real IP is directly exposed). The SSL certificate was issued by Let's Encrypt on 2026-02-10, with a wildcard cert for *.puzo.monster provisioned the same day — indicating the operator planned subdomain expansion.

Backend Stack

The API layer is Node.js with Express, backed by MongoDB (confirmed through NoSQL injection behavior) with bcrypt for password hashing. The CORS policy is fully permissive (Access-Control-Allow-Origin: *), meaning any website can make authenticated API calls to the C2 if it can obtain a valid token.

WebSocket Protocol

The real-time data stream uses a room-based WebSocket protocol:

// Client auth (viewer role)
{"type": "auth", "role": "viewer", "code": "<room_code>"}

// Server response
{"type": "joined", "code": "<room_code>"}

// Continuous game data stream
{"m_players": [...], "m_local_team": 2, "m_bomb": {...}, "m_map": "de_dust2"}

Four roles exist: viewer, loader, server, and admin. Only the viewer role responds immediately to auth — the other three appear to require additional authentication tokens, suggesting a tiered access model for different operator functions.

Confirmed Vulnerability: NoSQL Injection

The /api/login endpoint passes user-supplied JSON directly to MongoDB queries without input sanitization:

// This causes the server to hang indefinitely:
{"username": {"$gt": ""}, "password": {"$gt": ""}, "hwid": "WEB-PANEL"}

When MongoDB operator objects are passed as both username and password, the findOne() query returns a valid user document, but bcrypt.compare() receives an object instead of a string and never resolves — causing the request to hang. While bcrypt prevents direct authentication bypass, this vulnerability confirms unsanitized MongoDB queries and could be exploited for denial-of-service or data exfiltration via timing-based $regex attacks against the username field.

Additionally, zero rate limiting exists on the login endpoint. Over 1,877 brute-force attempts were completed at 25 requests/second without any blocking, lockout, or throttling.

Live Operator Activity: Three Binaries in One Week

During our two-session analysis window (2026-03-02 to 2026-03-03), the operator compiled and deployed three distinct binary versions, demonstrating active development:

Version	Compiled	Size	Key Changes
v1.1.2	2026-02-26 19:07:47	1,225,216 B	Original sample
v1.1.2.1	2026-03-02 19:03:30	1,225,728 B	Added `security error` check, improved error handling
v1.2.2	2026-03-02 19:31:17	1,217,536 B	Added `std::filesystem`, removed debug output, code optimization

The v1.1.2.1 and v1.2.2 builds were pushed 28 minutes apart — the operator was actively developing while we were analyzing the infrastructure. Version 1.2.2 is notable: it is 7,680 bytes smaller than v1.1.2 despite adding new filesystem capabilities (CreateFile2, FindFirstFileW, DeleteFileW, SetFileInformationByHandle), indicating dead code removal and optimization consistent with a maturing toolset. Debug strings like [info] winsock initialization completed and user prompts like Invalid input. Try again: were stripped, reducing forensic visibility.

MITRE ATT&CK Mapping

Tactic	Technique	ID	Implementation
Defense Evasion	Masquerading: Match Legitimate Name	T1036.005	Fake Intel `IntelCPHeci.exe` PE metadata
Defense Evasion	Debugger Evasion	T1622	`IsDebuggerPresent`, `NtQueryInformationProcess`
Defense Evasion	Virtualization/Sandbox Evasion	T1497	`wine_get_version` check
Persistence	Registry Run Keys / Startup Folder	T1547.001	`Explorer\Advanced\Loader` registry key
Privilege Escalation	Abuse Elevation Control: Bypass UAC	T1548.002	`requireAdministrator` manifest
Execution	Execution Guardrails: HWID Check	T1480	Hardware ID binding for license enforcement
Discovery	Process Discovery	T1057	`CreateToolhelp32Snapshot` process enumeration
Discovery	System Information Discovery	T1082	`GetVolumeInformationA`, `GetComputerNameA`
Discovery	Account Discovery	T1087	`GetUserNameA`
Collection	Clipboard Data	T1115	`OpenClipboard`, `SetClipboardData`
Command and Control	Application Layer Protocol: Web	T1071.001	HTTP REST API + WebSocket C2
Command and Control	Ingress Tool Transfer	T1105	Auto-update mechanism for payload delivery
Credential Access	Credentials from Certificate Stores	T1552.004	`CertOpenStore`, `CertEnumCertificatesInStore`, `PFXImportCertStore`

Indicators of Compromise

File Hashes

Version	SHA-256	MD5
v1.1.2	`2f07590fa613389eff5c6e508797eb04a1206d52474e66c58add590909d42344`	`c2a5a64a39c898bda06f08e6dd11370c`
v1.1.2.1	`544af6e733d1de03497424cc672461225ef9c322f3402b342742c35e0cff553e`	`0a61d78cfd5187ef0fea757b3c5e3449`
v1.2.2	`817207c233c2828f45de65c67932dcd72f9de698d2ac31a89a16d02783ff68ea`	`9b8b8bb7d3f3a90deb94101e75e6cb94`

