ResolverRAT Bundles LummaStealer in a Triple-Encrypted .NET Loader: Five Linked Samples, Four C2 Servers, and a Fake Microsoft Domain
TL;DR: A 605KB .NET binary decrypted from a Donut loader shell delivers both ResolverRAT and LummaStealer in a single package -- a dual-payload architecture that gives operators persistent backdoor access even if the credential stealer is burned, and vice versa. The loader hides behind three layers of encryption (Donut shell, .NET Reactor with ZgRAT crypter, then AES-256-CBC with a custom block cipher), reconstructs WinAPI function names from string fragments to dodge YARA rules, and injects both payloads via process hollowing. Five campaign samples sharing imphash f34d5f2d4577ed6d9ceec516c1f5a744 span January through March 2026, with C2 infrastructure running on port 56001 across bulletproof hosting in Russia, the Netherlands, Germany, and Poland. One C2 domain -- pat[.]microsoft-telemetry[.]at -- impersonated Microsoft telemetry infrastructure before being taken down.
Why a Dual-Payload Loader Matters
Most commodity loaders deliver a single malware family. This one delivers two simultaneously -- and the pairing is deliberate.
ResolverRAT is a remote access trojan. It opens a persistent backdoor on port 56001, giving operators interactive access to the compromised machine. LummaStealer is a credential harvester. It grabs browser passwords, session cookies, and cryptocurrency wallets, then exfiltrates everything over HTTP to disposable domains.
By packaging both into one binary, the operators create redundancy. If an EDR catches the RAT beacon on port 56001, the stealer may have already exfiltrated credentials via HTTPS. If the stealer's C2 domain gets sinkholed, the RAT maintains persistent access. The victim loses twice from a single infection event.
This is not theoretical -- the C2 infrastructure analysis confirms both families are active and independently operated. The ResolverRAT C2 servers run on port 56001 with long-lived IPs. The LummaStealer C2 domains rotate rapidly across .fun, .club, and .cyou TLDs with /api endpoints. Different operational tempo, same loader.
The Attack Chain
```
[Delivery Unknown] --> [Donut Loader Shell] --> [.NET Reactor Obfuscated Binary]
                                                               |
                                                     [ZgRAT Crypter Layer]
                                                               |
                           +-----------------------------------+-----------------------------------+
                           |                                                                       |
                 [AES-256-CBC Decrypt]                                                   [Custom Block Cipher]
                   [GZip Decompress]                                                      [Config Decryption]
                           |                                                                       |
                  [Process Hollowing]                                                   [C2 Config Extraction]
                  [kernel32 P/Invoke]                                                              |
                           |                                                             [8 Encrypted Strings]
          +----------------+----------------+                                                      |
          |                                 |                                           [C2 Domains/IPs/Ports]
    [ResolverRAT]                    [LummaStealer]
   [RAT/Backdoor]                  [Credential Theft]
   [Port 56001 C2]                   [HTTP /api C2]
```
The initial delivery mechanism remains unknown -- no phishing lure or dropper has been attributed to this campaign cluster yet. What we have is the Donut loader output: a decrypted .NET executable that begins the multi-stage unwrapping process.
Binary Analysis
Primary Sample
| Property | Value |
|---|---|
| SHA256 | 87053d0ad81ac3367ef5e6305f4cf4eec11776e94971f3f54bc66eaddf756eb5 |
| SHA1 | 70188c653e409b08f1591f5c7fd95e4716edf649 |
| MD5 | 43bfb580c664206153734859442ead26 |
| Imphash | f34d5f2d4577ed6d9ceec516c1f5a744 |
| File Size | 605,184 bytes |
| File Type | PE32 .NET CIL (GUI, I386, Mono/.Net assembly) |
| Runtime | v4.0.30319 |
| Internal Name | Efyfqp.exe |
| Entry Point | MethodDef[9] KedTgyFC3 (obfuscated) |
| First Seen | 2026-03-05 13:00:41 UTC |
The binary is a pure .NET assembly -- a single import of mscoree.dll!_CorExeMain with no native code. The .text section contains 602,624 bytes at entropy 7.19, which is where all the encrypted payloads live. The .NET metadata reveals 361 TypeDefs with randomized 18-character names (i0XQl9UoSkFPZs8HTp, rOjCZorAEL2T0AfbFR) and 2,040 obfuscated methods -- hallmarks of .NET Reactor obfuscation.
An unusual structural indicator: two Module GUIDs ({1F4B02DF-696E-486A-8B35-F56CCA1C23C6} and {b8bddd2a-a952-4523-8049-3c5b3829d6dc}), which indicates merged assemblies. Standard .NET binaries have one.
Three Layers of Encryption
The payload protection is layered deliberately, with each layer requiring different analysis approaches to defeat.
Layer 1: .NET Reactor + ZgRAT Crypter
The outermost protection is .NET Reactor commercial obfuscation wrapped by the ZgRAT crypter. This handles control flow obfuscation, string encryption, and anti-debugging. The Donut loader shell adds another detonation gate that must execute in memory before the .NET assembly is even visible.
Layer 2: Custom Block Cipher Pre-Processing
Before AES decryption, the encrypted resource data passes through a custom transformation using 4-byte block processing with hardcoded XOR constants:
0x5D4CCC7F
0x16346282
0x3D9CE791
0x3B675D0F
Each block undergoes XOR with these constants plus shift-left operations and byte recombination. This layer exists specifically to prevent analysts from simply extracting the AES key and decrypting the payload offline -- you must either execute the IL or reimplement the transformation.
Layer 3: AES-256-CBC + GZip
The main decryption uses AES-256-CBC with key material stored in .NET static field initializers via FieldRVA entries:
AES Key (32 bytes, FieldRVA[235]):
ce25356e4df1263a34e4f1a7bf13e518dc5904a2f5a8d2ccca5681752c5e9878
AES IV (16 bytes, FieldRVA[241]):
c5b42ecf93f69ffd61b3616d8ab014aa
These are loaded via the ldtoken + RuntimeHelpers.InitializeArray pattern at IL offset 0x3a9d. After AES decryption, the output is GZip-decompressed via GZipStream + MemoryStream to produce the final PE executables.
The Critical Payload Resource
The encrypted payloads are stored in five .NET managed resources. The critical one is Resource[4]:
| Resource | Size | Entropy | Purpose |
|---|---|---|---|
| Efyfqp.Properties.Resources.resources | 294,650 bytes | 7.99 | Main encrypted payload (ResolverRAT + LummaStealer) |
Entropy 7.99 across 294KB -- that is wall-to-wall encrypted data with no structure visible. Every 1KB block measures between 7.8 and 7.85.
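The per-block measurement quoted above can be reproduced with the following added Python example (not tooling from the original write-up; the 7.5 floor is this example's own threshold):

```python
"""Per-block Shannon entropy: the measurement behind 7.99 overall and 7.8-7.85 per 1KB.

Added example for this write-up, not the post's own tooling. It reports entropy for
a whole buffer and for each consecutive 1KB block, so an encrypted resource shows up
as uniformly high values with no dips where headers, tables or padding would be.
"""
import math
import sys
from collections import Counter

BLOCK = 1024  # the post measures in 1KB blocks


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or single-valued input, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def block_entropy(data: bytes, block: int = BLOCK) -> list:
    """Entropy of each consecutive block, including a trailing partial block."""
    return [shannon_entropy(data[i:i + block]) for i in range(0, len(data), block)]


def looks_encrypted(data: bytes, floor: float = 7.5) -> bool:
    """True when every block sits near the 8-bit ceiling.

    The 7.5 floor is this example's choice, just under the 7.8 minimum the post
    reports. 1KB of truly random bytes scores about 7.8 rather than 8.0 because
    1024 samples cannot fill all 256 symbol bins evenly, so do not demand 8.0.
    """
    blocks = block_entropy(data)
    return bool(blocks) and min(blocks) >= floor


def report(data: bytes) -> dict:
    blocks = block_entropy(data)
    return {
        "size": len(data),
        "entropy": round(shannon_entropy(data), 2),
        "block_min": round(min(blocks), 2) if blocks else 0.0,
        "block_max": round(max(blocks), 2) if blocks else 0.0,
        "encrypted_like": looks_encrypted(data),
    }


if __name__ == "__main__":
    for path in sys.argv[1:]:  # e.g. an extracted .resources blob
        with open(path, "rb") as fh:
            print(path, report(fh.read()))
```

A plaintext PE or a padded resource produces a visible dip in block_min; the 294KB resource above would not.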
Process Hollowing via Fragmented API Strings
The injection technique is where the evasion engineering gets interesting. Instead of storing complete WinAPI function names that YARA rules can match, the loader constructs them at runtime from string fragments:
| Concatenated Fragments | Resolved API |
|---|---|
| "Virtual " + "Alloc" | VirtualAlloc |
| "Write " + "Process " + "Memory" | WriteProcessMemory |
| "Virtual " + "Protect" | VirtualProtect |
| "Open " + "Process" | OpenProcess |
| "Close " + "Handle" | CloseHandle |
| "kernel " + "32.dll" | kernel32.dll |
| "Find " + "ResourceA" | FindResourceA |
Each fragment alone is benign. The concatenation happens at runtime, and the resolved function addresses are obtained via GetDelegateForFunctionPointer -- P/Invoke delegation that bypasses the normal import table entirely. The injection target is determined dynamically from the assembly's own Location property.
This forces defenders to write behavioral detection rather than simple string-matching rules. A YARA rule looking for "VirtualAlloc" as a contiguous string will miss this entirely.
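One way to close that gap on the static side is to scan the assembly's UTF-16LE literals and check whether any set of 2-3 of them concatenates to a known API name. The following is an added Python example, not code from the original post or from the loader; the API list and the assumption that the loader drops the padding space on concatenation are this example's own:

```python
"""Rebuild fragmented WinAPI names from a .NET assembly's string literals.

Added example for this write-up, not the loader's or the post's own code. .NET
literals are stored UTF-16LE (the reason for YARA's 'wide'), so the scanner
extracts UTF-16LE runs from a buffer and reports each API name that can be
spelled by joining 2-3 of them: what a contiguous "VirtualAlloc" match misses.
"""
import re

# Names a hollowing loader has to resolve (this example's list; extend as needed).
API_NAMES = (
    "VirtualAlloc", "VirtualProtect", "WriteProcessMemory", "OpenProcess",
    "CloseHandle", "FindResourceA", "kernel32.dll", "CreateProcessA",
    "ResumeThread", "NtUnmapViewOfSection", "SetThreadContext",
)
_UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){3,}")  # 3+ printable UTF-16LE chars


def utf16_strings(blob: bytes) -> list:
    return [m.group().decode("utf-16-le") for m in _UTF16_RUN.finditer(blob)]


def spell(target: str, frags: set, max_parts: int = 3):
    """Fragment tuple that concatenates to target (2..max_parts parts), else None."""
    def rec(rest, used):
        if not rest:
            return used if len(used) >= 2 else None
        if len(used) == max_parts:
            return None
        for f in sorted(frags):  # sorted so results are deterministic
            if rest.startswith(f):
                hit = rec(rest[len(f):], used + (f,))
                if hit:
                    return hit
        return None
    return rec(target, ())


def scan(blob: bytes) -> dict:
    """Split literals into contiguous API names and ones rebuilt from fragments."""
    strings = utf16_strings(blob)
    # The loader's "Virtual " + "Alloc" yields VirtualAlloc, so fragments are
    # compared with surrounding whitespace stripped (assumption about the join).
    frags = {s.strip() for s in strings} - set(API_NAMES) - {""}
    contiguous = sorted(s for s in strings if s in API_NAMES)
    fragmented = {}
    for api in API_NAMES:
        parts = spell(api, frags)
        if parts:
            fragmented[api] = parts
    return {"contiguous": contiguous, "fragmented": fragmented}


# Constructed stand-in for a #US heap: the post's fragments, one whole API name
# and one benign literal, each followed by a null pad that ends the UTF-16 run.
SAMPLE_BLOB = b"\x00\x00".join(s.encode("utf-16-le") for s in (
    "Virtual ", "Alloc", "Write ", "Process ", "Memory", "kernel ", "32.dll",
    "CloseHandle", "Efyfqp", "GetDelegateForFunctionPointer",
))
```

Run scan() over the raw bytes of a suspect assembly; a non-empty "fragmented" result alongside a GetDelegateForFunctionPointer literal is the pattern the rules below encode.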
C2 Infrastructure
ResolverRAT Command and Control
All four known C2 IPs operate on the same characteristic port: 56001.
| IP | Port | ASN | Provider | Country | Status |
|---|---|---|---|---|---|
| 88[.]214[.]50[.]195 | 56001 | AS51396 | Online Connect Ltd | RU | Unknown |
| 64[.]188[.]91[.]191 | 56001 | AS215730 | H2NEXUS LTD | NL | Live |
| 109[.]120[.]137[.]101 | 56001 | AS215730 | H2NEXUS LTD | DE | Unknown |
| 193[.]111[.]117[.]0 | 56001 | AS207043 | DEDIK Services Ltd | PL | Live |
The hosting provider selection reveals operational intent:
- H2NEXUS LTD (AS215730) hosts two of the four C2 IPs across both the Netherlands and Germany. This is a bulletproof hosting indicator -- a single provider operating in multiple jurisdictions complicates takedown coordination.
- DEDIK Services Ltd (AS207043) is a known cybercrime infrastructure host (DEDIK-IO). Their server at 193[.]111[.]117[.]0 runs a self-signed certificate on port 1337 in addition to the standard 56001.
- Online Connect Ltd (AS51396) provides the Russian hosting component under netname RU-NELEEL.
One live server (64[.]188[.]91[.]191) has a PTR record of s224689.love-is.nexus and runs Cloudflare with OpenSSH 8.9p1 on Ubuntu -- consistent with a VPS acting as a proxy or relay rather than a direct C2 panel.
The Microsoft Impersonation Domain
pat[.]microsoft-telemetry[.]at
This domain used the Austrian .at ccTLD to impersonate Microsoft telemetry infrastructure. It has since been taken down -- DNS returns no records and WHOIS returns "nothing found." The domain name was carefully chosen: security teams that see connections to anything matching microsoft-telemetry.* in their logs may dismiss them as legitimate Windows telemetry before investigating further.
LummaStealer C2 Domains (Last 48 Hours)
The LummaStealer component uses a completely separate C2 infrastructure with rapidly rotating domains:
| Domain | First Seen | C2 Path |
|---|---|---|
| brocaez[.]club | 2026-03-09 | -- |
| gennods[.]cyou | 2026-03-09 | -- |
| familbg[.]club | 2026-03-09 | -- |
| mobbyyt[.]club | 2026-03-09 | -- |
| superyupp[.]fun | 2026-03-08 | /api |
| curtainjors[.]fun | 2026-03-08 | /api |
| retiriu[.]cyou | 2026-03-08 | /api |
The pattern is consistent across the LummaStealer ecosystem: random pronounceable words on disposable TLDs (.fun, .club, .cyou) with a /api endpoint. These domains churn daily, making static blocklists a losing game without automation.
Campaign Cluster: Five Linked Samples
All PE samples in this campaign share imphash f34d5f2d4577ed6d9ceec516c1f5a744, confirming a common build pipeline. The spread of dates and file sizes suggests an actively maintained build system producing fresh variants.
| SHA256 (truncated) | File Name | Size | Date | Notes |
|---|---|---|---|---|
| 87053d0a... | donut_decrypted_netexe.bin | 605KB | 2026-03-05 | Primary analysis sample |
| 6454800a... | 729e1fea...exe | 624KB | 2026-03-07 | Newest PE variant |
| 6bbb5ea1... | 42b7e92f...exe | 667KB | 2026-02-26 | Mid-campaign sample |
| 4be77204... | RuntimeBroker.exe | 1.3MB | 2026-02-17 | Masquerades as Windows RuntimeBroker (AMD64) |
| f87dcded... | Form_1768322935.js | 4.2MB | 2026-01-14 | JavaScript loader variant |
Two observations stand out. First, the RuntimeBroker.exe variant (T1036.005 -- Masquerading) uses a legitimate Windows process name, is compiled for AMD64, and is more than twice the size of the other samples -- suggesting it carries additional payloads or functionality. Second, the 4.2MB JavaScript variant from January indicates experimentation with web-based delivery mechanisms, possibly through malicious email attachments or drive-by downloads.
MITRE ATT&CK Mapping
| Tactic | Technique | ID | Evidence |
|---|---|---|---|
| Execution | Command and Scripting Interpreter: JavaScript | T1059.007 | JS loader variant (Form_1768322935.js) |
| Defense Evasion | Obfuscated Files: Software Packing | T1027.002 | Donut + .NET Reactor + ZgRAT (three-layer packing) |
| Defense Evasion | Deobfuscate/Decode Files | T1140 | AES-256-CBC + custom block cipher + GZip at runtime |
| Defense Evasion | Masquerading: Match Legitimate Name | T1036.005 | RuntimeBroker.exe, microsoft-telemetry.at |
| Defense Evasion | Process Injection: Process Hollowing | T1055.012 | VirtualAlloc + WriteProcessMemory via fragmented P/Invoke |
| Credential Access | Credentials from Password Stores | T1555 | LummaStealer browser credential extraction |
| Credential Access | Steal Web Session Cookie | T1539 | LummaStealer cookie theft |
| Collection | Data from Local System | T1005 | LummaStealer wallet and 2FA exfiltration |
| Command and Control | Non-Standard Port | T1571 | Port 56001 for ResolverRAT C2 |
| Command and Control | Encrypted Channel: Symmetric Cryptography | T1573.001 | AES-encrypted C2 communications |
Indicators of Compromise
Network Indicators
ResolverRAT C2 (port 56001):
88[.]214[.]50[.]195
64[.]188[.]91[.]191
109[.]120[.]137[.]101
193[.]111[.]117[.]0
ResolverRAT C2 Domain:
pat[.]microsoft-telemetry[.]at
LummaStealer C2 (active as of 2026-03-09):
hxxps://superyupp[.]fun/api
hxxps://curtainjors[.]fun/api
hxxps://retiriu[.]cyou/api
brocaez[.]club
gennods[.]cyou
familbg[.]club
mobbyyt[.]club
File Indicators
| Type | Value |
|---|---|
| SHA256 | 87053d0ad81ac3367ef5e6305f4cf4eec11776e94971f3f54bc66eaddf756eb5 |
| SHA1 | 70188c653e409b08f1591f5c7fd95e4716edf649 |
| MD5 | 43bfb580c664206153734859442ead26 |
| Imphash | f34d5f2d4577ed6d9ceec516c1f5a744 |
| SSDeep | 12288:x0PRNYLhJdkEefw+AAf3BEODSPGepldpbGhp:wNe/kThfRFDSPrpld5G/ |
| TLSH | T101D49E7776934E21C2890373C5DB4E4693B8A682B6E7F70E7145239614063EFEE0B267 |
Behavioral Indicators
AES Key: ce25356e4df1263a34e4f1a7bf13e518dc5904a2f5a8d2ccca5681752c5e9878
AES IV: c5b42ecf93f69ffd61b3616d8ab014aa
XOR Constants: 0x5D4CCC7F, 0x16346282, 0x3D9CE791, 0x3B675D0F
Module GUIDs: {1F4B02DF-696E-486A-8B35-F56CCA1C23C6}, {b8bddd2a-a952-4523-8049-3c5b3829d6dc}
Internal Names: Efyfqp.exe, Htdzey.exe
Detection Opportunities
YARA
```yara
rule ResolverRAT_ZgRAT_Loader_March2026 {
    meta:
        description = "Detects ResolverRAT/ZgRAT loader with embedded encrypted payloads"
        author = "Breakglass Intelligence"
        date = "2026-03-09"
        hash = "87053d0ad81ac3367ef5e6305f4cf4eec11776e94971f3f54bc66eaddf756eb5"
        tlp = "TLP:CLEAR"
    strings:
        $asm1 = "Efyfqp" ascii wide
        $asm2 = "Htdzey" ascii wide
        $asm3 = "Nugnaeqeq" ascii wide
        $crypto1 = "System.Security.Cryptography.AesCryptoServiceProvider" ascii wide
        $inject1 = "Virtual " ascii wide
        $inject2 = "Alloc" ascii wide
        $inject3 = "Write " ascii wide
        $inject4 = "Process " ascii wide
        $inject5 = "Memory" ascii wide
        $inject6 = "kernel " ascii wide
        $inject7 = "32.dll" ascii wide
        $delegate = "GetDelegateForFunctionPointer" ascii wide
        $aes_key = {CE 25 35 6E 4D F1 26 3A 34 E4 F1 A7 BF 13 E5 18
                    DC 59 04 A2 F5 A8 D2 CC CA 56 81 75 2C 5E 98 78}
        $aes_iv = {C5 B4 2E CF 93 F6 9F FD 61 B3 61 6D 8A B0 14 AA}
        $guid1 = {DF 02 4B 1F 6E 69 6A 48 8B 35 F5 6C CA 1C 23 C6}
        $guid2 = {2A DD BD B8 52 A9 23 45 80 49 3C 5B 38 29 D6 DC}
    condition:
        uint16(0) == 0x5A4D and filesize < 1MB and
        (
            (3 of ($inject*) and $delegate) or
            (any of ($asm*) and $crypto1) or
            ($aes_key and $aes_iv) or
            ($guid1 and $guid2)
        )
}

rule ResolverRAT_Fragmented_PInvoke_Generic {
    meta:
        description = "Generic detection for .NET loaders using fragmented WinAPI string construction"
        author = "Breakglass Intelligence"
        date = "2026-03-09"
        tlp = "TLP:CLEAR"
    strings:
        $frag1 = "Virtual " wide
        $frag2 = "Alloc" wide
        $frag3 = "Write " wide
        $frag4 = "Process " wide
        $frag5 = "Memory" wide
        $frag6 = "kernel " wide
        $frag7 = "32.dll" wide
        $frag8 = "Open " wide
        $frag9 = "Close " wide
        $frag10 = "Handle" wide
        $ref_crypto = "System.Security.Cryptography.AesCryptoServiceProvider" wide
        $delegate = "GetDelegateForFunctionPointer" wide
        $load1 = "file:///" wide
        $load2 = "Location" wide
    condition:
        uint16(0) == 0x5A4D and filesize < 2MB and
        (5 of ($frag*)) and $ref_crypto and $delegate and all of ($load*)
}

rule LummaStealer_ResolverRAT_MultiPayload {
    meta:
        description = "Detects dual-payload .NET loaders with AES+GZip decompression and multiple static array sizes"
        author = "Breakglass Intelligence"
        date = "2026-03-09"
        tlp = "TLP:CLEAR"
    strings:
        $private_impl = "<PrivateImplementationDetails>" ascii
        $init_256 = "__StaticArrayInitTypeSize=256" ascii
        $init_64 = "__StaticArrayInitTypeSize=64" ascii
        $init_32 = "__StaticArrayInitTypeSize=32" ascii
        $init_16 = "__StaticArrayInitTypeSize=16" ascii
        $resmanager = {CE CA EF BE}
        $aes = "AesCryptoServiceProvider" wide ascii
        $gzip = "GZipStream" ascii
        $memstream = "MemoryStream" ascii
    condition:
        uint16(0) == 0x5A4D and
        $private_impl and (3 of ($init*)) and
        #resmanager >= 2 and $aes and $gzip and $memstream
}
```
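The $guid1/$guid2 hex strings in the first rule are not the GUID's digits in textual order: the CLR writes Module GUIDs to the #GUID heap in the mixed-endian System.Guid layout, while the FieldRVA key material is stored as-is. The following added Python example (not the post's own tooling) converts both forms into YARA hex strings and checks them against a constructed buffer:

```python
"""Emit YARA hex strings for a .NET Module GUID and for FieldRVA key bytes.

Added example for this write-up, not the post's own tooling. A GUID is stored
with Data1 (4 bytes), Data2 (2) and Data3 (2) little-endian and the final 8
bytes in textual order, so {1F4B02DF-...} must be matched as DF 02 4B 1F ...;
AES key/IV bytes in FieldRVA data are laid out exactly as their hex reads.
"""
import uuid


def guid_hex(guid: str) -> str:
    """'{1F4B02DF-...}' -> '{DF 02 4B 1F ...}' (uuid.bytes_le is the COM/.NET layout)."""
    raw = uuid.UUID(guid.strip("{}")).bytes_le
    return "{" + " ".join(f"{b:02X}" for b in raw) + "}"


def blob_hex(hexdigits: str) -> str:
    """'c5b42e...' -> '{C5 B4 2E ...}': textual order, as for FieldRVA key material."""
    return "{" + " ".join(f"{b:02X}" for b in bytes.fromhex(hexdigits)) + "}"


def yara_bytes(pattern: str) -> bytes:
    """Parse a plain YARA hex string (no wildcards or jumps) back into bytes."""
    return bytes.fromhex(pattern.strip("{}").replace(" ", "").replace("\n", ""))


def rule_text(name: str, strings: dict) -> str:
    """Minimal rule body from {identifier: yara hex string}, all strings required."""
    body = "\n".join(f"        ${k} = {v}" for k, v in strings.items())
    cond = " and ".join(f"${k}" for k in strings)
    return (f"rule {name} {{\n    strings:\n{body}\n"
            f"    condition:\n        uint16(0) == 0x5A4D and {cond}\n}}")


def textual_order_misses(guid: str, blob: bytes) -> bool:
    """The trap: the GUID's hex digits pasted in textual order never occur on disk."""
    return bytes.fromhex(guid.strip("{}").replace("-", "")) not in blob


# Values quoted from the post.
GUID1 = "{1F4B02DF-696E-486A-8B35-F56CCA1C23C6}"
GUID2 = "{b8bddd2a-a952-4523-8049-3c5b3829d6dc}"
AES_IV = "c5b42ecf93f69ffd61b3616d8ab014aa"

# Constructed stand-in for file contents: both GUIDs as the CLR stores them,
# followed by the IV as a FieldRVA blob (a real file carries much more around them).
SAMPLE = (uuid.UUID(GUID1.strip("{}")).bytes_le
          + uuid.UUID(GUID2.strip("{}")).bytes_le
          + bytes.fromhex(AES_IV))

if __name__ == "__main__":
    print(rule_text("ModuleGuid_Demo", {"guid1": guid_hex(GUID1),
                                        "guid2": guid_hex(GUID2),
                                        "iv": blob_hex(AES_IV)}))
```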
Suricata / Snort
```suricata
# ResolverRAT C2 on characteristic port 56001
alert tcp $HOME_NET any -> $EXTERNAL_NET 56001 ( \
    msg:"MALWARE ResolverRAT C2 Communication on port 56001"; \
    flow:established,to_server; \
    threshold:type limit, track by_src, count 1, seconds 300; \
    classtype:trojan-activity; sid:2026030901; rev:1;)

# Known ResolverRAT C2 IPs
alert ip $HOME_NET any -> [88.214.50.195,64.188.91.191,109.120.137.101,193.111.117.0] any ( \
    msg:"MALWARE ResolverRAT Known C2 IP"; \
    classtype:trojan-activity; sid:2026030902; rev:1;)

# ResolverRAT Microsoft impersonation domain
alert dns $HOME_NET any -> any any ( \
    msg:"MALWARE ResolverRAT C2 Domain - microsoft-telemetry.at"; \
    dns.query; content:"microsoft-telemetry.at"; nocase; \
    classtype:trojan-activity; sid:2026030903; rev:1;)

# LummaStealer C2 API pattern on disposable TLDs
alert http $HOME_NET any -> $EXTERNAL_NET any ( \
    msg:"MALWARE LummaStealer C2 API Call (.fun TLD)"; \
    flow:established,to_server; \
    http.uri; content:"/api"; \
    http.host; content:".fun"; endswith; \
    classtype:trojan-activity; sid:2026030904; rev:1;)

alert http $HOME_NET any -> $EXTERNAL_NET any ( \
    msg:"MALWARE LummaStealer C2 API Call (.cyou TLD)"; \
    flow:established,to_server; \
    http.uri; content:"/api"; \
    http.host; content:".cyou"; endswith; \
    classtype:trojan-activity; sid:2026030905; rev:1;)

alert http $HOME_NET any -> $EXTERNAL_NET any ( \
    msg:"MALWARE LummaStealer C2 API Call (.club TLD)"; \
    flow:established,to_server; \
    http.uri; content:"/api"; \
    http.host; content:".club"; endswith; \
    classtype:trojan-activity; sid:2026030906; rev:1;)
```
Hunting Queries
Imphash sweep -- search file telemetry for any binary matching the campaign imphash. This is the single highest-confidence indicator for this cluster:
imphash:f34d5f2d4577ed6d9ceec516c1f5a744
Network hunting -- search proxy/firewall logs for connections to port 56001, connections to any host matching *microsoft-telemetry*, and HTTP POST requests to /api on .fun, .club, or .cyou domains.
Endpoint hunting -- search EDR telemetry for .NET processes loading assemblies with internal names Efyfqp or Htdzey, or any process spawning from a RuntimeBroker.exe located outside C:\Windows\System32\.
ASN-level monitoring -- flag any outbound traffic to AS215730 (H2NEXUS LTD) or AS207043 (DEDIK Services Ltd). Both are associated with bulletproof hosting and have limited legitimate use in most enterprise environments.
Published by Breakglass Intelligence. Investigation conducted 2026-03-09. Five campaign samples analyzed. Four C2 servers identified. One Microsoft impersonation domain taken down. Classification: TLP:CLEAR