high | Stealer

StealC v2 "GodGuest" Build: Following a Copyright String Through Three Years of Bulletproof Hosting, Shell Companies, and a Developer Who Signs His Work

Published: March 12, 2026
Threat Actors: NEKOBYTE
Tags: stealer, vidar, stealc, nekobyte, phishing, credential-theft, c2, botnet

TL;DR: A StealC v2 infostealer sample uploaded to MalwareBazaar on March 9, 2026 communicates with a C2 gate at joscramp[.]top (botnet group 3, now suspended). The sample is unremarkable on the surface -- another day, another commodity stealer. But the developer left fingerprints everywhere: a copyright string ("shmaer"), product metadata ("GodGuest" / "GoldenSnow"), and a PDB path with randomized directory names that persist across builds. Pivoting on the sample's import hash reveals 19 related binaries spanning three malware families -- StealC, RedLine Stealer, and Rhadamanthys -- dating back to March 2023. The infrastructure behind joscramp[.]top traces through a DNS hosting provider called hwrn[.]net ("Global Internet Telemetry Measurement Collective") into a bulletproof hosting network operated under a single RIPE maintainer in Ambrolauri, Georgia, with at least five shell companies registered at the same London address. One of those companies is NEKOBYTE INTERNATIONAL LIMITED -- a name that has appeared in prior Breakglass Intelligence reporting. Three years of infrastructure. Five shell companies. One import hash. One developer who could not resist putting his name in the copyright field.


A Stealer That Signs Its Own Work

Most infostealers arrive on MalwareBazaar as anonymous blobs. A SHA-256 hash, a tag or two, maybe a C2 URL if the submitter is generous. The analyst's job is to work backward from nothing toward something.

This sample arrived differently. Not because it was louder or more sophisticated than the hundreds of other StealC builds circulating in March 2026, but because the person who compiled it embedded enough metadata to build a timeline, a cluster, and a partial attribution -- all without running a single debugger.

The binary in question:

Attribute         | Value
SHA-256           | 0267f046308eb37ee48f932dce3ed33d578fc7e4bec5b24c9b845ac42a902253
MD5               | e2d51e426aefafcaa2064691c920e282
SHA-1             | 3910f18bd957d7e70b063233e613514d868c2410
File Type         | PE32 executable (GUI) Intel 80386, for MS Windows
File Size         | 2,621,440 bytes (2.5 MiB -- suspiciously round)
Compiler          | Microsoft Visual C++
Compile Timestamp | 2022-01-31 00:15:46 UTC
First Seen        | 2026-03-09 10:05:27 UTC

That compile timestamp is the first lie. StealC did not exist in January 2022 -- Sekoia's initial reporting places its emergence in January 2023, advertised on Russian-language forums as a successor to the Vidar and Raccoon stealer lineage. The forged timestamp is a deliberate anti-analysis measure (MITRE T1070.006), intended to pollute timeline analysis and confuse automated clustering. It is also standard practice for StealC builds, which makes it useful as a behavioral fingerprint even when the date itself is fiction.

The sample communicates with a C2 gate at hxxp://joscramp[.]top/410b5129171f10ea.php, identifying itself as botnet group 3. By the time our analysis was underway, the domain had already been placed on serverHold by the registrar -- suspended, but not before the infrastructure behind it could be mapped.

The Binary: What Lives Inside 2.5 Megabytes of "GUI Application"

The PE structure tells a story before you even run the binary.

PE Sections

Section | Virtual Size | Raw Size | Entropy | Notes
.text   | 196,846      | 197,120  | 7.44    | High entropy -- packed or encrypted code
.data   | 2,896,636    | 12,288   | 2.29    | 240x expansion at runtime -- this is the unpacking arena
.rsrc   | 39,168       | 39,424   | 4.64    | Resources, dialog templates, version info
.reloc  | 15,188       | 15,360   | 2.94    | Relocations

The .data section is the tell. A raw size of 12 kilobytes that expands to 2.8 megabytes at runtime means the section is an unpacking buffer -- the binary writes decrypted payloads into this space during execution. The .text section entropy of 7.44 (where 8.0 is maximum randomness) confirms the executable code is encrypted or heavily packed.
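Both tells can be checked with nothing but the standard library. The following is an added example, not code from the report or its authors: it walks the PE section table, measures raw-byte entropy, flags the virtual-to-raw expansion ratio, and runs against a constructed minimal PE32 image whose section table mimics the sample (the two thresholds are assumptions chosen here).

```python
import math
import random
import struct

ENTROPY_THRESHOLD = 7.0     # bits per byte; 8.0 is maximum randomness
EXPANSION_THRESHOLD = 20.0  # virtual/raw ratio; the report's .data is ~240x


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """Walk DOS header -> PE signature -> file header -> section table and
    return one dict per section: name, virtual size, raw size, raw entropy."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image (missing MZ)")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, e_lfanew + 4)
    table = e_lfanew + 4 + 20 + opt_size
    sections = []
    for i in range(nsec):
        # First five fields of the 40-byte IMAGE_SECTION_HEADER
        name, vsize, _, rsize, rptr = struct.unpack_from("<8sIIII", pe, table + i * 40)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "raw_size": rsize,
            "entropy": round(shannon_entropy(pe[rptr:rptr + rsize]), 2),
        })
    return sections


def triage(sections: list) -> list:
    """Flag the two packing signals the report relies on: high raw entropy and a
    section whose virtual size dwarfs its raw size (an in-memory unpacking arena)."""
    findings = []
    for s in sections:
        if s["entropy"] >= ENTROPY_THRESHOLD:
            findings.append(f"{s['name']}: entropy {s['entropy']} (packed or encrypted code)")
        if s["raw_size"] and s["virtual_size"] / s["raw_size"] >= EXPANSION_THRESHOLD:
            ratio = s["virtual_size"] / s["raw_size"]
            findings.append(f"{s['name']}: {ratio:.0f}x runtime expansion (unpacking arena)")
    return findings


def build_sample_pe() -> bytes:
    """Construct a minimal, non-executable PE32 image (test data only) whose
    section table mimics the report's sample: a high-entropy .text and a .data
    section with a tiny raw size but the report's 2,896,636-byte virtual size."""
    rnd = random.Random(1)  # deterministic pseudo-random bytes stand in for packed code
    text_raw = bytes(rnd.getrandbits(8) for _ in range(4096))
    data_raw = b"\0" * 512
    opt_size = 224  # size of a PE32 optional header
    headers_len = 0x40 + 4 + 20 + opt_size + 2 * 40
    text_ptr = (headers_len + 511) // 512 * 512  # next 512-byte file alignment boundary
    data_ptr = text_ptr + len(text_raw)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x102)
    opt_hdr = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)  # PE32 magic, rest zeroed

    def section(name, vsize, vaddr, rsize, rptr):
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rsize, rptr, 0, 0, 0, 0, 0x60000020)

    image = dos + b"PE\0\0" + file_hdr + opt_hdr
    image += section(b".text", len(text_raw), 0x1000, len(text_raw), text_ptr)
    image += section(b".data", 2_896_636, 0x2000, len(data_raw), data_ptr)
    image += b"\0" * (text_ptr - len(image)) + text_raw + data_raw
    return image


if __name__ == "__main__":
    for line in triage(parse_sections(build_sample_pe())):
        print(line)
```

Against a real sample, read the file bytes in place of build_sample_pe(); the two findings it prints for the constructed image correspond to the .text and .data rows in the table above.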

The resource section is more interesting than it should be. It contains dialog box templates with button labels like "Error," "Retry," "Restart," and "Ignore" -- the binary masquerades as a legitimate error dialog application. But the dialog body text is gibberish: the same randomized-syllable encoding scheme used for the configuration strings. It is a costume, and not a particularly convincing one.

Developer Fingerprints

This is where the operator's discipline breaks down.

Artifact     | Value                                                | Significance
PDB Path     | C:\babura\yexovadakob\dubayoje\letimamadecom\vi.pdb | Randomized directory names, "vi" project name
Copyright    | Copyright (C) 2023, shmaer                           | Developer alias -- signed into the binary
InternalName | GodGuest                                             | Build identifier
ProductName  | GoldenSnow                                           | Build identifier
FileVersion  | 15.18.62.51                                          | Possibly obfuscated versioning
Language     | 041301F2 (Spanish - Chile)                           | Likely false flag

The copyright string is the kind of mistake that makes attribution possible. "shmaer" is either a developer handle or a build tag, but either way it is unique, searchable, and present in a field that most analysts check early in triage. The PDB path -- C:\babura\yexovadakob\dubayoje\letimamadecom\vi.pdb -- uses randomized Romanized syllable patterns for directory names, a technique common in automated build environments. But the path structure itself is a fingerprint. If this developer uses the same build system across projects, the pattern will recur.

The "GodGuest" and "GoldenSnow" identifiers in the InternalName and ProductName fields are build markers. They serve no functional purpose in the malware's execution but persist across samples compiled from the same project file. For defenders, they are free clustering pivots.

The Spanish-Chile language code (041301F2) is almost certainly a false flag. Nothing else about this sample -- infrastructure, tooling, operational patterns -- points to South America.

Anti-Analysis: RC4 Encryption and a Sandbox That Crashes on Contact

StealC v2 does not run naked. The binary employs multiple layers of defense against analysis, each targeting a different class of analyst or automated system.

Encrypted Configuration

The .text section contains ASCII strings that look like someone fell asleep on a keyboard:

Offset | Encoded String                                      | Probable Purpose
0x2AD4 | huliguxabuponetexuxibepiwasudamidoviwepucovavomaxuj | C2 URL or build ID
0x2B08 | cusifavodojadowofajokuvowocen                       | C2 URL component
0x2B28 | bilezizileperuseduxiporutiloyez                     | C2 URL component
0x2B48 | puvewoyoloyunu                                      | C2 URL component
0x2C48 | jiwuyiwoxevopelafam                                 | Config string
0x2C5C | lokirarojukejedodatafapa                            | Config string
0x2C78 | sonipasegutimijubibihe                              | Config string

These are RC4-encrypted configuration values -- the C2 URL, build identifiers, and operational parameters that the malware decrypts at runtime. The all-lowercase, vowel-consonant-alternating pattern is characteristic of StealC's string encoding scheme. They look random but are not: the pattern is consistent enough to write detection rules against (and we have -- see the YARA section below).

Dynamic API Resolution

The binary also contains encrypted wide-character (UTF-16LE) strings used for dynamic API resolution:

Offset | Encoded String     | Context
0x2AB2 | mopiceyerowedemi   | Near kernel32.dll reference
0x2B5A | cmexep             | Short API name
0x2B68 | cotopewiluvepogomi | API function name
0x2BBE | Rakeyihisego       | Near msimg32.dll reference

Instead of importing Windows API functions normally (which would appear in the import table for static analysis tools to read), StealC decrypts the DLL and function names at runtime and resolves them dynamically. This is why the import table is sparse enough to produce a meaningful imphash -- and why that imphash becomes such a powerful clustering tool.

Sandbox Behavior

When executed in sandbox environments (Triage, ANY.RUN), the sample follows a predictable anti-analysis sequence:

Behavior         | Details
Process Chain    | x0267f046...exe (PID 5352) --> WerFault.exe (crash)
Language Check   | Reads HKLM\SYSTEM\ControlSet001\Control\NLS\Language (T1614.001)
DNS Activity     | Queries c.pki.goog (CRL check via Microsoft-CryptoAPI)
Execution Path   | C:\Users\Admin\AppData\Local\Temp\
C2 Communication | Failed -- domain already on serverHold

The system language discovery is a common CIS-region malware behavior: check the victim's language settings, and if the system is configured for Russian, Ukrainian, Belarusian, or another CIS-region language, terminate execution. It is an insurance policy -- do not steal from your neighbors, because your neighbors might know people who will come looking for you.

The WerFault.exe crash is the more interesting behavior. Rather than simply exiting when it detects a sandbox, the malware triggers Windows Error Reporting, which generates noise in process telemetry and may cause some automated analysis pipelines to classify the sample as "crashed" rather than "evasive." It is a small trick, but an effective one against analysis infrastructure that relies on clean execution to extract IOCs.

The Attack Chain

DELIVERY (unknown vector)
    |
    v
EXECUTION: PE32 GUI binary runs from %LOCALAPPDATA%\Temp\
    |
    v
UNPACKING: .data section expands from 12KB to 2.8MB
    |
    v
API RESOLUTION: RC4-decrypts DLL/function names, resolves dynamically
    |
    v
ANTI-ANALYSIS: System language check (T1614.001) --> sandbox crash trigger (WerFault)
    |
    v
C2 COMMUNICATION: HTTP POST to /410b5129171f10ea.php (RC4-encrypted body)
    |
    v
CREDENTIAL THEFT: Browsers, wallets, email clients, applications
    |
    v
EXFILTRATION: HTTP POST to C2 gate

The delivery vector is unknown for this sample. StealC is typically distributed through malvertising campaigns, cracked software downloads, and loader-as-a-service platforms. The binary itself is the second stage -- something upstream delivered it to the victim's %LOCALAPPDATA%\Temp\ directory.

Following the Infrastructure: From a Dead Domain to a Bulletproof Empire

The C2 domain joscramp[.]top was dead by the time we analyzed the sample. But dead domains still have WHOIS records, DNS history, and certificate transparency logs. And those records tell a story that extends far beyond a single stealer campaign.

The Domain

Attribute       | Value
Domain          | joscramp[.]top
Registrar       | Dynadot LLC
Created         | 2026-02-10
Status          | SUSPENDED (serverHold)
Nameservers     | ns1.hwrn[.]net / ns2.hwrn[.]net
TLS Certificate | ZeroSSL wildcard (*.joscramp.top), issued same day as registration

The domain was registered on February 10, 2026 via Dynadot and received a wildcard ZeroSSL certificate the same day. Wildcard certificates are a hallmark of operators who spin up subdomains rapidly for different campaigns or botnet groups. The certificate serial (29170d61adf776323e46586e6aef26c5) can be monitored in CT logs for reuse.

But the nameservers are where things get interesting.

hwrn[.]net: The DNS Layer

Attribute     | Value
Domain        | hwrn[.]net
Registrar     | Gandi SAS
Created       | 2023-11-28
Registrant    | "Global Internet Telemetry Measurement Collective"
Incorporation | Delaware
TLS           | Let's Encrypt R3, issued 2023-05-13

"Global Internet Telemetry Measurement Collective" is a name designed to sound legitimate to a WHOIS reviewer scrolling through abuse reports. It is registered in Delaware -- the US state of choice for shell entities due to minimal disclosure requirements. The nameservers themselves are hosted on Google Cloud infrastructure, adding another layer of apparent legitimacy.

hwrn[.]net provides DNS hosting for C2 domains. Any new domain registered with ns1.hwrn[.]net / ns2.hwrn[.]net as its nameservers should be treated as high-confidence malicious infrastructure. Monitoring certificate transparency logs for domains using these nameservers is one of the most actionable takeaways from this investigation.

The Bulletproof Hosting Network

The C2 infrastructure resolves to IP addresses managed by a network of companies that all trace back to a single RIPE maintainer:

RIPE Maintainer: lir-ge-fast-1-MNT
Registered: Ambrolauri, Georgia
Admin Contact: Sergey Aleksandrovich Miroshkin

    +-- Partner Hosting LTD (71-75 Shelton St, London WC2H 9JQ)
    |     +-- 178.236.252.0/24 (NL)
    |     +-- 193.233.112.0/23 (FI) <-- kazahstan[.]email, StealC C2
    |
    +-- Cloud Hosting Solutions, Limited (71-75 Shelton St, London WC2H 9JQ)
    |     +-- 85.28.47.0/24 (DE) <-- StealC C2
    |     +-- 109.237.96.0/24 (DE)
    |     +-- 144.31.80-81,194-195/24 (DE)
    |     +-- 146.19.207.0/24 (DE)
    |     +-- 178.236.244.0/23 (RU)
    |
    +-- NEKOBYTE INTERNATIONAL LIMITED (London)
    |     +-- 178.236.243.0/24 (DE, IT-GARAGE)
    |
    +-- WAIcore Ltd (London)
    |     +-- 178.236.254.0/24 (DE)
    |
    +-- nuxt.cloud hosting provider (London)
    |     +-- 109.237.97.0/24 (DE)
    |
    +-- Sergey Aleksandrovich Miroshkin (Georgia)
          +-- 77.91.64.0/20 (EU, parent allocation)
          +-- 109.237.96.0/23 (EU, parent allocation)

There is a lot to unpack here. The address 71-75 Shelton Street, London WC2H 9JQ is one of the most overused virtual office addresses in UK company fraud. It is a serviced office building in Covent Garden that provides registered agent services -- a postbox and a name on Companies House filings, nothing more. Multiple shell companies under the same RIPE maintainer, all registered at the same virtual office, all managing IP allocations spread across the Netherlands, Finland, Germany, and Russia: this is textbook bulletproof hosting infrastructure.

NEKOBYTE INTERNATIONAL LIMITED is a name that has appeared in prior Breakglass Intelligence reporting. The company manages a /24 allocation in Germany routed through IT-GARAGE, and its presence under the same RIPE maintainer as the StealC C2 infrastructure confirms that the lir-ge-fast-1-MNT network is a shared resource for multiple cybercriminal operations.

Active C2 Nodes

The investigation identified four live IP addresses associated with StealC C2 operations:

IP             | ASN / Provider                           | Open Ports                                          | Services                    | Status
193.233.112.44 | Partner Hosting LTD                      | 21,22,25,53,80,110,123,143,443,465,587,993,995,1500 | nginx, Exim, OpenSSH        | LIVE
196.251.107.23 | internet-security (SIL3-MNT, Seychelles) | 21,22,80,443,7777                                   | nginx, Apache, OpenSSH      | LIVE
85.28.47.152   | Cloud Hosting Solutions                  | 22                                                  | OpenSSH 8.2p1               | LIVE
194.195.209.91 | Linode (Akamai)                          | 22,80                                               | nginx 1.24.0, OpenSSH 9.6p1 | LIVE

The 193.233.112.44 node is particularly interesting -- it has a hostname of kazahstan[.]email (note the misspelling), runs a full mail stack (Exim with SMTP, POP3, and IMAP on standard and TLS ports), and falls within the Partner Hosting LTD allocation. A mail server on C2 infrastructure suggests the operator may also be using this network for phishing or spam distribution.

The Seychelles-registered internet-security provider hosting 196.251.107.23 adds another layer of jurisdictional complexity. Between Georgia, the UK, Finland, Germany, Russia, the Seychelles, and the United States (Linode/Akamai), any coordinated takedown effort would need to span at least seven legal jurisdictions.

The Imphash Cluster: Three Years, Three Families, Nineteen Samples

This is where a single sample turns into a campaign.

The import hash (imphash) 21829bcb83e2224c2104cf7cefe96c53 is shared by 19 samples on MalwareBazaar, spanning March 2023 to March 2026. An imphash is computed from the ordered list of imported DLL functions -- two binaries sharing the same imphash import the same functions in the same order from the same libraries. For packed or crypted samples with sparse import tables, this is a strong indicator of a shared builder, packer, or crypter service.
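To make the ordering point concrete, here is an added example (not the report's code) that computes an imphash the way pefile does: library name lowercased with its extension dropped, function name lowercased, entries joined in import order, MD5 of the result. The import lists are constructed and do not reproduce the sample's hash, and pefile's table of well-known ordinal names is omitted here as a simplifying assumption.

```python
import hashlib

_STRIP_EXT = (".dll", ".ocx", ".sys")


def import_string(imports: list) -> str:
    """imports: ordered list of (dll_name, function_name_or_ordinal) tuples.
    Builds the canonical 'lib.func,lib.func,...' string that is hashed."""
    parts = []
    for dll, func in imports:
        lib = dll.lower()
        for ext in _STRIP_EXT:
            if lib.endswith(ext):
                lib = lib[: -len(ext)]
                break
        # Imports by ordinal become 'ordN' (pefile first consults a name table
        # for a few libraries; that lookup is skipped in this example).
        name = f"ord{func}" if isinstance(func, int) else func.lower()
        parts.append(f"{lib}.{name}")
    return ",".join(parts)


def imphash(imports: list) -> str:
    """MD5 of the canonical import string, as a 32-character hex digest."""
    return hashlib.md5(import_string(imports).encode()).hexdigest()


# Constructed sparse import table of the kind a packer stub leaves behind.
PACKED_STUB = [("KERNEL32.DLL", "LoadLibraryA"),
               ("KERNEL32.DLL", "GetProcAddress"),
               ("USER32.dll", "MessageBoxA")]
# Same functions, same order, different casing: normalises to the same hash.
SAME_STUB = [("kernel32.dll", "loadlibrarya"),
             ("kernel32.dll", "getprocaddress"),
             ("user32.dll", "messageboxa")]
# Same functions in a different order: a different imphash entirely.
REORDERED = [PACKED_STUB[1], PACKED_STUB[0], PACKED_STUB[2]]

if __name__ == "__main__":
    print(import_string(PACKED_STUB), imphash(PACKED_STUB))
    print(import_string(REORDERED), imphash(REORDERED))
```

This is also why a crypter that emits the same stub around every payload yields one imphash across unrelated families: the stub's imports, not the payload's, are what gets hashed.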

Date       | SHA-256 (truncated) | Size       | Family         | C2
2026-03-09 | 0267f046...         | 2,621,440  | StealC         | joscramp[.]top
2023-04-06 | 30f1762d...         | 367,616    | RedLine        | 193.233.20[.]33:4125
2023-04-06 | 39ec0135...         | 367,616    | Unknown        | Unknown
2023-04-06 | 95c1ab6b...         | 307,712    | Unknown        | Unknown
2023-03-27 | fa0854b2...         | 328,704    | Rhadamanthys   | Unknown
2023-03-27 | f6395303...         | 265,216    | StealC         | joscramp[.]top
2023-03-27 | 64ca65d7...         | 264,704    | Unknown        | Unknown
...        | (11 more samples)   | 264-710 KB | StealC/Unknown | Various

Three distinct malware families sharing the same import hash. There are three plausible explanations:

  1. A shared crypter/packer service. The operator purchases packing from a third-party service that produces binaries with consistent import tables. This is the most likely explanation -- crypter-as-a-service is a mature market on Russian-language forums, and operators frequently pack different payload families through the same service.

  2. A single operator running multiple stealer families. One person or group deploying StealC, RedLine, and Rhadamanthys simultaneously, using the same build pipeline. This would indicate a higher level of operational maturity -- diversifying across stealer families to hedge against takedowns or detection improvements targeting any single family.

  3. Code lineage. StealC is a documented fork of the Vidar stealer, which itself evolved from the Raccoon stealer lineage. Shared import tables could reflect inherited code structure. However, this does not explain the RedLine and Rhadamanthys overlap.

The most critical data point: joscramp[.]top appears as a C2 domain for a sample dated March 27, 2023 -- nearly three years before the domain was registered on February 10, 2026. This means either the domain was previously registered, expired, and was re-registered by the same or a different operator; or the 2023 sample was retroactively tagged with the domain after the 2026 registration. Either way, the joscramp[.]top infrastructure has a documented lineage that predates the current campaign.

What Was Found vs. What Was Known

Aspect            | Prior Public Reporting     | This Investigation
C2 Infrastructure | 1 URL (joscramp.top)       | Full hosting chain: Dynadot --> hwrn.net DNS --> BPH network (lir-ge-fast-1-MNT) with 5+ shell companies
Related Samples   | 2 samples linked to the C2 | 19 samples via imphash cluster spanning 3 malware families over 3 years
Attribution       | Unknown developer          | Developer alias "shmaer", PDB fingerprint, GodGuest/GoldenSnow product names
Hosting           | Unknown                    | Georgian RIPE maintainer (Miroshkin), NEKOBYTE connection, 71-75 Shelton St shell network
Campaign Duration | First seen 2026-03-09      | Imphash cluster active since 2023-03-27

The gap between what was publicly known and what 30 minutes of infrastructure pivoting reveals is the entire argument for threat intelligence work that goes beyond IOC collection. A single C2 URL is useful for blocking. A hosting hierarchy with shell company names and RIPE maintainer handles is useful for predicting where the next C2 will appear.

Threat Actor Profile

Attribution Assessment

  • Confidence: MEDIUM
  • Developer Alias: "shmaer"
  • Region: Russian-speaking (assessed)
  • Motivation: Financial -- credential theft for sale or direct use
  • Sophistication: Moderate

Evidence for Russian-Speaking Origin

The evidence for CIS-region origin is circumstantial but convergent:

  1. RIPE maintainer lir-ge-fast-1-MNT is registered in Georgia (former Soviet state) to Sergey Aleksandrovich Miroshkin -- a Russian name
  2. IP allocations include Russian address space (178.236.244.0/23, 77.105.146.0/24 via Fotontelecom)
  3. C2 hostname kazahstan[.]email references another former Soviet state (misspelled, suggesting non-native English)
  4. StealC is a Russian-origin family, advertised and sold on Russian-language forums
  5. BPH operational patterns -- shell companies, virtual offices, multi-jurisdictional IP allocations -- match CIS-region cybercrime infrastructure models extensively documented in industry reporting

OPSEC Failures

The developer made five mistakes that enable clustering and partial attribution:

  1. Copyright string: "shmaer" in PE resources -- a direct, searchable developer fingerprint
  2. PDB path: C:\babura\yexovadakob\dubayoje\letimamadecom\vi.pdb -- the randomized pattern is itself a fingerprint that persists across builds
  3. Product metadata: "GodGuest" and "GoldenSnow" in InternalName/ProductName fields
  4. Shared imphash: The same import hash across 19 samples over 3 years creates a long-running operational fingerprint
  5. Reused C2 gate path: /410b5129171f10ea.php appears in multiple samples, making network detection trivial once the pattern is identified

These are not sophisticated mistakes. They are the kind of errors made by a developer who either does not know that analysts check PE metadata, or knows and does not care because the economics of commodity malware make burn-and-rebuild cheaper than operational security. When you can register a new domain for $2 and pack a new binary in 10 minutes, why spend time scrubbing metadata?

The answer, of course, is that metadata is what turns a single blocked domain into a three-year campaign timeline.

Actor Timeline

Date       | Event
2023-03-27 | First samples with imphash 21829bcb... appear on MalwareBazaar
2023-03-27 | joscramp[.]top C2 URL first reported to ThreatFox
2023-04-06 | RedLine Stealer samples with same imphash surface (multi-family operation)
2023-11-28 | hwrn[.]net DNS hosting domain registered via Gandi
2026-02-10 | joscramp[.]top registered via Dynadot; ZeroSSL wildcard cert issued same day
2026-03-08 | ANY.RUN sandbox analysis of current sample
2026-03-09 | Sample uploaded to MalwareBazaar; C2 reported to ThreatFox
2026-03-10 | Domain suspended (serverHold); Breakglass Intelligence investigation

The gap between April 2023 and February 2026 is notable. Either the operator was inactive, or they were operating under different infrastructure that has not yet been linked to this cluster. The hwrn[.]net registration in November 2023 suggests the DNS hosting layer was being prepared during the quiet period -- infrastructure buildout before the next operational phase.

MITRE ATT&CK Mapping

Tactic               | Technique                        | ID        | Implementation
Defense Evasion      | Obfuscated Files or Information  | T1027     | RC4-encrypted config, obfuscated dialog strings
Defense Evasion      | Deobfuscate/Decode Files         | T1140     | Runtime decryption of API names and C2 config
Defense Evasion      | Indicator Removal: Timestomp     | T1070.006 | Forged PE compile timestamp (2022-01-31)
Defense Evasion      | Virtualization/Sandbox Evasion   | T1497     | WerFault crash trigger in sandbox environments
Discovery            | System Language Discovery        | T1614.001 | NLS\Language registry key check
Discovery            | System Location Discovery        | T1614     | Geographic profiling before payload execution
Command and Control  | Application Layer Protocol: Web  | T1071.001 | HTTP POST to C2 gate PHP endpoint
Command and Control  | Encrypted Channel                | T1573     | RC4-encrypted C2 traffic
Collection           | Data from Local System           | T1005     | Browser credentials, wallet data, application data
Credential Access    | Credentials from Password Stores | T1555     | Browser credential database extraction
Exfiltration         | Exfiltration Over C2 Channel     | T1041     | HTTP POST exfiltration to C2 gate
Resource Development | Acquire Infrastructure: Domains  | T1583.001 | joscramp[.]top via Dynadot with hwrn[.]net DNS
Resource Development | Acquire Infrastructure: Server   | T1583.004 | BPH network via lir-ge-fast-1-MNT shell companies

Detection

YARA Rules

Three YARA rules target different aspects of this campaign:

Rule 1: GodGuest/Shmaer Build Detection -- Fires on the developer's metadata fingerprints and encrypted configuration strings.

rule StealC_GodGuest_Shmaer : stealc infostealer
{
    meta:
        author = "GHOST (Breakglass Intelligence)"
        date = "2026-03-10"
        description = "StealC with GodGuest/GoldenSnow metadata and shmaer developer"
        hash = "0267f046308eb37ee48f932dce3ed33d578fc7e4bec5b24c9b845ac42a902253"

    strings:
        $pdb = "babura" ascii wide
        $copyright = "shmaer" ascii wide
        $internal = "GodGuest" ascii wide
        $product = "GoldenSnow" ascii wide
        $cfg1 = "huliguxabuponetexuxibepiwasudamidoviwepucovavomaxuj" ascii
        $cfg2 = "cusifavodojadowofajokuvowocen" ascii
        $cfg3 = "bilezizileperuseduxiporutiloyez" ascii

    condition:
        uint16(0) == 0x5A4D and filesize < 5MB and
        (
            ($copyright and $internal) or
            ($copyright and $product) or
            ($pdb and any of ($cfg*)) or
            (3 of ($cfg*))
        )
}

Rule 2: Imphash Campaign Cluster -- Catches any PE binary matching the shared import hash across the 19-sample cluster.

import "pe"

rule StealC_Imphash_Cluster : stealc campaign
{
    meta:
        author = "GHOST (Breakglass Intelligence)"
        date = "2026-03-10"
        description = "StealC/RedLine/Rhadamanthys cluster via shared imphash"
        imphash = "21829bcb83e2224c2104cf7cefe96c53"

    strings:
        $pdb_pattern = /C:\\[a-z]{4,12}\\[a-z]{6,16}\\[a-z]{6,12}\\[a-z]{8,16}\\[a-z]{2,4}\.pdb/ ascii
        $encoded_pattern = /[a-z]{16,50}\x00[a-z]{16,50}/ ascii

    condition:
        uint16(0) == 0x5A4D and filesize < 5MB and
        (
            pe.imphash() == "21829bcb83e2224c2104cf7cefe96c53" or
            ($pdb_pattern and $encoded_pattern)
        )
}

Rule 3: C2 URI Pattern -- Detects the StealC gate format (16 hex characters followed by .php) alongside the characteristic encoded string pattern.

rule StealC_C2_URI_Pattern : stealc c2
{
    meta:
        author = "GHOST (Breakglass Intelligence)"
        date = "2026-03-10"
        description = "StealC C2 gate URI pattern (16 hex char PHP file)"

    strings:
        $uri = /\/[0-9a-f]{16}\.php/ ascii wide
        $stealc_enc = /[a-z]{20,50}\x00[a-z]{20,50}\x00[a-z]{20,50}/ ascii

    condition:
        uint16(0) == 0x5A4D and $uri and $stealc_enc
}

Suricata Rules

# Suricata parses one rule per line; a trailing backslash continues a rule
# onto the next line, which is what keeps these readable multi-line rules valid.

# StealC C2 gate pattern: POST to /<16hex>.php
alert http $HOME_NET any -> $EXTERNAL_NET any ( \
    msg:"BREAKGLASS StealC C2 Gate URI Pattern (POST to /<16hex>.php)"; \
    flow:established,to_server; \
    http.method; content:"POST"; \
    http.uri; pcre:"/^\/[0-9a-f]{16}\.php$/"; \
    classtype:trojan-activity; \
    sid:2026031001; rev:1; \
)

# StealC C2 domain lookup
alert dns $HOME_NET any -> any any ( \
    msg:"BREAKGLASS StealC C2 DNS Lookup (joscramp.top)"; \
    dns.query; content:"joscramp.top"; nocase; \
    classtype:trojan-activity; \
    sid:2026031002; rev:1; \
)

# BPH network ranges (lir-ge-fast-1-MNT) -- high-confidence malicious
alert ip $HOME_NET any -> [77.91.64.0/20,109.237.96.0/23,178.236.240.0/20, \
    193.233.112.0/23,85.28.47.0/24,144.31.80.0/24,144.31.81.0/24, \
    144.31.194.0/24,144.31.195.0/24,146.19.207.0/24] any ( \
    msg:"BREAKGLASS BPH Network Communication (lir-ge-fast-1-MNT)"; \
    classtype:bad-unknown; \
    sid:2026031005; rev:1; \
)

# hwrn.net DNS hosting infrastructure
alert dns $HOME_NET any -> any any ( \
    msg:"BREAKGLASS Suspicious DNS Hosting Lookup (hwrn.net)"; \
    dns.query; content:"hwrn.net"; nocase; \
    classtype:bad-unknown; \
    sid:2026031006; rev:1; \
)

Detection Guidance for SOC Teams

  • EDR: Hunt for imphash 21829bcb83e2224c2104cf7cefe96c53 in endpoint telemetry. Search for the PDB substring babura and copyright string shmaer in file metadata.
  • Network: Monitor for HTTP POST requests to URIs matching /<16_hex_chars>.php -- this is the StealC gate pattern. The body will be RC4-encrypted, appearing as binary data under an application/x-www-form-urlencoded content type.
  • DNS: Any query for a domain using ns1.hwrn[.]net or ns2.hwrn[.]net as nameservers is suspect. Consider blocking the entire lir-ge-fast-1-MNT IP space at the network perimeter.
  • Browser credentials: If StealC successfully executed on a host, assume all browser-saved credentials, cookies, and autofill data are compromised. Initiate credential rotation.

Indicators of Compromise

File Indicators

Type             | Value
SHA-256          | 0267f046308eb37ee48f932dce3ed33d578fc7e4bec5b24c9b845ac42a902253
MD5              | e2d51e426aefafcaa2064691c920e282
SHA-1            | 3910f18bd957d7e70b063233e613514d868c2410
Imphash          | 21829bcb83e2224c2104cf7cefe96c53
SSDEEP           | 12288:oDAkyWb+BEzNquZuAkvHM3GL9WsgJvJafWFwURUVzfB:QPxDRLZunvsm8Jaiwx
TLSH             | T1F2C5C683A2930455E14AB370B54D01D59781EEA205E4BBBFA8F2FE683FA41441FF3A57
Unpacked SHA-256 | a9200cfb3565dabeee166a35586b5edd13cc491ed670a71f9e8c1300b563c178
Related SHA-256  | f639530345c52597fc8d4f6ccc98b71f03088a0c330a7df97cf4e3099da918b1

Network Indicators

Type        | Indicator                                  | Status
C2 URL      | hxxp://joscramp[.]top/410b5129171f10ea.php | SUSPENDED
C2 Domain   | joscramp[.]top                             | SUSPENDED
DNS Hosting | ns1.hwrn[.]net / ns2.hwrn[.]net            | LIVE
DNS Domain  | hwrn[.]net                                 | LIVE
C2 IP       | 193.233.112[.]44 (kazahstan[.]email)       | LIVE
C2 IP       | 196.251.107[.]23                           | LIVE
C2 IP       | 85.28.47[.]152                             | LIVE
C2 IP       | 194.195.209[.]91                           | LIVE
C2 IP       | 178.20.209[.]136                           | LIVE
C2 IP       | 185.123.102[.]253                          | LIVE
C2 IP       | 91.212.166[.]169                           | LIVE

BPH Network Ranges (lir-ge-fast-1-MNT)

CIDR                            | Country  | Operator
77.91.64.0/20                   | EU       | Sergey Miroshkin (direct)
109.237.96.0/23                 | EU       | Sergey Miroshkin (direct)
178.236.240.0 - 178.236.254.255 | DE/RU/NL | Multiple shell companies
193.233.112.0/23                | FI       | Partner Hosting LTD
85.28.47.0/24                   | DE       | Cloud Hosting Solutions
144.31.80.0/24                  | DE       | Cloud Hosting Solutions
144.31.81.0/24                  | DE       | Cloud Hosting Solutions
144.31.194.0/24                 | DE       | Cloud Hosting Solutions
144.31.195.0/24                 | DE       | Cloud Hosting Solutions
146.19.207.0/24                 | DE       | Cloud Hosting Solutions

Behavioral Indicators

Type           | Value
PDB Path       | C:\babura\yexovadakob\dubayoje\letimamadecom\vi.pdb
Copyright      | Copyright (C) 2023, shmaer
InternalName   | GodGuest
ProductName    | GoldenSnow
FileVersion    | 15.18.62.51
C2 URI Pattern | /<16_hex_chars>.php
Registry Key   | HKLM\SYSTEM\ControlSet001\Control\NLS\Language
Execution Path | %LOCALAPPDATA%\Temp\

Immediate (24-48 hours):

  • Block all listed domains and IPs at firewall, proxy, and DNS sinkhole layers
  • Search SIEM/EDR for any historical connections to joscramp[.]top or the listed C2 IPs
  • Hunt for imphash 21829bcb83e2224c2104cf7cefe96c53 across endpoint telemetry
  • Search file metadata for the string shmaer or babura

Short-term (1-2 weeks):

  • Block entire BPH IP ranges from lir-ge-fast-1-MNT at the network perimeter
  • Deploy the YARA and Suricata rules above to endpoint and network detection platforms
  • Rotate credentials for any endpoints where StealC execution cannot be ruled out
  • Assess organizational exposure to StealC's target list (browser credentials, crypto wallets, email clients, FTP clients)

Medium-term (1-3 months):

  • Monitor CT logs for new certificates issued to domains using hwrn[.]net nameservers
  • Track lir-ge-fast-1-MNT RIPE allocations for new IP assignments
  • Monitor MalwareBazaar for new samples matching imphash 21829bcb83e2224c2104cf7cefe96c53
  • Consider a blanket policy to block Dynadot-registered .top domains using hwrn[.]net nameservers -- the false positive rate should be near zero

Published by Breakglass Intelligence. Investigation conducted 2026-03-10. 1 sample. 19 related binaries. 3 malware families. 5 shell companies. 1 developer who signs his work. Classification: TLP:CLEAR
