Twelve Samples, One Operation: Inside the HTA Crypto Stealer MaaS Platform
Published: 2026-03-14 | Author: BGI | Investigation Dates: 2026-03-10 through 2026-03-14
TL;DR
Twelve separate malware investigations -- each triggered independently by different samples submitted to our analysis pipeline -- converged on a single Malware-as-a-Service operation. All twelve use HTA files executed via mshta.exe to deploy a crypto wallet stealer targeting 78 browser extensions and 6 desktop wallets. The infrastructure spans five C2 domains, all registered through NICENIC International Group (Hong Kong) within a 90-day window, all fronted by Cloudflare DNS, and all running panel version v4.1.1 with distinct MaaS affiliate keys. The operator is Russian-speaking, avoids CIS targets via a Windows system language check, and routes victims through a tiered C2 architecture that separates corporate networks, hardware wallet users, and general crypto holders to different backend servers across Iran, Bulgaria, Moldova, and the United States. This is not twelve campaigns. It is one.
The Campaign: How Twelve Became One
Over the course of four days, our autonomous threat hunting infrastructure flagged twelve samples for investigation. Each arrived with a different name, a different submission context, and a different surface-level identity. One was labeled "BetaLoader." Another was "ExplorerPS." A third was "DeerStealer HTA v4.1.1." A fourth called itself "GlassWorm Stealer." The naming diversity suggested independent operations, distinct threat actors, separate campaigns.
That assessment lasted approximately forty minutes.
The first two investigations completed within minutes of each other and both flagged the domain communicationfirewall-security.cc as a command-and-control endpoint. By the time the third sample resolved to the same registrar, the same DNS infrastructure, and the same panel version string, we pivoted from individual analysis to cluster mapping. The remaining nine investigations confirmed what the first three suggested: every sample was a customer of the same MaaS platform, differentiated only by affiliate key and C2 routing preference.
The twelve samples and their affiliate identifiers:
| # | Investigation ID | Label | Affiliate Key | Primary C2 Domain |
|---|---|---|---|---|
| 1 | beta_dataset_sydney_4868-4a76c14f | MSHTA Crypto-Stealer / BetaLoader | TN2FOVFABMT0WCNHGYJR | communicationfirewall-security.cc |
| 2 | core_data_europe_6231-0ad8b2ce | ExplorerPS | MVPOW0B7KUPE6KB6CJ17 | Multi-C2 tiered routing |
| 3 | devops_audio_alpha_7570-26dddc0a | Win64/Coins (Convagent) | 4DKRXGCNTVKHOQXFDBOA | communicationfirewall-security.cc |
| 4 | family_journal_archive_2032-0435da3a | DeerStealer HTA v4.1.1 | MV6B2DKZRXWNP8U6VF0O | indeanapolice.cc |
| 5 | internal_config_secondary_4043-ff100a7e | Explorer Stealer v4.1.1 | (unique key) | explorer.vg |
| 6 | logs_newyork__70-d00607f4 | Lumma Stealer v4.1.1 | (unique key) | Multi-C2 (Iran/Bulgaria/US) |
| 7 | photos_release_v9-9-5e54ce0c | ExplorerStealer v4.1.1 | (unique key) | explorer.vg |
| 8 | production_report_backup_1031-98691728 | LoadJS Stealer | (unique key) | communicationfirewall-security.cc |
| 9 | summer_notes_new_195-15f2a002 | LummaC2 HTA Loader | (unique key) | indeanapolice.cc |
| 10 | template_sydney__96-fbfcbd84 | MaaS Panel Client | (unique key) | communicationfirewall-security.cc |
| 11 | x_journal_london_308-93c84af9 | HTA Crypto Stealer (CCleaner Lure) | (unique key) | ccleaner.gl |
| 12 | z_invoice_london_9789-989669d5 | GlassWorm Stealer | (unique key) | ccleaner.gl |
Twelve names. At least four confirmed affiliate keys. Five shared C2 domains. One platform.
