PingServer Unmasked: Live Steaelite RAT C2 on Bulletproof Infrastructure -- Error-Based Enumeration, Fake Agent Registration, and a Criminal Hosting Cluster
TL;DR: An active Steaelite RAT C2 server was identified at 91.92.240.197 on Omegatech LTD bulletproof hosting. Error-based enumeration of the ASP.NET Core application leaked the internal project namespace (PingServer.Models.SendInfoData), and a fake agent was successfully registered without any authentication -- meaning the C2 accepts arbitrary implant check-ins from anyone on the internet. The surrounding /24 subnet is a criminal hosting cluster containing a Discord token marketplace, a BlueKeep-vulnerable RDP server, and a cloned SushiSwap DeFi phishing site.
We Registered a Fake Agent on a Live RAT C2
The headline finding is straightforward: the PingServer C2 at 91.92.240.197 has zero authentication on its agent check-in endpoint. A single HTTP POST to /logs/sendInfo with a JSON body containing fabricated system information returned 200 "success" -- registering our fake agent in the operator's panel alongside real victims.
POST /logs/sendInfo HTTP/2
Host: 91.92.240.197
Content-Type: application/json
{"hostname":"RESP-TEST","username":"analyst","ip":"10.0.0.3",
"os":"Windows 11","hwid":"TEST-HWID-001","ram":16384,
"cpu":"Intel i9","version":"1.0"}
β HTTP/2 200 OK
β Content-Type: text/plain
β Body: "success"
This means any device on the internet can register as a managed implant. The hwid field serves as the agent identifier for subsequent command dispatch. There is no token, no certificate pinning, no shared secret. This is a significant operational security failure by the RAT operator -- and it gave us a window into the entire C2 protocol.
The finding also has defensive implications: security teams can flood the operator's panel with fake agents, degrading their ability to manage real victims (a technique sometimes called "sinkhole poisoning" or "C2 pollution").
Server Infrastructure
The C2 runs on a Windows Server with ASP.NET Core on Kestrel, hosted on Omegatech LTD's bulletproof infrastructure.
| Property | Value |
|---|---|
| IP | 91.92.240.197 |
| ASN | AS202412 (Omegatech LTD) |
| Location | Frankfurt am Main, Germany |
| Registrant | Omegatech LTD, House of Francis Room 303, Ile du Port, Mahe, Seychelles |
| OS | Windows Server (WSD + WinRM confirm) |
| Web Stack | ASP.NET Core / Kestrel |
| TLS | Self-signed, CN=localhost, TLSv1.3 (RSA 2048-bit) |
| Certificate Serial | 4804878F208E383E |
| Certificate Validity | 2026-01-07 to 2027-01-07 |
Open Ports
| Port | Service | Notes |
|---|---|---|
| 443 | Kestrel HTTPS | Primary C2 + web panel (HTTP/2) |
| 5000 | Kestrel HTTPS | Same application, dual port binding |
| 5357 | WSD | Microsoft-HTTPAPI/2.0 |
| 5985 | WinRM | Remote management (POST-only, 405) |
| 9000 | Unknown | TLS rejected, no HTTP, no banner -- likely custom binary protocol |
Ports 22, 80, 3389, 445, and 3306 are all closed. The operator uses WinRM (port 5985) for server management rather than RDP, and the same self-signed CN=localhost certificate is served on both ports 443 and 5000, confirming a single application with dual port bindings.
C2 Protocol: Full Endpoint Map
The investigation mapped the complete HTTP-based C2 protocol through a combination of directory brute-forcing, HTTP verb enumeration, and error-based information leakage.
