
19 C2 Operations on One Subnet: Inside a Banking Trojan With hVNC, CAPTCHA Harvesting, and a Criminal Neighborhood

Custom Flask+Go C2 on 1337 Services GmbH with 18 criminal neighbors

Published April 2, 2026
Tags: banking-trojan, hvnc, bulletproof-hosting, 1337-services, subnet-mapping

A custom-built banking trojan command-and-control server. A Go implant listener that redirects you to google.com if you knock on the door wrong. A Flask panel with 12 capabilities including hidden VNC, CAPTCHA harvesting, and cloud storage exfiltration. And behind it all, a single /24 subnet so dense with criminal infrastructure that mapping it reads like a malware family reunion.

This is the story of com-selfhelp[.]page -- a domain name designed to look like a mental health resource that instead serves as the nerve center for a previously undocumented financial fraud operation. But the C2 panel is only the beginning. The real story is the neighborhood it lives in.

It Started With a Tweet

On April 2, security researcher @Fact_Finder03 flagged an IP address on X: 45.154.98[.]13. A quick look at the panel on port 8443 confirmed something custom was running there -- not Cobalt Strike, not Sliver, not any open-source framework. Something built from scratch.

The login page was clean. Dark theme, glass morphism effects, purple accent gradient. The title simply read: "C2 Panel." The subtitle, buried in the CSS, was more revealing: "C2 Panel Premium Design System 2026."

Someone had built this from the ground up and was proud enough to brand it.

Two Listeners, Two Languages, One Operation

The infrastructure runs a split architecture that separates the operator interface from the implant communications -- a design pattern that shows deliberate engineering, not a point-and-click kit deployment.

Port 8443 hosts the operator panel. It's a Python Flask application with session-based authentication, serving a custom frontend with Google Fonts (Inter and JetBrains Mono), toast notifications, collapsible sidebar navigation, and data tables for managing infected machines. The static assets are versioned -- style.css?v=20260321 -- which tells us the last update was March 21, 2026. Ten days before we found it.

Port 443 runs the implant listener. This one is written in Go. And it does something clever.

The Google.com Decoy

Send any HTTP request to port 443 and you get an immediate 302 redirect to https://www.google.com. Every path. Every method. Every User-Agent. The response body is Go's default net/http redirect format: <a href="https://www.google.com">Found</a>.

This is a gatekeeper. If you're a security researcher scanning the internet, a honeypot operator collecting traffic, or a bot probing open ports -- you get google.com. The actual implant communication happens at a layer below HTTP routing. The server enforces TLS SNI filtering: it accepts connections for com-selfhelp.page but rejects c2.com-selfhelp.page. This means authentication likely occurs via mutual TLS, a custom handshake, or encrypted payload verification before the HTTP layer ever comes into play.

It's a simple trick, but effective. To casual observation, port 443 on this server is just a misconfigured redirect. You'd have to know exactly how to knock.

12 Capabilities, Zero Prior Reporting

The panel requires authentication to access its routes -- /agents, /builds, /logs, /campaigns -- and we didn't bypass it. But the operator made a critical mistake: the CSS and JavaScript files are served without authentication.

The stylesheet alone reveals the full capability set through its class names and UI components. Here's what this panel can do:

Capability          | Evidence                                          | What It Means
Hidden VNC (hVNC)   | .hvnc-container, .hvnc-canvas-wrap, .hvnc-toolbar | Real-time hidden desktop control -- the operator sees and controls the victim's screen without them knowing
Keylogger           | .badge-keylog                                     | Every keystroke captured and exfiltrated
Credential Stealer  | .badge-steal                                      | Browser passwords, session tokens, cookies
Clipboard Monitor   | .badge-clipboard                                  | Crypto wallet address swapping, password interception
MITM                | .badge-mitm                                       | Man-in-the-browser injection for session hijacking
CAPTCHA Harvester   | .badge-captcha                                    | Uses victim machines to solve CAPTCHAs for automated fraud
Google Drive Exfil  | .badge-gdrive                                     | Cloud document theft (even the CSS color is Google's #4285f4)
OneDrive Exfil      | .badge-onedrive                                   | Cloud document theft (Microsoft's #0078d4)
Document Preview    | .badge-docpreview                                 | Targeted document identification and theft
File Browser        | .badge-file                                       | Full filesystem enumeration and exfiltration
Remote Shell        | .shell-wrap, .shell-output, .shell-input-row      | Arbitrary command execution on victim machines
Payload Builder     | .tpl-card, .tpl-grid                              | Template-based payload generation with selectable options
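The stylesheet analysis the table above summarises, as an added example that is not part of the report or of the panel itself: it extracts class names from selector text only (comments and declaration blocks stripped, so a commented-out rule or a `url(...)` value is not counted as evidence), maps the marker classes to capability labels, and reports any `.badge-*` class it does not recognise so a newly added feature surfaces instead of being silently skipped. The marker table and the sample stylesheet fragment are constructed for this example.

```python
import re

# Marker class -> capability, as read from the panel stylesheet in this report.
MARKERS = {
    "hvnc-container": "Hidden VNC (hVNC)",
    "badge-keylog": "Keylogger",
    "badge-steal": "Credential stealer",
    "badge-clipboard": "Clipboard monitor",
    "badge-mitm": "Man-in-the-browser (MITM)",
    "badge-captcha": "CAPTCHA harvester",
    "badge-gdrive": "Google Drive exfil",
    "badge-onedrive": "OneDrive exfil",
    "badge-docpreview": "Document preview",
    "badge-file": "File browser",
    "shell-output": "Remote shell",
    "tpl-card": "Payload builder",
}

CLASS_RE = re.compile(r"\.([A-Za-z_][\w-]*)")

# Constructed stylesheet fragment for this example (not the panel's real CSS).
SAMPLE_CSS = """\
/* C2 Panel Premium Design System 2026 */
.hvnc-container { display: flex; background: url(bg.png); padding: .5em; }
.badge-keylog, .badge-captcha { border-radius: 4px; }
.badge-gdrive { color: #4285f4; }
@media (max-width: 800px) { .hvnc-toolbar { display: none; } }
/* .badge-mitm { display: none } */
.badge-newfeature { color: red; }
"""

def class_names(css):
    """Class names that appear in selectors, ignoring comments and declarations."""
    css = re.sub(r"/\*.*?\*/", "", css, flags=re.S)   # commented-out rules are not evidence
    selectors = re.sub(r"\{[^{}]*\}", " ", css)        # drop innermost {...} blocks (declarations);
    return set(CLASS_RE.findall(selectors))            # selectors nested in @media survive

def capabilities(css):
    """Return (recognised capability labels, unrecognised .badge-* classes)."""
    names = class_names(css)
    found = sorted({MARKERS[n] for n in names if n in MARKERS})
    unknown = sorted(n for n in names if n.startswith("badge-") and n not in MARKERS)
    return found, unknown

if __name__ == "__main__":
    found, unknown = capabilities(SAMPLE_CSS)
    print("capabilities:", ", ".join(found))
    print("unmapped badges:", ", ".join(unknown) or "none")
```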

This is not a surveillance tool. This is not an espionage framework. The combination of hVNC, CAPTCHA harvesting, credential stealing, and clipboard monitoring points in one direction: financial fraud. The operator watches the victim's screen via hidden VNC, intercepts banking credentials as they're typed, harvests CAPTCHAs to automate fraudulent transactions, and swaps cryptocurrency wallet addresses on the clipboard. It's the complete banking trojan playbook, wrapped in a polished custom interface.

And before this investigation, not a single public report existed on this operation. Zero VirusTotal context beyond generic honeypot tags. Zero ThreatFox entries. Zero URLhaus submissions. A fully operational financial fraud platform running in broad daylight.

The Domain: Social Engineering Starts at Registration

The domain com-selfhelp[.]page was registered on February 21, 2026, through NiceNIC International Group Co., Limited -- a Chinese registrar (IANA 3765) with a well-documented history of poor abuse enforcement. NiceNIC is the registrar of choice when you don't want your domain taken down. The nameservers sit on my-ndns.com, another NiceNIC property using DNSPod infrastructure.

The domain name itself is calculated. com-selfhelp.page reads like a self-help website or a mental wellness resource. In a phishing email or a social engineering lure, a URL containing "selfhelp" draws less scrutiny than a random string of characters. The .page TLD adds legitimacy -- it's a Google-managed TLD often used by real documentation sites. This is a domain name designed to survive a human glance test.

Six Certificates in Six Weeks

The certificate history tells a development story:

Date   | Certificate                                   | What It Tells Us
Feb 21 | Let's Encrypt R12 for com-selfhelp.page       | Day-one deployment. Infrastructure goes live same day as domain registration.
Feb 27 | Let's Encrypt R13 for com-selfhelp.page       | Six days later, already iterating. Server reconfiguration or new deployment.
Mar 1  | Let's Encrypt R13 for com-selfhelp.page       | Two days later. Active development cycle.
Mar 7  | Self-signed CA cert, CA:TRUE, 10-year validity | The panel's mTLS certificate. A self-signed certificate authority valid until 2036. This operator is planning to use this infrastructure for a decade.
Mar 9  | ZeroSSL wildcard for *.com-selfhelp.page      | Wildcard cert signals planned expansion to more subdomains.
Mar 23 | Let's Encrypt R12 for com-selfhelp.page       | Current active cert. The operation is maintained and current.

Six certificates in six weeks. That's not someone who bought a kit and clicked deploy. That's active development, testing, and iteration. The self-signed CA certificate on March 7 is particularly notable -- it's configured as a certificate authority (CA:TRUE) with a ten-year validity window. This is long-term infrastructure investment.

The Secondary Server

Five subdomains resolve to two different IP addresses:

  • com-selfhelp.page and c2.com-selfhelp.page point to 45.154.98[.]13 (the live C2)
  • admin.com-selfhelp.page, ftp.com-selfhelp.page, and staging.com-selfhelp.page point to 172.86.111[.]19

The secondary IP sits on Cloudzy/FranTech Solutions (BuyVM's PONYNET-16 allocation). As of our investigation, this server is offline -- ports closed, no HTTP response. But the subdomain names are telling: admin, ftp, staging. This was (or will be) the development and staging environment. The operator separates production C2 from their build pipeline. Another indicator of deliberate operational planning.

The Subnet Is the Story

Here's where a single C2 investigation becomes something larger.

45.154.98[.]13 lives on a /24 subnet allocated to 1337 Services GmbH (AS210558), a hosting provider operating out of Hamburg, Germany under the brand rdp.sh. Querying ThreatFox for the entire 45.154.98.0/24 range returned 19 confirmed C2 operations across 10 malware families. Nineteen.

This isn't a hosting provider that occasionally has a bad tenant. This is a criminal ecosystem:

45.154.98.0/24 — 1337 Services GmbH (AS210558)
    |
    .12  -- iCloud/Apple phishing (spoofed hostnames)
    .13  -- THIS INVESTIGATION: Custom banking trojan C2
    .17  -- Rhadamanthys stealer (tagged by Operation Endgame)
    .20  -- ZerPanel stealer
    .23  -- speedtest.net spoofing
    .29  -- cardprotect-espana.cc (Spanish carding operation)
    .33  -- TOR exit node
    .41  -- Remcos RAT (active March 2026)
    .48  -- Mythic C2 + Remcos backup (1,330 sightings)
    .51  -- Cloudflare.com spoofing
    .52-.58 -- Amazon.com PTR spoofing cluster
    .62  -- EvilGinx phishing proxy
    .65  -- Remcos RAT (768 sightings)
    .120 -- XWorm
    .127 -- AsyncRAT (733 sightings)
    .138 -- Quasar RAT
    .149 -- EvilGinx phishing proxy
    .164 -- ScreenConnect (malicious RMM abuse)
    .167 -- Remcos RAT (two ports, two campaigns)
    .170 -- Sliver C2 (808 sightings)
    .174 -- AsyncRAT
    .181 -- Cobalt Strike
    .191 -- Venom RAT
    .213 -- Remcos RAT (active March 2026)
    .228 -- Remcos RAT (1,127 sightings, Jan-Mar 2026)
    .229 -- ScreenConnect (malicious RMM abuse)
    .251 -- Albiriox (Android malware)

Count the Remcos instances: five separate deployments across the subnet, with .228 alone accumulating 1,127 sightings over three months. The Mythic C2 on .48 has 1,330 sightings. Sliver on .170 has 808. This subnet is generating thousands of threat intelligence hits across multiple malware families simultaneously.

The lineup reads like a cybercrime starter pack. Remcos for remote access. AsyncRAT for mass infection. Cobalt Strike and Sliver for post-exploitation. EvilGinx for credential phishing. ScreenConnect for legitimate-looking remote access. XWorm and Venom RAT for commodity infections. Rhadamanthys for information stealing. And in the middle of it all, our custom banking trojan panel -- the only bespoke tool in a neighborhood of commodity malware.

1337 Services GmbH announces 20 /24 prefixes through AS210558. If this single /24 contains 19 confirmed C2 operations, the full AS likely hosts hundreds. This is bulletproof hosting in its purest form: infrastructure specifically designed to resist takedown requests, with an abuse contact (abuse@as210558.net) that almost certainly goes nowhere.

What We Don't Know

We did not bypass authentication on the panel. We cannot determine:

  • Victim count: How many machines are infected and reporting to this C2
  • Campaign targets: Which financial institutions or services are being targeted
  • Geographic focus: Where the victims are located
  • Operator identity: NiceNIC (Chinese registrar) and 1337 Services (German BPH) are service providers, not attribution indicators
  • Delivery method: How the implant reaches victims (the attack chain before the C2 beacon)

A linked malware sample exists -- SHA256 3975fce3783a3b8a4780d70e7d8d9588825cf92cba92128a16f86bec50890b99, detected as Win32:RATX-gen [Trj] and Win.Malware.Mikey -- but it wasn't available in MalwareBazaar for deeper analysis.

Two AlienVault OTX pulses tagged this IP with Kimsuky and BlueNoroff labels. Our assessment: likely incidental. Those pulses are automated Twitter feed ingestion, and the IP was probably included due to shared infrastructure or automated scanning. A custom Flask panel on German bulletproof hosting with NiceNIC domains and a financial fraud capability set does not match the DPRK cyber espionage profile.

The OPSEC Scorecard

The operator got some things right:

  • Default credentials don't work (we tested 14 combinations)
  • TLS SNI filtering on the implant listener rejects wrong virtual hosts
  • Google.com decoy redirect hides the C2 from casual scanning
  • Panel runs on non-standard port 8443
  • Production and staging infrastructure are separated across different providers
  • Self-signed CA with 10-year validity for mutual TLS authentication

But they got some things wrong:

  • CSS and JavaScript served without authentication -- revealing the entire capability set to anyone who asks
  • CORS set to Access-Control-Allow-Origin: * -- wide open, no restrictions
  • Static asset versioning in the URL -- ?v=20260321 reveals the development timeline
  • Subdomain naming -- c2.com-selfhelp.page literally labels itself

The CSS leak is the critical failure. Without it, we'd know there was a Flask application on port 8443 and a Go redirect on port 443, and little else. The unauthenticated static assets transformed a network scan into a full capability assessment.

Indicators of Compromise

Network

45.154.98[.]13           Primary C2 (AS210558, 1337 Services GmbH)
172.86.111[.]19          Secondary infrastructure (FranTech/Cloudzy) -- OFFLINE
com-selfhelp[.]page      C2 domain
c2.com-selfhelp[.]page   C2 subdomain
admin.com-selfhelp[.]page    Staging/admin (-> secondary server)
ftp.com-selfhelp[.]page      FTP (-> secondary server)
staging.com-selfhelp[.]page  Staging (-> secondary server)

Certificates

Port 8443: Self-signed CA, CN=com-selfhelp.page
           Serial: 2f:6f:d8:d1:d1:27:b8:31:ed:44:1a:96:12:7b:d4:7b:30:75:ec:1c
           Valid: 2026-03-07 to 2036-03-04
Port 443:  Let's Encrypt R12, CN=com-selfhelp.page
           Valid: 2026-03-23 to 2026-06-21

File Indicators

SHA256: 3975fce3783a3b8a4780d70e7d8d9588825cf92cba92128a16f86bec50890b99
        Win32:RATX-gen [Trj] / Win.Malware.Mikey-9819889-0

Infrastructure Fingerprints

Port 8443: Flask/Werkzeug, "C2 Panel" title, style.css?v=20260321
Port 443:  Go net/http, 302 redirect to google.com
Port 80:   nginx 1.24.0, 301 to HTTPS
Port 22:   OpenSSH 9.6p1 (Ubuntu)
Registrar: NiceNIC International Group (IANA 3765)
NS:        ns3.my-ndns[.]com, ns4.my-ndns[.]com

Takeaways

For defenders: Block 45.154.98[.]13 and the domain com-selfhelp.page at your perimeter. If your risk tolerance allows it, consider blocking the entire 45.154.98.0/24 -- with 19 confirmed C2 operations, the probability of legitimate traffic from this range is vanishingly small. Search your proxy and firewall logs for connections to port 443 on this IP; the google.com redirect in response data is a fingerprint. If you find beacons, you're looking at a banking trojan infection with hVNC capability, meaning the operator may have already had real-time access to victim desktops.
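The log search recommended above, as an added example that is not part of the report: it runs a small hunt over proxy log lines, scoring a line "high" when the destination matches the report's IP, /24 or domain indicators and "low" when the only signal is the decoy fingerprint (a 302 to google.com from a server that is not Google). The log format, the internal source addresses and the sample lines are constructed for this example; the Google and example.com destination addresses are illustrative.

```python
import ipaddress

# Indicators taken from this report (written un-defanged so they match log fields).
C2_IPS = {"45.154.98.13", "172.86.111.19"}
C2_NET = ipaddress.ip_network("45.154.98.0/24")   # the 1337 Services GmbH /24
C2_DOMAINS = {"com-selfhelp.page"}

# Constructed sample proxy log, one request per line (not real traffic):
# timestamp src_ip dst_ip:port sni_or_host http_status location_header
SAMPLE_LOG = """\
2026-04-01T10:00:01Z 10.0.0.5 142.250.72.14:443 www.google.com 200 -
2026-04-01T10:00:07Z 10.0.0.8 45.154.98.13:443 com-selfhelp.page 302 https://www.google.com
2026-04-01T10:00:09Z 10.0.0.8 45.154.98.13:8443 - 200 -
2026-04-01T10:01:12Z 10.0.0.9 45.154.98.228:443 - 200 -
2026-04-01T10:02:30Z 10.0.0.5 93.184.216.34:443 example.com 302 https://www.google.com
2026-04-01T10:03:00Z 10.0.0.7 8.8.8.8:443 dns.google 200 -
"""

def in_c2_domain(host):
    return any(host == d or host.endswith("." + d) for d in C2_DOMAINS)

def classify(line):
    """Return (severity, reasons) for one log line; severity is None when clean."""
    _ts, _src, dst, host, status, location = line.split()
    ip, port = dst.rsplit(":", 1)
    ioc_hits = []
    if ip in C2_IPS:
        ioc_hits.append("known C2 IP")
    elif ipaddress.ip_address(ip) in C2_NET:
        ioc_hits.append("inside 45.154.98.0/24 (19 ThreatFox C2s)")
    if host != "-" and in_c2_domain(host):
        ioc_hits.append("C2 domain")
    # The Go listener answers every request with 302 -> google.com. On its own this
    # is a weak signal (other sites redirect there too), so it only scores "low".
    decoy = (status == "302" and location.startswith("https://www.google.com")
             and not host.endswith("google.com"))
    if not ioc_hits and not decoy:
        return None, []
    reasons = ioc_hits + (["google.com decoy redirect on :" + port] if decoy else [])
    return ("high" if ioc_hits else "low"), reasons

def hunt(log_text):
    """Return [(src_ip, dst, severity, reasons)] for every flagged log line."""
    hits = []
    for line in filter(str.strip, log_text.splitlines()):
        severity, reasons = classify(line)
        if severity:
            fields = line.split()
            hits.append((fields[1], fields[2], severity, reasons))
    return hits

if __name__ == "__main__":
    for src, dst, sev, why in hunt(SAMPLE_LOG):
        print(f"{sev:4} {src} -> {dst}: {', '.join(why)}")
```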

For threat intelligence teams: 1337 Services GmbH (AS210558, rdp.sh) warrants treatment as a bulletproof hosting provider. Twenty /24 prefixes, at least 19 confirmed C2 operations in a single /24, and a client roster spanning Remcos, Cobalt Strike, Sliver, Mythic, Rhadamanthys, and custom frameworks. Monitor the entire AS for new deployments. Monitor NiceNIC registrations matching the com-*.page pattern for infrastructure expansion.

For the security community: The capability set on this panel -- hVNC combined with CAPTCHA harvesting and credential theft -- represents the current state of the art in financial fraud tooling. This isn't a commodity RAT. Someone built a purpose-specific banking trojan with a polished operator interface, deployed it on bulletproof hosting with careful OPSEC, and had it running undetected until a single tweet surfaced the IP. The gap between deployment and discovery was six weeks. In financial fraud, six weeks is a lifetime.

The domain name was the first act of social engineering. The google.com redirect was the second. The unauthenticated CSS was the mistake that unraveled both.


This investigation was triggered by a tweet from @Fact_Finder03. Infrastructure analysis and subnet mapping were produced by Breakglass Intelligence's autonomous GHOST investigation system. All evidence was captured via passive and semi-passive methods. YARA and Suricata detection rules for this operation are available in the full technical report.

Breakglass Intelligence | April 2, 2026
