
OffLoader: 100 C2 Domains, a Trojanized 7-Zip Installer, and the Amadey Botnet's Pay-Per-Install Machine

Published March 12, 2026
Tags: phishing, vidar, quasarrat, amadey, social-engineering, c2, botnet, spearphishing

TL;DR: An 8.5MB Inno Setup installer uploaded to MalwareBazaar turned out to be OffLoader -- a loader/dropper distributed through the Amadey botnet's fbf543 pay-per-install campaign. Following the C2 trail led to 100 distinct command-and-control domains registered via Namecheap, all following a distinctive two-English-word naming pattern (e.g., mouthfruit[.]cfd, dinosaursjam[.]cfd, basketballyear[.]xyz), distributed across two Cloudflare accounts that rotated in February 2026. Multiple domains were confirmed LIVE and actively serving a previously unreported trojanized 7-Zip 16.02 installer via the /api/ endpoint. The delivery infrastructure sits on OMEGATECH bulletproof hosting (AS202412), a Seychelles shell company backed by Turkish parent entity MGN TEKNOLOJI operating 17 /24 blocks (4,352 IPs). The Amadey fbf543 campaign is not exclusive to OffLoader -- it simultaneously distributes Vidar stealer, QuasarRAT, and SalatStealer, confirming this is a multi-family PPI distribution service where OffLoader is one of several customers buying installs.


When a 7/76 Detection Rate Means You Should Pay Attention

An 8.5MB file with a 7 out of 76 antivirus detection rate is either a false positive or something that most of the security industry has not caught up with yet. This was the latter.

The sample arrived on MalwareBazaar on March 10, 2026, reported by Bitsight as a web download. On the surface, it looked like a weaponized Inno Setup installer -- a legitimate Windows installer framework that malware authors frequently abuse because the resulting executables inherit the trust and familiarity of the Inno Setup brand. The installer was compiled with Embarcadero Delphi 36.0, carried fake Authenticode metadata claiming to be from "Neon Analytics Tech" (a company that does not exist), and had 90% of its 8.5MB file size dedicated to encrypted overlay data.

But the real discovery was not in the binary itself. It was in the infrastructure behind it.

A ThreatFox pivot on the OffLoader tag returned 100 distinct C2 domains spanning December 2025 to March 2026. All registered through Namecheap. All following an identical naming convention. All proxied through Cloudflare. And multiple domains confirmed LIVE, actively serving malware payloads to anyone who asked.

What Was Found vs. What Was Known

Aspect                   Prior Reporting              Our Findings
-----------------------  ---------------------------  ----------------------------------------------------------------------
C2 Infrastructure        Individual domains reported  100 C2 domains mapped, naming pattern identified
Domain Registration      Unknown                      All Namecheap, two-word concatenation pattern, cheap TLDs
Cloudflare Accounts      Unknown                      Two accounts identified (ara/venkat -> brad/emma rotation in Feb 2026)
Delivery Infrastructure  Unknown                      OMEGATECH BPH (AS202412), Seychelles shell -> Turkish parent
Payload                  Unknown                      Trojanized 7-Zip 16.02 installer served from live C2 (unreported hash)
Campaign Linking         OffLoader only               Amadey fbf543 distributes OffLoader + Vidar + QuasarRAT + SalatStealer
Social Engineering       Unknown                      Cracked Adobe Photoshop, Fortnite tools, BIGFILMS packs, billing docs
Detection Rate           --                           7/76 (9.2%) -- effectively invisible to most AV engines

The Attack Chain: From Amadey to Shell Extension Hijack

[1. Amadey Botnet - Campaign fbf543]
    Pay-per-install service selects payload
    Downloads OffLoader from 158.94.211[.]222 (OMEGATECH BPH)
    URL: /files/7782139129/4Qrxrgo.exe
         |
         v
[2. Victim Execution]
    Social engineering lure:
    - "Adobe Photoshop 2025 v26 Cracked Free Download"
    - "Fortnite Potato Graphics How to play on LOW END PC"
    - "BIGFILMS INFERNO Pack Create Epic Blockbuster Scenes"
    - "December bill.exe"
         |
         v
[3. Inno Setup Wrapper Unpacks]
    Modified Inno Setup 6.6.0 (Delphi 36.0)
    Encrypted payload sections (90% of 8.5MB file)
    Geofencing check (location settings)
    Debug environment detection
         |
         v
[4. C2 Check-In]
    /connector --> 200 OK (beacon)
    /config    --> "closed" or campaign status
    /api/      --> Payload download (setup.exe)
         |
         v
[5. Trojanized 7-Zip 16.02 Installer]
    Masquerades as legitimate 7-Zip installer
    Requests administrator privileges (UAC bypass)
    SeShutdownPrivilege token adjustment
         |
         v
[6. Persistence via Shell Extension Hijack]
    CLSID: {23170F69-40C1-278A-1000-000100020000}
    Registers DragDropHandlers + ContextMenuHandlers
    Applies to: Drive, Directory, Folder, * (all files)
    Code executes on EVERY right-click context menu

The persistence mechanism is elegant. By registering a shell extension handler that applies to all files, all directories, all drives, and all folders, the trojanized 7-Zip component gains code execution every time the user right-clicks on anything in Windows Explorer. It is one of the most reliable persistence mechanisms available because it does not depend on scheduled tasks, startup registry keys, or services -- it triggers on the most common user interaction in Windows.

100 C2 Domains: A Study in Industrialized Infrastructure

The 100 domains follow a rigid pattern that makes them both easy to generate and easy to detect -- if you know what you are looking for.

The Naming Convention

Every domain is a two-English-word concatenation registered on a cheap TLD:

  • mouthfruit[.]cfd
  • dinosaursjam[.]cfd
  • basketballyear[.]xyz
  • chickensmine[.]space
  • punishmentslave[.]info
  • birthdaymagic[.]xyz
  • grassturkey[.]info

Noun + noun. Adjective + noun. Occasionally verb + noun. Always two words, no hyphens, no numbers. This is almost certainly generated by a word-list combinator script -- pick one word from column A, one from column B, register the result on whatever cheap TLD is available through Namecheap.
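One way to turn the naming convention into a triage signal for DNS query logs, as an added example that is not part of the original report: a label is flagged when it splits into exactly two dictionary words and sits on one of the cheap TLDs seen across the set. The word list, log format and sample lines are constructed; a real deployment would load a full dictionary and correlate hits with the Namecheap/Cloudflare details above rather than block on the pattern alone.

```python
"""Flag DNS queries for <word><word>.<cheap TLD> domains like the OffLoader C2 set. Heuristic only:
legitimate domains concatenate words too, so a hit is a triage signal, not a verdict."""
import re

# Constructed mini word list; load a full dictionary (e.g. /usr/share/dict/words) in practice.
WORDS = {"mouth", "fruit", "dinosaurs", "jam", "basketball", "year", "chickens", "mine",
         "punishment", "slave", "birthday", "magic", "grass", "turkey", "paper", "bee",
         "gun", "bear", "rock", "credit", "example", "cloud", "flare", "town", "quiver"}
CHEAP_TLDS = {"cfd", "xyz", "space", "info"}     # TLDs seen across the report's 100 domains
MIN_WORD_LEN = 3
QUERY_RE = re.compile(r"query=(\S+)")            # field layout of the constructed log below

def two_word_split(label, words=WORDS):
    """Return (word_a, word_b) if label is exactly two dictionary words, else None."""
    for i in range(MIN_WORD_LEN, len(label) - MIN_WORD_LEN + 1):
        a, b = label[:i], label[i:]
        if a in words and b in words:
            return a, b
    return None

def is_candidate(domain, words=WORDS, tlds=CHEAP_TLDS):
    """True for a bare second-level domain: letters only (no digits/hyphens), cheap TLD, two words."""
    label, _, tld = domain.lower().rstrip(".").partition(".")
    if tld not in tlds or not re.fullmatch(r"[a-z]+", label):
        return False
    return two_word_split(label, words) is not None

def scan_dns_log(lines):
    """Return distinct matching domains, in first-seen order, from query-log lines."""
    seen = []
    for line in lines:
        m = QUERY_RE.search(line)
        if m and is_candidate(m.group(1)) and m.group(1).lower() not in seen:
            seen.append(m.group(1).lower())
    return seen

# Constructed sample log; the domains are the report's, re-armed so the parser sees real names.
SAMPLE_LOG = """\
2026-03-10T09:12:01Z client=10.0.0.5 query=mouthfruit.cfd type=A
2026-03-10T09:12:03Z client=10.0.0.5 query=www.example.info type=A
2026-03-10T09:12:09Z client=10.0.0.7 query=cloudflare.com type=A
2026-03-10T09:14:22Z client=10.0.0.9 query=dinosaursjam.cfd type=A
2026-03-10T09:15:00Z client=10.0.0.9 query=mouthfruit.cfd type=A
2026-03-10T09:16:41Z client=10.0.0.2 query=rock-credit.space type=A
""".splitlines()

if __name__ == "__main__":
    print(scan_dns_log(SAMPLE_LOG))
```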

The Cloudflare Account Rotation

Period                        Cloudflare NS Pair                                Account
----------------------------  ------------------------------------------------  ---------
December 2025 - January 2026  ara.ns.cloudflare.com / venkat.ns.cloudflare.com  Account 1
February 2026 - Present       brad.ns.cloudflare.com / emma.ns.cloudflare.com   Account 2

The operator rotated Cloudflare accounts around February 2026. This is likely a response to abuse reports on the first account -- when Cloudflare receives enough complaints, they may disable the account, forcing the operator to register a new one and migrate their domains. The naming convention stayed the same, the registrar stayed the same, the backend stayed the same. Only the Cloudflare account changed.

Domain Status (Sample of Most Recent)

Domain                 TLD     First Seen  Status
---------------------  ------  ----------  -----------------------
mouthfruit[.]cfd       .cfd    2026-03-08  LIVE -- serving malware
basketballyear[.]xyz   .xyz    2026-03-08  LIVE
chickensmine[.]space   .space  2026-03-07  LIVE
dinosaursjam[.]cfd     .cfd    2026-03-05  LIVE
yardvalue[.]cfd        .cfd    2026-03-05  LIVE
yamsmell[.]xyz         .xyz    2026-03-04  LIVE
paperbee[.]xyz         .xyz    2025-12-27  LIVE
grassturkey[.]info     .info   2025-12-27  LIVE
pizzasthread[.]xyz     .xyz    2025-12-29  LIVE
rockcredit[.]space     .space  2026-02-27  LIVE

The majority of domains -- even those registered months ago -- are still resolving and responding. This is an operation with staying power.

The C2 Backend

Every live domain shares the same backend fingerprint:

Component       Value
--------------  ------------------------------------------------------------------------------
Reverse Proxy   Cloudflare (cf-ray headers)
Backend Server  nginx/1.10.1 (leaks in 301 redirects)
X-Powered-By    PHP/5.5.38 (likely spoofed)
/connector      200 OK (bot check-in endpoint)
/config         Returns "closed" (campaign paused) or active status
/api/           Serves PE32 executable with Content-Disposition: attachment; filename=setup.exe
CORS            Access-Control-Allow-Origin: * on /api/ (accepts requests from anywhere)

The nginx/1.10.1 version is notable -- it was released in 2016. Either the backend server has not been updated in a decade, or this version string is spoofed to avoid fingerprinting. Given the PHP/5.5.38 header (also from 2016), the operator may be running an intentionally aged server stack, or more likely, both headers are hardcoded to mislead.
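The backend fingerprint above can be hunted in web-proxy telemetry. The following is an added example, not code from the report: it groups requests by client and host, escalates when the /connector, /config and /api/ trio appears together, when /api/ returned an attachment named setup.exe, or when the nginx/1.10.1 + PHP/5.5.38 header pair leaks through. The key=value log format and the sample lines are constructed assumptions.

```python
"""Hunt a constructed key=value web-proxy log for the OffLoader C2 sequence (/connector, /config, /api/).
Severity rises when /api/ returned an attachment named setup.exe or when the response carried the
nginx/1.10.1 + PHP/5.5.38 header pair the report attributes to the backend. Log format is assumed."""
import re
from collections import defaultdict

C2_PATHS = {"/connector", "/config", "/api/"}
BACKEND_FINGERPRINT = ("nginx/1.10.1", "PHP/5.5.38")
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')   # key=value or key="quoted value"

def parse_line(line):
    """Split one log line into a dict; quotes around values are stripped."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def hunt(lines):
    """Return {(client, host): finding} for every client/host pair that touched a C2 path."""
    findings = defaultdict(lambda: {"paths": set(), "severity": "low", "reasons": []})
    for line in lines:
        rec = parse_line(line)
        path = rec.get("path", "")
        if path not in C2_PATHS:
            continue
        f = findings[(rec.get("src"), rec.get("host"))]
        f["paths"].add(path)
        if path == "/api/" and "setup.exe" in rec.get("content_disposition", "").lower():
            f["severity"] = "high"                      # payload actually delivered
            f["reasons"].append("/api/ served attachment setup.exe")
        if (rec.get("server"), rec.get("x_powered_by")) == BACKEND_FINGERPRINT:
            f["severity"] = "medium" if f["severity"] == "low" else f["severity"]
            f["reasons"].append("nginx/1.10.1 + PHP/5.5.38 backend fingerprint")
    for f in findings.values():                          # full beacon -> config -> download chain
        if C2_PATHS <= f["paths"]:
            f["severity"] = "medium" if f["severity"] == "low" else f["severity"]
            f["reasons"].append("full /connector -> /config -> /api/ sequence")
    return dict(findings)

# Constructed sample lines; domains are the report's, re-armed so the parser sees real hostnames.
SAMPLE_LOG = """\
ts=2026-03-10T10:00:01Z src=10.0.0.5 host=mouthfruit.cfd path=/connector status=200 server=cloudflare
ts=2026-03-10T10:00:02Z src=10.0.0.5 host=mouthfruit.cfd path=/config status=200 server=cloudflare
ts=2026-03-10T10:00:04Z src=10.0.0.5 host=mouthfruit.cfd path=/api/ status=200 server=cloudflare content_disposition="attachment; filename=setup.exe"
ts=2026-03-10T10:01:10Z src=10.0.0.7 host=intranet.corp.example path=/api/ status=200 server=nginx/1.24.0
ts=2026-03-10T10:02:33Z src=10.0.0.9 host=yamsmell.xyz path=/config status=301 server=nginx/1.10.1 x_powered_by=PHP/5.5.38
""".splitlines()

if __name__ == "__main__":
    for (src, host), f in hunt(SAMPLE_LOG).items():
        print(f"{f['severity']:6} {src} -> {host}: {', '.join(f['reasons']) or 'single C2-style path'}")
```

A lone /api/ hit on an internal host stays at low severity, which is the intended false-positive control: the path names alone are too generic to alert on.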

The Trojanized 7-Zip Installer: A Previously Unreported Payload

During live C2 probing, mouthfruit[.]cfd/api/ served a PE32 executable masquerading as a 7-Zip 16.02 installer. This payload hash does not appear on VirusTotal or MalwareBazaar as of investigation time.

Property              Value
--------------------  ------------------------------------------------------------------
SHA-256               629ce3c424bd884e74aed6b7d87d8f0d75274fb87143b8d6360c5eec41d5f865
MD5                   1f662cf64a83651238b92d62e23144fd
File Size             1,106,469 bytes (1.05 MB)
File Type             PE32 executable (GUI) Intel 80386
PE Timestamp          2016-05-21 08:52:51 UTC (likely backdated)
Masquerade            7-Zip 16.02 Installer
Manifest              requireAdministrator
Privilege Escalation  SeShutdownPrivilege token adjustment
VT/MB Status          Not yet submitted (unreported at time of investigation)

The PE timestamp claims May 2016, but the file was served from active C2 infrastructure in March 2026. A 10-year timestamp gap is a strong indicator of deliberate manipulation -- the operator backdated the compilation timestamp to match the legitimate 7-Zip 16.02 release window, hoping to make the binary appear older and more trustworthy than it is.

The payload performs three key actions:

  1. Registry manipulation: Creates keys under Software\7-Zip and the CLSID {23170F69-40C1-278A-1000-000100020000}
  2. Shell extension hijack: Registers DragDropHandlers and ContextMenuHandlers for all file types
  3. Privilege escalation: Requests admin elevation via manifest and adjusts the SeShutdownPrivilege token

The Delivery Layer: OMEGATECH Bulletproof Hosting

The Amadey botnet delivers OffLoader from 158[.]94[.]211[.]222, hosted on OMEGATECH (AS202412). OMEGATECH is a Seychelles-registered shell company that serves as the operational front for MGN TEKNOLOJI ANONIM SIRKETI, a Turkish entity that maintains the RIPE registration.

MGN TEKNOLOJI ANONIM SIRKETI (Turkey)
  |-- lir-tr-mgn-1-MNT (RIPE maintainer)
      |
      +-- Omegatech LTD (Seychelles shell company)
          |-- AS202412
          |-- abuse@omegatech[.]sc
          |
          +-- 17 /24 prefixes (4,352 IPs total)
              158.94.208-211.0/24  (4 blocks)
              178.16.52-55.0/24   (4 blocks)
              91.92.240-243.0/24  (4 blocks)
              146.19.125.0/24
              193.30.241.0/24
              45.132.180.0/24
              94.154.35.0/24
              94.26.38.0/24

The neighboring IPs on the same /24 tell their own story:

IP    Hostname             Notes
----  -------------------  -------------------------------------
.220  --                   Windows RDP, SMB exposed
.221  goyslopjewbag[.]icu  Offensive content, game server ports
.222  labinstalls[.]info   Our delivery server
.223  --                   Windows, RDP, HTTPS
.224  virtualine.org       Full mail server + web hosting
.225  --                   RDP only

The hostname on .221 tells you everything you need to know about OMEGATECH's acceptable use policy. This is a hosting provider where the neighbors are running hate speech domains alongside game server ports. Filing an abuse report to abuse@omegatech[.]sc would be an exercise in futility.

Amadey Campaign fbf543: A Multi-Family PPI Service

OffLoader is not the only payload distributed through the fbf543 Amadey campaign. MalwareBazaar reveals at least four malware families sharing the same campaign identifier:

Malware Family  Type                  First Seen  Samples
--------------  --------------------  ----------  -------
OffLoader       Loader/Dropper        2026-01-04  25+
Vidar           Info Stealer          2026-03-10  3+
QuasarRAT       Remote Access Trojan  2026-03-10  1+
SalatStealer    Info Stealer          2026-03-09  1+

This confirms the Amadey fbf543 campaign operates as a pay-per-install marketplace. Multiple malware operators purchase install distribution from the Amadey botnet, and the botnet delivers whatever payload the highest bidder specifies. OffLoader has been a customer since at least January 2026, while Vidar and QuasarRAT are more recent additions.

The social engineering lures used across OffLoader samples reveal the victim targeting strategy:

  • Adobe Photoshop 2025 v26 11 2 Cracked Free Download for Windows.exe
  • FortnitePotatoGraphicsHowtoplayFortniteonLOWENDPCWithoutGPU-Optibuddy.exe
  • BIGFILMS 8211 INFERNO Pack Create Epic Blockbuster Scenes.exe
  • December bill.exe

Three of the four lures target people searching for pirated or free software. The fourth targets people who open email attachments claiming to be invoices. Both are high-volume, low-sophistication targeting strategies -- the kind that work best when distributed through a PPI botnet at scale.

MITRE ATT&CK Mapping

Tactic                Technique                                 ID         Implementation
--------------------  ----------------------------------------  ---------  --------------------------------------------
Initial Access        Phishing: Spearphishing Link              T1566.002  Cracked software download links
Execution             User Execution: Malicious File            T1204.002  Victim runs fake installer
Persistence           Event Triggered Execution: COM Hijacking  T1546.015  CLSID shell extension hijack
Persistence           Modify Registry                           T1112      Shell extension registration in HKLM
Privilege Escalation  Abuse Elevation Control                   T1548.002  requireAdministrator manifest
Privilege Escalation  Access Token Manipulation                 T1134      SeShutdownPrivilege, CreateProcessWithToken
Defense Evasion       Masquerading: Match Legitimate Name       T1036.005  7-Zip 16.02 installer disguise
Defense Evasion       Obfuscated Files: Software Packing        T1027.002  Encrypted Inno Setup payload, UPX
Defense Evasion       Virtualization/Sandbox Evasion            T1497      Debug detection, geofencing
Discovery             System Location Discovery                 T1614      Computer location settings check
Command and Control   Proxy: Multi-hop Proxy                    T1090.003  Cloudflare CDN proxying C2 traffic
Command and Control   Ingress Tool Transfer                     T1105      Downloads setup.exe from /api/

Indicators of Compromise

File Indicators

# OffLoader Inno Setup Wrapper
SHA256: 2862dbcdc9546ab145d444a68b8112ce79487a93bdb7c4b45dc6649b640516ce
MD5:    3a8688215724b24dd2885059abadb487
SHA1:   32c61be006f4d2c22dc94009d5bacfada67ab7b3
Imphash: ac4ded70f85ef621e5f8917b250855be

# Trojanized 7-Zip Installer (from C2)
SHA256: 629ce3c424bd884e74aed6b7d87d8f0d75274fb87143b8d6360c5eec41d5f865
MD5:    1f662cf64a83651238b92d62e23144fd

Network Indicators

# Delivery Server (defanged)
158[.]94[.]211[.]222  (OMEGATECH, AS202412) -- OFFLINE
labinstalls[.]info    (hostname)
hxxp://158[.]94[.]211[.]222/files/7782139129/4Qrxrgo.exe

# C2 Domains -- Most Recent (defanged, 15 of 100)

# C2 Endpoints
/connector    (bot check-in, HTTP 200)
/config       (campaign status)
/api/         (payload delivery, serves setup.exe)

Behavioral Indicators

# Fake metadata
Product: temstor
Copyright: Neon Analytics Tech (2008-2013)
Version: 27.26.26
Export: SetupLdr.e32

# Persistence
Shell extension CLSID: {23170F69-40C1-278A-1000-000100020000}
Registry: Software\7-Zip
Registry: Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
DragDropHandlers for: Drive, Directory, Folder, *
ContextMenuHandlers for: Drive, Directory, Folder, *

# Anti-analysis
Debug environment detection
Computer location settings check (geofencing)
Process enumeration
timeout.exe execution delay

Immediate (24-48 hours)

  • Block all 100 C2 domains at DNS/proxy level (full list available in investigation artifacts)
  • Block 158[.]94[.]211[.]222 and labinstalls[.]info at network perimeter
  • Search endpoint telemetry for the SHA256/MD5/imphash values above
  • Hunt for the shell extension CLSID {23170F69-40C1-278A-1000-000100020000} in registry -- note this is also the legitimate 7-Zip CLSID, so correlate with unsigned or unexpected DLLs
  • Search web proxy logs for /connector, /config, /api/ request patterns

Short-term (1-2 weeks)

  • Block the entire OMEGATECH AS202412 prefix range at perimeter
  • Submit abuse reports to Cloudflare for all live C2 domains
  • Submit abuse report to Namecheap for bulk malicious domain registration
  • Monitor for new domain registrations matching the two-word + cheap TLD pattern
  • Search for additional OffLoader samples using the imphash ac4ded70f85ef621e5f8917b250855be

Medium-term (1-3 months)

  • Monitor ThreatFox OffLoader tag for new C2 domain additions
  • Track Amadey fbf543 campaign for new payload families
  • Develop automated detection for the Cloudflare NS pair rotation pattern
  • Coordinate with CERTs for potential OMEGATECH infrastructure disruption

Published by Breakglass Intelligence. Investigation conducted 2026-03-11. 1 sample. 100 C2 domains. 1 previously unreported trojanized 7-Zip installer. 4,352 bulletproof hosting IPs. Classification: TLP:CLEAR
