ShadowLadder Unmasked: GhostPulse IDAT Steganography Delivers Rhadamanthys via Trojanized KMS Activators
TL;DR: A trojanized KMS activator MSI installer delivers the Rhadamanthys information stealer through a sophisticated multi-stage infection chain leveraging GhostPulse IDAT steganography, HijackLoader DLL sideloading, and legitimate Zoner Photo Studio binaries. This sample is part of the ShadowLadder campaign -- a prolific malware delivery operation active since September 2024 with 35 confirmed samples across five malware families (Rhadamanthys, HijackLoader, ACRStealer, DeerStealer, PeakLight). Infrastructure analysis revealed 7 campaign domains across 4 Cloudflare accounts and 5 registrars, with hosting on MediaLand bulletproof hosting (Russia) and QWINS LTD (Germany/UK). A live 2xClub gambling scam panel co-located on the same delivery infrastructure, combined with Indian business domains and a personal name in certificate transparency logs, provides strong attribution leads pointing to a South Asian operator.
Key Findings
A 14-Month Campaign with 35 Samples
What initially appeared to be a single trojanized KMS installer turned out to be one node in a much larger operation. By pivoting through infrastructure, certificate transparency logs, and MalwareBazaar submissions, we identified 35 ShadowLadder campaign samples spanning from September 2024 through November 2025, delivering five distinct malware families:
- Rhadamanthys: Primary information stealer (most samples)
- HijackLoader: DLL sideloading framework used as intermediate loader
- ACRStealer: Alternative stealer deployed in later campaign phases
- DeerStealer: Credential-focused stealer
- PeakLight: Earlier campaign variant linked through infrastructure overlap
The campaign evolved through distinct phases -- starting with ISO/ZIP delivery of PeakLight-related samples in September 2024, transitioning to signed MSIs via bulletproof hosting in June 2025, pivoting to piracy-themed lures in July-August 2025, and shifting to Booking.com phishing themes by September 2025.
Sophisticated DLL Sideloading Chain
The infection chain abuses legitimate, Authenticode-signed software to load malicious code:
- VoTransmitt.exe -- A genuine Zoner Photo Studio Autoupdate binary (compiled January 2017, digitally signed by ZONER software). Contains zero malicious code.
- sciter32.dll -- A trojanized Sciter HTML rendering engine that functions as HijackLoader. Loaded via DLL search order hijacking when VoTransmitt.exe starts.
- mfc110u.dll -- A modified Microsoft MFC library with a high-entropy .rsrc section (7.55) containing an embedded PE executable and a decoy PNG image.
GhostPulse IDAT Steganography
The payload concealment technique is particularly notable. The file Crock.elf (1.9MB; the .elf extension is decorative, the file is not an ELF binary) uses the GhostPulse IDAT chunk technique:
- 238 IDAT chunks of up to 8,192 bytes each (the total is not a multiple of 8,192, so the final chunk is shorter)
- Combined payload: 1,948,728 bytes of custom-encrypted data
- Valid IEND chunk at offset 1,968,050 with the correct CRC (ae426082)
- No PNG signature or IHDR -- this is not a displayable image, and a real PNG decoder rejects it before it ever reaches the chunks
- Not zlib compressed -- uses custom encryption (chi-squared against a uniform byte distribution: 604,754)
- Dominant byte values: 0x05 (35K), 0x04 (35K), 0x21 (29K), 0x68 (29K) -- far from the flat distribution a sound cipher produces, pointing to a weak scheme such as short-key XOR rather than real encryption
The chunk framing (length, type, data, CRC) is borrowed from the PNG specification, but the data inside is custom-encrypted shellcode rather than a zlib stream. With no signature, magic-byte type identification (libmagic, the file utility) reports generic data rather than an image, while chunk-level carvers and byte-pattern scanners see plausible, CRC-correct PNG structure; the loader itself only needs to walk the chunks and concatenate their data, so nothing else of the PNG format is required.
Indian Attribution Trail
Multiple OPSEC failures point toward a South Asian operator:
- nishidhjain.freefugga.com subdomain visible in certificate transparency logs -- a personal name
- schoolerp and smartschool subdomains on freefugga.com suggest Indian EdTech connections
- Server at 194.195.113.17 hosts aakashdoot.com and indwaredigital.com -- both Indian business domains
- bom1.int3rnet.net hostname (BOM is Mumbai's airport code)
- Co-location of malware delivery with a 2xClub gambling scam panel on the same domain
Attack Chain
Stage 1: Social Engineering & Delivery
Victim searches for KMS activator (piracy lure)
Lands on kms-download[.]freefugga[.]com
Redirected to Box.com cloud storage for download
Downloads trojanized MSI installer
|
v
Stage 2: MSI Installation (WiX 4.0)
Product: "Loquitur" v0.10.0.0
Manufacturer: "Transudate Desirable"
Drops 8 files to %LocalAppData%\Eyalet\
Custom action LaunchFile (Type 210 = 18 + 64 + 128: run an EXE from the File table, asynchronously, ignoring its exit code; Sequence 6601, immediately after InstallFinalize at 6600)
Executes VoTransmitt.exe as soon as the files are on disk, spawned by msiexec.exe (a useful parent-child detection point)
|
v
Stage 3: DLL Sideloading
VoTransmitt.exe (legitimate Zoner Photo Studio binary)
Loads sciter32.dll via DLL search order hijacking
sciter32.dll = HijackLoader (trojanized Sciter engine)
|
v
Stage 4: Payload Decryption
HijackLoader reads mfc110u.dll .rsrc section
Extracts embedded PE from offset 251499
Processes Crock.elf (238 IDAT chunks)
Decrypts 1.9MB of GhostPulse shellcode
Reads Kroudroum.fvn (29KB encrypted config)
|
v
Stage 5: Final Payload
Rhadamanthys information stealer deployed
Targets: browser credentials, crypto wallets, system info
Exfiltrates via HTTP POST to C2
MSI Installer Details
The MSI was built with WiX Toolset 4.0.0.0 and uses deliberately obscure metadata:
| Property | Value |
|---|---|
| Product Name | Loquitur |
| Version | 0.10.0.0 |
| Manufacturer | Transudate Desirable |
| ProductCode | {DCEE34D6-5BDA-4775-AA7C-C694E38DE31B} |
| UpgradeCode | {E6809AD1-B748-4EE7-B4D5-D81312C55847} |
| Install Directory | %LocalAppData%\Eyalet |
"Loquitur" (Latin: "he/she speaks") and "Transudate Desirable" are nonsense strings chosen to avoid obvious malware signatures. The install path Eyalet (a historical Ottoman administrative division) is equally obscure -- but all of these become strong behavioral detection signatures precisely because they are so unusual.
Infrastructure Analysis
Delivery Infrastructure
The delivery chain uses Cloudflare proxying to hide the true hosting:
| Domain | IP | Provider | Status | Purpose |
|---|---|---|---|---|
| kms-download[.]freefugga[.]com | (Cloudflare-proxied) | Cloudflare AS13335 | DEAD | KMS download redirect |
| freefugga[.]com | 172.67.210.236 | Cloudflare | LIVE | Primary delivery domain |
| copred[.]freefugga[.]com | 194[.]195[.]113[.]17 | Linode/Akamai (GB) | LIVE | 2xClub gambling panel |
The freefugga.com domain serves dual purposes -- malware delivery via the kms-download subdomain and a gambling scam panel via the copred subdomain. This co-location is a significant OPSEC failure, linking the malware operation to the gambling scam and providing additional attribution data.
Campaign-Wide Infrastructure
Pivoting through ThreatFox reports, certificate transparency logs, and shared Cloudflare nameserver pairs revealed the broader ShadowLadder infrastructure:
| Domain | NS Pair | Registrar | First Seen | Theme |
|---|---|---|---|---|
| shim4[.]familygater[.]com | Cloudflare | GoDaddy | 2025-08-02 | KMS C2 |
| shim1[.]jovimix[.]com | parklogic | N/A | 2025-07-27 | KMS C2 |
| rhada[.]babynamebanner[.]com | Cloudflare | Namecheap | 2025-07-27 | Rhadamanthys C2 |
| invitation-confirm[.]com | phil/aspen | NiceNIC | 2025-09-19 | Booking.com phishing |
| maut-swiss[.]com | phil/aspen | Realtime Register | 2025-09-19 | Booking.com phishing |
| auric-cdn[.]pro | georgia/apollo | Unknown | 2025-07-28 | CDN impersonation |
Shared Cloudflare Account Analysis
Cloudflare assigns a fixed nameserver pair to each account rather than to each zone, so every domain in one account answers with the same pair. The pool of pairs is finite, though, and unrelated accounts can share one; a matching pair is therefore a strong pivot that should be corroborated (registrar, first-seen timing, content overlap), not proof of common ownership on its own:
| NS Pair | Domains | Implication |
|---|---|---|
| phil / aspen | invitation-confirm[.]com, maut-swiss[.]com | Same operator runs both Booking.com phishing domains |
| marty / melissa | freefugga[.]com | KMS delivery operator (may be same or different) |
| georgia / apollo | auric-cdn[.]pro | CDN impersonation operator |
The phil/aspen cluster is the most significant -- it links the two Booking.com phishing domains, both first seen on the same day (2025-09-19), to one Cloudflare account, which together with the matching timing strongly indicates a single operator.
Hosting Providers
| IP | ASN | Provider | Country | Purpose |
|---|---|---|---|---|
| 80[.]253[.]249[.]210 | AS213702 | QWINS LTD | DE/GB | Booking.com phishing C2 |
| 45[.]141[.]87[.]249 | AS206728 | MediaLand | RU | Signed MSI hosting (bulletproof) |
| 194[.]195[.]113[.]17 | AS63949 | Linode/Akamai | GB | 2xClub gambling panel |
MediaLand (AS206728) is a well-documented Russian bulletproof hosting provider frequently used for malware distribution. Its presence in this campaign's infrastructure for hosting signed MSI installers indicates the operator prioritizes hosting resilience over cost.
Malware Technical Analysis
Component Inventory
| Component | Filename | Size | Purpose |
|---|---|---|---|
| VoTransmitt.exe | FPgllPeT | 680 KB | Legitimate Zoner Photo Studio sideloading host |
| sciter32.dll | sSaoBi6t6COQ | 4.2 MB | HijackLoader (trojanized Sciter engine) |
| mfc110u.dll | FEemFP5am3Q22 | 4.2 MB | Modified MFC with encrypted .rsrc payload |
| MSVCR110.dll | BWmk1o8i8bBr22O | 855 KB | Legitimate MSVC Runtime |
| MSVCP110.dll | tjQLseMlNINiw50s | 522 KB | Legitimate MSVC Runtime |
| zpsres.US.dll | WOOsHfo4mu | 618 KB | Legitimate Zoner resource DLL |
| Kroudroum.fvn | GTChkPsZ4 | 29 KB | Encrypted config/key material |
| Crock.elf | PgXoFq6gZVaSVX9v | 1.9 MB | IDAT-encrypted GhostPulse payload |
Four of the eight dropped files are legitimate binaries -- the sideloading host, two MSVC runtime libraries, and a Zoner resource DLL. Three contain malicious or suspicious content: the trojanized sciter32.dll, the modified mfc110u.dll, and the IDAT-encrypted Crock.elf. The eighth, Kroudroum.fvn, is the config blob that supplies key material for the decryption process.
HijackLoader (sciter32.dll)
The trojanized Sciter library maintains its original functionality while injecting malicious code:
- Compile timestamp: 2015-08-14 (original Sciter build date preserved)
- Imphash: 3297c878977a6c31dd6a16538ef07faa
- .text section: 3.3MB at entropy 6.61 (moderate: consistent with compressed or mixed code and data, not a fully encrypted blob)
- Import table: 19 Windows DLLs including ws2_32 (networking), wininet (HTTP), urlmon (URL handling)
The broad import table provides the loader with everything it needs -- network communication, COM automation, graphics rendering (to maintain Sciter functionality), and shell execution.
Resource Payload (mfc110u.dll)
The modified MFC library's .rsrc section is the most interesting component:
- Section size: 1.4MB
- Entropy: 7.55 (indicating encryption or compression)
- Embedded PNG: 757-byte decoy image at resource offset 119272
- Embedded PE: Full executable at resource offset 251499
The decoy PNG image may serve as a smokescreen for basic resource analysis -- an analyst might see the PNG and assume the resource section is benign. The actual payload PE is hidden deeper in the resource data.
IDAT Chunk Structure (Crock.elf)
The GhostPulse IDAT technique warrants detailed examination:
Offset 0x0000 - 0x404E: Header region (16,462 bytes)
- Custom format, not PNG compliant
- 51% null bytes (padding/alignment)
- Contains obfuscated configuration data
Offset 0x404E - 0x1E0732: IDAT chunks (238 chunks)
- Each chunk: 8,192 bytes payload
- Standard IDAT chunk format (length + type + data + CRC)
- Combined payload: 1,948,728 bytes
- NOT zlib compressed -- custom encryption
Offset 0x1E0732: IEND chunk
- Valid CRC: ae426082
- Proper PNG termination marker
The technique borrows PNG chunk framing to build a container that passes chunk-level structural checks (sane lengths, ASCII chunk types, correct CRCs, a terminating IEND) while concealing custom-encrypted shellcode. Because the signature and IHDR are missing, a real PNG decoder rejects the file before it reaches the chunks; the point is not to render as an image but to look like inert, corrupt image data to carving tools and byte-pattern scanners, and to give the loader a trivial structure to walk. Detection should therefore key on the combination -- IDAT chunks with valid CRCs in a file that has no PNG signature and whose concatenated IDAT data is not a zlib stream -- rather than on any single element.
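To make the structure above concrete, the following Python (an added example written for this write-up, not the loader's code or anything recovered from the sample) walks an IDAT container the way the loader must: find the first IDAT tag without a signature, verify each chunk CRC, concatenate the data, and then check whether the result is a zlib stream and how flat its byte distribution is. It also applies to the Key Findings summary of Crock.elf earlier in the page. The container it builds is constructed in memory with a throwaway keystream; the real Crock.elf bytes are not embedded, so its entropy and chi-squared values differ from the ones reported above.

```python
"""Walk a GhostPulse-style IDAT container: find the first IDAT chunk without a PNG
signature, verify chunk CRCs, concatenate the IDAT data, and test whether the result is a
zlib stream or opaque ciphertext. Added example for this write-up, not the loader's code;
the sample container is constructed in memory, not taken from Crock.elf."""
import math
import struct
import zlib
from collections import Counter

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
IEND_CRC = 0xAE426082  # CRC-32 of the bytes b"IEND"; every well-formed PNG ends with it


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 is flat, ~7.9+ is typical of ciphertext or compressed data."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def chi_squared(data: bytes) -> float:
    """Chi-squared distance from a uniform byte distribution (255 degrees of freedom)."""
    if not data:
        return 0.0
    expected, counts = len(data) / 256, Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def make_chunk(ctype: bytes, payload: bytes) -> bytes:
    """Serialize a PNG chunk: big-endian length, 4-byte type, data, CRC-32 over type+data."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def iter_chunks(data: bytes, start: int):
    """Yield (offset, type, payload, stored_crc, crc_ok) from `start` until IEND, or until a
    chunk overruns the buffer or carries a non-ASCII type."""
    pos = start
    while pos + 12 <= len(data):
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        ctype = data[pos + 4:pos + 8]
        end = pos + 12 + length
        if end > len(data) or not ctype.isalpha():
            break
        payload = data[pos + 8:pos + 8 + length]
        stored = struct.unpack(">I", data[end - 4:end])[0]
        yield pos, ctype.decode("ascii"), payload, stored, (zlib.crc32(ctype + payload) & 0xFFFFFFFF) == stored
        pos = end
        if ctype == b"IEND":
            break


def find_first_idat(data: bytes):
    """No signature or IHDR to anchor on, so the loader (and we) scan for the IDAT tag."""
    idx = data.find(b"IDAT")
    return None if idx < 4 else idx - 4


def analyze_container(data: bytes) -> dict:
    """Summarize a container the way the write-up characterizes Crock.elf."""
    start = find_first_idat(data)
    if start is None:
        return {"idat_count": 0, "ghostpulse_like": False}
    parts, iend_crc, bad_crc = [], None, 0
    for _, ctype, payload, stored, ok in iter_chunks(data, start):
        bad_crc += not ok
        if ctype == "IDAT":
            parts.append(payload)
        elif ctype == "IEND":
            iend_crc = stored
    blob = b"".join(parts)
    try:
        zlib.decompress(blob)  # in a real PNG the concatenated IDAT data is one zlib stream
        zlib_stream = True
    except zlib.error:
        zlib_stream = False
    has_sig = data.startswith(PNG_SIGNATURE)
    return {
        "has_png_signature": has_sig, "header_size": start,  # opaque bytes before the first IDAT
        "idat_count": len(parts), "payload_size": len(blob), "bad_crc_chunks": bad_crc,
        "iend_crc": iend_crc, "iend_crc_ok": iend_crc == IEND_CRC, "zlib_stream": zlib_stream,
        "entropy": round(shannon_entropy(blob), 2), "chi_squared": round(chi_squared(blob), 1),
        "top_bytes": Counter(blob).most_common(4),
        # CRC-correct IDAT chunks, no signature, no zlib stream: the GhostPulse fingerprint.
        "ghostpulse_like": bool(parts) and not has_sig and not zlib_stream,
    }


def build_sample(payload_len: int = 3 * 8192 + 1000, header_len: int = 96) -> bytes:
    """Constructed stand-in for Crock.elf: null header, 8 KiB IDAT chunks, proper IEND. The
    payload is a throwaway deterministic keystream, NOT the campaign's cipher or data."""
    payload = bytes(((i * 73) ^ (i >> 3)) & 0xFF for i in range(payload_len))
    chunks = b"".join(make_chunk(b"IDAT", payload[i:i + 8192]) for i in range(0, payload_len, 8192))
    return bytes(header_len) + chunks + make_chunk(b"IEND", b"")


def build_real_png() -> bytes:
    """Minimal genuine 1x1 8-bit grayscale PNG, for contrast with the container."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # width, height, depth, color type, ...
    return (PNG_SIGNATURE + make_chunk(b"IHDR", ihdr)
            + make_chunk(b"IDAT", zlib.compress(b"\x00\x00")) + make_chunk(b"IEND", b""))
```

The ghostpulse_like verdict is the combination that matters: IDAT chunks with correct CRCs, no PNG signature, and concatenated IDAT data that zlib refuses. A genuine PNG from build_real_png() fails that test, as does a file with no IDAT tag at all; a flipped byte inside a chunk shows up in bad_crc_chunks, which is also how you tell a deliberately framed container from random corruption.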
Config Blob (Kroudroum.fvn)
The 29,634-byte config file has entropy of 5.09 -- well below the IDAT payload, consistent with a light XOR-style encoding over data that keeps long null runs rather than with strong encryption:
- 40% null bytes with interleaved alphanumeric strings
- No cleartext URLs or IP addresses
- Likely contains XOR-encoded C2 configuration and decryption keys for the IDAT payload
Detection
YARA Detection Summary
Detection rules target:
- MSI metadata strings: "Loquitur", "Transudate Desirable", ProductCode/UpgradeCode GUIDs
- Install path: %LocalAppData%\Eyalet
- IDAT chunk structure: 238 sequential IDAT chunks without a valid PNG header
- mfc110u.dll resource section entropy exceeding 7.0
- HijackLoader sciter32.dll imphash
- Config file characteristics: Kroudroum.fvn byte patterns
- VoTransmitt.exe + sciter32.dll co-location (sideloading indicator)
Suricata Detection Summary
Network rules cover:
- DNS queries for all campaign domains (freefugga.com, familygater.com, jovimix.com, babynamebanner.com, invitation-confirm.com, maut-swiss.com, auric-cdn.pro)
- HTTP requests to Box.com cloud storage matching MSI download patterns
- TLS SNI matching for campaign domains behind Cloudflare
- Connections to known C2 IPs (80[.]253[.]249[.]210, 45[.]141[.]87[.]249)
- MSI download via redirect chain (freefugga.com to box.com)
IOCs (Defanged)
Network Indicators
Delivery Domains:
kms-download[.]freefugga[.]com
freefugga[.]com
copred[.]freefugga[.]com
Campaign C2 Domains:
shim4[.]familygater[.]com
shim1[.]jovimix[.]com
rhada[.]babynamebanner[.]com
invitation-confirm[.]com
maut-swiss[.]com
auric-cdn[.]pro
IP Addresses:
194[.]195[.]113[.]17 # Linode/Akamai (GB) - 2xClub panel
80[.]253[.]249[.]210 # QWINS LTD (DE/GB) - Booking C2
45[.]141[.]87[.]249 # MediaLand (RU) - MSI hosting [BPH]
File Hashes
MSI Installer:
SHA-256: e49862174e4d6393136a8315c6050b364bc6a73aac881b543c539d61d0426fe5
MD5: 2f1bd37e470f8e06efaf54909c914828
SHA-1: f5a2f9e0e1b9aa89789a4d1d48421053664cd73c
HijackLoader (sciter32.dll):
SHA-256: 2e9c997b0bb74e9bc9ba5768034aa9114c43779e60e4a8575989c07e0cb2e52b
Imphash: 3297c878977a6c31dd6a16538ef07faa
Modified MFC (mfc110u.dll):
SHA-256: 68734bc4eb077a53e842fe997aee2dcf329df12945b607b7f184a38a8dc75a70
Sideloading Host (VoTransmitt.exe):
SHA-256: 1432faeddfe57877873e8608ace13739ca66e8ce12b3453531e7eec4753df21d
IDAT Payload (Crock.elf):
SHA-256: 85d2a2495f6ea2c61bd86f126cf37cba3194c87e08b56834c68571dbc13c2f83
Config (Kroudroum.fvn):
SHA-256: 4666f0546a53349abc76e36030903aa7d94ea49d98e18684ba3e3407e18845ef
Behavioral Indicators
Install path: %LocalAppData%\Eyalet\
MSI Product: Loquitur v0.10.0.0
MSI Manufacturer: Transudate Desirable
ProductCode: {DCEE34D6-5BDA-4775-AA7C-C694E38DE31B}
UpgradeCode: {E6809AD1-B748-4EE7-B4D5-D81312C55847}
Config file: Kroudroum.fvn
Payload file: Crock.elf
Sideload target: sciter32.dll via VoTransmitt.exe
MITRE ATT&CK Mapping
| Tactic | Technique | ID | Application |
|---|---|---|---|
| Initial Access | Phishing: Spearphishing Link | T1566.002 | KMS piracy lure via freefugga.com |
| Execution | User Execution: Malicious File | T1204.002 | Victim runs downloaded MSI installer |
| Execution | System Binary Proxy Execution: Msiexec | T1218.007 | WiX 4.0 MSI with custom action LaunchFile |
| Persistence | Hijack Execution Flow: DLL Search Order Hijacking | T1574.001 | VoTransmitt.exe loads malicious sciter32.dll |
| Defense Evasion | Hijack Execution Flow: DLL Side-Loading | T1574.002 | Legitimate signed binary loads trojanized DLL |
| Defense Evasion | Masquerading: Match Legitimate Name or Location | T1036.005 | MSI poses as KMS activator |
| Defense Evasion | Obfuscated Files and Information | T1027 | Multi-layer encryption across components |
| Defense Evasion | Obfuscated Files and Information: Steganography | T1027.003 | GhostPulse IDAT chunk technique in Crock.elf |
| Defense Evasion | Deobfuscate/Decode Files or Information | T1140 | Runtime decryption of IDAT payload and config |
| Collection | Data from Local System | T1005 | Rhadamanthys harvests credentials and wallets |
| Exfiltration | Exfiltration Over C2 Channel | T1041 | HTTP POST exfiltration to campaign C2 |
Campaign Timeline
| Period | Activity | Details |
|---|---|---|
| Sep 2024 | Campaign origin | PeakLight-related samples, ISO/ZIP delivery |
| Jun 2025 | Infrastructure upgrade | Signed MSI delivery via MediaLand BPH |
| Jul 2025 | Primary campaign launch | Rhadamanthys + DeerStealer via KMS piracy lures |
| Aug 2025 | Peak activity | Daily sample submissions, GhostPulse IDAT integration |
| Sep 2025 | Theme pivot | Shift to Booking.com phishing (invitation-confirm.com, maut-swiss.com) |
| Nov 2025 | New stealer integration | ACRStealer added to malware portfolio |
| Mar 2026 | This sample identified | KMS activator MSI via freefugga.com delivery |
Attribution Assessment
Confidence: MEDIUM
The convergence of multiple OPSEC failures points toward an operator based in India or South Asia:
- nishidhjain.freefugga.com -- A personal name (Nishidh Jain) visible in certificate transparency logs. This is the strongest single attribution indicator.
- Co-located infrastructure -- The same freefugga.com domain serves both malware and a 2xClub gambling scam panel, linking the operations.
- Indian business domains -- The server at 194.195.113.17 also hosts aakashdoot.com and indwaredigital.com (Indian businesses).
- EdTech connections -- schoolerp and smartschool subdomains on freefugga.com suggest connections to Indian educational technology.
- Mumbai hostname -- bom1.int3rnet.net (BOM = Chhatrapati Shivaji Maharaj International Airport, Mumbai).
The operator demonstrates intermediate sophistication -- the GhostPulse IDAT technique and DLL sideloading chain are technically advanced, but the co-location of malware with a gambling scam on the same domain and the personal name in CT logs represent fundamental OPSEC failures that undermine the technical tradecraft.
Published by Breakglass Intelligence -- Automated threat intelligence. Zero analyst fatigue.
Investigation conducted March 10, 2026. Infrastructure status reflects point-in-time observations.