Your C2 Server Is Not Your Portfolio Host: How the NOMADS Group Put Their Names Next to Their Malware

Four operators identified through the OPSEC failure of hosting a portfolio on the same IP as C2

Published April 3, 2026

Tags: mefstealer, nomads, opsec-failure, novel-malware, attribution

There's a special category of OPSEC failure reserved for threat actors who host their personal website on the same IP address as their command-and-control infrastructure. The NOMADS group earned their place in it.

Starting from a single IP and port -- 193.181.211[.]79:5001 -- flagged by @Fact_Finder03 as a stealer panel, we mapped a complete MaaS operation: a novel information stealer called MefStealer, four identified group members, a FastAPI C2 panel with zero authentication, and a personal developer portfolio sitting on the same Traefik reverse proxy as the malware infrastructure.

MefStealer is not in any public threat intelligence feed. This is the first reporting.

The Panel

Port 5001 serves a FastAPI-based C2 dashboard. No authentication. No login page. No bearer token. Just an open panel accessible to anyone on the internet. The API exposes stealer logs, victim data, and configuration endpoints through a standard REST interface.

Port 5000 runs a Flask-based stealer gate -- the endpoint that receives exfiltrated credentials, cookies, and browser data from infected machines. Also unauthenticated.

Port 6556 runs a Checkmk monitoring agent -- a legitimate infrastructure monitoring tool -- that freely reports the server's health metrics to anyone who connects.

Three services. Three ports. Zero authentication on any of them.

The Portfolio

Here's where it gets remarkable.

The same IP address -- 193.181.211[.]79 -- also serves chernuha[.]space through the same Traefik reverse proxy instance. This isn't a different server behind a shared load balancer. It's the same Traefik configuration routing traffic for both the C2 infrastructure and a personal developer portfolio.

The portfolio belongs to a developer using the alias Chernuha. It showcases their work as a SysAdmin and DevOps engineer. And it includes a "Squad" section that names all four members of the NOMADS group with links to their respective domains.

The Group

Four operators were identified by cross-referencing the portfolio's Squad page with the infrastructure analysis:

Chernuha -- SysAdmin/DevOps. Portfolio on the C2 IP. The infrastructure architect of the group.

Forust (MrForust) -- CTF player on the XRock_Team competitive hacking squad. Active on TryHackMe, has a public GitHub, Telegram, Discord presence, and a published PGP key. The VPS hostname forustvps appears in server configurations.

Hudan -- Behind Cloudflare. Less exposed than the others but linked through the Squad page.

Xdfnx -- Fullstack developer. A Slovak residential IP in the 78.98.0.0/16 Telekom range is linked to their infrastructure, providing a geographic anchor for the group.

Slovak Nexus

Two residential IP addresses in Slovak Telekom's address space are connected to group members. Slovakia isn't a country that typically appears in threat actor attribution -- most Eastern European cybercrime is associated with Russia, Ukraine, or Romania. A Slovak-based group developing a novel stealer is noteworthy for the geographic intelligence community.

MefStealer

The stealer itself is a novel family -- no entries in MalwareBazaar, ThreatFox, or any commercial threat feed we checked. The name comes from the panel branding. Based on the infrastructure analysis:

  • Exfiltration: Browser credentials, cookies, session tokens
  • C2 Protocol: REST API over HTTP (FastAPI backend)
  • Hosting: Webdock.io VPS (legitimate Danish hosting provider)
  • Status: Pre-operational. Zero confirmed victims in the panel at time of investigation.

The zero-victim status is significant. This infrastructure was caught during staging -- the stealer is built, the C2 is running, but no campaigns have been launched yet. This is an opportunity for preemptive disruption through abuse reports to Webdock.io before any victims are compromised.

Detection

Three YARA rules detecting the MefStealer panel HTML, JavaScript, and gate response patterns are available on our GitHub:

Indicators of Compromise

Network Indicators

  • 193[.]181[.]211[.]79 (Webdock.io)
  • chernuha[.]space -- operator portfolio (same IP as C2)
  • Port 5001: FastAPI C2 panel
  • Port 5000: Flask stealer gate
  • Port 6556: Checkmk agent (unauthenticated)

Group Indicators

  • NOMADS group name
  • Members: Chernuha, Forust/MrForust, Hudan, Xdfnx
  • VPS hostname: forustvps
  • Geographic nexus: Slovakia (78.98.0.0/16 Telekom)
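To make the indicators above directly usable, here is an added example (not part of the original report) that refangs the page's `[.]`-defanged IP and domain and scans a constructed egress-log sample for connections to the C2 IP, labelling hits by the documented port, and for the operator domain by SNI/Host. The log format and sample lines are constructed for illustration; port 6556 on its own is deliberately not treated as a hit, since Checkmk is a legitimate tool.

```python
import ipaddress
import re
from dataclasses import dataclass

# Indicators from the report, kept in the defanged form used on the page.
DEFANGED_IP = "193[.]181[.]211[.]79"
DEFANGED_DOMAIN = "chernuha[.]space"
# Port -> service, as documented in the report.
C2_PORTS = {5001: "FastAPI C2 panel", 5000: "Flask stealer gate", 6556: "Checkmk agent"}


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]', 'hxxp') back into its live form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


@dataclass(frozen=True)
class Hit:
    line_no: int
    indicator: str
    detail: str


# Constructed sample egress log: "<ts> <src_ip> <dst_ip> <dst_port> <sni_or_host>".
# The 104.21.x.x line is made up to show the domain match working independently
# of the IP; the 192.0.2.x line is a benign Checkmk connection elsewhere.
SAMPLE_LOG = """\
2026-04-03T10:01:02Z 10.0.5.21 193.181.211.79 5000 -
2026-04-03T10:01:05Z 10.0.5.21 142.250.74.46 443 www.google.com
2026-04-03T10:02:11Z 10.0.7.9 104.21.33.12 443 chernuha.space
2026-04-03T10:03:40Z 10.0.9.3 192.0.2.10 6556 -
2026-04-03T10:04:00Z 10.0.5.21 193.181.211.79 5001 -
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\S+)$")


def scan_log(log_text: str) -> list[Hit]:
    """Return one Hit per log line that touches the reported IP or domain."""
    c2_ip = ipaddress.ip_address(refang(DEFANGED_IP))
    domain = refang(DEFANGED_DOMAIN)
    hits: list[Hit] = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the constructed format
        _ts, _src, dst, port, host = m.groups()
        if ipaddress.ip_address(dst) == c2_ip:
            # Any connection to the C2 host is a hit; the port names the service.
            hits.append(Hit(n, str(c2_ip), C2_PORTS.get(int(port), f"port {port} (undocumented)")))
        elif host == domain or host.endswith("." + domain):
            hits.append(Hit(n, domain, "operator portfolio domain"))
        # A bare 6556 to some other address is just Checkmk traffic: no hit.
    return hits
```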

h/t @Fact_Finder03 for the initial IP.