Confirmed Endpoints
| Endpoint | Method | Response | Function |
|---|---|---|---|
/Account/Login | GET | 200 | Operator login form |
/Account/Login | POST | 200/302 | Authentication (200 = failed, 302 = success) |
/Account/Logout | POST | 302 | Session termination |
/agents | GET | 302 β Login | Agent management panel (auth required) |
/logs/sendInfo | POST | 200 | Agent check-in / registration |
/ping | POST | Hangs | Long-poll command dispatch channel |
/download/{type} | POST | Hangs | Payload delivery (wildcard route) |
/obfEncDownload/{id} | GET | Hangs | Obfuscated encrypted payload download |
The Long-Poll Architecture
PingServer uses HTTP long-polling rather than WebSockets or persistent TCP connections for command-and-control. The pattern works as follows:
- The agent POSTs to
/logs/sendInfowith system information (hostname, username, IP, OS, HWID, RAM, CPU). The server returns200 "success"immediately. - The agent POSTs to
/pingwith itshwid. The server holds the connection open indefinitely -- no response is sent until the operator pushes a command through the/agentsweb panel. - When the operator issues a task, the held
/pingconnection returns with the command payload. The agent executes and reports back. - Payload delivery follows the same long-poll pattern via
/download/{type}and/obfEncDownload/{id}.
This architecture is deliberately evasive. Each request looks like a normal HTTP POST to a web application. There are no unusual WebSocket upgrades, no keep-alive heartbeats, no binary protocol headers. The only anomaly detectable at the network layer is POST requests that hold connections open for extended periods -- a pattern that most IDS/IPS solutions do not flag by default.
The /download/* Wildcard
The /download/ route accepts any path parameter as a catch-all, functioning as a [Route("/download/{type}")] ASP.NET Core route. Testing confirmed it accepts at least 15 different payload type strings including agent, stager, payload, shellcode, exe, dll, ps1, bat, msi, and hta. All return HTTP 405 on GET (POST-only) and hang on POST (waiting for operator-pushed payload).
Error-Based Enumeration: Leaking the Internals
The critical intelligence breakthrough came from error-based enumeration of the /logs/sendInfo endpoint. ASP.NET Core's model validation proved remarkably chatty.
Step 1 -- Empty body leak: POSTing an empty body with Content-Type: application/json triggered a model validation error that leaked the full .NET namespace:
"The infoData field is required."
Namespace: PingServer.Models.SendInfoData
This confirmed the internal project name is "PingServer" and the check-in model class is SendInfoData.
Step 2 -- Type probing: POSTing different JSON types revealed the model's expectations:
{}(empty object) -- accepted, connection hangs (waiting for command dispatch){"infoData":"x"}--200 "success"(field satisfied)[](array) --400 "$ is invalid"(expects object, not array)null--400text/plainbody --415 Unsupported Media Type(RFC 7807 Problem Details)
Step 3 -- Fake registration: A full JSON object with fabricated system information was accepted with 200 "success", confirming that the server stores whatever agent data it receives with no validation beyond the presence of a JSON object.
MITRE ATT&CK Mapping
| Tactic | Technique | ID | Implementation |
|---|---|---|---|
| Initial Access | Phishing / Drive-by | T1566 / T1189 | Trojanized RDCMan.msi distribution |
| Execution | User Execution: Malicious File | T1204.002 | MSI installer execution |
| Persistence | Boot or Logon Autostart Execution | T1547 | Probable (Steaelite feature) |
| Defense Evasion | Obfuscated Files or Information | T1027 | /obfEncDownload/ encrypted payloads |
| Defense Evasion | Subvert Trust Controls | T1553 | Trojanized legitimate Microsoft tool |
| Credential Access | Credentials from Web Browsers | T1555.003 | Steaelite auto-harvest on connect |
| Credential Access | Steal Web Session Cookie | T1539 | Browser cookie extraction |
| Discovery | System Information Discovery | T1082 | /logs/sendInfo harvests hostname, OS, CPU, RAM |
| Discovery | System Owner/User Discovery | T1033 | Username exfiltration in check-in |
| Command and Control | Application Layer Protocol: Web | T1071.001 | HTTPS long-poll C2 over ports 443/5000 |
| Command and Control | Non-Standard Port | T1571 | Port 5000 (secondary), port 9000 (binary protocol) |
| Command and Control | Encrypted Channel | T1573 | Self-signed TLS, /obfEncDownload/ |
| Command and Control | Ingress Tool Transfer | T1105 | /download/{type} payload delivery |
| Exfiltration | Exfiltration Over C2 Channel | T1041 | Stolen data returned via same HTTPS channel |
| Impact | Data Encrypted for Impact | T1486 | Steaelite ransomware module (reported capability) |
The Malware: Trojanized RDCMan.msi
The delivery vehicle is a trojanized Microsoft Remote Desktop Connection Manager installer.
