medium🎣Phishing

investigatedMarch 16, 2026publishedMarch 16, 2026

SEAL RAT: A Czech-Language Job Phishing Dropper With Proof-of-Work Anti-Sandbox and a Microsoft-Signed Certificate

#phishing#xworm#lumma#quasarrat#social-engineering#c2#exploit#apt#spearphishing

Published: 2026-03-16 | Author: BGI | Investigation Date: 2026-03-16

TL;DR

A previously unreported malware family dubbed "SEAL RAT" is targeting Czech-speaking job seekers through a PE32+ dropper masquerading as an NDA-signing tool for Robert Walters s.r.o., a legitimate global recruitment agency. The lure dangles a fabricated confidential job offer from EDEKA Czech Republic tied to the German retail chain's real 2026-2027 Czech expansion plans. The dropper carries a valid Microsoft Trusted Signing AOC certificate issued to "Robert Walters, Placentia, CA" -- a 3-day certificate that expired before most threat intel pipelines could push a revocation. Behind the Czech-language NDA facade, a background thread runs a Murmur3-style proof-of-work computation (124 million iterations, 5-30 seconds wall time) to defeat sandbox execution windows, then decrypts and launches an embedded HTTP RAT that beacons to sealchecks.com. The RAT performs system reconnaissance, fingerprints 17 security products including CrowdStrike, SentinelOne, and Windows Defender ATP, and provides remote shell execution and arbitrary file download capabilities. The C2 domain was registered six days before the dropper was compiled, all infrastructure was stood up in a single 6-day window, and the C2 was confirmed active on 14 March 2026. Attribution confidence is low. This appears to be a novel malware family with no prior campaign cluster.

Campaign Overview

On 14 March 2026, automated OSINT pipelines flagged a suspicious PE32+ executable submitted to malware repositories under the name NDAvia_Nabidka_Linzer.exe. The binary was signed with a valid Microsoft Trusted Signing certificate, presented a polished Czech-language GUI, and impersonated a real recruitment company. Initial triage revealed a two-stage architecture: a foreground lure designed to hold the victim's attention while a background thread decrypted and executed a previously undocumented remote access trojan.

The social engineering is unusually sharp. The actor chose Robert Walters s.r.o. -- a legitimate global recruitment agency with active Czech operations -- as the impersonated brand, and baited the lure with a fictitious job offer from EDEKA Czech Republic that references real 2026-2027 expansion plans. The Czech language quality is high enough to suggest either a native speaker or careful manual review of machine translation. This is not a spray-and-pray campaign. It is targeted at Czech-speaking professionals in the job market, exploiting trust in known brands and plausible business context.

The C2 was confirmed active on 14 March 2026 at 16:23 UTC. The malware family appears novel and previously unreported. We are tracking this as "SEAL RAT" based on the actor's own internal project name, which appears across multiple artifacts.

The Lure: NDA-as-a-Weapon

The executable presents a two-step Czech-language GUI rendered via an embedded Internet Explorer WebBrowser OLE control. The victim sees what looks like a legitimate recruitment workflow.

Step 1 -- NDA Agreement (Krok 1 ze 2)

The first screen is branded as Robert Walters s.r.o. and displays a Czech-language NDA with GDPR-compliant data-processing language. The victim encounters:

Professional NDA text with convincing Czech legalese
Three data-processing consent checkboxes (GDPR-style)
A full name input field -- harvested directly by the malware

The NDA language tracks with what a real recruitment agency would send before sharing confidential job details. The victim has no reason to suspect the document is fake.

Step 2 -- Confidential Job Offer (Krok 2 ze 2 -- Duverna)

After "signing" the NDA, the victim sees a detailed job offer:

Field	Detail
Employer	EDEKA Cesko (Czech subsidiary of German retail giant)
Context	National Expansion 2026-2027 (60 stores across the Czech Republic)
Employment	Full-time HPP or contractor options
Compensation	Annual and quarterly bonuses
Benefits	Up to 25 vacation days, hybrid work
Locations	Praha and Brno

The EDEKA Czech expansion angle tracks with real 2026 business news. The actor is monitoring the regional job market for credible bait -- a level of research that separates targeted operations from commodity phishing.

