Category: Phishing (severity: high)
Published: March 13, 2026

Operation Fake Carbanak: How Vidar Stealer Operators Are Baiting Security Researchers With Legendary APT Source Code

Tags: #phishing #vidar #countloader #social-engineering #credential-theft #c2 #apt

"Source code of carbanak backdoor discovered.exe"

That's the actual filename. And it's working. Because if you're a malware analyst or threat intel researcher and someone drops a file with that name in your feed, you're going to open it. That's the whole play.

This isn't Carbanak source code. It's a Vidar Stealer binary compiled in Go 1.26.0, padded from 1.9MB to 34.2MB with null bytes, delivered in a password-protected archive (password: 9790), and phoning home to a bulletproof server in Moldova. The threat actor is specifically targeting the people who investigate malware for a living.

Not a One-Off

The filename "source code of carbanak backdoor discovered" isn't unique to Vidar. Our MalwareBazaar pivot found the same lure attached to three different malware families in a rotating campaign:

Date       | Family        | Hash / Source
-----------|---------------|------------------------------------------------------------------
March 2-3  | CountLoader   | Via MalwareBazaar tag pivot
March 6    | Smoke Loader  | Via MalwareBazaar tag pivot
March 11   | Vidar Stealer | a7ceb4b5a57e3552d627007f8a966f6743d6896ae66390d040c90767186bd8c4

Same bait, different hooks. The operator rotates payloads weekly while keeping the social engineering constant. This is a commoditized adaptation of DPRK/Lazarus researcher-targeting techniques (2021/2023), except aimed at the broader infosec community rather than specific individuals.

The Binary

The de-pumped sample is a Go executable with obfuscated type names -- Collectors, Contracts, Distinction, Liabilities, Procedures, Scheduled -- that map to standard stealer functionality. Internal name: exclusion.exe.

Four encrypted configuration blocks sit in the .rdata section, each prefixed with a unique marker: 5SkT2bAo, MasS94Ao, eStSYCAo, 5SzS94Ao. These likely contain the C2 URL, exfiltration parameters, and target application paths. Without dynamic execution, the configs resist static extraction -- which is the point.

Imports tell the story: crypt32.dll for credential theft, advapi32.dll for registry access, ws2_32.dll for network communications. Standard stealer toolkit.

Novel C2 Infrastructure

The C2 server at 37[.]221[.]66[.]22:11522 (TCP, custom protocol) is hosted by AlexHost SRL in Chisinau, Moldova -- a known bulletproof hosting provider operating under AS48753. The non-standard port is designed to evade basic network monitoring that focuses on 80/443/8080.

When we probed the server at 15:31 UTC, it was live. A Node.js/Express panel was running on port 3000. By 21:15 UTC, it was offline. Either the operator noticed our probing, or this infrastructure rotates on a schedule.

Two domains resolved to this IP historically: mratano[.]com (suspended) and equaltoogames[.]com (expired). Both are dead ends now, but they confirm this IP has been used for C2 operations before.

These IOCs are NOVEL -- they don't appear in any public threat intel feed as of analysis time.

Evasion Effectiveness

The Go compilation achieves 22% AV detection (17/76). The file pumping technique (94% null byte padding) is basic but effective -- it pushes the file past the size threshold for many automated scanners while the password-protected archive prevents gateway inspection.

IOCs

Sample:

  • a7ceb4b5a57e3552d627007f8a966f6743d6896ae66390d040c90767186bd8c4 -- Vidar binary (de-pumped)
  • Imphash: ebc247a77b4d4a804b261f97a1fd075c
  • Internal name: exclusion.exe
  • Archive password: 9790

C2 Infrastructure (NOVEL):

  • 37[.]221[.]66[.]22:11522 -- Primary C2 (AlexHost SRL, Chisinau, Moldova, AS48753)
  • 37[.]221[.]66[.]22:3000 -- Panel (Node.js/Express)
  • mratano[.]com -- Historical domain (suspended)
  • equaltoogames[.]com -- Historical domain (expired)

Config Markers: 5SkT2bAo, MasS94Ao, eStSYCAo, 5SzS94Ao

Detection Guidance

  1. Block 37[.]221[.]66[.]22 and monitor the 37.221.66.0/24 range for new C2 deployments
  2. Hunt for outbound TCP connections on port 11522 -- this is highly anomalous for legitimate traffic
  3. Alert on password-protected archives with files named *carbanak*, *source code*, or *backdoor discovered*
  4. YARA: Match the config block markers (5SkT2bAo, MasS94Ao) in Go-compiled PE binaries
  5. Researcher awareness: If a file promises source code of a famous APT tool, it's targeting you. Don't execute it, even in a sandbox, without checking the hash first.
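A small triage script for guidance item 4 and the file-pumping observation above, added here as an example and not part of the original post or any vendor tooling: it measures the null-byte ratio, strips a trailing null overlay (the padding placement is an assumption), and looks for the config markers in a Go-built PE. The "Go build ID:" string, the 50% pumping threshold and the embedded sample bytes are assumptions or constructed values, not data from the post.

```python
import hashlib

# Config block markers reported for the de-pumped Vidar sample (from the post).
CONFIG_MARKERS = (b"5SkT2bAo", b"MasS94Ao", b"eStSYCAo", b"5SzS94Ao")
# Toolchain stamp present in Go-built PE files (assumption, not from the post).
GO_BUILD_ID = b"Go build ID:"


def null_ratio(data: bytes) -> float:
    """Fraction of bytes that are 0x00; the pumped sample was ~94% nulls."""
    return data.count(0) / len(data) if data else 0.0


def depump(data: bytes) -> bytes:
    """Strip trailing null padding (assumes the pump is an overlay at EOF)."""
    return data.rstrip(b"\x00")


def found_markers(data: bytes) -> list:
    """Markers present, in the order the post lists them."""
    return [m.decode() for m in CONFIG_MARKERS if m in data]


def triage(data: bytes, pump_threshold: float = 0.5) -> dict:
    """Collect the traits this campaign showed: Go PE, null pumping, config
    markers. Reports evidence and the de-pumped hash for feed comparison."""
    ratio = null_ratio(data)
    stripped = depump(data)
    return {
        "is_pe": data[:2] == b"MZ",
        "is_go": GO_BUILD_ID in data,
        "null_ratio": round(ratio, 3),
        "pumped": ratio >= pump_threshold,   # threshold is an assumption
        "markers": found_markers(data),
        "depumped_size": len(stripped),
        "depumped_sha256": hashlib.sha256(stripped).hexdigest(),
    }


def hunt_hits(info: dict) -> bool:
    """True when a Go PE carries at least two of the markers (guidance item 4)."""
    return info["is_pe"] and info["is_go"] and len(info["markers"]) >= 2


def constructed_sample() -> bytes:
    """Constructed stand-in for a pumped Go PE; NOT the real sample."""
    body = (b"MZ" + b"\x90" * 200 + b'Go build ID: "constructed"\x00'
            + b"5SkT2bAo" + b"\x00" * 16 + b"MasS94Ao")
    return body + b"\x00" * 20_000   # the "pump": trailing null overlay


if __name__ == "__main__":
    result = triage(constructed_sample())
    print(result, "hunt hit:", hunt_hits(result))
```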