How the Stealer Works: The Shared Attack Chain
Despite the cosmetic diversity in naming and branding, all twelve samples execute an identical attack chain. This is the hallmark of a MaaS builder -- the operator provides a turnkey kit, and affiliates configure their C2 preferences and branding while the underlying code remains constant.
Stage 1: HTA Delivery via mshta.exe
The initial access vector across all samples is an HTML Application file executed via mshta.exe, the Windows HTML Application Host. HTA files are distributed with deliberately misleading extensions -- .ini, .png, .jpg, .mp3, .xml, .docx, .dat, .mp4, .bak, .zip, and bare filenames with no extension at all. When a victim opens one, Windows routes execution through mshta.exe, which interprets the embedded JavaScript with full COM and ActiveX privileges. No UAC prompt. No sandbox. No mark-of-the-web intervention on most configurations.
Each HTA file contains a single <script type="text/javascript"> block spanning approximately 1,340 lines and weighing between 113 KB and 125 KB. The filenames follow a template engine pattern -- city names (NewYork, London, Sydney), business terminology (Invoice, Config, Dataset, Report), and generic personal references (Family, Photos, Journal) combined with random numbers:
Logs_NewYork__70.ini
DevOps_Audio_Alpha_7570.png
Z_Invoice_London_9789.zip
Photos_Release_v9.9.jpg
Internal_Config_Secondary_4043.jpeg
Template_Sydney__96
Beta_Dataset_Sydney_4868.bak
Family_Journal_Archive_2032.mp3
Production_Report_Backup_1031.xml
Core_Data_Europe_6231.docx
Summer_Notes_New_195.dat
X_Journal_London_308.mp4
This is a lure generation system. The MaaS panel likely lets affiliates select or randomize filename themes for their distribution campaigns.
Stage 2: XOR-Obfuscated String Table
The builder's signature is its string table. All 382 strings in every sample are stored as integer arrays and decoded at runtime through a XOR-based function. The XOR key is the only parameter that changes between builds. Despite the cosmetic differences -- different key values, different function names (getEventValue(), loadString(), checkError(), _paramsCount(), _factory(), _thread()) -- the decoded string table is functionally identical across all twelve samples. The same 382 strings appear in the same index positions. The builder randomizes the encoding but not the data.
Upon execution, the HTA immediately deletes itself from disk via Scripting.FileSystemObject.DeleteFile(), then validates its execution context and bypasses the Internet Explorer script execution limit by writing MaxScriptStatements = 0xFFFFFFFF to the registry. Anti-sandbox checks follow: the stealer exits silently if the hostname contains AZURE-PC or the username matches Bruno, SYSTEM, or the Cyrillic SISTEMA (Russian for "system").
Stage 3: Victim Profiling and Three-Tier Routing
This is where the platform reveals its operational sophistication. Before exfiltrating any data, the stealer profiles the victim machine through WMI queries and routes it to the appropriate C2 tier based on what it finds:
Corporate/enterprise victims -- machines that return true for Win32_ComputerSystem.PartOfDomain -- are redirected to communicationfirewall-security[.]cc. The logic is explicit: domain-joined hosts represent higher-value targets with potential access to enterprise crypto custody operations, corporate wallets, or sensitive financial infrastructure.
Hardware wallet users -- machines where Ledger Live is detected across any of seven standard installation paths, or where Trezor Suite, Exodus, Atomic, Guarda, KeepKey, or BitBox02 directories exist under %APPDATA% -- are redirected to favourite-guide[.]cc. Hardware wallet holders represent the highest individual-value targets, as their wallets typically hold larger cryptocurrency balances.
General crypto users -- everyone else, meaning users with browser extension wallets but no hardware wallet presence -- go to the affiliate's assigned primary C2: indeanapolice[.]cc, ccleaner[.]gl, explorer[.]vg, or communicationfirewall-security[.]cc depending on their tier.
The enterprise and hardware wallet C2 domains are shared across all samples regardless of the affiliate, while the "general population" C2 is affiliate-specific. This tells us something critical about the platform architecture: the MaaS operator keeps the high-value victims for themselves (or routes them to a premium processing pipeline), while affiliates handle the commodity theft.