The Critical Detail

While the victim reads and signs, the malware is already running Stage 2 in a background thread. The NDA GUI is not just a lure -- it is a timing mechanism. The proof-of-work computation and RAT deployment complete during the 30-60 seconds the victim spends reading the NDA and job offer. By the time they close the window, the RAT is already beaconing home.

Technical Analysis

Stage 1: The Dropper

Sample: NDAvia_Nabidka_Linzer.exe

Property	Value
Format	PE32+ GUI executable, x86-64
Size	134,104 bytes
Compiled	12 March 2026 09:00:58 UTC
Sections	6 total; 5,120 bytes of `.text`
Signed	Microsoft Trusted Signing (valid at compile time)

The binary is deliberately compact. Only 5,120 bytes of executable code in .text -- the bulk of the file is encrypted payloads. The .data section (60,416 bytes, entropy 7.91) contains the entire HTML UI, encrypted with a rolling-XOR scheme.

HTML UI Decryption

key = 0xf616f482
counter = 0xea2c  (59,948 bytes)
loop:
    *data++ ^= (key & 0xFF)
    key = ROL32(key, counter & 0xFF)
    counter--

Decryption yields 59,539 bytes of self-contained HTML -- the Czech NDA form, job offer content, CSS styling, and JavaScript callbacks that communicate with the dropper via COM.

Dropper Execution Flow

The dropper's initialization sequence reveals careful engineering:

Command-line parsing -- A /s flag triggers silent/headless mode (Sleep(0xFFFFFFFF)), suggesting the RAT can be deployed as a background service without the lure GUI. This implies the actor has or plans for a second delivery mechanism where the NDA social engineering is not needed.
IE11 emulation -- Sets HKCU\...\FEATURE_BROWSER_EMULATION to 0x2AF9 (11001) for proper CSS rendering of the embedded HTML.
OLE initialization -- Creates a window titled Duverna pracovni nabidka | Robert Walters s.r.o. ("Confidential job offer") with an embedded WebBrowser control.
COM callbacks -- Exposes OnButtonClick, OnNextPage, and OnClose to the HTML via window.external, enabling the NDA form to communicate user actions (and the victim's typed name) back to the native code.
Keylogger -- Runs a GetAsyncKeyState keylogger inside the window message loop. Every keystroke while the NDA window is active is captured.

The import table is deliberately minimal -- focused on resource loading, memory allocation, registry manipulation, and COM/OLE for the GUI. No networking imports in Stage 1. All C2 communication lives in Stage 2.

Stage 2: Proof-of-Work Anti-Analysis

This is where the malware gets interesting. The Stage 2 loader runs in a separate thread (VA 0x21a0) and implements a computational proof-of-work gate before decrypting the embedded RAT.

Resource Extraction

FindResourceA(NULL, MAKEINTRESOURCE(101), RT_RCDATA)
--> 41,472-byte encrypted blob from .rsrc section
--> VirtualAlloc(RW) + memcpy

The Proof-of-Work Search

The malware iterates a 32-bit counter from zero, computing a Murmur3-style hash of both the counter and its bitwise complement. The hash function:

def hash_fn(x):
    x ^= x >> 17
    x *= 0xe2d97d43
    x ^= x >> 13
    x *= 0xb86bb9bd
    x ^= x >> 18
    return x & 0xFFFFFFFF

The search halts when both conditions are met simultaneously:

hash_fn(ebx) == 0xa3670424  AND  hash_fn(~ebx) == 0xf153cb35

Solved key: ebx = 0x76632cd -- requiring 124,468,685 iterations.

Why Proof-of-Work?

