SmokeLoader's Egyptian Shadow: How a Fully-Functional Arabic LMS Shares Infrastructure with Malware C2
TL;DR
A deep investigation into SmokeLoader C2 domain baxe[.]pics reveals it shares a Hetzner VPS (65.21.104.235) with qimmaedu[.]com — a genuine, fully-functional Arabic Learning Management System with 224 API endpoints, 62 React source files, and months of real development effort. The server operator controls both domains, running malware C2 infrastructure alongside a legitimate education platform. An exposed 4.8MB source map leaks the entire frontend codebase, including hardcoded developer identity artifacts pointing to an Egyptian developer operating under the handle sasa4452.
Background: The SmokeLoader Trail
On March 5, 2026, sandbox analysis of a SmokeLoader sample (bac70244b93a4a92b9d633415435cd81e8643ecd20b52b962b369ceaaddc3958) revealed two active C2 endpoints:
| Function | Domain | IP | Port | Protocol |
|---|---|---|---|---|
| Check-in / Beacon | coox[.]live | 168.231.114.49 | 28313 | TCP |
| Data Exfiltration | baxe[.]pics | 65.21.104.235 | 48261 | HTTP POST (multipart) |
The exfiltration channel on baxe[.]pics received over 1MB of stolen data (browser credentials, email client data, cryptocurrency wallets) across 798 packets in a single sandbox run, every request returning HTTP 200 OK. Both backends run Node.js/Express behind nginx with token-authenticated multipart POST endpoints.
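The traffic shape above (hundreds of multipart/form-data POSTs to a high, non-standard port, all answered 200 OK, about 1MB in total) is easy to express as a detection over HTTP proxy or Zeek `http.log` style records. The following is an added example and not code from the original post; the record field names and every log record in it are constructed, and the thresholds are illustrative.

```python
"""Flag bulk multipart POST exfiltration to a non-standard port.

Added example, not code from the original post. It aggregates HTTP records
per (source IP, Host header, destination port) and alerts when multipart
POST bodies to a non-standard port exceed a byte or count threshold.
Field names and the log records themselves are constructed.
"""
from collections import defaultdict

STANDARD_WEB_PORTS = {80, 443, 8080, 8443}
BYTES_THRESHOLD = 512 * 1024   # total request-body bytes per (src, host, port)
COUNT_THRESHOLD = 50           # or this many multipart POSTs


def make_record(src_ip, host, dst_port, method, content_type, request_bytes, status):
    """Build one constructed HTTP log record."""
    return {
        "src_ip": src_ip, "host": host, "dst_port": dst_port, "method": method,
        "content_type": content_type, "request_bytes": request_bytes, "status": status,
    }


def sample_records():
    """Constructed log: one infected host exfiltrating, plus benign traffic."""
    recs = []
    # Infected workstation: 60 multipart POSTs of 20 KB each to baxe.pics:48261
    for _ in range(60):
        recs.append(make_record("10.0.0.23", "baxe.pics", 48261, "POST",
                                "multipart/form-data; boundary=----x", 20_000, 200))
    # Benign: large multipart upload to a normal HTTPS port (skipped by the port filter)
    recs.append(make_record("10.0.0.41", "upload.example.com", 443, "POST",
                            "multipart/form-data; boundary=abc", 5_000_000, 200))
    # Benign: a few small multipart POSTs to an internal dev server (below thresholds)
    for _ in range(3):
        recs.append(make_record("10.0.0.41", "dev.internal.example", 8000, "POST",
                                "multipart/form-data; boundary=abc", 1_500, 200))
    # A GET to the same high port carries no body and is not counted
    recs.append(make_record("10.0.0.23", "baxe.pics", 48261, "GET", "", 0, 200))
    return recs


def detect_multipart_exfil(records, bytes_threshold=BYTES_THRESHOLD,
                           count_threshold=COUNT_THRESHOLD):
    """Return one alert per (src_ip, host, port) that crosses either threshold."""
    agg = defaultdict(lambda: {"count": 0, "bytes": 0, "ok": 0})
    for r in records:
        if r["method"] != "POST":
            continue
        if not r["content_type"].lower().startswith("multipart/form-data"):
            continue
        if r["dst_port"] in STANDARD_WEB_PORTS:
            continue
        a = agg[(r["src_ip"], r["host"], r["dst_port"])]
        a["count"] += 1
        a["bytes"] += r["request_bytes"]
        if r["status"] == 200:
            a["ok"] += 1
    alerts = []
    for (src, host, port), a in sorted(agg.items()):
        if a["bytes"] >= bytes_threshold or a["count"] >= count_threshold:
            alerts.append({
                "src_ip": src, "host": host, "dst_port": port,
                "posts": a["count"], "bytes": a["bytes"], "http_200": a["ok"],
                "rule": "multipart-post-exfil-nonstandard-port",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_multipart_exfil(sample_records()):
        print(alert)
```

The port filter is the important design choice: multipart uploads to 443 are normal, so the rule only fires on ports outside the usual web set, where a token-authenticated upload endpoint has no business being.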
The operator behind these domains — tracked under the fabricated WHOIS identity "German Ingrmen" (ingermany1@inbox.eu, Krasnodar, Russia) — registered coox[.]live and ropea[.]top via PDR Ltd/Regway on February 19, 2026, and baxe[.]pics through Namecheap on February 10, 2026. A third domain, ropea[.]top, was already suspended (serverHold) by the time of analysis.
This post focuses on the infrastructure behind baxe[.]pics — specifically, what else lives on 65.21.104.235.
The Cover Story: qimmaedu.com
Connecting to 65.21.104.235 on HTTPS with any unrecognized SNI (including baxe[.]pics) triggers a 301 redirect to https://qimmaedu.com/. This is not a parking page. It is a fully operational Arabic-language education management system.
Application Stack
- Frontend: React (production) + React Router 6.30.1 + Redux Toolkit
  - TailwindCSS 3.4.17, Recharts, D3.js, Socket.IO client
  - 40 npm packages, 62 custom source files
  - Build timestamp: 2025-10-03T23:34:51Z
- Backend: Python FastAPI with Swagger UI at /api/docs
  - JWT Bearer token auth with refresh tokens
  - OpenAPI 3.0 spec: 133,495 bytes (224 endpoints)
- Infra: Hetzner Cloud VPS (Finland)
  - Ubuntu Linux, OpenSSH 8.9p1, nginx
  - Let's Encrypt auto-renewal (certbot, 90-day cycle)
It Is Real
This is not a template drop or a throwaway landing page. The evidence for genuine functionality:
- 224 API endpoints documented in a 133KB OpenAPI specification, covering user management, exams, question banks, gamification, live streaming, chat rooms, support tickets, scheduling, and notifications
- Three role-based dashboards (admin, teacher, student) with dedicated permission scopes
- Database-backed authentication — POST /api/auth/login returns localized Arabic error messages ("البريد الإلكتروني أو كلمة المرور غير صحيحة") from a live database, not a static response
- Active health endpoint — GET /api/health returns {"status":"healthy","timestamp":"2026-03-06T..."} with real timestamps
- Arabic-first UI — lang="ar" dir="rtl", Cairo + Tajawal Google Fonts, all user-facing strings in Arabic
- PWA manifest with Arabic short_name ("نظام التعليم") and standalone display mode
The JS bundle alone is 1.4MB. The CSS is 98KB. This is months of development work.
The Source Map Leak
The production build ships with an exposed source map:
```http
GET /static/js/main.f2b3235e.js.map
Content-Length: 4,839,414 bytes (4.8MB)
```
This file contains the complete, unminified React source code for the entire application — every component, every Redux slice, every API call. It is publicly accessible with no authentication.
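An exposed source map is a finding worth turning into a routine check on your own builds. The following is an added example, not code from the original post or from the qimmaedu application: it reads a source map of the kind served at /static/js/main.*.js.map, walks `sources` and `sourcesContent`, and reports emails, phone numbers and `"username"` values baked into the code, with file and line. The source map it parses is constructed for the example (only its field names follow the source map v3 format); the `references_source_map` helper and the hypothetical `dev.internal.example` style names are likewise the example's own.

```python
"""Audit a production source map for hardcoded identity artifacts.

Added example, not code from the original post. The sample map below is
constructed; only its structure (version/sources/sourcesContent) follows
the source map v3 format that React production builds emit.
"""
import json
import re

SAMPLE_SOURCE_MAP = json.dumps({
    "version": 3,
    "file": "main.js",
    "sources": ["components/admin/AdminProfile.js", "utils/api.js"],
    "sourcesContent": [
        "const defaultProfile = {\n"
        '  "username": "sasa4452",\n'
        '  "email": "admin@school.com",\n'
        '  "phone": "+20123456789",\n'
        "};\nexport default defaultProfile;\n",
        'export const API = "/api";\n'
        "export const health = () => fetch(`${API}/health`);\n",
    ],
    "mappings": "AAAA",
})

# Identity-like literals to flag; dict order decides the order of findings per line
PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"\+\d{7,15}"),
    "username": re.compile(r'"username"\s*:\s*"([^"]+)"'),
}


def audit_source_map(map_text):
    """Return [{file, line, kind, value}] for every identity-like literal."""
    sm = json.loads(map_text)
    contents = sm.get("sourcesContent") or []
    findings = []
    for path, content in zip(sm.get("sources", []), contents):
        if content is None:           # sourcesContent entries may be null
            continue
        for lineno, line in enumerate(content.splitlines(), 1):
            for kind, rx in PATTERNS.items():
                for m in rx.finditer(line):
                    value = m.group(1) if m.groups() else m.group(0)
                    findings.append({"file": path, "line": lineno,
                                     "kind": kind, "value": value})
    return findings


def references_source_map(bundle_js):
    """True if a built bundle still advertises its map via a sourceMappingURL comment."""
    return any(line.strip().startswith("//# sourceMappingURL=")
               for line in bundle_js.splitlines())


if __name__ == "__main__":
    for f in audit_source_map(SAMPLE_SOURCE_MAP):
        print(f"{f['file']}:{f['line']} {f['kind']} = {f['value']}")
```

Run it against the `.map` file of every production build before deploy; a non-empty result means the unminified source carries data you would not want public, and `references_source_map` tells you whether the bundle itself is pointing clients at that file.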
Developer Identity: sasa4452
Hardcoded in components/admin/AdminProfile.js (extracted from the source map):
```json
{
  "username": "sasa4452",
  "email": "admin@school.com",
  "full_name": "مدير النظام",
  "phone": "+20123456789",
  "address": "القاهرة، مصر",
  "created_at": "2024-01-01",
  "last_login": "2024-12-19 10:30:00"
}
```
| Artifact | Value | Analysis |
|---|---|---|
| Username | sasa4452 | Matches GitHub account (ID 195141892) |
| Phone prefix | +20 | Egypt country code (placeholder number) |
| Address | القاهرة، مصر | Cairo, Egypt |
| GitHub created | 2025-01-15 | 7 months before qimmaedu.com registration |
| Public repos | 0 | Empty profile, no name/bio/location set |
| WhatsApp QR | KGFOXHASELCAB1 | Embedded in application, suggests real customer operations |
The Egyptian locale indicators (phone code, address, Arabic-first UI) contrast sharply with the "German Ingrmen" / Krasnodar, Russia WHOIS identity used for the SmokeLoader domains — either dual identities or the Russian WHOIS data is fabricated (the investigation into the WHOIS data already confirmed it: invalid postal code, wrong phone region prefix, nonexistent street name).
TLS Certificate Analysis
Certificate Transparency logs tell a clear story:
qimmaedu.com — 5 certificates (regular renewal)
| Issue Date | CA | SANs |
|---|---|---|
| 2025-08-19 | Let's Encrypt R10 | qimmaedu.com, www.qimmaedu.com |
| 2025-10-18 | Let's Encrypt R13 | qimmaedu.com, www.qimmaedu.com |
| 2025-12-18 | Let's Encrypt R12 | qimmaedu.com, www.qimmaedu.com |
| 2026-02-18 | Let's Encrypt R12 | qimmaedu.com, www.qimmaedu.com |
Standard 90-day certbot auto-renewal. First certificate issued one day after domain registration.
baxe.pics — 0 certificates
No TLS certificate has ever been issued for baxe[.]pics. The server presents qimmaedu.com's certificate for all SNI requests, causing a certificate mismatch for any standards-compliant TLS client.
This means the SmokeLoader bot either:
- Ignores TLS certificate validation (common in malware)
- Communicates over raw HTTP on port 48261 (the observed exfil port)
- Uses a non-standard protocol on that port
The sandbox traffic confirms option 2 or 3 — the C2 communication on port 48261 does not require a valid TLS handshake for baxe[.]pics.
Passive DNS: The VPS History
OTX AlienVault passive DNS for 65.21.104.235 reveals a pattern of domain rotation:
| Domain | First Seen | Last Seen | Current Status | Registrar |
|---|---|---|---|---|
| demobitimen[.]com | 2024-02-10 | 2024-06-20 | Moved to ArvanCDN (185.143.233.x) | joker.com |
| qimmaedu[.]com | 2025-08-20 | 2026-02-26 | LIVE on this IP | Dynadot |
| forestoaker[.]com | 2026-02-26 | 2026-02-28 | SUSPENDED (clientHold) | Realtime Register |
| baxe[.]pics | 2026-02-10 | current | LIVE (DNS points here) | Namecheap |
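The CT log analysis and the passive DNS table above combine into one simple triage rule: a domain that currently resolves to the IP but has never had a certificate issued is being served behind someone else's SNI, which is exactly how baxe[.]pics sits on this server. The following is an added example, not code from the original post; its rows are copied from the two tables above (the four listed qimmaedu.com issuance dates, and the three domains with CT data; demobitimen.com is left out because the page gives no issuance dates for it), and the 2026-03-06 "today" value is the investigation date.

```python
"""Correlate passive DNS with CT issuance per domain on a shared IP.

Added example, not code from the original post. Values below are copied
from the post's passive DNS and CT tables; demobitimen.com is omitted
because no issuance dates are listed for it.
"""
from datetime import date
from statistics import median

PDNS = [  # domain, first seen, last seen (None = still current)
    {"domain": "qimmaedu.com",    "first": "2025-08-20", "last": "2026-02-26"},
    {"domain": "forestoaker.com", "first": "2026-02-26", "last": "2026-02-28"},
    {"domain": "baxe.pics",       "first": "2026-02-10", "last": None},
]
RESOLVES_NOW = {"qimmaedu.com", "baxe.pics"}          # the "LIVE" rows
CT = {                                                 # issuance dates per domain
    "qimmaedu.com": ["2025-08-19", "2025-10-18", "2025-12-18", "2026-02-18"],
    "forestoaker.com": [],
    "baxe.pics": [],
}


def renewal_intervals(issued):
    """Days between consecutive certificate issuances."""
    ds = sorted(date.fromisoformat(d) for d in issued)
    return [(b - a).days for a, b in zip(ds, ds[1:])]


def dwell_days(row, today):
    """How long the domain pointed at the IP (up to today if still current)."""
    last = date.fromisoformat(row["last"]) if row["last"] else today
    return (last - date.fromisoformat(row["first"])).days


def assess(pdns=PDNS, ct=CT, resolves_now=RESOLVES_NOW, today=date(2026, 3, 6)):
    """Per-domain summary: cert count, renewal cadence, dwell, and the two flags."""
    report = {}
    for row in pdns:
        issued = ct.get(row["domain"], [])
        gaps = renewal_intervals(issued)
        live = row["domain"] in resolves_now
        dwell = dwell_days(row, today)
        report[row["domain"]] = {
            "cert_count": len(issued),
            "median_renewal_days": median(gaps) if gaps else None,
            "dwell_days": dwell,
            "resolves_now": live,
            # resolves here today but no certificate ever issued: served behind another SNI
            "sni_hidden": live and not issued,
            # pointed here only briefly and is gone: the forestoaker.com pattern
            "burned_fast": (not live) and dwell <= 3,
        }
    return report


if __name__ == "__main__":
    for domain, r in assess().items():
        print(domain, r)
```

A median renewal interval of about 60 days with a steady count is what certbot produces on its own; zero certificates next to a live A record is the anomaly to chase.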
demobitimen.com — Crypto Exchange Demo
Before qimmaedu, this VPS hosted demobitimen[.]com — a cryptocurrency exchange demo/development platform. CT logs show 216 certificates across an extensive subdomain structure:
```text
demobitimen.com
admin.demobitimen.com
api.demobitimen.com
rpc.demobitimen.com
xdba.demobitimen.com
apidev.demobitimen.com
adminstage.demobitimen.com
apidevstage.demobitimen.com
rpcstage.demobitimen.com
frontendstage.demobitimen.com
*.demobitimen.com
```
The staging/production separation and RPC endpoints indicate real exchange infrastructure. The domain now uses ArvanCDN (Iranian CDN provider) nameservers. This predates qimmaedu by 6 months — the VPS was reused.
forestoaker.com — Burned Fast
Registered February 22, 2026. Pointed to 65.21.104.235 on February 26. Suspended by Realtime Register (Netherlands) by March 2. Zero TLS certificates ever issued. Two days of active DNS resolution. Likely another malicious domain flagged by registrar abuse response.
nginx Configuration Inference
Observed server behavior maps the nginx routing logic:
```text
HTTPS qimmaedu.com        → 200 (React SPA + FastAPI)
HTTPS www.qimmaedu.com    → 200 (same)
HTTPS baxe.pics (-k)      → 301 → https://qimmaedu.com/
HTTPS 65.21.104.235 (-k)  → 301 → https://qimmaedu.com/
HTTP  baxe.pics           → connection drop (no response)
HTTP  qimmaedu.com        → connection drop (no response)
```
The default_server block catches all unrecognized SNI and redirects to qimmaedu.com. There is no dedicated server block for baxe[.]pics. Port 80 is effectively dead — Shodan confirms only ports 22 and 443 are open. The C2 exfiltration operates on port 48261, entirely outside the nginx web server configuration.
Security Headers
Ironically, the server is security-hardened for the education platform:
```http
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Referrer-Policy: strict-origin-when-cross-origin
```
Attribution Assessment
Three theories were evaluated:
| Theory | Assessment | Key Counter-Evidence |
|---|---|---|
| Compromised legitimate site | Rejected | baxe[.]pics DNS was pointed TO this IP externally; no compromise indicators on the server; different registrars |
| Purpose-built cover site | Unlikely | 1.4MB JS bundle, 4.8MB source map, 224 API endpoints, 62 custom source files — disproportionate effort for a cover |
| Same operator runs both | Most likely | Developer maintains legitimate LMS on Hetzner VPS; added baxe[.]pics DNS alias for SmokeLoader C2 operations; VPS has history of multi-project use |
Supporting evidence for same-operator theory:
- The VPS has hosted three distinct projects over two years (crypto exchange, education LMS, malware C2) — consistent with a developer reusing infrastructure
- forestoaker[.]com briefly pointed here before suspension — ongoing domain rotation
- The "German Ingrmen" WHOIS identity is confirmed fabricated (invalid postal code, wrong phone region, nonexistent street), while the education platform has organic Egyptian developer artifacts
- WhatsApp QR code in the LMS suggests real customer-facing operations running parallel to C2 infrastructure
Timeline
```text
2024-02-08  demobitimen.com registered (joker.com)
2024-02-10  demobitimen.com → 65.21.104.235
2024-06-20  demobitimen.com migrates to ArvanCDN
2025-01-15  GitHub user "sasa4452" created
2025-08-18  qimmaedu.com registered (Dynadot, WHOIS privacy)
2025-08-19  First Let's Encrypt cert for qimmaedu.com
2025-10-03  React application build deployed
2026-02-10  baxe.pics registered (Namecheap) — SmokeLoader C2 domain
2026-02-18  qimmaedu.com cert renewal (current cert)
2026-02-19  coox.live + ropea.top registered (PDR/Regway, "German Ingrmen")
2026-02-22  forestoaker.com registered (Realtime Register)
2026-02-26  forestoaker.com → 65.21.104.235 (2 days)
2026-02-28  forestoaker.com DNS removed
2026-03-01  baxe.pics WHOIS record updated
2026-03-02  forestoaker.com suspended (clientHold)
2026-03-05  SmokeLoader sample analyzed, baxe.pics C2 confirmed live
```
MITRE ATT&CK Mapping
| Technique ID | Name | Context |
|---|---|---|
| T1583.001 | Acquire Infrastructure: Domains | baxe[.]pics, coox[.]live, forestoaker[.]com registered for C2 |
| T1583.003 | Acquire Infrastructure: Virtual Private Server | Hetzner VPS 65.21.104.235 |
| T1036.005 | Masquerading: Match Legitimate Name or Location | Education LMS as cover for C2 VPS |
| T1071.001 | Application Layer Protocol: Web Protocols | HTTP POST multipart exfiltration on port 48261 |
| T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | SmokeLoader browser data harvesting |
| T1119 | Automated Collection | Cryptocurrency wallet, email client, browser credential harvesting |
| T1041 | Exfiltration Over C2 Channel | 1MB+ exfiltrated to baxe[.]pics:48261 per run |
| T1553.002 | Subvert Trust Controls: Code Signing | Bot ignores TLS certificate mismatch |
Indicators of Compromise
Network Indicators
```text
# SmokeLoader C2 — Data Exfiltration
baxe[.]pics
65.21.104.235
65.21.104.235:48261

# SmokeLoader C2 — Beacon / Check-in
coox[.]live
168.231.114.49
168.231.114.49:28313

# SmokeLoader C2 — Suspended
ropea[.]top

# Co-hosted Education Platform (same operator)
qimmaedu[.]com
www.qimmaedu[.]com

# Historically Co-hosted Domains
forestoaker[.]com
demobitimen[.]com
```
Hashes
```text
# SmokeLoader Sample
SHA256: bac70244b93a4a92b9d633415435cd81e8643ecd20b52b962b369ceaaddc3958
```
Operator Indicators
```text
# WHOIS Identity (fabricated)
Name: German Ingrmen
Email: ingermany1@inbox.eu
Phone: +79114890282
Address: OSVALT, Krasnodar, 512211, Russia

# Developer Identity (from source map)
Username: sasa4452
GitHub: https://github.com/sasa4452 (ID 195141892)
WhatsApp: https://wa.me/qr/KGFOXHASELCAB1
Locale: Egyptian Arabic (Cairo, +20 phone prefix)
```
Infrastructure Signatures
```text
# Hetzner VPS
rDNS: static.235.104.21.65.clients.your-server.de
Ports: 22 (SSH), 443 (HTTPS), 48261 (C2 exfil)
OS: Ubuntu Linux
Server: nginx → FastAPI (qimmaedu) / Node.js Express (C2)

# SmokeLoader C2 HTTP Characteristics
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
Content-Type: multipart/form-data
Auth: Token-based (custom header)
```
Investigation conducted March 6, 2026. All indicators were live at time of analysis.