Published March 12, 2026

QuasarRAT + NjRAT on a Week-Old Bulletproof Server: A Russian Operator's OPSEC Disaster

critical | APT
Threat Actors: APT10
Tags: #botnet #quasarrat #social-engineering #credential-theft #c2 #apt

TL;DR: A QuasarRAT v1.4.1 sample led us to a live, dual-RAT command-and-control server at 196[.]251[.]107[.]24 running both QuasarRAT (port 4782) and NjRAT (port 5552) on Windows Server 2019. The infrastructure is less than a week old -- the server certificate was issued March 3, 2026, and the VM was created March 4. The C2 sits on AS214351 (FEMO IT SOLUTIONS LIMITED), a UK-registered shell company at a known virtual office address in London's Covent Garden, routing traffic through Russian DDoS protection providers StormWall and DDoS-Guard on AFRINIC IP space allocated to a Seychelles entity. Three separate OPSEC failures -- a Russian-language Open Server Panel TLS certificate on port 443, a VM instance UUID leaked via the RDP certificate, and a default, unmodified QuasarRAT server certificate -- paint a picture of a Russian-speaking operator running commodity RATs from bulletproof hosting with the operational security of someone who left the keys in the ignition.


One Sample, Two RATs, Zero Subtlety

This investigation started the way most do -- a fresh upload to MalwareBazaar. A QuasarRAT v1.4.1 client binary, 3.2MB, submitted from the Netherlands on March 10, 2026, with 62 out of 76 antivirus engines flagging it. Not exactly stealthy.

But the interesting part was never the sample itself. QuasarRAT is open-source, available on GitHub, and has been a favorite of everyone from script kiddies to APT10. What made this one worth pulling apart was where it called home -- and what else was running there.

The C2 IP, 196[.]251[.]107[.]24, was not just hosting QuasarRAT. A ThreatFox pivot revealed an NjRAT (Bladabindi) sample phoning home to the exact same IP on port 5552. Two separate RAT families. One server. Same operator, hedging their bets with redundant remote access tools.

As of March 11, 2026, both listeners were confirmed LIVE via TLS handshake verification. The operator is active right now.

What Was Found vs. What Was Known

| Aspect | Prior Reporting | Our Findings |
|---|---|---|
| C2 Infrastructure | Single QuasarRAT C2 reported | Multi-RAT server: QuasarRAT + NjRAT on same IP |
| Hosting | IP address only | Full bulletproof hosting chain: FEMO IT -> StormWall/DDoS-Guard -> NTT |
| Operator Profile | Unknown | Russian-speaking (ospanel certificate), VM-based operation |
| OPSEC Failures | None reported | 3 critical failures: ospanel cert, VM UUID leak, default Quasar cert |
| Adjacent Infrastructure | Not investigated | Full /24 scan revealing Windows servers at .18, .32, .47 |
| NjRAT Link | Separate ThreatFox report | Confirmed co-hosted by same operator on same IP |

The Attack Chain

[Delivery]              [Execution]              [Persistence]
Unknown vector    -->   Client.exe runs     -->  Scheduled task
(TAG: "google           QuasarRAT v1.4.1         auto-start on boot
 chrome" suggests                |
 fake browser           [C2 Beacon]
 update lure)           TLS + RSA-4096
                        196[.]251[.]107[.]24:4782
                                |
                        [Actions on Objectives]
                        +-- Keylogging
                        +-- Browser credential theft
                        +-- WinSCP credential theft
                        +-- Remote shell access
                        +-- File management
                        +-- Screen capture
                        +-- Reverse proxy
                        +-- Registry manipulation
                        +-- Network reconnaissance

The botnet tag -- "google chrome" -- is a social engineering breadcrumb. It suggests the initial delivery vector involves luring victims with a fake Google Chrome update or component. The victim runs what they think is a browser installer. What they actually get is a 3.2MB .NET binary that phones home to a Russian operator's bulletproof server.

The Bulletproof Hosting Stack: Shell Companies All the Way Down

The infrastructure behind this operation is a textbook example of bulletproof hosting layering. Every tier is designed to insulate the operator from takedown attempts.

Tier 0 (Upstream Transit):
  AS2914 NTT America (legitimate Tier 1 carrier)
       |
Tier 1 (DDoS Protection / BPH Enablers):
  AS59796 StormWall s.r.o. (abuse@stormwall.pro)
  AS49612 DDoS-Guard LTD (abuse@ddos-guard.net)
       |
Tier 2 (Bulletproof Hosting):
  AS214351 FEMO IT SOLUTIONS LIMITED
  Contact: hostdevbasx@proton.me
  Address: 71-75 Shelton Street, London WC2H 9JQ
       |
Tier 3 (AFRINIC Allocation):
  196[.]251[.]107[.]0/24
  Admin: Qazi Sikandar Raza, Seychelles
  Abuse: abuse@as214351[.]com (behind Njalla DNS)
       |
Operational:
  196[.]251[.]107[.]24 (QuasarRAT + NjRAT C2)

Every layer of this stack has a tell.

FEMO IT SOLUTIONS LIMITED is registered at 71-75 Shelton Street, London WC2H 9JQ. If that address sounds familiar, it should -- it is one of the most notorious virtual office hubs in London, home to thousands of shell companies. The abuse contact is a Protonmail address. The DNS for as214351[.]com runs through Njalla, the privacy-focused domain registrar of choice for people who do not want to be found.

The IP space itself is allocated through AFRINIC (the African regional internet registry) to a Seychelles-registered entity managed by one Qazi Sikandar Raza. Registering IP allocations through offshore jurisdictions with minimal oversight is a standard bulletproof hosting play. AFRINIC allocations are particularly popular because the region has historically had weaker abuse enforcement.

The transit providers -- StormWall and DDoS-Guard -- are both Russian DDoS protection services. While both have legitimate customers, they are frequently cited in abuse reports for providing transit to bulletproof hosting networks. Having both as upstream peers for a single /24 block is a strong signal.

Certificate Analysis: Three Certificates, Three OPSEC Failures

The operator left fingerprints across every TLS-enabled port on the server.

Port 4782 -- QuasarRAT C2

The QuasarRAT listener presented a self-signed certificate with CN=Quasar Server CA, using RSA-4096 with SHA-512. This is the default certificate that QuasarRAT generates when the server is first started. The operator never bothered to change it.

This matters for two reasons. First, it makes the C2 trivially identifiable via TLS fingerprinting -- any network monitor scanning for CN=Quasar Server CA certificates will flag this immediately. Second, the certificate's NotBefore date of March 3, 2026 tells us exactly when this infrastructure went live: eight days before our investigation.

Port 443 -- The ospanel Tell

The HTTPS certificate on port 443 reveals the most damning indicator: Issuer: CN=ospanel. Open Server Panel (ospanel) is a Russian-language local development environment -- think XAMPP, but built specifically for Russian-speaking developers. Its TLS certificate should never appear on a production server, let alone a C2 node.

The certificate was generated December 23, 2016, with a validity window extending to 2031. This is not a freshly generated cert -- it is a default that has been carried from development environment to production deployment, likely across multiple operations over the years. The operator appears to use ospanel as their local testing environment and simply never replaced the certificate when deploying to production.

Port 3389 -- The VM UUID

The RDP certificate contains CN=VM-0d53cd5b-e339-4aae-97be-60b949f783ad. This is a virtual machine instance identifier, and it is a uniquely trackable fingerprint. If this operator moves their VM to a different IP address, this UUID follows them. It is the digital equivalent of leaving your driver's license at a crime scene.

The certificate's NotBefore date of March 4, 2026, confirms the VM was created one day after the QuasarRAT server certificate was generated -- further narrowing the infrastructure setup timeline to a 48-hour window.

The Neighborhood: Scanning the /24

If the C2 server itself was not enough, the rest of the 196[.]251[.]107[.]0/24 subnet tells a story about FEMO IT's clientele.

| IP | Ports | Services | Notes |
|---|---|---|---|
| 196[.]251[.]107[.]18 | 21, 80, 3389, 8000 | PureFTPd, nginx, Node.js, RDP | Active Windows box |
| 196[.]251[.]107[.]24 | 22, 445, 3389, 4782, 5552 | SSH, SMB, RDP, QuasarRAT, NjRAT | Our C2 server |
| 196[.]251[.]107[.]32 | 80, 135, 443, 3389, 5858, 5985 | nginx 1.28, RDP, WinRM | Windows server |
| 196[.]251[.]107[.]47 | 135, 445, 2222, 3389 | SMB, RDP | Potentially vulnerable to CVE-2020-0796 |

These are all Windows servers with RDP exposed to the internet. This is not a legitimate hosting environment -- this is a bulletproof hosting block where every customer is running Windows with open management ports, because nobody expects (or cares about) security audits.

The QuasarRAT Sample: Open Source, Zero Modifications

| Property | Value |
|---|---|
| SHA-256 | 7a706b95301ad94c287c2a3eaa38116fcc7343ca28758a76cbfae2fedc8e7b78 |
| MD5 | 0d59800d2c3053699a175b176422a11e |
| File Size | 3,265,536 bytes (3.1 MB) |
| File Type | PE32 executable (GUI) Intel 80386, Mono/.Net assembly |
| Original Name | Client.exe |
| Product | Quasar |
| Copyright | Copyright MaxXor 2023 |
| Version | 1.4.1 |
| .NET Framework | v4.5.2 |
| First Seen | 2026-03-08 (ReversingLabs), 2026-03-10 (MalwareBazaar) |
| VT Detection | 62/76 (81.6%) |

QuasarRAT v1.4.1 is the latest stable release of the open-source RAT, and this operator has not modified it in any meaningful way. The binary is a stock build with standard capabilities: remote shell, keylogging, browser credential recovery, WinSCP credential recovery, screen capture, file operations, reverse proxy, registry manipulation, and network reconnaissance.

The configuration is encrypted using AES-CBC-256 with PBKDF2 key derivation (SHA1, 50,000 iterations) -- the default QuasarRAT encryption scheme. Static analysis of the binary yielded 314 unique 64-character hex strings, which represent the encrypted configuration values.

The NjRAT Connection

ThreatFox linked two NjRAT samples to the same C2 IP:

| Property | Sample 1 | Sample 2 |
|---|---|---|
| SHA256 | 279997c885d062... | eff8a9f48e98e5... |
| Filename | ZCGm9Ky.exe | Server.exe |
| C2 | 196[.]251[.]107[.]24:5552 | 196[.]251[.]107[.]24:5552 |
| First Seen | 2026-03-10 20:35 UTC | -- |

Running two RAT families on the same server is a known operational pattern for mid-tier cybercriminals. If the victim's antivirus catches QuasarRAT, they switch to NjRAT. If one RAT's network signature gets blocked, the other keeps working on a different port. It is redundancy through diversity -- the same logic that drives an operator to use three different DDNS providers.

The downside is that it links two otherwise separate campaigns to the same infrastructure. Any defender who blocks the QuasarRAT C2 also kills the NjRAT operation, and vice versa. Co-hosting amplifies the blast radius of a single takedown.

Operator Profile: Intermediate, Russian, Sloppy

Sophistication: Intermediate. The operator uses open-source RATs without modification, relies on bulletproof hosting rather than operational sophistication, and runs multiple RATs for redundancy rather than investing in a single, customized toolchain.

Language: Russian-speaking (MEDIUM confidence). The ospanel certificate is the primary indicator. Open Server Panel is predominantly used in Russian-speaking countries, though it is not exclusively so.

Resources: Individual or small group. The infrastructure cost is minimal -- a single bulletproof hosting server, commodity RATs, default certificates.

OPSEC Grade: POOR. Five distinct failures:

  1. Default Quasar Server CA certificate on the C2 port
  2. ospanel certificate on port 443 revealing Russian-language tooling
  3. VM instance UUID in the RDP certificate
  4. Multi-RAT co-hosting on a single IP
  5. SSH, SMB, and RDP exposed on the C2 server

This operator knows enough to use bulletproof hosting but not enough to clean up after themselves.

Timeline

| Date | Event | Evidence |
|---|---|---|
| 2024-08-08 | FEMO IT SOLUTIONS LIMITED registered with RIPE | RIPE created timestamp |
| 2026-03-03 | QuasarRAT Server CA certificate issued | TLS cert NotBefore |
| 2026-03-04 | VM created (RDP certificate issued) | RDP cert NotBefore |
| 2026-03-08 | Sample first seen by ReversingLabs | RL first_seen |
| 2026-03-10 | Sample submitted to MalwareBazaar (Netherlands) | MB first_seen |
| 2026-03-10 | NjRAT IOC reported to ThreatFox | ThreatFox first_seen |
| 2026-03-11 | C2 confirmed LIVE by Breakglass Intelligence | TLS handshake verification |

The entire operation -- from infrastructure creation to live C2 -- was stood up in under a week. This has the hallmarks of a disposable operation: spin up a cheap BPH server, deploy stock RATs, run campaigns until the IP gets burned, then move on.

MITRE ATT&CK Mapping

| Tactic | Technique | ID | Implementation |
|---|---|---|---|
| Execution | Command and Scripting Interpreter | T1059 | Remote shell capability |
| Persistence | Scheduled Task/Job | T1053.005 | Scheduled task for auto-restart |
| Privilege Escalation | Process Injection | T1055 | WriteProcessMemory (sandbox behavior) |
| Defense Evasion | Obfuscated Files or Information | T1027 | AES-encrypted config, 314 hex values |
| Credential Access | Input Capture: Keylogging | T1056.001 | Keyboard hook implementation |
| Credential Access | Credentials from Password Stores: Browsers | T1555.003 | Browser recovery module |
| Discovery | System Information Discovery | T1082 | WMI system enumeration |
| Discovery | System Network Configuration Discovery | T1016 | Network interface enumeration |
| Collection | Screen Capture | T1113 | Bitmap/Graphics capture |
| Command and Control | Encrypted Channel: Asymmetric Crypto | T1573.002 | TLS with RSA-4096 self-signed cert |
| Command and Control | Non-Standard Port | T1571 | Port 4782 (QuasarRAT), 5552 (NjRAT) |

Indicators of Compromise

File Indicators

# QuasarRAT v1.4.1 Client
SHA256: 7a706b95301ad94c287c2a3eaa38116fcc7343ca28758a76cbfae2fedc8e7b78
MD5:    0d59800d2c3053699a175b176422a11e
SHA1:   6cfdb81829e1554facee6244ce9eeaa35962cb77

# NjRAT Sample 1 (ZCGm9Ky.exe)
SHA256: 279997c885d0624ed794d19abbe608b1601def6047ea0380112ca9a4efe33de1
MD5:    85c65dcbe69c05eb41c04c283428f4fd

# NjRAT Sample 2 (Server.exe)
SHA256: eff8a9f48e98e52609f75d9ab7baed6f695c2557b29a52f6df48a5f6232f0674

Network Indicators

# C2 IP (defanged)
196[.]251[.]107[.]24

# C2 Ports
196[.]251[.]107[.]24:4782    (QuasarRAT)
196[.]251[.]107[.]24:5552    (NjRAT)

# BPH Network Range
196[.]251[.]107[.]0/24       (AS214351, FEMO IT)

# Associated Domains (defanged)
as214351[.]com               (ASN abuse contact, Njalla DNS)
pointtoserver[.]com          (Hosting admin contact)

Behavioral Indicators

# TLS Certificate Fingerprints
CN=Quasar Server CA          (QuasarRAT C2 certificate)
Issuer: CN=ospanel           (Russian-language dev tool certificate)
CN=VM-0d53cd5b-e339-4aae-97be-60b949f783ad  (VM instance ID)

# Assembly Identifiers
Client, Version=1.4.1.0      (.NET assembly version)
GUID: 9f847deb-b441-461d-a6fb-89cab43a8f66  (Assembly GUID)

# Botnet TAG
google chrome                 (Campaign identifier)

Recommended Actions

Immediate (24-48 hours)

  • Block 196[.]251[.]107[.]24 at perimeter firewalls (all ports)
  • Search EDR telemetry for connections to 196[.]251[.]107[.]24:4782 and :5552
  • Hunt for Client.exe or files matching SHA256 7a706b95...7b78 on endpoints
  • Implement TLS inspection rules to flag CN=Quasar Server CA certificates in network traffic

Short-term (1-2 weeks)

  • Block the entire 196[.]251[.]107[.]0/24 range -- it is confirmed bulletproof hosting
  • Add AS214351 to threat intelligence blocklists
  • Monitor for new certificate issuances to pointtoserver[.]com and as214351[.]com
  • Submit abuse reports to StormWall, DDoS-Guard, and AFRINIC (temper expectations)
  • Track VM UUID VM-0d53cd5b-e339-4aae-97be-60b949f783ad across RDP certificate scans (Shodan/Censys)

Medium-term (1-3 months)

  • Develop behavioral detection for QuasarRAT TLS handshake patterns (RSA-4096, self-signed CA)
  • Monitor MalwareBazaar and ThreatFox for new samples using this C2
  • Track FEMO IT SOLUTIONS LIMITED through UK Companies House for corporate changes
  • Build Suricata rules keyed on the QuasarRAT certificate serial: 00:c6:93:b7:fb:a0:08:7a:90:e1:d2:ea:a5:ca:8c:f3
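The three certificate tells from the Certificate Analysis section, plus the serial-number and VM-UUID tracking actions recommended above, reduce to one matching routine over observed certificate metadata. The following is an added example written for this post, not Breakglass Intelligence's tooling: it classifies constructed Zeek x509.log-style records (the sample records, the `CN=localhost` subject on port 443 and the 14-day "fresh infrastructure" window are assumptions, not observed values) against the indicators named in this report.

```python
import re
from datetime import date
# Indicators from the certificate analysis above; the serial is the one cited for the Suricata rule.
QUASAR_DEFAULT_CN = "Quasar Server CA"
OSPANEL_ISSUER_CN = "ospanel"
TRACKED_VM_UUID = "0d53cd5b-e339-4aae-97be-60b949f783ad"
QUASAR_SERIAL = "00:c6:93:b7:fb:a0:08:7a:90:e1:d2:ea:a5:ca:8c:f3"
INVESTIGATION_DATE = date(2026, 3, 11)  # the day both listeners were confirmed live
VM_CN_RE = re.compile(r"^VM-([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})$", re.I)
CN_RE = re.compile(r"(?:^|,\s*)CN=([^,]+)")

SAMPLE_RECORDS = [  # constructed x509 metadata (Zeek x509.log-style fields), not real scan output
    {"id": "c2:4782", "subject": "CN=Quasar Server CA", "issuer": "CN=Quasar Server CA",
     "not_valid_before": "2026-03-03", "serial": "C693B7FBA0087A90E1D2EAA5CA8CF3"},
    {"id": "c2:443", "subject": "CN=localhost", "issuer": "CN=ospanel",
     "not_valid_before": "2016-12-23", "serial": "01"},
    {"id": "c2:3389", "subject": "CN=VM-0d53cd5b-e339-4aae-97be-60b949f783ad", "serial": "02",
     "issuer": "CN=VM-0d53cd5b-e339-4aae-97be-60b949f783ad", "not_valid_before": "2026-03-04"},
    {"id": "benign:443", "subject": "C=US, CN=www.example.com",
     "issuer": "C=US, CN=Example CA", "not_valid_before": "2025-01-15", "serial": "03"},
]

def extract_cn(dn: str) -> str:  # CN from a DN string such as 'C=GB, CN=foo' (empty if absent)
    m = CN_RE.search(dn or "")
    return m.group(1).strip() if m else ""

def normalize_serial(serial: str) -> str:  # ignore colons, case and the leading zero byte
    return serial.replace(":", "").upper().lstrip("0")

def classify_certificate(rec: dict, today: date = INVESTIGATION_DATE) -> list:
    findings = []  # indicator names this one observed certificate matches (empty if clean)
    subject_cn, issuer_cn = extract_cn(rec["subject"]), extract_cn(rec["issuer"])
    if subject_cn == QUASAR_DEFAULT_CN:
        findings.append("quasar_default_cert")  # stock QuasarRAT listener certificate
    if normalize_serial(rec["serial"]) == normalize_serial(QUASAR_SERIAL):
        findings.append("quasar_known_serial")  # this campaign's exact certificate
    if issuer_cn.lower() == OSPANEL_ISSUER_CN:
        findings.append("ospanel_dev_cert")  # Open Server Panel default issuer
    vm = VM_CN_RE.match(subject_cn)
    if vm:
        findings.append("vm_uuid_in_cn")  # RDP certificate leaking a VM instance id
        if vm.group(1).lower() == TRACKED_VM_UUID:
            findings.append("tracked_vm_uuid")  # the operator's VM, whatever IP it sits on now
    age_days = (today - date.fromisoformat(rec["not_valid_before"])).days
    if 0 <= age_days <= 14:  # assumption: issued within two weeks counts as fresh infrastructure
        findings.append("new_infrastructure")
    return findings

def hunt(records: list, today: date = INVESTIGATION_DATE) -> dict:
    return {r["id"]: f for r in records if (f := classify_certificate(r, today))}
```

Feed `hunt()` the certificate fields from a Censys/Shodan export or Zeek's x509.log and the `tracked_vm_uuid` hit keeps firing even after the operator moves the VM to a new IP.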

Published by Breakglass Intelligence. Investigation conducted 2026-03-11. 1 IP. 2 RATs. 3 OPSEC failures. 1 week-old bulletproof server with a Russian developer certificate it should not have. Classification: TLP:CLEAR