Stage 4: Wallet Extension Harvesting
The stealer scans for 78 cryptocurrency wallet browser extensions across 66+ Chromium and Gecko-based browsers. The extension ID list is hardcoded and identical across all twelve samples. Major targets include MetaMask, Phantom, Trust Wallet, Coinbase Wallet, Rabby, Keplr, OKX Wallet, Brave Wallet, TronLink, Yoroi, Temple, Solflare, Eternl, and dozens more -- spanning every major blockchain ecosystem from Ethereum and Solana to Cosmos, Cardano, Tezos, Polkadot, Aptos, StarkNet, and NEAR.
Additionally, six desktop wallet applications are targeted for credential and data theft:
| Desktop Wallet | Paths Checked | Data Targeted |
|---|---|---|
| Ledger Live | 7 paths across %ProgramFiles%, %APPDATA%, %LOCALAPPDATA%, %ProgramData% | Account data, device pairing, transaction history |
| Trezor Suite | %APPDATA%@trezor | Wallet files, account metadata |
| Exodus | %APPDATA%\Exodus | Wallet seed data, transaction logs |
| Atomic Wallet | %APPDATA%\atomic | Local Storage leveldb |
| Electrum | Standard Electrum paths | Wallet files |
| Bitcoin Core | Standard Bitcoin paths | wallet.dat |
The browser scan is equally comprehensive, covering Chrome (all channels including Beta, Canary, Dev), Edge (all channels), Opera (including GX, Crypto, and Gaming editions), Brave, Vivaldi, Yandex, Arc, CocCoc, Baidu, Whale, Falkon, QQBrowser, and dozens of niche browsers.
Stage 5: Persistence via Windows Task Scheduler
All samples install persistence via the Schedule.Service COM object with identical parameters: a scheduled task set to execute every 30 minutes (PT30M) with an expiration window of 760 days (P760D) -- approximately 2 years and 1 month. A secondary logon trigger fires at each user login. The task action calls mshta.exe back to the C2 URL. If CrowdStrike Falcon is detected in the process list (csfalconservice), the command is wrapped in cmd.exe /c start "" /b to evade Falcon's process tree monitoring.
The 760-day figure is distinctive. It is not a round number, not a standard Windows default, and appears in every sample without variation. This is a builder default that no affiliate has bothered to change -- a fingerprint as reliable as any hash.
The task name prefix varies by affiliate tier and serves as an additional clustering indicator:
| Task Name Prefix | C2 Tier | Primary Domain |
|---|---|---|
YandexUpdateService | Lumma/DeerStealer | indeanapolice[.]cc |
CCleanerTaskID | CCleaner/GlassWorm | ccleaner[.]gl |
ExplorerID | ExplorerStealer | explorer[.]vg |
Workspace | BetaLoader/LoadJS | communicationfirewall-security[.]cc |
Stage 6: C2 Communication and Exfiltration
All C2 traffic uses an encrypted REST API protocol. Payloads are XOR'd with a random 6-digit numeric key, prepended with the key, and Base64-encoded before transmission. The API follows a consistent endpoint pattern across all twelve samples:
| Endpoint | Purpose |
|---|---|
/connect | Victim registration with full system telemetry |
/getUpdates | Task queue polling (Bearer JWT authentication) |
/getModule | Binary/script module download |
/getPsModule | PowerShell module download |
/approveUpdate | Task completion acknowledgment |
The initial /connect registration transmits the HWID (MD5 hash of hardware fingerprint), OS version, AV products, processor ID, domain membership status, installed wallets, detected extensions, and the affiliate's Bearer token. The response is either "created" (victim enrolled, scheduled task handles future check-ins) or a JWT session token for immediate task execution.
