From One Signed Binary to a 5-Server Russian RAT Farm: Mapping the PALLASNET SimpleHelp Cluster, an Abused Vendor Code-Signing Certificate, and an Exposed Cockpit Dashboard
A legitimately signed SimpleHelp agent with 10/76 detections led us to 5 C2 servers on a freshly provisioned /24, a Russian login portal, an exposed Cockpit interface leaking hostname dangerstock.stock, and neighbors spoofing Microsoft, Cloudflare, and Tesla.
A single SimpleHelp Remote Access Client appeared on MalwareBazaar on April 20, 2026 — a 634KB executable legitimately code-signed by SimpleHelp Ltd, calling back to 147.45.218[.]66:443. VT detection: 10/76. Most security products trusted the signature and let it pass.
We pivoted from that one sample into a 5-server SimpleHelp C2 cluster on the same /24 subnet, a Russian-language management portal at dangerstock[.]online, and an exposed Cockpit server administration interface leaking the internal hostname dangerstock.stock. All infrastructure was provisioned on a fresh subnet allocated roughly seven weeks before the first observed deployment. Four of the five SimpleHelp panels are still serving customer download pages at the time of publication.
The actor runs both SimpleHelp and ScreenConnect agents against victims — a dual-RAT strategy that provides redundant persistent access. Fortinet tracks this cluster as PALLASNET.M.
Table of Contents
- The Sample: A Legitimately Signed RAT
- The Cluster: 5 Servers, 1 Subnet
- dangerstock.online: The Management Portal
- The Cockpit OPSEC Burn
- SimpleHelp Panel Analysis
- Campaign Timeline
- Actor Profile
- What This Report Adds
- IOC Table
- MITRE ATT&CK Mapping
- Detection Signatures
- Recommendations
The Sample
| Field | Value |
|---|---|
| SHA256 | 03c95be86614645d68c66e5a190b6e8cdbb23a40ac1ae478eb36889f4e4b2f51 |
| Filename | Remote AccessWinLauncher.exe_icon.exe |
| File Type | PE32+ executable (GUI) x86-64 |
| Size | 648,928 bytes |
| First Seen | 2026-04-20 08:54:07 UTC |
| Reporter | JAMESWT_WT |
| Code Signing | Valid — SimpleHelp Ltd (DigiCert, expires 2027-03-19) |
| VT Detections | 10/76 |
| Product | SimpleHelp Remote Access Client v5.5.11.0 |
The binary is genuinely signed by SimpleHelp Ltd — not a stolen or forged certificate. The threat actor purchases legitimate SimpleHelp licenses, configures the Remote Access agent to call back to their own server, and distributes it to victims. Because the certificate chain validates correctly back to DigiCert, most endpoint protection products allow execution.
Embedded Configuration
The PE overlay (229,600 bytes, 35% of the file) contains the agent configuration. Authenticode hashing skips the attribute certificate table, so per-customer data stored inside that table (the usual way signed installers carry a custom configuration) leaves the vendor signature intact; which part of the overlay holds the SimpleHelp configuration is not established here, but a valid signature on a customised build is consistent with that layout.

- C2 callback: `http://147.45.218[.]66:443/access/`
- Service name: `Remote Access Service`
- Install path: `C:\ProgramData\JWrapper-Remote Access\`
- RSA-4096 public key: used to verify server identity on connection
- Install flags: `perm_all,/REPAIR,/REINSTALL`
- Developer artifact: `C:\Users\simplehelp\AppData\Local\Temp`, so the machine that built the binary had a user named literally `simplehelp`. Because the signed code itself was compiled by SimpleHelp Ltd, this most likely reflects the vendor's build environment rather than the actor's workstation and should not be read as an actor attribute without corroboration.
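To make the overlay step reproducible, here is an added Python example (not the report's own tooling, and not SimpleHelp's configuration format) that walks the PE32+ section table to find where the overlay begins, reads the security data directory to locate the attribute certificate table, and carves the report's indicator types (callback URL, JWrapper install path, builder user path) out of the overlay, recording whether each string sits inside the certificate table, the region Authenticode does not hash. The sample PE it builds is a constructed fixture with a TEST-NET callback address, not the real binary, and the regexes are assumptions about how the strings appear that should be adjusted against a real sample.

```python
import re
import struct

PE32PLUS_MAGIC = 0x20B
# PE32+ optional header: data directories start at offset 112; entry 4 is the
# security (attribute certificate) directory, whose VirtualAddress is a file offset.
SECURITY_DIR_OFFSET = 112 + 4 * 8

# Assumed string shapes for the indicator types the report lists; tune against a real sample.
PATTERNS = {
    "c2_url": re.compile(rb"https?://[0-9A-Za-z.\-]+(?::\d+)?/[\w./\-]*"),
    "install_path": re.compile(rb"[A-Z]:\\ProgramData\\JWrapper-[\w ]+\\?"),
    "builder_user": re.compile(rb"[A-Z]:\\Users\\([\w.\-]+)\\"),
}


def parse_layout(pe: bytes) -> dict:
    """Locate the overlay (bytes past the last section) and the certificate table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_of_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", pe, opt)[0] != PE32PLUS_MAGIC:
        raise ValueError("this example handles PE32+ only")
    cert_off, cert_size = struct.unpack_from("<II", pe, opt + SECURITY_DIR_OFFSET)
    sections = opt + size_of_opt
    end_of_sections = 0
    for i in range(n_sections):
        # Section header: Name[8], VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ...
        size_raw, ptr_raw = struct.unpack_from("<II", pe, sections + i * 40 + 16)
        end_of_sections = max(end_of_sections, ptr_raw + size_raw)
    return {
        "overlay_offset": end_of_sections,
        "overlay_size": len(pe) - end_of_sections,
        "cert_table": (cert_off, cert_size),
    }


def carve_config(pe: bytes) -> dict:
    """Search the overlay for the indicator strings and note whether each lies
    inside the certificate table, the region Authenticode leaves out of the hash."""
    layout = parse_layout(pe)
    base = layout["overlay_offset"]
    overlay = pe[base:]
    cert_off, cert_size = layout["cert_table"]
    indicators = {}
    for name, pat in PATTERNS.items():
        m = pat.search(overlay)
        if not m:
            continue
        value = m.group(1) if pat.groups else m.group(0)
        indicators[name] = {
            "value": value.decode("ascii", "replace"),
            "offset": base + m.start(),
            "inside_cert_table": cert_off <= base + m.start() < cert_off + cert_size,
        }
    return {**layout, "indicators": indicators}


def build_sample_pe() -> bytes:
    """Constructed fixture: a minimal PE32+ (one section) whose certificate table
    carries config-like strings. Not a real binary; the callback is a TEST-NET address."""
    config = (b"http://192.0.2.10:443/access/\0"
              b"C:\\ProgramData\\JWrapper-Remote Access\\\0"
              b"C:\\Users\\simplehelp\\AppData\\Local\\Temp\0")
    cert_blob = b"\0" * 64 + config                      # zeros stand in for the PKCS#7 blob
    cert_table = struct.pack("<IHH", 8 + len(cert_blob), 0x0200, 0x0002) + cert_blob
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x0022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<II", opt, SECURITY_DIR_OFFSET, 0x400, len(cert_table))
    section = struct.pack("<8sIIIIIIHHI", b".text\0\0\0",
                          0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section).ljust(0x200, b"\0")
    return headers + b"\xCC" * 0x200 + cert_table


if __name__ == "__main__":
    import json
    print(json.dumps(carve_config(build_sample_pe()), indent=2))
```

Run it against a real sample with `carve_config(open(path, "rb").read())`; if every indicator reports `inside_cert_table`, the configuration is riding in the unsigned part of the file and a signature check alone will never catch a repurposed agent.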
The Cluster
All five C2 servers sit on 147.45.218.0/24, allocated to Hostinux Limited (AS212701), a company registered in the UK with hosting in the Netherlands. The subnet was provisioned on 2025-08-05, roughly seven weeks before the first observed deployment (the 2025-09-21 URLScan capture of the .66 panel).
| IP | Shodan Ports | SimpleHelp /welcome | SimpleHelp /customer | RDP (3389) |
|---|---|---|---|---|
| 147.45.218[.]0 | 3389 | LIVE (3,283B) | LIVE (33,042B) | Open |
| 147.45.218[.]8 | 443, 3389 | LIVE (3,239B) | LIVE (33,042B) | Open |
| 147.45.218[.]35 | 443, 3389 | LIVE (3,239B) | LIVE (33,042B) | Open |
| 147.45.218[.]58 | 443 | LIVE (3,239B) | LIVE (33,042B) | — |
| 147.45.218[.]66 | 8443 | — | — | — |
Four of the five servers are actively serving SimpleHelp customer download portals. The .66 server (our initial sample's C2) has since been hardened: port 443 completes the TCP handshake but no longer returns HTTP, which is consistent with it being restricted to agent connections.
Three servers expose RDP on port 3389, which points to Windows hosts. The certificates presented on these ports are the products' self-signed defaults with no customisation.
The /welcome pages identify themselves as "Update in progress..." — a generic placeholder that the actor never bothered to customize. The pages offer four download options: On Demand Support (customer client), Technician Console, Unattended Remote Access, and Remote Work.
The customer embed.js files (33KB each) are identical across all four servers, confirming they run the same SimpleHelp build.
Welcome Page Hash Comparison
| Server | SHA-256 | Size |
|---|---|---|
| .0 | a93d01c9d47a40ee177e5864deed7e31b2734e295dee267ca6e56c1f457df981 | 3,283B |
| .8 | f70ac4ca9f388d901be061f85ea9f0a562ca226f013071be979df195eaf9ebed | 3,239B |
| .35 | f70ac4ca9f388d901be061f85ea9f0a562ca226f013071be979df195eaf9ebed | 3,239B |
| .58 | f70ac4ca9f388d901be061f85ea9f0a562ca226f013071be979df195eaf9ebed | 3,239B |
Three servers share the same welcome page hash. The .0 server has a slightly different page (44 bytes larger), possibly a different SimpleHelp version or branding configuration. All four are the same build generation.
dangerstock.online: The Management Portal
147.45.218[.]1 — the first usable IP in the subnet — hosts the actor's management infrastructure under the domain dangerstock[.]online.
The Login Portal
The root page serves a Russian-language login form:
```html
<html lang="ru">
<title>Вход в систему</title>
```
"Вход в систему" = "System Login". The page features:
- Animated gradient background (purple/blue) with floating bubble shapes
- Clean, modern form with username/password fields
- "Remember me" checkbox and "Forgot password?" link
- Login button with gradient matching the background
- Professional CSS animation (slideUp on load, hover effects)
This is not a hastily thrown-together panel — it's a polished, custom-built management portal. The actor invested in the UX.
Domain Registration
| Field | Value |
|---|---|
| Domain | dangerstock[.]online |
| Registrar | PDR Ltd. / PublicDomainRegistry.com |
| Status | clientTransferProhibited |
| Nameservers | ns1-4.timeweb.ru / ns3-4.timeweb.org |
| MX | mx1.timeweb.ru, mx2.timeweb.ru |
| SPF | v=spf1 include:_spf.timeweb.ru ~all |
Timeweb is a major Russian hosting provider. The domain uses Timeweb's DNS, mail, and SPF infrastructure — the actor has a Timeweb account for managing this domain. Shodan also reveals dangerstock[.]ru as a hostname on the same IP, suggesting the actor registered both TLDs.
The Cockpit OPSEC Burn
Port 9090 on dangerstock[.]online serves a Cockpit web administration interface — the standard Linux server management console. The login page leaks critical operational details:
```javascript
var environment = {
  "is_cockpit_client": false,
  "page": {"connect": true, "require_host": false},
  "hostname": "dangerstock.stock",
  "os-release": {
    "NAME": "Ubuntu",
    "ID": "ubuntu",
    "PRETTY_NAME": "Ubuntu 22.04.5 LTS",
    "ID_LIKE": "debian"
  }
};
```
| Artifact | Value |
|---|---|
| Internal hostname | dangerstock.stock |
| OS | Ubuntu 22.04.5 LTS |
| Cockpit mode | Connect mode (can manage remote hosts) |
The hostname dangerstock.stock uses an internal .stock TLD, probably an in-house naming convention built on the actor's handle. Two caveats apply to the Cockpit data. First, cockpit-ws embeds this environment object in every login page before authentication, so the leak is a consequence of exposing port 9090 to the internet rather than a custom misconfiguration. Second, `"page": {"connect": true}` only means the login form shows its "Connect to" field, through which Cockpit can open an SSH session to another Linux host; it does not show that the other cluster members are managed from here, and the Windows hosts behind the RDP ports could not be managed by Cockpit in any case.
SimpleHelp Panel Analysis
URLScan Historical Captures
URLScan captured the primary C2 (147.45.218[.]66) in two states:
September 2025: server banner `SimpleHelp/SSuite-5-5-20250611-135347`
- Running the 11 June 2025 release; the date in the banner is SimpleHelp's build date and only bounds the install from below
- Customer portal and branding served normally
November 2025: server banner `SimpleHelp/SSuite-5-5-20250819-172905`
- Upgraded to the 19 August 2025 release
- Still serving customer downloads
April 2026 (current): port 443 completes the TCP handshake but returns no HTTP response; the server has been restricted to agent-only connections.
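The three fingerprints used across this section and the two before it (hashing the `/welcome` bodies, reading the SimpleHelp server banner, and parsing the Cockpit environment object) are small enough to keep in one script. The following Python is an added example, not tooling from the report: `fetch()` is the only networked function and is only called from the `__main__`-guarded `survey()`, the sample pages use TEST-NET addresses as placeholders, and the Cockpit HTML is a constructed fixture that reproduces the values quoted above.

```python
import hashlib
import json
import re
import ssl
import urllib.request
from collections import defaultdict

# Banner form seen in the URLScan captures: SimpleHelp/SSuite-<major>-<minor>-<YYYYMMDD>-<HHMMSS>
_BANNER_RE = re.compile(r"SimpleHelp/SSuite-(\d+)-(\d+)-(\d{4})(\d{2})(\d{2})-(\d{6})")
# cockpit-ws writes "var environment = {...};" into login.html before authentication
_COCKPIT_ENV_RE = re.compile(r"var\s+environment\s*=\s*(\{.*?\})\s*;", re.S)


def fetch(host, path, port=443, timeout=8):
    """Fetch headers and body from a panel. Certificate verification is
    deliberately off: these panels present self-signed defaults."""
    ctx = ssl._create_unverified_context()
    url = f"https://{host}:{port}{path}"
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        return resp.headers, resp.read()


def group_by_hash(pages):
    """{host: body} -> {sha256: [hosts]}; identical bodies mean the same build and branding."""
    groups = defaultdict(list)
    for host, body in pages.items():
        groups[hashlib.sha256(body).hexdigest()].append(host)
    return {h: sorted(v) for h, v in groups.items()}


def parse_simplehelp_banner(server_header):
    """Pull version and build date out of the Server banner. The date is the
    vendor's build date: it bounds the install from below but does not date it."""
    m = _BANNER_RE.search(server_header or "")
    if not m:
        return None
    major, minor, y, mo, d, hms = m.groups()
    return {"version": f"{major}.{minor}", "build_date": f"{y}-{mo}-{d}", "build_time": hms}


def cockpit_environment(login_html):
    """Extract the pre-auth environment object from a Cockpit login page."""
    m = _COCKPIT_ENV_RE.search(login_html)
    if not m:
        return None
    env = json.loads(m.group(1))
    return {
        "hostname": env.get("hostname"),
        "os": env.get("os-release", {}).get("PRETTY_NAME"),
        # True only means the login form shows its "Connect to" (SSH) field.
        "connect_field": bool(env.get("page", {}).get("connect")),
    }


# Constructed fixtures: TEST-NET hosts, two identical bodies and one variant.
SAMPLE_PAGES = {
    "198.51.100.8": b"<html><body>Update in progress...</body></html>",
    "198.51.100.35": b"<html><body>Update in progress...</body></html>",
    "198.51.100.0": b"<html><body>Update in progress... </body></html>",
}
SAMPLE_COCKPIT_HTML = """<html><head><script>
var environment = {
  "is_cockpit_client": false,
  "page": {"connect": true, "require_host": false},
  "hostname": "dangerstock.stock",
  "os-release": {"NAME": "Ubuntu", "ID": "ubuntu",
                 "PRETTY_NAME": "Ubuntu 22.04.5 LTS", "ID_LIKE": "debian"}
};
</script></head></html>"""


def survey(hosts, port=443):
    """Live survey (network access): hash /welcome and read the banner for each host."""
    bodies, banners = {}, {}
    for host in hosts:
        try:
            headers, body = fetch(host, "/welcome", port)
        except Exception as exc:  # unreachable, or hardened to agent-only mode
            banners[host] = f"error: {exc}"
            continue
        bodies[host] = body
        banners[host] = parse_simplehelp_banner(headers.get("Server"))
    return group_by_hash(bodies), banners


if __name__ == "__main__":
    print(group_by_hash(SAMPLE_PAGES))
    print(parse_simplehelp_banner("SimpleHelp/SSuite-5-5-20250611-135347"))
    print(cockpit_environment(SAMPLE_COCKPIT_HTML))
```

Hash grouping reproduces the welcome-page table above from raw bodies; the banner parser makes the build-date point explicit, and the Cockpit parser returns the hostname and OS without needing the full page.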
MalwareBazaar Sample Ecosystem
At least 13 SimpleHelp agent builds have been tied to this cluster, ranging from v5.5.11.0 to v5.5.14.0. A ScreenConnect installer (submitted as ScreenConnect.zip) has also been observed calling back to the same infrastructure, which points to a dual-RAT strategy: victims receive both SimpleHelp and ScreenConnect so that access survives the removal of either one.
Campaign Timeline
| Date | Event |
|---|---|
| 2025-06-11 | SimpleHelp 5.5 agent build signed by SimpleHelp Ltd (DigiCert timestamp; a vendor release date, not actor activity) |
| 2025-06-11 | Build date of SSuite-5-5-20250611, the release later observed on .66 (install date not established) |
| 2025-08-05 | 147.45.218.0/24 subnet allocated (RIPE) |
| 2025-08-19 | SimpleHelp upgraded to SSuite-5-5-20250819 |
| 2025-09-21 | First URLScan capture of .66 /welcome page |
| 2025-11-07 | Second URLScan capture (upgraded version) |
| 2025-12-10 | dangerstock.online registered |
| 2026-02 | Earlier batch of MalwareBazaar samples (24/76 VT detections) |
| 2026-04-20 | Current sample appears (10/76 VT detections) |
The campaign has been operational since at least September 2025, about seven months of observed activity on a subnet allocated in August 2025; the June 2025 entries are SimpleHelp's own build and signing timestamps and do not show actor activity. The actor provisions fresh infrastructure, installs SimpleHelp, upgrades it over time, and periodically pushes new agent builds. Detection counts vary with the build (24/76 in February versus 10/76 in April), so the VT score of any one sample is a weak indicator of the cluster's visibility.
Actor Profile
| Attribute | Value | Evidence |
|---|---|---|
| Language | Russian | lang="ru" on dangerstock.online, Timeweb DNS/mail |
| Hosting | Timeweb (RU) + Hostinux (NL) | DNS records, RIPE allocation |
| Cluster name | PALLASNET.M | Fortinet attribution |
| Domains | dangerstock.online, dangerstock.ru | Shodan + DNS |
| Internal hostname | dangerstock.stock | Cockpit leak |
| OS | Ubuntu 22.04.5 LTS | Cockpit leak |
| RAT strategy | Dual — SimpleHelp + ScreenConnect | MalwareBazaar samples |
| Scale | 5 dedicated C2 servers | /24 subnet mapping |
| Campaign duration | 7+ months observed | Aug 2025 subnet allocation; Sep 2025 first capture; Apr 2026 latest sample |
| Builder machine | Username simplehelp | PE string artifact (most likely SimpleHelp Ltd's own build host, since the signed code was compiled by the vendor; not a reliable actor attribute) |
What This Report Adds
- The 5-server cluster is not publicly mapped. Individual samples referencing 147.45.218.66 exist in MalwareBazaar, but no public report connects all five IPs, the dangerstock.online management portal, or the Cockpit exposure.
- dangerstock.online is previously undocumented. The Russian login portal and its Timeweb infrastructure have not appeared in public threat intelligence.
- The Cockpit hostname leak (dangerstock.stock) provides an internal operational artifact not available from passive scanning.
- Four SimpleHelp panels are still serving customer download pages: active infrastructure that defenders can use for proactive blocking.
- The dual-RAT strategy (SimpleHelp + ScreenConnect) provides context for incident responders who may find one RAT but miss the other.
Credit to @JAMESWT_WT for the MalwareBazaar submission that started this pivot.
IOC Table
Network
| Type | Indicator | Context |
|---|---|---|
| IPv4 | 147.45.218[.]0 | SimpleHelp C2 + RDP |
| IPv4 | 147.45.218[.]1 | dangerstock.online management + Cockpit |
| IPv4 | 147.45.218[.]8 | SimpleHelp C2 + RDP |
| IPv4 | 147.45.218[.]35 | SimpleHelp C2 + RDP |
| IPv4 | 147.45.218[.]58 | SimpleHelp C2 |
| IPv4 | 147.45.218[.]66 | SimpleHelp C2 (initial sample) |
| Domain | dangerstock[.]online | Management portal |
| Domain | dangerstock[.]ru | Secondary domain (Shodan) |
| ASN | AS212701 (Hostinux Limited) | All infrastructure |
| CIDR | 147.45.218.0/24 | Subnet holding every IP identified above; only six addresses were verified as actor-controlled |
Files
| File | SHA256 | Notes |
|---|---|---|
| Remote Access agent | 03c95be86614645d68c66e5a190b6e8cdbb23a40ac1ae478eb36889f4e4b2f51 | v5.5.11.0, signed SimpleHelp Ltd |
Host Indicators
| Type | Value |
|---|---|
| Install path | C:\ProgramData\JWrapper-Remote Access\ |
| Service name | Remote Access Service |
| C2 URL | http://147.45.218[.]66:443/access/ |
| Code signing | SimpleHelp Ltd, DigiCert, thumbprint 40F61D013FE82F45E7B01D040B4653E8AE80E041 |
| RSA key fingerprint | bd9c1c498a3aea2bdbd77d94d67e95e5cd6ede5d27fc5cca252c3852526f372c |
MITRE ATT&CK Mapping
| Tactic | Technique | ID | Implementation |
|---|---|---|---|
| Resource Development | Obtain Capabilities: Tool | T1588.002 | Legitimate SimpleHelp + ScreenConnect licenses |
| Resource Development | Acquire Infrastructure: Virtual Private Server | T1583.003 | Fresh /24 at Hostinux Limited (AS212701) |
| Initial Access | Phishing | T1566 | Signed RAT delivered to victims (assumed delivery vector; not directly observed in this dataset) |
| Execution | User Execution: Malicious File | T1204.002 | Legitimately signed binary |
| Persistence | Create or Modify System Process: Windows Service | T1543.003 | Remote Access Service |
| Defense Evasion | Subvert Trust Controls: Code Signing | T1553.002 | Valid DigiCert certificate |
| Command and Control | Remote Access Software | T1219 | SimpleHelp + ScreenConnect |
| Command and Control | Proxy | T1090 | SimpleHelp connectivity gateway |
Detection Signatures
Network
```text
# SimpleHelp C2 cluster (block entire /24)
147.45.218.0/24
# dangerstock management domain
dangerstock.online
dangerstock.ru
# SimpleHelp agent callback pattern
http://147.45.218.*/access/
```
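To turn the network indicators into something that runs against telemetry, here is an added Python example (not from the report) that applies the three rules above to proxy-style log records: destination membership in the actor's /24 via the `ipaddress` module, the management domains including any subdomain, and the `/access/` agent path combined with the subnet. The log lines are constructed samples (internal RFC 1918 sources, RFC 5737 addresses on the benign side, and a made-up `panel.` subdomain); the column layout is an assumption and will need mapping to your own log schema.

```python
import ipaddress
import re
from collections import defaultdict

ACTOR_NETS = [ipaddress.ip_network("147.45.218.0/24")]     # from the report's IOC table
ACTOR_DOMAINS = {"dangerstock.online", "dangerstock.ru"}    # management domains
AGENT_URI = re.compile(r"^/access/")                        # SimpleHelp agent callback path

# Constructed proxy-log sample (not real telemetry). Columns:
# ts src_ip dst_ip dst_port host uri
SAMPLE_LOG = """\
2026-04-21T09:00:01Z 10.0.5.21 147.45.218.66 443 147.45.218.66 /access/
2026-04-21T09:00:07Z 10.0.5.21 147.45.218.66 443 147.45.218.66 /access/
2026-04-21T09:01:10Z 10.0.5.40 147.45.218.8 443 147.45.218.8 /customer
2026-04-21T09:02:33Z 10.0.7.3 198.51.100.20 443 www.example.com /
2026-04-21T09:03:00Z 10.0.5.40 147.45.218.1 443 panel.dangerstock.online /login
2026-04-21T09:04:12Z 10.0.9.9 203.0.113.5 443 cdn.example.net /access/
"""


def classify(dst_ip, host, uri):
    """Return (severity, reason) for one record, or None if it matches nothing.

    The /access/ path on its own is NOT a signal: it is SimpleHelp's default
    and every legitimate deployment uses it, so it only counts inside the actor's subnet."""
    in_net = any(ipaddress.ip_address(dst_ip) in net for net in ACTOR_NETS)
    host_l = host.lower().rstrip(".")
    actor_host = any(host_l == d or host_l.endswith("." + d) for d in ACTOR_DOMAINS)
    if in_net and AGENT_URI.match(uri):
        return "high", "simplehelp-agent-callback"
    if actor_host:
        return "high", "actor-management-domain"
    if in_net:
        return "medium", "actor-subnet"
    return None


def hunt(log_text):
    """Group hits by internal source so responders see every host touching the cluster."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, host, uri = line.split()
        verdict = classify(dst, host, uri)
        if verdict is None:
            continue
        hits[src].append({"ts": ts, "dst": dst, "port": int(dport),
                          "severity": verdict[0], "reason": verdict[1]})
    return dict(hits)


if __name__ == "__main__":
    for src, events in hunt(SAMPLE_LOG).items():
        print(src, [(e["severity"], e["reason"], e["dst"]) for e in events])
```

A source that shows both `simplehelp-agent-callback` and `actor-management-domain` hits warrants a full host review rather than a simple block, since the same actor also deploys ScreenConnect.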
Host
```text
# SimpleHelp persistence
C:\ProgramData\JWrapper-Remote Access\
HKLM\SYSTEM\CurrentControlSet\Services\Remote Access Service
# Code signing (legitimate cert abused by threat actor)
Thumbprint: 40F61D013FE82F45E7B01D040B4653E8AE80E041
Subject: SimpleHelp Ltd
```
YARA
```yara
rule PALLASNET_SimpleHelp_Agent {
    meta:
        description = "SimpleHelp Remote Access agent configured for PALLASNET cluster"
        author = "Breakglass Intelligence"
        date = "2026-04-20"
        hash = "03c95be86614645d68c66e5a190b6e8cdbb23a40ac1ae478eb36889f4e4b2f51"
    strings:
        $c2 = "147.45.218" ascii wide             // cluster-specific: the only string tying a build to this actor
        $path = "JWrapper-Remote Access" ascii wide // SimpleHelp default install path, present in legitimate agents
        $svc = "Remote Access Service" ascii wide   // SimpleHelp default service name, likewise generic
        $sh1 = "simplehelp-downloadtest" ascii
        $sh2 = "simplehelp-proxytest" ascii
    condition:
        // The cluster address is mandatory; the generic SimpleHelp strings only confirm the
        // file is a SimpleHelp agent. Matching on them alone would hit every legitimate install.
        uint16(0) == 0x5A4D and $c2 and ($path or $svc or any of ($sh*))
}
```
Recommendations
| Action | Priority |
|---|---|
| Block 147.45.218.0/24 at perimeter | Immediate |
| Block dangerstock.online and dangerstock.ru | Immediate |
| Hunt for `JWrapper-Remote Access` in the filesystem | High |
| Hunt for `Remote Access Service` in Windows services | High |
| Hunt for SimpleHelp agents calling 147.45.218.* | High |
| Hunt for ScreenConnect agents on the same network segments | High |
| Report to SimpleHelp Ltd for license abuse | Medium |
| Report to Hostinux Limited abuse contact | Medium |
Two caveats when acting on this list. The install path and service name are SimpleHelp's defaults, so a hit on either only proves that a SimpleHelp agent is present; confirm compromise by checking the agent's configured server address against the IOC table before remediating, or you will remove a legitimate IT tool. And only six addresses in the /24 were verified as actor-controlled: blocking the full range is defensible given the fresh allocation and the absence of any other observed tenant, but treat it as a block on a hosting range rather than on a single actor.
Investigation by Breakglass Intelligence. Credit to @JAMESWT_WT for the initial MalwareBazaar submission.