The Sentinel Variant: evilgrou-tech Deploys HVNC-Equipped QuasarRAT for Crypto Targeting While PFCLOUD Nexus Links Three Malware Operations to One Bulletproof /24
Dual-targeting forex and crypto, 8 cryptographic schemes, live payload rotation, and a 3-year infrastructure timeline — all converging on a single bulletproof hosting block
TL;DR: A follow-up investigation into the evilgrou-tech/WaterHydra threat actor — previously attributed by BGI — reveals a second QuasarRAT variant ("Sentinel") equipped with Hidden VNC, keylogging, and browser credential theft, targeting cryptocurrency users under the campaign tag "Pumpfun." More critically, the Sentinel C2 at 192.109.200[.]147 sits in the same /24 as CountLoader's fake CCleaner C2 at 192.109.200[.]130 — both hosted by PFCLOUD UG, a German shell company routing through 1337 Services LLC in Saint Kitts and Nevis. The same PFCLOUD upstream also provides transit for the Amadey botnet staging server distributing 23 malware families across 100+ samples. We also recovered a complete 3-year infrastructure timeline spanning 7 historical C2 domains, caught the operator rotating live payloads at 05:15 UTC, and confirmed Russian origin via a "russia978" dynamic DNS hostname and UTC+3 commit timestamps across 132 git commits.
From Forex to Crypto: The Dual-Targeting Pivot
Our previous investigation fully decrypted evilgrou-tech's primary QuasarRAT v1.4.1 deployment — a forex-targeting campaign tagged "Office04" operating from 91.124.98[.]29:2626. That variant used standard QuasarRAT capabilities with 4096-bit RSA and PBKDF2-SHA1 key derivation.
The Sentinel variant is a significant operational escalation.
QuasarRAT v1.8.8 "Sentinel" — Fully Decrypted Configuration
| Field | Value |
|---|---|
| Version | 1.8.8 |
| TAG | Pumpfun |
| C2 | 192.109.200[.]147:6767 |
| Install Path | SubDir\Sys.exe |
| Startup Key | Runtime Broker |
| Mutex | 95e56cb6-e641-4ffa-b96a-3e896483c37f |
| RSA Key | 8192-bit (double the v1.4.1 variant) |
| Cert CN | JOYUSO=hjkdashjksdajkh (gibberish, 50-year validity, created 2026-03-04) |
| Encryption Key | 6B58BFD60FC3150331254A46D2E75F0856F5D0AE |
| PBKDF2 Salt | af2b9e3bf72d77fbf2f923b4a015b8f3209d1624a21b6fb1c4a123b2a6b329a1 |
| SHA256 | a342889b6129444756d089aacbd647b1fcb0273ed5894885e1641038a001a2d7 |
The "Pumpfun" tag — a reference to the Solana memecoin launch platform — confirms this campaign targets cryptocurrency users. The "Office04" tag on the primary variant targets forex traders. The operator runs parallel campaigns against two distinct financial verticals from the same infrastructure.
Sentinel Capabilities: HVNC, Keylogging, Browser Theft
The Sentinel binary is Costura.Fody packed with six embedded DLLs:
| DLL | Size | Purpose |
|---|---|---|
| invokedcommon.dll | 97KB | QuasarRAT core + Hidden VNC module |
| Gma.System.MouseKeyHook.dll | — | Global keyboard/mouse hook keylogger |
| Newtonsoft.Json.dll | — | JSON serialization |
| protobuf-net.dll | — | Protocol Buffers (C2 comms) |
| System.Diagnostics.DiagnosticSource.dll | — | Diagnostics |
| Costura.dll | — | Assembly loader |
The HVNC module is the critical escalation. Hidden VNC creates an invisible desktop session, allowing the operator to interact with the victim's browser — including crypto wallet extensions, exchange sessions, and 2FA prompts — without the victim seeing any visual activity. Combined with the keylogger and Chromium/Firefox credential theft modules, this gives the operator complete access to cryptocurrency accounts.
The salt was extracted from invokedcommon.dll FieldRVA at offset 0x17490.
Delivery: sentinel.ps1
The Sentinel variant is delivered via a 779KB PowerShell wrapper (sentinel.ps1) that:
- Requests admin elevation via UAC prompt
- Decompresses a GZip-compressed .NET PE from an embedded byte array
- Writes to SubDir\Sys.exe and registers as "Runtime Broker" in HKCU\Run
The PFCLOUD Nexus: Three Malware Operations, One /24
This is the investigation's most significant finding. Three apparently independent malware operations share infrastructure through PFCLOUD UG (AS51396):
192.109.200.0/24 — Shared Bulletproof Block
| IP | Operation | Malware |
|---|---|---|
| 192.109.200[.]147 | evilgrou-tech | Sentinel QuasarRAT v1.8.8 (crypto targeting) |
| 192.109.200[.]130 | CountLoader | Fake CCleaner C2 (ccleaner[.]gl) |
| 192.109.200[.]1 | Unknown | PTR: rkntest4 (Roskomnadzor reference) |
PFCLOUD Upstream Transit
| IP | Operation | Relationship |
|---|---|---|
| 158.94.211[.]222 | Amadey botnet | Staging server (campaign fbf543), transit via AS51396 PFCLOUD |
PFCLOUD UG is a German shell company routing through vmheaven.io and ultimately 1337 Services LLC — registered in Saint Kitts and Nevis. The three-jurisdiction chain (Bulgaria LIR → Germany hosting → Caribbean shell company) is designed to frustrate law enforcement cooperation.
The BGP route for 192.109.200.0/24 was announced on 2026-01-18 — just 49 days before our investigation. The domain was in pendingTransfer status on the investigation date. All ports on the Sentinel C2 are closed to non-whitelisted IPs — zero Shodan coverage, zero GreyNoise data.
CountLoader: Targeting Security Researchers from the Same /24
CountLoader — previously investigated by BGI — distributes via a filename specifically designed to lure security researchers: source code of carbanak backdoor discovered.exe.
Its C2 at ccleaner[.]gl resolves to 192.109.200[.]130 — seventeen IPs from evilgrou-tech's Sentinel C2. The CountLoader panel leaked a full .NET stack trace revealing a Windows backend (D:\Panel\Files\) behind a Linux nginx reverse proxy, with the panel binary identified as a UI assembly using Helpers.HostConfigurator.GetFile().
CountLoader's secondary C2 at burning-edge[.]sbs (65.21.174[.]205, Hetzner) has phpMyAdmin exposed at /phpmyadmin/, MySQL on port 3306, and 120+ CVEs including regreSSHion.
The CountLoader HTA payload targets 50+ cryptocurrency wallet browser extensions (MetaMask, Phantom, Coinbase, Keplr, OKX, Trust, Exodus, Brave) across 40+ Chromium-based browsers, plus hardware wallets (Ledger Live, Trezor, Atomic, Exodus). It uses six different download methods (curl, PowerShell IRM, bitsadmin, certutil, msiexec, VBScript COM), persists via Windows Task Scheduler with a 30-minute interval and 760-day expiry (task name "CCleanerTaskID"), and spreads via USB drives using LNK files with mshta callbacks.
Amadey BaaS: 23 Families, 100+ Samples, Same Upstream
The Amadey botnet staging server at 158.94.211[.]222 — operating under campaign tag fbf543 — has distributed over 100 samples across 23 malware families in 10 days, including a near-twin QuasarRAT build (b9b51e29..., 646,656 bytes). The panel remains live at /index.php.
This server sits on AS202412 OMEGATECH — an ASN created on 2026-01-12 (less than two months before our investigation) and registered to a Seychelles shell company. Its upstream transit provider is AS51396 PFCLOUD — the same provider hosting evilgrou-tech's Sentinel C2.
The Amadey fbf543 campaign distributes: Vidar, StealC, SmokeLoader, LummaStealer, Rhadamanthys, RemcosRAT, ValleyRAT, XWorm, and more. Four XWorm samples were observed in the distribution, using ConfuserEx obfuscation — commodity RATs bundled alongside more sophisticated payloads.
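The /24 and upstream pivot described in this section is mechanical enough to script. The following is an added example (not BGI tooling) that refangs the indicators listed above, buckets them by network prefix, and keeps only prefixes hosting more than one distinct operation. The prefix-to-ASN table is a constructed stand-in for the routing data an analyst would query; the AS numbers and names are the ones given in the report, but which prefix maps to which ASN is assumed for the demo.

```python
"""Group defanged C2 indicators by shared network prefix.

Added example for this write-up, not BGI's own tooling. The indicator list
is taken from the report; the prefix-to-ASN table is a constructed stand-in
for the routing data an analyst would query.
"""
import ipaddress
from collections import defaultdict

# Indicators as published (defanged), with the operation each belongs to.
IOCS = [
    ("192.109.200[.]147", "evilgrou-tech", "Sentinel QuasarRAT v1.8.8 C2"),
    ("192.109.200[.]130", "CountLoader", "fake CCleaner C2"),
    ("192.109.200[.]1", "unknown", "PTR rkntest4"),
    ("158.94.211[.]222", "Amadey", "staging server, campaign fbf543"),
    ("91.124.98[.]29", "evilgrou-tech", "QuasarRAT v1.4.1 primary C2"),
    ("38.57.44[.]173", "evilgrou-tech", "DarkMe + QuasarRAT v1.4.1"),
    ("38.57.40[.]95", "evilgrou-tech", "Flask debug C2 panel"),
    ("45.94.31[.]53", "evilgrou-tech", "DarkMe C2 (legacy)"),
]

# Constructed stand-in for offline routing data. AS numbers and names come
# from the report; the prefix-to-ASN assignment is assumed for the demo.
ASN_TABLE = {
    "192.109.200.0/24": "AS51396 PFCLOUD",
    "158.94.211.0/24": "AS202412 OMEGATECH (transit AS51396 PFCLOUD)",
    "45.94.31.0/24": "AS211826 PrefixBroker/ISTQRAR",
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a parseable address."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def cluster_by_prefix(iocs, prefixlen: int = 24):
    """Map each /prefixlen network to the indicators that fall inside it."""
    clusters = defaultdict(list)
    for raw, operation, role in iocs:
        addr = ipaddress.ip_address(refang(raw))
        net = ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)
        clusters[str(net)].append((str(addr), operation, role))
    return dict(clusters)


def shared_prefixes(clusters):
    """Keep only prefixes hosting more than one distinct operation."""
    return {
        net: entries
        for net, entries in clusters.items()
        if len({op for _, op, _ in entries}) > 1
    }


def host_distance(a: str, b: str) -> int:
    """Absolute distance between two addresses in the integer address space."""
    return abs(int(ipaddress.ip_address(refang(a))) - int(ipaddress.ip_address(refang(b))))


def asn_for(net: str) -> str:
    """Look the prefix up in the local (constructed) ASN table."""
    return ASN_TABLE.get(net, "ASN not in local table")


if __name__ == "__main__":
    for net, entries in shared_prefixes(cluster_by_prefix(IOCS)).items():
        print(f"{net}  [{asn_for(net)}]")
        for ip, op, role in entries:
            print(f"  {ip:<16} {op:<14} {role}")
```

Widening the prefix length to /21 groups the two ThinkHuge hosts together without promoting them to a shared prefix, because only one operation lives there; that distinction (co-location versus shared use by unrelated operations) is what makes the 192.109.200.0/24 finding notable.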
3-Year Infrastructure Archaeology
Pivoting from the DarkMe configs extracted across 9 imphash-matched samples, we reconstructed the operator's complete C2 evolution:
Phase 1: 2023 — Seven Gibberish Domains on Comcast
| Domain | Status |
|---|---|
| armousteddgmo[.]com | Expired |
| marketisportsstumi[.]win | Expired |
| mastrrokiakivasai[.]com | Still resolving |
| mmnedgeggrrva[.]com | Expired |
| kerlamaabramsurf[.]com | Expired |
| kaliinuxnowwdangerou[.]org | Expired |
| caddimilopidelphsimpl[.]de | Expired |
All registered via NameSilo with 3-year terms and DNSowl nameservers, pointing to a single Comcast residential IP: 216.162.194[.]8. DarkMe config password: 12311231!, port 443.
Phase 2: 2024 — The russia978 OPSEC Leak
The operator switched to No-IP dynamic DNS: russia978.sytes[.]net.
The "russia" substring in the hostname is a catastrophic OPSEC failure, confirming Russian origin. This is consistent with the UTC+3 (Moscow Standard Time) timezone derived from 132/132 git commits, the weekday-heavy work pattern (dead 01:00-06:00 MSK, peak 10:00-16:00 MSK), and the Russian language strings in the forex.sct COM scriptlet.
Currently resolves to 45.94.31[.]53. Password weakened to 123, port 2022.
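The timezone and work-pattern inference from commit metadata is reproducible from `git log` output alone. The example below is added here (not BGI tooling) to show the computation: offset consistency across commits, a local-hour histogram, and the share of commits inside a "dead" and a "peak" window. SAMPLE_LOG is a constructed stand-in for `git log --format='%h %aI'` output; the numbers it yields describe the constructed data, not the operator's 132 commits.

```python
"""Infer an author's timezone and working hours from commit timestamps.

Added example for this write-up, not BGI's own tooling. SAMPLE_LOG is a
constructed stand-in for `git log --format='%h %aI'` output; the figures it
produces describe the constructed data, not the operator's repositories.
"""
from collections import Counter
from datetime import datetime

# Constructed sample: abbreviated hash followed by the author date in ISO 8601.
SAMPLE_LOG = """\
a1 2026-02-02T10:12:44+03:00
a2 2026-02-02T11:40:03+03:00
a3 2026-02-03T14:05:19+03:00
a4 2026-02-03T15:58:51+03:00
a5 2026-02-04T09:30:00+03:00
a6 2026-02-05T12:11:37+03:00
a7 2026-02-05T16:44:20+03:00
a8 2026-02-06T13:27:09+03:00
a9 2026-02-07T18:02:55+03:00
b1 2026-02-09T10:49:13+03:00
b2 2026-02-10T22:31:48+03:00
b3 2026-02-11T15:17:26+03:00
"""


def parse_commits(log_text: str):
    """Return one timezone-aware datetime per non-empty log line."""
    commits = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        _, stamp = line.split(maxsplit=1)
        commits.append(datetime.fromisoformat(stamp))
    return commits


def offset_consistency(commits):
    """Most common UTC offset (as a %z string) and the fraction of commits using it."""
    offsets = Counter(dt.strftime("%z") for dt in commits)
    offset, count = offsets.most_common(1)[0]
    return offset, count / len(commits)


def hour_histogram(commits):
    """Commits per hour on the author's own clock (not UTC)."""
    return dict(sorted(Counter(dt.hour for dt in commits).items()))


def window_share(commits, start_hour: int, end_hour: int) -> float:
    """Fraction of commits whose local hour falls in [start_hour, end_hour)."""
    hits = sum(1 for dt in commits if start_hour <= dt.hour < end_hour)
    return hits / len(commits)


def weekday_share(commits) -> float:
    """Fraction of commits made Monday through Friday on the author's local date."""
    return sum(1 for dt in commits if dt.weekday() < 5) / len(commits)


if __name__ == "__main__":
    commits = parse_commits(SAMPLE_LOG)
    offset, ratio = offset_consistency(commits)
    print(f"dominant offset {offset} in {ratio:.0%} of commits")
    print("hours:", hour_histogram(commits))
    print(f"dead 01-06: {window_share(commits, 1, 6):.0%}, "
          f"peak 10-16: {window_share(commits, 10, 16):.0%}, "
          f"weekdays: {weekday_share(commits):.0%}")
```

The offset check is the load-bearing step: a single offset across every commit (132/132 in the report) is far stronger evidence than the hour distribution, because the offset is written by the committer's machine and the histogram only becomes meaningful once it is read in that same local time.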
Phase 3: 2025-2026 — Bulletproof Hosting
| IP | ASN | Purpose |
|---|---|---|
| 45.94.31[.]53 | AS211826 PrefixBroker/ISTQRAR | DarkMe C2 (RDP hostname: "Copy-of-VM-2022") |
| 38.57.44[.]173 | ThinkHuge | DarkMe + QuasarRAT v1.4.1 (port 4242) |
| 91.124.98[.]29 | ThinkHuge | QuasarRAT v1.4.1 primary (port 2626) |
| 38.57.40[.]95 | ThinkHuge | Flask debug C2 panel |
| 192.109.200[.]147 | PFCLOUD | Sentinel QuasarRAT v1.8.8 (port 6767) |
Password evolution: 12311231! → 123 → password — a clear degradation in OPSEC discipline as the operator scales operations.
ThinkHuge /21 Infrastructure Sweep
Expanding our initial 15-IP scan, we mapped 77 active hosts across the ThinkHuge /21 block:
- 31 SSH-only Linux boxes
- 14 Windows RPC-only
- 5 Windows RPC+WinRM
- 4 Windows RPC+WSD
- 2 SQL Server instances (port 1433)
- 4 AnyDesk management plane instances (port 7070, documented here)
- 38.57.40[.]237: 9 exposed services including Telnet, SMTP, POP3, SOCKS, FTP
Live Payload Rotation Caught
At approximately 05:15 UTC on March 8, we observed the operator actively rotating payloads on the GitHub drive repository:
- encrypted.b64 changed from a 7.2MB QuasarRAT payload (AES key derived from "OneDrive") to a fresh 138KB DarkMe VB6 build (AES key derived from "NewSecret_2026_Forex")
- New SHA256: 5dfb9954260d3b53adda4f22187442bfc437530c8fa96496e4539284e26228d3
- This hash is not on MalwareBazaar — a fresh build deployed by an active operator
We also confirmed a 2-layer AES nesting scheme: the forex.sct COM scriptlet (with Russian comment: "Komanda PowerShell s pravilnym ekranirovaniem kavychek" — "PowerShell command with proper quote escaping") decrypts through Scheme H (AES key NewSecret_2000_Forex) which wraps Scheme G (AES key NewSecret_2026_Forex) before reaching the final DarkMe payload.
Additionally, the grovi/settings.dat decryption key was confirmed as WinUpdate2025SuperKey1234567890_1 (note the underscore before the final digit), producing a 3,266,048-byte .NET PE — QuasarRAT v1.4.1 with an identical configuration to all other repositories. All three GitHub repos deliver the same QuasarRAT config through different AES loader keys.
8 Cryptographic Schemes — Complete Inventory
| Scheme | Algorithm | Key Source | Payload |
|---|---|---|---|
| A | AES-256-CBC | PBKDF2("OneDrive") | QuasarRAT v1.4.1 |
| B | AES-256-CBC | PBKDF2("EvilGroup2026") | DarkMe VB6 |
| C | AES-256-CBC | PBKDF2("NewSecret_2026") | QuasarRAT v1.4.1 |
| D | AES-256-CBC | SHA256("NewSecret_2000_Forex") | Outer wrapper (2-layer) |
| E | AES-256-CBC | SHA256("NewSecret_2026_Forex") | Inner wrapper → DarkMe |
| F | XOR | Single-byte 0xA5 | config.dat.b64 → PS1 loader |
| G | AES-256-CBC | SHA256("WinUpdate2025SuperKey1234567890_1") | grovi/settings.dat → QuasarRAT |
| H | AES-256-CBC | PBKDF2 (Sentinel salt) | Sentinel QuasarRAT v1.8.8 |
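Scheme F is the one entry in the inventory that needs no key material beyond a single byte, which makes it a good illustration of how an analyst handles an obfuscated loader config when the key is not yet known. The block below is an added example (not BGI tooling): it assumes the decode order is base64 first, then XOR, and generalises the step by trying all 256 key bytes and scoring each candidate on printable ratio plus recognised PowerShell tokens. SAMPLE_PLAINTEXT is a constructed, harmless script used only to build a test blob; it is not the operator's loader.

```python
"""Recover a single-byte XOR key from a base64-wrapped, XOR-obfuscated script.

Added example for this write-up, not BGI's own tooling. Assumes the Scheme F
order base64 -> XOR -> PowerShell text, and generalises to an unknown key byte
by scoring all 256 candidates. SAMPLE_PLAINTEXT is a constructed, harmless
script used only to build a test blob.
"""
import base64
import string

# Constructed harmless script standing in for a decoded PS1 loader.
SAMPLE_PLAINTEXT = (
    "$ErrorActionPreference = 'Stop'\r\n"
    "$marker = Get-Date -Format 'yyyy-MM-dd'\r\n"
    "Write-Host \"constructed sample $marker\"\r\n"
)
SAMPLE_KEY = 0xA5  # the Scheme F key byte reported in the write-up

PRINTABLE = set(string.printable.encode())
# Tokens that commonly appear in PowerShell source; each hit adds a small bonus.
PS_TOKENS = [b"$", b"Write-", b"Get-", b"Invoke-", b"-Format", b"powershell", b"function"]


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte (its own inverse)."""
    return bytes(b ^ key for b in data)


def build_blob(plaintext: str, key: int) -> str:
    """Build a config.dat.b64-style blob for the demo: XOR, then base64."""
    return base64.b64encode(xor_bytes(plaintext.encode(), key)).decode()


def score_candidate(candidate: bytes) -> float:
    """Printable-byte ratio plus 0.05 per recognised PowerShell token."""
    printable = sum(1 for b in candidate if b in PRINTABLE) / max(len(candidate), 1)
    bonus = sum(0.05 for tok in PS_TOKENS if tok in candidate)
    return printable + bonus


def recover_key(blob_b64: str):
    """Try all 256 key bytes; return (best_key, decoded_bytes, score)."""
    data = base64.b64decode(blob_b64)
    best = (None, b"", -1.0)
    for key in range(256):
        candidate = xor_bytes(data, key)
        s = score_candidate(candidate)
        if s > best[2]:
            best = (key, candidate, s)
    return best


def decode_scheme_f(blob_b64: str, key: int = SAMPLE_KEY) -> str:
    """Direct decode once the key is known: base64-decode, then XOR."""
    return xor_bytes(base64.b64decode(blob_b64), key).decode("utf-8", errors="replace")


if __name__ == "__main__":
    blob = build_blob(SAMPLE_PLAINTEXT, SAMPLE_KEY)
    key, decoded, score = recover_key(blob)
    print(f"recovered key 0x{key:02X} (score {score:.2f})")
    print(decoded.decode())
```

The token bonus matters because a few other key bytes can also yield all-printable output (a key differing in one low bit just shifts letters); the correct key is the one that produces text a PowerShell parser would recognise, not merely text that is printable.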
9 Persistence Mechanisms
- HKCU\Run\OneDriveUpdateHelper → forex.ps1 (Scheme A)
- HKCU\Run\WindowsUpdateHelper → forex.ps1 (Scheme B)
- HKCU\Run\SystemUpdate → sysupdate.js
- Startup\Update.lnk → sysupdate.js
- Scheduled Task: "Windows Update Runtime Broker" (ONLOGON, HIGHEST)
- HKCU\Run\OneDrive Sync → mshta.exe OneDriveSync.hta
- %APPDATA%\Microsoft\Windows\System32\OneDriveSync.hta
- HKCU\Run\WindowsUpdate → powershell.exe update.ps1
- Startup\Windows Defender.lnk → powershell.exe update.ps1
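Every mechanism in that list follows one pattern: a value name borrowed from a Microsoft component, pointing a script host at a file under a user-writable path. The block below is an added example (not BGI tooling) of a triage scorer for exported autorun entries that encodes exactly that pattern while leaving genuine per-user software alone. The entries in SAMPLE_ENTRIES are constructed from the value names and file names above; the full command lines, the wscript invocation for sysupdate.js, and the two benign entries are assumed for the demo.

```python
"""Score autorun entries for the masquerading pattern in the persistence list.

Added example for this write-up, not BGI's own tooling. SAMPLE_ENTRIES is
constructed from the value names and file names in the report; command
lines, the wscript invocation and the benign entries are assumed. A real run
would feed exported Run-key values, Startup shortcuts and task actions.
"""
import re

# (location, value name, command line) -- constructed for the demo.
SAMPLE_ENTRIES = [
    ("HKCU\\Run", "OneDriveUpdateHelper", "powershell.exe -File %APPDATA%\\forex.ps1"),
    ("HKCU\\Run", "OneDrive Sync",
     "mshta.exe %APPDATA%\\Microsoft\\Windows\\System32\\OneDriveSync.hta"),
    ("HKCU\\Run", "WindowsUpdate", "powershell.exe -File %APPDATA%\\update.ps1"),
    ("Startup", "Windows Defender.lnk", "powershell.exe -File %APPDATA%\\update.ps1"),
    ("Scheduled Task", "Windows Update Runtime Broker", "wscript.exe %APPDATA%\\sysupdate.js"),
    # Benign controls: real OneDrive lives under AppData\Local, so a path rule alone would flag it.
    ("HKCU\\Run", "OneDrive",
     "\"C:\\Users\\analyst\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"),
    ("HKCU\\Run", "SecurityHealth", "C:\\Windows\\System32\\SecurityHealthSystray.exe"),
]

SCRIPT_HOST = re.compile(r"\b(powershell|pwsh|mshta|wscript|cscript|rundll32|regsvr32)(\.exe)?\b", re.I)
SCRIPT_EXT = re.compile(r"\.(ps1|hta|js|vbs|vbe|wsf|bat|cmd)\b", re.I)
USER_WRITABLE = re.compile(r"%(appdata|localappdata|temp|tmp|userprofile)%|\\appdata\\|\\programdata\\|\\public\\", re.I)
REAL_SYSTEM32 = re.compile(r"[a-z]:\\windows\\system32\\", re.I)
MIMIC_NAME = re.compile(r"onedrive|windows ?update|runtime ?broker|defender|system ?update|security ?health|microsoft", re.I)


def score_entry(location: str, name: str, command: str):
    """Return (score, reasons). Each rule is independent; the sum is compared to a threshold."""
    score, reasons = 0, []
    if SCRIPT_HOST.search(command):
        score += 2
        reasons.append("script host as autorun target")
    if SCRIPT_EXT.search(command):
        score += 1
        reasons.append("script file argument")
    if USER_WRITABLE.search(command):
        score += 1
        reasons.append("user-writable path")
    if "system32" in command.lower() and not REAL_SYSTEM32.search(command):
        score += 2
        reasons.append("System32 directory outside the Windows folder")
    if MIMIC_NAME.search(name):
        score += 1
        reasons.append("name mimics a Windows component")
    return score, reasons


def triage(entries, threshold: int = 3):
    """Names of entries scoring at or above the threshold, in input order."""
    return [name for loc, name, cmd in entries if score_entry(loc, name, cmd)[0] >= threshold]


if __name__ == "__main__":
    for loc, name, cmd in SAMPLE_ENTRIES:
        s, why = score_entry(loc, name, cmd)
        print(f"[{s}] {loc} \\ {name}: {'; '.join(why) or 'no indicators'}")
```

The two benign controls show why the rules are additive: the real OneDrive entry earns points for its name and its AppData path but never reaches the threshold, because it launches its own executable rather than a script host, and SecurityHealthSystray.exe sits under the genuine Windows\System32 so the masquerade rule stays silent.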
Operator Profile Update
| Attribute | Value |
|---|---|
| Alias | evilgrou-tech (GitHub), @evilgrou (Telegram) |
| Attribution | WaterHydra/DarkCasino APT (high confidence) |
| Origin | Russia (confirmed: "russia978" hostname, UTC+3 timezone, Russian code comments) |
| Timezone | UTC+3 / Moscow Standard Time (132/132 commits) |
| Work Pattern | Dead 01:00-06:00 MSK, peak 10:00-16:00 MSK, weekday-heavy |
| Active Days | 33 (Jan 31 – Mar 5, 2026) |
| Web Footprint | Zero across 40+ platforms (disciplined personal OPSEC) |
| Targeting | Dual: forex traders (Office04) + cryptocurrency users (Pumpfun) |
| RAT Families | QuasarRAT v1.4.1, QuasarRAT v1.8.8 Sentinel, DarkMe VB6 |
| Distribution | GitHub repos (drive, drivers, grovi) + Amadey BaaS (fbf543) |
| Infrastructure | 5 C2 IPs, 8 historical domains, ThinkHuge /21 + PFCLOUD /24 |
Bonus Finding: XWorm in the Amadey Pipeline
Four XWorm samples were observed in the Amadey fbf543 distribution pipeline alongside evilgrou-tech's payloads. The samples use ConfuserEx-style obfuscation with encrypted string storage — standard AES-ECB/MD5 decryption failed, indicating a custom or modified packer. These are commodity RATs purchased through Amadey's Pay-Per-Install model, not custom evilgrou-tech tooling — but their presence in the same distribution channel confirms the Amadey partnership services multiple customers simultaneously.
XWorm C2 addresses observed in the same timeframe:
- 172.94.15[.]100:6070
- 198.23.177[.]219:4445
- 94.154.32[.]18:8383
- 212.28.188[.]80:9090
- 137.220.176[.]132 (laohen29.myvnc[.]com)
IOC Summary
evilgrou-tech Sentinel Infrastructure
| Type | Value |
|---|---|
| IP | 192.109.200[.]147 (PFCLOUD, Sentinel C2) |
| IP | 91.124.98[.]29 (ThinkHuge, QuasarRAT v1.4.1 primary) |
| IP | 38.57.44[.]173 (ThinkHuge, DarkMe + QuasarRAT) |
| IP | 38.57.40[.]95 (ThinkHuge, Flask debug C2) |
| IP | 45.94.31[.]53 (PrefixBroker, DarkMe legacy) |
| Domain | russia978.sytes[.]net (No-IP DDNS, legacy) |
| Domain | mastrrokiakivasai[.]com (still resolving, 2023 DarkMe C2) |
| SHA256 | a342889b6129444756d089aacbd647b1fcb0273ed5894885e1641038a001a2d7 (Sentinel) |
| SHA256 | 5dfb9954260d3b53adda4f22187442bfc437530c8fa96496e4539284e26228d3 (Fresh DarkMe, not on MalwareBazaar) |
| Mutex | 95e56cb6-e641-4ffa-b96a-3e896483c37f (Sentinel) |
PFCLOUD Nexus
| Type | Value |
|---|---|
| IP | 192.109.200[.]130 (CountLoader C2, ccleaner[.]gl) |
| IP | 158.94.211[.]222 (Amadey staging, AS202412 OMEGATECH) |
| Domain | ccleaner[.]gl (CountLoader fake CCleaner) |
| Domain | burning-edge[.]sbs (CountLoader secondary) |
| Domain | labinstalls[.]info (Amadey panel) |
| ASN | AS51396 (PFCLOUD UG) |
| ASN | AS202412 (OMEGATECH, Amadey) |
XWorm (Amadey-distributed)
| Type | Value |
|---|---|
| IP | 172.94.15[.]100:6070 |
| IP | 198.23.177[.]219:4445 |
| IP | 94.154.32[.]18:8383 |
| IP | 212.28.188[.]80:9090 |
| Domain | laohen29.myvnc[.]com (137.220.176[.]132) |
MITRE ATT&CK
- T1219 — Remote Access Software (AnyDesk management plane)
- T1059.001 — PowerShell (sentinel.ps1, forex.ps1, update.ps1)
- T1059.005 — Visual Basic (DarkMe VB6)
- T1059.007 — JavaScript (sysupdate.js)
- T1218.005 — Mshta (OneDriveSync.hta, COM scriptlet)
- T1547.001 — Registry Run Keys (9 persistence mechanisms)
- T1053.005 — Scheduled Task
- T1140 — Deobfuscate/Decode (8 crypto schemes, 2-layer AES nesting)
- T1573.001 — Encrypted Channel: Symmetric (AES-256-CBC C2)
- T1573.002 — Encrypted Channel: Asymmetric (8192-bit RSA)
- T1056.001 — Keylogging (Gma.System.MouseKeyHook)
- T1021.005 — VNC (Hidden VNC module)
- T1555.003 — Credentials from Web Browsers
- T1567 — Exfiltration Over Web Service (GitHub payload hosting)
- T1583.003 — Virtual Private Server (PFCLOUD, ThinkHuge, OMEGATECH)
- T1588.004 — Digital Certificates (fake Microsoft Publisher certs)
This investigation builds on three prior BGI reports: WaterHydra Attribution, QuasarRAT Fake Client, and Multi-RAT Infrastructure Mapping. Explore all geolocated IOCs on the BGI Pew Pew Map.
— Breakglass Intelligence