The C2 operator can issue eleven distinct task types, including download-and-execute, DLL sideloading via rundll32, MSI installation, PowerShell IEX cradles, USB propagation via .lnk shortcuts, and arbitrary HTA re-launch. For payload downloads, the builder includes a seven-method fallback chain: curl.exe, PowerShell irm, VBScript via MSScriptControl.ScriptControl, MSXML2.XMLHTTP with ADODB.Stream, WinHttp.WinHttpRequest, bitsadmin.exe, and certutil.exe.
The C2 Infrastructure: Five Domains, One Registrar, One Purpose
The infrastructure convergence is the strongest evidence that these twelve samples belong to a single operation. Five C2 domains. All registered through the same registrar. All within a 90-day window. All behind the same CDN.
Domain Registration Cluster
| Domain | Registered | Registrar | CDN | Backend IP | Country | Provider |
|---|---|---|---|---|---|---|
communicationfirewall-security[.]cc | 2025-12-16 | NICENIC (HK) | Cloudflare | 85.121.148.13 | Moldova | Ava Host Srl |
indeanapolice[.]cc | 2025-12-22 | NICENIC (HK) | Cloudflare | 94.183.233.21 | Iran (Shiraz) | Tahlil Dadeh Novin Fadak |
favourite-guide[.]cc | 2026-02-11 | NICENIC (HK) | Cloudflare | 94.26.106.134 | Bulgaria (Sofia) | Traffic Broadband |
explorer[.]vg | 2026-02-28 | NICENIC (HK) | Cloudflare | 45.156.23.185 | Netherlands | CGI Global Limited |
ccleaner[.]gl | 2026-03-08 | NICENIC (HK) | Cloudflare | 178.255.222.234 | Netherlands | CGI Global Limited |
A sixth domain, memory-scanner[.]cc, was discovered via infrastructure pivoting -- registered 2025-12-29 through NICENIC, hosted at 94.26.106.119 in Sofia on the same /24 subnet as the favourite-guide[.]cc backend. It serves as a secondary C2 for PowerShell module delivery.
NICENIC International Group Co., Ltd. (IANA ID 3765/4340) is a Hong Kong-based domain registrar that has appeared in prior threat intelligence reporting as a registrar of choice for malware operators. The appeal is straightforward: competitive pricing on exotic TLDs (.cc, .gl, .vg), minimal verification requirements, and a jurisdiction that complicates Western law enforcement takedown requests. The consistent use of a single registrar across all five primary domains is the operator's most significant OPSEC failure -- a single WHOIS pivot connects the entire infrastructure.
Registration Timeline
2025-12-16 communicationfirewall-security.cc registered
2025-12-22 indeanapolice.cc registered
2025-12-29 memory-scanner.cc registered
2026-02-11 favourite-guide.cc registered
2026-02-28 explorer.vg registered
2026-03-08 ccleaner.gl registered
2026-03-13 First HTA samples appear on MalwareBazaar
2026-03-14 12 samples submitted within 14-hour window
The infrastructure was staged over a three-month period starting in December 2025. The first two domains (communicationfirewall-security.cc and indeanapolice.cc) were registered within six days of each other, suggesting the initial infrastructure buildout. The remaining three primary domains followed at roughly two-week intervals through early March, coinciding with the platform's go-live.
Domain Name Strategy
The domain names themselves reveal the operator's social engineering philosophy:
communicationfirewall-security.cc-- designed to resemble a legitimate security product in proxy logs. A network analyst scanning DNS queries might dismiss it as a firewall management console.ccleaner.gl-- typosquatting on the legitimate CCleaner brand. The.glTLD (Greenland) passes casual inspection as a plausible software domain.indeanapolice.cc-- a deliberate misspelling of "Indianapolis Police." The domain would blend into environments where law enforcement portal traffic is expected.explorer.vg-- short, generic, plausibly a legitimate web tool. The.vgTLD (British Virgin Islands) adds offshore obscurity.favourite-guide.cc-- British spelling of "favorite," generic enough to evade keyword-based domain filtering.
