
ObsidianStrike: A Private C2 Framework Hiding on a Compromised Brazilian Law Firm for 9 Months — Only 2 Instances Exist

Published: April 10, 2026
Author: GHOST — Breakglass Intelligence
TLP: WHITE
Tags: c2-framework, obsidianstrike, brazil, compromised-infrastructure, law-firm, custom-malware


Executive Summary

Breakglass Intelligence has identified a previously undocumented command-and-control framework dubbed ObsidianStrike, deployed on infrastructure belonging to a Brazilian law firm. The threat actor compromised Mosello Lima Advocacia's DigitalOcean account, cloned a deployment across two identical droplets, and has been operating the C2 panel alongside the firm's legitimate case management system since at least July 2025 — approximately nine months undetected.

Only two internet-exposed instances of ObsidianStrike are known: Shodan indexes exactly two, both on this infrastructure. The framework has no presence on GitHub, no samples on VirusTotal or MalwareBazaar, and near-zero vendor detection of the hosting IPs. This is a fully private, Portuguese-language C2 built for targeted Windows operations, hidden behind a victim organization's domain.

Credit to @whoamix302 for the initial tip that led to this investigation.


What This Report Adds to the Public Record

  • First documented technical analysis of the ObsidianStrike C2 framework
  • Full capability mapping from extracted source code
  • Infrastructure linkage proving both nodes were deployed from the same DigitalOcean snapshot
  • Identification of serious secondary risk: Django DEBUG mode leaking the law firm's case management structure, client data endpoints, and internal automation bot names
  • Complete IOC package for detection and blocking

We welcome any prior research on this framework and will credit accordingly.


Infrastructure Overview

The threat actor operates two DigitalOcean droplets in North Bergen, New Jersey (AS14061), both serving identical ObsidianStrike C2 panels:

Attribute         Node 1                                             Node 2
IP                137[.]184[.]240[.]126                              137[.]184[.]76[.]141
Provider          DigitalOcean                                       DigitalOcean
Location          North Bergen, NJ                                   North Bergen, NJ
ASN               AS14061                                            AS14061
SSH fingerprint   1e:33:09:dd:ab:30:0e:d9:f4:7d:8c:2c:f7:6e:a1:d9    Identical
HASSH             41ff3ecd1458b0bf86e1b4891636213e                   Identical
SSL CN            cit[.]mosellolima[.]com[.]br                       Identical
SSL issuer        Let's Encrypt R12                                  Let's Encrypt R12
Open ports        22, 80, 443, 9000                                  22, 80, 443, 9000

The identical SSH host key fingerprint is the decisive link. OpenSSH generates host keys at first boot, so two droplets can only share one if they were created from the same disk image, here a DigitalOcean snapshot taken after the keys already existed. The matching HASSH is weaker evidence on its own (it reflects the OpenSSH version and configuration, which any two Ubuntu droplets of the same release share), and a certificate and its private key can simply be copied, but taken together with the host key they describe one cloned deployment from one compromised account. This is not coincidence; this is operational infrastructure management.

Port Layout

  • Port 22 — SSH (Ubuntu)
  • Port 80 — nginx
  • Port 443 — Portal MIT (the law firm's legitimate Django case management application)
  • Port 9000 — ObsidianStrike C2 panel

The threat actor did not disrupt the firm's existing services. They simply added port 9000.


The Victim: Mosello Lima Advocacia

Domain: mosellolima[.]com[.]br
Owner: Iklenio Lima
Tech contacts: iklenio@gmail[.]com, ti@mosellolima[.]com[.]br
Domain created: 2014-02-17 (registro.br)
Main site: Behind Cloudflare (188[.]114[.]96[.]0, 188[.]114[.]97[.]0)
Email infrastructure: Microsoft 365, Brevo, Zoho, Locaweb

Mosello Lima Advocacia is a Brazilian law firm that has operated its domain since 2014. Their primary website sits behind Cloudflare protection. They run Microsoft 365 for email and use multiple SaaS integrations typical of a mid-size legal practice.

Their internal case management system, "Portal MIT," runs on Django at port 443 on the compromised servers. This portal includes named automation bots ("Renata" and "Suzi"), BI dashboards, certificate management, and full case lifecycle tools — standard legal practice management software.

The cit Subdomain — Bypassing Cloudflare

A critical detail: the main mosellolima[.]com[.]br domain routes through Cloudflare, but the cit subdomain (cit[.]mosellolima[.]com[.]br) points directly to the DigitalOcean VPS IP addresses, completely bypassing Cloudflare's proxy and protection.

The subdomain likely stands for "Centro de Informatica e Tecnologia" (IT Center). The threat actor either created this subdomain after compromising the firm's DNS management, or repurposed an existing record. Either way, it exposes the raw server IPs — a significant OPSEC advantage for the attacker and a critical vulnerability for the victim.

Django DEBUG=True — Active Data Leak

The Django application on port 443 is running with DEBUG=True in production. When a non-existent URL is requested, Django returns a full URL pattern dump, exposing the entire application structure:

Automation Bots:

  • robo_renata — automated case processing
  • suzi — automated case processing
  • dispatcher — task routing

Dashboards:

  • panoramaMLA — firm overview dashboard
  • radarInconsistencias — inconsistency radar (audit tool)
  • gerador_dashboards_bi — BI dashboard generator

Legal Operations:

  • certidao — certificate management
  • conferencia — conference/review system
  • alterar_processos — case modification
  • alterar_fases — phase management
  • criar_pedidos — order creation
  • criar_compromissos — appointment scheduling

User Management:

  • /usuarios/ — full user management endpoints

This DEBUG leak is a serious secondary risk. Anyone who requests an invalid URL on port 443 receives a blueprint of the firm's entire case management system — endpoint names, URL patterns, and internal tooling. For a law firm handling client cases, this exposure could facilitate targeted attacks against specific legal proceedings or client data.
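A check for this leak, as an added example and not code from the report or from the victim's application: the parser below recognizes Django's technical 404 page (the one rendered only when DEBUG = True), extracts the ROOT_URLCONF module name and the URL pattern list it dumps, and returns an empty result for Django's default production 404. The two sample response bodies are constructed for the example, shaped like Django's own templates; the pattern names come from the list above, not from a capture of the victim's server, and the module name portal.urls is an assumption.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Phrases and markup Django's technical 404 template emits only when DEBUG = True.
_DEBUG_PHRASE = "DEBUG = True"
_TRIED_RE = re.compile(r"tried these URL\s+patterns")
_URLCONF_RE = re.compile(r"Using the URLconf defined in\s*<code>\s*(.*?)\s*</code>", re.S)
_PATTERN_LIST_RE = re.compile(r"tried these URL\s+patterns.*?<ol>(.*?)</ol>", re.S)
_LI_RE = re.compile(r"<li>(.*?)</li>", re.S)
_CODE_RE = re.compile(r"<code>\s*(.*?)\s*</code>", re.S)
_NAME_RE = re.compile(r"\[name='([^']*)'\]")


@dataclass
class DebugLeak:
    debug_enabled: bool
    urlconf: Optional[str] = None                       # dotted ROOT_URLCONF path, if leaked
    patterns: List[str] = field(default_factory=list)   # URL patterns in the order Django tries them


def parse_django_debug_404(body: str) -> DebugLeak:
    """Classify a 404 body and pull out what a DEBUG=True technical 404 leaks.

    Django lists every ROOT_URLCONF entry as an <li>; each include() prefix of a
    pattern is a separate <code> element, so joining the <code> texts of one <li>
    reconstructs the full pattern.
    """
    if _DEBUG_PHRASE not in body and not _TRIED_RE.search(body):
        return DebugLeak(debug_enabled=False)

    urlconf_match = _URLCONF_RE.search(body)
    urlconf = urlconf_match.group(1) if urlconf_match else None

    patterns: List[str] = []
    list_match = _PATTERN_LIST_RE.search(body)
    if list_match:
        for item in _LI_RE.findall(list_match.group(1)):
            pattern = "".join(c.strip() for c in _CODE_RE.findall(item))
            name = _NAME_RE.search(item)
            patterns.append(f"{pattern} [name={name.group(1)}]" if name else pattern)
    return DebugLeak(debug_enabled=True, urlconf=urlconf, patterns=patterns)


# Constructed sample bodies (not captured from the victim's server), shaped like
# Django's technical 404 page and its default production 404 page.
SAMPLE_DEBUG_404 = """<!DOCTYPE html>
<html><head><title>Page not found at /does-not-exist/</title></head><body>
<h1>Page not found <span>(404)</span></h1>
<p>Using the URLconf defined in <code>portal.urls</code>, Django tried these URL patterns, in this order:</p>
<ol>
  <li><code>admin/</code></li>
  <li><code>robo_renata/</code> [name='robo_renata']</li>
  <li><code>suzi/</code></li>
  <li><code>usuarios/</code> <code>editar/</code> [name='usuarios_editar']</li>
</ol>
<p>The current path, <code>does-not-exist/</code>, didn't match any of these.</p>
<p>You're seeing this error because you have <code>DEBUG = True</code> in your
Django settings file. Change that to <code>False</code>, and Django will display a
standard 404 page.</p>
</body></html>"""

SAMPLE_PROD_404 = ("<!DOCTYPE html><html><body><h1>Not Found</h1>"
                   "<p>The requested resource was not found on this server.</p></body></html>")


if __name__ == "__main__":
    leak = parse_django_debug_404(SAMPLE_DEBUG_404)
    print("DEBUG enabled:", leak.debug_enabled, "| URLconf:", leak.urlconf)
    for p in leak.patterns:
        print("  ", p)
    print("Production page flagged:", parse_django_debug_404(SAMPLE_PROD_404).debug_enabled)
```

Feed it the body returned for a path that cannot exist on a host you are authorized to test; a non-empty patterns list is the finding. The fix on the server side is DEBUG = False together with an explicit ALLOWED_HOSTS, because Django rejects every request when DEBUG is off and ALLOWED_HOSTS is empty.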


ObsidianStrike C2 — Technical Analysis

Stack

ObsidianStrike is a custom C2 framework with a web-based operator panel:

  • Backend: Python http.server (lightweight, no heavy framework)
  • Frontend: Vue.js 3 with Socket.IO 4.5.4
  • Font: JetBrains Mono (developer aesthetic)
  • Language: Portuguese-Brazilian (pt-BR) throughout the interface
  • Authentication: JWT-based with auto-setup functionality
  • Real-time comms: Socket.IO for live agent streaming

The choice of Python's built-in http.server as the backend is notable. It needs nothing installed beyond the interpreter, keeps the deployment footprint minimal, and is trivially portable. The Vue.js frontend with Socket.IO provides a responsive, real-time operator experience: this is not a hastily assembled script but a purpose-built tool.

Authentication and Setup

The C2 panel implements JWT authentication with a dangerous convenience feature: an unauthenticated /api/setup endpoint that initializes the panel with default credentials (admin/admin). The auto-setup logic is embedded in the client-side JavaScript, meaning anyone who inspects the page source can see the setup mechanism.

On the investigated instances, setup had already been completed — the panel was initialized and operational.

API Endpoints

Endpoint                  Method   Auth   Purpose
/api/setup                POST     None   Initial admin account creation
/api/login                POST     None   JWT token generation
/api/agents               GET      JWT    List all connected agents
/api/agents/{id}          GET      JWT    Agent details (hostname, username, internal IP, online status)
/api/agents/{id}/tasks    POST     JWT    Send command to agent
/api/agents/{id}/tasks    GET      JWT    Retrieve task results

Agent Capabilities

Source code extraction revealed the following command set:

Capability       Command               Description
Remote shell     (arbitrary command)   Full command execution on the agent
Screenshot       screenshot            Captures the screen, returns a base64-encoded PNG
Live streaming   screenwatch on|off    Real-time screen feed via Socket.IO
File browser     ls_json "path"        JSON directory listing; default path is C:\
File download    fetch_file "path"     Base64-encoded file exfiltration
File delete      rm_file "path"        Destructive file removal
Process list     plist                 Process name, PID, CPU usage, memory consumption

The default file browser path of C:\ is a critical indicator. The C2 servers run Ubuntu, but the agents it manages are Windows machines. This confirms ObsidianStrike is designed to control Windows endpoints from Linux infrastructure — the compromised law firm servers are the C2 backbone, not the targets.

Dashboard Interface

The operator panel includes:

  • Agent Overview — Grid and list views of connected agents with status indicators
  • Network Graph — Topology visualization of agent relationships
  • Event Log — Chronological operational log
  • Interactive Shell — Real-time command execution interface
  • Screenshot Tab — On-demand and historical screen captures
  • File Explorer — Breadcrumb-navigated file browser with download/delete actions
  • Process Manager — Running process enumeration with sorting
  • Live Screen Streaming — Real-time screen viewing via Socket.IO

This is a fully featured C2 operator panel comparable to commercial red team tools, but entirely private and purpose-built.


Attribution Assessment: Compromised Victim, Not Insider Threat

Seven indicators support the conclusion that Mosello Lima Advocacia is a victim of infrastructure compromise, not an insider operating the C2:

1. Threat Actor Branding. "ObsidianStrike" is deliberate operational branding — the kind of name a threat actor gives their tool, not what an IT administrator names internal software.

2. Django DEBUG=True. The legitimate Portal MIT application runs with Django's debug mode enabled in production, exposing the full URL structure. An IT team aware of the C2 on their own servers would not simultaneously leave their production application in debug mode.

3. Auto-Setup with Default Credentials. The /api/setup endpoint initializes with admin/admin and this logic is visible in client-side JavaScript. An insider deploying deliberately would configure proper credentials.

4. Windows-Targeting C2 on Linux Infrastructure. The C2 defaults to C:\ paths — it manages Windows victims, but the servers are Ubuntu. The law firm's servers are the staging platform, not the ultimate targets.

5. Legitimate Services Untouched. Portal MIT continues to operate normally on port 443. The threat actor simply added port 9000 alongside existing services.

6. Cloudflare Bypass. The main domain routes through Cloudflare, but the cit subdomain points directly to the VPS IPs. This is consistent with a threat actor who gained DNS or hosting account access and created a record that bypasses the firm's existing security controls.

7. Cloned Infrastructure. Two identical droplets deployed from the same snapshot indicate a compromised DigitalOcean account. An insider would not need to clone — they would have direct access.


Timeline

Date                 Event
2014-02-17           mosellolima[.]com[.]br registered
2021                 Node 2 IP previously hosted devops training sites, stairway[.]ma
Pre-2025             Node 1 IP previously hosted featrix[.]com, sedeimoveis[.]com[.]br
2025-07-20           First Let's Encrypt certificate for cit[.]mosellolima[.]com[.]br (R10); earliest confirmed C2 activity
2025-07 to 2026-04   Regular 60-day certificate renewals; continuous operation
2026-03-28           URLScan captures confirming the C2 panel on both nodes
2026-04-10           This report

The C2 infrastructure has been operational for approximately nine months with no disruption. Certificate renewals confirm continuous, automated upkeep.


Detection Status — Near Invisible

Platform            Node 1 (137[.]184[.]240[.]126)      Node 2 (137[.]184[.]76[.]141)
VirusTotal          2/94 detections                     1/94 detections
Detecting vendors   Criminal IP, CRDF, Gridinsoft       Criminal IP
ThreatFox           Not listed                          Not listed
URLhaus             Not listed                          Not listed
AbuseIPDB           Not listed                          Not listed
MalwareBazaar       Not listed                          Not listed
Shodan              Listed (ObsidianStrike on 9000)     Listed (ObsidianStrike on 9000)

Shodan indexes exactly two ObsidianStrike instances, both on this infrastructure. This is not a leaked builder or a forked open-source project; it is a private, purpose-built framework with an extremely small deployment footprint.

The near-zero detection rate across all major threat intelligence platforms means this C2 has been effectively invisible to automated defenses for its entire operational lifetime.


OPSEC Failures

Despite building a custom C2 framework, the threat actor made significant operational security mistakes:

  1. C2 on identifiable business domain. Hosting the C2 on cit[.]mosellolima[.]com[.]br ties the entire operation to a real, identifiable organization.

  2. WHOIS exposure. The domain's WHOIS records reveal real names and email addresses (the victim's), but these now link to the C2 infrastructure in public scanning data.

  3. Django DEBUG=True. Whether the TA left this or the victim had it configured, it exposes the full application architecture to any visitor.

  4. Auto-setup credentials in client-side JavaScript. The admin/admin default and the setup logic are visible in the page source.

  5. Dashboard accessible without auth redirect. The panel serves its frontend without requiring authentication first, allowing reconnaissance of the framework before login.

  6. cit subdomain not behind Cloudflare. Exposes raw server IPs while the main domain is proxied — an inconsistency that draws investigative attention.

  7. Identical SSH fingerprints across both nodes. Definitively links both servers to the same deployment, same operator, same compromised account.

  8. Identical Let's Encrypt certificates on both servers. Further confirms the cloned deployment pattern.

These failures collectively enabled the identification, analysis, and full mapping of this infrastructure from passive data alone.


MITRE ATT&CK Mapping

Technique ID   Name                                                  Application
T1584.003      Compromise Infrastructure: Virtual Private Server     DigitalOcean droplets created in the victim's compromised account
T1587.001      Develop Capabilities: Malware                         Custom ObsidianStrike C2 framework
T1071.001      Application Layer Protocol: Web Protocols             HTTP/HTTPS C2 with JWT auth on the operator panel
T1571          Non-Standard Port                                     C2 panel on port 9000
T1059          Command and Scripting Interpreter                     Remote shell execution on agents
T1113          Screen Capture                                        screenshot and screenwatch commands
T1005          Data from Local System                                fetch_file file exfiltration
T1057          Process Discovery                                     plist process enumeration
T1083          File and Directory Discovery                          ls_json directory browsing
T1041          Exfiltration Over C2 Channel                          Base64 file transfers over HTTP
T1485          Data Destruction                                      rm_file destructive capability

The infrastructure technique is mapped to T1584 (Compromise Infrastructure) rather than T1583 (Acquire Infrastructure) because the droplets were created inside the victim's own hosting account, which is the central finding of this report.

Indicators of Compromise

Network Indicators

# C2 Server IPs
137[.]184[.]240[.]126
137[.]184[.]76[.]141

# C2 Domain
cit[.]mosellolima[.]com[.]br

# C2 URLs
https://cit[.]mosellolima[.]com[.]br:9000
https://cit[.]mosellolima[.]com[.]br:9000/api/login
https://cit[.]mosellolima[.]com[.]br:9000/api/setup
https://cit[.]mosellolima[.]com[.]br:9000/api/agents

# Victim Domain (NOT malicious — compromised)
mosellolima[.]com[.]br

SSH Fingerprints

# SSH Host Key Fingerprint (both nodes)
1e:33:09:dd:ab:30:0e:d9:f4:7d:8c:2c:f7:6e:a1:d9

# HASSH (both nodes)
41ff3ecd1458b0bf86e1b4891636213e

TLS Indicators

# JARM (both nodes)
15d3fd16d29d29d00042d43d000000fe02290512647416dcf0b400ccbc0b6b

# SSL Certificate CN
cit[.]mosellolima[.]com[.]br

# Certificate Issuer
Let's Encrypt R12

Email Addresses (Victim — for context, not malicious)

iklenio@gmail[.]com
ti@mosellolima[.]com[.]br

Detection Signatures

# Shodan Query
"ObsidianStrike"

# Port Pattern (high-noise pivot: Shodan's query language uses space-separated
# implicit AND and indexes each service banner separately, so a multi-port
# conjunction is not a reliable filter; pivot on the panel string and JARM first)
org:"DigitalOcean" port:9000

# JARM Match
ssl.jarm:"15d3fd16d29d29d00042d43d000000fe02290512647416dcf0b400ccbc0b6b"

Recommendations

For the Victim (Mosello Lima Advocacia)

  1. Audit DigitalOcean account immediately. Review all droplets, snapshots, SSH keys, and API tokens. Assume the account is fully compromised.
  2. Disable Django DEBUG mode. Set DEBUG=False in production immediately, and set ALLOWED_HOSTS explicitly at the same time, because Django rejects every request when DEBUG is off and ALLOWED_HOSTS is empty. The current configuration leaks your entire application structure.
  3. Route all subdomains through Cloudflare. The cit subdomain exposes raw server IPs, defeating Cloudflare's protection.
  4. Rotate all credentials. SSH keys, Django secrets, database passwords, API tokens, and any credentials stored on the compromised servers.
  5. Engage incident response. Nine months of C2 access means the threat actor likely has deep access to firm data. A forensic investigation is warranted.
  6. Review DNS records. Identify any unauthorized subdomain records pointing away from Cloudflare.

For Defenders

  1. Block the IOCs listed above. Both IPs, the domain, and the JARM fingerprint.
  2. Hunt for port 9000. Look for outbound connections from your endpoints to TCP/9000 on the C2 IPs or domain (that is where agents check in), and for unexpected listeners on 9000 on servers you host. The port alone is common; treat it as a pivot, not a verdict.
  3. Monitor for the SSH host key fingerprint. It uniquely identifies this cloned deployment. The HASSH value is weaker on its own: it reflects the OpenSSH version and configuration and will match other Ubuntu hosts of the same release.
  4. Check for ObsidianStrike indicators in web and proxy logs. The /api/setup, /api/login, /api/agents and /api/agents/{id}/tasks URL patterns are distinctive in combination with port 9000 or the C2 hosts; /api/login and /api/agents alone are generic REST names.
  5. Review DigitalOcean account security. If you use DigitalOcean, enable 2FA and audit API token usage. This actor demonstrated the ability to clone infrastructure from compromised accounts.
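An added example (not tooling from the report) of the log hunt in items 2 and 4 above. It scores each proxied request by destination first (the published IPs and domain), then by the combination of TCP/9000 with a panel API path, and treats a bare /api/setup as a low-confidence lead, since /api/login and /api/agents are too generic to flag on their own. The six-field record format and all log lines are constructed for the example; the split in scan_proxy_log is the part to adapt to your proxy's real format.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Network indicators published in this report.
C2_IPS = {"137.184.240.126", "137.184.76.141"}
C2_DOMAINS = {"cit.mosellolima.com.br"}
C2_PORT = 9000

# Panel API paths from the extracted source. /api/login and /api/agents are generic
# REST names, so a path match by itself is only a weak signal.
C2_PATH_RE = re.compile(r"^/api/(setup|login|agents(?:/[^/]+(?:/tasks)?)?)/?$")


class Hit(NamedTuple):
    line_no: int
    confidence: str   # "high" | "medium" | "low"
    reason: str
    raw: str


def classify(dst: str, port: int, path: str) -> Optional[Tuple[str, str]]:
    """Tiered verdict for one request: destination beats port, port beats path."""
    dst = dst.lower().rstrip(".")          # normalize case and a trailing FQDN dot
    clean_path = path.split("?", 1)[0]     # ignore the query string when matching
    path_match = bool(C2_PATH_RE.match(clean_path))
    if dst in C2_IPS or dst in C2_DOMAINS:
        return "high", f"destination {dst} is a published ObsidianStrike node"
    if port == C2_PORT and path_match:
        return "medium", f"panel API path {clean_path} on TCP/{C2_PORT} to an unknown host"
    if clean_path.startswith("/api/setup"):
        return "low", "/api/setup is distinctive but not unique; verify the destination"
    return None


def scan_proxy_log(lines: List[str]) -> List[Hit]:
    """Scan whitespace-separated records of the constructed form
    <timestamp> <src_ip> <dst_host_or_ip> <dst_port> <method> <path>."""
    hits: List[Hit] = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 6:
            continue                       # malformed record: skip rather than guess
        _ts, _src, dst, port_s, _method, path = parts[:6]
        if not port_s.isdigit():
            continue
        verdict = classify(dst, int(port_s), path)
        if verdict:
            hits.append(Hit(n, verdict[0], verdict[1], line))
    return hits


# Constructed sample records (not real traffic); RFC 5737 addresses for unknown hosts.
SAMPLE_LOG = [
    "2026-04-09T10:00:01Z 10.0.0.15 www.example.com 443 GET /index.html",
    "2026-04-09T10:00:05Z 10.0.0.22 cit.mosellolima.com.br 9000 POST /api/login",
    "2026-04-09T10:00:09Z 10.0.0.22 137.184.76.141 9000 GET /api/agents/7f3a/tasks",
    "2026-04-09T10:00:12Z 10.0.0.31 203.0.113.7 9000 GET /api/agents?online=1",
    "2026-04-09T10:00:15Z 10.0.0.31 api.example.org 443 POST /api/login",
    "2026-04-09T10:00:20Z 10.0.0.40 198.51.100.9 443 POST /api/setup",
]


if __name__ == "__main__":
    for h in scan_proxy_log(SAMPLE_LOG):
        print(f"line {h.line_no}: [{h.confidence}] {h.reason}")
```

On the sample, lines 2 and 3 are high (known destination), line 4 is medium (generic API path, but on 9000), line 6 is low (/api/setup to an unknown host on 443), and the ordinary /api/login on line 5 produces nothing, which is the point of the tiering: the same path string is evidence only in context.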

Conclusion

ObsidianStrike represents a class of threat that traditional detection infrastructure consistently misses: a private, custom C2 framework with no public code, no leaked samples, and a deployment footprint of exactly two servers. It operated for nine months on a compromised law firm's infrastructure with near-zero detection across all major threat intelligence platforms.

The threat actor chose their victim strategically. A law firm's DigitalOcean account provides legitimate-looking infrastructure with an established domain history. The cit subdomain blends naturally with an IT-focused law firm. And by leaving the firm's Portal MIT application running undisturbed on port 443, the C2 on port 9000 attracted no attention.

The C2 itself targets Windows endpoints — the Ubuntu servers are the command infrastructure, not the ultimate victims. Somewhere, Windows machines are checking in to cit[.]mosellolima[.]com[.]br:9000, receiving commands, streaming their screens, and having their files exfiltrated. The agents on the other end of this C2 are the story we cannot yet tell.

What we can tell is that this infrastructure is burned. The IOCs are published. The clock is running.


Initial tip credit: @whoamix302

If you have additional context on ObsidianStrike or related infrastructure, reach out via reply or DM on X/Twitter.

GHOST — Breakglass Intelligence https://intel.breakglass.tech
