Severity: Medium | Category: Phishing

Pulsar RAT v2.4.5 — MSI Dropper with GUID-Encoded Shellcode & Cloudflare Workers C2

Investigated: March 14, 2026 | Published: March 14, 2026
Tags: phishing, social-engineering, credential-theft, c2, exploit, apt

Breakglass Intelligence — GHOST Operator Report
Date: 2026-03-13
Classification: Active Campaign — Pulsar RAT MaaS
Confidence: HIGH


Executive Summary

haunt.msi is a Windows Installer package that delivers Pulsar RAT v2.4.5.0, a sophisticated open-source .NET Remote Access Trojan. Although the sample was tagged as "njRAT" on initial submission, static analysis definitively identifies the payload as Pulsar RAT — a feature-rich MaaS implant with cryptocurrency clipboard hijacking, credential theft, keylogging, webcam/audio capture, and browser profile cloning.

The loader employs three distinct evasion innovations:

  1. GUID-encoded shellcode — 973 KB of x64 shellcode stored as 60,820 Windows GUIDs in the PE .rdata section, evading signature-based detection
  2. In-memory CLR hosting — bypasses AMSI, ETW, and WLDP before reflectively loading the .NET payload
  3. Cloudflare Workers C2 relay: host.fedmenigga.workers.dev proxies all C2 traffic through Cloudflare's CDN to a Frankfurt Windows Server VPS, preventing domain blocklisting

The campaign is actively running as of 2026-03-13, with new Pulsar RAT clients (yuorw.exe) deployed same-day as this sample. The backend infrastructure serves multiple toolsets including a Python DDoS agent and cross-platform payloads, indicating a capable actor running a sustained multi-capability campaign since at least February 2026.


Sample Metadata

Field           Value
Filename        haunt.msi
SHA256          e4bd27de913a316b2033eb45baf21ba09ff05000a910542f7ffc50117b4aee26
MD5             7d19b113f3faf859bec3e2c89fc80e03
SHA1            640c92982d1d3de852daba1e51036d1950f11ee4
File Type       Windows Installer (MSI) — Composite Document File V2
File Size       3,309,962 bytes (3.16 MB)
First Seen      2026-03-12 17:17:56 UTC
VT Detections   5 / 76 (ESET, Kaspersky, Sangfor, Skyhigh, Tencent)
Reporter        smica83
VT Tags         malware, checks-usb-bus, msi
Submitted Name  haunt.msi / 6dcf82.msi
Build Tool      WiX Toolset 6.0.2.0
Compile Time    2026-03-11 21:49:42 UTC (MSI) / 2026-02-02 03:57:13 UTC (DLL)

Static Analysis

MSI Structure

The installer is built with WiX Toolset 6.0.2.0. Key metadata from the MSI database:

Field           Value
Product Name    JJRIPKSKP (random gibberish)
Manufacturer    SEMPK
ProductCode     {43B1A54F-CBF4-440F-9EC9-1F6F3E5A9DC6}
UpgradeCode     {DB2F2180-BFEB-4C7D-87A7-003AFDEFE794}
RevisionNumber  {F33C6B39-ED26-432B-8E9A-20F3917C9583}
Registry Key    Software\SEMPK\JJRIPKSKP

The MSI contains a single embedded binary (Binary.LoaderDll, 3,146,825 bytes) invoked via a CustomAction called RunDll:

Action:  RunDll
Source:  nGOYQVFxRyF       (exported function name)
Target:  rundll32.exe "cfgmgr.dll", nGOYQVFxRyF

A silent rollback action (FSilent) is configured, suppressing any UI during installation.

Binary.LoaderDll — The Loader (cfgmgr.dll masquerade)

Field             Value
Type              PE32+ (64-bit DLL)
Sections          11 sections
Image Base        0x25b100000
Timestamp         2026-02-02 03:57:13 UTC
Export Name       cfgmgr.dll (Windows Configuration Manager — DLL hijack masquerade)
Anti-debug        IsDebuggerPresent, CheckRemoteDebuggerPresent
Persistence       Software\Microsoft\Windows\CurrentVersion\Run
Injection target  notepad.exe

Exported functions (masquerading as legitimate cfgmgr.dll):

DllInstall          FlushInstallLog     GetConfigurationValue
GetDiagnosticsInfo  GetProductVersion   MsiHelperCleanup
nGOYQVFxRyF         RqaAvOHynShq        ServiceMain
SetConfigurationValue

The export actually invoked by the CustomAction, and therefore the loader's effective entrypoint, is nGOYQVFxRyF (obfuscated name).

NT API imports for process injection (loaded directly from ntdll.dll):

ZwAllocateVirtualMemory     ZwWriteVirtualMemory      ZwProtectVirtualMemory
ZwQueueApcThread            ZwResumeThread            ZwSetContextThread
ZwGetContextThread          ZwCreateSection           ZwMapViewOfSection
ZwUnmapViewOfSection        ZwSetInformationThread    RtlAddFunctionTable

Section layout:

Section  Size (hex)  Note
.text    0x3cc0      Loader code
.data    0x79b90     Runtime data
.rdata   0x252458    GUID-encoded shellcode (2.43 MB)

GUID-Encoded Shellcode — Novel Obfuscation Technique

The .rdata section contains 60,820 Windows GUID-formatted entries that together encode 973,120 bytes of x64 shellcode. Each GUID's bytes are stored in Windows in-memory GUID format, requiring byte-swapping of the first three components during decoding:

Raw GUID:   000098e9-5300-5756-5541-504151415241
Windows LE: e9 98 00 00 | 00 53 | 56 57 | 55 41 50 41 51 41 52 41
Decoded:    e9 98 00 00 00 53 56 57 55 41 50 41 51 41 52 41
Assembly:   JMP +0x98       PUSH RBX PUSH RSI PUSH RDI PUSH RBP PUSH R8 PUSH R9 PUSH R10 ...

The first instruction (E9 98 00 00 00, a JMP rel32 with displacement 0x98) skips the 0x98-byte header and lands on the actual shellcode at offset 0x9d (5 + 0x98).

This technique is not seen in common malware families and appears purpose-built to evade signature-based detection systems that scan for shellcode byte sequences.
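A decoder for this GUID encoding, written as an added example for analysts (it is not code from the report, the loader or Pulsar RAT). It assumes the GUIDs sit in the dumped .rdata as ASCII text, which the report does not state, and relies on the Windows GUID layout (Data1/Data2/Data3 little-endian, then 8 raw bytes) that Python's `uuid.UUID(...).bytes_le` reproduces; the section bytes below are constructed, not taken from the sample.

```python
"""Decode GUID-encoded shellcode of the kind the report describes in .rdata.

Added example, not code from the report, the loader or Pulsar RAT.
Assumptions (labelled): the GUIDs sit in the dumped section as ASCII text
(the report gives only their count and the section, not the storage form),
and a Windows GUID is laid out Data1 (u32 LE), Data2 (u16 LE), Data3 (u16 LE)
followed by 8 raw bytes, which is exactly what uuid.UUID(...).bytes_le yields.
"""
import re
import struct
import uuid
from typing import Dict, List, Optional

GUID_RE = re.compile(
    rb"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"
)


def extract_guid_strings(section: bytes) -> List[str]:
    """Every ASCII GUID in a dumped section, in file order (padding is ignored)."""
    return [m.group(0).decode("ascii") for m in GUID_RE.finditer(section)]


def guid_to_shellcode_bytes(guid_text: str) -> bytes:
    """One GUID -> its 16 in-memory bytes: the first three fields byte-swapped,
    the last 8 bytes copied as-is."""
    return uuid.UUID(guid_text).bytes_le


def decode_guid_shellcode(guids: List[str]) -> bytes:
    """Concatenate the in-memory form of every GUID (60,820 GUIDs -> 973,120 bytes)."""
    return b"".join(guid_to_shellcode_bytes(g) for g in guids)


def entry_offset_after_jmp(shellcode: bytes) -> Optional[int]:
    """If the blob opens with JMP rel32 (E9 xx xx xx xx), return its target,
    5 + rel32 (0x9d for the report's E9 98 00 00 00); otherwise None."""
    if len(shellcode) < 5 or shellcode[0] != 0xE9:
        return None
    rel32 = struct.unpack_from("<i", shellcode, 1)[0]
    return 5 + rel32


def analyse_section(section: bytes) -> Dict[str, object]:
    """The summary an analyst wants before writing the blob out for disassembly."""
    guids = extract_guid_strings(section)
    shellcode = decode_guid_shellcode(guids)
    return {
        "guid_count": len(guids),
        "shellcode_len": len(shellcode),
        "first_16": shellcode[:16].hex(" "),
        "entry_offset": entry_offset_after_jmp(shellcode),
    }


# Constructed .rdata fragment: the GUID quoted in the report, then a second,
# constructed GUID (a NOP sled), each NUL-terminated and padded, with unrelated
# read-only data before and after. These are not bytes from the real sample.
REPORT_GUID = "000098e9-5300-5756-5541-504151415241"
CONSTRUCTED_GUID = "90909090-9090-9090-9090-909090909090"
CONSTRUCTED_RDATA = (
    b"\x00\x00RSDS" + b"\x00" * 6
    + REPORT_GUID.encode("ascii") + b"\x00" * 4
    + CONSTRUCTED_GUID.encode("ascii") + b"\x00" * 4
    + b"\x00" * 8
)

if __name__ == "__main__":
    for key, value in analyse_section(CONSTRUCTED_RDATA).items():
        print(f"{key:>14}: {value}")
    # first_16 is e9 98 00 00 00 53 56 57 55 41 50 41 51 41 52 41, entry 0x9d
```

On a real dump, feed the raw `.rdata` bytes (for example the section data read with `pefile`) to `analyse_section` and write `decode_guid_shellcode(...)` to a file for the disassembler.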

Shellcode Internals — CLR Host with Triple Bypass

The 973 KB shellcode acts as a native CLR host performing three bypass operations before loading the .NET payload:

1. AMSI Bypass:

AmsiInitialize    AmsiScanBuffer    AmsiScanString

The shellcode patches AMSI functions in memory to disable antivirus scanning of script content.

2. ETW Bypass:

EtwEventWrite    EtwEventUnregister

Event Tracing for Windows (used by EDRs) is disabled by overwriting the function prologue.

3. WLDP Bypass (Windows Lockdown Policy):

WldpQueryDynamicCodeTrust    WldpIsClassInApprovedList

Windows Lockdown Policy functions are bypassed to allow dynamic code execution.

CLR Loading sequence:

ole32;oleaut32;wininet;mscoree;shell32   (DLLs loaded for CLR host)
v4.0.30319                               (.NET 4.0 runtime)

The shellcode then reflectively loads an embedded .NET PE (the Pulsar RAT payload) from position 0x99b41 in the decoded shellcode, using a custom in-memory PE loader.

Embedded Payload — Pulsar RAT v2.4.5.0 (.NET)

Identification:

costura.pulsar.common.dll.compressed|2.4.5.0|Pulsar.Common, Version=2.4.5.0,
  Culture=neutral, PublicKeyToken=null|Pulsar.Common.dll|71AD34CD9F4F3EE2328CA1C7A64A576499208F43|187392

The payload is definitively identified as Pulsar RAT v2.4.5.0 via its embedded Pulsar.Common.dll (SHA1: 71AD34CD9F4F3EE2328CA1C7A64A576499208F43).

Embedded dependencies (Costura.Fody):

  • messagepack.dll — MessagePack serialization for C2 protocol
  • messagepack.annotations.dll
  • pulsar.common.dll — Pulsar RAT shared library
  • system.buffers.dll, system.collections.immutable.dll, system.memory.dll
  • system.threading.tasks.extensions.dll
  • system.runtime.compilerservices.unsafe.dll

Capabilities extracted from .NET user string heap:

Category          Evidence
Keylogging        Gma.System.MouseKeyHook, KeyloggerService
Screen capture    SharpDX, SharpDX.Direct3D11, SharpDX.DXGI, SharpDX.D3DCompiler
Webcam            AForge.Video, AForge.Video.DirectShow, FilterInfoCollection
Audio             NAudio.Core, NAudio.Wasapi, "Error stopping audio"
Crypto hijack     Regex patterns for BTC/ETH/LTC/XMR/SOL/XRP/TRX/BCH (see below)
Browser theft     PK11SDR_Decrypt (Firefox), logins (Firefox logins.json), "Cloning browser profile"
Browser targets   Chrome, Edge, Brave (Local\BraveSoftware\Brave), Opera (Roaming\Opera Software\Opera Stable)
Remote execution  <ExecuteViaRunPE>b__0 (process hollowing)
Handle hijacking  "Remote file handle hijacked successfully", OpenProcess
IP geolocation    https://ipwho.is/
Anti-VM           CheckForVMwareAndVirtualBox, VMware/VirtualBox/QEMU/Parallels strings
Anti-debug        x32dbg, x64dbg, windbg, ollydbg, dnspy, immunity debugger, ida
Remote chat       FrmRemoteChat, Sendpacket, "Chat has been ended"
Registry          HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize
Persistence       Software\Microsoft\Windows\CurrentVersion\Run, notepad.exe

Cryptocurrency wallet clipboard hijacker — Targeted currencies:

Currency            Detection Regex
Bitcoin (BTC)       ^(1|3|bc1)[a-zA-Z0-9]{25,39}$
Ethereum (ETH)      ^0x[a-fA-F0-9]{40}$
Monero (XMR)        ^4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}$
Solana (SOL)        ^[1-9A-HJ-NP-Za-km-z]{32,44}$
Litecoin (LTC)      ^(L|M|3)-9]{26,33}$   (as recovered; the character class is truncated)
XRP (X-address)     ^X[1-9A-HJ-NP-Za-km-z]{33}$
Ripple (r-address)  ^r[0-9a-zA-Z]{24,34}$
TRON (TRX)          ^T[1-9A-HJ-NP-Za-km-z]{33}$
Bitcoin Cash (BCH)  ^(bitcoincash:)?(q|p)[a-z0-9]{41}$

When a victim copies a crypto wallet address to their clipboard, Pulsar RAT replaces it with the attacker's address before the victim can paste it.

Firefox Password Theft — PKCS#11 decryption:

PK11SDR_Decrypt      logins       httpRealm
formSubmitURL        usernameField    EncryptedUsername

Infection Chain / Kill Chain

[1] DELIVERY
    haunt.msi delivered to victim (method unknown — likely social engineering)
    └── File: haunt.msi (3.16 MB, WiX Toolset 6.0.2.0)

[2] EXECUTION
    User runs MSI → Windows Installer executes CustomAction
    └── rundll32.exe "<temp>\cfgmgr.dll",nGOYQVFxRyF
        (MSI drops Binary.LoaderDll → cfgmgr.dll in %TEMP%)

[3] LOADER STAGE (cfgmgr.dll / Binary.LoaderDll)
    ├── Reads 60,820 GUID entries from .rdata section
    ├── Decodes GUID format → raw x64 shellcode (973 KB)
    ├── Allocates RWX memory, copies shellcode
    └── Transfers execution to shellcode

[4] SHELLCODE STAGE (973 KB x64)
    ├── AMSI bypass (patches AmsiScanBuffer)
    ├── ETW bypass (patches EtwEventWrite)
    ├── WLDP bypass (patches WldpQueryDynamicCodeTrust)
    ├── Loads CLR runtime (mscoree.dll → v4.0.30319)
    ├── Reflectively loads embedded Pulsar RAT .NET PE
    └── Hands execution to .NET runtime

[5] PAYLOAD STAGE (Pulsar RAT v2.4.5.0)
    ├── Anti-VM checks (VMware/VirtualBox/QEMU/Parallels/Cuckoo)
    ├── Anti-debug checks (x64dbg/WinDbg/dnspy/etc.)
    ├── Persistence: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    ├── IP geolocation: GET https://ipwho.is/
    ├── C2 connection: HTTPS → host.fedmenigga.workers.dev:443
    │   └── Cloudflare Worker relay → 31.57.147.207:? (backend)
    └── Waits for operator commands:
        ├── Keylog
        ├── Screenshot / screen stream (SharpDX)
        ├── Webcam capture (AForge)
        ├── Audio capture (NAudio)
        ├── Clipboard monitor → crypto address replacement
        ├── Browser credential dump (Chromium + Firefox)
        ├── Remote shell
        ├── File manager
        ├── Process manager / injection
        └── Remote chat

[6] PERSISTENCE
    Registry Run key: notepad.exe (or injected process)
    CLSID registration: {6C683247-F56D-470B-AAFA-9E232B4F4FF0}
    Hidden file: %APPDATA%\Microsoft\Crypto\RSA\qyjbnsml\sml.dll

Network Indicators

C2 Architecture

Victim Machine
     │
     │ HTTPS/443
     ▼
[Cloudflare CDN — C2 Relay]
 104.20.44.133   (Cloudflare)
 104.21.73.44    (Cloudflare)
 172.66.175.107  (Cloudflare)
 172.67.140.32   (Cloudflare)
     │
     │ host.fedmenigga.workers.dev
     ▼
[Cloudflare Worker — fedmenigga]
 → Routes traffic to backend
     │
     ▼
[Backend C2 Server]
 31.57.147.207:??? (Windows Server 2022)
 HostName: WIN-9QL4SDRB93L
 SSL Cert: kixlil.bloxfruitt.art
 ISP: Sprious LLC / GOLD IP L.L.C-FZ
 ASN: 64267
 Location: Frankfurt am Main, Germany

[Alternative Relay — Second campaign]
 dainty-boba-01d5e4.netlify.app
 → 98.84.224.111 (AWS us-east-1)
 → 18.208.88.157 (AWS us-east-1)

C2 Domain Infrastructure

Domain                          Role              Infrastructure       Notes
host.fedmenigga.workers.dev     PRIMARY C2 RELAY  Cloudflare Workers   Contacted by haunt.msi + yuorw.exe + builder.bat
fedmenigga.workers.dev          C2 relay base     Cloudflare Workers   Registered under Cloudflare
kixlil.bloxfruitt.art           Backend FQDN      31.57.147.207        SSL cert on backend server
bloxfruitt.art                  Backend domain    Namecheap registrar  Registered Dec 2024
dainty-boba-01d5e4.netlify.app  Alt C2 relay      Netlify / AWS        Used by Client.exe campaign
ipwho.is                        IP geolocation    Legitimate API       Used by Pulsar to geolocate victim

Backend Server — 31.57.147.207

Field           Value
IP              31.57.147.207
ASN             AS64267
AS Owner        12651980 CANADA INC.
ISP             Sprious LLC / GOLD IP L.L.C-FZ
Location        Frankfurt am Main, Hessen, Germany
OS              Windows Server 2022 (Build 10.0.20348)
Hostname        WIN-9QL4SDRB93L
SSL Cert CN     kixlil.bloxfruitt.art
Open Ports      135 (RPC), 139 (NetBIOS), 445 (SMB v2), 3389 (RDP), 5985 (WinRM)
Vulnerability   CVE-2020-0796 (SMBGhost — SMBv3 compression RCE)
Shodan Updated  2026-03-12 16:29:04 UTC

Notable: This is a Windows VPS (not Linux), which fits the Pulsar RAT C2 panel being a Windows application. RDP port 3389 is open, suggesting the operator manages the host over RDP. Shodan flags CVE-2020-0796 (SMBGhost), but that flag is inferred from the SMB version banner and does not establish that the host is exploitable if it has since been patched.

bloxfruitt.art Subdomain Infrastructure (Full Discovery)

All subdomains had Let's Encrypt certificates issued in December 2024, suggesting simultaneous provisioning of a C2 panel and multiple client endpoints:

Subdomain                Cert Issued  Notes
kixlil.bloxfruitt.art    2024-12-02   Linked to 31.57.147.207
plxoq.bloxfruitt.art     2024-12-02
qfip.bloxfruitt.art      2024-12-02
xcbtg.bloxfruitt.art     2024-12-02
poplo.bloxfruitt.art     2024-12-02
hucis.bloxfruitt.art     2024-12-06
plco.bloxfruitt.art      2024-12-06
zkxcop.bloxfruitt.art    2024-12-06
qwrtyui.bloxfruitt.art   2024-12-01
vgjryu.bloxfruitt.art    2024-12-01
nsxcjhu.bloxfruitt.art   2024-12-01
kixnjs.bloxfruitt.art    2024-12-01
pozopl.bloxfruitt.art    2024-12-01
*.bloxfruitt.art         2025-12-01   Wildcard cert renewed 2025

None of the subdomains currently resolve in DNS; the infrastructure was likely relocated, or the subdomains point to a different backend than the zone apex record.


Behavioral Analysis (Inferred from Static + OSINT)

  1. Installation: MSI silently installs (LIMITUI=7, ARPSYSTEMCOMPONENT=1 — no Add/Remove Programs entry)
  2. Persistence: Written to HKCU\Software\Microsoft\Windows\CurrentVersion\Run as notepad.exe masquerade
  3. Anti-analysis: Checks for 20+ VM artifacts (VMware, VirtualBox, QEMU, Cuckoo, Parallels) and 8+ debuggers before activating
  4. Geolocate: Calls https://ipwho.is/ to get victim IP, country, ISP
  5. C2 beacon: Connects to host.fedmenigga.workers.dev via HTTPS (port 443), using MessagePack-serialized protocol over TLS
  6. Clipboard hijack: Monitors clipboard continuously; replaces any recognized crypto address with attacker's address
  7. Credential theft: Dumps browser saved passwords from Chromium profile (Login Data) and Firefox (logins.json via PKCS#11)
  8. Data exfiltration: All captured data (keystrokes, screenshots, credentials, clipboard) sent to C2 operator in real-time

MITRE ATT&CK TTPs

Technique ID  Name                                   Implementation
T1566         Phishing                               MSI delivered as social engineering lure
T1204.002     User Execution: Malicious File         User runs haunt.msi
T1218.007     Msiexec                                MSI installer as execution vehicle
T1218.011     Rundll32                               rundll32.exe cfgmgr.dll,nGOYQVFxRyF
T1036.005     Masquerading: Match Legitimate Name    cfgmgr.dll DLL name
T1027         Obfuscated Files or Information        GUID-encoded shellcode
T1027.011     Fileless Storage                       Shellcode decoded into memory
T1140         Deobfuscate/Decode Files               GUID-to-bytes decoding at runtime
T1620         Reflective Code Loading                Pulsar RAT loaded from memory
T1562.001     Disable or Modify Tools (AMSI)         Patches AmsiScanBuffer
T1562.006     Indicator Blocking (ETW)               Patches EtwEventWrite
T1055.004     Process Injection: APC                 ZwQueueApcThread
T1055.012     Process Hollowing                      <ExecuteViaRunPE> into notepad.exe
T1547.001     Registry Run Keys / Startup Folder     HKCU...\Run persistence
T1071.001     Web Protocols                          HTTPS C2 on port 443
T1090.004     Domain Fronting                        Cloudflare Workers relay
T1090.001     Internal Proxy                         Cloudflare → backend routing
T1041         Exfiltration Over C2 Channel           All data via HTTPS to C2
T1056.001     Keylogging                             Gma.System.MouseKeyHook
T1115         Clipboard Data                         Crypto wallet monitoring
T1185         Browser Session Hijacking              Browser profile cloning
T1555.003     Web Browser Credentials                Chrome/Edge/Brave/Opera/Firefox
T1539         Steal Web Session Cookie               Browser profile exfiltration
T1125         Video Capture                          AForge webcam capture
T1123         Audio Capture                          NAudio microphone recording
T1113         Screen Capture                         SharpDX screen streaming
T1057         Process Discovery                      WMI Win32_BIOS, Win32_DiskDrive
T1082         System Information Discovery           OS version, hardware, CLR version
T1012         Query Registry                         SOFTWARE\Microsoft\Windows NT\CurrentVersion
T1497         Virtualization/Sandbox Evasion         VM artifact checking
T1480         Execution Guardrails                   Debugger detection + sleep delays
T1622         Debugger Evasion                       Anti-debug thread monitoring

Timeline

Date        Event                                  Indicator
2024-12-01  bloxfruitt.art infrastructure created  Let's Encrypt certs issued for 13+ subdomains
2026-02-04  Bot deployment begins                  bot.exe (Python DDoS/KryptonC2) first seen
2026-02-16  First Pulsar RAT campaign              payload/Client.exe via Netlify relay
2026-02-22  Builder deployed                       builder.bat (1.35 MB) first seen
2026-03-06  Multi-platform payload                 agent-windows-amd64.exe deployed
2026-03-12  haunt.msi campaign launch              First submission of this sample
2026-03-13  Active deployment                      yuorw.exe (new Pulsar client) same-day as haunt.msi

Related Samples

SHA256       Name                     Type                  Detections  Role
e4bd27de...  haunt.msi                MSI dropper           5/76        This sample — Pulsar RAT loader
3aece208...  yuorw.exe / Client.exe   PE32 .NET EXE         47/76       Raw Pulsar RAT v2.4.5 client
25a8f876...  payload / Client.exe     PE32 .NET EXE         46/76       Pulsar RAT v2.4.5 (earlier campaign)
5e77eb0e...  builder.bat              DOS batch             10/76       Payload builder/delivery (1.35 MB)
90afcb37...  agent-windows-amd64.exe  PE64 EXE              37/76       Multi-framework agent (Sliver/Quasar)
9f6d7226...  bot.exe                  PE64 (PyInstaller)    37/76       Python DDoS / KryptonC2
4304dfbd...  SpoofSIP-3.22.3.zip      ZIP                   16/76       VoIP spoofing lure (trojanized)
f3598e80...  LarpExodus.zip           ZIP (multi-platform)  11/76       Gaming lure (PE+ELF+MachO)
6df41bed...  c5c3d8f3fb503a06.bat     DOS batch             25/76       Netlify-relayed dropper

LarpExodus.zip is particularly notable — it contains PE, ELF, and MachO executables, indicating the actor targets Windows, Linux, AND macOS, with gaming community lures.

SpoofSIP-3.22.3.zip suggests targeting of VoIP/telephony professionals via trojanized software packages.


Attribution & Threat Actor Assessment

Confidence: MODERATE

Indicators

  • Tooling: Pulsar RAT is open-source (.NET, available on GitHub). Deployment of an open-source RAT with a custom GUID-shellcode loader suggests a technically capable actor who is either modifying existing tooling or procuring a custom loader as a service.

  • Infrastructure pattern: Multiple bloxfruitt.art subdomains with randomized names (kixlil, qfip, xcbtg, poplo, hucis, etc.) issued simultaneously suggest either:

    • A single actor running multiple concurrent campaigns, OR
    • A MaaS provider selling access to Pulsar RAT infrastructure
  • Cloudflare Workers abuse: The use of *.workers.dev as a C2 relay is a deliberate OPSEC choice — it prevents domain blocklisting because Cloudflare is a trusted CDN. The attacker's actual backend (31.57.147.207) remains hidden behind Cloudflare's infrastructure.

  • Backend VPS: Windows Server 2022 hosted at Sprious LLC (via GOLD IP L.L.C-FZ) in Frankfurt. Sprious LLC / 12651980 CANADA INC. is a hosting reseller commonly used by threat actors for bulletproof hosting. RDP and WinRM open suggest direct operator access.

  • Campaign breadth: The actor operates multi-tool campaigns combining:

    • Pulsar RAT (.NET) — credential theft, crypto hijack, RAT
    • Python DDoS bot (KryptonC2)
    • Cross-platform payloads (LarpExodus — Win/Linux/macOS)
    • Multiple delivery mechanisms (MSI, ZIP lures, BAT builders)
  • OPSEC mistakes:

    • Backend server runs Windows Server 2022 with default hostname (WIN-9QL4SDRB93L)
    • CVE-2020-0796 (SMBGhost) is unpatched on the server
    • SSL certificate for kixlil.bloxfruitt.art was issued for the backend IP, revealing the domain infrastructure even through the Cloudflare relay
    • All 13+ subdomains were issued certs simultaneously — single provisioning event
    • bloxfruitt.art registered via Namecheap (WHOIS redacted) — actor tried to hide identity but the mx.plingest.com MX record could be pivoted for email infrastructure
  • Targeting: Lures suggest mixed targeting — gaming community (LarpExodus), VoIP professionals (SpoofSIP), and general users (haunt.msi). No specific geography identified.


Infrastructure Map

┌─────────────────────────────────────────────────────────────────┐
│                    ACTOR INFRASTRUCTURE                         │
│                                                                 │
│  Domain Registrar: Namecheap                                    │
│  Domain: bloxfruitt.art (registered Dec 2024)                   │
│  MX: mx.plingest.com                                            │
│                                                                 │
│  Subdomains (all Let's Encrypt, Dec 2024):                      │
│  ┌─────────────────────────────────────────────┐                │
│  │ kixlil.bloxfruitt.art ←── SSL on backend    │                │
│  │ plxoq / qfip / xcbtg / poplo / hucis / ...  │                │
│  │ *.bloxfruitt.art (wildcard, renewed 2025-12)│                │
│  └─────────────────────────────────────────────┘                │
│                                                                 │
│  ┌──────────────────────────────────────────────────────────┐   │
│  │ C2 BACKEND: 31.57.147.207 (Frankfurt, DE)                │   │
│  │   OS: Windows Server 2022  Host: WIN-9QL4SDRB93L         │   │
│  │   ISP: Sprious LLC (GOLD IP L.L.C-FZ, ASN 64267)         │   │
│  │   Ports: 135/139/445/3389/5985 (RDP open!)               │   │
│  │   Vuln: CVE-2020-0796 (SMBGhost)                         │   │
│  │   Cert: kixlil.bloxfruitt.art                            │   │
│  └──────────────────────────────────────────────────────────┘   │
│                                                                 │
│  C2 RELAYS (hiding backend):                                    │
│  ┌───────────────────────────────────────────┐                  │
│  │ Cloudflare Workers: fedmenigga.workers.dev│                  │
│  │ → host.fedmenigga.workers.dev             │                  │
│  │   Used by: haunt.msi, yuorw.exe,          │                  │
│  │           builder.bat                     │                  │
│  └───────────────────────────────────────────┘                  │
│  ┌────────────────────────────────────────────┐                 │
│  │ Netlify: dainty-boba-01d5e4.netlify.app    │                 │
│  │ → 98.84.224.111 (AWS us-east-1)            │                 │
│  │   Used by: Client.exe (25a8f876...)        │                 │
│  └────────────────────────────────────────────┘                 │
│                                                                 │
│  VICTIM GEOLOCATION API:                                        │
│  → https://ipwho.is/ (legitimate service, abused)              │
└─────────────────────────────────────────────────────────────────┘

Indicators of Compromise (IOCs)

Network Indicators

Indicator                       Type    Role
host.fedmenigga.workers.dev     Domain  PRIMARY C2 RELAY
fedmenigga.workers.dev          Domain  C2 relay base
31.57.147.207                   IP      C2 BACKEND SERVER
kixlil.bloxfruitt.art           Domain  Backend SSL CN
bloxfruitt.art                  Domain  Backend domain
dainty-boba-01d5e4.netlify.app  Domain  Alt C2 relay
172.234.24.211                  IP      bloxfruitt.art apex
172.239.57.117                  IP      bloxfruitt.art apex

Registry

Key                                                  Value              Purpose
HKCU\Software\Microsoft\Windows\CurrentVersion\Run   (payload path)     Persistence
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion    Read: InstallDate  Fingerprint
HKCR\CLSID\{6C683247-F56D-470B-AAFA-9E232B4F4FF0}                       COM registration
HKCU\Software\SEMPK\JJRIPKSKP                        installed=1        MSI marker

Files

Path                                             Purpose
%APPDATA%\Microsoft\Crypto\RSA\qyjbnsml\sml.dll  Hidden payload drop location
%TEMP%\cfgmgr.dll                                Loader DLL (masquerades as Windows cfgmgr.dll)

Mutexes / Unique Strings

Indicator                               Type
JJRIPKSKP                               MSI product name (unique per build)
SEMPK                                   MSI manufacturer string
WIN-9QL4SDRB93L                         Backend server hostname
nGOYQVFxRyF                             Loader DLL export function name
RqaAvOHynShq                            Loader DLL export function name
{F33C6B39-ED26-432B-8E9A-20F3917C9583}  MSI Revision Number (GUID)

Detection Notes

  • Low AV detection (5/76): The GUID-encoded shellcode and multi-layer obfuscation effectively evade most signature-based AV engines. Only generic detections fired.
  • AMSI bypass: Disables Windows Defender's script scanning before the .NET payload runs.
  • ETW bypass: Blind-spots EDR solutions that rely on ETW for behavioral telemetry.
  • Cloudflare C2: Domain blocklisting is ineffective — *.workers.dev cannot be blocked without disrupting legitimate Cloudflare Workers usage.
  • Hunt recommendation: Look for rundll32.exe loading from %TEMP%\cfgmgr.dll, or outbound HTTPS connections to *.workers.dev from unexpected processes.
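The two hunt leads above as runnable detection logic over constructed Sysmon-style events (an added example, not the report's own tooling or any vendor rule). Field names, the Temp-directory pattern and the browser allow-list are this example's assumptions to be mapped onto the SIEM schema in use.

```python
"""Hunt logic for the two indicators in the report's Detection Notes.

Added example, not part of the report or of any vendor product. Events are
constructed in a minimal Sysmon-like shape (EventID 1 = process create,
EventID 3 = network connect); the field names and the browser allow-list are
this example's assumptions and should be mapped onto the SIEM schema in use.
"""
import re
from typing import Dict, List, Optional, Tuple

# rundll32.exe "<path>\x.dll",Export   or   rundll32.exe <path>\x.dll,Export
DLL_ARG_RE = re.compile(
    r'(?:"(?P<quoted>[^"]+\.dll)"|(?P<bare>\S+\.dll))\s*,\s*(?P<export>\S+)',
    re.IGNORECASE,
)
TEMP_DIR_RE = re.compile(r"\\Temp\\", re.IGNORECASE)
# Processes expected to talk to *.workers.dev; anything else is a hunt lead.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rundll32_temp_dll(ev: Dict) -> Optional[str]:
    """Rule 1: rundll32 handed a DLL under a Temp directory, as in the report's
    CustomAction rundll32.exe "<temp>\\cfgmgr.dll",nGOYQVFxRyF."""
    if ev.get("EventID") != 1 or basename(ev.get("Image", "")) != "rundll32.exe":
        return None
    m = DLL_ARG_RE.search(ev.get("CommandLine", ""))
    if not m:
        return None
    dll = m.group("quoted") or m.group("bare")
    if not TEMP_DIR_RE.search(dll):
        return None
    reason = f"rundll32 loads {basename(dll)} from Temp, export {m.group('export')}"
    if basename(ev.get("ParentImage", "")) == "msiexec.exe":
        reason += " (parent msiexec.exe: MSI CustomAction)"
    return reason


def workers_dev_egress(ev: Dict) -> Optional[str]:
    """Rule 2: connection to *.workers.dev from a process that is not a browser."""
    if ev.get("EventID") != 3:
        return None
    host = ev.get("DestinationHostname", "").lower()
    image = basename(ev.get("Image", ""))
    if not host.endswith(".workers.dev") or image in BROWSERS:
        return None
    return f"{image} -> {host}:{ev.get('DestinationPort')}"


def hunt(events: List[Dict]) -> List[Tuple[int, str, str]]:
    """Run both rules over a batch; returns (event index, rule name, reason)."""
    hits = []
    for i, ev in enumerate(events):
        for rule in (rundll32_temp_dll, workers_dev_egress):
            reason = rule(ev)
            if reason:
                hits.append((i, rule.__name__, reason))
    return hits


# Constructed events: [0] mirrors the report's CustomAction, [1] is a benign
# rundll32 use, [2] mirrors the injected notepad.exe beaconing, [3] is a browser.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'rundll32.exe "C:\Users\v\AppData\Local\Temp\cfgmgr.dll",nGOYQVFxRyF'},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"EventID": 3, "Image": r"C:\Windows\System32\notepad.exe",
     "DestinationHostname": "host.fedmenigga.workers.dev", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationHostname": "demo.example.workers.dev", "DestinationPort": 443},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```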