This is a deliberately calculated anti-sandbox mechanism. The computation takes 5-30 seconds depending on CPU speed. Most automated sandbox environments execute samples for 60-120 seconds, but many of those seconds are consumed by system initialization, screenshot capture, and behavioral monitoring overhead. A 5-30 second delay eats a significant portion of the effective analysis window.

The implementation is subtle. The malware sleeps 1ms every 32,768 iterations to keep CPU usage around 50%. This serves double duty:

Prevents the CPU spike that behavioral engines flag as suspicious
Extends wall-clock time past sandbox timeouts without being obviously evasive

From the victim's perspective, this delay is invisible. They are reading the NDA and filling out the form while the proof-of-work runs silently in the background.

Payload Decryption

After solving the proof-of-work, the malware decrypts the embedded RAT using a custom streaming cipher with two keys:

r10d = 0xb742ffbe  # hardcoded key1
r11d = 0xb538711b  # key2 derived from PoW answer via hash_finalize()

for i, byte in enumerate(resource):
    shift = (i & 3) * 8
    k1 = (r10d >> shift) & 0xFF
    r10d = (r10d + byte) & 0xFFFFFFFF  # key1 accumulates ciphertext
    k2 = (r11d >> shift) & 0xFF
    decrypted[i] = k1 ^ k2 ^ byte

The cipher is notable for its key accumulation: r10d incorporates each ciphertext byte as it is processed, making the keystream dependent on the entire preceding ciphertext. This prevents simple known-plaintext attacks against the stream cipher.

After decryption: VirtualProtect(PAGE_EXECUTE_READ), read the entry RVA from offset 0x1c, and jump.

Stage 2: The SEAL RAT

The decrypted payload is a standalone PE with a spoofed compile timestamp of July 2007 -- an anti-analysis measure designed to confuse automated timeline reconstruction.

Property	Value
SHA256	`8c4a3a1de374dd996bc76f9f70f638690a428645e5e8181849f253268c4ca822`
MD5	`4d7457136a9621cb828c7e80608d6fa0`
C2 Endpoint	`http://sealchecks.com/index.php`
Protocol	HTTP via WinINet, custom binary (`Content-Type: application/binary-`)

Capabilities

The RAT implements a focused but operationally complete command set:

Function	Description
`CollectSystemInfo`	Hostname, username, language, CPU architecture, timezone, PID, MachineGUID, domain membership
`_GetAvInfo`	Registry enumeration of 17 security products
`HandleCmd_CmdLine`	Remote shell via `CreateProcessW` + `CreatePipe` with output capture
`HandleCmd_Exe`	Download and execute arbitrary files
`Install_TS`	Self-installation with copy-and-rename persistence
`SrvCom_ConnectAlive`	Heartbeat/keepalive loop
`SrvCom_Send`	Typed data exfiltration

AV Fingerprinting: 17 Products

The _GetAvInfo function enumerates the registry for 17 specific security products:

Kaspersky        ESET             CrowdStrike      SentinelOne
Carbon Black     Cylance          Sophos           Bitdefender
McAfee           Trend Micro      Norton           F-Secure
Dr.Web           Panda            Avast/AVG        Windows Defender
Windows ATP

The Windows Defender ATP check is particularly telling. The RAT queries SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status\OnboardingState to determine whether the target is running enterprise EDR. This is an operational decision point: if ATP is active, the operator knows they are dealing with a managed enterprise environment and can decide whether to deploy noisy follow-on tools or stay quiet and exfiltrate what they can through the existing RAT.

C2 Protocol

Communication uses HTTP POST to http://sealchecks.com/index.php with a custom binary protocol. The server returns ERROR # 1 to unrecognized requests -- a simple but effective way to distinguish legitimate RAT traffic from researcher probes and web crawlers.

The Certificate Problem

The dropper carries a valid Microsoft Trusted Signing certificate -- specifically the AOC (Authenticode One-time Certificate) tier that issues 3-day certificates after identity verification via government ID.