Backend Server Distribution
Behind the Cloudflare layer, the backend servers are distributed across four countries to prevent any single law enforcement jurisdiction from taking down the entire operation:
| Location | Provider | ASN | Role |
|---|---|---|---|
| Chisinau, Moldova | Ava Host Srl | AS48753 | Panel hosting, affiliate management, enterprise victim C2 |
| Shiraz, Iran | Tahlil Dadeh Novin Fadak | AS211881 | Lumma/DeerStealer tier backend |
| Sofia, Bulgaria | Traffic Broadband | AS48452 | Hardware wallet victim C2, PowerShell module delivery |
| Netherlands | CGI Global Limited | AS56971 | ExplorerStealer and CCleaner tier backends |
All C2 servers run nginx/1.24.0 on Ubuntu Linux and return HTTP 444 (nginx connection drop) for unauthorized requests -- a deliberate OPSEC measure to block automated scanners. Infrastructure analysis confirmed that explorer[.]vg and communicationfirewall-security[.]cc share identical JARM TLS fingerprints, further confirming unified ownership despite different hosting providers and countries.
The Bulgaria-hosted server at 94.26.106.134 (favourite-guide[.]cc) exposed RDP on port 3389, WinRM on port 5985, and SSH on port 22 to the public internet. The RDP certificate leaked the machine name vm8514 running Windows Server 2022 -- likely the operator's control panel, managed via direct RDP with no VPN or proxy layer. This is the server that receives the highest-value victims: hardware wallet holders.
The MaaS Panel: Version 4.1.1 and the Affiliate Model
Five of the twelve samples explicitly identify themselves as version 4.1.1 in their beacon strings. This version consistency across samples submitted days apart by different sources confirms a stable, production-grade platform -- not a rapidly iterating development build, but a release the operator considers mature enough to sell.
The Affiliate Key System
Each sample carries a unique Bearer token -- a 20-character uppercase alphanumeric string hardcoded into the HTA payload and transmitted with every C2 callback. Four keys were confirmed:
TN2FOVFABMT0WCNHGYJR (BetaLoader - communicationfirewall-security.cc)
MVPOW0B7KUPE6KB6CJ17 (ExplorerPS - multi-C2 tiered routing)
4DKRXGCNTVKHOQXFDBOA (Win64/Coins - communicationfirewall-security.cc)
MV6B2DKZRXWNP8U6VF0O (DeerStealer HTA - indeanapolice.cc)
The key format is consistent and likely generated server-side during affiliate onboarding. These tokens allow the panel operator to track per-affiliate steal volume, calculate revenue shares (MaaS platforms typically operate on a 70/30 or 80/20 split), enforce access control, and monitor affiliate behavior. The presence of at least four distinct keys across twelve samples means this platform has multiple paying customers operating simultaneously -- and these are only the affiliates whose samples reached our pipeline during a four-day window.
The affiliate keys cluster into four groups by C2 tier and scheduled task name:
| Tier | Task Name Prefix | Primary C2 | Known Affiliates |
|---|---|---|---|
| Lumma/DeerStealer | YandexUpdateService | indeanapolice[.]cc | 3+ tokens |
| CCleaner/GlassWorm | CCleanerTaskID | ccleaner[.]gl | 3+ tokens |
| ExplorerStealer | ExplorerID | explorer[.]vg | 3+ tokens |
| Workspace/BetaLoader | Workspace | communicationfirewall-security[.]cc | 3+ tokens |
This distribution -- roughly three affiliates per panel instance -- may reflect pricing tiers, geographic targeting preferences, or infrastructure load balancing across the operator's server fleet.
The .NET Backend
The production_report_backup_1031 investigation (LoadJS Stealer) revealed that the panel backend is built on the .NET framework. A server error response leaked the filesystem path C:\Users\Administrator\Desktop\Load\Files\ -- confirming the panel is an ASP.NET application running directly from the Windows Administrator desktop. The developer never moved the panel from their development path to a proper deployment location before going operational. This is a development-stage OPSEC failure preserved in production, and the internal name "Load" aligns with the LoadJS label.