| Property | Value |
|---|---|
| Filename | RDCMan.msi |
| SHA-256 | c32932c7d7f18719a762cca23ba3ab6747c1953256084b24084a683382adac4a |
| Disguise | Microsoft Remote Desktop Connection Manager |
| C2 Server | 91.92.240.197:443 |
| C2 Paths | /download/agent, /obfEncDownload/, /logs/sendInfo, /ping |
The infection chain proceeds through a predictable sequence: victim downloads and executes the trojanized MSI (likely via SEO poisoning, malvertising, or phishing), the installer deploys the legitimate RDCMan alongside a malicious .NET payload, the payload checks in to the C2 via /logs/sendInfo with full system fingerprinting, and the agent begins polling /ping for operator commands. Public reporting on Steaelite indicates the RAT performs immediate credential harvesting on initial connect -- browser passwords, cookies, and session tokens are exfiltrated before the operator even interacts with the agent.
Framework Identification: Steaelite RAT (High Confidence)
The following characteristics map directly to public Steaelite RAT reporting from BlackFog, The Register, and GBHackers (all published February 2026):
| Feature | Steaelite (Reported) | This Server | Match |
|---|---|---|---|
| .NET-based | Yes | ASP.NET Core / Kestrel | Yes |
| Browser web panel | Yes | /Account/Login β /agents | Yes |
| Windows C2 server | Yes | WSD + WinRM confirm | Yes |
| Self-signed TLS | Typical | CN=localhost | Yes |
| Auto-credential theft | On connect | /logs/sendInfo hangs post-checkin | Yes |
| Multiple payload types | Yes | /download/* wildcard | Yes |
| Encrypted downloads | Yes | /obfEncDownload/* | Yes |
| Trojanized legitimate tools | Yes | RDCMan.msi | Yes |
| Commercial RAT ($200-500/mo) | Yes | Bulletproof hosting investment | Yes |
Steaelite's reported capabilities include browser credential harvesting, remote code execution, file management, live webcam/microphone streaming, keylogging, clipboard monitoring, DDoS functionality, ransomware deployment, hidden RDP access, Windows Defender manipulation, UAC bypass, USB propagation, cryptocurrency address clipping, and location tracking. This is a full-spectrum RAT with double-extortion capabilities -- the operator can both steal data and deploy ransomware from the same panel.
The internal name "PingServer" likely refers to the C2 server component specifically, with the /ping endpoint serving as the namesake command polling channel.
The Criminal Neighborhood: 91.92.240.0/24
The Omegatech LTD /24 range is not just hosting a single C2 server. It is a criminal hosting cluster with multiple distinct operations sharing the same bulletproof infrastructure.
Subnet Map
| IP | Operation | Status |
|---|---|---|
.195 | Suspicious redirect (bkletyrieside4984949awer.org β cloudflare.com) | Active |
.197 | PingServer / Steaelite RAT C2 (this investigation) | Active |
.199 | Plesk hosting panel | Active |
.202 | Fake SushiSwap DEX (DeFi wallet phishing) | Active |
.206 | Shearkey's Kingdom (Discord token marketplace) | Active |
.207 | BlueKeep-vulnerable RDP (CVE-2019-0708) | Active |
.208 | Restricted nginx (403 Forbidden) | Active |
Shearkey's Kingdom (.206) -- Discord Token Marketplace
The most thoroughly documented neighbor is a Discord boost and token marketplace operated by Malik Shahzain (shahzain345), based in Islamabad, Pakistan. The operation runs a React/Vite dashboard at dashboard.shearkeykingdom.com with a full product catalog (Discord tokens at $0.05, server boosts at $0.20-0.475, Nitro at $29.99, aged accounts, and stolen Disney+ credentials). A Discord Registration Coordination Server on port 3010 exposes a real-time status API showing active captcha solvers and pending automated Discord account registrations.
Shahzain's GitHub profile (shahzain345, 28 repos, 54 followers) includes public repositories for hCaptcha solvers, Discord multi-tools, token bots, self-bots, mass joiners, and account generators. The operation has been repeatedly terminated by Discord and Sellix but rebuilds each time.
