Severity: high | Category: IoT
Investigated: February 26, 2026 | Published: February 26, 2026

Three IPs, Three Threat Actors: Forensic Dissection of a FortiGate Mass Exploitation Campaign, a Remcos RAT Deployment, and an Exposed Honeypot Research Server

Tags: #iot-vuln #social-engineering #credential-theft #c2 #botnet #exploit #iot #apt

TL;DR

A single night of passive reconnaissance against three flagged IPs uncovered a Russian-speaking APT group running an unauthenticated operations dashboard tracking 3,233 FortiGate targets (28 confirmed compromises including the Thai Royal Navy), a Colombian actor deploying Remcos RAT v7.2.0 through multi-stage SOSTENER dropper scripts with process hollowing, and a misconfigured security researcher's honeypot leaking 35,615 captures and a live ARM32 Mirai-variant binary. All infrastructure was live and unauthenticated at time of analysis on February 26, 2026.


1. Investigation Scope

On February 26, 2026, we conducted passive forensic analysis against three IPs flagged during routine IoT vulnerability monitoring. What we found spans the full spectrum of offensive operations: nation-state-adjacent mass exploitation, commodity RAT deployment, and accidental research exposure.

| IP | Classification | Threat Level | Actor Profile |
|---|---|---|---|
| 212.11.64.250 | FortiGate mass exploitation campaign | CRITICAL | Russian-speaking APT, bulletproof hosting |
| 186.169.75.221 | Remcos RAT C2 + malware distribution | HIGH | Colombian individual (TELLEZ FABIAN) |
| 46.62.221.89 | Misconfigured honeypot/research server | INFORMATIONAL | Security researcher (sidebrain-dev) |

2. The FortiGate Campaign: 3,233 Targets, Zero Authentication

2.1 Infrastructure

212.11.64.250 hosts three services -- all unauthenticated, all publicly accessible:

| Port | Service | Function |
|---|---|---|
| 8889 | Werkzeug/3.1.3 Python/3.13.9 | "PWNED Targets Dashboard v2" -- full operations management |
| 8888 | Werkzeug/3.1.3 Python/3.13.9 | "HexStrike AI Tools API Server v6.0.0" -- automated offensive toolkit |
| 8443 | Go HTTP 1.9.1 | C2/proxy relay (/health, /version only) |

The server sits on AS42624 (Global-Data System IT Corporation), a Seychelles-registered shell company with Swiss IP allocations and UK phone numbers. The /24 block was allocated April 2025. Classic bulletproof hosting indicators: offshore shell, recent allocation, randomized VPS hostname (VPS-VcZzSLKZ), no TLS on any port.

2.2 Operational Scale

The PWNED Targets Dashboard exposes the complete operational picture in Russian:

| Metric | Value |
|---|---|
| FortiGate targets tracked | 3,233 |
| Countries affected | 205+ |
| Fully compromised (domain admin) | 11 |
| Admin-level access | 17 |
| Stolen credentials | 191 |
| Internal hosts discovered | 16,182 |
| HexStrike commands executed | 57,742 (24.2% success rate) |
| Network data transferred | 74.1 GB in / 24.3 GB out |
| Server uptime | ~10 days |

The dashboard is a Russian-language Flask app with auto-refresh, country filtering, per-target modals showing internal network maps, domain controllers, stolen credentials, and openconnect VPN instructions. API endpoints /api/pwned_targets, /api/stats, and /api/countries return everything with Access-Control-Allow-Origin: *.

Dashboard categories use Russian operational slang:

  • RABOTKA ("working on it") -- 7 targets
  • RESCAN -- 4 targets
  • PROBLEMATIC_ACCESS -- 14 targets
  • LOOT -- 1 target

2.3 Attack Chain

PHASE 1: Mass scan FortiGate firewalls (likely CVE-2022-42475 / CVE-2023-27997 / CVE-2024-21762)
    |
    v
PHASE 2: Extract + decrypt FortiGate admin/VPN credentials from config files
    |
    v
PHASE 3: VPN tunnel → internal network recon (nmap, masscan, enum4linux, SMB/SNMP/WMI enum)
    |
    v
PHASE 4: Lateral movement via EternalBlue (46 instances), SMBGhost (40), PrintNightmare (11)
    |
    v
PHASE 5: Credential spray with decrypted FortiGate passwords → domain admin → full compromise

2.4 High-Value Compromises

Eleven organizations are fully compromised with domain admin credentials. Notable entries:

| Target | Country | Domain | Credential | Internal Hosts |
|---|---|---|---|---|
| Thai Royal Navy | TH | navy.mi.th | admin / Admin@inext! | 214 |
| IRESSEF (research institute) | SN | iressef.org | fortigate / L@tDior2021 | 201 |
| Ageroute (govt road agency) | ML | ageroute.local | admin / Adminaddns0126154 (credential and host count fused in source) | -- |
| SC Palmeiras (football club) | BR | scpalmeiras.sp | admin / @Firewall2026! | 539 |
| Giunti Psychometrics | IT | giuntipsy.local | - | 1,893 |
| Claroid Pharma (4 networks) | IN | claroidpharma.com | it / p@ss8980 | 1,716 |

The Claroid Pharma group is particularly instructive: a single password (p@ss8980 / P@ss8980) was reused across four separate networks (Claroid, Indigo, Atlas, second Claroid site), giving the attacker domain admin across 1,716 internal hosts from one credential.

2.5 HexStrike Toolkit

The HexStrike AI Tools API Server (v6.0.0) provides 75 offensive tools via a Python/Werkzeug REST API. Operational tempo: ~5,774 commands/day, ~240/hour. Key tools installed: nmap, masscan, Metasploit, Hydra, SQLmap, NetExec, evil-winrm, Responder, Nuclei. The server has processed 256M packets inbound and 55M outbound in 10 days.

2.6 MITRE ATT&CK Coverage

| Technique | ID | Implementation |
|---|---|---|
| Exploit Public-Facing Application | T1190 | FortiGate CVE exploitation |
| Valid Accounts | T1078 | Decrypted FortiGate credentials reused on domain |
| Remote Services: SMB | T1021.002 | NetExec credential spraying |
| Exploitation of Remote Services | T1210 | EternalBlue, SMBGhost, PrintNightmare |
| Network Service Discovery | T1046 | nmap/masscan internal scanning |
| System Network Configuration Discovery | T1016 | SNMP/WMI enumeration |
| Domain Trust Discovery | T1482 | Domain controller identification |

3. SOSTENER: A Colombian Remcos RAT Operation

3.1 Infrastructure

186.169.75.221 runs Apache/2.4.58 (Win64) with XAMPP on Telefonica Colombia (AS14080, Bogota). Directory listing is enabled at root, serving malware to anyone who visits. The operator didn't even disable the default XAMPP self-signed cert (expired 2019).

| Port | Service |
|---|---|
| 80 | Apache/XAMPP -- malware hosting, directory listing enabled |
| 443 | HTTPS -- expired self-signed CN=localhost |
| 3306 | MySQL -- open, no banner |
| 5000 | Remcos C2 (TLS 1.3) -- self-signed ECDSA, epoch-zero validity (1970-2090) |
| 8443 | HTTP/2 -- "Method Not Allowed" |

3.2 Kill Chain

Four files hosted at http://186.169.75.221/:

| File | Size | SHA256 |
|---|---|---|
| SOSTENER.bat | 7,190 B | dbbe57125f33467c8ead5285622b4336bddc19c54bc14324ab9b15e937c6f357 |
| SOSTENER.vbs | 16,181 B | 9f2f363bcbb2c4830150bc23cb79a2f7000325636b4714ecc2e568eaf48a90f7 |
| SOSTENER.js | 34,419 B | 34c8bb04d2cc46bb1d88dc701487801546392fbc9c37908fd09d8ca6cb426c4c |
| a.exe | 528,384 B | 4f0c95a1885411100649bf8150c2f189dc0941ac569b801b3765d1ca64b760dc |

"SOSTENER" is Spanish for "to sustain" -- consistent with the Colombian origin. All three scripts deliver identical decoded PowerShell through different scripting engines:

STAGE 0: Victim downloads SOSTENER.bat/.vbs/.js (email, Discord, social engineering)
    |
STAGE 1: Script deobfuscation (GOTO spaghetti / junk code / delimiter concat)
         All use f# → r character substitution on base64, UTF-16LE decode
    |
STAGE 2: PowerShell → compile C# DomainLoader in memory → download .NET PE from:
         - https://pastefy.app/sLC7Jpkp/raw  (LIVE at analysis time)
         - https://yaso.su/raw/UpxC8OJX      (403 - taken down)
    |
STAGE 3: .NET process hollowing loader (myprogram.dll, 50,688 bytes)
         PDB: C:\Users\Administrator\source\repos\testpowershell\...\myprogram.pdb
         Kills RegAsm.exe, Vbc.exe, MsBuild.exe
         RunPE: ZwUnmapViewOfSection → VirtualAllocEx → WriteProcessMemory
    |
STAGE 4: Remcos RAT v7.2.0 injected into MSBuild.exe (x86 LOLBin)
         C2: oficialrem.duckdns.org:5000 (TLS)

3.3 Obfuscation Per Script Variant

.bat -- GOTO spaghetti with random labels, base64 split across 55+ SET variables, hidden PowerShell execution.

.vbs -- Hundreds of junk Dim/Const/TimeSerial declarations, Ugfdfging() string accumulator, nAcmafbp(N) random-loop Chr() generator, anti-sandbox checks (MAA1, CAV, LNP2, -PC in ComputerName).

.js -- coirkckkcfekpo junk delimiter injected between fragments, 627 += operations building eiIafodS, WMI Win32_Process.Create() with hidden window.

All three produce identical 1,278-character PowerShell:

Start-Sleep -Seconds 3
[Net.SecurityProtocolType]::Tls12
# Add-Type compiles C# DomainLoader in memory
# Downloads from paste sites with randomized URL order
# Extracts between <<BASE64_START>> and <<BASE64_END>> markers
# Calls myprogram.Homees.runss() with reversed GitLab URL
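As an added analyst-side example (not code from the report, the droppers or the loader), the decoding steps described above run in reverse on a blob constructed for the example: strip the .js junk delimiter, undo the f# → r substitution, base64- and UTF-16LE-decode, and lift the payload out from between the <<BASE64_START>>/<<BASE64_END>> markers. The obfuscate_like_sostener helper and the SAMPLE_PASTE text exist only to build test input; nothing here is a real campaign blob.

```python
import base64
import re
from typing import Optional

# Junk delimiter the .js variant injects between fragments (from section 3.3).
JS_DELIMITER = "coirkckkcfekpo"
MARKER_RE = re.compile(r"<<BASE64_START>>(.*?)<<BASE64_END>>", re.S)


def obfuscate_like_sostener(script: str, fragment_len: int = 12) -> str:
    """Build sample input the way the report describes the encoding, run forwards:
    UTF-16LE -> base64 -> every 'r' replaced by 'f#' -> fragments joined with the junk
    delimiter. Exists only to construct test data for this example."""
    b64 = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    swapped = b64.replace("r", "f#")
    frags = [swapped[i:i + fragment_len] for i in range(0, len(swapped), fragment_len)]
    return JS_DELIMITER.join(frags)


def deobfuscate_sostener(blob: str) -> str:
    """Reverse the SOSTENER encoding: drop the delimiter, undo 'f#' -> 'r',
    then base64- and UTF-16LE-decode. The delimiter must go first, because a
    fragment boundary can fall between the 'f' and the '#'."""
    cleaned = blob.replace(JS_DELIMITER, "").replace("f#", "r")
    # The .bat/.vbs variants spread the blob over SET variables and Chr() loops; once
    # concatenated, anything that is not a base64 character is leftover noise.
    cleaned = re.sub(r"[^A-Za-z0-9+/=]", "", cleaned)
    raw = base64.b64decode(cleaned, validate=True)
    return raw.decode("utf-16-le")


def extract_marked_payload(page_text: str) -> Optional[str]:
    """Pull the stage-2 payload from a downloaded paste, between the report's markers."""
    m = MARKER_RE.search(page_text)
    return m.group(1).strip() if m else None


# Constructed sample: the benign first two lines of the decoded PowerShell quoted in the
# report, wrapped in the paste markers. Not a real blob from the campaign.
SAMPLE_SCRIPT = "Start-Sleep -Seconds 3\n[Net.SecurityProtocolType]::Tls12"
SAMPLE_PASTE = ("junk header\n<<BASE64_START>>\n"
                + obfuscate_like_sostener(SAMPLE_SCRIPT)
                + "\n<<BASE64_END>>\ntrailer")


def triage_sample(page_text: str = SAMPLE_PASTE) -> str:
    """Locate the marked blob in a paste and return the recovered PowerShell."""
    blob = extract_marked_payload(page_text)
    if blob is None:
        raise ValueError("no <<BASE64_START>>/<<BASE64_END>> markers found")
    return deobfuscate_sostener(blob)


if __name__ == "__main__":
    print(triage_sample())
```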

3.4 Remcos RAT v7.2.0 Configuration

Extracted from RC4-encrypted SETTINGS resource in a.exe:

C2 Server:      oficialrem.duckdns.org:5000 (TLS)
Mutex:          Rmc-VMJ5WS
Window Class:   RemcosMsgWindowClass
Install Name:   remcos.exe
Keylog File:    logs.dat
Screenshot Dir: Screenshots
Audio Dir:      MicRecords
License GUID:   6F0955F0A20D4EC3E42DC7A8302EFBDB
Geoloc API Key: QPVvv1rHQJD2pd2

Capabilities: keylogging, screen/webcam/audio capture, clipboard monitoring, credential theft (Chrome/Firefox/Brave/IE/FoxMail), remote shell, file manager, process injection (svchost/explorer/userinit/werfault), UAC bypass (CMSTPLUA COM + EnableLUA registry), self-restarting watchdog.

3.5 Attribution: TELLEZ FABIAN

The operator's OPSEC is catastrophic:

  1. GitLab profile uses real name: TELLEZ FABIAN (user SUDO_MOM2025, ID 34931303)
  2. Repository sudohodl created the same day as malware upload (2026-02-26 13:44 UTC)
  3. PDB path reveals C:\Users\Administrator\source\repos\ on development machine
  4. Assembly metadata contains unique typo: "Myrpgoram"
  5. C2 domain literally contains "remcos" in the name (oficialrem.duckdns.org)
  6. Directory listing enabled, exposing all hosted malware
  7. MySQL port 3306 open to the internet
  8. All staging URLs still live at time of analysis

Skill level: intermediate. Uses pre-built tools (commercial Remcos license), custom .NET loader with process hollowing, multi-platform script delivery, paste site staging. No operational security whatsoever.


4. The Exposed Honeypot: sidebrain-dev's Research Server

4.1 The Misconfiguration

46.62.221.89 is a Hetzner Cloud server in Helsinki (AS24940) running a legitimate security research operation with a critical mistake: port 8888 serves python -m http.server over the entire working directory with no authentication, exposing 36,517 files.

| Port | Service | Assessment |
|---|---|---|
| 22 | SSH | Honeypot ingress |
| 443 | HTTPS | Self-signed cert: CN=atlas.local, O=Volvo CE IR, L=Gothenburg, C=SE |
| 5555 | Unknown | No banner -- possibly ADB or custom protocol |
| 8080 | Apache/2.4.41 | "Server Admin Panel" login form -- likely another honeypot |
| 8888 | Python SimpleHTTP/0.6 | Wide open directory listing of research workspace |

4.2 What's Exposed

35,615 honeypot captures from 5,002 unique attacker IPs, each containing agent_results.json and reputation_score.json. The analysis pipeline uses AbuseIPDB, Ollama (local LLM), and Claude/Codex for AI-powered infrastructure intelligence.

Top attacker by capture count: 46.151.182.35 with 3,482 captures.

An APT-grade Go malware binary (go_sample.elf, 2.8 MB ARM32 ELF) is downloadable by anyone:

| Property | Value |
|---|---|
| SHA256 | 9b53b1602ab093243bbbbcb4158736d53bd63daa5b6d141a3a12b17eb8e4de7f |
| Classification | Multi-platform dropper, Mirai variant |
| C2 | 115.11.111.11:9999 |
| Embedded | 47 MZ headers (Windows PE) + 68 PK headers (ZIP archives) |
| Protection | 4-layer: custom packer, VM detection, self-destruct (NULL deref), ptrace anti-debug |

The research files also include reverse-engineered C2 protocol details, Frida bypass scripts (bypass_ptrace.js), and LD_PRELOAD libraries for VM detection evasion (fake_baremetal.c). This is useful intelligence for defenders -- but also a gift to botnet operators looking to harden their infrastructure.

Operator identity confirmed via dashboard.log auto-pushes to github.com:sidebrain-dev/neurawl-site.git and TLS cert organization "Volvo CE IR" (Gothenburg, Sweden).

4.3 Assessment

This is not malicious infrastructure. It is a well-instrumented honeypot research platform with an accidental exposure. The risk is that the exposed malware samples, C2 protocol details, and bypass techniques are freely downloadable by anyone -- including the threat actors being studied.


5. Cross-Investigation Correlations

XAMPP Stack Overlap

Both 186.169.75.221 (Remcos) and the pinkiecraft.com distribution site (from the related SILENT RAT investigation) run identical Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12 XAMPP stacks. While XAMPP is widely used, the version-exact match in the same operational timeframe is worth tracking for future correlation.

FortiGate Campaign and SILENT RAT: Distinct Threat Models

The FortiGate campaign (212.11.64.250) targets enterprise perimeter appliances with custom tooling and a Russian-language operations dashboard. The SILENT RAT (pinkiecraft.com / network-sync-protocol.net) targets gamers with a French-developed MaaS infostealer sold on weekly subscriptions. Different actors, different TTPs, different target demographics -- but both were active and exposed simultaneously on February 26, 2026.

Shared Pattern: Zero Authentication

All three IPs expose sensitive services without authentication. The FortiGate dashboard runs wide open on port 8889. The Remcos server has directory listing enabled. The honeypot serves its research directory via SimpleHTTP. Operational security remains the weakest link across the entire threat spectrum.


6. Detection Opportunities

YARA Rules

```yara
rule SOSTENER_Dropper_Family {
    meta:
        author      = "breakglass.intelligence"
        date        = "2026-02-26"
        description = "SOSTENER multi-format dropper for Remcos RAT"
        severity    = "HIGH"
    strings:
        $delim    = "coirkckkcfekpo"
        $deobf    = "f#"
        $marker1  = "<<BASE64_START>>"
        $marker2  = "<<BASE64_END>>"
        $class    = "myprogram.Homees"
        $method   = "runss"
        $sandbox1 = "MAA1"
        $sandbox2 = "LNP2"
        $func_vbs = "Ugfdfging"
        $var_js   = "eiIafodS"
    condition:
        3 of them
}

rule Remcos_RAT_v72_oficialrem {
    meta:
        author      = "breakglass.intelligence"
        date        = "2026-02-26"
        description = "Remcos RAT v7.2.0 tied to oficialrem C2 infrastructure"
    strings:
        $mutex   = "Rmc-VMJ5WS"
        $c2      = "oficialrem"
        $class   = "RemcosMsgWindowClass"
        $license = "6F0955F0A20D4EC3E42DC7A8302EFBDB"
        $apikey  = "QPVvv1rHQJD2pd2"
    condition:
        2 of them
}

rule PWNED_Dashboard_v2 {
    meta:
        author      = "breakglass.intelligence"
        date        = "2026-02-26"
        description = "PWNED Targets Dashboard v2 - FortiGate exploitation campaign"
    strings:
        $title    = "PWNED TARGETS DASHBOARD"
        $api1     = "/api/pwned_targets"
        $api2     = "/api/stats"
        $russian  = "skompromentirovannymi"
        $hexstrike = "HexStrike AI Tools"
    condition:
        2 of them
}
```

Snort/Suricata Rules

```snort
# FortiGate campaign C2
alert tcp any any -> 212.11.64.0/24 any (msg:"PWNED Dashboard FortiGate Campaign C2"; sid:3000001; rev:1;)

# Remcos RAT C2
alert tcp any any -> any 5000 (msg:"Remcos RAT C2 - oficialrem.duckdns.org"; content:"oficialrem"; sid:3000002; rev:1;)

# SOSTENER loader markers
alert http any any -> any any (msg:"SOSTENER Loader BASE64 Markers"; content:"<<BASE64_START>>"; content:"<<BASE64_END>>"; sid:3000003; rev:1;)

# Mirai variant C2
alert tcp any any -> 115.11.111.11 9999 (msg:"Mirai Variant C2 Communication"; sid:3000004; rev:1;)
```

7. Indicators of Compromise

Network Indicators

FortiGate Campaign (212.11.64.250)

| Type | Value | Context |
|---|---|---|
| IP | 212.11.64.250 | Operations server (dashboard + HexStrike + Go proxy) |
| ASN | AS42624 | Global-Data System IT Corp (Seychelles shell) |
| IP Range | 212.11.64.0/24 | Full allocation, should be blocked |
| PTR | VPS-VcZzSLKZ | Randomized VPS hostname |

28 Compromised FortiGate IPs:


Remcos RAT (186.169.75.221)

| Type | Value | Context |
|---|---|---|
| IP | 186.169.75.221 | Malware hosting + Remcos C2 |
| Domain | oficialrem.duckdns.org | Remcos C2 (resolves to 186.169.75.221) |
| URL | https://pastefy.app/sLC7Jpkp/raw | Stage 2 .NET loader hosting |
| URL | https://yaso.su/raw/UpxC8OJX | Stage 2 mirror (403) |
| URL | https://gitlab.com/SUDO_MOM2025/sudohodl/-/raw/main/hold.txt | Stage 3 payload |
| URL | https://pro.ip-api.com/line/?key=QPVvv1rHQJD2pd2&fields=25948155 | Victim geolocation |

Exposed Honeypot (46.62.221.89)

| Type | Value | Context |
|---|---|---|
| IP | 46.62.221.89 | Misconfigured research server |
| C2 (from RE) | 115.11.111.11:9999 | Mirai variant C2 extracted during analysis |
| GitHub | sidebrain-dev/neurawl-site | Operator identity |

File Hashes

| File | SHA256 | MD5 |
|---|---|---|
| SOSTENER.bat | dbbe57125f33467c8ead5285622b4336bddc19c54bc14324ab9b15e937c6f357 | 11d28c6a9f2ee7cc6ce1528af48d0664 |
| SOSTENER.js | 34c8bb04d2cc46bb1d88dc701487801546392fbc9c37908fd09d8ca6cb426c4c | d4ee87e780ce7e6e5d536377be12c810 |
| SOSTENER.vbs | 9f2f363bcbb2c4830150bc23cb79a2f7000325636b4714ecc2e568eaf48a90f7 | 1444d015697a2651e4f9285f5dec05d2 |
| a.exe (Remcos v7.2.0) | 4f0c95a1885411100649bf8150c2f189dc0941ac569b801b3765d1ca64b760dc | 7998aa5ec5515ae80a5fcb6f246e6bef |
| .NET Loader (Stage 2) | bd6b60ce34d8fa3f2b9d032b49aac5b47f868b09ab24ccbd9c7168e5bfc8e963 | 13743b70ab1afec1d36b6b3d929cd44c |
| Stage 3 Payload | 326d1f8770468aa80b810b6483f18f18afd3e5f9e763b05b092901d12d7f6cdb | a15a183240d91df08acf9ad148ccd473 |
| go_sample.elf (Mirai) | 9b53b1602ab093243bbbbcb4158736d53bd63daa5b6d141a3a12b17eb8e4de7f | -- |

Host-Based Indicators (Remcos)

| Type | Value |
|---|---|
| Mutex | Rmc-VMJ5WS |
| Window Class | RemcosMsgWindowClass |
| Install Path | remcos.exe |
| Keylog File | logs.dat |
| PDB Path | C:\Users\Administrator\source\repos\testpowershell\testpowershell\obj\Debug\myprogram.pdb |
| Assembly GUID | e298ec96-29bc-469d-8027-4b8f685b3955 |
| Registry | HKCU\...\Run, HKLM\...\Run, RunOnce, RunOnceEx, Winlogon Shell/Userinit |

Attribution Indicators

| Type | Value | Actor |
|---|---|---|
| GitLab User | SUDO_MOM2025 (ID: 34931303) | TELLEZ FABIAN (Remcos) |
| Real Name | TELLEZ FABIAN | Remcos operator |
| Remcos License | 6F0955F0A20D4EC3E42DC7A8302EFBDB | Buyer-traceable GUID |
| ip-api Key | QPVvv1rHQJD2pd2 | Paid API account |
| Dashboard Language | Russian ("Управление скомпрометированными целями") | FortiGate campaign |
| Hosting | AS42624, Seychelles shell company | FortiGate campaign |
| GitHub | sidebrain-dev | Honeypot researcher |
| TLS Org | "Volvo CE IR", Gothenburg, Sweden | Honeypot researcher |

8. Forensic Timeline

| Timestamp (UTC) | Event |
|---|---|
| 2026-02-03 17:38 | Remcos RAT v7.2.0 (a.exe) compiled |
| ~2026-02-16 | FortiGate campaign server deployed (HexStrike uptime ~10 days) |
| 2026-02-17 13:06 | a.exe uploaded to 186.169.75.221 |
| 2026-02-26 08:57 | SOSTENER.bat and SOSTENER.vbs uploaded |
| 2026-02-26 08:58 | SOSTENER.js uploaded |
| 2026-02-26 13:44 | GitLab repo SUDO_MOM2025/sudohodl created (Stage 3 payload) |
| 2026-02-26 22:20 | Investigation begins -- 46.62.221.89 analyzed |
| 2026-02-26 22:30 | 186.169.75.221 analyzed -- all staging URLs LIVE |
| 2026-02-26 22:40 | 212.11.64.250 analyzed -- dashboard fully unauthenticated |
| 2026-02-26 23:00 | Investigation concludes -- all infrastructure still operational |

9. Recommended Actions

Immediate -- Victim Notification

The Thai Royal Navy (navy.mi.th), IRESSEF (iressef.org), Ageroute Mali, SC Palmeiras, and the Claroid Pharma group (4 networks in India) must be notified through their respective national CERTs. Military and government infrastructure is actively compromised.

Immediate -- Takedown

  • GitLab Trust & Safety: SUDO_MOM2025/sudohodl hosts live Remcos payload
  • Pastefy: Paste sLC7Jpkp hosts .NET loader
  • DuckDNS: Suspend oficialrem.duckdns.org
  • Telefonica Colombia: Active C2 on their residential IP space
  • RIPE NCC: Review AS42624 allocation to Global-Data System IT Corporation
  • Hetzner: Notify sidebrain-dev about exposed port 8888

Network Defense

```
# Block FortiGate campaign infrastructure
block 212.11.64.0/24

# Block Remcos infrastructure
block 186.169.75.221
block oficialrem.duckdns.org

# FortiGate-specific mitigations
# - Patch all FortiGate devices (CVE-2022-42475, CVE-2023-27997, CVE-2024-21762)
# - Rotate ALL FortiGate admin and VPN credentials
# - Disable FortiGate admin interface on WAN
# - Check configs for unauthorized admin accounts
# - Review logs for connections to/from 212.11.64.250
```

Analysis conducted February 26, 2026. All activities were passive analysis of publicly accessible, unauthenticated endpoints. No credentials were used and no authenticated access was attempted.

breakglass.intelligence // intel.breakglass.tech