Field	Value
Subject	`CN=Robert Walters, O=Robert Walters, L=Placentia, ST=California, C=US`
Issuer	Microsoft ID Verified CS AOC CA 01
Valid	11 Mar 2026 11:10:47 -- 14 Mar 2026 11:10:47 UTC
Serial	`33:00:08:4b:4d:b3:fb:ee:f8:cd:c8:01:60:00:00:00:08:4b:4d`
Key Size	3072-bit RSA
HSM	nShield TSS ESN:7800-05E0-D9471503 (Entrust)

Certificate Subject Analysis

The certificate subject -- "Robert Walters, Placentia, California" -- matches the recruitment company being impersonated in the lure. This is not a coincidence. The actor either:

Registered the cert under the target brand name deliberately, to pass casual inspection by security teams reviewing signed binaries
Used a stolen or synthetic identity that happens to match the impersonated company

Either scenario represents significant premeditation. The Entrust nShield HSM backing the signature suggests persistent signing infrastructure, not a one-off operation.

The 3-Day Window Tactic

The 3-day certificate lifespan is tactically sound:

Day 1 (11 Mar): Certificate issued
Day 2 (12 Mar): Dropper compiled and signed
Day 3 (14 Mar): Certificate expires; first sample surfaces

By the time anyone flags the certificate, it is already invalid. The cert expires before most threat intel pipelines can push a revocation. This abuse pattern has been documented across multiple 2025-2026 campaigns (Lumma Stealer, XWorm, QuasarRAT), and Microsoft has yet to meaningfully address the issuance pipeline. The AOC tier's minimal identity verification -- a government ID scan -- is insufficient to prevent adversaries from registering certificates under impersonated brand names.

Infrastructure and Attribution

C2 Server Profile

Attribute	Value
Domain	`sealchecks.com`
IP	`103.163.187.12`
ASN	AS142594 (SpeedyPage Ltd)
Location	London, UK
PTR	`12.187.163.103.speedyvps.uk`
OS	Debian Linux
Web Server	nginx
SSH	OpenSSH 10.0p2 Debian-7
SSH Fingerprint	`a6:0b:15:ad:d5:61:a6:80:97:e9:5b:2c:9e:0d:8e:a4` (ecdsa-sha2-nistp256)
Open Ports	22/tcp, 80/tcp

The C2 is a budget UK VPS from SpeedyPage Ltd, a small hosting provider. The server runs only SSH and HTTP -- a minimal footprint consistent with single-purpose C2 infrastructure.

Domain Registration

Registered 06 March 2026 via Cloudflare. Privacy-protected behind a Wyoming LLC. Let's Encrypt TLS issued the same day. Nameservers: emerie.ns.cloudflare.com, tom.ns.cloudflare.com.

Operational Timeline

Date (UTC)	Event
06 Mar 2026	`sealchecks.com` registered; TLS certificates issued
11 Mar 2026	Code signing certificate issued to "Robert Walters"
12 Mar 2026	Dropper PE compiled (09:00:58 UTC)
13 Mar 2026	C2 DNS record updated
14 Mar 2026	Signing cert expired
14 Mar 2026 13:16	First sample submission (via SquiblydooBlog)
14 Mar 2026 16:23	C2 confirmed active (GHOST probe)

All infrastructure -- domain, TLS, code signing cert, compiled binary -- was stood up in a 6-day window. This is a single-operation setup, not reused infrastructure. The tight timeline suggests an operator with established playbooks for rapid campaign deployment.

The "SEAL" Branding

The actor's internal project name for this malware family appears across multiple artifacts:

PE version info: Seal Document Agent Service (ProductName)
C2 domain: sealchecks.com
Internal logging prefixes: SEAL-prefixed strings in the decrypted RAT

This level of self-branding is common in malware-as-a-service operations and solo developer projects. It suggests the author views this as a named product, possibly with plans for iteration or resale.

