
48 Hours Old, Already Serving Payloads: Inside RodexRMM, a GoLang RAT-as-a-Service Abusing Bubble.io for Delivery

A previously undocumented RaaS platform with remote desktop, screen blanking, and a delivery chain abusing a legitimate no-code platform

Published April 3, 2026
Tags: rodexrmm, golang, raas, italy, bubble-io, remote-desktop

On April 1, 2026, someone registered preziosamagazines[.]cc. Two days later, researcher @ShadowOpCode flagged it as a C2 for a GoLang RAT targeting Italian users. By the time we investigated, the infrastructure was fully operational: a Next.js management panel, a MongoDB backend, a GoLang implant with remote desktop capability, and a delivery chain that abuses Bubble.io -- a legitimate no-code platform -- to host the initial phishing page.

RodexRMM is not in any vendor threat feed. No Securonix report. No Recorded Future entry. No Picus analysis. This is the first documented analysis of this RAT-as-a-Service platform.

The Delivery Chain

The attack targets Italian users via email:

Phishing email (Italian language)
  → URL to impersonated_mail[.]bubbleapps[.]io (legitimate Bubble.io platform)
    → HTA file download
      → Triple-fallback downloader (WinHTTP → PowerShell → curl)
        → GoLang PE64 agent installed as "RodexAgent" Windows service

The Bubble.io abuse is notable. Bubble is a legitimate no-code application platform used by thousands of businesses. Hosting the phishing lure page on bubbleapps.io means the URL passes domain reputation checks, doesn't trigger web gateway blocks, and benefits from Bubble's legitimate TLS certificate. The attacker didn't need to set up their own infrastructure for the delivery stage -- they built a page on a SaaS platform and pointed victims to it.

The HTA dropper implements triple-fallback downloading: it tries WinHTTP COM first, falls back to PowerShell Invoke-WebRequest, and finally tries curl.exe -- ensuring the payload downloads regardless of which HTTP client is available on the victim's system.

The Agent

RodexRMM's GoLang agent installs as a Windows service named "RodexAgent" with automatic recovery options. Capabilities include:

  • Remote desktop via WebSocket relay (wss://relay.client[.]io) with adaptive frame rate
  • Screen blanking -- blacks out the victim's monitor during remote access
  • Clipboard synchronization between operator and victim
  • Remote PowerShell execution
  • Process management -- list, kill, and launch processes
  • Self-update mechanism for deploying new agent versions
  • Heartbeat telemetry for bot health monitoring

The WebSocket relay for remote desktop is a design choice that avoids direct connections between operator and victim, routing all RDP-like traffic through a relay service. This provides NAT traversal and makes the traffic harder to attribute.

RaaS Model

The C2 panel at preziosamagazines[.]cc exposes /register and /pricing endpoints, confirming this is a multi-tenant platform. Operators can sign up, configure their campaigns, and manage their bots through the Next.js dashboard. The MongoDB backend stores campaign configurations, bot registrations, and exfiltrated data.

A campaign ID extracted from the infrastructure (69cce9bcd01476be56868ba0) is a MongoDB ObjectID with a creation timestamp of April 1, 2026 -- confirming this specific campaign was created the same day the domain was registered.

The version string "1.5.1" indicates this is not a first release. Despite the fresh domain, the platform has been through multiple development iterations. The operators likely rotate domains frequently while maintaining the same backend codebase.

Infrastructure

Component     Detail
C2 domain     preziosamagazines[.]cc (registered Apr 1, 2026 via NameSilo)
C2 IP         45[.]61[.]151[.]3 (FranTech/BuyVM)
Panel stack   Next.js + MongoDB + nginx
Agent         GoLang PE64, installs as Windows service
Delivery      impersonated_mail[.]bubbleapps[.]io (Bubble.io abuse)
Relay         wss://relay.client[.]io (WebSocket RDP relay)

Detection

Three YARA rules covering the HTA dropper, GoLang agent binary, and configuration artifacts, plus eight Suricata signatures for network detection are available on our GitHub:

Hunt Queries

  • Windows service named "RodexAgent"
  • Files: Rodex_helper.log, rodex_cmd_*.ps1
  • Outbound WebSocket connections to relay.client[.]io
  • HTA files downloaded from bubbleapps.io subdomains
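To make the four hunt queries above repeatable, here is an added Python example (not code from the original report or from any RodexRMM tooling) that applies them to normalised endpoint events. The event field names (type, service_name, path, zone_host_url, dest_host) are assumptions about a log schema, and the sample events are constructed, not captured telemetry.

```python
import fnmatch
import re

# Constructed sample events (not real telemetry), shaped like normalised
# service-install, file-create and network records. Field names are assumed.
SAMPLE_EVENTS = [
    {"type": "service_install", "host": "ws01", "service_name": "RodexAgent",
     "image": "C:\\ProgramData\\agent.exe"},
    {"type": "file_create", "host": "ws01",
     "path": "C:\\Users\\u\\AppData\\Local\\Temp\\rodex_cmd_42.ps1"},
    {"type": "file_create", "host": "ws01", "path": "C:\\ProgramData\\Rodex_helper.log"},
    {"type": "network", "host": "ws01", "dest_host": "relay.client.io",
     "dest_port": 443, "protocol": "websocket"},
    # zone_host_url is assumed to come from the Mark-of-the-Web stream on the file
    {"type": "file_create", "host": "ws02", "path": "C:\\Users\\u\\Downloads\\fattura.hta",
     "zone_host_url": "https://impersonated_mail.bubbleapps.io/version-live/mail"},
    {"type": "service_install", "host": "ws03", "service_name": "Spooler",
     "image": "C:\\Windows\\System32\\spoolsv.exe"},
    {"type": "network", "host": "ws03", "dest_host": "api.github.com",
     "dest_port": 443, "protocol": "https"},
]

SERVICE_NAMES = {"rodexagent"}                       # compared case-insensitively
FILE_PATTERNS = ["rodex_helper.log", "rodex_cmd_*.ps1"]
RELAY_HOSTS = {"relay.client.io"}
# Only true bubbleapps.io subdomains: the "/" right after ".io" rejects look-alikes
BUBBLE_RE = re.compile(r"^https?://[^/]+\.bubbleapps\.io/", re.I)

def match_event(ev):
    """Return the hunt-query names this event matches (empty list if none)."""
    hits = []
    t = ev.get("type")
    if t == "service_install" and ev.get("service_name", "").lower() in SERVICE_NAMES:
        hits.append("rodexagent_service")
    if t == "file_create":
        name = ev.get("path", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
        if any(fnmatch.fnmatch(name, p) for p in FILE_PATTERNS):
            hits.append("rodex_artifact_file")
        if name.endswith(".hta") and BUBBLE_RE.match(ev.get("zone_host_url", "")):
            hits.append("hta_from_bubbleapps")
    if t == "network" and ev.get("dest_host", "").lower() in RELAY_HOSTS:
        hits.append("relay_websocket")
    return hits

def hunt(events):
    """Group matches by host so an analyst sees which machines need triage."""
    findings = {}
    for ev in events:
        for h in match_event(ev):
            findings.setdefault(ev["host"], []).append(h)
    return findings
```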

h/t @ShadowOpCode for the initial tip.
