Shadow RAT Panel v2.0: Inside a Live MaaS Platform With APT Crossover
TL;DR: Breakglass Intelligence discovered a fully operational Shadow RAT command-and-control panel running at 87.120.107[.]117 on Ukrainian-operated bulletproof hosting infrastructure (Shinomiya Hosting, AS215428). The panel -- a modern Vite/React SPA backed by an Express.js API -- provides a complete Malware-as-a-Service platform with user registration, licensing, and a malware builder capable of producing Windows RAT payloads with rootkit, surveillance, credential theft, and remote shell capabilities. The operator was identified as Aleksei Ezhov via Telegram channel @spyingsystem. Critically, Shadow RAT is attributed by Malpedia and Seqrite Labs to UNG0002, a South Asian espionage actor that has conducted campaigns against defense, aviation, and government targets across China, Hong Kong, and Pakistan. The IP address hosting the live panel is completely absent from all public threat intelligence feeds -- this is first-to-find intelligence for a new C2 deployment.
Background
Shadow RAT occupies a particularly interesting niche in the threat landscape: it is both a commercially sold Malware-as-a-Service product and a tool used by a tracked APT group. This dual-use nature makes it a priority for tracking, as compromises involving Shadow RAT could indicate anything from opportunistic cybercrime to state-aligned espionage.
This investigation began when Breakglass Intelligence identified the IP 87.120.107[.]117 hosting a web application on port 80. Subsequent analysis revealed a fully functional RAT panel, and cross-referencing with existing threat intelligence linked it to the Shadow RAT family and, through that, to the APT group UNG0002.
The previous known C2 for Shadow RAT -- at 5.9.228[.]188 on Hetzner infrastructure -- has gone dark, with only RDP responding. The migration to Shinomiya bulletproof hosting represents a deliberate operational upgrade by the panel operator.
Key Findings
- A live Shadow RAT Panel v2.0 is operating at 87.120.107[.]117 on port 80, built with Vite/React on the frontend and Express.js on the backend, with full RAT building, client management, and administration capabilities.
- The panel creator is identified as Aleksei Ezhov, credited in the panel UI and linked to the Telegram channels @spyingsystem and @CrackBaseProxy.
- The hosting provider is Shinomiya Hosting (AS215428), operated by Mykyta Skorobohatko from Shostka, Sumska Oblast, Ukraine, and flagged as bulletproof hosting by the Dutch government in 2024.
- Shadow RAT is attributed to UNG0002 (a South Asian APT group) by both Malpedia and Seqrite Labs. The presence of a commercial panel with registration and licensing alongside DLL sideloading variants used in government-themed spearphishing confirms the dual-use nature.
- An exposed phpinfo() page on port 8081 leaks the server hostname (DESKTOP-GKGI28A), Windows OS details, username (Admin), and development tooling including Cursor IDE and Python 3.10.
- The IP 87.120.107[.]117 is not present in ThreatFox, OTX, VirusTotal community notes, or any other public threat intelligence feed.
- A likely database server at 87.120.107[.]123 (same fl-14 hostname) exposes PostgreSQL on port 5432.
Attack Chain
Shadow RAT operates as a builder-based platform. The operator (or a licensed customer) accesses the panel, configures payload options, and generates a compiled RAT executable. The generated payload is then distributed to victims through the operator's chosen delivery method.
Builder Configuration Options
The panel builder at /api/builder/build accepts extensive configuration parameters:
Persistence mechanisms include scheduled tasks via Windows Task Scheduler, registry run keys, and startup folder shortcuts. The builder can also add the entire C:\ drive to Windows Defender exclusions and enable a rootkit mode using the $77 file prefix, which requires administrator privileges or UAC bypass.
Payload options include melt-build (self-delete of the original executable after installation), assembly copy (cloning PE metadata from a donor executable for masquerading), icon injection for custom executable icons, and configurable connection delay with a default of 3 seconds.
Notification is handled through Telegram, with configurable bot token and chat ID for alerting the operator when a new victim connects.
Post-Compromise Capabilities
Once deployed, Shadow RAT provides the operator with a comprehensive feature set organized into six categories:
Surveillance: Real-time screen streaming with configurable quality and FPS, single-frame screenshot capture, webcam access, and microphone recording. The monitor feature also captures mouse and keyboard input, making it a real-time observation tool rather than just a screen viewer.
Remote Control: Interactive command shell (cmd.exe), file manager with browse/download/upload capabilities, process manager with kill functionality, local file execution, URL-based download-and-execute, and forced URL opening in the victim's browser.
Data Theft: Telegram session extraction, browser credential theft, browser cookie theft, and cryptocurrency wallet detection and theft.
Persistence and Evasion: Multiple persistence mechanisms as described above, plus Windows Defender exclusion and rootkit capabilities.
Harassment: Display manipulation (flip screen, crazy mouse), audio manipulation (volume control, system beep, TTS), physical interaction (CD eject, monitor off), and message box display.
Destructive: System restart, shutdown, BSOD trigger, and self-delete.
Infrastructure Analysis
Panel Architecture
The Shadow RAT Panel v2.0 is a modern single-page application:
- Frontend: Built with Vite and React 18.3.1, last modified on March 6, 2026. The JavaScript bundle (index-BO7-OOXD.js, 358 KB) and CSS bundle (index-C-RiDQxT.css) carry specific SHA256 hashes that can be used for panel fingerprinting.
- Backend: Express.js (Node.js) with JWT-based authentication for regular users and a separate admin key header (x-admin-key) for administrative operations.
- Localization: The panel supports four languages -- English, Russian, Korean, and Turkish -- indicating a diverse target customer base.
- CORS: Fully open (Access-Control-Allow-Origin: *), which is a significant security weakness that allows any domain to make authenticated requests if a valid token is obtained.
API Surface
The panel exposes a comprehensive RESTful API:
Public endpoints include /api/auth/login and /api/auth/register (requiring email, username, and password with a minimum of 4 characters). Registration is open, but accounts require administrator approval before they can log in.
User endpoints (JWT-authenticated) include bot listing (/api/bots), payload building (/api/builder/build), activity logs (/api/logs), settings management (/api/settings), and profile operations.
Admin endpoints (admin-key authenticated) include platform statistics (/api/admin/stats), full user management with CRUD operations, all-bots view, bot hiding, and complete log access.
The user model includes a licensing system with license_days and license_expires_at fields, confirming the subscription-based MaaS model.
Hosting: Shinomiya Bulletproof Hosting
Shinomiya Hosting (AS215428) is a Ukrainian-operated hosting provider that has been flagged as bulletproof by the Dutch government. Key details:
| Attribute | Value |
|---|---|
| Operator | Mykyta Skorobohatko |
| Location | Shostka, Sumska Oblast, Ukraine |
| RIPE Organization | ORG-MS845-RIPE |
| Maintainer | merox-mnt / shinomiya-mnt |
| IP Allocations | 87.120.107.0/24, 77.105.161.0/24 |
| Transit Providers | AS212477, AS56630, AS52000 (Neterra) |
| Hardware | AMD EPYC 9454p, AMD Ryzen 9 5950x |
| Server Locations | Finland and Germany |
| BPH Indicator | Dutch government notification list (2024) |
Shinomiya uses Telegram for sales (@shinomiya_robot) and owner support (@shinomiya_sup), and its website (shinomiya-hosting.com) is described as "under development" in Russian.
Neighboring Infrastructure
The /24 netblock hosting Shadow RAT contains a telling mix of services:
- 87.120.107[.]82: Crypto City exchange (Russian), with exposed phpMyAdmin
- 87.120.107[.]110: moneyducky.bet (gambling)
- 87.120.107[.]123: Same fl-14 hostname as the Shadow RAT server, running PostgreSQL on port 5432 -- likely the panel's database
- 87.120.107[.]132: HTTPS certificate for tori.fi (Finnish marketplace) -- possible phishing
- 87.120.107[.]144: Hostname literally "bot-not-delete" with RDP only
- 87.120.107[.]191: keizak-dev.com (suspended), multiple high ports open
- 87.120.107[.]198: todocoleccion.shop with AMQP (RabbitMQ) on port 5672
This neighborhood profile is consistent with bulletproof hosting: gambling, cryptocurrency exchanges, bot infrastructure, and phishing sites sharing space with malware C2.
Server Profile from phpinfo()
The XAMPP default installation on port 8081 exposes a phpinfo() page that reveals extensive server details:
| Attribute | Value |
|---|---|
| Computer Name | DESKTOP-GKGI28A |
| OS | Windows 10 (build 19045) AMD64 |
| Username | Admin |
| Processor | AMD64 Family 25 Model 33 (Zen 3) |
| Web Server | Apache/2.4.58 (Win64) |
| PHP | 8.2.12 |
| Document Root | C:/xampp/htdocs |
| Dev Tools | Python 3.10, Cursor IDE, .NET SDK |
The presence of Cursor IDE (an AI-assisted code editor) and the DESKTOP- prefix in the hostname suggest this may be a development or staging environment running on a Windows desktop machine, possibly the operator's own workstation being used as a server.
Certificate Analysis
Port 443 presents a self-signed certificate with CN=localhost, originally issued in 2009 and expired in 2019. This is the default XAMPP certificate, indicating the operator never configured proper TLS -- a significant OPSEC failure, as it reveals the default software stack, and a security weakness, as all panel traffic on port 80 is unencrypted.
No certificates appear in Certificate Transparency logs for this IP or for shinomiya-hosting.com, which is consistent with an operator deliberately avoiding CT monitoring.
Malware Analysis
Known Sample: mustang.dll
The primary known sample associated with Shadow RAT is a 64-bit Windows DLL:
| Attribute | Value |
|---|---|
| SHA256 | 90c9e0ee1d74b596a0acf1e04b41c2c5f15d16b2acd39d3dc8f90b071888ac99 |
| Filename | mustang.dll |
| Size | 337,408 bytes |
| Type | Win64 PE DLL |
| Imphash | 9ca317db5c48a19751998fe7eef16fa2 |
| First Seen | 2025-01-28 |
| Reporter | JAMESWT_WT (MalwareBazaar) |
| Origin | Italy |
Developer Fingerprint
The PDB path embedded in the binary reveals significant attribution data:
C:\Users\The Freelancer\source\repos\JAN25\mustang\x64\Release\mustang.pdb
This tells us:
- Developer alias: "The Freelancer"
- Campaign code: JAN25 (January 2025)
- Project name: mustang
- Build configuration: x64 Release
- IDE: Visual Studio (the source\repos directory structure is Visual Studio's default)
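The PDB path is recovered from the CodeView "RSDS" debug record that Visual Studio embeds in the binary (a 4-byte signature, a 16-byte GUID, a 4-byte age, then the NUL-terminated path). The following script is an added example, not tooling from the post or from Breakglass Intelligence: it locates RSDS records in a byte string and splits a default Visual Studio path into the same fields the post reads off it (user alias, solution folder, project, platform, configuration). The image bytes are constructed for the example, with a made-up GUID and age around the path the post reports; the field names are this example's own.

```python
import re
import struct
from typing import Optional

# Constructed stand-in for a PE image (not a real sample): an RSDS record surrounded by
# filler bytes. The path is the one the post reports; the GUID and age are made up.
SAMPLE_PDB_PATH = rb"C:\Users\The Freelancer\source\repos\JAN25\mustang\x64\Release\mustang.pdb"
SAMPLE_IMAGE = (
    b"\x00" * 64
    + b"RSDS"
    + bytes(range(16))        # fake 16-byte GUID
    + struct.pack("<I", 1)    # fake 4-byte age
    + SAMPLE_PDB_PATH + b"\x00"
    + b"\xff" * 32
)

# RSDS record: signature, GUID (16), age (4), then a printable-ASCII path ending in NUL.
RSDS_RE = re.compile(rb"RSDS.{16}.{4}([ -~]{1,260})\x00", re.DOTALL)

# Default Visual Studio layout:
#   C:\Users\<user>\source\repos\<solution>\<project>\<platform>\<config>\<name>.pdb
# The post reads the solution folder (JAN25) as a campaign code.
VS_PDB_RE = re.compile(
    r"^[A-Za-z]:\\Users\\(?P<user>[^\\]+)\\source\\repos\\(?P<solution>[^\\]+)\\"
    r"(?P<project>[^\\]+)\\(?P<platform>x64|x86|Win32|ARM64)\\(?P<config>Debug|Release)\\"
    r"(?P<pdb>[^\\]+\.pdb)$",
    re.IGNORECASE,
)


def extract_pdb_paths(data: bytes) -> list[str]:
    """Return every PDB path carried by an RSDS record in the given bytes."""
    return [m.group(1).decode("ascii") for m in RSDS_RE.finditer(data)]


def parse_vs_pdb_path(path: str) -> Optional[dict]:
    """Split a default Visual Studio PDB path into its developer-fingerprint fields."""
    m = VS_PDB_RE.match(path)
    return m.groupdict() if m else None


def fingerprint_image(data: bytes) -> list[dict]:
    """Combine extraction and parsing; only Visual Studio-style paths are returned."""
    results = []
    for path in extract_pdb_paths(data):
        parsed = parse_vs_pdb_path(path)
        if parsed:
            parsed["raw_path"] = path
            results.append(parsed)
    return results


if __name__ == "__main__":
    for fp in fingerprint_image(SAMPLE_IMAGE):
        print(f"user={fp['user']!r} solution={fp['solution']} project={fp['project']} "
              f"platform={fp['platform']} config={fp['config']}")
```

Run against a real file, `fingerprint_image(open(path, "rb").read())` is enough; the user alias and solution folder are the fields worth pivoting on across samples, since they survive recompilation while hashes and imphashes do not.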
Deployment Method
The known sample uses DLL sideloading via rasphone.exe (Windows Remote Access Connection Manager). The RAT DLL is placed alongside a legitimate copy of rasphone.exe, which loads it automatically. Persistence is maintained through two scheduled tasks: SysUpdater and UtilityUpdater.
The UNG0002 Connection
Attribution Chain
Shadow RAT's link to APT activity comes through multiple sources:
- Malpedia tracks Shadow RAT under the win.shadow_rat family entry and associates it with the UNG0002 threat group.
- Seqrite Labs (Quick Heal's threat intelligence arm) published detailed research in July 2025 documenting UNG0002's campaigns, including the use of Shadow RAT in espionage operations.
UNG0002 Campaign History
| Campaign | Period | Targets |
|---|---|---|
| Operation Cobalt Whisper | May-September 2024 | Defense, aviation in China, Hong Kong |
| Operation AmberMist | January-May 2025 | Government, academia in China, Pakistan |
UNG0002 is characterized as a South Asian espionage actor with TTPs including spearphishing with weaponized documents, ClickFix social engineering, LNK file delivery, DLL sideloading, and fake government pages.
Dual-Use Assessment
The evidence suggests Shadow RAT serves two purposes simultaneously:
- Commercial MaaS: The panel with user registration, licensing, multi-language support (EN/RU/KO/TR), and a builder interface is clearly designed for commercial sale. The operator (Ezhov) manages customer accounts and approves access.
- APT tooling: The DLL sideloading variant with government-themed lures, the "mustang" project name (possibly referencing targets), and the systematic deployment in campaigns tracked by threat intelligence vendors indicate APT-grade usage.
This is not unprecedented -- tools like Cobalt Strike and Brute Ratel began as legitimate security tools before being adopted by threat actors, and conversely, tools like njRAT started as cybercrime tools and were adopted by APT groups. Shadow RAT appears to have been built for criminal sale and subsequently adopted (or specifically contracted) by UNG0002.
Detection Guidance
YARA Rule Summary
Detection rules should target:
- Panel artifacts: The JavaScript bundle hash (4b3a209028d5...) and CSS bundle hash for panel identification on networks.
- DLL sideloading pattern: mustang.dll combined with rasphone.exe in the same directory.
- PDB path patterns: The distinctive "The Freelancer" developer path.
- Import hash: 9ca317db5c48a19751998fe7eef16fa2 for variant detection.
Suricata Rule Summary
Network detection should focus on:
- C2 traffic patterns: HTTP traffic to 87.120.107[.]117 with Express.js headers (X-Powered-By: Express).
- Panel API patterns: Requests to the /api/auth/, /api/bots, and /api/builder/build endpoint patterns.
- CORS fingerprint: The fully open CORS policy combined with JWT Bearer authentication.
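The panel-artifact and network-pattern indicators above can be combined into one scoring pass over proxy telemetry. The script below is an added example and not a rule or tool from the post: it refangs the published IOCs, checks each record against the known C2 addresses, the Shinomiya ranges, the panel API paths, the Express plus open-CORS header pair, and the JavaScript bundle hash, and grades the result. The newline-delimited JSON record layout, the field names, the weights, and the log lines themselves are constructed for the example; the indicators are the post's.

```python
import ipaddress
import json

# Indicators from the post, kept defanged as published and refanged at load time.
DEFANGED_C2 = ("87[.]120[.]107[.]117", "87[.]120[.]107[.]123", "5[.]9[.]228[.]188")
BPH_RANGES = tuple(ipaddress.ip_network(n) for n in ("87.120.107.0/24", "77.105.161.0/24"))
PANEL_PATH_PREFIXES = ("/api/auth/", "/api/bots", "/api/builder/build")
PANEL_JS_SHA256 = "4b3a209028d5f47cffa758f5681884321e85bd35e3da52b77ba23391d8b217be"


def refang(ioc: str) -> str:
    """Turn a defanged indicator (87[.]120[.]107[.]117, hxxp://...) back into a usable one."""
    return ioc.replace("[.]", ".").replace("hxxps://", "https://").replace("hxxp://", "http://")


KNOWN_C2 = frozenset(refang(ip) for ip in DEFANGED_C2)

# Weights are this example's choice: a known C2 or bundle-hash match is decisive on its own,
# a bare /24 hit or a lone API-path match only warrants review.
WEIGHTS = {"known_c2": 4, "bph_range": 1, "panel_api_path": 2, "express_open_cors": 2,
           "panel_js_bundle_hash": 4, "bearer_to_flagged_host": 1}

# Constructed proxy records (not real telemetry). Fields: ts, src_ip, dst_ip, method, path,
# req_headers, resp_headers, optional resp_body_sha256. 203.0.113.10 is a documentation address.
SAMPLE_PROXY_LOG = """\
{"ts":"2026-03-10T09:14:02Z","src_ip":"10.0.0.15","dst_ip":"87.120.107.117","method":"POST","path":"/api/auth/login","req_headers":{},"resp_headers":{"X-Powered-By":"Express","Access-Control-Allow-Origin":"*"}}
{"ts":"2026-03-10T09:14:09Z","src_ip":"10.0.0.15","dst_ip":"87.120.107.117","method":"POST","path":"/api/builder/build","req_headers":{"Authorization":"Bearer eyJ.constructed.token"},"resp_headers":{"X-Powered-By":"Express","Access-Control-Allow-Origin":"*"}}
{"ts":"2026-03-10T09:20:44Z","src_ip":"10.0.0.22","dst_ip":"87.120.107.144","method":"GET","path":"/","req_headers":{},"resp_headers":{}}
{"ts":"2026-03-10T09:21:10Z","src_ip":"10.0.0.31","dst_ip":"203.0.113.10","method":"GET","path":"/api/bots","req_headers":{},"resp_headers":{"X-Powered-By":"Express"}}
{"ts":"2026-03-10T09:25:51Z","src_ip":"10.0.0.15","dst_ip":"87.120.107.117","method":"GET","path":"/assets/index-BO7-OOXD.js","req_headers":{},"resp_headers":{"X-Powered-By":"Express","Access-Control-Allow-Origin":"*"},"resp_body_sha256":"4b3a209028d5f47cffa758f5681884321e85bd35e3da52b77ba23391d8b217be"}
"""


def score_event(ev: dict) -> tuple[int, list[str]]:
    """Score one proxy record; return (score, names of matched indicators in check order)."""
    hits = []
    dst = ipaddress.ip_address(ev["dst_ip"])
    if str(dst) in KNOWN_C2:
        hits.append("known_c2")
    elif any(dst in net for net in BPH_RANGES):
        hits.append("bph_range")
    if any(ev.get("path", "").startswith(p) for p in PANEL_PATH_PREFIXES):
        hits.append("panel_api_path")
    resp = {k.lower(): v for k, v in ev.get("resp_headers", {}).items()}
    if resp.get("x-powered-by") == "Express" and resp.get("access-control-allow-origin") == "*":
        hits.append("express_open_cors")
    if ev.get("resp_body_sha256") == PANEL_JS_SHA256:
        hits.append("panel_js_bundle_hash")
    req = {k.lower(): v for k, v in ev.get("req_headers", {}).items()}
    if req.get("authorization", "").startswith("Bearer ") and ("known_c2" in hits or "bph_range" in hits):
        hits.append("bearer_to_flagged_host")
    return sum(WEIGHTS[h] for h in hits), hits


def verdict(score: int) -> str:
    return "alert" if score >= 4 else "review" if score > 0 else "clean"


def scan_proxy_log(text: str) -> list[dict]:
    """Run score_event over newline-delimited JSON proxy records and grade each one."""
    results = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        score, hits = score_event(ev)
        results.append({"ts": ev["ts"], "src_ip": ev["src_ip"], "dst_ip": ev["dst_ip"],
                        "score": score, "verdict": verdict(score), "hits": hits})
    return results


if __name__ == "__main__":
    for r in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{r['ts']} {r['src_ip']} -> {r['dst_ip']} {r['verdict']:6} score={r['score']} {r['hits']}")
```

The fourth record shows why the API paths are kept at a low weight: /api/bots on an unrelated Express host scores "review" rather than "alert", while the bundle hash and the C2 address each decide the matter on their own.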
Host-Based Indicators
- Scheduled tasks named SysUpdater or UtilityUpdater
- DLL sideloading via rasphone.exe with non-standard DLL names
- Files prefixed with $77 (rootkit mode indicator)
- Windows Defender exclusion for C:\ added via command line
- Connections to 87.120.107.0/24 or 77.105.161.0/24
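The host-based indicators above, and the builder-output pattern the recommendations later describe (Defender exclusion plus scheduled task plus $77 prefix), can be checked together against endpoint telemetry. The script below is an added example rather than a detection from the post: it evaluates per-host event batches for the two task names, a command line that excludes C:\ from Defender, $77-prefixed file creation, and DLL loads by rasphone.exe from outside the Windows directory, then grades each host. The event schema and the events are constructed for the example; it assumes the exclusion is added with the Add-MpPreference/Set-MpPreference PowerShell cmdlets, which the post does not specify.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

SUSPECT_TASKS = {"sysupdater", "utilityupdater"}        # task names from the post
SIDELOAD_HOST = "rasphone.exe"                          # legitimate loader abused for sideloading
KNOWN_SIDELOAD_DLLS = {"mustang.dll"}                   # known Shadow RAT DLL name from the post
WINDOWS_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Assumption (not stated in the post): the exclusion is added via the Defender PowerShell
# cmdlets. The schtasks pattern catches task creation from a command line as well as task events.
DEFENDER_EXCL_RE = re.compile(r"(?:add|set)-mppreference\b.*-exclusionpath\b.*['\"]?c:\\", re.IGNORECASE)
SCHTASKS_RE = re.compile(r"schtasks(?:\.exe)?\s+/create\b.*?/tn\s+\"?([^\s\"]+)", re.IGNORECASE)

# Constructed EDR events (not real telemetry). WS-0412 shows the full builder-output pattern,
# WS-0203 a lone non-system DLL load by rasphone.exe, WS-0077 benign activity only.
SAMPLE_EVENTS = [
    {"host": "WS-0412", "type": "process",
     "cmdline": "powershell.exe -NoP -C Add-MpPreference -ExclusionPath 'C:\\'"},
    {"host": "WS-0412", "type": "process",
     "cmdline": "schtasks /create /tn UtilityUpdater /tr C:\\Users\\Public\\rasphone.exe /sc onlogon"},
    {"host": "WS-0412", "type": "scheduled_task", "name": "SysUpdater",
     "action": "C:\\Users\\Public\\rasphone.exe"},
    {"host": "WS-0412", "type": "file_create", "path": "C:\\Users\\Public\\$77svc.exe"},
    {"host": "WS-0412", "type": "image_load", "process": "C:\\Users\\Public\\rasphone.exe",
     "dll": "C:\\Users\\Public\\mustang.dll"},
    {"host": "WS-0203", "type": "image_load", "process": "C:\\Users\\bob\\Downloads\\rasphone.exe",
     "dll": "C:\\Users\\bob\\Downloads\\helper.dll"},
    {"host": "WS-0077", "type": "image_load", "process": "C:\\Windows\\System32\\rasphone.exe",
     "dll": "C:\\Windows\\System32\\rasdlg.dll"},
    {"host": "WS-0077", "type": "scheduled_task", "name": "OneDrive Standalone Update Task",
     "action": "C:\\Users\\bob\\AppData\\Local\\Microsoft\\OneDrive\\OneDriveStandaloneUpdater.exe"},
]


def check_event(ev: dict) -> list[str]:
    """Return the indicator names one event matches (empty list for benign events)."""
    hits = []
    kind = ev.get("type")
    if kind == "process":
        cmd = ev.get("cmdline", "")
        if DEFENDER_EXCL_RE.search(cmd):
            hits.append("defender_exclusion_c_drive")
        m = SCHTASKS_RE.search(cmd)
        if m and m.group(1).lower() in SUSPECT_TASKS:
            hits.append(f"scheduled_task:{m.group(1)}")
    elif kind == "scheduled_task":
        if ev.get("name", "").lower() in SUSPECT_TASKS:
            hits.append(f"scheduled_task:{ev['name']}")
    elif kind == "file_create":
        if PureWindowsPath(ev.get("path", "")).name.startswith("$77"):
            hits.append("rootkit_prefix_$77")
    elif kind == "image_load":
        proc = PureWindowsPath(ev.get("process", ""))
        dll = PureWindowsPath(ev.get("dll", ""))
        if proc.name.lower() == SIDELOAD_HOST:
            if dll.name.lower() in KNOWN_SIDELOAD_DLLS:
                hits.append(f"known_sideload_dll:{dll.name}")
            elif not str(dll).lower().startswith(WINDOWS_DIRS):
                hits.append(f"rasphone_nonsystem_dll:{dll.name}")
    return hits


def evaluate_hosts(events: list[dict]) -> dict[str, dict]:
    """Group indicators per host; a known DLL name or two distinct indicator families escalates."""
    per_host = defaultdict(list)
    for ev in events:
        per_host[ev["host"]].extend(check_event(ev))
    report = {}
    for host, hits in per_host.items():
        families = {h.split(":")[0] for h in hits}
        if "known_sideload_dll" in families or len(families) >= 2:
            grade = "likely_shadow_rat"
        elif families:
            grade = "review"
        else:
            grade = "clean"
        report[host] = {"indicators": sorted(hits), "verdict": grade}
    return report


if __name__ == "__main__":
    for host, info in evaluate_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: {info['verdict']} {info['indicators']}")
```

A single rasphone.exe loading an unknown DLL from a user directory is graded "review" only, since the loader itself is legitimate; the combination of exclusion, task and $77 prefix is what identifies builder output.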
IOCs (Defanged)
Network Indicators
87[.]120[.]107[.]117 -- LIVE Shadow RAT Panel v2.0 C2 (port 80)
87[.]120[.]107[.]123 -- Likely Shadow RAT PostgreSQL database (port 5432)
5[.]9[.]228[.]188 -- Previous Shadow RAT C2 (DEAD, was port 5000)
Domains
fl-14.hosted-by.shinomiya-hosting[.]com -- Reverse DNS for C2
shinomiya-hosting[.]com -- BPH provider
URLs
hxxp://87[.]120[.]107[.]117/login -- Panel login
hxxp://87[.]120[.]107[.]117/admin -- Admin panel
hxxp://87[.]120[.]107[.]117/api/auth/login -- Auth API
hxxp://87[.]120[.]107[.]117/api/builder/build -- RAT builder
hxxp://87[.]120[.]107[.]117:8081/dashboard/phpinfo.php -- Exposed phpinfo
hxxps://t[.]me/spyingsystem -- Operator Telegram
File Hashes
mustang.dll (Shadow RAT DLL):
SHA256: 90c9e0ee1d74b596a0acf1e04b41c2c5f15d16b2acd39d3dc8f90b071888ac99
SHA1: 23382a69715a8e597d7ff605b9e41ef0f64b9897
MD5: 2d2dc4dbefa47b9ac563a0f9fd65929f
Panel JavaScript Bundle:
SHA256: 4b3a209028d5f47cffa758f5681884321e85bd35e3da52b77ba23391d8b217be
Behavioral Indicators
PDB Path: C:\Users\The Freelancer\source\repos\JAN25\mustang\x64\Release\mustang.pdb
Sched Tasks: SysUpdater, UtilityUpdater
DLL Sideload: rasphone.exe + mustang.dll
File Prefix: $77 (rootkit mode)
HTTP Header: X-Powered-By: Express
HTTP Header: Access-Control-Allow-Origin: *
Hostname: DESKTOP-GKGI28A
ASN: AS215428 (Shinomiya Hosting)
Infrastructure Indicators
IP Ranges: 87.120.107.0/24, 77.105.161.0/24
RIPE Org: ORG-MS845-RIPE
Maintainer: merox-mnt
Telegram: @shinomiya_robot (sales), @shinomiya_sup (support)
MITRE ATT&CK Mapping
| Tactic | Technique | ID |
|---|---|---|
| Initial Access | Spearphishing Attachment | T1566.001 |
| Initial Access | Spearphishing Link | T1566.002 |
| Execution | User Execution: Malicious File | T1204.002 |
| Execution | PowerShell | T1059.001 |
| Execution | Windows Command Shell | T1059.003 |
| Persistence | Scheduled Task | T1053.005 |
| Persistence | Registry Run Keys | T1547.001 |
| Defense Evasion | Disable or Modify Tools | T1562.001 |
| Defense Evasion | Masquerading | T1036.005 |
| Defense Evasion | File Deletion | T1070.004 |
| Defense Evasion | DLL Side-Loading | T1574.002 |
| Defense Evasion | Rootkit | T1014 |
| Discovery | System Information Discovery | T1082 |
| Discovery | Process Discovery | T1057 |
| Collection | Screen Capture | T1113 |
| Collection | Video Capture | T1125 |
| Collection | Audio Capture | T1123 |
| Collection | Keylogging | T1056.001 |
| Credential Access | Credentials from Web Browsers | T1555.003 |
| Credential Access | Steal Web Session Cookie | T1539 |
| Credential Access | Steal Application Access Token | T1528 |
| Exfiltration | Exfiltration Over C2 Channel | T1041 |
| Command and Control | Web Protocols | T1071.001 |
| Command and Control | Ingress Tool Transfer | T1105 |
| Impact | System Shutdown/Reboot | T1529 |
Recommended Actions
Immediate (24-48 hours):
- Block 87.120.107[.]117 and 87.120.107[.]123 at perimeter firewalls
- Search proxy/firewall logs for connections to 87.120.107.0/24
- Check for scheduled tasks named SysUpdater or UtilityUpdater on Windows endpoints
- Deploy YARA rules for Shadow RAT artifact detection
- Deploy Suricata rules for C2 traffic detection
Short-term (1-2 weeks):
- Submit 87.120.107[.]117:80 to ThreatFox as new Shadow RAT C2
- Block ASN AS215428 (87.120.107.0/24 and 77.105.161.0/24) at network edge
- Hunt for mustang.dll and imphash 9ca317db5c48a19751998fe7eef16fa2 across EDR telemetry
- Monitor @spyingsystem Telegram channel for new panel deployments
Medium-term (1-3 months):
- Develop behavioral detections for Shadow RAT builder output (WD exclusion + schtasks + $77 prefix pattern)
- Monitor Shinomiya Hosting IP ranges for new C2 deployments
- Cross-reference UNG0002 TTPs with internal incident data
- Coordinate with CERT-UA regarding Shinomiya Hosting abuse
- Pursue upstream provider disconnection (AS212477, AS56630, AS52000/Neterra) as the BPH provider is unlikely to self-police
References
- Seqrite Labs: "UNG0002: Regional Threat Operations Tracked Across Multiple Asian Jurisdictions" (July 2025)
- Malpedia: win.shadow_rat family documentation
- ThreatFox: IOC 1737301 (5.9.228.188:5000, Shadow RAT C2)
- MalwareBazaar: mustang.dll (SHA256: 90c9e0ee...)
- The Hacker News: "UNG0002 Group Hits China, Hong Kong, Pakistan" (July 2025)
- Dutch Data Centers: Hosting customer notification list 2024
Published by Breakglass Intelligence -- intel.breakglass.tech
Investigation conducted 2026-03-10