Three overlapping TTP clusters warrant monitoring:

TrustConnect/DocConnect (Feb 2026) -- Also abused Microsoft Trusted Signing with recruitment-themed lures and document-signing pretexts. Deployed RMM tools (not a custom RAT). Possible overlap or copycat sharing the same certificate abuse playbook.
UNK_GreenSec NDA lures (Aug 2025) -- Russia-attributed campaign using fake NDA documents to deliver the MixShell backdoor. Different payload family, but the NDA-as-dropper social engineering technique is shared.
Microsoft Trusted Signing 3-day cert abuse (2025-2026) -- A well-documented pipeline exploited by multiple unrelated actors. SEAL RAT follows the same OPSEC template: register cert, compile and sign within the validity window, distribute before expiry.

Attribution Assessment

Confidence: LOW.

Novel malware family with no prior reporting. TTP overlaps exist with multiple unrelated actors. The Czech-language targeting and EDEKA lure suggest regional awareness but not necessarily a Czech-based actor -- an operator with Czech language skills (or access to a translator) and knowledge of the Czech job market could be based anywhere. The "Placentia, California" certificate subject may indicate a US-based entity involved in the signing infrastructure, or may simply be a fabricated address.

Kill Chain

DELIVERY
  Job board / LinkedIn / spear-phishing email
  +-- Victim downloads NDAvia_Nabidka_Linzer.exe
      +-- Microsoft Trusted Signing certificate builds initial trust

STAGE 1 (DROPPER)
  |-- Rolling-XOR decrypt 59,539 bytes of HTML UI from .data section
  |-- Spawn Stage 2 loader thread (background, VA 0x21a0)
  |-- Set IE11 emulation registry key (FEATURE_BROWSER_EMULATION = 0x2AF9)
  |-- Render Czech NDA form (Robert Walters s.r.o. branding)
  |-- Collect victim full name from form input field
  +-- GetAsyncKeyState keylogger active in message loop

STAGE 2 LOADER (background thread, concurrent with GUI)
  |-- Extract 41,472-byte resource blob (RT_RCDATA ID 101)
  |-- Proof-of-work: Murmur3-style hash search, 124M+ iterations (~5-30 sec)
  |-- Sleep(1ms) every 32,768 iterations (CPU throttle + time extension)
  |-- Stream-cipher decrypt with PoW-derived keys --> embedded PE
  +-- VirtualProtect(RX) --> call entry point at RVA offset 0x1c

STAGE 2 (SEAL RAT)
  |-- System recon: hostname, user, OS, CPU, MachineGUID, timezone, domain
  |-- AV fingerprint: 17 products + Windows ATP onboarding state
  |-- HTTP POST --> http://sealchecks.com/index.php (binary protocol)
  |-- Command dispatch: shell exec, file download+exec, data exfil
  |-- Self-install persistence (Install_TS: copy + rename)
  +-- Heartbeat loop (SrvCom_ConnectAlive)

Indicators of Compromise

File Hashes

Hash	Type	Description
`1096d2e220ecce73a4e7f0cdc673c2ff4f5b399693b2db5fc5dd098813633f19`	SHA256	Stage 1 dropper (`NDAvia_Nabidka_Linzer.exe`)
`0f935c1205ac456eccc4aa3dfeefbaaf`	MD5	Stage 1 dropper
`55e9a66bcbf87ee44e0bde755020169712b919d9`	SHA1	Stage 1 dropper
`8c4a3a1de374dd996bc76f9f70f638690a428645e5e8181849f253268c4ca822`	SHA256	Stage 2 RAT (decrypted payload)
`4d7457136a9621cb828c7e80608d6fa0`	MD5	Stage 2 RAT

