Severity: Medium | Category: Phishing

SEAL RAT: A Czech-Language Job Phishing Dropper With a Proof-of-Work Twist and a Microsoft-Signed Certificate

Investigated: March 16, 2026 | Published: March 16, 2026
Tags: phishing, xworm, lumma, quasarrat, social-engineering, c2, apt, spearphishing

Czech-speaking job seekers are being targeted with a polished, two-stage malware campaign disguised as a confidential recruitment offer. The dropper -- NDAvia_Nabidka_Linzer.exe -- impersonates Robert Walters s.r.o., a legitimate global recruitment agency with Czech operations, and dangles a fake expansion role at EDEKA Cesko (the German retail giant's Czech subsidiary). The social engineering is unusually sharp: real company names, plausible GDPR-compliant NDA language, and a valid Microsoft Trusted Signing certificate that expired three days after issuance. Behind the convincing facade, a background thread decrypts and executes an embedded HTTP RAT that phones home to sealchecks.com -- a domain registered exactly eight days before the first sample surfaced.

The C2 was confirmed active on 14 March 2026. Attribution confidence is low. The malware family appears novel and previously unreported.


The Lure: NDA-as-a-Weapon

The executable presents a two-step Czech-language GUI rendered via an embedded Internet Explorer WebBrowser OLE control. The victim sees what looks like a legitimate recruitment workflow.

Step 1 -- NDA Agreement (Krok 1 ze 2, "Step 1 of 2"):

  • Branded as Robert Walters s.r.o.
  • Czech GDPR-compliant NDA text (convincing legalese)
  • Three data-processing consent checkboxes
  • Full name input field -- harvested directly by the malware

Step 2 -- Confidential Job Offer (Krok 2 ze 2 -- Duverna, "Step 2 of 2 -- Confidential"):

  • Position at EDEKA Cesko tied to their "National Expansion 2026-2027" (60 stores across the Czech Republic)
  • Full-time HPP (hlavní pracovní poměr, the standard Czech employment contract) or contractor options
  • Annual and quarterly bonuses, up to 25 vacation days, hybrid work in Praha and Brno

The Czech language quality is high. Either a native speaker wrote the lure content or someone did a careful manual review of machine translation. The EDEKA Czech expansion angle tracks with real 2026 business news, which means the actor is monitoring the regional job market for credible bait.

While the victim reads and signs, the malware is already running Stage 2 in a background thread.


Technical Analysis

Stage 1: The Dropper

Sample: NDAvia_Nabidka_Linzer.exe

  • PE32+ GUI executable, x86-64, 134,104 bytes
  • Compiled: 12 March 2026 09:00:58 UTC (two days before first submission)
  • Six sections; only 5,120 bytes of .text -- the bulk is encrypted payloads

The dropper's .data section (60,416 bytes, entropy 7.91) contains the entire HTML UI, encrypted with a rolling-XOR scheme:

def rol32(x, n):
    n &= 31                               # x86 ROL uses only the low 5 bits of the count
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def decrypt_stage1_html(data, key=0xf616f482, counter=0xea2c):
    out = bytearray()                     # data: the 59,948-byte (0xea2c) encrypted region of .data
    for b in data:
        out.append(b ^ (key & 0xFF))      # keystream byte is the low byte of the key
        key = rol32(key, counter & 0xFF)  # rotate by the low byte of the counter
        counter -= 1
    return bytes(out)

Decryption yields 59,539 bytes of self-contained HTML. The dropper then:

  1. Parses command-line args -- a /s flag triggers silent/headless mode (Sleep(0xFFFFFFFF), i.e. Sleep(INFINITE)), suggesting the RAT can be deployed as a background service without the lure GUI
  2. Writes a DWORD named after its own executable under HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION with value 0x2AF9 (11001, IE11 edge mode); without it the embedded WebBrowser control renders in IE7 compatibility mode and the lure's CSS breaks
  3. Initializes OLE, creates a window titled Duverna pracovni nabidka | Robert Walters s.r.o. ("Confidential job offer")
  4. Exposes COM callbacks (OnButtonClick, OnNextPage, OnClose) to the HTML via window.external
  5. Runs a GetAsyncKeyState keylogger inside the window message loop

The import table is deliberately minimal -- focused on resource loading, memory allocation, registry manipulation, and COM/OLE for the GUI. No networking imports in Stage 1; all C2 communication lives in Stage 2.
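A hunting query for the registry step above, as an added example for this report (not code from the original analysis or the sample): it scores Sysmon Event ID 13 (RegistryEvent, value set) records for FEATURE_BROWSER_EMULATION writes. Values under that key are named after the executable they apply to, so a process writing a value that matches its own file name, from Downloads or Temp, is the pattern the dropper produces. The records, user paths and the "ExampleVendor" application are constructed; the key path, the DWORD 0x2AF9 and the dropper filename come from the analysis. Legitimate WebBrowser-control applications set the same key, so this is an enrichment signal to combine with signer and download-path context, not a standalone detection.

```python
"""Hunt for the dropper's IE11 emulation registry write in Sysmon Event ID 13
(RegistryEvent: value set) records. Added example for this report; the records
below are constructed to mirror the described behaviour, not taken from a host."""
import ntpath
import re

# Constructed Sysmon 13 records, reduced to the fields the logic needs: one
# dropper-style self-registration from Downloads, one from an installed
# WebBrowser-control app (the usual benign source of this key), one unrelated write.
EVENTS = [
    {"UtcTime": "2026-03-14 13:20:01", "Image": r"C:\Users\jana\Downloads\NDAvia_Nabidka_Linzer.exe",
     "TargetObject": r"HKU\S-1-5-21-111-222-333-1001\Software\Microsoft\Internet Explorer\Main"
                     r"\FeatureControl\FEATURE_BROWSER_EMULATION\NDAvia_Nabidka_Linzer.exe",
     "Details": "DWORD (0x00002af9)"},
    {"UtcTime": "2026-03-14 09:02:17", "Image": r"C:\Program Files\ExampleVendor\ReportViewer.exe",
     "TargetObject": r"HKU\S-1-5-21-111-222-333-1001\Software\Microsoft\Internet Explorer\Main"
                     r"\FeatureControl\FEATURE_BROWSER_EMULATION\ReportViewer.exe",
     "Details": "DWORD (0x00002af9)"},
    {"UtcTime": "2026-03-14 09:05:40", "Image": r"C:\Program Files\ExampleVendor\ReportViewer.exe",
     "TargetObject": r"HKU\S-1-5-21-111-222-333-1001\Software\ExampleVendor\ReportViewer\LastOpened",
     "Details": r"C:\Users\jana\Documents\q1.rdl"},
]

# Values under FEATURE_BROWSER_EMULATION are named after the executable they apply
# to, so the trailing path component is the process the setting targets.
FEATURE_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\"
    r"FEATURE_BROWSER_EMULATION\\(?P<value>[^\\]+)$", re.IGNORECASE)
DWORD_RE = re.compile(r"DWORD \((0x[0-9a-f]{8})\)", re.IGNORECASE)
IE11_MODES = {0x2AF9, 0x2AF8}   # 11001 / 11000: IE11 document modes; the dropper sets 0x2AF9
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")


def classify(event):
    """Score one record; None when it is not a FEATURE_BROWSER_EMULATION write."""
    m = FEATURE_KEY_RE.search(event["TargetObject"])
    if not m:
        return None
    d = DWORD_RE.fullmatch(event["Details"])
    mode = int(d.group(1), 16) if d else None
    image, value_name = event["Image"], m.group("value")
    score, reasons = 0, []
    if mode in IE11_MODES:
        score += 1
        reasons.append(f"requests IE11 document mode {mode:#x}")
    if value_name.lower() == ntpath.basename(image).lower():
        score += 1
        reasons.append("process registers its own executable name")
    if any(p in image.lower() for p in USER_WRITABLE):
        score += 2
        reasons.append("writer runs from a user-writable path")
    return {"time": event["UtcTime"], "image": image, "value": value_name,
            "mode": mode, "score": score, "reasons": reasons}


def hunt(events, min_score=3):
    """Return the records worth a look. An installed WebBrowser-control app scores 2
    here; a freshly downloaded executable registering itself scores 4."""
    return [a for a in map(classify, events) if a and a["score"] >= min_score]


if __name__ == "__main__":
    for alert in hunt(EVENTS):
        print(alert["time"], alert["image"], "->", "; ".join(alert["reasons"]))
```

The path heuristic is the weak part: a dropper copied into Program Files by an installer would score 2 and drop below the threshold, so in practice feed the signer (issuer "Microsoft ID Verified CS AOC CA 01", 72-hour validity) and the download origin into the score as well.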

Stage 2: Proof-of-Work Anti-Analysis

This is where it gets interesting. The Stage 2 loader runs in a separate thread (start routine at RVA 0x21a0) and implements a computational proof-of-work gate before decrypting the embedded RAT. One of the decryption keys is derived from the answer, so the payload cannot be unpacked without doing the work.

Resource extraction:

FindResourceA(NULL, MAKEINTRESOURCE(101), RT_RCDATA)
→ 41,472-byte encrypted blob from .rsrc section
→ VirtualAlloc(RW) + memcpy

The PoW search: The malware iterates a 32-bit counter from zero, computing a Murmur3-style hash of both the counter and its bitwise complement, and calls Sleep(1) every 32,768 iterations. The hashing between two sleeps takes well under a millisecond, so the thread's CPU footprint stays low:

MASK32 = 0xFFFFFFFF

def hash_fn(x):
    x &= MASK32
    x ^= x >> 17
    x = (x * 0xe2d97d43) & MASK32   # mask after each multiply: the sample works in 32-bit registers
    x ^= x >> 13
    x = (x * 0xb86bb9bd) & MASK32
    x ^= x >> 18
    return x

# Halt when (the complement must be masked to 32 bits in Python):
hash_fn(ebx) == 0xa3670424  and  hash_fn(~ebx & MASK32) == 0xf153cb35

Solved key: ebx = 0x76632cd (124,138,189 iterations). The hash loop itself is cheap; the delay comes mostly from the roughly 3,800 Sleep(1) calls, whose real duration follows the host's timer resolution (1 ms to 15.6 ms), which is why the gate takes on the order of 5-30 seconds depending on the machine -- long enough to outlast most sandbox execution windows, short enough that a real victim will not notice while reading the fake NDA.

The periodic Sleep(1) calls serve double duty: they avoid the sustained CPU spike that behavioral engines flag, and they extend wall-clock time past sandbox timeouts. A sandbox that hooks Sleep to fast-forward the clock collapses the delay to the sub-second hashing time but cannot skip the work itself, because the second decryption key is derived from the answer; the payload stays encrypted until the search completes.

Payload decryption uses a custom streaming cipher with two 32-bit keys, one hardcoded and one derived from the PoW answer:

def decrypt_stage2(resource, key1=0xb742ffbe, key2=0xb538711b):
    # key1 (r10d) is hardcoded; key2 (r11d) = hash_finalize(inner_loop_hash(ebx)),
    # derived from the PoW answer
    out = bytearray()
    for i, byte in enumerate(resource):
        shift = (i & 3) * 8                   # key byte selected by position mod 4
        k1 = (key1 >> shift) & 0xFF
        key1 = (key1 + byte) & 0xFFFFFFFF     # key1 accumulates the ciphertext
        k2 = (key2 >> shift) & 0xFF
        out.append(k1 ^ k2 ^ byte)
    return bytes(out)

After decryption: VirtualProtect(PAGE_EXECUTE_READ) on the same buffer, read the entry RVA from offset 0x1c, and jump. Offset 0x1c sits in the DOS header's reserved e_res field, not at the PE optional header's AddressOfEntryPoint, so the loader uses a private entry pointer and runs the payload straight from the decrypted buffer rather than mapping it with the Windows loader.
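To recover the RAT without letting the sample run, the gate and the cipher above can be re-implemented offline. The following is an added example written for this report, not code from the sample or the original analysis: it re-implements hash_fn, the PoW search and the stream cipher from the constants above, and exercises them on a constructed stand-in resource (a minimal MZ/PE shell, not the real 41,472-byte blob). The derivation of key2 from the PoW answer is not reproduced; the recovered value 0xb538711b is used directly, and stream_encrypt exists only to build the test data.

```python
"""Offline re-implementation of the Stage 2 gate (proof-of-work search and the
position-keyed stream cipher) so the payload can be recovered without running the
sample. Added example for this report, not code from the sample or the analysis."""
import struct

MASK32 = 0xFFFFFFFF

# Constants recovered from the sample (see the analysis above).
POW_TARGET, POW_TARGET_INV = 0xa3670424, 0xf153cb35
REPORTED_ANSWER = 0x76632cd
KEY1_HARDCODED = 0xb742ffbe
KEY2_DERIVED = 0xb538711b  # hash_finalize(inner_loop_hash(answer)); derivation not reproduced


def hash_fn(x):
    """Murmur3-style 32-bit finaliser. Masking after each multiply matters: Python
    ints do not truncate like the sample's imul, so the next xor-shift would
    otherwise mix in bits that never existed in the register."""
    x &= MASK32
    x ^= x >> 17
    x = (x * 0xe2d97d43) & MASK32
    x ^= x >> 13
    x = (x * 0xb86bb9bd) & MASK32
    x ^= x >> 18
    return x


def pow_satisfied(ebx, target=POW_TARGET, target_inv=POW_TARGET_INV):
    """The halt condition the loader evaluates for every counter value."""
    return hash_fn(ebx) == target and hash_fn(~ebx & MASK32) == target_inv


def solve_pow(target, target_inv, start=0, limit=1 << 32):
    """Brute-force the counter as the loader does. Every step of hash_fn (xor-shift,
    multiply by an odd constant) is a bijection on 32-bit values, so exactly one
    counter maps to `target`; the complement check only confirms it."""
    for ebx in range(start, limit):
        if pow_satisfied(ebx, target, target_inv):
            return ebx
    return None


def stream_decrypt(ciphertext, key1=KEY1_HARDCODED, key2=KEY2_DERIVED):
    """key1 is a running sum of the ciphertext seen so far; key2 is static. Each
    byte is XORed with one byte of each key, selected by position mod 4."""
    out = bytearray()
    for i, c in enumerate(ciphertext):
        shift = (i & 3) * 8
        k1 = (key1 >> shift) & 0xFF
        key1 = (key1 + c) & MASK32
        k2 = (key2 >> shift) & 0xFF
        out.append(k1 ^ k2 ^ c)
    return bytes(out)


def stream_encrypt(plaintext, key1=KEY1_HARDCODED, key2=KEY2_DERIVED):
    """Inverse, used only to build test data: the running sum absorbs the
    ciphertext byte just produced, because that is what the decryptor sees."""
    out = bytearray()
    for i, p in enumerate(plaintext):
        shift = (i & 3) * 8
        c = ((key1 >> shift) & 0xFF) ^ ((key2 >> shift) & 0xFF) ^ p
        key1 = (key1 + c) & MASK32
        out.append(c)
    return bytes(out)


def looks_like_pe(blob):
    """Sanity check the loader never performs: MZ magic and 'PE\\0\\0' at e_lfanew.
    The loader instead trusts a private entry RVA at offset 0x1c, which falls
    inside the DOS header's reserved e_res field, not the PE optional header."""
    if len(blob) < 0x44 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3c)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def private_entry_rva(blob):
    return struct.unpack_from("<I", blob, 0x1c)[0]


def build_fake_resource(entry_rva=0x1234):
    """Constructed stand-in for RT_RCDATA 101: a minimal MZ/PE shell with an entry
    RVA planted at 0x1c, encrypted with the sample's keys. Not the real blob."""
    image = bytearray(0x80)
    image[:2] = b"MZ"
    struct.pack_into("<I", image, 0x1c, entry_rva)
    struct.pack_into("<I", image, 0x3c, 0x40)  # e_lfanew
    image[0x40:0x44] = b"PE\0\0"
    return stream_encrypt(bytes(image))


if __name__ == "__main__":
    # With the answer already known, skip the 124M-iteration search: confirm the
    # gate, then decrypt the resource bytes and check what came out.
    print("reported answer passes gate:", pow_satisfied(REPORTED_ANSWER))
    payload = stream_decrypt(build_fake_resource())
    print("PE header ok:", looks_like_pe(payload),
          "entry RVA at 0x1c:", hex(private_entry_rva(payload)))
```

Against the real sample, pass the raw bytes of RT_RCDATA 101 to stream_decrypt. Pure-Python solve_pow over the full 124-million-value range takes minutes; for an unknown answer on a new variant, port the loop to C or vectorise it, or recover the answer from a debugger breakpoint on the VirtualProtect call instead.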

Stage 2: The SEAL RAT

The decrypted payload is a standalone PE (SHA256: 8c4a3a1de374dd996bc76f9f70f638690a428645e5e8181849f253268c4ca822) with a spoofed compile timestamp of July 2007.

C2 endpoint: http://sealchecks.com/index.php

Communication uses HTTP via WinINet with a custom binary protocol (Content-Type: application/binary-). The server returns <!--error-->ERROR # 1 to unrecognized requests.

Capabilities:

Function | Description
CollectSystemInfo | Hostname, username, language, CPU architecture, timezone, PID, MachineGUID, domain membership
_GetAvInfo | Registry enumeration of 17 security products (Kaspersky, ESET, CrowdStrike, SentinelOne, Carbon Black, Cylance, Sophos, Bitdefender, McAfee, TrendMicro, Norton, F-Secure, Dr.Web, Panda, Avast/AVG, Windows Defender, Windows ATP)
HandleCmd_CmdLine | Remote shell via CreateProcessW + CreatePipe with output capture
HandleCmd_Exe | Download and execute arbitrary files
Install_TS | Self-installation with copy-and-rename persistence
SrvCom_ConnectAlive | Heartbeat/keepalive loop
SrvCom_Send | Typed data exfiltration

The AV fingerprinting is thorough. Checking the Microsoft Defender for Endpoint (formerly Windows Defender ATP) onboarding state (HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status\OnboardingState) tells the operator whether the target is running enterprise EDR -- useful for deciding whether to deploy noisy follow-on tools or stay quiet.


The Certificate Problem

The dropper carries a valid Microsoft Trusted Signing certificate -- the AOC (Authenticode One-time Certificate) tier that issues 3-day certificates after identity verification via government ID.

Field | Value
Subject | CN=Robert Walters, O=Robert Walters, L=Placentia, ST=California, C=US
Issuer | Microsoft ID Verified CS AOC CA 01
Valid | 11 Mar 2026 11:10:47 -- 14 Mar 2026 11:10:47 UTC
Serial | 33:00:08:4b:4d:b3:fb:ee:f8:cd:c8:01:60:00:00:00:08:4b:4d
Key Size | 3072-bit RSA
HSM | nShield TSS ESN:7800-05E0-D9471503 (Entrust)

The certificate subject -- "Robert Walters, Placentia, California" -- matches the recruitment company being impersonated in the lure. The actor either registered the cert under the target brand name deliberately (to pass casual inspection) or used a stolen or synthetic identity. The nShield HSM identifier is not evidence about the actor: Trusted Signing generates and holds signing keys in Microsoft's managed HSMs, so it reflects the service's infrastructure, not persistent signing infrastructure on the attacker's side.

The 3-day certificate window is tactically sound: the cert expires before most threat intel pipelines can push a revocation. Expiry does not, however, unsign the binary. Trusted Signing signatures carry an RFC 3161 timestamp, so Windows keeps treating the signature as valid after the certificate lapses, and only a revocation dated before the signing time invalidates it. Defenders therefore have to key on the certificate's attributes (issuer, subject, 72-hour lifetime, issue date relative to the sample) rather than wait for the cert to expire. This abuse pattern has been documented across multiple 2025-2026 campaigns (Lumma Stealer, XWorm, QuasarRAT), and Microsoft has yet to meaningfully address the issuance pipeline.


Infrastructure and Attribution

C2 Server Profile

Attribute | Value
Domain | sealchecks.com
IP | 103.163.187.12
ASN | AS142594 (SpeedyPage Ltd)
Location | London, UK
PTR | 12.187.163.103.speedyvps.uk
OS | Debian Linux
Web Server | nginx
SSH | OpenSSH 10.0p2 Debian-7
SSH Fingerprint | a6:0b:15:ad:d5:61:a6:80:97:e9:5b:2c:9e:0d:8e:a4 (ecdsa-sha2-nistp256)
Ports | 22/tcp, 80/tcp

Domain Registration

Registered 06 March 2026 via Cloudflare. Privacy-protected behind a Wyoming LLC. Let's Encrypt TLS issued same day. Nameservers: emerie.ns.cloudflare.com, tom.ns.cloudflare.com.

Timeline

Date (UTC) | Event
06 Mar 2026 | sealchecks.com registered; TLS certificates issued
11 Mar 2026 | Code signing certificate issued to "Robert Walters"
12 Mar 2026 | Dropper PE compiled
13 Mar 2026 | C2 DNS record updated
14 Mar 2026 11:10 | Signing cert expired
14 Mar 2026 13:16 | First sample submission (via SquiblydooBlog)
14 Mar 2026 16:23 | C2 confirmed active

All infrastructure -- domain, TLS, code signing cert, compiled binary -- was stood up in a 6-day window. This is a single-operation setup, not reused infrastructure.

The "SEAL" Branding

The name appears across multiple artifacts: the PE version info (Seal Document Agent Service), the C2 domain (sealchecks.com), and internal logging prefixes. This looks like the actor's own project name for the malware family.

Related Activity

  • TrustConnect/DocConnect (Feb 2026): Also abused Microsoft Trusted Signing with recruitment-themed lures and document-signing pretexts. Deployed RMM tools rather than a custom RAT. Possible overlap or copycat.
  • UNK_GreenSec NDA lures (Aug 2025): Russia-attributed; fake NDA documents delivering the MixShell backdoor. Different payload family, but the NDA-as-dropper technique is shared.
  • Multiple actors abusing Microsoft Trusted Signing 3-day certs (2025-2026): Well-documented pipeline. SEAL RAT follows the same OPSEC template.

Attribution confidence: LOW. Novel malware family with no prior reporting. TTP overlaps exist with multiple unrelated actors. The Czech-language targeting and EDEKA lure suggest regional awareness but not necessarily a Czech-based actor.


Kill Chain

DELIVERY
  Job board / LinkedIn / spear-phishing email
  └─> Victim downloads NDAvia_Nabidka_Linzer.exe
      └─> Microsoft Trusted Signing cert builds trust

STAGE 1 (DROPPER)
  ├─ Rolling-XOR decrypt HTML UI from .data section
  ├─ Spawn Stage 2 loader thread (background)
  ├─ Set IE11 emulation registry key
  ├─ Render Czech NDA form (Robert Walters s.r.o.)
  ├─ Collect victim name from form input
  └─ GetAsyncKeyState keylogger active

STAGE 2 LOADER (background thread)
  ├─ Extract 41,472-byte resource blob (RT_RCDATA 101)
  ├─ Proof-of-work: iterate 124M+ hashes (~5-30 sec)
  ├─ Stream-cipher decrypt → embedded PE
  └─ VirtualProtect(RX) → call entry point

STAGE 2 (SEAL RAT)
  ├─ System recon: hostname, user, OS, AV, MachineGUID, ATP status
  ├─ HTTP POST → http://sealchecks.com/index.php
  ├─ Command dispatch: shell exec, file download+exec, exfil
  ├─ Self-install persistence (copy + rename)
  └─ Heartbeat loop

IOCs

File Hashes

Hash | Type | Description
1096d2e220ecce73a4e7f0cdc673c2ff4f5b399693b2db5fc5dd098813633f19 | SHA256 | Stage 1 dropper (NDAvia_Nabidka_Linzer.exe)
0f935c1205ac456eccc4aa3dfeefbaaf | MD5 | Stage 1 dropper
55e9a66bcbf87ee44e0bde755020169712b919d9 | SHA1 | Stage 1 dropper
8c4a3a1de374dd996bc76f9f70f638690a428645e5e8181849f253268c4ca822 | SHA256 | Stage 2 RAT (decrypted payload)
4d7457136a9621cb828c7e80608d6fa0 | MD5 | Stage 2 RAT

Network Indicators

Indicator | Type | Context
sealchecks.com | Domain | C2 domain, registered 06 Mar 2026 via Cloudflare
http://sealchecks.com/index.php | URL | Primary C2 endpoint (active 14 Mar 2026)
103.163.187.12 | IPv4 | C2 server, AS142594 SpeedyPage Ltd, London UK
12.187.163.103.speedyvps.uk | PTR | Reverse DNS for C2 IP

Host Indicators

Indicator | Type | Context
NDAvia_Nabidka_Linzer.exe | Filename | Stage 1 dropper
Container_WndClass | Window Class | Dropper GUI window class
Seal Document Agent Service | PE ProductName | Version info string
0.1.5.7 | PE Version | Dropper file version
HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | Registry Key | DWORD 0x2AF9 (11001) written at runtime; values under this key are named after the executable they apply to

Code Signing Certificate

Field | Value
Subject | CN=Robert Walters, O=Robert Walters, L=Placentia, ST=California, C=US
Issuer | Microsoft ID Verified CS AOC CA 01
Serial | 33:00:08:4b:4d:b3:fb:ee:f8:cd:c8:01:60:00:00:00:08:4b:4d
Valid | 11-14 Mar 2026

Decryption Keys

Key | Value | Purpose
XOR seed | 0xf616f482 | Stage 1 HTML decryption
PoW answer | 0x76632cd | Stage 2 key derivation
Stream key 1 | 0xb742ffbe | Stage 2 payload decryption (hardcoded)
Stream key 2 | 0xb538711b | Stage 2 payload decryption (derived from PoW answer)

SSH Fingerprint (C2 Server)

Type | Fingerprint
ecdsa-sha2-nistp256 | a6:0b:15:ad:d5:61:a6:80:97:e9:5b:2c:9e:0d:8e:a4

MITRE ATT&CK

Technique | ID | Detail
Phishing: Spearphishing Attachment | T1566.001 | EXE delivered as an NDA document (delivery vector inferred from the lure, not observed)
User Execution: Malicious File | T1204.002 | Victim runs the signed executable
Masquerading: Match Legitimate Name or Location | T1036.005 | Impersonates Robert Walters s.r.o.
Subvert Trust Controls: Code Signing | T1553.002 | Microsoft Trusted Signing 3-day AOC cert
Deobfuscate/Decode Files or Information | T1140 | Rolling-XOR HTML decryption + PoW-gated stream cipher
Reflective Code Loading | T1620 | Payload decrypted into VirtualAlloc memory, VirtualProtect(RX), executed in the dropper's own process (no other process is touched, so T1055 does not apply)
Virtualization/Sandbox Evasion: Time Based Evasion | T1497.003 | Proof-of-work delay (5-30 seconds)
Obfuscated Files or Information: Encrypted/Encoded File | T1027.013 | HTML UI encrypted in .data, RAT encrypted in .rsrc
Persistence (mechanism not recovered) | -- | Install_TS copy-and-rename self-install; the IE emulation registry key is a rendering setting, not an autostart entry
Input Capture: Keylogging | T1056.001 | GetAsyncKeyState in window message loop
Input Capture: GUI Input Capture | T1056.002 | Victim's full name harvested through the fake NDA form
System Information Discovery | T1082 | OS, CPU, hostname, MachineGUID, timezone
Security Software Discovery | T1518.001 | Registry enumeration of 17 AV products + Defender for Endpoint onboarding state
Query Registry | T1012 | System and security product fingerprinting
Application Layer Protocol: Web Protocols | T1071.001 | HTTP POST C2 via WinINet
Command and Scripting Interpreter | T1059 | Remote shell via CreateProcessW
Ingress Tool Transfer | T1105 | Download and execute arbitrary binaries

Investigation by FGBOT automated OSINT pipeline. Sample reported by SquiblydooBlog. C2 liveness confirmed by GHOST probe 14 March 2026 16:23 UTC.
