Same Mutex, Three Lures: Tracking an AsyncRAT Operator Targeting Young Users with Spotify and Roblox Bait
TL;DR: Three AsyncRAT 0.5.8 samples -- two disguised as Spotify, one as a Roblox cheat -- were submitted to MalwareBazaar within 5.5 hours on March 7, 2026. Identical mutexes, PBKDF2 salts, PE timestamps, imphashes, and a shared self-signed TLS certificate prove a single operator compiled all three from the same builder session. The C2 infrastructure spans three domains registered within days of each other, all behind Cloudflare on port 80, all already flagged as suspected phishing.
Why This Cluster Matters
AsyncRAT is ubiquitous, which makes individual samples unremarkable. What makes this cluster worth documenting is the targeting: the operator is luring minors. Spotify piracy and Roblox cheat tools are distribution vectors that overwhelmingly reach teenagers and children -- demographics with minimal security awareness and often no endpoint protection beyond Windows Defender.
The operator's tradecraft is low-sophistication but operationally disciplined: three C2 domains registered across different registrars and TLDs, Cloudflare CDN for IP obfuscation, port 80 for traffic blending, and WHOIS privacy on all registrations. The 8-day infrastructure setup cycle (domain registration through sample deployment) suggests a practiced workflow, not a first-time builder.
All three C2 domains were flagged by Cloudflare within hours of the samples appearing on MalwareBazaar. The operator's infrastructure is currently burned. This report documents the cluster for future pivoting when the operator inevitably rebuilds.
Attack Chain
1. LURE: Fake popular software targeting young users
   Filenames: Spotify.exe, RobloxHack.exe
   Distribution: Likely Discord, YouTube tutorials, piracy forums
2. EXECUTION: .NET assembly, 46,592 bytes
   No obfuscation | Anti-analysis: disabled | BDOS: disabled
   Internal name: Stub.exe (default AsyncRAT builder output)
3. SANDBOX EVASION: timeout.exe delay
   3-second delay before payload execution
4. PERSISTENCE: Dual mechanism
   Scheduled Task launching %AppData%\Spotify.exe
   Registry Run key (reversed string to evade static detection)
5. C2: AsyncRAT 0.5.8 over port 80
   TLS-encrypted (self-signed RSA-4096/SHA512 cert)
   Proxied through Cloudflare CDN
6. POST-COMPROMISE: Standard AsyncRAT capabilities
   Keylogging, screen capture, file exfil, plugin execution
Sample Matrix
| # | File Name | SHA256 | First Seen (UTC) | C2 Domain(s) |
|---|---|---|---|---|
| 1 | Spotify.exe | 3efd7528...d381 | 2026-03-07 18:15:35 | malotabcn.com, www.malotabcn.com, malware.malotabcn.com |
| 2 | Spotify.exe | 9c970c29...30b2 | 2026-03-07 18:06:13 | www.webcottages.co.uk, malware.webcottages.co.uk |
| 3 | RobloxHack.exe | a4019387...d31f | 2026-03-07 23:34:34 | indotech.it.com |
All three samples are 46,592 bytes with imphash f34d5f2d4577ed6d9ceec516c1f5a744. The ~9 minute gap between Sample 1 and Sample 2 submissions, followed by Sample 3 five hours later, suggests the operator was actively testing C2 connectivity.
Extracted Configuration
RAT King parser successfully decrypted the embedded configuration from all three samples. The shared fields prove a single builder session:
Shared Config (All Samples)
| Field | Value |
|---|---|
| AsyncRAT Version | 0.5.8 |
| C2 Port | 80/TCP |
| Install Path | %AppData%\Spotify.exe |
| Mutex | fhtrbleYfAeC |
| PBKDF2 Salt | bfeb1e56fbcd973bb219022430a57843003d5644d21e62b9d4f180e7e6c33941 |
| Group | Default |
| Delay | 3 seconds |
| Anti-Analysis | false |
| BDOS | false |
| PE Compile Time | 2026-03-06 09:13:00 UTC (0x69aa9a9c) |
| Internal Name | Stub.exe |
| File Size | 46,592 bytes |
| Imphash | f34d5f2d4577ed6d9ceec516c1f5a744 |
Embedded TLS Certificate
CN: AsyncRAT Server
Algorithm: SHA512withRSA / RSA-4096
Created: 2026-03-05 18:04:40 UTC
SHA256: 1b1f3aabc166086bbff364f669c1fa80cce9ea0f6f99cba049191f980536bb09
SHA1: D9:19:25:1B:29:F8:1A:61:10:6E:CF:1C:B3:33:12:CA:72:20:74:33
The self-signed certificate was created on March 5, the PE was compiled on March 6, and samples appeared on March 7. The operator's build-to-deploy cycle is approximately 48 hours.
Per-Sample Differences
Only encryption keys and C2 host lists differ between samples, which is expected -- AsyncRAT regenerates AES keys per build while reusing the builder configuration (mutex, salt, cert):
| Field | Sample 1 | Sample 2 | Sample 3 |
|---|---|---|---|
| AES Key | 0YREVY2fEe7gelluVJNIfjGJ1Ypykq5M | i1ETgT0as851XPZ6tnxINDgzpn53OKHh | (extracted via Triage sandbox) |
| Config Key | e57121fe... | 1558afa5... | (different) |
| C2 Hosts | malotabcn.com (+2 subdomains) | webcottages.co.uk (+1 subdomain) | indotech.it.com |
The .NET assembly structure is consistent across all three: 92 base64-encoded strings at identical offsets for non-config values.
C2 Infrastructure
All three domains follow the same playbook: registered before the samples were built (malotabcn.com in late February, webcottages.co.uk at the start of January), pointed at Cloudflare, Let's Encrypt certificates issued on the same day, and C2 running on port 80 to blend with HTTP traffic.
Domain 1: malotabcn.com
| Field | Value |
|---|---|
| Registrar | Onamae.com (GMO Internet, Japan) |
| Created | 2026-02-28 19:20:47 UTC |
| Privacy | Onamae.com Privacy Protection Service |
| Nameservers | ada.ns.cloudflare.com, yoxall.ns.cloudflare.com |
| TLS | Let's Encrypt E7, issued 2026-03-02 |
| DNS A | 172.67.131.136, 104.21.10.147 (Cloudflare) |
| HTTP Status | 403 -- "Suspected phishing site" |
The domain name likely encodes "Malo Barcelona" (malo = "bad" in Spanish, bcn = Barcelona IATA code). Whether this is meaningful or random is unclear.
Domain 2: webcottages.co.uk
| Field | Value |
|---|---|
| Registrar | Namecheap, Inc. |
| Created | 2026-01-01 |
| Validation | FAILED (Nominet could not verify registrant) |
| Nameservers | guy.ns.cloudflare.com, harmony.ns.cloudflare.com |
| TLS | Let's Encrypt E7, issued 2026-03-02 |
| DNS A | 172.67.216.44, 104.21.53.188 (Cloudflare) |
| HTTP Status | 403 -- "Suspected phishing site" |
The failed Nominet validation is notable. UK .co.uk domains require registrant identity verification through Nominet. The operator either provided false information or failed to respond to verification requests, which typically triggers suspension.
Domain 3: indotech.it.com
| Field | Value |
|---|---|
| Type | Subdomain of it.com (SLD registry service) |
| TLS | Let's Encrypt E7, issued 2026-03-02 |
| DNS A | 104.21.24.97, 172.67.218.40 (Cloudflare) |
| HTTP Status | 403 (Cloudflare blocked) |
Using it.com as a second-level domain provider is an interesting OpSec choice. It avoids direct WHOIS exposure entirely -- the domain owner is it.com itself, not the subdomain registrant.
Infrastructure Timeline
2026-01-01 webcottages.co.uk registered (Namecheap)
2026-02-28 malotabcn.com registered (Onamae.com)
2026-03-02 Let's Encrypt certs issued for all three domains (same day)
2026-03-05 Self-signed AsyncRAT server certificate created
2026-03-06 PE compiled (all three samples, single builder session)
2026-03-07 Samples uploaded to MalwareBazaar (18:06 - 23:34 UTC)
2026-03-07 Cloudflare flags all domains as suspected phishing
The operator registered webcottages.co.uk two months before use, suggesting either advance planning or a previously registered domain repurposed for this campaign.
Attribution: Single Operator (HIGH Confidence)
Ten independent indicators confirm all three samples originate from one operator:
| Evidence | Conclusion |
|---|---|
| Identical mutex (fhtrbleYfAeC) | Same builder config |
| Identical PBKDF2 salt | Same builder config |
| Identical self-signed TLS cert (created Mar 5) | Same AsyncRAT server instance |
| Identical PE timestamp (0x69aa9a9c) | Same compilation session |
| Identical file size (46,592 bytes) | Same builder, same options |
| Identical imphash | Same import table / same binary template |
| Identical .NET structure (92 base64 strings) | Same code generation |
| All submissions from Germany (DE) | Same upload origin |
| All submitted within 5.5 hours | Same operational window |
| Anti-analysis + BDOS disabled | Same risk tolerance |
Operator Profile
- Skill: Low-to-moderate. Default AsyncRAT 0.5.8 builder, no packer, no obfuscation, anti-analysis disabled, default group name ("Default"), unchanged internal name ("Stub.exe").
- OpSec: Moderate for the skill level. WHOIS privacy across registrars, Cloudflare proxying, multiple C2 domains for redundancy, port 80 for traffic blending, it.com subdomain to avoid WHOIS exposure.
- Targets: Young users. Spotify piracy and Roblox cheats are vectors that primarily reach minors.
- Distribution: Not directly observed. Probable vectors: Discord servers, YouTube "free Spotify premium" tutorials, Roblox exploit forums.
- Geography: Mixed signals. Japanese registrar (Onamae.com), UK domain (Namecheap), possible Spanish reference in domain name, submissions from Germany. The use of multiple international registrars may be deliberate diversification rather than geographic indication.
Detection Opportunities
Network Signatures
AsyncRAT on port 80 through Cloudflare creates a distinctive pattern: persistent TCP connections to Cloudflare IP ranges with TLS-encrypted payloads that do not conform to HTTP request/response semantics. EDR products that perform TLS inspection will see the self-signed CN=AsyncRAT Server certificate before the Cloudflare tunnel wraps the outer connection.
# Snort/Suricata rule concept. Matches a TLS record header (content type 0x16 = handshake,
# major version 0x03) at the start of client data on port 80, where plaintext HTTP is expected.
# Rule engines do not accept inline comments inside the rule body, so the explanation lives here.
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 ( \
    msg:"ASYNCRAT C2 - Known Mutex Campaign"; \
    flow:established,to_server; \
    content:"|16 03|"; depth:2; \
    reference:md5,550bf59eaf9f3dac8a873278d3c273f6; \
    sid:2026030701; rev:1; \
)
Host Indicators
# File on disk
%AppData%\Spotify.exe (46,592 bytes, unsigned)
# Mutex
fhtrbleYfAeC
# Scheduled Task
schtasks /create ... %AppData%\Spotify.exe
# Registry persistence (reversed string)
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
YARA Pivot Points
imphash: f34d5f2d4577ed6d9ceec516c1f5a744
PE compile timestamp: 0x69aa9a9c
.NET internal name: Stub.exe
File size: 46,592 bytes
Any combination of imphash + compile timestamp + file size should surface additional samples from this operator's builder if they reuse the same AsyncRAT version.
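A YARA rule that combines these pivot points, as an added example that is not part of the original report. It assumes, as in the public AsyncRAT source, that the stub stores the PBKDF2 salt as a raw byte array and keeps "Stub.exe" as its module name.

```yara
import "pe"

rule AsyncRAT_058_Spotify_Roblox_Builder_Session
{
    meta:
        description = "AsyncRAT 0.5.8 stubs from the builder session behind the Spotify/Roblox lures (PE timestamp 0x69aa9a9c)"
        author      = "added example, not from the original report"
        date        = "2026-03-08"
        hash1       = "3efd75280f8f0c640d174d0fb55df5f3d17a10c4248bbb705281bd74bdf2d381"
        hash2       = "9c970c29df4fb1398940809e6e7a9bc5088eaca54eed4cdd878c06fd0ed030b2"
        hash3       = "a40193b7b352fe3a14cfe1ca65c9b5250c663f0240cbcda9be70b7898e57f31f"

    strings:
        // PBKDF2 salt from the extracted config, stored in the stub as a raw byte array.
        // It is the hard-coded default of the public AsyncRAT source, so on its own it
        // identifies the family, not this operator.
        $salt = { BF EB 1E 56 FB CD 97 3B B2 19 02 24 30 A5 78 43
                  00 3D 56 44 D2 1E 62 B9 D4 F1 80 E7 E6 C3 39 41 }
        // Builder default module name that this operator did not change.
        $stub = "Stub.exe" ascii wide

    condition:
        // PE sanity checks: "MZ" header and "PE\0\0" signature at e_lfanew.
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550
        and $salt
        // Same compilation session: the timestamp all three samples share.
        and pe.timestamp == 0x69aa9a9c
        and (
            // Tight pivot: identical builder options give an identical size.
            filesize == 46592
            // Loose pivot: a rebuild with a different C2 list shifts the size slightly.
            or ($stub and filesize < 100KB)
        )
        // The imphash (f34d5f2d4577ed6d9ceec516c1f5a744) is deliberately not used: it is
        // the import hash of every .NET executable that imports only mscoree!_CorExeMain,
        // so it narrows nothing beyond "is a .NET PE".
}
```

Run it over a sample repository with the pe module enabled; the tight branch reproduces the cluster, the loose branch is for rebuilds from the same stub and will need review of its hits.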
Vendor Detection (as of 2026-03-07)
| Vendor | Detection |
|---|---|
| ClamAV | Win.Packed.AsyncRAT-9856570-1 |
| ReversingLabs | ByteCode-MSIL.Backdoor.AsyncRAT (80.56%) |
| Triage | AsyncRAT (behavioral) |
| CAPE | AsyncRAT (behavioral) |
| VMRay | Malicious |
| Kaspersky | AsyncRAT |
| Cloudflare | "Suspected phishing site" (all C2 domains) |
The 80% detection rate is typical for unobfuscated AsyncRAT. The 20% miss rate is concerning given the target demographic -- these users are unlikely to be running anything beyond default Windows Defender, which was not tested against these specific samples.
MITRE ATT&CK
| Tactic | ID | Technique | Campaign Detail |
|---|---|---|---|
| Initial Access | T1204.002 | User Execution: Malicious File | Fake Spotify/Roblox executables |
| Execution | T1059 | Command and Scripting Interpreter | .NET assembly execution |
| Persistence | T1053.005 | Scheduled Task/Job | Task creation for %AppData%\Spotify.exe |
| Persistence | T1547.001 | Boot or Logon Autostart: Registry Run Keys | Reversed string value to evade static scans |
| Defense Evasion | T1036.005 | Masquerading: Match Legitimate Name | Spotify.exe filename |
| Defense Evasion | T1497 | Virtualization/Sandbox Evasion | timeout.exe delay (3s) |
| Defense Evasion | T1140 | Deobfuscate/Decode Files | AES config decryption with PBKDF2 derivation |
| Discovery | T1082 | System Information Discovery | OS version, system language |
| Discovery | T1518.001 | Security Software Discovery | AV product enumeration |
| Discovery | T1010 | Application Window Discovery | Active window title capture |
| C2 | T1071.001 | Application Layer Protocol: Web | Port 80 traffic blending |
| C2 | T1090.002 | Proxy: External Proxy | Cloudflare CDN as C2 proxy |
| C2 | T1573.001 | Encrypted Channel: Symmetric Cryptography | TLS-encrypted C2 |
IOCs
File Hashes
SHA256
3efd75280f8f0c640d174d0fb55df5f3d17a10c4248bbb705281bd74bdf2d381
9c970c29df4fb1398940809e6e7a9bc5088eaca54eed4cdd878c06fd0ed030b2
a40193b7b352fe3a14cfe1ca65c9b5250c663f0240cbcda9be70b7898e57f31f
MD5
550bf59eaf9f3dac8a873278d3c273f6
8accd8a3915e3bbda7689143aacc8f54
SHA1
0f5a6a04f00ec390d62907b82375fa469c68882a
e6c26ce0aef9a6953806a966f3e8e7d3736cdb0e
Domains
malotabcn[.]com
www.malotabcn[.]com
malware.malotabcn[.]com
webcottages[.]co[.]uk
www.webcottages[.]co[.]uk
malware.webcottages[.]co[.]uk
indotech[.]it[.]com
Network
Port: 80/TCP
Imphash: f34d5f2d4577ed6d9ceec516c1f5a744
Mutex: fhtrbleYfAeC
TLS Certificate
CN: AsyncRAT Server
SHA256: 1b1f3aabc166086bbff364f669c1fa80cce9ea0f6f99cba049191f980536bb09
SHA1: D9:19:25:1B:29:F8:1A:61:10:6E:CF:1C:B3:33:12:CA:72:20:74:33
Not Before: 2026-03-05 18:04:40 UTC
Algorithm: SHA512withRSA / RSA-4096
PBKDF2 Salt
bfeb1e56fbcd973bb219022430a57843003d5644d21e62b9d4f180e7e6c33941
Investigation by breakglass.intelligence | 2026-03-08