ResolverRAT Unleashed: A Multi-Tool Cybercrime Arsenal Spanning 22 C2 Nodes and 12 Bulletproof Hosts
TL;DR: A Donut-decrypted .NET payload reveals a sprawling cybercrime operation deploying five malware families -- ResolverRAT, PureRAT, PureHVNC, PureLogs Stealer, and Lumma/ZgRAT -- across 22 C2 IP addresses, 8 domains, and 12+ hosting providers in 8+ countries. The campaign has been active since November 2025 with fresh infrastructure deployed as recently as one day before our investigation. German-language artifacts in domain names, Austrian TLD abuse, and a distinctive batch-registration pattern through a single registrar provide attribution leads. The payload uses .NET Reactor obfuscation with 119 GUID-named config fields, multi-layer AES/3DES encryption, certificate pinning with 14 SHA-256 hashes, and communicates on both standard and non-standard ports. Five domains were batch-registered within 48 hours via the same registrar, all of which have since been suspended -- but the operator has already rotated to fresh infrastructure.
Key Findings
This investigation began with a single Donut-decrypted .NET executable (87053d0a...) submitted to MalwareBazaar on March 5, 2026 by researcher PedroGabaldon. What emerged from static analysis, infrastructure pivoting, and threat intelligence correlation was far more than a single RAT deployment.
The Scale of the Operation
The binary contains hardcoded references to 22 distinct C2 IP addresses dispersed across 12+ hosting providers in at least 8 countries. Five of these IPs were already flagged in ThreatFox as active ResolverRAT or PureRAT command-and-control nodes. The remaining 17 were previously unreported, representing a significant expansion of the known infrastructure footprint.
Eight C2 domains were extracted and confirmed through ThreatFox correlation, with five of them batch-registered within a 48-hour window through the same registrar (Hosting Concepts B.V. / Registrar.eu). This registration cluster -- March 20-21, 2025 -- was followed by nine months of dormancy before activation in December 2025, indicating a deliberate pre-registration strategy for future campaign phases.
Multi-Tool Deployment
This is not a single-malware operation. The campaign deploys a coordinated toolkit:
- ResolverRAT: Primary remote access trojan with encrypted C2 communications
- PureRAT: Secondary RAT for persistent access and command execution
- PureHVNC: Hidden VNC for real-time remote desktop control and screen capture
- PureLogs Stealer: Credential harvester targeting browsers, wallets, and applications
- ClearFake/ClickFix: Social engineering delivery mechanism via fake browser update pages
- Lumma/ZgRAT: Additional stealer capabilities (tagged but not fully confirmed in this sample)
All tools share the same C2 infrastructure, meaning a single takedown operation could impact the entire toolkit -- but it also means the operator has built redundancy into the system with 22 fallback IPs.
Infrastructure Freshness
The most concerning finding is the operational tempo. On the day of our investigation (March 10, 2026), a new Google Trust Services certificate was issued for huehnchenfarm[.]ru, and the most recent C2 IP (45[.]141[.]119[.]34) and domain (kampf[.]huehnchenfarm[.]ru) had been first reported to ThreatFox just one day prior, on March 9. This operator is actively refreshing infrastructure faster than the security community can block it.
Attack Chain
The infection begins with social engineering and ends with data exfiltration through encrypted channels across a distributed C2 network.
Phase 1: Delivery
ClearFake/ClickFix social engineering (fake browser update pages)
Hosted on dndhub[.]xyz (confirmed ClearFake delivery domain)
|
v
Phase 2: Loading
Donut shellcode loader executes in memory
Original filename: donut_decrypted_netexe.bin
No disk artifacts from loader stage
|
v
Phase 3: Execution
ResolverRAT .NET payload loads in memory
.NET Reactor obfuscation with 119 GUID-named config fields
295KB encrypted resource blob decrypted via AES-CBC
|
v
Phase 4: Tool Deployment
+-- PureRAT (persistent access, port 4782)
+-- PureHVNC (hidden remote desktop)
+-- PureLogs Stealer (credential harvesting)
+-- Lumma/ZgRAT (additional stealing capabilities)
|
v
Phase 5: Exfiltration
Encrypted C2 over HTTPS (port 443/8443)
Non-standard ports as fallback (56001, 1337, 7777, 9090)
RSA key exchange + AES encrypted channel
14 certificate pins prevent MITM interception
The Donut loader is a critical component of this chain. By executing the .NET assembly entirely in memory, the operator avoids leaving the primary payload on disk -- making traditional file-based detection significantly harder. The original filename donut_decrypted_netexe.bin confirms this delivery mechanism.
Infrastructure Analysis
Bulletproof Hosting Hierarchy
The operator demonstrates sophisticated provider selection, deliberately choosing hosting providers known for abuse tolerance:
Tier 0 -- Bulletproof Hosting (known abuse-tolerant):
| Provider | ASN | Country | IP | Notes |
|---|---|---|---|---|
| Aeza Group Ltd | AS216246 | Russia | 79[.]137[.]192[.]174 | Known BPH, serves ResolverRAT + PureLogs C2 |
| DEDIK SERVICES LIMITED | DEDIKIO-MNT | UK/Poland | 193[.]111[.]117[.]0 | Hosts ResolverRAT C2 since Nov 2025, port 1337 |
| VMHeaven.io / pfcloud | AS51396 | Netherlands | 45[.]153[.]34[.]13, 45[.]156[.]87[.]142 | Two IPs from same BPH, one discovered via DNS pivot |
Tier 1 -- Abuse-Tolerant VPS:
| Provider | Country | IP | Notes |
|---|---|---|---|
| Cloudzy / FranTech | US | 172[.]86[.]113[.]29 | Iranian-linked VPS provider, hosts ResolverRAT + PureLogs |
| DEMENIN B.V. | NL (registered UA) | 83[.]142[.]209[.]92 | RDP + C2 port 8443 active |
| Lain (Julian Achter) | DE/CH | 45[.]141[.]119[.]34 | Newest C2 -- PureRAT/PureHVNC, deployed Mar 9 |
| Global-Data System IT | SC/CH | 86[.]54[.]42[.]53 | Seychelles-registered, Switzerland-hosted |
Tier 2 -- Standard Hosting:
Rica Web Services (Canada), Lanedonet (Netherlands), Hyonix (Singapore), Integen Inc (US), and Manjul/Larus (US) round out the infrastructure with IPs that may be compromised hosts or simply less-scrutinized providers.
Domain Registration Pattern
The batch-registration pattern is one of the strongest infrastructure fingerprints in this campaign:
| Domain | Registrar | Created | Activated | Status |
|---|---|---|---|---|
| stathub[.]quest | Registrar.eu | 2025-03-20 | 2025-12-13 | SUSPENDED |
| mktblend[.]monster | Registrar.eu | 2025-03-21 | 2025-12-13 | SUSPENDED |
| stategiq[.]quest | Registrar.eu | 2025-03-21 | 2025-12-13 | SUSPENDED |
| dsgnfwd[.]xyz | Registrar.eu | 2025-03-21 | 2025-12-13 | SUSPENDED |
| dndhub[.]xyz | Registrar.eu | 2025-03-21 | 2025-12-12 | SUSPENDED |
All five were registered through the same registrar within 48 hours, sat dormant for nine months, activated simultaneously in December 2025, and have since been suspended. Each domain used a different Cloudflare nameserver pair, suggesting either multiple free-tier accounts or deliberate NS rotation to avoid clustering -- a technique that ultimately failed.
The non-batch domains tell a different story:
- pat[.]microsoft-telemetry[.]at: Austrian NIC, now pendingDelete. The .at TLD for Microsoft impersonation is geographically telling.
- kampf[.]huehnchenfarm[.]ru: R01-RU registrar, cert issued today. German words ("kampf" = fight/battle, "huehnchenfarm" = chicken farm) on a Russian TLD.
- windirautoupdates[.]top: Namecheap, registered Dec 16 2025, still LIVE. Windows Update impersonation with aggressive cert rotation (6 certificates across two CAs).
Certificate Analysis
All domains use wildcard certificates (*.domain), indicating planned subdomain infrastructure. The certificate rotation is aggressive:
- windirautoupdates[.]top has 6 certificates from both Sectigo and Google Trust Services, with the most recent issued February 13, 2026
- huehnchenfarm[.]ru received a new Google WE1 certificate on the day of this investigation (March 10, 2026)
- The batch-registered domains used a mix of Cloudflare TLS and Let's Encrypt wildcards
This rotation pattern suggests automated certificate management and active infrastructure maintenance.
Malware Technical Analysis
Sample Overview
| Property | Value |
|---|---|
| SHA-256 | 87053d0ad81ac3367ef5e6305f4cf4eec11776e94971f3f54bc66eaddf756eb5 |
| File Type | PE32 executable (GUI) Intel 80386 Mono/.Net assembly |
| Size | 605,184 bytes |
| Framework | .NET Framework 4.0.30319 |
| Obfuscator | .NET Reactor |
| Compilation | 2052-03-03 01:23:11 UTC (FORGED) |
| First Seen | 2026-03-05 (MalwareBazaar) |
The forged compilation timestamp of 2052 is an anti-forensics measure intended to confuse timeline analysis. The extreme future date is counterproductive -- it immediately flags the binary as suspicious to any analyst examining PE headers.
.NET Reactor Obfuscation
The binary uses .NET Reactor with 119 GUID-named configuration fields -- an unusually high count that suggests a complex, multi-module configuration system. The assembly metadata uses randomized names:
- Assembly: Htdzey
- Namespace: Efyfqp
- Module GUID: {1F4B02DF-696E-486A-8B35-F56CCA1C23C6}
Five obfuscated classes were identified, with likely purposes inferred from their structure:
| Obfuscated Name | Likely Purpose |
|---|---|
| VyybV3Hbk9BA0KxyMx.0Vo8aGnLWYBq6AMFYc | Main RAT class |
| ekJCbABmLGs77U1b9R.L8RUNjK99qgMXaV3Uo | Crypto/loader module |
| iTJg9l6IfQ2Tc5gkYe.4fA0eIhH69ZoXcl0by | Communications handler |
| SRTESUHnMlWtoUBmlCn.lnpjfBHHitTcIbxkN7U+... | Generic config decryptor type |
| ahxa.BPb | Entry point class |
Multi-Layer Encryption Architecture
The encrypted configuration is stored in a .NET resource named g91b9c41d2ff549a58f4d9ee3b69c22c1 -- a 295,424-byte blob with entropy exceeding 7.9 bits per byte (near-random). Decryption follows a four-stage chain:
- Base64 decode: Key material decoded from Base64 strings
- MD5 hash: AES key derived from the decoded material via MD5
- AES-CBC decrypt: Primary config blob decrypted with the derived key
- GZip decompress: Plaintext configuration extracted from compressed output
The binary also imports RijndaelManaged (alternative symmetric cipher), TripleDES (additional encryption layer), and RSACryptoServiceProvider (C2 authentication and key exchange) -- indicating multiple encryption paths for different operational needs.
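As an added worked example (not tooling from the report, and not the malware's own code), the four-stage chain above run end to end in Python on a constructed blob. The report does not state the IV placement, padding or key size, so the script assumes AES-128 keyed with MD5 of the Base64-decoded key material, a 16-byte IV prepended to the ciphertext, PKCS#7 padding, and a JSON plaintext; `build_sample_blob` exists only to manufacture that test input. It also computes the byte entropy the paragraph refers to, so the encrypted blob can be compared with its decrypted output. Requires the `cryptography` package.

```python
"""
Worked example: Base64 -> MD5 -> AES-CBC -> GZip configuration decryption,
run on a constructed sample blob. Assumed (not stated in the report):
AES-128 keyed with MD5(key material), 16-byte IV prepended to the
ciphertext, PKCS#7 padding, JSON plaintext.
"""
import base64
import gzip
import hashlib
import json
import math
from collections import Counter

from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes


def derive_key(key_material_b64: str) -> bytes:
    """Stages 1-2: Base64-decode the embedded key string, then MD5 it.
    MD5 yields 16 bytes, which is exactly an AES-128 key."""
    return hashlib.md5(base64.b64decode(key_material_b64)).digest()


def decrypt_config(blob: bytes, key_material_b64: str) -> bytes:
    """Stages 3-4: AES-CBC decrypt (IV assumed to be the first 16 bytes),
    strip PKCS#7 padding, then GZip-decompress the plaintext configuration."""
    key = derive_key(key_material_b64)
    iv, ciphertext = blob[:16], blob[16:]
    decryptor = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    padded = decryptor.update(ciphertext) + decryptor.finalize()
    unpadder = padding.PKCS7(128).unpadder()
    compressed = unpadder.update(padded) + unpadder.finalize()
    return gzip.decompress(compressed)


def extract_config(blob: bytes, key_material_b64: str) -> dict:
    """Decrypt and parse the JSON layout used by the constructed sample
    (a real sample's plaintext layout will differ)."""
    return json.loads(decrypt_config(blob, key_material_b64))


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; values approaching 8.0 mean near-random content, which
    is what an encrypted resource looks like and why the 295 KB blob stands out."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_sample_blob(config: dict, key_material_b64: str, iv: bytes) -> bytes:
    """Inverse of the chain, used only so this example runs offline. A real
    blob is read out of the .NET resource, never built by the analyst."""
    compressed = gzip.compress(json.dumps(config).encode(), mtime=0)
    padder = padding.PKCS7(128).padder()
    padded = padder.update(compressed) + padder.finalize()
    encryptor = Cipher(algorithms.AES(derive_key(key_material_b64)), modes.CBC(iv)).encryptor()
    return iv + encryptor.update(padded) + encryptor.finalize()


# Constructed sample data: documentation-range addresses and a deterministic
# stand-in for an embedded RSA public key, not the report's real IOCs.
SAMPLE_KEY_B64 = base64.b64encode(b"constructed-key-material").decode()
SAMPLE_IV = bytes(range(16))
SAMPLE_CONFIG = {
    "c2_hosts": [f"203.0.113.{i}" for i in range(1, 23)],
    "c2_ports": [443, 8443, 56001, 4782, 1337],
    "rsa_public_key": base64.b64encode(
        b"".join(hashlib.sha256(b"constructed-%d" % i).digest() for i in range(32))
    ).decode(),
}
SAMPLE_BLOB = build_sample_blob(SAMPLE_CONFIG, SAMPLE_KEY_B64, SAMPLE_IV)

if __name__ == "__main__":
    plaintext = decrypt_config(SAMPLE_BLOB, SAMPLE_KEY_B64)
    print(f"blob: {len(SAMPLE_BLOB)} bytes, {shannon_entropy(SAMPLE_BLOB):.2f} bits/byte")
    print(f"config: {len(plaintext)} bytes, {shannon_entropy(plaintext):.2f} bits/byte")
    print(extract_config(SAMPLE_BLOB, SAMPLE_KEY_B64)["c2_ports"])
```

On a real sample, replace SAMPLE_BLOB with the bytes of the named resource and SAMPLE_KEY_B64 with the Base64 string recovered from the config decryptor type. A padding error at stage 3 usually means the IV convention or key-size assumption is wrong (a separate IV field, or SHA-256 instead of MD5 giving a 32-byte key), which is the first thing to adjust before suspecting the cipher itself.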
Certificate Pinning
Fourteen SHA-256 certificate fingerprints are embedded in the binary for C2 server authentication:
03DCEB56B5842C722DE2821DA9906CD70AB73267EAB1A3947BFD894D19372BC7
0E448EF5E5E60630BDDB19388CB6378436E3C65D03DD66DA7C6EBFF563BD857A
128605DD5EC3F87EB915E0EDA22D0F52C595C0CF7986D911ED2CA1C403FB7B83
4BED3ADC52D4904075F6BBF279EC4ACEDE079533B95E229A29809542EA324A7B
59058FDDE6089BCA6236FD2AE2D98B3ABB38A7BC80D8DD4C75CEFD7A5D247074
62E6F13B53D67FDD780E20D89A6E8EE503B197AC16AC3F1D2571C147FDD324C9
742EB14EC82FD7DCE8A8B8165C5AE7AABD3935C69B50E82F066C4890BD7C5D1F
7F535673D836D3D77A97DB03EB3D71EA780F44372F5AEBECEBEDD696AAEB8378
841F6FF48991C286754FBA5647CA30986070C8F457C22D30959D113010CC164C
97E613E5A3A47DEC76B7E50D47644B35EA4322F00D594D80D2F1C1F3644F8A4A
C356AFF1A01C2B0DA472E584C8E3C8F875B9A24280435D42836A77B19F5A8C18
C61B1941CF756EB7551F7C661743802362728B785ADC22E860D269713DFB01A6
D5B7247C497788CF0031CEB06E3DF77A45FEF59F1E49633DC7159816D64759B5
F1C3EBE78BD8C38559BF3CFCC9A9FA37D221E31780774A3787E26160A61F5348
This level of certificate pinning makes man-in-the-middle interception of C2 traffic extremely difficult, even in enterprise environments with TLS inspection. The 14 pins likely correspond to certificates deployed across different C2 nodes, allowing the operator to rotate servers without updating the binary.
C2 Port Strategy
The binary is configured to communicate on 10 different ports:
| Port | Count | Purpose |
|---|---|---|
| 443 | 29 refs | Primary HTTPS C2 (blends with legitimate traffic) |
| 1337 | 19 refs | Custom port on DEDIK-IO infrastructure |
| 9090 | 9 refs | Management/fallback |
| 7777 | 7 refs | Backup C2 |
| 56001 | 6 refs | ResolverRAT custom protocol |
| 8443 | 5 refs | Alternate HTTPS |
| 6666 | 5 refs | Additional fallback |
| 5555 | 4 refs | Additional fallback |
| 4782 | 4 refs | PureRAT default port |
| 4444 | 3 refs | Additional fallback |
The heavy use of port 443 (29 references) is a sound operational choice -- it blends with legitimate HTTPS traffic. The non-standard ports (56001, 4782, 1337) are more distinctive and can serve as high-confidence network detection signatures.
Detection
YARA Detection Summary
Detection rules target the following characteristics:
- .NET assembly metadata: assembly name Htdzey, namespace Efyfqp, module GUID
- Encrypted resource blob name: g91b9c41d2ff549a58f4d9ee3b69c22c1
- Obfuscated crypto wrapper function names
- Certificate pinning hash patterns
- .NET Reactor obfuscation artifacts with high GUID field counts
- Forged PE timestamp (2052)
Suricata Detection Summary
Network rules cover:
- DNS queries for all 8 C2 domains
- TLS SNI matching for C2 domains
- Connections to known C2 IPs on ports 443, 8443, 56001, 4782, 1337
- Certificate fingerprint matching for the 14 embedded SHA-256 hashes
- .NET Reactor beacon patterns in HTTPS traffic
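The network coverage above, expressed as equivalent matching logic in Python for reviewing exported DNS, TLS and connection records (an added example, not the report's Suricata rules). It refangs the report's defanged indicators, treats subdomains of a listed domain as hits (the wildcard certificates imply subdomains), grades a known C2 IP on a listed port higher than the same IP on an unlisted port, and treats the report's distinctive ports (56001, 4782, 1337) to an unlisted host as a hunting lead only. The IP and pin sets are a subset of the report's lists; the JSON event records, and the IP/SNI/certificate pairings within them, are constructed for the demonstration and say nothing about which node uses which certificate.

```python
"""
Worked example: the report's network detections as matching logic over
exported DNS/TLS/connection records (one JSON object per line).
Indicator sets come from the report's defanged lists (subset of IPs and
pins); the event records are constructed.
"""
import json

C2_DOMAINS_DEFANGED = [
    "pat[.]microsoft-telemetry[.]at", "kampf[.]huehnchenfarm[.]ru",
    "windirautoupdates[.]top", "mktblend[.]monster", "stathub[.]quest",
    "stategiq[.]quest", "dsgnfwd[.]xyz", "dndhub[.]xyz",
]
C2_IPS_DEFANGED = [
    "45[.]141[.]119[.]34", "83[.]142[.]209[.]92", "172[.]86[.]113[.]29",
    "79[.]137[.]192[.]174", "193[.]111[.]117[.]0", "45[.]156[.]87[.]142",
    "45[.]153[.]34[.]13",
]
C2_PORTS = {443, 8443, 56001, 4782, 1337, 7777, 9090, 5555, 6666, 4444}
DISTINCTIVE_PORTS = {56001, 4782, 1337}  # high-signal even without a known IP
PINNED_CERTS = {                         # first three of the 14 embedded pins
    "03DCEB56B5842C722DE2821DA9906CD70AB73267EAB1A3947BFD894D19372BC7",
    "0E448EF5E5E60630BDDB19388CB6378436E3C65D03DD66DA7C6EBFF563BD857A",
    "128605DD5EC3F87EB915E0EDA22D0F52C595C0CF7986D911ED2CA1C403FB7B83",
}
SEVERITY = {"low": 1, "medium": 2, "high": 3}


def refang(ioc: str) -> str:
    """Turn the report's 'a[.]b' notation back into a usable indicator."""
    return ioc.replace("[.]", ".").lower()


C2_DOMAINS = {refang(d) for d in C2_DOMAINS_DEFANGED}
C2_IPS = {refang(i) for i in C2_IPS_DEFANGED}


def domain_hit(name: str) -> bool:
    """Exact match or any subdomain of a listed C2 domain;
    'dndhub.xyz.example.com' must not match."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in C2_DOMAINS)


def classify(event: dict):
    """Return an alert dict for one record, or None when nothing matches."""
    reasons = []
    query = event.get("query")
    if query and domain_hit(query):
        reasons.append(("high", f"DNS query for C2 domain {query}"))
    sni = event.get("sni")
    if sni and domain_hit(sni):
        reasons.append(("high", f"TLS SNI matches C2 domain {sni}"))
    cert = event.get("cert_sha256")
    if cert and cert.upper() in PINNED_CERTS:
        reasons.append(("high", f"server certificate {cert[:12].upper()}... is a pinned C2 certificate"))
    dst, dport = event.get("dst"), event.get("dport")
    if dst in C2_IPS:
        # A listed port on a known C2 IP is high confidence; an unlisted port
        # on the same IP is still worth review (rotated or shared service).
        level = "high" if dport in C2_PORTS else "medium"
        reasons.append((level, f"connection to known C2 IP {dst}:{dport}"))
    elif dport in DISTINCTIVE_PORTS:
        reasons.append(("low", f"distinctive C2 port {dport} to unlisted host {dst}"))
    if not reasons:
        return None
    top = max(reasons, key=lambda r: SEVERITY[r[0]])[0]
    return {"ts": event.get("ts"), "severity": top, "reasons": [r[1] for r in reasons]}


def scan_log(lines) -> list:
    """Classify every non-empty JSON line; keep only records that alert."""
    alerts = []
    for line in lines:
        if line.strip():
            alert = classify(json.loads(line))
            if alert:
                alerts.append(alert)
    return alerts


# Constructed records: internal hosts in 10.0.0.0/8, unrelated external hosts
# in documentation ranges; the IP/SNI/certificate pairings are invented.
SAMPLE_LOG = """
{"ts": "2026-03-10T08:01:02Z", "src": "10.0.0.5", "dst": "10.0.0.53", "dport": 53, "query": "kampf.huehnchenfarm.ru"}
{"ts": "2026-03-10T08:01:03Z", "src": "10.0.0.5", "dst": "45.141.119.34", "dport": 443, "sni": "kampf.huehnchenfarm.ru", "cert_sha256": "03dceb56b5842c722de2821da9906cd70ab73267eab1a3947bfd894d19372bc7"}
{"ts": "2026-03-10T08:02:10Z", "src": "10.0.0.7", "dst": "203.0.113.7", "dport": 56001}
{"ts": "2026-03-10T08:02:11Z", "src": "10.0.0.7", "dst": "198.51.100.9", "dport": 443, "sni": "example.com"}
{"ts": "2026-03-10T08:03:00Z", "src": "10.0.0.9", "dst": "79.137.192.174", "dport": 22}
"""

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG.splitlines()):
        print(alert["ts"], alert["severity"].upper(), "; ".join(alert["reasons"]))
```

The severity split matters operationally: port 443 alone is meaningless (the report notes it blends with legitimate traffic), so a 443 hit only alerts when the peer IP, SNI or certificate is also listed, while the distinctive ports earn a low-severity lead even against an unknown host because rotated infrastructure keeps the port before it gets a known IP.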
IOCs (Defanged)
C2 Domains
pat[.]microsoft-telemetry[.]at
kampf[.]huehnchenfarm[.]ru
windirautoupdates[.]top
mktblend[.]monster
stathub[.]quest
stategiq[.]quest
dsgnfwd[.]xyz
dndhub[.]xyz
C2 IP Addresses
45[.]141[.]119[.]34 # Lain (DE/CH) - PureRAT/PureHVNC [NEWEST]
83[.]142[.]209[.]92 # DEMENIN (NL) - ResolverRAT
172[.]86[.]113[.]29 # Cloudzy/FranTech (US) - ResolverRAT/PureLogs
79[.]137[.]192[.]174 # Aeza Group (RU) - ResolverRAT/PureLogs [BPH]
193[.]111[.]117[.]0 # DEDIK SERVICES (GB/PL) - ResolverRAT [BPH]
45[.]156[.]87[.]142 # VMHeaven/pfcloud (NL) [BPH]
45[.]153[.]34[.]13 # VMHeaven/pfcloud (NL) [BPH]
77[.]83[.]39[.]211 # Lanedonet (NL)
45[.]139[.]104[.]209 # Non-RIPE managed
38[.]49[.]215[.]118 # Rica Web Services (CA)
161[.]129[.]47[.]173 # Unknown
142[.]147[.]99[.]237 # Unknown
185[.]246[.]223[.]69 # Unknown
86[.]54[.]42[.]53 # Global-Data (SC/CH)
45[.]202[.]109[.]72 # Manjul/Larus (US)
151[.]242[.]170[.]208 # Unknown
192[.]252[.]181[.]13 # Integen (US)
128[.]254[.]194[.]95 # Hyonix (SG)
181[.]134[.]206[.]134 # Unknown
194[.]113[.]106[.]125 # Unknown
88[.]214[.]50[.]195 # Unknown
109[.]120[.]137[.]101 # Unknown
64[.]188[.]91[.]191 # love-is.nexus
File Hashes
SHA-256: 87053d0ad81ac3367ef5e6305f4cf4eec11776e94971f3f54bc66eaddf756eb5
MD5: 43bfb580c664206153734859442ead26
SHA-1: 70188c653e409b08f1591f5c7fd95e4716edf649
imphash: f34d5f2d4577ed6d9ceec516c1f5a744
Behavioral Indicators
Assembly: Htdzey
Namespace: Efyfqp
Module GUID: {1F4B02DF-696E-486A-8B35-F56CCA1C23C6}
Resource: g91b9c41d2ff549a58f4d9ee3b69c22c1
C2 Ports: 443, 8443, 56001, 4782, 1337, 7777, 9090, 5555, 6666, 4444
MITRE ATT&CK Mapping
| Tactic | Technique | ID | Application |
|---|---|---|---|
| Initial Access | Drive-by Compromise | T1189 | ClearFake/ClickFix via dndhub[.]xyz |
| Execution | User Execution: Malicious File | T1204.002 | Donut-wrapped .NET payload execution |
| Defense Evasion | Obfuscated Files: Software Packing | T1027.002 | .NET Reactor, 119 GUID-named config fields |
| Defense Evasion | Obfuscated Files: Indicator Removal | T1027.005 | Forged PE timestamp (2052), encrypted config |
| Defense Evasion | Process Injection: DLL Injection | T1055.001 | Donut loader for in-memory .NET assembly |
| Defense Evasion | Deobfuscate/Decode Files | T1140 | Base64 to MD5 to AES-CBC to GZip chain |
| Credential Access | Credentials from Web Browsers | T1555.003 | PureLogs Stealer browser credential theft |
| Collection | Screen Capture | T1113 | PureHVNC remote desktop capture |
| Command and Control | Application Layer Protocol | T1071.001 | HTTPS C2 with certificate pinning |
| Command and Control | Encrypted Channel: Asymmetric Crypto | T1573.002 | RSA + AES encrypted C2, 14 cert pins |
| Command and Control | Non-Standard Port | T1571 | Ports 56001, 4782, 1337, 7777, 9090 |
| Command and Control | Fallback Channels | T1008 | 22 C2 IPs, 8 domains, 10+ port options |
| Exfiltration | Exfiltration Over C2 Channel | T1041 | Data exfiltration over encrypted C2 |
Campaign Timeline
| Date | Event |
|---|---|
| 2025-03-20 | stathub[.]quest registered via Registrar.eu |
| 2025-03-21 | Four more domains batch-registered (48-hour window) |
| 2025-09-21 | First certificates issued for batch domains |
| 2025-11-09 | microsoft-telemetry[.]at and DEDIK IP first reported to ThreatFox |
| 2025-12-12 | dndhub[.]xyz activated for ClearFake delivery |
| 2025-12-13 | All five batch domains activated simultaneously for PureHVNC C2 |
| 2025-12-16 | windirautoupdates[.]top registered via Namecheap |
| 2026-01-01 | windirautoupdates[.]top active as PureHVNC C2 |
| 2026-02-10 | Cloudzy IP active for PureLogs C2 |
| 2026-02-11 | Aeza Group IP active for PureLogs + ResolverRAT |
| 2026-02-20 | DEMENIN IP active for ResolverRAT |
| 2026-03-05 | Sample first submitted to MalwareBazaar |
| 2026-03-09 | NEW: kampf[.]huehnchenfarm[.]ru + Lain IP deployed |
| 2026-03-10 | NEW: Google WE1 certificate issued for huehnchenfarm[.]ru (investigation day) |
Attribution Notes
Attribution confidence is LOW-MEDIUM based on circumstantial evidence:
- German-language domain artifacts: "huehnchenfarm" (chicken farm) and "kampf" (fight/battle) strongly suggest a German-speaking operator
- Austrian TLD abuse: Using .at for Microsoft impersonation narrows the geographic profile to German-speaking Europe (DE/AT/CH)
- Russian infrastructure ties: R01-RU registrar for the .ru domain, Aeza Group (Russian BPH) hosting -- could indicate Russian-speaking collaboration or deliberate misdirection
- Operational maturity: Domain pre-registration (9 months before activation), rapid infrastructure refresh, diverse provider selection, and multi-layer encryption all indicate an experienced operator
- Financial motivation: The toolkit (credential stealer + HVNC + RAT) is optimized for financial cybercrime
OPSEC Failures
Despite the sophistication, the operator made several mistakes:
- German language in domain names narrows the operator's likely native language
- Batch-registering 5 domains in 48 hours through the same registrar creates obvious clustering
- Reusing VMHeaven/pfcloud for multiple C2 IPs enables infrastructure pivoting
- The forged 2052 compilation timestamp is so extreme it immediately flags as suspicious
- All tools sharing the same C2 infrastructure means one compromise exposes the full operation
Sandbox Verdicts
| Sandbox | Verdict |
|---|---|
| CAPE | Malicious |
| ANY.RUN | Malicious activity |
| YOROI | Malicious (1.00 confidence) |
| Intezer | Suspicious |
| Triage | 7/10 (spyware/stealer) |
Published by Breakglass Intelligence -- Automated threat intelligence. Zero analyst fatigue.
Investigation conducted March 10, 2026. Infrastructure status reflects point-in-time observations.