Network Indicators

Indicator	Type	Context
`puzo[.]monster`	Domain	Primary C2 domain
`144.31.136.2`	IPv4	C2 server IP
`hxxp://puzo[.]monster:1337/update/check.php`	URL	Update check endpoint
`hxxp://puzo[.]monster:1337/update/download`	URL	Payload download
`hxxp://puzo[.]monster:1337/api/login`	URL	Authentication endpoint
`ws://puzo[.]monster:1337/loader`	URL	WebSocket C2 channel
`wss://puzo[.]monster/loader`	URL	WebSocket C2 (TLS)
`hxxps://puzo[.]monster/radar?code=`	URL	Web radar viewer

Host-Based Indicators

Indicator	Type	Context
`HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Loader`	Registry Key	Credential persistence
`loader_key_2024_secure`	String	Encryption key identifier
`loader-updater/1.0`	User-Agent	HTTP request identifier
`loader_update.exe`	Filename	Self-update staging file
`IntelCPHeci.exe`	Process Name	Masqueraded process name
`requireAdministrator`	Manifest	UAC elevation demand

Telegram Indicators

Indicator	Type	Context
`@udwop`	Handle	Developer/operator
`@cs2cloudradar`	Channel	Product marketing
`@cs2cloudradar_bot`	Bot	Automated key sales
`hxxps://t[.]me/+rtUbonxraYU2MTUy`	Invite Link	User group

SSH Host Key Fingerprints

Algorithm	Fingerprint
ECDSA	`SHA256:G44fA0WevYyxNnFfHIf7B1VP0qx1nT+gCdS7ZxiXiVU`
RSA	`SHA256:7uCCTfeXY4TiGcNVl1ZAVxvArFaJ7NDcgDMXxSL0HFM`
ED25519	`SHA256:hNyXfbsgHFAiRbtoQus4KfVA5r0G+ayb6Ny6JN9AG28`

Defensive Recommendations

Detection

Network monitoring: Alert on connections to puzo[.]monster or 144.31.136.2, particularly on port 1337. The User-Agent string loader-updater/1.0 is a high-fidelity network signature.
Registry monitoring: Watch for creation of HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Loader. This is not a standard Windows registry path.
Process monitoring: Flag any process named IntelCPHeci.exe that is not signed by Intel Corporation, or any unsigned binary requesting requireAdministrator from a non-standard path.
WebSocket monitoring: Detect outbound WebSocket connections to non-standard ports (1337) carrying JSON payloads with fields like m_players, m_position, and m_bomb.

Prevention

Application whitelisting: Block execution of unsigned binaries requesting administrator privileges, particularly those with forged PE version information.
DNS blocking: Add puzo[.]monster to DNS blocklists. Since the server IP is not behind Cloudflare's CDN, IP-based blocking at 144.31.136.2 is also effective.
Endpoint policy: Prevent ReadProcessMemory calls from unsigned processes targeting game executables. This catches the radar functionality and any future memory-reading payloads.
User education: Gaming communities should be warned that cheap cheat tools, especially those requiring admin privileges and providing WebSocket-based functionality, are high-risk vectors for trojanized software.

Incident Response

If Kent-Loader execution is confirmed on an endpoint:

Assume full compromise. The binary had administrator access and the capability to read arbitrary process memory, access certificate stores, and interact with the clipboard.
Rotate all credentials that may have been present in memory or clipboard during the infection window.
Audit the registry at the identified persistence path and remove any stored credential material.
Check for additional payloads. The auto-update mechanism may have deployed secondary malware. Examine loader_update.exe and any recently-created executables.
Review certificate stores. The binary imports PFXImportCertStore and CertEnumCertificatesInStore — check for unauthorized certificate exports or installations.

Conclusion

Kent-Loader represents a pattern increasingly common in the threat landscape: commodity malware distributed through gaming cheat communities, where users voluntarily disable security controls (accept UAC prompts, whitelist in antivirus, grant admin access) because they believe they are installing a competitive advantage rather than a backdoor. The $0.20/day price point makes it accessible to a massive user base while generating negligible revenue — a pricing model that only makes sense if the real value proposition is the installed footprint itself.

The technical sophistication is moderate but effective. The operator is actively developing the toolset, pushing three versions in a week with progressive hardening (debug output removal, code optimization, expanded filesystem capabilities). The C2 infrastructure is simple but functional — a single VPS running Node.js with MongoDB, managed through FASTPANEL, with no rate limiting and a confirmed NoSQL injection vulnerability in the authentication endpoint.

The most concerning element remains the unconstrained auto-update pipeline. Every machine running Kent-Loader is one server-side file replacement away from executing arbitrary attacker-controlled code with administrator privileges. The operator has already demonstrated the willingness and capability to push updates at will. The question is not whether this pipeline will be used for malicious payload delivery — it is whether it already has been.

C2 status at time of publication: ACTIVE Investigation conducted by Breakglass Intelligence, 2026-03-02 through 2026-03-03