SushiSwap DeFi Phishing (.202)
A cloned SushiSwap decentralized exchange interface designed to steal cryptocurrency wallet credentials and drain funds. Built with Vite/React, served over HTTPS.
Assessment
These are likely separate operators sharing the same bulletproof hosting provider. No direct evidence links the PingServer C2 operator to Shahzain or the DeFi phishing operation. However, co-tenancy on Omegatech LTD infrastructure -- a provider already flagged on ThreatFox (first seen January 31, 2026) and AbuseIPDB -- indicates all tenants have similar threat profiles and deliberately chose infrastructure designed to resist law enforcement takedowns.
Defensive Recommendations
Immediate Actions
- Block the C2 IP and subnet. Add
91.92.240.197to blocklists. Consider blocking the entire91.92.240.0/24range -- every host surveyed is either malicious or suspicious. - Hunt for historical connections. Search proxy logs, DNS logs, and NetFlow data for any connections to
91.92.240.197on ports 443, 5000, or 9000. Any match indicates a compromised endpoint. - Validate RDCMan installations. Hash-check any
RDCMan.msifiles in your environment against Microsoft's known-good hashes. The trojanized installer SHA-256 is listed in the IOC table below. - Deploy the detection signatures. Snort/Suricata rules and YARA rules are provided in the IOC section for both network and host-based detection.
Network Detection
- Flag long-poll HTTP POST requests. POST requests to external IPs that hold connections open for more than 30 seconds are anomalous in most enterprise environments and are the primary behavioral indicator for this C2 pattern.
- TLS certificate alerting. Self-signed certificates with
CN=localhostoriginating from AS202412 (Omegatech LTD) should generate high-confidence alerts. - URI monitoring. Add
/logs/sendInfo,/ping,/download/, and/obfEncDownload/to proxy inspection rules. These URI patterns are specific to the PingServer C2 protocol.
Strategic Measures
- ASN-level blocking. AS202412 (Omegatech LTD) is a confirmed bulletproof hosting provider with no legitimate business traffic. Blocking the entire ASN is a low-false-positive, high-impact defensive measure.
- MSI execution controls. Enforce application whitelisting or code-signing verification for
.msiinstallers, particularly for IT administration tools that are common trojanization targets. - Abuse reporting. Report to
abuse@omegatech.sc(likely ineffective given the provider's bulletproof nature), submit the RDCMan.msi hash to VirusTotal for community detection, and report the Discord marketplace to Discord Trust & Safety.
Indicators of Compromise
Network Indicators
| Type | Indicator | Context |
|---|---|---|
| IPv4 | 91.92.240.197 | PingServer / Steaelite RAT C2 |
| Port | 443/tcp | Primary C2 (HTTPS/Kestrel) |
| Port | 5000/tcp | Secondary C2 (same application) |
| Port | 9000/tcp | Unknown binary protocol channel |
| ASN | AS202412 | Omegatech LTD (bulletproof hosting) |
| IPv4 | 91.92.240.202 | SushiSwap DeFi phishing (co-hosted) |
| IPv4 | 91.92.240.206 | Discord token marketplace (co-hosted) |
| IPv4 | 91.92.240.207 | BlueKeep-vulnerable RDP (co-hosted) |
TLS Certificate
| Field | Value |
|---|---|
| Subject | CN=localhost |
| Issuer | CN=localhost (self-signed) |
| Serial | 4804878F208E383E |
| SHA-256 Fingerprint | 92:B4:19:A8:60:3E:30:29:DD:16:81:CE:9E:C2:36:0D:2D:42:01:B3:7E:0F:9D:1F:AF:2E:CB:BC:C6:D6:FE:9D |
| Validity | 2026-01-07 to 2027-01-07 |
| Algorithm | RSA 2048-bit, sha256WithRSAEncryption |
File Indicators
| Filename | SHA-256 | Notes |
|---|---|---|
RDCMan.msi | c32932c7d7f18719a762cca23ba3ab6747c1953256084b24084a683382adac4a | Trojanized Microsoft Remote Desktop Connection Manager |
URI Indicators
| Method | URI | Function |
|---|---|---|
