Severity: High | Category: Stealer

StealC v2 Hidden in Candy Crush: A Multi-Campaign Crime Server on Google Cloud Running 6 Malware Families Across 3,778 Ports

Published: March 12, 2026
Tags: stealer, stealc, asyncrat, xworm, phishing, social-engineering, credential-theft, c2, ransomware, dga

TL;DR: A 2.5MB StealC v2 infostealer packed inside a legitimate King game (Candy Crush Saga) binary is communicating with a live C2 server at joscramp[.]top hosted on Google Cloud Platform. Infrastructure pivoting reveals the C2 IP (34.41.139.193) is shared with NetWire RAT, ClearFake, AsyncRAT, XWorm, Formbook, and Zeppelin ransomware -- and hosts 8 co-located domains including a banking phishing operation with 1,028 certificate names targeting Chase, Citibank, Wells Fargo, and Intesa Sanpaolo. The operator has been reusing the same C2 gate path since 2023, and runs nginx on 3,778+ ports as an anti-fingerprinting measure. The server remains fully operational as of 2026-03-09.


The Sample: A Game You Do Not Want to Play

The investigation began with a PE32 binary submitted to MalwareBazaar on 2026-03-09. At first glance, the file looks like a King game executable -- the binary is riddled with legitimate RTTI strings from the Candy Crush Saga engine family: CStarLevelManager, EpisodeRace, PopupTrickOrTreat, SendCandyState, along with King's internal SDKs (KsdkInternal, winsdkfb, kvast).

It is not a game.

| Property          | Value |
|-------------------|-------|
| SHA-256           | 0267f046308eb37ee48f932dce3ed33d578fc7e4bec5b24c9b845ac42a902253 |
| MD5               | e2d51e426aefafcaa2064691c920e282 |
| SHA-1             | 3910f18bd957d7e70b063233e613514d868c2410 |
| File Size         | 2,621,440 bytes (2.5 MB) |
| Type              | PE32 executable (GUI) Intel 80386, for MS Windows |
| Linker            | MSVC 2012 (Build 21022) |
| Compile Timestamp | 2022-01-31 00:15:46 UTC (likely forged) |
| PDB Path          | C:\babura\yexovadakob\dubayoje\letimamadecom\vi.pdb |
| Family            | StealC v2 (information stealer / MaaS) |

The compilation timestamp predates the C2 domain registration by 4 years. It is almost certainly forged.

Anatomy of the Packer: 89.9% Encrypted Overlay

The binary uses a custom packing technique where legitimate King game code serves as the carrier, with the actual StealC payload hidden in an encrypted overlay that comprises nearly 90% of the file.

| Section | Raw Size   | Entropy | Assessment |
|---------|------------|---------|------------|
| .text   | 192.5 KB   | 7.44    | Packed/encrypted -- contains the unpacking stub |
| .data   | 12.0 KB    | 2.29    | RTTI metadata and vtables from King game code |
| .rsrc   | 38.5 KB    | 4.64    | PE resources |
| .reloc  | 15.0 KB    | 2.94    | Relocation table |
| OVERLAY | 2,301.0 KB | 4.76    | Encrypted StealC v2 payload |

The .text section entropy of 7.44 (near-random) confirms packed executable code. At runtime, the stub allocates memory via VirtualAlloc, decrypts the 2.3MB overlay using RC4, and transfers execution to the real StealC payload.

Import Table: A Classic Packer Signature

The binary imports from only 3 DLLs -- a telltale packer fingerprint. Most of the 110 KERNEL32 imports are decoys (SetDefaultCommConfigW, CreateHardLinkA, DnsHostnameToComputerNameA) designed to pollute automated analysis. The real imports tell the story:

# Unpacking
LoadLibraryA, LoadLibraryW, GetProcAddress, VirtualAlloc, VirtualQuery, VirtualFree

# Anti-analysis
IsDebuggerPresent, GetTickCount, QueryPerformanceCounter, QueryPerformanceFrequency, DebugBreak

# Execution
HeapAlloc, HeapFree, GetModuleHandleA, Sleep, ExitProcess

GDI32.dll contributes 3 decoy imports. ADVAPI32.dll contributes 1. None are used by the actual malware.

Embedded RC4 Keys

Six randomized lowercase strings extracted from the binary match StealC v2's documented pattern of hardcoded RC4 keys used for string and configuration decryption:

huliguxabuponetexuxibepiwasudamidoviwepucovavomaxuj   (50 chars, primary key)
cusifavodojadowofajokuvowocen                         (29 chars)
bilezizileperuseduxiporutiloyez                       (31 chars)
lokirarojukejedodatafapa                               (24 chars)
sonipasegutimijubibihe                                 (22 chars)
jiwuyiwoxevopelafam                                    (19 chars)

These are not random noise -- they are the decryption keys that unlock the stealer's runtime configuration, C2 URLs, and target application paths after the overlay is unpacked.

The Attack Chain

Delivery              Execution              Unpacking                C2 Init                  Exfiltration
   |                     |                      |                       |                          |
Malvertising/      Victim runs            Overlay decrypt          HTTP POST to             Browser creds,
Phishing           trojanized King        via VirtualAlloc +       joscramp.top/            crypto wallets,
                   game binary            RC4 decryption           410b5129171f10ea.php     files, screenshots
                                                                   (build registration)     via Base64 JSON POST

C2 Protocol: StealC v2 JSON-over-HTTP

The stealer communicates with its C2 at hxxp://joscramp[.]top/410b5129171f10ea[.]php using StealC v2's documented JSON-over-HTTP POST protocol:

  1. Registration -- {"type":"create","hwid":"<hardware_id>","build":"410b5129171f10ea"} -- registers the infected host and receives an access token plus operational flags
  2. Config receipt -- server returns which modules to activate (browsers, wallets, file grabber, screenshots)
  3. Data upload -- {"type":"upload_file","token":"<token>","file":"<base64_data>"} -- exfiltrates stolen data
  4. Completion -- {"type":"done","token":"<token>"} -- signals exfiltration complete
  5. Loader (optional) -- {"type":"loader"} -- pulls additional payloads for second-stage delivery

The build ID 410b5129171f10ea is a 16-character hex string unique to this campaign or affiliate. This same gate path has been active since at least 2023-03-27 (see infrastructure timeline below), meaning the operator has been running this exact build configuration for nearly three years.

What StealC v2 Steals

Based on documented StealC v2 capabilities, once the payload unpacks and registers with the C2, victims can expect comprehensive data theft:

  • Browser data -- Chrome, Firefox, Edge, Opera, Brave credentials, cookies, autofill, and history. For Chromium-based browsers the encrypted credential files are sent to the C2 for server-side decryption; Firefox credentials are decrypted locally by loading nss3.dll.
  • Cryptocurrency wallets -- Browser extension wallets (MetaMask, Phantom), desktop wallets (Exodus, Atomic, Electrum), private keys and recovery phrases.
  • Application data -- Telegram sessions, Discord tokens, Steam credentials, FileZilla/WinSCP saved sessions, Outlook PST/OST files, VPN configurations.
  • System reconnaissance -- Multi-monitor screenshots, file grabber targeting Desktop/Documents/AppData for .txt, .pwd, .wallet, and .doc files, plus full system profiling.

Infrastructure Deep Dive: One IP, Eight Domains, Six Malware Families

This is where the investigation gets interesting. The C2 resolves to 34.41.139.193, a Google Cloud Platform instance in AS396982. Pivoting on that IP reveals a sprawling criminal operation.

The C2 Server

| Property   | Value |
|------------|-------|
| IP         | 34.41.139.193 |
| IPv6       | 2600:1900:4001:96e:8000:1:cfc9:766a |
| ASN        | AS396982 (Google Cloud) |
| OS         | Ubuntu Linux |
| Web Server | nginx |
| SSH        | OpenSSH 8.9p1 |
| Open Ports | 3,778+ (see anti-fingerprinting below) |
| Status     | LIVE as of 2026-03-09 |

Anti-Fingerprinting: 3,778 Decoy Ports

The server runs nginx configured to return HTTP 200 OK with an empty body on 3,778+ open ports (range 2-65432). This is a deliberate anti-scanning technique: port scanners see thousands of apparently identical services, making it impossible to determine which port hosts the actual C2 panel. Combined with robots.txt: Disallow: / to block crawlers, the operator has made automated infrastructure profiling effectively useless.

Eight Co-Hosted Domains

Every domain on this IP uses the same registrar (Dynadot), the same nameservers (ns1/ns2.hwrn.net), and the same ZeroSSL wildcard certificates -- confirming unified ownership.

| Domain                     | Registered | Purpose |
|----------------------------|------------|---------|
| joscramp[.]top             | 2026-02-10 | StealC C2 (this investigation) |
| zzkongqipao[.]com          | 2022-10-09 | Chinese gambling (baccarat subdomains) |
| flashdot[.]tech            | 2026-03-04 | Has "xsoar" and "secbot" subdomains (5 days old) |
| gwangjuhorse[.]xyz         | 2024-04-20 | Korean horse racing gambling |
| xxxy[.]biz                 | 2025-05-27 | Banking phishing -- 1,028 certificate names |
| ipcheker[.]com             | 2022-07-08 | IP checking / victim geolocation |
| shofha[.]online            | 2025-11-26 | DGA-like random hash subdomains |
| relogiosreplicassbr1[.]xyz | 2024-05-10 | Portuguese replica watches scam |

The Banking Phishing Operation (xxxy[.]biz)

Certificate transparency logs for xxxy[.]biz reveal 1,028 subdomain names on a single wildcard certificate, targeting major financial institutions across multiple countries:

| Target          | Example Subdomains |
|-----------------|--------------------|
| Chase Bank      | chaseverify02secure.xxxy.biz |
| Citibank        | cit1bankonline.xxxy.biz |
| Wells Fargo     | wellfarg.xxxy.biz, wellslive.xxxy.biz, wellslivelogin.xxxy.biz |
| Huntington Bank | w1huntingtonvbankw1.xxxy.biz |
| Intesa Sanpaolo | www-infocenter-intesasanpaolo-by-boxer.xxxy.biz |
| Netflix         | 2netflixv2securevpage2.xxxy.biz |
| WhatsApp        | Dozens of Indonesian-language social engineering subdomains |

This is the same operator running StealC, phishing campaigns targeting US and European banks, and social engineering campaigns in Southeast Asia -- all from one Google Cloud VM.
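The subdomain names in the table above share one trick: a brand name with digits swapped in for letters (cit1bank, w1huntington). The following is an added example, not code from the report, showing how a certificate transparency monitor can normalize SAN names from a wildcard certificate and flag the brands they impersonate. The brand token list and the benign "mail" label are assumptions constructed for the example.

```python
import re

# Brand tokens drawn from the xxxy.biz certificate names in this report; the
# leet map undoes the digit-for-letter swaps seen there (cit1bank, w1huntington).
BRANDS = {
    "Chase": ("chase",),
    "Citibank": ("citibank",),
    "Wells Fargo": ("wellsfargo", "wellfarg", "wells"),
    "Huntington Bank": ("huntington",),
    "Intesa Sanpaolo": ("intesasanpaolo", "intesa"),
    "Netflix": ("netflix",),
}
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t"})


def normalize(label):
    """Lowercase, undo leet digits, then drop everything that is not a letter."""
    return re.sub(r"[^a-z]", "", label.lower().translate(LEET))


def brand_hits(hostname, zone):
    """Brands impersonated by the labels left of `zone`; [] for the apex or foreign names."""
    host = hostname.lower().rstrip(".")
    if host == zone or not host.endswith("." + zone):
        return []
    text = "".join(normalize(lbl) for lbl in host[: -len(zone) - 1].split("."))
    return [brand for brand, tokens in BRANDS.items() if any(t in text for t in tokens)]


def scan_ct_names(names, zone):
    """Map each SAN that impersonates a brand to the brands it hits."""
    flagged = {}
    for name in names:
        hits = brand_hits(name, zone)
        if hits:
            flagged[name] = hits
    return flagged


# SAN names from the report's CT table plus one constructed benign label.
SAMPLE_SANS = [
    "chaseverify02secure.xxxy.biz",
    "cit1bankonline.xxxy.biz",
    "wellfarg.xxxy.biz",
    "wellslive.xxxy.biz",
    "wellslivelogin.xxxy.biz",
    "w1huntingtonvbankw1.xxxy.biz",
    "www-infocenter-intesasanpaolo-by-boxer.xxxy.biz",
    "2netflixv2securevpage2.xxxy.biz",
    "mail.xxxy.biz",  # constructed benign label, should not be flagged
]

if __name__ == "__main__":
    for name, brands in scan_ct_names(SAMPLE_SANS, "xxxy.biz").items():
        print(name, "->", ", ".join(brands))
```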

Six Malware Families, One IP

OTX threat intelligence associates 34.41.139.193 with additional malware families beyond StealC:

| Family      | Type                                    | Period |
|-------------|-----------------------------------------|--------|
| StealC      | Infostealer                             | Feb-Mar 2026 |
| NetWire RAT | Remote access trojan (ports 5202, 8081) | Nov 2025-Feb 2026 |
| ClearFake   | Fake browser update distribution        | Feb 2026 |
| AsyncRAT    | Remote access trojan                    | Feb 2026 |
| XWorm       | RAT/worm                                | Feb 2026 |
| Formbook    | Infostealer                             | Feb 2026 |
| Zeppelin    | Ransomware                              | Feb 2026 |

DNS and Mail Infrastructure

The operator runs their own DNS and mail infrastructure through shell organizations:

Tier 0 (Upstream):     Google Cloud Platform (AS396982)
                              |
Tier 1 (DNS):          hwrn.net ("Global Internet Telemetry Measurement Collective")
                        ns1.hwrn.net -> 34.32.207.228 (GCP)
                        ns2.hwrn.net -> 34.46.191.171 (GCP)
                              |
Tier 2 (Mail):          csof.net (same registrant org)
                        mx1.csof.net -> 46.4.12.146 (Hetzner DE)
                        mx2.csof.net -> 46.4.10.173 (Hetzner DE)
                              |
Tier 3 (C2):           joscramp.top -> 34.41.139.193 (GCP)
                        + 7 additional domains -> same IP

Both hwrn.net and csof.net are registered to "Global Internet Telemetry Measurement Collective," a Delaware entity that provides DNS and mail services exclusively to domains on this C2 infrastructure.

Certificate Timeline

| Domain              | Issuer  | Issued     | Expires    | SANs |
|---------------------|---------|------------|------------|------|
| *.joscramp[.]top    | ZeroSSL | 2026-02-10 | 2026-05-11 | *.joscramp.top, joscramp.top |
| *.zzkongqipao[.]com | ZeroSSL | 2025-12-24 | 2026-03-24 | *.zzkongqipao.com, zzkongqipao.com |

Both wildcard certificates were provisioned through ZeroSSL's free tier -- no identity verification, automated issuance.

Three Years of the Same Gate Path

The most damning infrastructure finding: the C2 gate path 410b5129171f10ea.php has been reused across two separate domain registration periods. OTX passive DNS data reveals joscramp[.]top was first registered and used for StealC in 2023, expired, and was re-registered in February 2026 by the same operator:

# 2023 campaign (original registration)
hxxp://joscramp[.]top/notepadp.exe                          (payload, 2023-03-27)
hxxp://joscramp[.]top/c043bcd0ba06ae1d/nss3.dll             (Firefox credential theft kit)
hxxp://joscramp[.]top/c043bcd0ba06ae1d/freebl3.dll          (FreeBL crypto lib)
hxxp://joscramp[.]top/c043bcd0ba06ae1d/mozglue.dll          (Mozilla glue lib)
hxxp://joscramp[.]top/c043bcd0ba06ae1d/msvcp140.dll         (MSVC runtime)
hxxp://joscramp[.]top/410b5129171f10ea.php                   (StealC gate, 2023-12-03)

# 2026 campaign (re-registration)
hxxp://joscramp[.]top/410b5129171f10ea.php                   (same gate, 2026-03-09)

The NSS/FreeBL/mozglue DLL downloads are the standard StealC credential theft kit -- Mozilla libraries used to decrypt Firefox credential databases on the victim's machine. The reuse of the identical 16-character hex gate path across a 3-year gap is conclusive: this is the same operator, the same affiliate ID, and the same campaign infrastructure.

Actor Profile

| Attribute      | Assessment |
|----------------|------------|
| Confidence     | MEDIUM |
| Type           | Cybercriminal (MaaS operator/affiliate) |
| Language       | Possibly Chinese-speaking (based on zzkongqipao.com) |
| Motivation     | Financial -- credential theft, cryptocurrency, banking phish, gambling |
| Sophistication | Moderate -- MaaS platform with custom packing and deliberate anti-analysis |
| Active Since   | At least March 2023 |

OPSEC Failures

The operator made several mistakes that enabled full infrastructure clustering:

  1. Shared C2 IP -- Running StealC, NetWire RAT, and 5 other malware families on one IP enabled cross-campaign linking
  2. Co-hosted domains -- zzkongqipao.com and 6 other domains on the same IP reveal operator interests and targeting scope
  3. Identical registrar/NS/CA stack -- Dynadot + hwrn.net + ZeroSSL across all domains confirms single ownership
  4. Reused gate path -- Same 410b5129171f10ea.php across 3 years of operations
  5. Wildcard DNS -- All subdomains of joscramp.top resolve to the C2 IP, making the domain trivially identifiable as malicious
  6. PDB path leaked -- C:\babura\yexovadakob\dubayoje\letimamadecom\vi.pdb serves as a unique builder fingerprint

Related Samples

| SHA-256                    | First Seen | C2                                  | Family |
|----------------------------|------------|-------------------------------------|--------|
| 0267f046...a902253         | 2026-03-09 | joscramp[.]top/410b5129171f10ea.php | StealC (this investigation) |
| f639530345c52597...da918b1 | 2023-03-27 | joscramp[.]top/410b5129171f10ea.php | StealC |
| 6e1ec623cf5e3d80...74aaf   | 2025-11-24 | 34.41.139.193:8081                  | NetWire RAT |

MITRE ATT&CK Mapping

| Tactic               | Technique                            | ID            | Implementation |
|----------------------|--------------------------------------|---------------|----------------|
| Initial Access       | Phishing / Drive-by Compromise       | T1566 / T1189 | Malvertising delivers trojanized King game binary |
| Execution            | User Execution: Malicious File       | T1204.002     | Victim runs disguised game executable |
| Defense Evasion      | Obfuscated Files or Information      | T1027         | RC4-encrypted strings, packed .text section, 2.3MB encrypted overlay |
| Defense Evasion      | Deobfuscate/Decode Files             | T1140         | Runtime RC4 decryption of config, strings, and overlay payload |
| Defense Evasion      | Masquerading: Match Legitimate Name  | T1036.005     | Binary contains legitimate King game RTTI and SDK strings |
| Defense Evasion      | Virtualization/Sandbox Evasion       | T1497         | IsDebuggerPresent, GetTickCount/QueryPerformanceCounter timing checks |
| Defense Evasion      | Indicator Removal: File Deletion     | T1070.004     | StealC self-terminates after exfiltration |
| Discovery            | System Information Discovery         | T1082         | Hostname, username, OS version, installed software enumeration |
| Credential Access    | Credentials from Password Stores     | T1555         | Browser credential database extraction |
| Credential Access    | Credentials from Web Browsers        | T1555.003     | Chrome/Firefox/Edge password and cookie theft |
| Collection           | Data from Local System               | T1005         | File grabber, wallet data, application configs |
| Collection           | Screen Capture                       | T1113         | Multi-monitor screenshot capture |
| Collection           | Clipboard Data                       | T1115         | Clipboard monitoring for crypto addresses |
| Command and Control  | Application Layer Protocol: HTTP     | T1071.001     | JSON-over-HTTP POST to C2 gate |
| Command and Control  | Encrypted Channel                    | T1573         | RC4 + Base64 encoding of C2 traffic |
| Exfiltration         | Exfiltration Over C2 Channel         | T1041         | Stolen data uploaded via HTTP POST |
| Resource Development | Acquire Infrastructure: Domains      | T1583.001     | joscramp[.]top + 7 co-hosted domains via Dynadot |
| Resource Development | Acquire Infrastructure: Server       | T1583.004     | Google Cloud VM with custom DNS/mail infrastructure |
| Resource Development | Obtain Capabilities: Malware         | T1588.001     | StealC v2 MaaS purchase/affiliation |

Indicators of Compromise

Network Indicators

# Primary C2
joscramp[.]top
34.41.139.193
2600:1900:4001:96e:8000:1:cfc9:766a

# C2 URL
hxxp://joscramp[.]top/410b5129171f10ea[.]php

# Co-hosted malicious domains (block all)
zzkongqipao[.]com
flashdot[.]tech
gwangjuhorse[.]xyz
xxxy[.]biz
ipcheker[.]com
shofha[.]online
relogiosreplicassbr1[.]xyz

# DNS infrastructure
ns1.hwrn[.]net  (34.32.207.228)
ns2.hwrn[.]net  (34.46.191.171)

# Mail infrastructure
mx1.csof[.]net  (46.4.12.146)
mx2.csof[.]net  (46.4.10.173)

# Historical payload URLs
hxxp://joscramp[.]top/notepadp.exe
hxxp://joscramp[.]top/c043bcd0ba06ae1d/nss3.dll
hxxp://joscramp[.]top/c043bcd0ba06ae1d/freebl3.dll
hxxp://joscramp[.]top/c043bcd0ba06ae1d/mozglue.dll
hxxp://joscramp[.]top/c043bcd0ba06ae1d/msvcp140.dll

File Indicators

| Hash Type | Value |
|-----------|-------|
| SHA-256   | 0267f046308eb37ee48f932dce3ed33d578fc7e4bec5b24c9b845ac42a902253 |
| MD5       | e2d51e426aefafcaa2064691c920e282 |
| SHA-1     | 3910f18bd957d7e70b063233e613514d868c2410 |

Related sample (same C2 gate):

f639530345c52597fc8d4f6ccc98b71f03088a0c330a7df97cf4e3099da918b1

NetWire RAT (same C2 IP):

6e1ec623cf5e3d80211c348cbed953c38f95b937db786d736953b44b39a74aaf

Behavioral Indicators

PDB Path:           C:\babura\yexovadakob\dubayoje\letimamadecom\vi.pdb
Build ID:           410b5129171f10ea
TLS Cert Serial:    29170D61ADF776323E46586E6AEF26C5

Detection Opportunities

YARA Rules

rule StealC_v2_Joscramp_Campaign {
    meta:
        author = "Breakglass Intelligence"
        description = "StealC v2 infostealer - joscramp.top campaign with King game carrier"
        date = "2026-03-09"
        tlp = "TLP:CLEAR"
        severity = "HIGH"
        reference = "https://intel.breakglass.tech"
        hash = "0267f046308eb37ee48f932dce3ed33d578fc7e4bec5b24c9b845ac42a902253"
    strings:
        $pdb = "babura\\yexovadakob\\dubayoje\\letimamadecom\\vi.pdb" ascii
        $rc4_key1 = "huliguxabuponetexuxibepiwasudamidoviwepucovavomaxuj" ascii
        $rc4_key2 = "cusifavodojadowofajokuvowocen" ascii
        $rc4_key3 = "bilezizileperuseduxiporutiloyez" ascii
        $rc4_key4 = "lokirarojukejedodatafapa" ascii
        $rc4_key5 = "sonipasegutimijubibihe" ascii
        $rc4_key6 = "jiwuyiwoxevopelafam" ascii
        $king1 = "CStarLevelManager" ascii
        $king2 = "PopupTrickOrTreat" ascii
        $king3 = "SendCandyState" ascii
        $king4 = "EpisodeRace" ascii
    condition:
        uint16(0) == 0x5A4D and
        filesize > 2MB and filesize < 5MB and
        ($pdb or (2 of ($rc4_key*))) and
        (2 of ($king*))
}

rule StealC_v2_Packed_King_Carrier {
    meta:
        author = "Breakglass Intelligence"
        description = "StealC packed in King game binary carrier - generic detection"
        date = "2026-03-09"
        tlp = "TLP:CLEAR"
        severity = "HIGH"
    strings:
        $rtti1 = ".?AV?$CJuegoEventHandler" ascii
        $rtti2 = "@king@@" ascii
        $rtti3 = "KsdkInternal" ascii
        $rtti4 = "winsdkfb" ascii
        $rtti5 = "@kvast@@" ascii
        $api1 = "VirtualAlloc" ascii
        $api2 = "LoadLibraryA" ascii
        $api3 = "GetProcAddress" ascii
        $api4 = "IsDebuggerPresent" ascii
    condition:
        uint16(0) == 0x5A4D and
        filesize > 2MB and
        (3 of ($rtti*)) and
        all of ($api*)
}

rule StealC_v2_RC4_Keys_Generic {
    meta:
        author = "Breakglass Intelligence"
        description = "StealC v2 RC4 key pattern - lowercase gibberish strings from this campaign"
        date = "2026-03-09"
        tlp = "TLP:CLEAR"
    strings:
        $key1 = "huliguxabuponetexuxibepiwasudamidoviwepucovavomaxuj" ascii
        $key2 = "cusifavodojadowofajokuvowocen" ascii
        $key3 = "bilezizileperuseduxiporutiloyez" ascii
        $key4 = "lokirarojukejedodatafapa" ascii
        $key5 = "sonipasegutimijubibihe" ascii
    condition:
        uint16(0) == 0x5A4D and
        3 of ($key*)
}

Suricata Rules

# StealC C2 domain
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"BREAKGLASS StealC C2 - joscramp.top"; \
  flow:established,to_server; http.host; content:"joscramp.top"; \
  sid:2026030901; rev:1;)

# StealC C2 gate path
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"BREAKGLASS StealC C2 - Build ID in URI"; \
  flow:established,to_server; http.uri; content:"/410b5129171f10ea.php"; \
  sid:2026030902; rev:1;)

# StealC/NetWire C2 IP
alert ip $HOME_NET any -> [34.41.139.193] any (msg:"BREAKGLASS StealC/NetWire C2 IP"; \
  sid:2026030903; rev:1;)

# StealC v2 generic gate pattern (16-char hex PHP endpoint)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"BREAKGLASS StealC v2 POST to hex gate"; \
  flow:established,to_server; http.method; content:"POST"; \
  http.uri; pcre:"/\/[0-9a-f]{16}\.php$/"; \
  http.header; content:"Content-Type"; content:"application/"; \
  sid:2026030904; rev:1;)

# Co-hosted phishing domain
alert dns $HOME_NET any -> any any (msg:"BREAKGLASS StealC Infra - xxxy.biz phishing domain"; \
  dns.query; content:"xxxy.biz"; \
  sid:2026030905; rev:1;)

Hunting Queries

EDR/SIEM -- Network connections to C2 infrastructure:

  • Any DNS resolution of joscramp.top, zzkongqipao.com, flashdot.tech, xxxy.biz, ipcheker.com, shofha.online, gwangjuhorse.xyz, or relogiosreplicassbr1.xyz
  • Any connection to 34.41.139.193 on any port (the server runs 3,778+ open ports)
  • HTTP POST requests to URI paths matching /<16-hex-chars>.php
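The three network hunting bullets above and the gate protocol described under "C2 Protocol" can be turned into one scoring routine over HTTP log events. The following is an added example, not code from the report: it marks an event "confirmed" on the known host or known gate path, and "suspicious" on the generic pattern of a POST to a 16-hex-character .php path whose JSON body carries a StealC v2 verb. The event dictionary shape and every host other than joscramp.top are constructed placeholders.

```python
import json
import re

# Observable traits of the StealC v2 gate protocol described in the report.
GATE_RE = re.compile(r"^/([0-9a-f]{16})\.php$")
STEALC_TYPES = {"create", "upload_file", "done", "loader"}
KNOWN_BUILD = "410b5129171f10ea"   # build ID / gate path from this campaign
KNOWN_HOSTS = {"joscramp.top"}     # wildcard DNS: every subdomain hits the C2 IP


def parse_body(body):
    """StealC v2 bodies are JSON objects; anything else returns None."""
    try:
        obj = json.loads(body)
    except (TypeError, ValueError):
        return None
    return obj if isinstance(obj, dict) else None


def classify(event):
    """Return (verdict, reasons); verdict is 'confirmed', 'suspicious' or None."""
    reasons = []
    host = event.get("host", "").lower().rstrip(".")
    if host in KNOWN_HOSTS or any(host.endswith("." + h) for h in KNOWN_HOSTS):
        reasons.append("known C2 host " + host)
    gate = GATE_RE.match(event.get("uri", ""))
    if gate and gate.group(1) == KNOWN_BUILD:
        reasons.append("known gate path " + gate.group(0))
    confirmed = bool(reasons)
    # Generic pattern: POST to /<16 hex>.php with a StealC command verb in the body.
    if event.get("method") == "POST" and gate:
        body = parse_body(event.get("body", ""))
        if body and body.get("type") in STEALC_TYPES:
            reasons.append("POST to 16-hex .php gate with StealC verb %r" % body["type"])
            if body.get("build") == KNOWN_BUILD:
                reasons.append("body carries known build ID")
                confirmed = True
    if not reasons:
        return None, []
    return ("confirmed" if confirmed else "suspicious"), reasons


def hunt(events):
    """Run classify() over a log batch and keep only the hits as (index, verdict, reasons)."""
    hits = []
    for i, ev in enumerate(events):
        verdict, reasons = classify(ev)
        if verdict:
            hits.append((i, verdict, reasons))
    return hits


# Constructed sample events (not real telemetry); hosts other than the
# report's C2 domain are placeholders.
SAMPLE_EVENTS = [
    {"method": "POST", "host": "joscramp.top", "uri": "/410b5129171f10ea.php",
     "body": '{"type":"create","hwid":"HWID-PLACEHOLDER","build":"410b5129171f10ea"}'},
    {"method": "POST", "host": "unknown-host.example", "uri": "/a1b2c3d4e5f60718.php",
     "body": '{"type":"upload_file","token":"TOKEN-PLACEHOLDER","file":"QUJD"}'},
    {"method": "POST", "host": "shop.example", "uri": "/checkout.php",
     "body": '{"type":"create","cart":1}'},
    {"method": "GET", "host": "cdn.example", "uri": "/a1b2c3d4e5f60718.php", "body": ""},
]

if __name__ == "__main__":
    for idx, verdict, reasons in hunt(SAMPLE_EVENTS):
        print(idx, verdict, "; ".join(reasons))
```

A plain GET to a hex-named .php path is deliberately not flagged on its own, so the generic rule stays quiet on ordinary sites that happen to use hex file names.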

Endpoint -- File and process indicators:

  • PE files > 2MB with King game RTTI strings (CStarLevelManager, KsdkInternal, @king@@)
  • PDB paths containing babura\yexovadakob
  • Processes loading nss3.dll, freebl3.dll, and mozglue.dll from non-standard paths (StealC credential theft kit)

Certificate Transparency monitoring:

  • New certificates issued to joscramp.top or any of the co-hosted domains
  • New domains using ns1.hwrn.net / ns2.hwrn.net nameservers

Published by Breakglass Intelligence. Investigation conducted 2026-03-09. C2 server confirmed live. 8 co-hosted domains identified. 3-year operator timeline established. Classification: TLP:CLEAR
