
The Fake AutoCAD That Phones Home to Xiamen: Inside a Three-Year Trojanized Installer Operation

Published: March 12, 2026
Confidence: MEDIUM
Tags: loader, cobalt-strike, social-engineering, c2

TL;DR: A trojanized AutoCAD installer (autocad_v1.4.exe, 30MB) packed with Enigma Protector is running a JSON API-based C2 channel to a Django server at 121[.]204[.]249[.]146 in Xiamen, China. The binary is signed with a revoked Extended Validation code signing certificate purchased from a Polish CA under a Guangzhou shell company name -- obtained just three weeks before the compile timestamp. The C2 domain adobecad[.]com[.]cn has been active since May 2023 with 10+ subdomains, the WHOIS registrant used a personal QQ email address, MySQL is exposed to the internet on port 3306, and the BaoTa admin panel is wide open on 8888. Imphash pivoting links this sample to at least two other fake utility installers (including "Disk-Squeezer_v2.0.exe"), pointing to a multi-tool distribution campaign (with the caveat that an imphash on an Enigma-packed file fingerprints the packer stub, so the link rests on shared YARA hits and lure style as much as on the hash). Despite all of this, only 15 of 76 AV engines detect it -- Kaspersky and ANY.RUN both whiff completely.


A 30MB EXE Named autocad_v1.4

Somewhere in a torrent forum, a warez channel, or a sketchy download portal, someone clicks a link promising a free copy of AutoCAD. What they get is a 30MB PE32+ executable called autocad_v1.4.exe. It has an Autodesk icon. It has a valid (well, formerly valid) digital signature. If they check the file properties, the original filename is goods_web.exe -- but nobody checks file properties.

The sample was uploaded to MalwareBazaar on March 11, 2026 by reporter juroots. But this is not a new threat. Kaspersky first saw it on May 8, 2025 -- the same day it was compiled. ReversingLabs picked it up two months later. The infrastructure behind it has been operational since May 2023. This is a campaign with a nearly three-year runway, and it is still active.

AutoCAD licenses run over $1,800 a year. That price tag creates a predictable market of people searching for "AutoCAD free download" or "AutoCAD crack" -- and this threat actor has been supplying that market since at least 2023, through a purpose-built fake software distribution portal behind the brand-impersonation domain adobecad[.]com[.]cn (Adobe + CAD mashed into one name).

What Was Found vs. What Was Known

Sample type
  Prior public knowledge: AutoCAD trojan flagged on VT since May 2025
  This investigation: Full static analysis: Enigma Protector with .enigma1 section containing 28.9MB encrypted payload, Qt5 framework with SSL networking, six embedded crypto algorithms

C2 communication
  Prior public knowledge: IP flagged by some sandbox reports
  This investigation: Complete API mapping: 3 confirmed endpoints (/api/soft/app/info/, /api/soft/version/info/, /hc) running Django/gunicorn over plaintext HTTP

Code signing
  Prior public knowledge: Cert marked revoked on VT
  This investigation: Full certificate chain: EV cert from Certum (Poland) issued to "Guangzhou Recording Network Technology" -- obtained 3 weeks before compile, strongly suggesting purpose-built acquisition

Infrastructure
  Prior public knowledge: C2 IP known
  This investigation: Full reconnaissance: 9 open services including exposed MySQL 5.6, BaoTa admin panel, EOL OpenSSH 7.4 with 20 CVEs. Domain adobecad[.]com[.]cn registered since 2023 with 10 subdomains

Attribution
  Prior public knowledge: None public
  This investigation: WHOIS registrant "Yuan Shouchuang" with personal QQ email, Guangzhou-based code signing entity (the FTP certificate's Dongguan/Guangdong fields turn out to be BT-Panel vendor defaults)

Campaign scope
  Prior public knowledge: Single sample
  This investigation: 3 samples via imphash pivot including "Disk-Squeezer_v2.0.exe" -- multi-tool distribution operation dating to August 2024

Persistence
  Prior public knowledge: Unknown
  This investigation: autodesk360.lnk desktop shortcut (user-launched, not autostart), Enigma Virtual Box DLL extraction to %TEMP%\evb*.tmp, NetBIOS probing on local network

Detection evasion
  Prior public knowledge: Not documented
  This investigation: 15/76 VT detection (19.7%), evades Kaspersky and ANY.RUN sandboxes entirely

The Attack Chain

[Victim searches for "AutoCAD download" or "AutoCAD crack"]
        |
        v
[SEO poisoning or direct link to adobecad[.]com[.]cn portal]
        |
        v
[Downloads autocad_v1.4.exe (30MB, EV code-signed)]
        |
        v
[Windows SmartScreen: PASSES (EV certificate)]
        |
        v
[Enigma Protector unpacks Qt5 framework + DLLs to %TEMP%\evb*.tmp]
        |
        v
[Creates autodesk360.lnk on Desktop (persistence)]
        |
        v
[HTTP POST → 121[.]204[.]249[.]146:8000/api/soft/app/info/]
  |--- JSON check-in: application registration
        |
        v
[HTTP POST → 121[.]204[.]249[.]146:8000/api/soft/version/info/]
  |--- JSON version check: update/payload delivery
        |
        v
[HTTP GET → 121[.]204[.]249[.]146:9901/hc]
  |--- Health check / keepalive
        |
        v
[Fetches branding assets: autodesk.png, cadlogo.png, cadmain.png]
  |--- Displays fake AutoCAD UI to victim
        |
        v
[53kf.com live chat widget loads]
  |--- Fake "customer support" interface
        |
        v
[NBT/NetBIOS probing on local network (port 137/UDP)]
  |--- Network reconnaissance / lateral movement prep

The EV code signing certificate is the skeleton key for initial execution. Extended Validation certificates tell Windows SmartScreen that the publisher has been identity-verified by a certificate authority. On many systems, this means the binary runs without the "Windows protected your PC" warning that would otherwise alert the user. The certificate was revoked after discovery, but revocation does not automatically undo a signature that carries a timestamp counter-signature: Authenticode treats a signature made before the revocation's effective date as still valid, and only a revocation the CA back-dates to before the signing time (the correct handling for key misuse) invalidates it. Whether Certum did that here was not established in this investigation, so assume the binary still passes signature checks on fully patched systems until proven otherwise.

Peeling Back the Enigma

The binary is built on the Qt5 framework -- specifically Qt5Core, Qt5Gui, Qt5Network, Qt5Widgets, and Qt5Svg -- bundled alongside OpenSSL libraries (libcrypto-1_1-x64.dll, libssl-1_1-x64.dll) and a full MinGW runtime. All of this is packed inside Enigma Protector, a commercial packing tool that bundles application files into an encrypted container and extracts them at runtime.

The Sample

Field               Value
SHA-256             17d2b3fb0c1942c43588d26ba9aecd6f6a9a549f86a8bb4120865cfbd9caf137
SHA-1               2c3470eaea2614ee5d3385c073abd4f1260bd3d6
MD5                 a0feaefbe343954e61544f32827ccb96
Imphash             4a69501d065aecd17da3f8f42bc46478
SSDeep              786432:B+G5eaaDqy3rc/OlBy9g4aLpOQlqjfLZSZoK:fcrc/OlBhhLphlEfVSqK
File Size           30,344,064 bytes (28.9 MiB)
File Type           PE32+ executable (GUI) x86-64, stripped to external PDB
Original Name       goods_web.exe
Distribution Name   autocad_v1.4.exe
Compile Time        2025-05-08 04:50:00 UTC
VT Detection        15/76 (19.7%)

That detection rate deserves emphasis. Fewer than one in five engines flag this binary. The combination of Enigma Protector packing and a (now-revoked) EV code signing certificate is doing exactly what the threat actor intended: buying trust. Kaspersky, which has had the sample since its compile date, returns clean. ANY.RUN finds no threats. The Triage sandbox gives it a 7/10 -- notable but not definitive. For a trojan with a revoked certificate and known C2 infrastructure, 19.7% detection is an embarrassment for the industry.

PE Section Layout

The .enigma1 section consumes 28.9MB of the 30MB file -- 95% of the binary is the encrypted Enigma Virtual Box payload. At runtime, Enigma unpacks the entire Qt5 application framework into temporary files:

Section    Virtual Size   Raw Size              Entropy   Notes
.text      0x14b70        0x14c00               5.92      Code section
.rdata     0x7bc08        0x7be00               7.94      High entropy -- encrypted/compressed data
.enigma1   0x1000         0x1b95000 (28.9MB)    7.93      Enigma Protector payload -- bulk of file
.enigma2   0xae000        0xae000               5.36      Enigma Protector unpacker

Note the .enigma1 virtual size of 0x1000 against a raw size of 0x1b95000: the loader maps only that first page, a layout consistent with the stub reading the container from the file on disk rather than having it mapped. Look for the payload in the extracted %TEMP% files and in the unpacked original image, not in a straight dump of the mapped sections.
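The section-level triage described above, as an added example rather than code from the report: it reads the section table straight from the PE/COFF headers, computes per-section Shannon entropy, and flags the Enigma layout (.enigma* names plus one near-8.0-entropy section holding most of the file). The PE it scans is constructed in memory with synthetic section bodies, so the script runs offline; only the header format and the compile timestamp mirror the sample.

```python
"""Added example (not code from the report): PE section triage for the Enigma
Protector layout. Headers follow the PE/COFF spec; the sample image is constructed."""
import math
import random
import struct
from datetime import datetime, timezone

COFF_HDR = struct.Struct("<HHIIIHH")          # IMAGE_FILE_HEADER (20 bytes)
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")   # IMAGE_SECTION_HEADER (40 bytes)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> dict:
    """Compile timestamp plus name, sizes and entropy of every section."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff_off = e_lfanew + 4
    _, nsections, stamp, _, _, opt_size, _ = COFF_HDR.unpack_from(pe, coff_off)
    table_off = coff_off + COFF_HDR.size + opt_size      # section table follows the optional header
    sections = []
    for i in range(nsections):
        name, vsize, _, raw_size, raw_ptr, *_ = SECTION_HDR.unpack_from(
            pe, table_off + i * SECTION_HDR.size)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "raw_size": raw_size,
            "entropy": round(shannon_entropy(pe[raw_ptr:raw_ptr + raw_size]), 2),
        })
    stamp_utc = datetime.fromtimestamp(stamp, timezone.utc)
    return {"compile_time": stamp_utc.strftime("%Y-%m-%d %H:%M:%S UTC"),
            "sections": sections}


def triage(pe: bytes) -> dict:
    """Packer verdict: .enigma* names, and/or one >7.5-entropy section that is
    more than half the file (the generic self-decrypting-packer shape)."""
    info = parse_sections(pe)
    enigma = [s["name"] for s in info["sections"] if s["name"].startswith(".enigma")]
    enigma_bytes = sum(s["raw_size"] for s in info["sections"] if s["name"] in enigma)
    bulk = max(info["sections"], key=lambda s: s["raw_size"])
    info["enigma_sections"] = enigma
    info["packed_ratio"] = round(enigma_bytes / len(pe), 3)
    info["likely_packed"] = bulk["entropy"] > 7.5 and bulk["raw_size"] > len(pe) / 2
    info["likely_enigma_packed"] = bool(enigma) and info["likely_packed"]
    return info


def build_sample_pe(packed: bool = True) -> bytes:
    """Constructed PE32+ image (test data, not the real sample): real-format
    headers, synthetic section bodies."""
    rng = random.Random(1)
    code = bytes((i * 7) % 64 for i in range(4096))            # entropy exactly 6.0
    low = bytes(i % 16 for i in range(2048))                    # entropy exactly 4.0
    if packed:
        payload = bytes(rng.getrandbits(8) for _ in range(65536))   # "encrypted" blob
        layout = [(b".text", code, 0x60000020), (b".enigma1", payload, 0x40000040),
                  (b".enigma2", low, 0x60000020)]
    else:
        layout = [(b".text", code, 0x60000020), (b".rdata", low, 0x40000040)]
    opt_size, file_align = 240, 0x200                           # PE32+ optional header size
    hdr_len = 0x40 + 4 + COFF_HDR.size + opt_size + SECTION_HDR.size * len(layout)
    hdr_end = -(-hdr_len // file_align) * file_align
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                     # e_lfanew
    # 1746679800 = 2025-05-08 04:50:00 UTC, the report's compile timestamp
    coff = COFF_HDR.pack(0x8664, len(layout), 1746679800, 0, 0, opt_size, 0x22)
    opt = struct.pack("<H", 0x20B) + bytes(opt_size - 2)        # PE32+ magic, rest zeroed
    table, body, raw_ptr, vaddr = b"", b"", hdr_end, 0x1000
    for name, data, chars in layout:                            # bodies are 0x200-aligned
        table += SECTION_HDR.pack(name, len(data), vaddr, len(data), raw_ptr, 0, 0, 0, 0, chars)
        body += data
        raw_ptr += len(data)
        vaddr += -(-len(data) // 0x1000) * 0x1000
    headers = bytes(dos) + b"PE\0\0" + coff + opt + table
    return headers + bytes(hdr_end - len(headers)) + body


if __name__ == "__main__":
    result = triage(build_sample_pe())
    print(result["compile_time"], "enigma sections:", result["enigma_sections"])
    for s in result["sections"]:
        print(f'{s["name"]:<10} raw=0x{s["raw_size"]:x} entropy={s["entropy"]}')
```

Point it at a real file with `triage(open(path, "rb").read())`; the entropy threshold and the "more than half the file" ratio are deliberately loose so that other self-decrypting packers trip the generic flag while the .enigma* check stays specific.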

Unpacked Contents

  • Qt5Core.dll, Qt5Gui.dll, Qt5Network.dll, Qt5Widgets.dll, Qt5Svg.dll -- full GUI framework
  • libcrypto-1_1-x64.dll, libssl-1_1-x64.dll -- OpenSSL for HTTPS capability
  • D3Dcompiler_47.dll, opengl32sw.dll, libEGL.dll, libGLESv2.dll -- graphics rendering
  • MinGW runtime -- libgcc_s_seh-1.dll, libstdc++-6.dll, libwinpthread-1.dll
  • Qt plugins -- qwindows.dll, qgenericbearer.dll, qjpeg.dll, qsvg.dll

This is not a lightweight dropper. This is a fully functional application that presents a convincing AutoCAD-like interface to the victim while performing C2 communication in the background. The investment in building a credible fake application -- complete with branding assets downloaded from the C2 at runtime -- suggests this operation generates enough revenue to justify the development effort.

Import Analysis

The import table is relatively lean for the stub itself:

  • kernel32.dll: 131+ imports including GetTempPathW, GetTempFileNameW, GetStdHandle, ExitProcess
  • ntdll.dll: ZwProtectVirtualMemory (memory protection manipulation), RtlFormatCurrentUserKeyPath
  • advapi32.dll: RegOpenKeyA (registry access)
  • user32.dll: MessageBoxA, GetSystemMetrics
  • oleaut32.dll: SafeArray functions, SysAllocStringLen (COM automation)
  • shlwapi.dll: PathMatchSpecW (path matching)

The ZwProtectVirtualMemory import from ntdll is the Enigma stub's own: a self-decrypting packer has to make its sections writable before unpacking and executable afterwards. Calling the native export directly sidesteps user-mode hooks placed on kernel32!VirtualProtect, but not hooks on ntdll itself or kernel-side monitoring, so it is packer-typical rather than evidence of bespoke evasion.

Cryptographic Toolkit

YARA analysis confirms embedded cryptographic constants for six algorithms:

Algorithm     Detection rule
Blowfish      BLOWFISH_Constants
MD5           MD5_Constants
SHA-1         SHA1_Constants
SHA-512       SHA512_Constants
RIPEMD-160    RIPEMD160_Constants
Whirlpool     WHIRLPOOL_Constants

This is a heavier crypto toolkit than most legitimate applications carry, and one reading is that the malware implements its own cryptographic protocol for C2 communication or data exfiltration rather than relying on the bundled OpenSSL. Two more mundane explanations fit at least as well: Enigma Protector's stub carries hash and cipher routines for its licensing and registration features, and OpenSSL's libcrypto implements all six of these algorithms. Nothing in the observed C2 traffic (plaintext JSON over HTTP) shows a custom protocol, so treat the constants as packer or library artifacts until unpacked code proves otherwise.

The Revoked EV Certificate Gambit

This is where the operation gets interesting from a tradecraft perspective.

Field                  Value
Signer                 Guangzhou Recording Network Technology Co., Ltd.
Issuer                 Certum Extended Validation Code Signing 2021 CA
Serial                 21:EC:6F:C7:87:8B:F7:B2:8D:99:4C:F6:6D:BF:C9:94
Thumbprint (SHA-256)   5348CD6FD9DB43CC8BFF7285CA0194F3BB639A0EFD3F49F764EAA35F262222F1
Thumbprint (SHA-1)     42740DC2EC85960A5374AD86B055AFFF65F8FAC6
Valid From             2025-04-15
Valid To               2026-04-15
Timestamped By         DigiCert Timestamp 2024
Status                 REVOKED

The certificate is an Extended Validation code signing certificate -- the most expensive and theoretically most trustworthy tier of code signing. Getting one requires proving organizational identity through legal documentation, notarized paperwork, and phone verification. Certum, a Polish certificate authority, issued this one to a company in Guangzhou, China.

The timeline is revealing: the certificate was issued on April 15, 2025. The binary was compiled on May 8, 2025 -- twenty-three days later. EV certificates cost hundreds of dollars and require weeks of validation. Either "Guangzhou Recording Network Technology Co., Ltd." is a shell company created specifically for this purpose, or the certificate was purchased through a broker who specializes in selling EV certs to threat actors. Either way, the certificate served its purpose: until it was revoked, this binary sailed past SmartScreen, endpoint protection, and the instinctive trust that a signed executable earns from both users and security products.

The certificate has since been revoked, but VirusTotal still shows the signature verifying. That is the timestamp at work: the DigiCert counter-signature proves the signature predates the revocation, and Windows keeps honouring such signatures unless the CA sets the revocation date back to before the signing time. Until that is confirmed, this three-week-old certificate is still doing the work it was bought to do.

Command and Control: A Django REST API in Xiamen

The C2 architecture is straightforward -- a Django REST API running on gunicorn, listening on port 8000 of 121[.]204[.]249[.]146, with a secondary Java/Spring Boot service on port 9901.

Confirmed C2 Endpoints

Endpoint                                                      Method        Purpose
http://121[.]204[.]249[.]146:8000/api/soft/app/info/          POST (JSON)   Initial registration / check-in
http://121[.]204[.]249[.]146:8000/api/soft/version/info/      POST (JSON)   Version check / update delivery
http://121[.]204[.]249[.]146:9901/hc                          GET           Health check / keepalive
http://121[.]204[.]249[.]146:8000/static/soft/autodesk.png    GET           Autodesk branding asset
http://121[.]204[.]249[.]146:8000/static/soft/cadlogo.png     GET           AutoCAD logo
http://121[.]204[.]249[.]146:8000/static/soft/cadmain.png     GET           Main UI background

All C2 traffic runs over plaintext HTTP. No TLS on the operational ports. The server responds with Access-Control-Allow-Origin: * and X-Content-Type-Options: nosniff; the latter is Django's own default (SecurityMiddleware), not a deliberate hardening choice, and the wildcard CORS header suggests the same API is also called from a browser front end. Either way, the developer knows web conventions but did not bother with transport encryption for a malware C2. The User-Agent string is a generic Mozilla/5.0 -- enough to blend in, but no attempt at a convincing browser fingerprint. For defenders that is good news: every check-in is readable on the wire.

The static asset paths (/static/soft/autodesk.png, cadlogo.png, cadmain.png) confirm the binary downloads Autodesk branding from the C2 at runtime to maintain the illusion of legitimacy. The Django static/ convention means the C2 developer is following standard Python web framework patterns -- this is a professional-looking backend, not a hastily assembled script.
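The check-in sequence above is what a proxy or Zeek http.log would record, so here is detection logic over such logs as an added example (not code from the report): it scores each source host by how far it gets through app/info, version/info and /hc in order, records which branding assets it pulled, and separately applies the IP-agnostic "JSON POST to /api/soft/" pattern so an infrastructure move is still caught. The log lines are constructed; field names follow Zeek's http.log where one exists, and content_type is a constructed field standing in for the request header.

```python
"""Added example (not code from the report): C2 check-in sequence detection over
Zeek-style HTTP logs. SAMPLE_LOG is constructed; 203.0.113.10 is a documentation
address standing in for a hypothetical second C2."""
import json
from collections import defaultdict

C2_IP = "121.204.249.146"
# (dest port, method, path) in the order the trojan issues them
STAGES = [
    (8000, "POST", "/api/soft/app/info/"),
    (8000, "POST", "/api/soft/version/info/"),
    (9901, "GET", "/hc"),
]
WINDOW_SECONDS = 300   # the three requests arrive within seconds; allow some slack

# Constructed log: 10.0.0.5 runs the full chain, 10.0.0.7 only registers,
# 10.0.0.9 talks the same API to a different server.
SAMPLE_LOG = """
{"ts": 1000.0, "id.orig_h": "10.0.0.5", "id.resp_h": "121.204.249.146", "id.resp_p": 8000, "method": "POST", "uri": "/api/soft/app/info/", "content_type": "application/json"}
{"ts": 1001.2, "id.orig_h": "10.0.0.5", "id.resp_h": "121.204.249.146", "id.resp_p": 8000, "method": "POST", "uri": "/api/soft/version/info/", "content_type": "application/json"}
{"ts": 1002.0, "id.orig_h": "10.0.0.5", "id.resp_h": "121.204.249.146", "id.resp_p": 8000, "method": "GET", "uri": "/static/soft/autodesk.png", "content_type": ""}
{"ts": 1002.4, "id.orig_h": "10.0.0.5", "id.resp_h": "121.204.249.146", "id.resp_p": 8000, "method": "GET", "uri": "/static/soft/cadlogo.png", "content_type": ""}
{"ts": 1005.0, "id.orig_h": "10.0.0.5", "id.resp_h": "121.204.249.146", "id.resp_p": 9901, "method": "GET", "uri": "/hc", "content_type": ""}
{"ts": 2000.0, "id.orig_h": "10.0.0.7", "id.resp_h": "121.204.249.146", "id.resp_p": 8000, "method": "POST", "uri": "/api/soft/app/info/", "content_type": "application/json"}
{"ts": 3000.0, "id.orig_h": "10.0.0.9", "id.resp_h": "203.0.113.10", "id.resp_p": 8000, "method": "POST", "uri": "/api/soft/app/info/?v=2", "content_type": "application/json; charset=utf-8"}
{"ts": 3001.0, "id.orig_h": "10.0.0.9", "id.resp_h": "203.0.113.10", "id.resp_p": 443, "method": "POST", "uri": "/api/other/", "content_type": "application/json"}
"""


def parse_log(text: str) -> list:
    """One JSON object per non-empty line (Zeek json-logs style)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def stage_index(rec: dict):
    """Index of the chain stage this request matches, or None."""
    if rec["id.resp_h"] != C2_IP:
        return None
    path = rec["uri"].split("?", 1)[0]          # ignore any query string
    for i, (port, method, known_path) in enumerate(STAGES):
        if rec["id.resp_p"] == port and rec["method"] == method and path == known_path:
            return i
    return None


def score_hosts(records: list) -> dict:
    """Per source host: stages seen in order within the window, and which
    branding assets it fetched from the C2."""
    by_src = defaultdict(list)
    for rec in records:
        by_src[rec["id.orig_h"]].append(rec)
    report = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        hit, start, assets = 0, None, []
        for rec in recs:
            if rec["id.resp_h"] == C2_IP and rec["uri"].startswith("/static/soft/"):
                assets.append(rec["uri"].rsplit("/", 1)[-1])
            if stage_index(rec) != hit:       # only the next expected stage advances the chain
                continue
            start = rec["ts"] if start is None else start
            if rec["ts"] - start <= WINDOW_SECONDS:
                hit += 1
        report[src] = {"stages": hit, "full_chain": hit == len(STAGES), "assets": assets}
    return report


def generic_api_soft_posts(records: list) -> list:
    """IP-agnostic counterpart of the generic Suricata rule: JSON POSTs whose
    path starts with /api/soft/, wherever they go. Survives a C2 move."""
    hits = {
        (r["id.orig_h"], r["id.resp_h"], r["id.resp_p"])
        for r in records
        if r["method"] == "POST"
        and r["uri"].startswith("/api/soft/")
        and "application/json" in r.get("content_type", "").lower()
    }
    return sorted(hits)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for host, verdict in score_hosts(recs).items():
        print(host, verdict)
    print("generic /api/soft/ JSON POSTs:", generic_api_soft_posts(recs))
```

A host that completes all three stages has run the trojan; a host with only stage one may have run it and lost connectivity, or be a sandbox detonation, so the partial score is worth keeping rather than discarding.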

The Live Chat Angle

The binary embeds a URL for 53kf.com -- a legitimate Chinese customer service chat platform:

https://tb[.]53kf[.]com/code/client/b42c571f6a4c7fd01a6b00c3e1591dea7/1

53kf.com is widely used by Chinese businesses for website live chat. Embedding it in a trojanized installer suggests the malware displays a fake "customer support" interface to victims -- complete with a real chat widget connected to the threat actor's 53kf account. This blurs the line between malware and social engineering: the victim thinks they are chatting with AutoCAD tech support while their machine phones home to Xiamen.

Behavioral Footprint

Sandbox analysis reveals the binary's post-execution behavior:

  • Creates autodesk360.lnk on the Desktop (re-launch lure: a Desktop shortcut only runs when the user clicks it, so this is persistence only in the weak sense that the fake app stays one click away)
  • Extracts numerous evb*.tmp DLLs to %TEMP% (Enigma Virtual Box unpacking)
  • Accesses user Documents, Pictures, and AppData directories
  • Sets the Direct3D MostRecentApplication registry key
  • Performs NBT/NetBIOS probing on the local network (port 137/UDP)

The NetBIOS probing is notable. This is not just a trojan that phones home -- it maps the victim's local network, probing for Windows hosts on port 137/UDP. This is lateral movement reconnaissance, suggesting capabilities beyond simple data theft. One caveat before reading too much into it: NBNS queries on 137/UDP are also Windows' own fallback when an application resolves an unqualified hostname, and a file dialog that enumerates network locations produces the same traffic, so a sandbox seeing 137/UDP is not by itself proof of a built-in scanner. Probes across a range of addresses rather than a single name would settle it.

Infrastructure: An OPSEC Disaster in Xiamen

The C2 server is a case study in what happens when a threat actor invests in offense (EV certificates, commercial packers, professional Django backends) but neglects defense.

Server Profile: 121[.]204[.]249[.]146

Field      Value
IP         121[.]204[.]249[.]146
Hostname   360[.]adobecad[.]com[.]cn
ASN        AS133776 (Quanzhou)
ISP        CHINANET Fujian province (China Telecom)
Location   Xiamen, Fujian, China
Network    121.204.248.0/22

Exposed Services (Shodan)

Port   Service        Version      Assessment
21     Pure-FTPd      --           TLS-enabled, no anonymous
22     OpenSSH        7.4          EOL -- 20 known CVEs
80     Apache httpd   --           Returns 404
443    nginx          --           SSL cert: CN=360[.]adobecad[.]com[.]cn
888    nginx          --           403 Forbidden
3306   MySQL          5.6.50-log   Exposed to internet -- critical
8000   gunicorn       --           Django C2 API
8888   nginx          --           BaoTa (BT-Panel) admin interface
9901   Java/Spring    --           Secondary C2 / health check

Nine services exposed. MySQL 5.6 -- which reached end of life in February 2021 -- is directly accessible from the internet on its default port. The BaoTa web administration panel sits on port 8888 with no apparent access restriction. OpenSSH 7.4 has twenty known CVEs.

The FTP server's SSL certificate leaks identifiable metadata:

emailAddress = admin@bt[.]cn
O = BT-PANEL
L = Dongguan
ST = Guangdong

Those fields are not the operator's. Dongguan, Guangdong is where the BaoTa vendor (bt.cn) is based and admin@bt[.]cn is its address: this is the panel's default self-signed certificate, untouched since installation. What it confirms is BT-Panel usage and an administrator who never customized it. It does not narrow the operator's location, and the 60 kilometers between Dongguan and Guangzhou, where the code signing company is registered, is a coincidence of the vendor's address rather than a lead.

This is an attacker who spent money on an EV certificate and a commercial packer, then parked their C2 on a server with an exposed MySQL database and an unprotected admin panel. The contrast between offensive sophistication and defensive negligence is striking -- and useful. Every exposed service is an intelligence collection opportunity.

Three Years of Infrastructure: The crt.sh Timeline

The domain adobecad[.]com[.]cn was registered on May 25, 2023, with a five-year term paid through 2028. Certificate transparency logs from crt.sh reveal ten subdomains, telling the story of an operation that grew methodically over nearly three years:

Subdomain                        First Seen    Inferred purpose
www[.]adobecad[.]com[.]cn        2023-05-26    Main website (one day after registration)
360[.]adobecad[.]com[.]cn        2023-06-18    Primary C2 / fake installer portal
123[.]adobecad[.]com[.]cn        2023-08-23    Test/development environment
20231011[.]adobecad[.]com[.]cn   2023-10-11    Date-stamped test deployment
php[.]adobecad[.]com[.]cn        2023-10-12    PHP-based service or panel
cad[.]adobecad[.]com[.]cn        2023-12-10    AutoCAD-themed download site
setup[.]adobecad[.]com[.]cn      2023-12-10    Installer delivery
bd[.]adobecad[.]com[.]cn         2024-04-07    "Backdoor" is one reading; bd is also common Chinese shorthand for Baidu, i.e. a search/ad landing page (unconfirmed)
360exp[.]adobecad[.]com[.]cn     2024-04-26    Experimental / staging C2
store[.]adobecad[.]com[.]cn      2024-05-03    Fake software store

All certificates issued by TrustAsia Technologies (a Chinese CA subsidiary of DigiCert) with 90-day DV certificates, automatically renewed. The continuous rotation from 2023 to present confirms sustained, uninterrupted operation.

The progression tells a story of operational maturity: a main website within 24 hours of domain registration in May 2023, a primary C2 subdomain three weeks later, test infrastructure through the fall, dedicated download and installer-delivery subdomains by December 2023, and a full fake software store by mid-2024. The bd subdomain appeared in April 2024; "backdoor" is one plausible expansion, but in Chinese web infrastructure bd is at least as often shorthand for Baidu (百度), which would make it a landing page for Baidu search or ad traffic and fit the SEO-poisoning route in the attack chain. Neither reading is confirmed. The 360exp staging environment followed shortly after. The date-stamped 20231011 subdomain is a development artifact that reveals the operator's workflow: they test new deployments on disposable subdomains before rolling them into production.

This is not a weekend project. This is a sustained operation with development, staging, and production infrastructure, managed by someone comfortable enough to use date-stamped test deployments and dedicated subdomains for each function.
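Rebuilding that first-seen timeline is mechanical once the crt.sh JSON is in hand, and the same code doubles as the monitor recommended later for new subdomains. The following is an added example, not code from the report: live input of the same shape comes from https://crt.sh/?q=%25.adobecad.com.cn&output=json, but the entries below are constructed (the dates mirror the table above; the ids and issuer strings are made up, and dl.adobecad.com.cn and the wildcard entry are hypothetical, added to show how new names and wildcard SANs are handled).

```python
"""Added example (not code from the report): first-seen timeline and new-subdomain
monitor over crt.sh JSON. CRTSH_JSON is constructed test data."""
import json
from datetime import date

KNOWN_HOSTS = {
    f"{label}.adobecad.com.cn"
    for label in ("www", "360", "123", "php", "20231011", "cad", "setup", "bd", "360exp", "store")
}


def _entry(cid, names, not_before):
    """Shape of one crt.sh record; SANs are newline-joined in name_value."""
    return {"id": cid, "issuer_name": "C=CN, O=TrustAsia Technologies, Inc. (constructed)",
            "name_value": "\n".join(names), "not_before": not_before + "T00:00:00"}


CRTSH_JSON = json.dumps([
    _entry(101, ["www.adobecad.com.cn"], "2023-05-26"),
    _entry(102, ["360.adobecad.com.cn"], "2023-06-18"),
    _entry(103, ["www.adobecad.com.cn"], "2023-08-24"),
    _entry(104, ["www.adobecad.com.cn"], "2023-11-22"),
    _entry(105, ["store.adobecad.com.cn", "www.adobecad.com.cn"], "2024-05-03"),  # multi-SAN cert
    _entry(106, ["*.adobecad.com.cn"], "2025-01-10"),                              # hypothetical wildcard
    _entry(107, ["dl.adobecad.com.cn"], "2026-02-01"),                             # hypothetical new host
])


def load_entries(text: str = CRTSH_JSON) -> list:
    return json.loads(text)


def hostnames(entry: dict) -> set:
    """All concrete SANs of one certificate; wildcards are dropped because they
    name no host and would otherwise pollute the first-seen table."""
    names = {n.strip().lower() for n in entry["name_value"].split("\n")}
    return {n for n in names if n and not n.startswith("*.")}


def first_seen(entries: list) -> dict:
    """hostname -> earliest not_before day (YYYY-MM-DD)."""
    seen = {}
    for entry in entries:
        day = entry["not_before"][:10]
        for name in hostnames(entry):
            if name not in seen or day < seen[name]:
                seen[name] = day
    return seen


def new_hosts(entries: list, known: set) -> list:
    """Hostnames present in CT that the known set does not list."""
    return sorted(set(first_seen(entries)) - known)


def renewal_gaps(entries: list, name: str) -> list:
    """Days between consecutive certificates for one host; ~90 means automated DV renewal."""
    days = sorted({entry["not_before"][:10] for entry in entries if name in hostnames(entry)})
    dates = [date.fromisoformat(d) for d in days]
    return [(b - a).days for a, b in zip(dates, dates[1:])]


if __name__ == "__main__":
    entries = load_entries()
    for name, day in sorted(first_seen(entries).items(), key=lambda kv: kv[1]):
        print(day, name)
    print("new vs report:", new_hosts(entries, KNOWN_HOSTS))
    print("www renewal gaps (days):", renewal_gaps(entries, "www.adobecad.com.cn"))
```

Run it on a schedule against the live query and alert on a non-empty new_hosts() result; crt.sh returns precertificates as well as leaf certificates, which is why first_seen() keeps the minimum date per name instead of assuming one record per issuance.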

The Campaign: More Than Just AutoCAD

Pivoting on the import hash 4a69501d065aecd17da3f8f42bc46478 -- an MD5 over the ordered list of imported DLL and function names, which identifies binaries built with the same toolchain and linking configuration -- reveals two additional samples. One caveat applies to any packed file: the import table on disk belongs to the Enigma stub, not the wrapped program, so an imphash match says "same packer build" first, and the shared YARA hits and lure style below are what make it a campaign link rather than a packer coincidence:

SHA-256                                                            Filename                 Size     First Seen
17d2b3fb0c1942c43588d26ba9aecd6f6a9a549f86a8bb4120865cfbd9caf137   autocad_v1.4.exe         30.3MB   2026-03-11 (MalwareBazaar upload; on VT since 2025-05-08)
16ed87bc2ca3fb12aa50ed5de9ffeb8ba14df383e937d9dd047464e7a2c2c859   Disk-Squeezer_v2.0.exe   22.0MB   2025-11-24
b61490f4f0edf574703224d38c5c00b867b6191bbf09b10bf1a81b7cd8a1e9b6   (unnamed)                5.8MB    2024-08-27

"Disk Squeezer" -- a purported disk optimization utility. AutoCAD. An unnamed third binary dating back to August 2024. Same Enigma Protector packer, same import structure, same build chain. Both the AutoCAD and Disk Squeezer samples trigger identical YARA rules for Enigma Protector, anti-debugging, and Cobalt Strike patterns; the Cobalt Strike hit is a generic pattern match, and nothing in the observed C2 (JSON over a Django API) resembles Beacon traffic, so it should not be read as a Cobalt Strike deployment.

The threat actor distributes multiple trojanized installers for whatever software their target audience is searching for -- CAD tools for engineers, disk utilities for general users, likely others not yet identified. The store[.]adobecad[.]com[.]cn subdomain reinforces this: a "store" implies a catalog of products, not a single offering. Same packer, same C2 framework, same build environment, different lures.

The earliest sample in the cluster dates to August 2024, more than eight months before the AutoCAD sample was compiled. But the domain infrastructure dates to May 2023, meaning the operation likely had even earlier samples that have not yet been identified.
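To make the imphash pivot concrete, here is the computation as pefile performs it, together with the reason it is a weak pivot for packed files: the on-disk import table belongs to the Enigma stub, so any payload wrapped by the same stub build hashes identically, and the payloads' real imports only diverge once unpacked. This is an added example, not code from the report. The stub import list mirrors the Import Analysis section (the OLEAUT32 ordinals are made up); the two payload import lists are hypothetical.

```python
"""Added example (not code from the report): imphash as pefile computes it, and a
demonstration that packed samples sharing a stub share an imphash. Import lists
are constructed; payload lists are hypothetical."""
import hashlib


def import_string(imports) -> str:
    """imports: [(dll_name, [function_name | ordinal_int, ...]), ...] in table order.
    pefile rules: lower-case dll base name (.dll/.ocx/.sys stripped), lower-case
    function names, ordinals as ordN, entries joined with commas."""
    parts = []
    for dll, funcs in imports:
        base = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if base.endswith(ext):
                base = base[: -len(ext)]
                break
        for func in funcs:
            name = f"ord{func}" if isinstance(func, int) else func.lower()
            parts.append(f"{base}.{name}")
    return ",".join(parts)


def imphash(imports) -> str:
    """MD5 of the normalized import string (32 hex chars)."""
    return hashlib.md5(import_string(imports).encode("ascii")).hexdigest()


# On-disk import table of the packer stub (mirrors the Import Analysis section).
ENIGMA_STUB_IMPORTS = [
    ("KERNEL32.dll", ["GetTempPathW", "GetTempFileNameW", "GetStdHandle", "ExitProcess"]),
    ("ntdll.dll", ["ZwProtectVirtualMemory", "RtlFormatCurrentUserKeyPath"]),
    ("ADVAPI32.dll", ["RegOpenKeyA"]),
    ("USER32.dll", ["MessageBoxA", "GetSystemMetrics"]),
    ("OLEAUT32.dll", [2, 4, 6]),             # SafeArray/SysAllocStringLen family by ordinal (made up)
    ("SHLWAPI.dll", ["PathMatchSpecW"]),
]
# Hypothetical import tables of two unrelated payloads, visible only after unpacking.
PAYLOAD_A_IMPORTS = [("Qt5Network.dll", ["QNetworkAccessManager_post"]), ("WS2_32.dll", ["connect", "send"])]
PAYLOAD_B_IMPORTS = [("WININET.dll", ["InternetOpenA", "HttpSendRequestA"]), ("USER32.dll", ["MessageBoxA"])]


def pivot_matches(samples: dict, query_hash: str) -> list:
    """What an imphash pivot on VT/MalwareBazaar returns: every sample whose
    on-disk import table hashes to the query."""
    return sorted(name for name, imports in samples.items() if imphash(imports) == query_hash)


if __name__ == "__main__":
    on_disk = {
        "autocad_v1.4.exe": ENIGMA_STUB_IMPORTS,        # stub around payload A
        "Disk-Squeezer_v2.0.exe": ENIGMA_STUB_IMPORTS,  # same stub around payload B
        "unpacked_tool.exe": PAYLOAD_B_IMPORTS,         # not packed: its own imports show
    }
    print("stub imphash:", imphash(ENIGMA_STUB_IMPORTS))
    print("pivot hits:", pivot_matches(on_disk, imphash(ENIGMA_STUB_IMPORTS)))
    print("payloads differ once unpacked:", imphash(PAYLOAD_A_IMPORTS) != imphash(PAYLOAD_B_IMPORTS))
```

The practical consequence: an imphash pivot on an Enigma-packed sample returns every file protected with that stub build, attacker or not, so treat hits as candidates to confirm with C2 strings, lure assets or certificate reuse rather than as campaign members outright.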

WHOIS: The QQ Email That Should Not Be There

Field        Value
Domain       adobecad[.]com[.]cn
Registered   2023-05-25
Expires      2028-05-25
Registrant   Yuan Shouchuang (袁守闯)
Email        842310870@qq[.]com
Registrar    Guangzhou Yunxun IT Co. (广州云讯信息科技有限公司)
DNS          DNSPod (Tencent Cloud)

A personal QQ email address in the WHOIS registration of a malware distribution domain. QQ numbers are tied to Tencent accounts, which in China require identity verification. QQ numbers are sequential and can sometimes be correlated to account creation dates and other Tencent services. This is either the operator's real identity or a compromised QQ account -- either way, it is an attribution lead that most cybercriminals would not leave behind.

Threat Actor Profile

Attribution Chain

Every piece of infrastructure converges on a consistent profile:

Indicator                                                        Source                       Confidence
Registrant: Yuan Shouchuang (袁守闯)                             WHOIS                        PROBABLE
Email: 842310870@qq[.]com                                        WHOIS                        PROBABLE
Code signing: Guangzhou Recording Network Technology Co., Ltd.   PE certificate               CONFIRMED
Server: Xiamen, Fujian, China                                    Shodan / IP geolocation      CONFIRMED
ISP: China Telecom Fujian (AS133776)                             BGP routing                  CONFIRMED
FTP cert: Dongguan, Guangdong                                    SSL certificate inspection   NOT ATTRIBUTIVE (BT-Panel default certificate; the vendor's address, not the operator's)
DNS: DNSPod (Tencent Cloud)                                      WHOIS                        CONFIRMED
SSL: TrustAsia (Chinese CA)                                      crt.sh                       CONFIRMED
Live chat: 53kf.com (Chinese platform)                           String extraction            CONFIRMED
Registrar: Guangzhou Yunxun IT Co.                               WHOIS                        CONFIRMED

The domain registrar is in Guangzhou. The code signing entity is in Guangzhou. The server sits in Xiamen, Fujian, on a China Telecom network. The DNS provider is Tencent's DNSPod. The SSL issuer is TrustAsia, a Chinese DigiCert subsidiary. The live chat is a Chinese platform. The FTP certificate's Dongguan/Guangdong fields are the BaoTa vendor's defaults and add nothing geographically. The target audience appears to be Chinese-speaking users seeking pirated software, based on the .com.cn domain and Chinese-language customer service integration.

Operational Pattern

  1. Domain strategy: Brand impersonation by blending vendor names (Adobe + AutoCAD = "adobecad")
  2. Certificate abuse: EV code signing certificates from European CAs (Certum/Poland) under Chinese company names
  3. Infrastructure: Chinese hosting (China Telecom), Chinese DNS (DNSPod), Chinese SSL (TrustAsia), managed via BT-Panel
  4. Distribution: Fake software installer downloads (AutoCAD, Disk Squeezer, others)
  5. Tooling: Enigma Protector (commercial packer), Qt5 framework (cross-platform GUI), Django/gunicorn backend
  6. Targeting: Chinese-speaking users seeking pirated software
  7. Longevity: Infrastructure active since at least May 2023 (nearly three years)

The Nine OPSEC Failures

#   Failure                                                                Impact
1   Personal QQ email in WHOIS registration                                Direct attribution lead via Tencent identity verification
2   MySQL 5.6 exposed to internet on port 3306                             Server compromise risk; EOL database with known vulnerabilities
3   BaoTa (BT-Panel) admin interface open on port 8888                     Server management visible; potential unauthorized access
4   FTP SSL certificate is the BT-Panel default (O=BT-PANEL, L=Dongguan)   Confirms an unmodified panel install; the location is the vendor's, not the operator's
5   Hardcoded IP address in binary                                         No domain-based C2 rotation; single point of failure for takedown
6   Plaintext HTTP for all C2 communication                                Network monitoring trivial; no encrypted transport
7   EOL OpenSSH 7.4 with 20 known CVEs                                     Server compromise risk from known vulnerabilities
8   Static branding asset filenames (autodesk.png, cadlogo.png)            Intent is immediately obvious from HTTP logs
9   Original filename "goods_web.exe" left in PE version info              Reveals internal naming convention

The asymmetry is common in financially motivated operations: invest heavily in victim-facing components (certificates, packing, professional UI) and spend nothing on infrastructure defense. Every exposed service is an intelligence collection opportunity for defenders.

MITRE ATT&CK Mapping

Tactic                Technique                                        ID          Implementation
Execution             User Execution: Malicious File                   T1204.002   Victim runs fake AutoCAD installer
Defense Evasion       Masquerading: Match Legitimate Name              T1036.005   autocad_v1.4.exe with Autodesk branding
Defense Evasion       Subvert Trust Controls: Code Signing             T1553.002   Revoked EV certificate from Certum CA
Defense Evasion       Obfuscated Files: Software Packing               T1027.002   Enigma Protector with encrypted .enigma1 payload
Persistence           Boot or Logon Autostart: Shortcut Modification   T1547.009   autodesk360.lnk on Desktop (weak fit: the shortcut runs only when the user clicks it, not at logon)
Command and Control   Application Layer Protocol: Web Protocols        T1071.001   HTTP POST JSON to Django REST API
Command and Control   Ingress Tool Transfer                            T1105       Version check endpoint for update/payload delivery
Discovery             Remote System Discovery                          T1018       NetBIOS name probing on port 137/UDP (host sweeps fit T1018 better than T1016 System Network Configuration Discovery)

Detection

Endpoint

Process-level monitoring:

  • Alert on PE files with .enigma1 or .enigma2 section names executing from user-writable directories
  • Monitor for bulk evb*.tmp DLL creation in %TEMP% -- a signature of Enigma Virtual Box unpacking
  • Flag processes creating autodesk360.lnk on the Desktop
  • Detect ZwProtectVirtualMemory calls from unsigned or revoked-cert binaries
  • Monitor for NetBIOS probing (port 137/UDP) from GUI applications

Certificate-based blocking:

  • Block or alert on execution of binaries signed with certificate serial 21:EC:6F:C7:87:8B:F7:B2:8D:99:4C:F6:6D:BF:C9:94
  • Maintain revoked-certificate blocklists and validate code signing status at execution time, not just at download

Host-based indicators:

# Persistence artifact
%USERPROFILE%\Desktop\autodesk360.lnk

# Enigma Virtual Box extraction pattern
%TEMP%\evb*.tmp

# Original filename in PE metadata
goods_web.exe

# Campaign imphash
4a69501d065aecd17da3f8f42bc46478

Network

Firewall rules:

# Block C2 IP (all ports)
deny ip any host 121.204.249.146

DNS sinkhole:

# Sinkhole C2 domain and all subdomains
*.adobecad.com.cn → sinkhole

Suricata signatures (selected):

# C2 check-in: POST to /api/soft/app/info/ with JSON
alert http $HOME_NET any -> 121.204.249.146 8000 (
  msg:"MALWARE TrojanizedAutoCAD C2 - App Info POST";
  flow:established,to_server;
  content:"POST"; http_method;
  content:"/api/soft/app/info/"; http_uri;
  content:"application/json"; http_header;
  classtype:trojan-activity;
  sid:2026031101; rev:1;
)

# Health check on secondary port (urilen pins the exact path "/hc")
alert http $HOME_NET any -> 121.204.249.146 9901 (
  msg:"MALWARE TrojanizedAutoCAD C2 - Health Check";
  flow:established,to_server;
  content:"/hc"; http_uri; urilen:3;
  classtype:trojan-activity;
  sid:2026031103; rev:2;
)

# Generic, IP-agnostic: JSON POST whose path starts with /api/soft/. The gunicorn
# Server header travels in the response, so it cannot be matched in a to_server
# rule; pin the path to the start of the URI and the JSON content type instead.
alert http $HOME_NET any -> $EXTERNAL_NET any (
  msg:"MALWARE TrojanizedAutoCAD C2 - Generic API Soft Pattern";
  flow:established,to_server;
  content:"POST"; http_method;
  content:"/api/soft/"; http_uri; depth:10;
  content:"Content-Type|3a 20|application/json"; http_header;
  classtype:trojan-activity;
  sid:2026031106; rev:2;
)

# DNS resolution for C2 domain: match the queried name as a whole rather than
# the loose substrings "com" and "cn", which would fire on unrelated lookups
alert dns $HOME_NET any -> any 53 (
  msg:"MALWARE TrojanizedAutoCAD DNS Lookup - adobecad.com.cn";
  dns.query; content:"adobecad.com.cn"; nocase; endswith;
  classtype:trojan-activity;
  sid:2026031107; rev:2;
)

# 53kf.com live chat beacon. The embedded URL is https, so an HTTP rule never
# sees the Host header; match the TLS SNI instead (the client-ID path is only
# visible behind a TLS-inspecting proxy). Expect benign hits: 53kf is a
# legitimate platform used by many Chinese businesses.
alert tls $HOME_NET any -> $EXTERNAL_NET any (
  msg:"SUSPICIOUS TrojanizedAutoCAD Live Chat Beacon - 53kf.com";
  flow:established,to_server;
  tls.sni; content:"tb.53kf.com"; nocase; endswith;
  classtype:trojan-activity;
  sid:2026031108; rev:2;
)

YARA Rules

rule TrojanizedAutoCAD_GoodsWeb_Enigma
{
    meta:
        description = "Detects TrojanizedAutoCAD installer packed with Enigma Protector"
        author = "Breakglass Intelligence"
        date = "2026-03-11"
        hash = "17d2b3fb0c1942c43588d26ba9aecd6f6a9a549f86a8bb4120865cfbd9caf137"
        confidence = "HIGH"

    strings:
        $enigma1 = ".enigma1" ascii
        $enigma2 = ".enigma2" ascii
        $c2_api1 = "/api/soft/app/info/" ascii wide
        $c2_api2 = "/api/soft/version/info/" ascii wide
        $c2_ip = "121.204.249.146" ascii wide
        $original_name = "goods_web" ascii wide

    condition:
        // The API paths and C2 IP live in the Enigma-encrypted original image, so
        // on-disk hits depend on what the stub leaves in clear; scan unpacked dumps
        // and process memory as well as files.
        uint16(0) == 0x5A4D and
        filesize > 20MB and filesize < 40MB and
        ($enigma1 and $enigma2) and
        (2 of ($c2_api1, $c2_api2, $c2_ip)) and
        $original_name
}

rule TrojanizedAutoCAD_C2_Strings
{
    meta:
        description = "Detects TrojanizedAutoCAD by C2 communication patterns"
        author = "Breakglass Intelligence"
        date = "2026-03-11"
        confidence = "HIGH"

    strings:
        $c2_1 = "121.204.249.146:8000" ascii wide
        $c2_2 = "121.204.249.146:9901" ascii wide
        $api1 = "/api/soft/app/info/" ascii wide
        $api2 = "/api/soft/version/info/" ascii wide
        $domain = "adobecad.com.cn" ascii wide

    condition:
        uint16(0) == 0x5A4D and
        (any of ($c2_*) or $domain) and
        (any of ($api*))
}

rule Enigma_Protector_Qt5_Dropper
{
    meta:
        description = "Generic: Enigma Protector packed Qt5 apps used as droppers"
        author = "Breakglass Intelligence"
        date = "2026-03-11"
        confidence = "MEDIUM"

    strings:
        $enigma1 = ".enigma1" ascii
        $enigma2 = ".enigma2" ascii
        $evb = "TVirtualBoxRegistryItem" ascii wide
        $qt_core = "Qt5Core.dll" ascii wide
        $qt_net = "Qt5Network.dll" ascii wide
        $qt_widget = "Qt5Widgets.dll" ascii wide
        $ssl1 = "libcrypto-1_1-x64.dll" ascii wide
        $ssl2 = "libssl-1_1-x64.dll" ascii wide

    condition:
        uint16(0) == 0x5A4D and
        filesize > 5MB and
        ($enigma1 or $enigma2 or $evb) and
        2 of ($qt_core, $qt_net, $qt_widget) and
        any of ($ssl*)
}

Indicators of Compromise

File Indicators

# Primary sample
SHA256:  17d2b3fb0c1942c43588d26ba9aecd6f6a9a549f86a8bb4120865cfbd9caf137
SHA1:    2c3470eaea2614ee5d3385c073abd4f1260bd3d6
MD5:     a0feaefbe343954e61544f32827ccb96
SSDeep:  786432:B+G5eaaDqy3rc/OlBy9g4aLpOQlqjfLZSZoK:fcrc/OlBhhLphlEfVSqK
Imphash: 4a69501d065aecd17da3f8f42bc46478
File:    autocad_v1.4.exe (original: goods_web.exe)

# Related sample — Disk Squeezer (same imphash)
SHA256:  16ed87bc2ca3fb12aa50ed5de9ffeb8ba14df383e937d9dd047464e7a2c2c859
File:    Disk-Squeezer_v2.0.exe

# Related sample — unnamed (same imphash)
SHA256:  b61490f4f0edf574703224d38c5c00b867b6191bbf09b10bf1a81b7cd8a1e9b6

Network Indicators

# C2 Server (defanged)
121[.]204[.]249[.]146                  (CHINANET Fujian, Xiamen, AS133776)
121[.]204[.]249[.]146:8000             (Django/gunicorn C2 API)
121[.]204[.]249[.]146:9901             (Java/Spring health check)

# C2 Domains (defanged)
adobecad[.]com[.]cn                    (Parent domain)
360[.]adobecad[.]com[.]cn              (Primary C2 hostname)
360exp[.]adobecad[.]com[.]cn           (Staging / experimental C2)
store[.]adobecad[.]com[.]cn            (Fake software store)
setup[.]adobecad[.]com[.]cn            (Installer delivery)
cad[.]adobecad[.]com[.]cn              (CAD-themed download portal)
bd[.]adobecad[.]com[.]cn               (Backdoor / secondary service)
php[.]adobecad[.]com[.]cn              (PHP-based service)

C2 URLs

hxxp://121[.]204[.]249[.]146:8000/api/soft/app/info/
hxxp://121[.]204[.]249[.]146:8000/api/soft/version/info/
hxxp://121[.]204[.]249[.]146:9901/hc
hxxp://121[.]204[.]249[.]146:8000/static/soft/autodesk.png
hxxp://121[.]204[.]249[.]146:8000/static/soft/cadlogo.png
hxxp://121[.]204[.]249[.]146:8000/static/soft/cadmain.png
hxxps://tb[.]53kf[.]com/code/client/b42c571f6a4c7fd01a6b00c3e1591dea7/1

Certificate Indicators

# Revoked EV Code Signing Certificate
Serial:          21:EC:6F:C7:87:8B:F7:B2:8D:99:4C:F6:6D:BF:C9:94
Thumbprint SHA1: 42740DC2EC85960A5374AD86B055AFFF65F8FAC6
Thumbprint SHA256: 5348CD6FD9DB43CC8BFF7285CA0194F3BB639A0EFD3F49F764EAA35F262222F1
Subject:         Guangzhou Recording Network Technology Co., Ltd.
Issuer:          Certum Extended Validation Code Signing 2021 CA
Valid:           2025-04-15 to 2026-04-15
Status:          REVOKED

Abuse Reporting Targets

Entity                            Reason                                                                               Contact
Certum CA                         Revoked certificate abuse documentation                                              certum.pl
China Telecom (CHINANET Fujian)   C2 hosting at 121[.]204[.]249[.]146                                                  abuse@chinatelecom.cn
DNSPod / Tencent                  Malicious domain adobecad[.]com[.]cn                                                 abuse@dnspod.com
TrustAsia                         SSL certificates for malicious domain                                                trustasia.com
Autodesk                          Trademark abuse / brand impersonation                                                autodesk.com
53kf.com                          Customer service platform abuse (client ID: b42c571f6a4c7fd01a6b00c3e1591dea7)       53kf.com

Recommended Actions

Immediate

  • Block all traffic to 121[.]204[.]249[.]146
  • Sinkhole *.adobecad[.]com[.]cn in DNS resolvers
  • Block/alert on certificate serial 21EC6FC7878BF7B28D994CF66DBFC994
  • Deploy YARA and Suricata rules from the detection section
  • Hunt for autodesk360.lnk on endpoints across the fleet
  • Search for evb*.tmp patterns in %TEMP% directories

Short-Term

  • Submit abuse reports to all six entities listed above
  • Monitor for new certificates issued to adobecad[.]com[.]cn subdomains via crt.sh
  • Track imphash 4a69501d065aecd17da3f8f42bc46478 on MalwareBazaar and VirusTotal for new campaign samples
  • Assess organizational exposure to fake software download campaigns

Strategic

  • Implement certificate revocation checking at execution time, not just download time
  • Block Enigma Protector-packed binaries from user-writable directories via application control policies
  • Monitor for Qt5+OpenSSL+Enigma combinations in submitted samples as a generic campaign indicator
  • Evaluate blocking .com.cn domain categories at the proxy level for high-security environments

Published by Breakglass Intelligence. Investigation conducted 2026-03-11. A fake AutoCAD installer. A revoked EV certificate. A Django API in Xiamen. Three years of infrastructure, nine OPSEC failures, and 80% of antivirus engines looking the other way. Classification: TLP:CLEAR