| POST | /logs/sendInfo | Agent check-in (namespace: PingServer.Models.SendInfoData) |
| POST | /ping | Long-poll command dispatch channel |
| POST | /download/{type} | Payload delivery (wildcard route) |
| GET | /obfEncDownload/{id} | Obfuscated encrypted payload download |
| GET | /Account/Login | Operator web panel login |
| GET | /agents | Operator agent management (auth required) |
Historical Domains (Same Infrastructure)
| Domain | Activity | Date |
|---|---|---|
client-bill-support.info | Billing scam phishing | 2024-04-22 |
bkletyrieside4984949awer.org | Suspicious redirect | 2026 |
YARA Rule
rule PingServer_Steaelite_RAT_C2 {
meta:
description = "Detects PingServer/Steaelite RAT C2 communication patterns"
author = "Breakglass Intelligence"
date = "2026-03-03"
tlp = "TLP:CLEAR"
reference = "https://intel.breakglass.tech"
strings:
$uri1 = "/logs/sendInfo" ascii wide
$uri2 = "/download/agent" ascii wide
$uri3 = "/obfEncDownload/" ascii wide
$uri4 = "/ping" ascii wide
$uri5 = "/Account/Login" ascii wide
$ns1 = "PingServer.Models" ascii wide
$ns2 = "PingServer.Models.SendInfoData" ascii wide
$field1 = "infoData" ascii wide
$ip1 = "91.92.240.197" ascii wide
$file1 = "RDCMan.msi" ascii wide
$cert1 = "4804878F208E383E" ascii wide
condition:
2 of ($uri*) or any of ($ns*) or
($file1 and any of ($uri*)) or
any of ($cert*)
}
Snort/Suricata Rules
# Steaelite/PingServer C2 β Agent check-in
alert http any any -> 91.92.240.197 any (msg:"STEAELITE-RAT Agent Check-in"; \
content:"POST"; http_method; content:"/logs/sendInfo"; http_uri; \
content:"application/json"; http_header; sid:2026030311; rev:1;)
# Steaelite/PingServer C2 β Command poll
alert http any any -> 91.92.240.197 any (msg:"PINGSERVER-RAT Command Poll"; \
content:"POST"; http_method; content:"/ping"; http_uri; \
content:"application/json"; http_header; sid:2026030315; rev:1;)
# Steaelite/PingServer C2 β Payload download
alert http any any -> 91.92.240.197 any (msg:"STEAELITE-RAT Payload Download"; \
content:"POST"; http_method; content:"/download/"; http_uri; \
sid:2026030312; rev:1;)
# Steaelite/PingServer C2 β Encrypted download
alert http any any -> 91.92.240.197 any (msg:"STEAELITE-RAT Encrypted Download"; \
content:"/obfEncDownload/"; http_uri; sid:2026030313; rev:1;)
# Omegatech bulletproof hosting β Self-signed localhost cert
alert tls any any -> 91.92.240.0/24 any (msg:"OMEGATECH Suspicious Self-Signed Cert"; \
tls.cert_subject; content:"CN=localhost"; sid:2026030314; rev:1;)
Conclusion
This investigation fully mapped a live Steaelite RAT C2 server from the outside without credentials or malware execution. The ASP.NET Core application's verbose error handling leaked its internal namespace and data model, and the complete absence of agent authentication allowed a fake implant to be registered on the operator's panel -- a remarkable operational security failure for a commercial RAT that reportedly costs $200-500/month.
The C2's HTTP long-poll architecture is specifically designed to evade network detection by disguising command-and-control traffic as ordinary web requests. Defenders should focus on behavioral indicators -- particularly POST requests with anomalously long hold times to external IPs -- rather than signature-based approaches alone.
The broader finding is equally significant: the 91.92.240.0/24 subnet on Omegatech LTD (AS202412) is a confirmed criminal hosting cluster. Every surveyed host in the range is running malicious infrastructure, from RAT C2 to DeFi phishing to automated Discord abuse tooling. The entire ASN warrants defensive blocking in enterprise environments.
The server was operational and accepting agent registrations as of 2026-03-03 13:10 UTC.
Published by Breakglass Intelligence. Investigation conducted 2026-03-03. Classification: TLP:CLEAR