Network Indicators

Indicator	Type	Context
`sealchecks.com`	Domain	C2 domain, registered 06 Mar 2026 via Cloudflare
`http://sealchecks.com/index.php`	URL	Primary C2 endpoint (active 14 Mar 2026)
`103.163.187.12`	IPv4	C2 server, AS142594 SpeedyPage Ltd, London UK
`12.187.163.103.speedyvps.uk`	PTR	Reverse DNS for C2 IP

Host Indicators

Indicator	Type	Context
`NDAvia_Nabidka_Linzer.exe`	Filename	Stage 1 dropper
`Container_WndClass`	Window Class	Dropper GUI window class name
`Seal Document Agent Service`	PE ProductName	Version info string in dropper
`0.1.5.7`	PE Version	Dropper file version
`HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION`	Registry Key	Set to `0x2AF9` (11001) at runtime

Code Signing Certificate

Field	Value
Subject	`CN=Robert Walters, O=Robert Walters, L=Placentia, ST=California, C=US`
Issuer	Microsoft ID Verified CS AOC CA 01
Serial	`33:00:08:4b:4d:b3:fb:ee:f8:cd:c8:01:60:00:00:00:08:4b:4d`
Valid	11-14 Mar 2026

Decryption Constants

Key	Value	Purpose
XOR seed	`0xf616f482`	Stage 1 HTML decryption
PoW answer	`0x76632cd`	Stage 2 key derivation (124,468,685 iterations)
Stream key 1	`0xb742ffbe`	Stage 2 payload decryption (hardcoded)
Stream key 2	`0xb538711b`	Stage 2 payload decryption (PoW-derived)

SSH Fingerprint (C2 Server)

Type	Fingerprint
ecdsa-sha2-nistp256	`a6:0b:15:ad:d5:61:a6:80:97:e9:5b:2c:9e:0d:8e:a4`

Detection Guidance

YARA Rule

rule SEAL_RAT_Dropper {
    meta:
        description = "SEAL RAT dropper - Czech job phishing campaign"
        author = "breakglass.intelligence"
        date = "2026-03-16"
        severity = "high"
        reference = "https://intel.breakglass.tech"
    strings:
        $product = "Seal Document Agent Service" ascii wide
        $c2_domain = "sealchecks.com" ascii
        $c2_path = "/index.php" ascii
        $window_title = "Duverna pracovni nabidka" ascii wide
        $window_class = "Container_WndClass" ascii
        $xor_key = { 82 f4 16 f6 }
        $pow_target1 = { 24 04 67 a3 }
        $pow_target2 = { 35 cb 53 f1 }
        $ie_emulation = "FEATURE_BROWSER_EMULATION" ascii
    condition:
        uint16(0) == 0x5A4D and
        (2 of ($product, $c2_domain, $c2_path, $window_title, $window_class)) or
        (any of ($xor_key, $pow_target1, $pow_target2) and $ie_emulation)
}

rule SEAL_RAT_Stage2 {
    meta:
        description = "SEAL RAT decrypted stage 2 payload"
        author = "breakglass.intelligence"
        date = "2026-03-16"
    strings:
        $c2 = "sealchecks.com" ascii
        $content_type = "application/binary-" ascii
        $error_marker = "<!--error-->ERROR" ascii
        $av_atp = "Windows Advanced Threat Protection" ascii wide
        $av_crowdstrike = "CrowdStrike" ascii wide
        $av_sentinel = "SentinelOne" ascii wide
    condition:
        uint16(0) == 0x5A4D and
        $c2 and 2 of ($content_type, $error_marker, $av_atp, $av_crowdstrike, $av_sentinel)
}

Snort/Suricata Signatures

alert http $HOME_NET any -> $EXTERNAL_NET any (
    msg:"SEAL RAT C2 Beacon - sealchecks.com";
    content:"sealchecks.com"; http_header;
    content:"POST"; http_method;
    content:"/index.php"; http_uri;
    content:"application/binary-"; http_header;
    sid:2026031601; rev:1;
)

alert http $HOME_NET any -> $EXTERNAL_NET any (
    msg:"SEAL RAT C2 Beacon - Direct IP";
    content:"103.163.187.12"; http_header;
    content:"POST"; http_method;
    content:"/index.php"; http_uri;
    sid:2026031602; rev:1;
)

