Severity: High | Category: Phishing
Investigated: March 6, 2026 | Published: March 6, 2026

Open Directory Exposes Active NetSupport RAT Campaign Targeting Freight and Government Sectors

Tags: #phishing #xworm #lumma #c2 #supply-chain #apt #spearphishing

TL;DR

An open directory at 193.111.117[.]17:8080 is actively serving 9 malicious executables: 8 trojanized PyInstaller droppers deploying NetSupport Manager RAT and 1 XOR-encrypted shellcode stager compiled the same day as discovery. The campaign targets freight brokers, logistics companies, and government organizations through lure filenames like RateConf.exe and us.gov.exe. Infrastructure analysis reveals a Russian-speaking operator running 7 C2 domains across a bulletproof hosting cluster (DGTLS-MNT / MHost LLC) with a brand-new ASN created just two weeks prior, accelerating domain registration cadence, and cross-pollination with Xworm, Formbook, and Lumma campaigns.


The Open Directory

On March 5, 2026, an Apache/2.4.58 (Ubuntu) server at 193.111.117[.]17 was found serving a /file/ directory with listings enabled over both HTTP (8080) and HTTPS (443, self-signed). The TLS certificate had been generated the same day (2026-03-05 16:13:38 UTC), and a fresh payload was uploaded hours later.

Nine executables were staged:

Filename              Size    Last Modified      Lure Theme
Confirm.support.exe   13 MB   2026-03-02 21:43   Customer support
Net_view.exe          13 MB   2026-03-02 21:44   IT administration
Order.exe             13 MB   2026-03-02 21:43   Supply chain
RateConf.exe          13 MB   2026-03-03 21:09   Freight / trucking
RateConfirm.exe       13 MB   2026-03-02 21:45   Freight / trucking
RateConfirmation.exe  5.3 MB  2026-03-05 23:28   Freight / trucking
Zanaveska.exe         13 MB   2026-03-03 21:06   Russian-language
us.gov.exe            13 MB   2026-03-02 21:45   US Government
usa.confirm.exe       13 MB   2026-03-02 21:46   Government / logistics

Eight files were uploaded in a 3-minute window on March 2, with individual additions on March 3 and 5. The server also exposes WebDAV (DAV 1,2) with PROPFIND, PROPPATCH, COPY, MOVE, DELETE, LOCK, and UNLOCK methods enabled: this is the operator's upload mechanism. ETag values from PROPFIND Depth:1 responses confirm sequential inode allocation consistent with rapid bulk upload.

Allow: OPTIONS, GET, HEAD, POST, DELETE, TRACE, PROPFIND, PROPPATCH, COPY, MOVE, LOCK, UNLOCK
DAV: 1,2
DAV: <http://apache.org/dav/propset/fs/1>
MS-Author-Via: DAV

MKCOL returns 405: directory creation is restricted, but file operations are permissive from the operator's authorized source.


Payload Analysis: Two Malware Families

Family 1: NetSupport Manager RAT via PyInstaller Dropper

Eight of the nine samples are ~13 MB PyInstaller-compiled executables (Python 3.13, PyInstaller 6.x) that drop a trojanized NetSupport Manager installation. Compilation dates span February 9 through March 3, 2026.

Execution chain:

  1. PyInstaller self-extracts to %TEMP%
  2. Registers as "Windows Update Assistant" (v10.0.19045.3448, "Microsoft Corporation"); T1036.005
  3. Performs _ANTISANDBOX environment check
  4. Extracts Files/ directory containing legitimate NetSupport Manager client components
  5. Creates Client.lnk in %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\ via WScript.Shell COM object; T1547.001
  6. Opens a base64-encoded decoy URL in the default browser
  7. Launches Client.exe (legitimate, GlobalSign EV-signed NetSupport Manager v12.01/14.10)

The dropped Client32.ini configures the RAT for fully silent, hidden operation:

[Client]
DisableChatMenu=1
DisableClientConnect=1
DisableDisconnect=1
DisableLocalInventory=1
DisableReplayMenu=1
DisableRequestHelp=1
HideWhenIdle=1
silent=1
SysTray=0
ShowUIOnConnect=0
Protocols=3
SKMode=1

[HTTP]
GatewayAddress=ktoto.xyz:443
SecondaryGateway=85.90.199.11:443
GSK=FG;F@PDAFDHI:M>NAGGF

Every UI element disabled, system tray hidden, silent mode on. The Protocols=3 flag enables HTTP gateway tunneling, and SKMode=1 enforces gateway security key authentication.

Per-sample C2 mapping:

Sample               Primary C2           Secondary Gateway     GSK
Confirm.support.exe  ktoto[.]xyz:443      85.90.199.11:443      FG;F@PDAFDHI:M>NAGGF
Net_view.exe         efsllc[.]org:443     151.243.18.8:443      FI:J?FCGGI<HADDDGM:N=P@C
Order.exe            afreu[.]xyz:443      178.17.62.192:443     EDHF;I>MBBEHHO<G
RateConf.exe         akusa[.]icu:443      109.107.168.236:443   EDHF;I>MBBEHHO<G
RateConfirm.exe      surosuro[.]xyz:443   95.85.239.4:443       EDHF;I>MBBEHHO<G
Zanaveska.exe        zanaves[.]lol:443    109.107.168.211:443   EDHF;I>MBBEHHO<G
us.gov.exe           vadusa[.]xyz:443     45.131.214.85:443     EDHF;I>MBBEHHO<G
usa.confirm.exe      vadusa[.]xyz:443     45.131.214.85:443     EDHF;I>MBBEHHO<G

Three distinct Gateway Security Keys appear across the campaign. GSK1 is exclusive to the oldest domain (ktoto.xyz), GSK3 to the now-suspended efsllc.org, and GSK2 is shared across 6 of 8 samples; it is the current operational key.

The secondary gateway IP in each case resolves to the same host as the primary domain. This is DNS-failure resilience, not a separate C2 tier.
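The Client32.ini above and the per-sample table are the artifacts a responder actually gets from a dropped Files/ directory. The following Python is an added triage example, not code from the report: it parses a Client32.ini, counts the stealth settings listed above, pulls the gateway and GSK, and clusters several configs by GSK the way the table does. The sample configs are constructed from the table's values (the ktoto.xyz one reproduces the page's ini line for line); the benign config and the risk score are assumptions for illustration.

```python
"""Triage NetSupport Manager Client32.ini files: flag stealth settings,
extract C2 gateways, and cluster samples by Gateway Security Key (GSK)."""
import configparser
from dataclasses import dataclass
from typing import Dict, List

# Client32.ini options whose listed values hide the client from the logged-on user.
# Keys are lowercase because configparser lowercases option names on read.
STEALTH_SETTINGS = {
    "silent": "1", "hidewhenidle": "1", "systray": "0", "showuionconnect": "0",
    "disablechatmenu": "1", "disableclientconnect": "1", "disabledisconnect": "1",
    "disablelocalinventory": "1", "disablereplaymenu": "1", "disablerequesthelp": "1",
}


@dataclass
class ClientProfile:
    gateway: str
    secondary: str
    gsk: str
    stealth_hits: List[str]
    http_tunnel: bool          # Protocols=3 means HTTP gateway tunnelling

    def risk_score(self) -> int:
        """Number of stealth settings present; 10 is the fully hidden profile."""
        return len(self.stealth_hits)


def parse_client32(text: str) -> ClientProfile:
    """Parse Client32.ini text. RawConfigParser avoids '%' interpolation, and
    '=' is the only delimiter so ':' inside gateway values and GSKs is kept."""
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",))
    cp.read_string(text)
    client = cp["Client"] if cp.has_section("Client") else {}
    http = cp["HTTP"] if cp.has_section("HTTP") else {}
    hits = [key for key, bad in STEALTH_SETTINGS.items()
            if client.get(key, "").strip() == bad]
    return ClientProfile(
        gateway=http.get("gatewayaddress", "").strip(),
        secondary=http.get("secondarygateway", "").strip(),
        gsk=http.get("gsk", "").strip(),
        stealth_hits=hits,
        http_tunnel=client.get("protocols", "").strip() == "3",
    )


def group_by_gsk(configs: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each GSK to the sample names that carry it (shared key = shared operator)."""
    clusters: Dict[str, List[str]] = {}
    for name, ini in configs.items():
        clusters.setdefault(parse_client32(ini).gsk, []).append(name)
    return clusters


def _stealth_ini(gateway: str, secondary: str, gsk: str) -> str:
    """Constructed helper: the campaign's stealth profile with per-sample C2 values."""
    return (
        "[Client]\nDisableChatMenu=1\nDisableClientConnect=1\nDisableDisconnect=1\n"
        "DisableLocalInventory=1\nDisableReplayMenu=1\nDisableRequestHelp=1\n"
        "HideWhenIdle=1\nsilent=1\nSysTray=0\nShowUIOnConnect=0\nProtocols=3\nSKMode=1\n\n"
        f"[HTTP]\nGatewayAddress={gateway}\nSecondaryGateway={secondary}\nGSK={gsk}\n"
    )


# Constructed inputs: three entries mirror the per-sample C2 table; the benign
# config is an assumed legitimate help-desk deployment (UI visible, no tunnelling).
SAMPLES = {
    "Confirm.support.exe": _stealth_ini("ktoto.xyz:443", "85.90.199.11:443", "FG;F@PDAFDHI:M>NAGGF"),
    "Order.exe": _stealth_ini("afreu.xyz:443", "178.17.62.192:443", "EDHF;I>MBBEHHO<G"),
    "RateConf.exe": _stealth_ini("akusa.icu:443", "109.107.168.236:443", "EDHF;I>MBBEHHO<G"),
    "benign.ini": "[Client]\nsilent=0\nSysTray=1\nShowUIOnConnect=1\nProtocols=1\n\n"
                  "[HTTP]\nGatewayAddress=nsm-gateway.corp.example:443\nGSK=EXAMPLE\n",
}

if __name__ == "__main__":
    for name, ini in SAMPLES.items():
        p = parse_client32(ini)
        print(f"{name:22} gw={p.gateway:34} gsk={p.gsk:26} stealth={p.risk_score()}/10")
    print(group_by_gsk(SAMPLES))
```

Run against a live Files/ directory, anything scoring near 10/10 with Protocols=3 and a gateway outside your own NSM deployment is the profile described above; the GSK clustering is what lets you tie a new sample to a known operator even when the gateway domain is new.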

Embedded NetSupport components (dropped to Files/):

Component                  Purpose
Client.exe                 NetSupport Manager Client v12.01/14.10 (legitimate, GlobalSign EV-signed)
Client32.ini               Per-sample C2 gateway configuration
NSM.LIC                    License file (generated 2015-10-06; stolen or cracked)
PCICL32.DLL / pcicapi.dll  NetSupport PCI communications
TCCTL32.DLL                TCP/IP control
htctl32.dll                HTTP tunnel control
remcmdstub.exe             Remote command execution stub
nskbfltr.inf               Keyboard filter driver

Build GUID consistent across all 8 samples: d3031974-b18d-47a3-8041-1812c3dd43c8

Family 2: XOR Shellcode Stager

RateConfirmation.exe is the outlier at 5.3 MB versus the 13 MB PyInstaller pack. It was compiled the same day as discovery (2026-03-05 18:19:14 UTC) using MinGW/GCC, with 19 numbered PE sections characteristic of a custom build toolchain.

Decryption routine:

  • XOR key: StagerKey16Bytes (ASCII, 16-byte repeating)
  • Encrypted payload offset: 0x2602e to 0x541fff (5,357,521 bytes)
  • Decrypted result: NetSupport Manager Client.exe (x86, 5,236,352 bytes)
    • Compile date: 2015-01-09 (original NetSupport build)
    • User-Agent: NetSupport Manager/1.3
    • Beacon: POST http://%s/fakeurl.htm HTTP/1.1

Imports are minimal (VirtualProtect, LoadLibraryA, GetProcAddress), a classic reflective loader pattern. This stager represents a tooling evolution: moving from PyInstaller wrappers to a custom MinGW loader, likely in response to increasing AV detection of the PyInstaller variant.
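The decryption routine above is simple enough to reproduce on the analyst's side without ever running the stager. The Python below is an added unpacking example, not the report's tooling: it XORs the stated byte range with the 16-byte repeating key, then walks the result for an MZ header whose e_lfanew points at a valid PE signature, which is how you confirm the key without trusting the offsets. The fixture it decrypts is a constructed minimal MZ/PE header, not the real sample; the offsets 0x2602e and 0x541fff are the ones reported above.

```python
"""Unpack a repeating-key XOR stager: decrypt the embedded region and carve the PE."""
import struct
from typing import Optional, Tuple

XOR_KEY = b"StagerKey16Bytes"          # 16-byte ASCII key reported for RateConfirmation.exe
REGION_START, REGION_END = 0x2602e, 0x541fff   # encrypted payload range from the report


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR each byte with key[i % len(key)]; applying it twice restores the input."""
    klen = len(key)
    return bytes(b ^ key[i % klen] for i, b in enumerate(data))


def carve_pe(blob: bytes) -> Optional[bytes]:
    """Return the blob from the first 'MZ' whose e_lfanew (offset 0x3C) lands on
    'PE\\0\\0'; a stray 'MZ' in garbage will not satisfy that second check."""
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            sig_at = pos + e_lfanew
            if blob[sig_at:sig_at + 4] == b"PE\0\0":
                return blob[pos:]
        pos = blob.find(b"MZ", pos + 1)
    return None


def extract_payload(stager: bytes, start: int, end: int,
                    key: bytes = XOR_KEY) -> Optional[bytes]:
    """Decrypt stager[start:end] with the repeating key and carve the PE; None on a wrong key."""
    return carve_pe(xor_repeating(stager[start:end], key))


def build_constructed_stager() -> Tuple[bytes, int, int]:
    """Constructed fixture, not the real sample: fake loader bytes, then a minimal
    MZ/PE header encrypted with XOR_KEY, then padding. Returns (bytes, start, end)."""
    mz = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", mz, 0x3C, 0x40)                  # e_lfanew -> 0x40
    fake_pe = bytes(mz) + b"PE\0\0" + b"\x4c\x01" + b"\0" * 58 + b"<constructed tail>"
    loader = b"\x90" * 37                                    # stands in for the MinGW loader code
    encrypted = xor_repeating(fake_pe, XOR_KEY)
    return loader + encrypted + b"\0" * 16, len(loader), len(loader) + len(encrypted)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                                    # analyst usage on a real file
        with open(sys.argv[1], "rb") as fh:
            pe = extract_payload(fh.read(), REGION_START, REGION_END)
    else:                                                    # self-test on the fixture
        stager, s, e = build_constructed_stager()
        pe = extract_payload(stager, s, e)
    print("PE carved, %d bytes" % len(pe) if pe else "no PE found: wrong key or offsets")
```

The carve step is the important part for triage: on the real sample the decrypted region (5,357,521 bytes) is larger than the reported Client.exe (5,236,352 bytes), so the PE length should be read from the carved image's headers rather than assumed equal to the region size. The per-byte generator is fine for a 5 MB region; for larger blobs, `int.from_bytes` arithmetic or numpy is the usual speed-up.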


C2 Infrastructure: The DGTLS-MNT Cluster

Gateway Behavior

All C2 endpoints accept TCP connections on port 443 but immediately reset TLS handshakes. This is the NetSupport Manager HTTP Gateway proprietary protocol; it is not standard HTTPS. Detection at the network level is straightforward: connections to port 443 that fail TLS negotiation and fall back to the NSM custom protocol.

The gateway beacon path is /fakeurl.htm (POST) or /testpage.htm (GET), observed by OTX AlienVault on 45.88.78.33 and 95.85.239.4 as early as February 14, 2026.

Windows C2 Machines

RDP certificates and self-signed TLS certs on the C2 servers leak Windows machine hostnames:

IP               Hostname                                  Provisioned  Exposed Ports
45.88.78.33      WIN-0IAOQE7DGJ9                           2026-01-27   443, 445, 3389, 5985
151.243.18.8     VM-962cc4f6-07f0-40f1-b890-1a3f20c2a1c7   2026-02-20   135, 445, 1337, 5985
109.107.168.236  VM-7688c583-85ee-4a0f-9eab-3e007410760d   2026-02-23   443, 3389
109.107.168.211  VM-edb99687-e70a-402c-b256-fee81eca20a9   2026-02-25   443, 3389
45.131.214.85    VM-3a451985-22f0-4c94-9c16-c0ab3265cacc   2026-02-27   443, 3389

The first machine has a custom hostname; the subsequent four use the VM-{GUID} format from automated cloud provisioning. VMs were deployed every 2 days from February 20-27. Two of these (45.88.78.33 and 151.243.18.8) are flagged for CVE-2020-0796 (SMBGhost): unpatched Windows Server with SMBv3.1.1 exposed to the internet. Both also expose WinRM (port 5985, Microsoft-HTTPAPI/2.0); with valid credentials, full remote code execution is trivially achievable.

The Bulletproof Hosting Network

Five of the seven C2 IPs sit on AS200823, an ASN created on 2026-02-19, just two weeks before this investigation. Three entities share the DGTLS-MNT RIPE maintainer and are operationally the same organization:

Entity               Registered Country                          Website     Language
MHost LLC            Georgia (Kobuleti)                          mhost.ee    Russian
Partner Hosting LTD  UK (71-75 Shelton Street, virtual office)   altawk.com  Russian
ALTAWK               Czech Republic                              altawk.com  Russian

The 71-75 Shelton Street address is a well-known virtual office location in Covent Garden and a common registered address for shell companies.

DGTLS-MNT controls 2,048 IPs across 8 /24 blocks:

109.107.168.0/24   GB-PHL16-RIPE (Partner Hosting)
178.17.62.0/24     MHost_LLC
213.176.79.0/24    MHost_LLC
5.252.155.0/24     DE-PHL16-RIPE (Partner Hosting)
95.85.236.0/24     MHost_LLC
95.85.237.0/24     MHost_LLC
95.85.238.0/24     ALTAWK-CZ
95.85.239.0/24     MHost_LLC

A subnet scan of 109.107.168.200-255 found 24 hosts with port 443 open: significant infrastructure beyond the 2 known C2 IPs in this range.

Staging Server Hosting

The staging server (193.111.117[.]17) and one secondary gateway (151.243.18.8) are hosted on DEDIK SERVICES LIMITED (AS207043), a UK-registered company at 60 St. Martin's Lane, London, operated by Eduards Hramcovs. The IP range originates from the IPXO marketplace (geofeed tokens present in RIPE route objects). Shodan historical data shows ports 1337 and 5985 were previously open but are now closed; the operator cleaned up after initial provisioning.


Domain Infrastructure and OPSEC Failure

Registration Patterns

Five of seven domains use Dynadot LLC with "Super Privacy Service LTD c/o Dynadot" WHOIS privacy. afreu.xyz and akusa.icu were registered on the same day (2025-12-07) and updated on the same day (2026-01-22), confirming a single operator account.

Domain registration follows an accelerating cadence:

2025-07-31  ktoto.xyz         (Month 0)
2025-10-28  efsllc.org        (Month 3)
2025-12-07  afreu.xyz         (Month 5)
2025-12-07  akusa.icu         (Month 5)
2026-02-02  surosuro.xyz      (Month 7)
2026-02-27  vadusa.xyz        (Month 7, Week 4)
2026-03-03  zanaves.lol       (Month 8, Week 1) <-- switched registrar

The SOA Leak

zanaves.lol is the only domain NOT registered through Dynadot. It uses PublicDomainRegistry with OrderBox DNS, which exposes the registrant email in the SOA record:

zanaves.lol.  SOA  fdomain.earth.orderbox-dns.com.  br_stirling.gmx.com.  2026030302

br_stirling@gmx.com is a potential operator identifier. All Dynadot domains use generic hostmaster@domain SOA contacts, masking the operator. The switch to PDR for zanaves.lol was an OPSEC failure, likely driven by urgency after efsllc.org was suspended by registry action (serverHold).
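The SOA leak works because the RNAME field is an RFC 1035 mailbox: the first unescaped dot is the "@", and an escaped dot ("\.") is a literal dot in the local part. The Python below is an added example, not the report's tooling, that parses a dig-style SOA line, recovers the mailbox, and flags contacts that name a person rather than a role address. The zanaves.lol line is the record quoted above; the other two records and the list of generic role names are constructed for illustration. Defenders can run the same check over their own zones to catch a personal mailbox leaking through a registrar's default DNS.

```python
"""Recover the responsible-person mailbox from an SOA record and flag identifying contacts."""
from typing import Dict

# Role mailboxes that do not identify a person (assumed list; extend for your environment).
GENERIC_LOCAL_PARTS = {"hostmaster", "dns", "dnsadmin", "admin", "postmaster", "noc", "abuse", "root"}


def soa_rname_to_email(rname: str) -> str:
    """RFC 1035 mailbox encoding: the first unescaped '.' separates user from domain,
    and a backslash-escaped '.' is a literal dot in the user part."""
    rname = rname.rstrip(".")
    local = []
    i = 0
    while i < len(rname):
        ch = rname[i]
        if ch == "\\" and i + 1 < len(rname):      # escaped character, keep it literally
            local.append(rname[i + 1])
            i += 2
            continue
        if ch == ".":                              # first unescaped dot: user@domain
            return "".join(local) + "@" + rname[i + 1:]
        local.append(ch)
        i += 1
    return "".join(local)                          # no domain part present


def parse_soa(line: str) -> Dict[str, str]:
    """Split a dig-style SOA line: owner [ttl] [class] SOA mname rname serial ..."""
    parts = line.split()
    idx = parts.index("SOA")
    rname = parts[idx + 2]
    return {
        "owner": parts[0].rstrip("."),
        "mname": parts[idx + 1].rstrip("."),
        "rname": rname,
        "serial": parts[idx + 3],
        "email": soa_rname_to_email(rname),
    }


def mailbox_is_identifying(email: str, owner: str) -> bool:
    """True when the contact is neither a generic role mailbox nor hosted at the zone itself,
    i.e. it probably names the person who registered the domain."""
    local, _, domain = email.partition("@")
    return local.lower() not in GENERIC_LOCAL_PARTS and domain.lower() != owner.lower()


# The leaked record quoted in the report, plus two constructed records for contrast.
PAGE_SOA = "zanaves.lol.  SOA  fdomain.earth.orderbox-dns.com.  br_stirling.gmx.com.  2026030302"
CONSTRUCTED_SOA = [
    "example.com.  3600  IN  SOA  ns1.example.com.  hostmaster.example.com.  2026030501 7200 3600 1209600 300",
    "example.net.  3600  IN  SOA  ns1.example.net.  john\\.doe.example.net.  2026030501 7200 3600 1209600 300",
]

if __name__ == "__main__":
    for line in [PAGE_SOA] + CONSTRUCTED_SOA:
        rec = parse_soa(line)
        flag = "IDENTIFYING" if mailbox_is_identifying(rec["email"], rec["owner"]) else "generic"
        print(f"{rec['owner']:14} {rec['email']:28} serial={rec['serial']} [{flag}]")
```

The second constructed record shows why the escape handling matters: "john\.doe.example.net." must become john.doe@example.net, not john@doe.example.net, or the pivot to other domains using the same mailbox will miss.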

Certificate Transparency Findings

CT logs for akusa.icu reveal three additional subdomains issued on the same day (2025-12-08):

  • t-mobile.akusa[.]icu: telecom brand impersonation (urlscan confirms a T-Mobile lure page, later redirected to Dynadot parking)
  • djsyxtzo.akusa[.]icu: randomly generated
  • hfvqh0.akusa[.]icu: randomly generated

Three of the newer domains (surosuro.xyz, zanaves.lol, vadusa.xyz) have no certificates in CT logs despite having port 443 open, consistent with the NetSupport Manager custom gateway protocol that does not use standard TLS.


Attribution: Russian-Speaking Multi-Malware Operator

Linguistic Indicators

  • zanaves.lol / Zanaveska.exe: "занавес" / "занавеска" = "curtain" in Russian
  • ktoto.xyz: "кто-то" = "someone" in Russian
  • All three DGTLS-MNT hosting websites (mhost.ee, altawk.com, waicore.com) serve Russian-language pages with Russian <meta> descriptions

Multi-Family Deployment

OTX AlienVault tags on 95.85.239.4 (surosuro.xyz) indicate this infrastructure serves more than NetSupport RAT:

  • Xworm (commodity RAT)
  • Formbook (infostealer)
  • Lumma (stealer-as-a-service)
  • NetSupport Manager (RAT)

This cross-pollination suggests a professional initial access broker deploying multiple families through shared infrastructure, or a multi-operator bulletproof hosting customer serving several criminal groups.

Existing Threat Intel Coverage

Source                   Date        Finding
OTX "NetSupport" pulse   2026-02-14  45.88.78.33, 178.17.62.192, 95.85.239.4
JAMESWT_WT (Twitter)     2026-02-25  Tags: RAT, NetSupport, Xworm, opendir
skocherhan (Twitter)     2026-02-14  Tags: APT, Formbook, Lumma
GreyNoise                2026-03-05  All 9 IPs NOT observed scanning; passive infrastructure

GreyNoise silence across all 9 IPs confirms this is receive-only C2 infrastructure, not a scanning operation.


Campaign Timeline

2015-10-06   NSM.LIC license generated (stolen/cracked)
2019-09      ktoto.xyz first observed behind Cloudflare
2025-07-31   ktoto.xyz registered at Dynadot
2025-10-28   efsllc.org re-registered at NiceNIC (HK registrant)
2025-12-07   afreu.xyz + akusa.icu registered (same day, same registrar)
2025-12-08   t-mobile.akusa.icu cert issued: telecom phishing side op
2026-01-27   WIN-0IAOQE7DGJ9 (45.88.78.33): first C2 Windows machine
2026-02-09   RateConfirm.exe compiled: first payload
2026-02-14   OTX "NetSupport" pulse: first public reporting
2026-02-19   AS200823 (DGTLS-MNT) created: brand new ASN
2026-02-20   VM provisioning begins (4 VMs in 7 days)
2026-02-27   efsllc.org suspended; vadusa.xyz registered same day
2026-03-02   8 payloads uploaded to staging server open directory
2026-03-03   zanaves.lol registered (PDR; OPSEC leak); 2 more payloads uploaded
2026-03-05   Staging server TLS cert regenerated; XOR stager compiled + uploaded

The operator shows a clear pattern: when infrastructure gets burned (efsllc.org suspension, OTX pulses), they spin up replacement domains and VMs within 48 hours. The shift from PyInstaller to a MinGW XOR stager on March 5 likely reflects detection pressure on the original delivery mechanism.


MITRE ATT&CK Mapping

Technique                                   ID         Context
Remote Access Software                      T1219      NetSupport Manager Client deployed as RAT
Phishing: Spearphishing Attachment          T1566.001  Freight rate confirmation and government lure filenames
Boot/Logon Autostart: Startup Folder        T1547.001  Client.lnk dropped in %APPDATA%\...\Startup\
Masquerading: Match Legitimate Name         T1036.005  Registers as "Windows Update Assistant" by "Microsoft Corporation"
Obfuscated Files: Software Packing          T1027.002  PyInstaller packing; XOR encryption with StagerKey16Bytes
Encrypted Channel: Asymmetric Crypto        T1573.002  HTTPS C2 on port 443 (custom NSM protocol)
Application Layer Protocol: Web             T1071.001  HTTP gateway (/fakeurl.htm, /testpage.htm)
Acquire Infrastructure: Domains             T1583.001  7 domains across 3 registrars, accelerating cadence
Acquire Infrastructure: VPS                 T1583.003  DGTLS-MNT bulletproof hosting, VMs provisioned every 2 days
Obtain Capabilities: Tool                   T1588.002  Legitimate NetSupport Manager repurposed as RAT
Obtain Capabilities: Digital Certificates   T1588.004  Stolen/cracked NSM license (2015 vintage)

Detection Opportunities

Network signatures:

  • Outbound HTTP POST to /fakeurl.htm on port 443
  • User-Agent string: NetSupport Manager/1.3
  • TCP connections to port 443 that immediately reset TLS handshake (NSM custom protocol)
  • DNS queries for any C2 domains listed below

Endpoint signatures:

  • Client.exe execution with parent process from %APPDATA% or %TEMP%
  • Client.lnk creation in %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\
  • Process metadata claiming "Windows Update Assistant" v10.0.19045.3448
  • Build GUID d3031974-b18d-47a3-8041-1812c3dd43c8 in PyInstaller manifest
  • XOR decryption with key StagerKey16Bytes in memory

YARA (network beacon):

rule NetSupport_RAT_Gateway_Beacon {
    meta:
        description = "NetSupport Manager RAT HTTP gateway beacon"
        campaign = "netsupport-freight-lure-2026"
    strings:
        $ua = "NetSupport Manager/1.3" ascii
        $beacon1 = "/fakeurl.htm" ascii
        $beacon2 = "/testpage.htm" ascii
    condition:
        $ua and ($beacon1 or $beacon2)
}
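The YARA rule covers captured payload bytes; the network signatures above also need to be applied to proxy and DNS telemetry. The Python below is an added example, not the report's detection content: it loads the C2 domains, C2 IPs, beacon paths, and User-Agent from this report and runs them over JSON-lines telemetry, matching subdomains of the C2 domains (so t-mobile.akusa.icu fires) and returning one alert per record with the indicators it triggered. The telemetry format and the five records are constructed for illustration; the documentation-range and RFC 1918 addresses in the benign records are placeholders.

```python
"""Apply the report's network indicators to JSON-lines proxy and DNS telemetry."""
import json
from typing import Dict, Iterable, List

# Indicator lists from this report, with defanging removed so they match live telemetry.
C2_DOMAINS = {"ktoto.xyz", "efsllc.org", "afreu.xyz", "akusa.icu",
              "surosuro.xyz", "zanaves.lol", "vadusa.xyz"}
C2_IPS = {"45.88.78.33", "85.90.199.11", "151.243.18.8", "178.17.62.192",
          "109.107.168.236", "95.85.239.4", "109.107.168.211", "45.131.214.85"}
BEACON_PATHS = {"/fakeurl.htm", "/testpage.htm"}
NSM_UA_PREFIX = "NetSupport Manager/"      # observed value: "NetSupport Manager/1.3"


def domain_matches(query: str, domains: Iterable[str]) -> bool:
    """Exact or subdomain match; 'notakusa.icu' must not match 'akusa.icu'."""
    q = query.rstrip(".").lower()
    return any(q == d or q.endswith("." + d) for d in domains)


def classify(rec: Dict) -> List[str]:
    """Return the indicator names a single telemetry record triggers."""
    hits: List[str] = []
    if rec.get("type") == "dns" and domain_matches(rec.get("query", ""), C2_DOMAINS):
        hits.append("dns_c2_domain")
    if rec.get("type") == "http":
        if rec.get("dst") in C2_IPS:
            hits.append("http_c2_ip")
        if rec.get("path") in BEACON_PATHS:
            hits.append("nsm_beacon_path")
        if rec.get("ua", "").startswith(NSM_UA_PREFIX):
            hits.append("nsm_user_agent")
    return hits


def scan(lines: str) -> List[Dict]:
    """Parse JSON lines and return one alert per record that triggers any indicator.
    A lone beacon-path hit is kept but is the weakest signal; the UA or a C2 IP confirms it."""
    alerts = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        hits = classify(rec)
        if hits:
            alerts.append({"src": rec.get("src"), "indicators": hits,
                           "confirmed": len(hits) > 1 or "dns_c2_domain" in hits,
                           "record": rec})
    return alerts


# Constructed telemetry (assumed schema, not from the report): a full NSM beacon,
# a DNS lookup of a C2 subdomain, two benign records, and a beacon path on an internal host.
SAMPLE_TELEMETRY = """
{"type":"http","src":"10.0.0.5","dst":"45.88.78.33","dport":443,"method":"POST","path":"/fakeurl.htm","ua":"NetSupport Manager/1.3"}
{"type":"dns","src":"10.0.0.7","query":"t-mobile.akusa.icu"}
{"type":"http","src":"10.0.0.9","dst":"203.0.113.10","dport":443,"method":"GET","path":"/index.html","ua":"Mozilla/5.0"}
{"type":"dns","src":"10.0.0.9","query":"example.com"}
{"type":"http","src":"10.0.0.11","dst":"10.1.2.3","dport":80,"method":"GET","path":"/testpage.htm","ua":"Mozilla/5.0"}
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_TELEMETRY):
        state = "CONFIRMED" if alert["confirmed"] else "weak"
        print(f"{alert['src']:10} {state:9} {', '.join(alert['indicators'])}")
```

The third network signature above, TCP connections to port 443 that reset during the TLS handshake, is not in this example because it needs connection-state fields (a Zeek ssl.log with no established handshake, for instance) rather than HTTP records; it is the right corroborating query to run against the hosts this script surfaces.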

Indicators of Compromise

Network Indicators

Staging Server:

193.111.117[.]17        # Open directory, Apache/2.4.58, AS207043 DEDIK-IO

C2 Domains:

ktoto[.]xyz             # 45.88.78.33, AS204601 Peetinvest
efsllc[.]org            # SUSPENDED (serverHold)
afreu[.]xyz             # 178.17.62.192, AS200823 MHost LLC
akusa[.]icu             # 109.107.168.236, AS200823 Partner Hosting
surosuro[.]xyz          # 95.85.239.4, AS200823 MHost LLC
zanaves[.]lol           # 109.107.168.211, AS200823 Partner Hosting
vadusa[.]xyz            # 45.131.214.85, AS200823 MHost LLC

C2 Subdomains:

t-mobile.akusa[.]icu    # Telecom brand impersonation
djsyxtzo.akusa[.]icu    # Randomly generated
hfvqh0.akusa[.]icu      # Randomly generated

C2 IP Addresses:

45.88.78[.]33           # ktoto.xyz, Windows, SMBGhost, RDP exposed
85.90.199[.]11          # ktoto.xyz secondary, dormant
151.243.18[.]8          # efsllc.org secondary, Windows, SMBGhost
178.17.62[.]192         # afreu.xyz
109.107.168[.]236       # akusa.icu
95.85.239[.]4           # surosuro.xyz, multi-malware (Xworm/Formbook/Lumma)
109.107.168[.]211       # zanaves.lol
45.131.214[.]85         # vadusa.xyz

File Hashes (SHA256)

PyInstaller Droppers:

28c2426e93130038b7470e3b9ce5d6a531bb17b427aea61064157417c5ce6666  Confirm.support.exe
bdf9f680afda4aceaf89e106136f14472adc17d7264648f82880d4a247cd5b5b  Net_view.exe
92748a3d9b11ce9290270f72147a25250d17d37697fbef8795af06f4f649f4ea  Order.exe
2fdaffdac4758c1c4cfc3f5a8360959bbb717cbafb478b9a888ecd55aad7e2e6  RateConf.exe
f1727b9da4055014e15f70f3b4c36029cd3ef02cc42a39ada315255493323758  RateConfirm.exe
9b2c40a2f37440f9b98dfd8ddf084389aef3fe5e64b894b421b85e8a60cd556c  Zanaveska.exe
712c7e845543e6ddd07f724b6f9a9a0e2c84fdf6d8956fdd2bef94775b2ef707  us.gov.exe
c9e5bb7a368280d771edcfdb33717a3130560d2bb71773ab1aaffe0eb585fd2c  usa.confirm.exe

XOR Shellcode Stager:

deb897a025e7b3e6a64634d1057fc04457ad7fa5a0a9c13dece2f9803fb2ab99  RateConfirmation.exe

Decrypted Payload (NetSupport Client):

d6e6c4aa2dd66b5e68936a0e784424b76b3f5d5187b4f77118d3a8fbbeb9aaac  Client.exe (x86, 2015 build)

Host Artifacts

# Persistence
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\Client.lnk

# Gateway Security Keys
FG;F@PDAFDHI:M>NAGGF
EDHF;I>MBBEHHO<G
FI:J?FCGGI<HADDDGM:N=P@C

# Build identifier
d3031974-b18d-47a3-8041-1812c3dd43c8

# NSM license serials
0x1ad2ecb3
0x2f7406b4

# XOR key (stager)
StagerKey16Bytes

C2 Machine Hostnames (RDP/TLS Certificate Leak)

WIN-0IAOQE7DGJ9                                    # 45.88.78.33
VM-962cc4f6-07f0-40f1-b890-1a3f20c2a1c7            # 151.243.18.8
VM-7688c583-85ee-4a0f-9eab-3e007410760d            # 109.107.168.236
VM-edb99687-e70a-402c-b256-fee81eca20a9            # 109.107.168.211
VM-3a451985-22f0-4c94-9c16-c0ab3265cacc            # 45.131.214.85

Operator Attribution

br_stirling@gmx.com     # SOA record leak from zanaves.lol (OPSEC failure)

DGTLS-MNT Bulletproof Hosting Ranges (AS200823)

109.107.168.0/24
178.17.62.0/24
213.176.79.0/24
5.252.155.0/24
95.85.236.0/24
95.85.237.0/24
95.85.238.0/24
95.85.239.0/24

Abuse Contacts

Provider                Contact                          Scope
DEDIK SERVICES LIMITED  report@abuseradar.com            Staging + secondary IPs
MHost LLC               abuse@mhost.ee                   3 C2 IPs
Partner Hosting LTD     abuse@altawk.com                 2 C2 IPs
Peetinvest/Podaon       abuse@server-panel.net           ktoto.xyz IP
GREEN FLOID LLC         abuse@greenfloid.com             ktoto.xyz secondary
Dynadot LLC             abuse@dynadot.com                5 domains
PublicDomainRegistry    abuse@publicdomainregistry.com   zanaves.lol