Who Is Behind It: Russian-Speaking Operator, CIS Avoidance
Attribution in MaaS operations requires distinguishing between the platform operator and the affiliates. The evidence consistently points to a Russian-speaking platform operator with strict CIS avoidance policies.
The CIS Language Check
Multiple samples, most explicitly the photos_release_v9-9 investigation (ExplorerStealer v4.1.1), contain a system language check that queries the Windows locale for Russian-language identifiers. The check references the Cyrillic SISTEMA -- the Russian word for "system" -- to determine whether the victim machine is configured for a CIS-region language. If the check returns positive, the stealer terminates without executing.
CIS avoidance is one of the most reliable indicators of a Russian-speaking operator. It serves a dual purpose: it reduces the risk of attracting attention from Russian law enforcement (who generally do not pursue cybercriminals targeting foreign victims), and it reflects an informal code among Russian-speaking threat actors that domestic targets are off-limits. The Workspace and BetaLoader variants reinforce this with the Russian error string Oshibka: ("Error:") -- a developer locale artifact that was never localized.
Infrastructure and OPSEC Profile
The infrastructure decisions reinforce the attribution:
- NICENIC registrar (Hong Kong) -- commonly used by Russian-speaking operators who want to avoid Western registrars' abuse response teams
- Ava Host (Moldova) -- a hosting provider in a former Soviet state with a Russian-speaking customer base and minimal Western law enforcement cooperation
- Iranian backend servers -- Iran has no extradition treaties with Western nations and hosts affordable server infrastructure
- Bulgarian infrastructure -- the Sofia-based servers sit in a jurisdiction with limited cybercrime enforcement capacity for non-domestic cases
- Cloudflare fronting -- standard OPSEC for sophisticated MaaS operations where the panel must remain accessible to affiliates worldwide
- The "Bruno" anti-sandbox check -- targets the CAPE malware sandbox's default username, indicating the developer tested specifically against CAPE during development
Parallel Operations
Pivoting on historical DNS data for communicationfirewall-security[.]cc revealed an earlier backend IP (82.29.128.113, Hosteons VPS in New York) that also hosted domains associated with a Mexican courier phishing campaign using Estafeta and DHL lures. The same VPS served both the crypto stealer C2 and a smishing operation, suggesting either a single multi-campaign threat actor or a shared infrastructure broker.
What GHOST Found: Autonomous Investigation Disclosure
All twelve investigations were conducted autonomously by GHOST (General Heuristic OSINT and Security Tracker), BGI's automated threat hunting system. GHOST ingested each sample independently, performed static and dynamic analysis, extracted IOCs, and mapped infrastructure connections. The cluster identification -- the recognition that twelve separate investigations pointed to a single MaaS operation -- was flagged automatically when GHOST's infrastructure correlation engine detected overlapping C2 domains, shared registrar fingerprints, identical panel version strings, and matching GUID values across multiple concurrent investigations.
No human analyst directed the cluster analysis. The convergence emerged organically from the data. This is the operational model that Breakglass Intelligence was built to demonstrate: automated threat hunting at a scale and speed that would be impractical for a human analyst team processing twelve simultaneous investigations.
All analysis used passive reconnaissance and sample inspection only. No unauthorized access to C2 infrastructure was performed. All findings are based on sample analysis, WHOIS records, passive DNS data, certificate transparency logs, Shodan, and publicly available threat intelligence feeds.
