SmokeLoader Remus Plugin: From ClickFix Lure to Live C2 in Six Stages
TL;DR: A SmokeLoader campaign deploying the Remus plugin was traced from a ClickFix social engineering lure hosted on Latvian bulletproof infrastructure through a six-stage kill chain ending at a live command-and-control server in Singapore. The C2 at baxe[.]pics:48261 was confirmed operational, accepting file uploads for data exfiltration via a Node.js/Express backend. Operator security failures -- including a mismatched TLS certificate that exposes the legitimate domain sdigi[.]net, a Vietnamese-language server management panel left on its default page, and same-day Namecheap registration of both C2 domains -- enabled full infrastructure mapping. The same builder output was identified across Amadey, Phorpiex, and GOLoader delivery networks, indicating a shared malware-as-a-service supply chain.
Background
SmokeLoader has been a persistent fixture in the cybercrime ecosystem since at least 2011, functioning as a modular loader and botnet platform. Its plugin architecture allows operators to extend capabilities beyond the core loader functionality. The Remus plugin, specifically, provides data collection and exfiltration capabilities including screenshot capture, clipboard theft, and WMI-based system profiling.
This investigation began with a single sample hash reported to MalwareBazaar on March 3, 2026. Starting from that indicator, Breakglass Intelligence mapped the complete delivery chain, confirmed live C2 infrastructure, extracted encryption keys and campaign identifiers from the binary configuration, and identified multiple distribution vectors sharing the same builder output.
What makes this campaign notable is not the malware family itself -- SmokeLoader is well-documented -- but rather the completeness of the infrastructure mapping achieved through the operator's own mistakes.
Key Findings
- The primary C2 server at baxe[.]pics:48261 is fully operational, hosted on an OVH Singapore VPS, and returns structured JSON responses to POST requests consistent with a file upload exfiltration endpoint.
- The complete kill chain was mapped: ClickFix social engineering lure served from a Latvian bulletproof host, to an MSI installer, to a Go-based loader with browser credential theft capabilities, to the SmokeLoader Remus plugin as the final payload.
- A TLS certificate on the C2 server contains Subject Alternative Names for sdigi[.]net rather than baxe[.]pics, linking the C2 operator to a legitimate domain registered through Squarespace in 2023.
- Both C2 domains (baxe[.]pics and vinte[.]online) were registered on the same day (February 10, 2026) via Namecheap, confirming unified ownership.
- The sample shares an import hash with four other active SmokeLoader variants distributed through Amadey and Phorpiex botnets, indicating the same builder is supplying multiple affiliate distribution networks.
- A ChaCha20 encryption key was extracted from the binary configuration, along with a campaign identifier and the Remus plugin marker string.
Attack Chain
The delivery chain moves through six distinct stages, each serving a specific operational purpose.
Stage 1: ClickFix Social Engineering
The attack begins with a ClickFix lure -- a social engineering technique that presents victims with a fake "I Am Not a Robot" verification page. The lure was served from 193.169.194[.]5 on port 5506, hosted by SIA GOOD, a Latvian bulletproof hosting provider operating under the GOODTEC-MNT maintainer handle. SIA GOOD controls at least five IP prefixes and has been associated with malicious hosting activity.
The ClickFix page delivers a command (likely PowerShell or mshta) that the victim is tricked into running themselves, which fetches and starts the next stage.
Stage 2: MSI Installer
The initial payload is an MSI installer (SHA256: 8af75100ed69758e4da91255e0fae90f4ac40db2d1cfe52b9ea90c637ea30a82) at 2.4 MB. It was flagged by YOROI and VMRay as SmokeLoader-related. The MSI format lends a degree of legitimacy, as Windows users are accustomed to running installer packages.
Stage 3: Go-Based Loader
The MSI drops a Go-compiled binary (SHA256: b93484fd64dee8ad3b45ddddcb58e54efaf751f33a12c8807f8d0765e8237337) at 2.1 MB. This intermediate loader is not merely a dropper -- it has its own credential theft capabilities including browser credential harvesting, cryptocurrency wallet discovery, and process enumeration. This means even if the final payload fails to deploy, the operator still captures value from the compromise.
Stage 4: SmokeLoader Remus Plugin
The final payload is the Remus plugin itself -- a 217 KB PE32+ executable compiled on February 21, 2026. Once deployed, it establishes communication with the C2 server and begins its collection operations.
Stages 5-6: C2 Communication and Exfiltration
The plugin communicates with baxe[.]pics on port 48261 over plain HTTP, with payload encryption handled at the application layer via ChaCha20. The C2 expects file uploads via POST requests and returns structured JSON error objects ({"success":...,"message":...,"data":...}) whose shape and error handling are consistent with a Node.js/Express backend.
Other lures observed in the same campaign included fake "Carbanak source code" archives and a cryptocurrency wallet application (Qtum), each aimed at a specific audience: security researchers in the first case, cryptocurrency users in the second.
Infrastructure Analysis
Primary C2: OVH Singapore
The primary C2 at 15[.]235[.]192[.]42 sits on OVH's Singapore VPS platform. Port scanning revealed SSH (22), HTTP (80), HTTPS (443), and the C2 service on port 48261. The server runs nginx as a reverse proxy in front of the Node.js application.
C2 Protocol Behavior:
| Request | Response | Interpretation |
|---|---|---|
| GET / | <div>Hello world!</div> (HTTP 404) | Health check or decoy landing page |
| POST / (empty) | {"success":false,"message":"no file","data":null} (HTTP 400) | File upload endpoint expecting payload |
| GET /any-path | HTTP 403, 23-byte JSON body | Application-level access control |
The presence of CORS headers (Vary: Origin, Access-Control-Allow-Credentials: true) suggests a browser-based administration panel exists alongside the C2 API. These are exactly the headers the Express cors middleware emits when configured with credentials: true, so they are consistent with, but not proof of, such a panel.
The TLS Certificate Mistake
The most significant finding is the TLS certificate deployed on port 443 of the C2 server. Rather than a certificate for baxe[.]pics, the operator deployed a Cloudflare Origin Certificate created for sdigi[.]net -- a legitimate domain registered through Squarespace in July 2023, using Cloudflare nameservers.
This is a 15-year certificate (valid from October 2025 to October 2040), issued by CloudFlare Origin SSL Certificate Authority. The Subject Alternative Names explicitly list *.sdigi[.]net and sdigi[.]net. Origin CA certificates are not trusted by browsers; they secure only the leg between Cloudflare's edge and the origin of a site proxied through Cloudflare, so this certificate never validated for anyone connecting to baxe[.]pics directly and served no purpose on this host.
This mistake creates a direct link between the C2 infrastructure and whatever entity controls sdigi[.]net. The operator likely generated the Origin certificate for their legitimate domain and then reused it on the C2 server out of convenience or ignorance of the attribution risk.
The FlashPanel Indicator
Port 80 on the C2 server displays a FlashPanel welcome page. FlashPanel is a Vietnamese-language server management tool, providing a geographic indicator for the operator. While not definitive for attribution, it narrows the field.
Domain Registration Pattern
| Domain | Registrar | Created | Status |
|---|---|---|---|
| baxe[.]pics | Namecheap | 2026-02-10 | LIVE (resolves to 15[.]235[.]192[.]42) |
| vinte[.]online | Namecheap | 2026-02-10 | SUSPENDED (serverHold) |
Both domains were registered on the same day through the same registrar, a pattern that strongly suggests a single operator or operation. Vinte[.]online has already been suspended, while baxe[.]pics remains active.
Delivery Infrastructure: SIA GOOD
The ClickFix delivery server at 193.169.194[.]5 is hosted by SIA GOOD (GOODTEC-MNT), a Latvian entity controlling multiple IP prefixes. The abuse contact for this infrastructure is a Hotmail address (ramsuleyman@hotmail.com), which is atypical for a legitimate hosting provider and consistent with bulletproof hosting operations.
Older C2 Cluster: H2NEXUS / LuxHost
Five additional IPs in the 109.120.137.0/24 range were identified as older SmokeLoader C2 servers, all hosted by H2NEXUS LTD (registered at 71-75 Shelton Street, London WC2H 9JQ -- a well-known virtual office address). These servers run identical nginx/1.22.1 configurations on Debian and remain live, suggesting either continued operation or abandonment without takedown.
Malware Analysis
Binary Profile
The Remus plugin is a relatively compact 217 KB PE32+ executable targeting 64-bit Windows. Key characteristics include:
- PE sections with identity-mapped offsets: Raw offsets equal virtual addresses across all sections. This is unusual for linker output and may indicate custom packing or a non-standard build process; it is also characteristic of an image dumped from memory, so the sample may have been captured after the parent loader mapped it rather than as it sits on disk.
- Moderate entropy: Section entropy ranges from 3.32 (.data) to 6.23 (.text), indicating the binary is not packed or heavily obfuscated. This is consistent with a plugin expected to be decrypted by the parent SmokeLoader instance.
- GUI subsystem: Despite having no user interface, the binary is linked for the Windows GUI subsystem, which avoids the console window a console-subsystem process would create.
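The two structural checks above (raw offset equal to virtual address for every section, and per-section entropy) can be verified without a full PE framework. The following is an added example written for this page, not code from the report or from the malware; it parses the section table with the standard struct module and runs on a constructed two-section PE32+ skeleton (build_sample_pe, a name chosen here), since the real sample is not embedded on this page.

```python
import math
import struct

# Added triage helper, not code from the report. It reads the PE section table
# with struct only (no pefile dependency) and reports the two facts the binary
# profile relies on: whether raw offsets equal virtual addresses, and per-section
# entropy. The PE built by build_sample_pe() is a constructed skeleton, not the
# Remus sample.


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """Return name, VA, raw pointer, identity-mapped flag and entropy per section."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _machine, nsect, _ts, _symptr, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", pe, coff)
    magic = struct.unpack_from("<H", pe, coff + 20)[0]
    if magic != 0x20B:  # 0x20B = PE32+ (64-bit); 0x10B would be PE32
        raise ValueError("not a PE32+ image")
    table = coff + 20 + opt_size
    sections = []
    for i in range(nsect):
        # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ...
        name, _vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        body = pe[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "va": va,
            "raw": rawptr,
            "identity_mapped": va == rawptr,
            "entropy": round(shannon_entropy(body), 2),
        })
    return sections


def triage(pe: bytes) -> dict:
    """Summarise the section facts a first-pass analyst looks at."""
    sections = parse_sections(pe)
    return {
        "sections": sections,
        "all_identity_mapped": all(s["identity_mapped"] for s in sections),
        "max_entropy": max(s["entropy"] for s in sections),
    }


def build_sample_pe(identity_mapped: bool = True) -> bytes:
    """Constructed two-section PE32+ skeleton (headers plus section bodies only).
    With identity_mapped=True every section's raw offset equals its VA, as the
    report describes; otherwise sections are file-packed at 0x400/0x600 the way
    a normal linker places them."""
    e_lfanew, opt_size = 0x40, 0xF0
    table = e_lfanew + 24 + opt_size
    text_va, data_va = 0x1000, 0x2000
    text_raw, data_raw = (text_va, data_va) if identity_mapped else (0x400, 0x600)
    img = bytearray(0x3000 if identity_mapped else 0x800)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, e_lfanew + 4, 0x8664, 2, 0, 0, 0, opt_size, 0x22)
    struct.pack_into("<H", img, e_lfanew + 24, 0x20B)
    for i, (name, va, raw) in enumerate([(b".text", text_va, text_raw), (b".data", data_va, data_raw)]):
        struct.pack_into("<8sIIII", img, table + 40 * i, name, 0x200, va, 0x200, raw)
    # .text: every byte value exactly twice (entropy 8.0); .data: mostly zeros plus a marker
    img[text_raw:text_raw + 0x200] = bytes((i * 7 + 3) & 0xFF for i in range(0x200))
    img[data_raw:data_raw + 0x200] = b"\x00" * 0x1F0 + b"# REMUS LOG" + b"\x00" * 5
    return bytes(img)


if __name__ == "__main__":
    for s in triage(build_sample_pe())["sections"]:
        print(s)
```

Running it prints each section with its identity_mapped flag and entropy; pointing parse_sections at the bytes of a real sample reproduces the profile above. A sample whose sections are all identity-mapped should be treated as possibly dumped from memory, which would also explain why its entropy looks unpacked.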
Import Analysis and Capabilities
The import table reveals the plugin's operational capabilities:
Surveillance and Collection:
- GDI32.dll functions (BitBlt, CreateCompatibleBitmap, GetDIBits) provide screenshot capture capability.
- USER32.dll functions (OpenClipboard, GetClipboardData) enable clipboard theft.
- USER32.dll also imports CreateDesktopW, which allows the malware to create a hidden desktop for invisible operations.
System Profiling:
- OLE32.dll functions (CoCreateInstance, CoInitialize, CoSetProxyBlanket) indicate WMI-based system profiling through COM interfaces.
- KERNEL32.dll provides GetComputerNameA and GetComputerNameExA for machine identification.
- ADVAPI32.dll provides GetUserNameA for user enumeration.
Privilege Escalation:
- ADVAPI32.dll imports LookupPrivilegeValueW, which resolves a privilege name (for example SeDebugPrivilege) to a LUID ahead of a call such as AdjustTokenPrivileges. On its own this enables privileges the token already holds rather than escalating beyond them, so the evidence supports token manipulation more than genuine privilege escalation.
Extracted Configuration
Static analysis of the binary revealed configuration data embedded in the PE sections:
| Parameter | Value | Location |
|---|---|---|
| C2 URL | http://baxe[.]pics:48261 | UTF-16LE at offset 0x32C94 |
| Encryption | ChaCha20/Salsa20 | "expand 32-byte k" constant at 0x32C48 |
| 32-byte Key | d16425ab2d021ae273d5fae993ce52a5aa61f379ade7bc27efd39d9bb3f46a55 | Adjacent to cipher constant |
| Counter | 0300000000000000 | Post-key data |
| Nonce | cffe89f3b050944e | Post-counter data |
| Campaign ID | e7d306351b2ed15ad158949881380114 | Offset 0x2CE22 |
| Plugin Marker | # REMUS LOG | Offset 0x2CE16 |
| Proxy Config | PROXYPROXYPROXY... (repeated) | Offset 0x2BD21 |
| Build Marker | 21.02.20 | Config section |
The "expand 32-byte k" string is the canonical ChaCha20/Salsa20 constant for 256-bit keys, confirming the cipher family (the two ciphers share the constant and differ in state layout and round function; the table treats it as ChaCha20). An 8-byte counter beside an 8-byte nonce matches the original ChaCha20 construction (64-bit counter, 64-bit nonce) rather than the RFC 8439 variant (32-bit counter, 96-bit nonce), which matters when reproducing the cipher. With the 32-byte key, counter, and nonce, captured C2 traffic can be decrypted provided the plugin reuses this static nonce rather than deriving a fresh one per message.
Cross-Campaign Builder Analysis
The import hash c81db0a320cdad5ab41c9a291ea9b6e9 was used to identify four additional samples from the same builder:
| SHA256 (truncated) | First Seen | Delivery Vector |
|---|---|---|
| a8952a36f1f43676... | 2026-03-09 | Amadey |
| e62a0100c482453f... | 2026-03-07 | Phorpiex |
| 62d0b74a54a7284e... | 2026-03-07 | Phorpiex |
| 1260de45ed211551... | 2026-03-06 | Phorpiex |
All five samples (including ours) share the same import hash and similar file sizes (217-224 KB), indicating they were produced by the same builder with minor configuration differences. The presence across three distinct distribution networks (Amadey, Phorpiex, and the ClickFix/GOLoader chain in our investigation) is consistent with a pay-per-install or affiliate model in which the Remus plugin operator purchases distribution from multiple botnet operators; the shared imphash itself establishes only a common builder, not the commercial arrangement.
Threat Actor Profile
Attribution Assessment
Confidence: LOW-MEDIUM
The operator demonstrates moderate technical capability -- using commodity malware (SmokeLoader) with a custom Remus plugin configuration -- but makes significant operational security mistakes that undermine their anonymity.
Geographic Indicators:
- The FlashPanel Vietnamese welcome page on the C2 server suggests a Vietnamese operator or at least someone familiar with Vietnamese server administration tools.
- The delivery infrastructure on Latvian bulletproof hosting is consistent with Eastern European cybercrime operations, though BPH services are sold internationally.
Motivation: Financial. The combination of credential theft (Go loader), data exfiltration (Remus plugin), and multi-vector distribution through pay-per-install botnets points to financially motivated cybercrime.
Operational Security Failures
- TLS certificate cross-contamination: Deploying a Cloudflare Origin cert for sdigi[.]net on the baxe[.]pics C2 server creates a direct link to a potentially identifiable entity.
- FlashPanel default page: Leaving the Vietnamese-language server management welcome page on port 80 provides a geographic and tooling indicator.
- Same-day domain registration: Registering both C2 domains from the same Namecheap account on the same day links them trivially.
- Verbose C2 error messages: JSON responses reveal the backend technology stack (Node.js/Express) and API design patterns.
- CORS configuration: The `Access-Control-Allow-Credentials: true` header suggests a browser-based admin panel, which gives defenders and researchers a further surface to examine.
- No C2 authentication: The file upload endpoint responds to unauthenticated requests (though it requires a specific payload format).
Campaign Timeline
| Date | Event |
|---|---|
| 2023-07-07 | sdigi[.]net registered (Squarespace) -- operator's legitimate domain |
| 2025-10-06 | Cloudflare Origin cert created for sdigi[.]net |
| 2026-02-10 | baxe[.]pics and vinte[.]online registered via Namecheap |
| 2026-02-21 | Remus plugin compiled (PE timestamp) |
| 2026-02-24 | ClickFix delivery chain first observed |
| 2026-03-01 | C2 domains reported to ThreatFox |
| 2026-03-03 | Primary sample first seen on MalwareBazaar |
| 2026-03-06 to 2026-03-09 | Same builder output distributed via Phorpiex and Amadey |
| 2026-03-10 | Investigation conducted, C2 confirmed live |
Detection Guidance
YARA Rule Summary
Detection rules target three primary indicators:
- Remus plugin marker: The ASCII string `# REMUS LOG` combined with the `PROXYPROXYPROXY` repeated marker in the data section.
- ChaCha20 configuration block: The "expand 32-byte k" constant adjacent to the extracted encryption key bytes.
- Import hash: The `c81db0a320cdad5ab41c9a291ea9b6e9` imphash shared across all known variants from this builder.
Suricata Rule Summary
Network detection rules focus on:
- C2 communication on non-standard port: HTTP traffic to port 48261 with the JSON error response pattern `"success":false,"message":"no file"`.
- ClickFix delivery indicator: HTTP requests containing `I-AM-NOT-A-ROBOT-VERIFY` in the URI path.
- C2 domain resolution: DNS lookups for baxe[.]pics, vinte[.]online, and coox[.]live.
Hunting Queries
Defenders should search for:
- Network connections to port 48261 on any destination IP
- DNS resolution of baxe[.]pics, vinte[.]online, or coox[.]live
- File hashes matching the primary sample, the Go loader, or the MSI installer
- Import hash `c81db0a320cdad5ab41c9a291ea9b6e9` in endpoint telemetry
- MSI execution from user temp directories following web browser activity
- URL patterns containing `I-AM-NOT-A-ROBOT-VERIFY`
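To turn the hunting list above into something runnable, here is an added example (not part of the report) that applies the same network indicators to Zeek-style JSON log lines for conn, dns and http events. The log lines are constructed, and the resp_body field on http events is an assumption: Zeek's own http.log carries no body, so that field would have to come from a proxy or sensor that captures responses.

```python
import json

# Added hunting helper, not code from the report. It applies the indicators
# listed above to Zeek-style JSON log lines (conn, dns, http). Indicator values
# are written un-defanged here because matching needs the literal strings.
# The log lines are constructed. The "resp_body" field on http events is an
# assumption: Zeek's own http.log carries no body, so it would have to come from
# a proxy or sensor that captures responses.

C2_DOMAINS = {"baxe.pics", "vinte.online", "coox.live"}
C2_IPS = {
    "15.235.192.42", "193.169.194.5", "168.231.114.49", "62.60.226.159",
    "109.120.137.73", "109.120.137.75", "109.120.137.78",
    "109.120.137.123", "109.120.137.129",
}
C2_PORT = 48261
LURE_MARKER = "I-AM-NOT-A-ROBOT-VERIFY"
C2_ERROR_PATTERN = '"success":false,"message":"no file"'

# Constructed sample: one benign conn record plus events matching each indicator.
SAMPLE_LOG = """
{"_path":"dns","ts":1773130000.1,"id.orig_h":"10.0.0.5","query":"baxe.pics","qtype_name":"A"}
{"_path":"conn","ts":1773130001.2,"id.orig_h":"10.0.0.5","id.resp_h":"15.235.192.42","id.resp_p":48261,"proto":"tcp"}
{"_path":"http","ts":1773130002.3,"id.orig_h":"10.0.0.7","host":"193.169.194.5:5506","method":"GET","uri":"/I-AM-NOT-A-ROBOT-VERIFY.txt","status_code":200}
{"_path":"http","ts":1773130003.4,"id.orig_h":"10.0.0.5","host":"baxe.pics:48261","method":"POST","uri":"/","status_code":400,"resp_body":"{\\"success\\":false,\\"message\\":\\"no file\\",\\"data\\":null}"}
{"_path":"conn","ts":1773130004.5,"id.orig_h":"10.0.0.9","id.resp_h":"93.184.216.34","id.resp_p":443,"proto":"tcp"}
"""


def matches_c2_domain(name: str) -> bool:
    """Exact or subdomain match; 'notbaxe.pics' must not match 'baxe.pics'."""
    n = name.lower().rstrip(".")
    return any(n == d or n.endswith("." + d) for d in C2_DOMAINS)


def classify(ev: dict) -> list:
    """Return the indicator names that fire for one log event (empty if none)."""
    reasons = []
    path = ev.get("_path")
    if path == "conn":
        if ev.get("id.resp_p") == C2_PORT:
            reasons.append("c2_port")
        if ev.get("id.resp_h") in C2_IPS:
            reasons.append("c2_ip")
    elif path == "dns":
        if matches_c2_domain(ev.get("query", "")):
            reasons.append("c2_dns")
    elif path == "http":
        host = ev.get("host", "").split(":")[0]  # strip ":port" (IPv4/hostname only)
        if matches_c2_domain(host) or host in C2_IPS:
            reasons.append("c2_http_host")
        if LURE_MARKER in ev.get("uri", ""):
            reasons.append("clickfix_lure")
        if C2_ERROR_PATTERN in ev.get("resp_body", ""):
            reasons.append("c2_error_pattern")
    return reasons


def hunt(lines) -> list:
    """Run classify over JSON lines; skip blanks and unparsable lines."""
    hits = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue
        reasons = classify(ev)
        if reasons:
            hits.append({"ts": ev.get("ts"), "orig_h": ev.get("id.orig_h"),
                         "path": ev.get("_path"), "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG.splitlines()):
        print(hit)
```

Each hit carries every reason that fired, so a single conn record to 15[.]235[.]192[.]42:48261 surfaces as both c2_port and c2_ip, and the subdomain-aware match catches hosts under the C2 domains without firing on unrelated names that merely end in the same characters.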
IOCs (Defanged)
Domains
baxe[.]pics -- Primary C2 (LIVE)
vinte[.]online -- Backup C2 (SUSPENDED)
coox[.]live -- Related campaign C2
sdigi[.]net -- Linked via TLS cert (operator domain)
IP Addresses
15[.]235[.]192[.]42 -- OVH Singapore, baxe.pics C2
193[.]169[.]194[.]5 -- SIA GOOD Latvia, ClickFix delivery
168[.]231[.]114[.]49 -- Hostinger, coox.live C2
109[.]120[.]137[.]73 -- H2NEXUS, older SmokeLoader C2
109[.]120[.]137[.]75 -- H2NEXUS, older SmokeLoader C2
109[.]120[.]137[.]78 -- H2NEXUS, older SmokeLoader C2
109[.]120[.]137[.]123 -- H2NEXUS, older SmokeLoader C2
109[.]120[.]137[.]129 -- H2NEXUS, older SmokeLoader C2
62[.]60[.]226[.]159 -- Payload delivery
URLs
hxxp://baxe[.]pics:48261 -- Remus plugin C2
hxxp://193[.]169[.]194[.]5:5506/I-AM-NOT-A-ROBOT-VERIFY.txt -- ClickFix lure
File Hashes
SmokeLoader Remus Plugin:
SHA256: 77a2c2761bd439548177a36b6a10d8979c0e41d2cf3c1c98329307cbe5251ab6
SHA1: f2aefc8b54f7540ebf975e466d272ae836c42cbd
MD5: 4a2e5a268b422b207f87ffeeaf83fbf1
Go-Based Loader:
SHA256: b93484fd64dee8ad3b45ddddcb58e54efaf751f33a12c8807f8d0765e8237337
MD5: b846d20cdc94ad76e774f7ee0909f39d
MSI Installer:
SHA256: 8af75100ed69758e4da91255e0fae90f4ac40db2d1cfe52b9ea90c637ea30a82
MD5: 46df524510ad40e83979108a1a8ad109
Behavioral Indicators
Imphash: c81db0a320cdad5ab41c9a291ea9b6e9
Campaign ID: e7d306351b2ed15ad158949881380114
Plugin Marker: # REMUS LOG
Proxy Marker: PROXYPROXYPROXY (repeated)
Encryption Constant: expand 32-byte k
C2 Error Pattern: {"success":false,"message":"no file","data":null}
Server Banner: FlashPanel welcome page on C2 IP port 80
MITRE ATT&CK Mapping
| Tactic | Technique | ID |
|---|---|---|
| Initial Access | Drive-by Compromise | T1189 |
| Execution | User Execution: Malicious File | T1204.002 |
| Execution | Windows Management Instrumentation | T1047 |
| Persistence | Registry Run Keys | T1547.001 |
| Defense Evasion | Hidden Window | T1564.003 |
| Defense Evasion | Obfuscated Files | T1027 |
| Credential Access | Credentials from Web Browsers | T1555.003 |
| Discovery | System Information Discovery | T1082 |
| Discovery | Account Discovery | T1087 |
| Discovery | Software Discovery | T1518 |
| Collection | Screen Capture | T1113 |
| Collection | Clipboard Data | T1115 |
| Command and Control | Application Layer Protocol | T1071.001 |
| Command and Control | Non-Standard Port | T1571 |
| Command and Control | Encrypted Channel | T1573 |
| Exfiltration | Exfiltration Over C2 Channel | T1041 |
Recommended Actions
Immediate (24-48 hours):
- Block all listed domains and IPs at network perimeter
- Search EDR/SIEM for connections to baxe[.]pics, port 48261, and all listed C2 IPs
- Hunt for imphash `c81db0a320cdad5ab41c9a291ea9b6e9` across the endpoint fleet
- Block MSI execution from user temp directories matching the delivery pattern
- Monitor for `I-AM-NOT-A-ROBOT-VERIFY` in URL logs
Short-term (1-2 weeks):
- Deploy YARA and Suricata detection rules
- Report abuse to OVH Singapore for 15[.]235[.]192[.]42
- Report abuse to Namecheap for baxe[.]pics
- Scan historical DNS logs for any past resolution of campaign domains
Medium-term (1-3 months):
- Monitor for new domains that match the registration pattern of the known C2 domains (Namecheap, same nameservers, same creation window)
- Track the import hash across MalwareBazaar for new variants
- Monitor sdigi[.]net for infrastructure changes
- Track SIA GOOD IP ranges for new malicious hosting activity
References
- SideQuest Lab: "ClickFix to SmokeLoader with Remus Plugin" (March 2026)
- Malpedia: SmokeLoader family documentation
- MalwareBazaar: Sample 77a2c276...ab6
- CAPE Sandbox: Analysis 55471
- ThreatFox: IOC 1756408 (baxe.pics)
- Triage: Analysis 260301-tvk23acv7e
Published by Breakglass Intelligence -- intel.breakglass.tech
Investigation conducted 2026-03-10