TLP: AMBER
Date: 2026-03-09
Analyst: GHOST (Breakglass Intelligence)
Classification: Cybercrime
Investigation ID: xworm-march9-v2
Executive Summary
A deep infrastructure investigation of Oracle Cloud VPS 143.47.53.106 reveals a prolific multi-RAT operator running at least 6 different malware families (XWorm, Hook, DCRat, AsyncRAT, njRAT/Bladabindi) from a single server since June 2024. The operator uses LocaltoNet and other tunneling services to rotate C2 domains, with 40+ hostnames observed in passive DNS over 21 months.
The most critical finding is an open MinIO S3 bucket on port 9679 containing 210 MB of stolen victim data from the Hook banking trojan campaign, including camera photos, audio recordings, screenshots and DCIM files from 8 real victim devices. The filenames contain Eastern Arabic numerals, indicating Arabic-locale devices and, most likely, Middle Eastern victims. The campaign remains ACTIVE: the most recent exfiltration occurred 2 days before this report (2026-03-07).
The server also hosts a MikroWisp v6.66 ISP management panel for "NEXO58, C.A.", a Venezuelan ISP located in Caracas, together with an exposed phpMyAdmin 5.0.2 installation. The operator uses the phishing domain auth.androidfilehost.org (impersonating Android File Host) for Hook panel/exfiltration infrastructure; it was registered via NameCheap and currently resolves to a Ukrainian VPS (Virtual Systems LLC).
Key Statistics
6 RAT families deployed from single IP
40+ domains/subdomains rotated as C2 channels
8 confirmed victim devices (Hook banking trojan)
210 MB stolen data in open MinIO bucket
21 months of continuous operation (Jun 2024 — present)
21 open ports on primary C2 server
3 countries of infrastructure (Ireland, Italy, Ukraine)
Key Findings
OPEN MinIO exfiltration bucket at https://143.47.53.106:9679/hook/ — unauthenticated S3 listing of 67 stolen files from 8 victim devices
8 real Hook victims identified by device ID (HW-prefixed), with stolen camera photos, audio, screenshots, DCIM files
Arabic locale victims — filenames with Eastern Arabic numerals on 2 devices, Samsung "One UI Home" screenshots
Operator test device : bot_test_samsung_s23 with 70-byte placeholder photos (Jan 15, 2026)
Malware staging : 2 APK payloads in s2/ directory (com.xxx.zzz.apk, vcxvxc.apk) — Hook trojan builds
Phishing domain : auth.androidfilehost.org impersonating Android File Host, cert active since Apr 2025
Venezuelan ISP panel : MikroWisp v6.66 for NEXO58, C.A. on port 8458 with exposed phpMyAdmin
Internal IP leak : 10.10.10.252 visible in MikroWisp JavaScript console log
SOCKS5 proxy on port 3388 (requires authentication)
Storj storage node on port 30003 (legitimate distributed storage)
6 malware families : XWorm, Hook, DCRat, AsyncRAT, njRAT, Bladabindi (Bladabindi is Microsoft Defender's detection name for njRAT, so the last two are one codebase counted under two vendor labels)
Campaign duration : At least June 2024 through present (21 months)
Related Italian C2 : 80.211.137.34 (Aruba S.p.A., Italy) hosting reginatower.com, axsante.org, shumukh.etpcon.net
What Was Found vs. What Was Known
Aspect            | Prior Reporting (v1)    | Our Findings (v2)
------------------+-------------------------+----------------------------------------------
Infrastructure    | 1 IP, 3 ports           | 2 IPs, 21+ ports, 40+ domains
RAT families      | 3 (XWorm, DCRat, Hook)  | 6 (+ AsyncRAT, njRAT, Bladabindi)
Victims           | Unknown                 | 8 confirmed devices, Arabic locale
Stolen data       | Unknown                 | 210 MB in open MinIO bucket
Campaign duration | Jan-Mar 2026            | Jun 2024 - present (21 months)
Attribution       | Low-sophistication      | Mid-sophistication with ISP access
Phishing          | Unknown                 | auth.androidfilehost.org
Panel access      | Not attempted           | Open MinIO bucket, ISP panel found
Related infra     | None                    | 80.211.137.34 (Italy), 45.12.2.233 (Ukraine)
Attack Chain
Delivery (Phishing/Fake Tools)
|
v
Token GrabberV2.exe / fake APKs (auth.androidfilehost.org)
|
v
Go Dropper -> PowerShell -> Hidden XWorm/.NET RAT deployment
|
v
Hook APK -> Android device compromise -> Camera/Audio/File exfiltration
|
v
C2: mzsgu2rhxn.localto.net:3480 (XWorm)
C2: 143.47.53.106:8090 (DCRat)
C2: 143.47.53.106:9679/hook/ (Hook exfil bucket)
|
v
Stolen data -> MinIO S3 bucket (open, unauthenticated)
Infrastructure Analysis
Port Inventory — 143.47.53.106
Port                                           | Service          | Purpose
-----------------------------------------------+------------------+-----------------------------------------
22                                             | OpenSSH 8.0      | Remote administration
80                                             | Kestrel (.NET)   | LocaltoNet reverse proxy
111                                            | rpcbind          | NFS/RPC
3388                                           | SOCKS5           | Proxy (auth required)
3480                                           | XWorm C2         | RAT command and control
8090                                           | DCRat C2         | RAT command and control
8458                                           | Apache/2.4.65    | MikroWisp ISP panel + phpMyAdmin 5.0.2
9679                                           | nginx + MinIO    | Hook exfiltration storage
30003                                          | Storj DRPC       | Distributed storage node
1951, 3689, 4949, 6602, 7071, 8060, 8457, 9606 | Unknown          | Additional C2/tunnel endpoints
2003, 2082, 8080, 8087, 8473, 8880             | Dynamic          | Tunnel ports (intermittent)
Network Infrastructure
IP             | Provider                   | Location   | Role
---------------+----------------------------+------------+------------------------------------
143.47.53.106  | Oracle Cloud (AS31898)     | Ireland    | Primary multi-RAT C2
158.178.201.63 | Oracle Cloud (AS31898)     | Austin, TX | LocaltoNet server (not attacker-controlled)
80.211.137.34  | Aruba S.p.A.               | Italy      | Related C2 (Express.js/Node.js)
45.12.2.233    | Virtual Systems LLC (VSYS) | Ukraine    | Hook phishing DNS target
Domain Timeline (143.47.53.106 Passive DNS)
Date       | Domain / Indicator                             | Purpose
-----------+------------------------------------------------+--------------------------------
2024-06    | particularsantander.shop                       | Spanish banking phishing
2024-07    | LocaltoNet tunnels begin                       | C2 rotation
2024-08    | dash.samakaal.so                               | Somali infrastructure
2025-02    | hashmy.etpcon.net                              | etpcon.net infrastructure
2025-04    | auth.androidfilehost.org                       | Hook phishing domain registered
2025-07    | padriadaavenida.com / .net                     | Venezuelan bait domains
2025-08    | splunk.e-soluciona.online                      | Fake Splunk login
2025-10    | apache-sys.localto.net                         | Fake Apache system
2025-11    | chancellerierdc.com                            | DRC embassy impersonation
2025-12    | axsante.org, shumukh.etpcon.net                | Health sector, Arabic infrastructure
2026-01    | cedicapital.tdeeplusghonline.com               | Financial phishing
2026-01-30 | 143.47.53.106:8090                             | DCRat (ThreatFox)
2026-02    | supermercadoverde.com / .net                   | Venezuelan bait
2026-02-05 | 143.47.53.106:9679                             | Hook (ThreatFox)
2026-03-04 | luuchinzi.com (created 5 days before report)   | Active C2 tunnel
2026-03-09 | 9zolmh2qkt.localto.net, cou369ppsh.localto.net | ACTIVE on report date
Certificate Analysis — auth.androidfilehost.org
Period              | Issuer                                          | Status
--------------------+-------------------------------------------------+--------
Apr 2025 - Jul 2025 | Let's Encrypt R10                               | Expired
Jul 2025 - Oct 2025 | Let's Encrypt R11 (wildcard)                    | Expired
Oct 2025 - Jan 2026 | Let's Encrypt E7 (served on 143.47.53.106:9679) | Expired
Dec 2025 - Mar 2026 | Let's Encrypt E8 (served on 45.12.2.233)        | ACTIVE
Hook Banking Trojan — Open MinIO Exfiltration Bucket
Bucket Details
Property           | Value
-------------------+------------------------------------------------------------------
URL                | https://143.47.53.106:9679/hook/
Backend            | MinIO (S3-compatible object storage)
Bucket name        | hook
Owner ID           | 02d6176db174dc93cb1b899f7c6078f08654445fe8cf1b6ce98d8855f66bdbf4
Owner display name | minio
Authentication     | NONE (anonymous listing allowed)
Total files        | 67
Total size         | 210.4 MB
Device directories | 8 real victims + 1 test + 1 staging
Injects bucket     | /injects/ (HTTP 403: exists, but listing is denied)
Victim Device Inventory
Device ID            | Files | Size   | Data types                     | Last active
---------------------+-------+--------+--------------------------------+------------
HW-dbfe8363b7c5ae60  | 12    | 23 MB  | Camera, Audio, Files (Arabic)  | 2026-03-07
HW-e25395a7c09f4de7  | 10    | 25 MB  | Camera, Files (Arabic)         | 2026-03-01
HW-272bb59cd3a308df  | 4     | 115 MB | APKs (Telegram, Call Recorder) | 2026-01-31
HW-0a9664b910cf2812  | 4     | 1.4 MB | Camera, DCIM                   | 2026-02-17
HW-12ccbdbf2eba2f37  | 1     | 1.7 MB | DCIM                           | 2026-02-17
HW-9b443c05e5b0d903  | 10    | 11 MB  | DCIM, Screenshots (Samsung)    | 2025-11-02
HW-dff9d515eb601d2a  | 4     | 2.8 MB | Audio, DCIM, Photos            | 2025-08-20
HW-898eeed5aba5ca3a  | 1     | 162 KB | Photos                         | 2025-06-17
bot_test_samsung_s23 | 16    | 7 KB   | Camera stubs, .dat files       | 2026-01-15
s2                   | 4     | 36 MB  | APK builds + icons             | 2025-08-19
Arabic Locale Artifacts : Devices HW-dbfe8363b7c5ae60 and HW-e25395a7c09f4de7 contain filenames with Eastern Arabic numerals (U+0660-U+0669). Screenshots reference Samsung "One UI Home". These victims use Arabic-locale Samsung Galaxy devices, consistent with Middle Eastern geography.
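The inventory above was built by walking the anonymous listing and grouping objects by their top-level prefix (the bot's device ID). The following is an added example of how to do that, not the analyst's own tooling: it parses an S3 ListBucketResult page, pages through continuation tokens, and flags keys containing Eastern Arabic digits. The only network function, list_bucket(), uses the standard S3 ListObjectsV2 request shape (GET /<bucket>?list-type=2, no credentials) and is not exercised here; SAMPLE_LISTING is a constructed page whose file names, sizes and timestamps are illustrative, with device IDs taken from the report.

```python
"""Enumerate an anonymously listable S3/MinIO bucket and build a per-device
inventory. Added example for this report (not the analyst's tooling); only
the constructed SAMPLE_LISTING is parsed, list_bucket() is never called here.
"""
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from typing import Optional

S3_NS = {"s3": "http://s3.amazonaws.com/doc/2006-03-01/"}
# Eastern Arabic digits U+0660..U+0669, the locale artifact discussed above.
EASTERN_ARABIC_DIGITS = {chr(c) for c in range(0x0660, 0x066A)}


def has_eastern_arabic(name: str) -> bool:
    """True if any Eastern Arabic digit appears in an object key."""
    return any(ch in EASTERN_ARABIC_DIGITS for ch in name)


def parse_listing(xml_text: str) -> list:
    """Parse one ListBucketResult page into [{key, size, last_modified}]."""
    root = ET.fromstring(xml_text)
    return [{
        "key": c.findtext("s3:Key", default="", namespaces=S3_NS),
        "size": int(c.findtext("s3:Size", default="0", namespaces=S3_NS)),
        "last_modified": c.findtext("s3:LastModified", default="", namespaces=S3_NS),
    } for c in root.findall("s3:Contents", S3_NS)]


def next_token(xml_text: str) -> Optional[str]:
    """Continuation token if the page is truncated, else None."""
    root = ET.fromstring(xml_text)
    if root.findtext("s3:IsTruncated", default="false", namespaces=S3_NS) == "true":
        return root.findtext("s3:NextContinuationToken", namespaces=S3_NS)
    return None


def list_bucket(base_url: str, verify_tls: bool = False) -> list:
    """Walk every page of an anonymous listing; base_url like https://host:9679/hook.
    TLS verification is off by default: the endpoint served a certificate for
    another name (auth.androidfilehost.org), so strict checking would fail."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    objects, token = [], None
    while True:
        params = {"list-type": "2", **({"continuation-token": token} if token else {})}
        url = base_url.rstrip("/") + "?" + urllib.parse.urlencode(params)
        with urllib.request.urlopen(url, context=ctx, timeout=20) as resp:
            page = resp.read().decode("utf-8")
        objects.extend(parse_listing(page))
        token = next_token(page)
        if not token:
            return objects


def inventory(objects: list) -> dict:
    """Group objects by top-level prefix (device ID). HW- prefixes are victims;
    anything else (test bot, staging dir) is the operator's own material."""
    inv = {}
    for o in objects:
        device = o["key"].split("/", 1)[0]
        d = inv.setdefault(device, {
            "role": "victim" if device.startswith("HW-") else "operator",
            "files": 0, "bytes": 0, "last_modified": "", "arabic_locale": False})
        d["files"] += 1
        d["bytes"] += o["size"]
        # ISO-8601 timestamps of equal precision sort lexically.
        d["last_modified"] = max(d["last_modified"], o["last_modified"])
        d["arabic_locale"] = d["arabic_locale"] or has_eastern_arabic(o["key"])
    return inv


# Constructed sample page (not captured data). Device IDs are from the report;
# file names, sizes and timestamps are illustrative.
SAMPLE_LISTING = """<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Name>hook</Name><Prefix></Prefix><KeyCount>6</KeyCount><IsTruncated>false</IsTruncated>
  <Contents><Key>HW-dbfe8363b7c5ae60/Camera/IMG_\u0662\u0660\u0662\u0666\u0660\u0663\u0660\u0667.jpg</Key>
    <LastModified>2026-03-07T10:12:00.000Z</LastModified><Size>2100000</Size></Contents>
  <Contents><Key>HW-dbfe8363b7c5ae60/Audio/REC_\u0661.m4a</Key>
    <LastModified>2026-03-06T21:40:00.000Z</LastModified><Size>450000</Size></Contents>
  <Contents><Key>HW-e25395a7c09f4de7/Files/statement.pdf</Key>
    <LastModified>2026-03-01T08:05:00.000Z</LastModified><Size>120000</Size></Contents>
  <Contents><Key>HW-9b443c05e5b0d903/Screenshots/Screenshot_One_UI_Home.jpg</Key>
    <LastModified>2025-11-02T13:00:00.000Z</LastModified><Size>300000</Size></Contents>
  <Contents><Key>bot_test_samsung_s23/Camera/IMG_0001.jpg</Key>
    <LastModified>2026-01-15T09:00:00.000Z</LastModified><Size>70</Size></Contents>
  <Contents><Key>s2/com.xxx.zzz.apk</Key>
    <LastModified>2025-08-19T16:30:00.000Z</LastModified><Size>18000000</Size></Contents>
</ListBucketResult>
"""

if __name__ == "__main__":
    for device, d in sorted(inventory(parse_listing(SAMPLE_LISTING)).items()):
        print(f"{device:22} {d['role']:8} files={d['files']:3} MB={d['bytes']/1e6:7.2f} "
              f"last={d['last_modified'][:10]} arabic={d['arabic_locale']}")
```

Against a live bucket, run list_bucket("https://143.47.53.106:9679/hook") and feed the result to inventory(); a 403 on the listing (as seen on /injects/) raises urllib.error.HTTPError, which is the expected signal that the bucket exists but is not anonymously listable.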
Malware Samples
From v1 Investigation
SHA256 (truncated; full hashes in IOC Summary) | Family      | Type               | Size
-----------------------------------------------+-------------+--------------------+-------
109b2330...                                    | XWorm       | Go dropper (PE64)  | 3.4 MB
84fae604...                                    | XWorm/njRAT | .NET hybrid (PE32) | 111 KB
From OTX (Additional samples communicating with 143.47.53.106)
SHA256 (truncated; full hashes in IOC Summary) | Family           | Detection                              | Date
-----------------------------------------------+------------------+----------------------------------------+-----------
90b9a533...                                    | njRAT            | ClamAV: Win.Packed.njRAT               | 2026-03-07
5fb2d73e...                                    | AsyncRAT         | Defender: Backdoor:MSIL/AsyncRAT.GG!MTB | 2025-12-01
927af7c3...                                    | AsyncRAT         | Defender: Backdoor:MSIL/AsyncRAT.GG!MTB | 2025-12-01
4f7c31b6...                                    | AsyncRAT         | Defender: Backdoor:MSIL/AsyncRAT.GG!MTB | 2025-12-01
69bc9be2...                                    | Bladabindi/njRAT | Defender: Backdoor:MSIL/Bladabindi      | 2025-11-17
Threat Actor Profile
Attribution Assessment
Confidence : MEDIUM
Country/Region : Latin America (Venezuela) with Middle Eastern victim targeting
Motivation : Financial (banking trojan + credential theft)
Sophistication : MID — commodity RATs with multi-family diversification, tunneling OpSec, ISP access
Active since : At least June 2024
Currently active : YES (exfiltration 2 days ago, new domains today)
OPSEC Failures
Open MinIO bucket — 210 MB of victim data publicly accessible
Internal IP leak — 10.10.10.252 in MikroWisp JavaScript console.log
Expired TLS cert — auth.androidfilehost.org on 143.47.53.106 (Jan 28, 2026)
phpMyAdmin exposed — v5.0.2 accessible without IP restriction
Test device naming — bot_test_samsung_s23 reveals operator device model
Same IP for everything — ISP panel, RAT C2s, exfil storage all on one server
Operator Timeline
Date    | Activity
--------+------------------------------------------------------------
2024-06 | First domains on 143.47.53.106
2024-07 | LocaltoNet tunnel usage begins
2024-08 | Somali infrastructure (dash.samakaal.so)
2025-02 | etpcon.net subdomains
2025-04 | auth.androidfilehost.org registered, Hook staging
2025-06 | First Hook victim data
2025-07 | Venezuelan domains, chgip.online tunnels
2025-08 | Fake Splunk login
2025-10 | Italian Aruba server 80.211.137.34
2025-11 | DRC embassy impersonation, njRAT/Bladabindi
2025-12 | AsyncRAT samples, health sector targeting
2026-01 | Hook test device, DCRat on port 8090
2026-02 | Hook on port 9679, MikroWisp ISP panel
2026-03 | XWorm on port 3480, new domains, ACTIVE exfiltration
MITRE ATT&CK Mapping
Tactic              | Technique                                                              | ID
--------------------+------------------------------------------------------------------------+----------
Initial Access      | Phishing                                                               | T1566
Execution           | Command and Scripting Interpreter: PowerShell                          | T1059.001
Persistence         | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder  | T1547.001
Defense Evasion     | Obfuscated Files or Information                                        | T1027
Defense Evasion     | Impair Defenses: Disable or Modify Tools                               | T1562.001
Credential Access   | Input Capture: Keylogging                                              | T1056.001
Collection          | Screen Capture                                                         | T1113
Collection          | Audio Capture                                                          | T1123
Collection          | Video Capture                                                          | T1125
Collection          | Data from Local System                                                 | T1005
Command and Control | Application Layer Protocol                                             | T1071
Command and Control | Proxy                                                                  | T1090
Command and Control | Dynamic Resolution                                                     | T1568
Exfiltration        | Exfiltration Over C2 Channel                                           | T1041
IOC Summary
Network Indicators (defanged)
143[.]47[.]53[.]106 — Primary multi-RAT C2
80[.]211[.]137[.]34 — Related C2 (Italy)
45[.]12[.]2[.]233 — Hook phishing DNS
mzsgu2rhxn[.]localto[.]net:3480 — XWorm C2
auth[.]androidfilehost[.]org — Hook phishing/exfil
androidfilehost[.]org — Phishing parent domain
luuchinzi[.]com — Active C2 (created 2026-03-04)
supermercadoverde[.]com / .net — Active bait domains
cedicapital[.]tdeeplusghonline[.]com — Financial phishing
chancellerierdc[.]com — DRC embassy impersonation
File Indicators (SHA256)
109b233024348f26571c086aa6aae6eeedb062a704b4a23e0d87dd2234659103 — Go XWorm dropper
84fae604e319f9bede31f822019f1b35a9a893c0873b195d85b0a9c486f40e9a — .NET XWorm/njRAT
90b9a5337ed836afef5f432407dbc0c7675d11d54f3fe78af99cbae4c924b8bd — njRAT
5fb2d73efa82738be1c6076242fd9097d8f277fe5d9185a45e356e76b8a9d38c — AsyncRAT
927af7c313eb63cf0a6c7ef95c3231689584fd886dee151f549167d3c22ef2a4 — AsyncRAT
4f7c31b6723288e8041daaaa3a63ab1fa013f0474ce0cd89e9d2a333bb50f6cd — AsyncRAT
69bc9be2019663cc075ad613ccc13151ab03414261a19de8264d05cead84fbe7 — Bladabindi/njRAT
Host Indicators
Filename: Token GrabberV2.exe, CrackedLoader.exe
Drop path: %TEMP%\CrackedLoader.exe
Startup LNK: %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\CrackedLoader.lnk
GUID: 469ff7a0-5aea-4dde-b17b-4b772472a42b
Internal IP: 10.10.10.252
MinIO Owner: 02d6176db174dc93cb1b899f7c6078f08654445fe8cf1b6ce98d8855f66bdbf4
Recommended Actions
Block 143.47.53.106, 80.211.137.34, 45.12.2.233 at network perimeter
Block *.localto.net, *.chgip.online, *.torao.online, *.local2net.com at DNS
Block auth.androidfilehost.org and androidfilehost.org at DNS
Deploy YARA rules from xworm_march9_v2.yar
Report to Oracle Cloud abuse: abuse@oracleemaildelivery.com
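The perimeter and DNS blocks above are only useful once the defanged indicators are refanged and the wildcard tunnel entries are matched the right way (subdomains of localto.net, not the tunnel provider's apex). The following added example, written for this report rather than taken from the analyst's tooling, builds that blocklist from the IOC Summary, scans resolver log lines against it, and emits BIND RPZ records. The log line format and the lines in SAMPLE_DNS_LOG are constructed for illustration (client and answer addresses outside the indicator set use documentation ranges); the indicator values are the ones listed above.

```python
"""Blocklist from the defanged IOCs above, DNS log matching, and RPZ output.
Added example for this report (not the analyst's tooling); the log format
and SAMPLE_DNS_LOG are constructed.
"""
import ipaddress
from typing import Optional

NETWORK_IOCS = [  # defanged exactly as listed in the IOC summary
    "143[.]47[.]53[.]106", "80[.]211[.]137[.]34", "45[.]12[.]2[.]233",
    "mzsgu2rhxn[.]localto[.]net", "auth[.]androidfilehost[.]org",
    "androidfilehost[.]org", "luuchinzi[.]com", "supermercadoverde[.]com",
    "supermercadoverde[.]net", "cedicapital[.]tdeeplusghonline[.]com",
    "chancellerierdc[.]com",
]
# Tunnel services the operator rotates through. Block subdomains only: the
# apex is the tunnel provider's own site, not attacker infrastructure.
WILDCARD_DOMAINS = ["*.localto.net", "*.chgip.online", "*.torao.online", "*.local2net.com"]


def refang(ioc: str) -> str:
    """Undo the [.] / hxxp defanging used in the IOC summary."""
    return ioc.strip().lower().replace("[.]", ".").replace("hxxp", "http")


def is_ip(s: str) -> bool:
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


class Blocklist:
    def __init__(self, iocs, wildcards):
        self.ips, self.domains, self.suffixes = set(), set(), []
        for raw in iocs:
            v = refang(raw)
            (self.ips if is_ip(v) else self.domains).add(v)
        for w in wildcards:
            w = refang(w)
            self.suffixes.append(w[2:] if w.startswith("*.") else w)

    def match_domain(self, qname: str) -> Optional[str]:
        """Listed domains cover themselves and their subdomains; wildcard
        entries cover subdomains only. Returns the matching entry or None."""
        q = qname.rstrip(".").lower()
        if q in self.domains:
            return q
        for d in self.domains:
            if q.endswith("." + d):
                return d
        for s in self.suffixes:
            if q.endswith("." + s):
                return "*." + s
        return None

    def match_ip(self, ip: str) -> Optional[str]:
        return ip if ip in self.ips else None


def scan_dns_log(lines, bl: Blocklist) -> list:
    """Lines: '<time> <client> <qname> <qtype> <answer|NXDOMAIN>' (constructed
    format). A query hits on its name, or failing that on a blocked answer IP,
    which catches freshly rotated hostnames that resolve to known C2."""
    hits = []
    for ln in lines:
        parts = ln.split()
        if len(parts) < 5:
            continue
        ts, client, qname, _qtype, answer = parts[:5]
        rule, reason = bl.match_domain(qname), "domain"
        if rule is None and is_ip(answer):
            rule, reason = bl.match_ip(answer), "answer-ip"
        if rule:
            hits.append({"time": ts, "client": client, "qname": qname,
                         "rule": rule, "reason": reason})
    return hits


def rpz_records(bl: Blocklist) -> list:
    """BIND RPZ records with the NXDOMAIN action (CNAME .). IPv4 answers use
    the rpz-ip trigger: <prefixlen>.<reversed octets>.rpz-ip."""
    recs = []
    for d in sorted(bl.domains):
        recs += [f"{d} CNAME .", f"*.{d} CNAME ."]
    for s in sorted(bl.suffixes):
        recs.append(f"*.{s} CNAME .")
    for ip in sorted(bl.ips):
        if ipaddress.ip_address(ip).version == 4:
            recs.append("32." + ".".join(reversed(ip.split("."))) + ".rpz-ip CNAME .")
    return recs


# Constructed resolver log. Non-indicator addresses are documentation ranges.
SAMPLE_DNS_LOG = """
2026-03-09T08:00:01Z 10.1.2.3 mzsgu2rhxn.localto.net A 143.47.53.106
2026-03-09T08:00:05Z 10.1.2.3 9zolmh2qkt.localto.net A 143.47.53.106
2026-03-09T08:01:10Z 10.1.2.9 www.androidfilehost.org A 45.12.2.233
2026-03-09T08:02:00Z 10.1.2.9 example.com A 203.0.113.10
2026-03-09T08:03:00Z 10.1.2.7 cdn.rotated-host.invalid A 80.211.137.34
2026-03-09T08:04:00Z 10.1.2.7 localto.net A 198.51.100.5
2026-03-09T08:05:00Z 10.1.2.8 notlocalto.net A 198.51.100.6
""".strip().splitlines()

if __name__ == "__main__":
    bl = Blocklist(NETWORK_IOCS, WILDCARD_DOMAINS)
    for h in scan_dns_log(SAMPLE_DNS_LOG, bl):
        print(f"{h['time']} {h['client']:10} {h['qname']:26} -> {h['rule']} ({h['reason']})")
    print("\n".join(rpz_records(bl)))
```

Two details matter in practice: the suffix check prepends a dot, so notlocalto.net does not match *.localto.net, and the answer-IP fallback is what surfaces a hostname like cdn.rotated-host.invalid the day it appears, before anyone has added it to the domain list.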
Short-term (1-2 weeks)
Submit all IOCs to ThreatFox, MalwareBazaar
Report phishing domain to NameCheap (androidfilehost.org)
Report C2 domain to Spaceship (luuchinzi.com)
Coordinate with Middle Eastern CERTs for Hook victim notification
Medium-term (1-3 months)
Monitor new LocaltoNet subdomains on Oracle Cloud ranges
Track Hook APK distribution channels
Build passive DNS monitoring for identified tunnel services
Investigate NEXO58, C.A. relationship — is this ISP compromised or complicit?
GHOST — Breakglass Intelligence
"One indicator. Total infrastructure."