MITRE ATT&CK Mapping
| Tactic | Technique | ID | Implementation |
|---|---|---|---|
| Initial Access | Phishing: Spearphishing Attachment | T1566.001 | HTA files with misleading extensions (.ini, .png, .jpg, .mp3, .xml, .docx) |
| Execution | System Binary Proxy Execution: Mshta | T1218.005 | All 12 samples execute via mshta.exe |
| Execution | Command and Scripting Interpreter: JavaScript | T1059.007 | XOR-obfuscated JavaScript in HTA payload |
| Execution | Command and Scripting Interpreter: PowerShell | T1059.001 | PowerShell IEX cradles for module delivery |
| Execution | Command and Scripting Interpreter: Windows Command Shell | T1059.003 | cmd.exe wrapper for CrowdStrike Falcon evasion |
| Persistence | Scheduled Task/Job: Scheduled Task | T1053.005 | 30-minute interval, 760-day expiry via Schedule.Service COM |
| Defense Evasion | Obfuscated Files or Information | T1027 | XOR-encoded 382-string lookup table, per-build keys |
| Defense Evasion | Masquerading: Match Legitimate Name or Location | T1036.005 | Task names mimic YandexUpdate, CCleaner, Explorer |
| Defense Evasion | Virtualization/Sandbox Evasion: System Checks | T1497.001 | AZURE-PC hostname, Bruno/SYSTEM/SISTEMA username checks |
| Defense Evasion | Impair Defenses | T1562.001 | CrowdStrike Falcon process detection and evasion |
| Defense Evasion | Indicator Removal: File Deletion | T1070.004 | HTA self-deletes from disk on execution |
| Defense Evasion | Modify Registry | T1112 | MaxScriptStatements bypass for script execution limit |
| Discovery | System Information Discovery | T1082 | WMI queries for OS, CPU, UUID, disk serial, domain status |
| Discovery | Security Software Discovery | T1518.001 | WMI AntiVirusProduct enumeration, Falcon/csfalconservice check |
| Discovery | System Language Discovery | T1614.001 | CIS language check (Cyrillic SISTEMA detection) |
| Discovery | File and Directory Discovery | T1083 | 66+ browser profiles, 78 extension paths, wallet directories |
| Credential Access | Credentials from Password Stores: Web Browsers | T1555.003 | Browser extension local storage exfiltration |
| Credential Access | Unsecured Credentials: Credentials in Files | T1552.001 | Desktop wallet file enumeration |
| Collection | Data from Local System | T1005 | Wallet data, browser extension storage |
| Lateral Movement | Replication Through Removable Media | T1091 | USB .lnk propagation (task type 9) |
| Exfiltration | Exfiltration Over C2 Channel | T1041 | Stolen data POSTed to /connect endpoint |
| Command and Control | Application Layer Protocol: Web Protocols | T1071.001 | HTTPS-based C2 communication |
| Command and Control | Encrypted Channel: Symmetric Cryptography | T1573.001 | XOR + Base64 encoding on all C2 traffic |
| Command and Control | Proxy: External Proxy | T1090.002 | Cloudflare as reverse proxy to obscure backend IPs |
| Resource Development | Acquire Infrastructure: Domains | T1583.001 | 5 domains via NICENIC within 90 days |
| Resource Development | Acquire Infrastructure: Web Services | T1583.006 | Cloudflare DNS fronting on all C2 domains |
Defensive Recommendations
Immediate Actions
-
Block all C2 domains at DNS and proxy layers:
communicationfirewall-security[.]ccindeanapolice[.]ccfavourite-guide[.]ccexplorer[.]vgccleaner[.]glmemory-scanner[.]cc
-
Null-route backend IPs at the firewall:
85.121.148.13(Moldova),94.183.233.21(Iran),94.26.106.134(Bulgaria),94.26.106.119(Bulgaria),45.156.23.185(Netherlands),178.255.222.234(Netherlands),82.29.128.113(US/historical). -
Hunt for scheduled tasks matching the patterns
YandexUpdateService*,CCleanerTaskID*,ExplorerID*, andWorkspace*. Check the task action formshta.exepointing to external URLs. Any match should be treated as a confirmed compromise. -
Audit the registry for
HKCU\Software\Microsoft\Internet Explorer\Styles\MaxScriptStatementsset to10000000or4294967295-- a telltale artifact of this builder's script timeout bypass. -
Block or restrict mshta.exe execution from browser download directories, email attachment paths, and temporary folders. Most enterprise environments have no legitimate need for HTA execution.