Behavioral Indicators

Endpoint detection teams should watch for:

GetAsyncKeyState calls from processes with embedded WebBrowser OLE controls
FindResourceA followed by VirtualAlloc(RW) + VirtualProtect(RX) in rapid succession
High iteration count loops with periodic 1ms sleeps (PoW computation pattern)
HTTP POST to /index.php with Content-Type: application/binary-
Registry writes to FEATURE_BROWSER_EMULATION from non-browser processes

MITRE ATT&CK Mapping

Technique	ID	Detail
Phishing: Spearphishing Attachment	T1566.001	EXE delivered as NDA document
User Execution: Malicious File	T1204.002	Victim runs the signed executable
Masquerading: Match Legitimate Name	T1036.005	Impersonates Robert Walters s.r.o.
Code Signing	T1553.002	Microsoft Trusted Signing 3-day AOC cert
Deobfuscate/Decode Files or Information	T1140	Rolling-XOR + PoW-gated stream cipher
Process Injection: Thread Execution Hijacking	T1055.003	VirtualAlloc + VirtualProtect + CreateThread
Virtualization/Sandbox Evasion: Time-Based	T1497.003	Proof-of-work delay (5-30 seconds, 124M iterations)
Obfuscated Files or Information	T1027.006	HTML UI encrypted in PE .data section
Registry Run Keys / Startup Folder	T1547.001	IE emulation key + Install_TS persistence
Input Capture: Keylogging	T1056.001	GetAsyncKeyState in window message loop
System Information Discovery	T1082	OS, CPU, hostname, MachineGUID, timezone
Security Software Discovery	T1518.001	Registry enumeration of 17 AV products + ATP onboarding
Query Registry	T1012	System and security product fingerprinting
Application Layer Protocol: Web Protocols	T1071.001	HTTP POST C2 via WinINet
Command and Scripting Interpreter	T1059	Remote shell via CreateProcessW
Ingress Tool Transfer	T1105	Download and execute arbitrary binaries
Gather Victim Identity Information	T1589	Victim full name collected via NDA form

Defensive Recommendations

Immediate Actions

Block sealchecks.com and 103.163.187.12 at your DNS and network perimeter. The C2 was confirmed active as of 14 March 2026 and may remain operational.
Hunt for the certificate serial in your code signing logs. Any binary signed with serial 33:00:08:4b:4d:b3:fb:ee:f8:cd:c8:01:60:00:00:00:08:4b:4d should be treated as malicious.
Alert recruitment and HR teams in Czech Republic operations. The lure is convincing enough to fool professionals who are actively job hunting. Emphasize that legitimate recruitment agencies do not distribute executable NDA-signing tools.
Deploy the YARA rules above to scan endpoints and mail gateways for the dropper and decrypted RAT.

Broader Mitigations

Audit Microsoft Trusted Signing certificate trust in your environment. Consider whether 3-day AOC certificates from unrecognized organizations should be trusted at all. Several EDR vendors now offer policy controls to flag or block recently-issued AOC certificates.
Monitor for FEATURE_BROWSER_EMULATION registry writes from non-browser executables. This is an uncommon registry path that legitimate software rarely touches, making it a high-fidelity detection signal.
Implement application allowlisting where feasible. The dropper's 134KB footprint and unusual section layout (5KB of code, 60KB of encrypted data) would be flagged by most application control solutions.

Investigation by FGBOT automated OSINT pipeline. Sample reported by SquiblydooBlog. C2 liveness confirmed by GHOST probe 14 March 2026 16:23 UTC. Analysis and report by Breakglass Intelligence.