Detection Engineering
-
Sigma rule: Alert on
mshta.exespawning network connections to.cc,.gl, or.vgTLDs. These TLDs have a high abuse ratio and low legitimate enterprise usage. -
YARA rule: Target the 382-entry string table decoding pattern and the shared GUID
{0830A3F8-70B8-40E1-A0F3-E0EC9092F861}. The integer-array-to-string decoding loop and the version string4.1.1in combination provide high-confidence detection with low false positives. -
Suricata/Snort rule: Match the C2 beacon parameter pattern in POST requests:
connect?hwid=...&os=...&av=...&version=4.1.1. -
EDR query: Scheduled task creation via
Schedule.ServiceCOM object from within anmshta.exeprocess context, with task parameters matchingPT30Minterval andP760Dduration. -
Browser extension audit: Deploy the 78 targeted extension IDs as a watchlist across endpoints. Any unauthorized wallet extension installation should trigger investigation, particularly on corporate machines.
Strategic Recommendations
-
Report domains to Cloudflare via their abuse portal with the IOCs in this report. Cloudflare has actioned abuse reports for stealer C2 infrastructure when provided with sufficient evidence.
-
Report to NICENIC abuse contacts. While the registrar's responsiveness is historically limited, establishing a paper trail supports future takedown efforts and potential ICANN complaints.
-
Notify cryptocurrency wallet vendors. The 78 targeted extension IDs and 6 desktop wallets should be shared with Ledger, Trezor, Exodus, MetaMask, Phantom, and Coinbase for integration into their fraud detection and user notification systems.
-
Restrict mshta.exe via WDAC or AppLocker as a medium-term hardening measure. The attack chain is entirely dependent on
mshta.exeexecution -- removing that single binary from the allowlist breaks every variant of this platform.
Complete IOC Table
C2 Domains
| Domain | Registrar | Registered | Backend IP | Country | Role |
|---|---|---|---|---|---|
communicationfirewall-security[.]cc | NICENIC | 2025-12-16 | 85.121.148.13 | Moldova | Enterprise redirect, Workspace tier C2 |
indeanapolice[.]cc | NICENIC | 2025-12-22 | 94.183.233.21 | Iran (Shiraz) | Lumma/DeerStealer tier C2 |
memory-scanner[.]cc | NICENIC | 2025-12-29 | 94.26.106.119 | Bulgaria (Sofia) | PowerShell module delivery |
favourite-guide[.]cc | NICENIC | 2026-02-11 | 94.26.106.134 | Bulgaria (Sofia) | Hardware wallet victim C2 |
explorer[.]vg | NICENIC | 2026-02-28 | 45.156.23.185 | Netherlands | ExplorerStealer/PS tier C2 |
ccleaner[.]gl | NICENIC | 2026-03-08 | 178.255.222.234 | Netherlands | CCleaner-themed tier C2 |
Backend Infrastructure
| IP Address | Domain(s) | Country | ASN | Provider | Notes |
|---|---|---|---|---|---|
85.121.148.13 | communicationfirewall-security[.]cc | Moldova | AS48753 | Ava Host Srl | Panel hosting |
82.29.128.113 | communicationfirewall-security[.]cc (historical) | USA (NYC) | AS142036 | Hosteons | Also hosts Mexican phishing |
94.183.233.21 | indeanapolice[.]cc | Iran (Shiraz) | AS211881 | Tahlil Dadeh Novin Fadak | |
94.26.106.134 | favourite-guide[.]cc | Bulgaria (Sofia) | AS48452 | Traffic Broadband | RDP exposed, Windows Server 2022 |
94.26.106.119 | memory-scanner[.]cc | Bulgaria (Sofia) | AS48452 | Traffic Broadband | Same /24 as above |
45.156.23.185 | explorer[.]vg | Netherlands | AS56971 | CGI Global Limited | |
178.255.222.234 | ccleaner[.]gl | Netherlands | AS56971 | CGI Global Limited |
Affiliate Keys
| Key | Associated Investigation | Label | C2 Tier |
|---|---|---|---|
TN2FOVFABMT0WCNHGYJR | beta_dataset_sydney_4868-4a76c14f | BetaLoader | Workspace |
MVPOW0B7KUPE6KB6CJ17 | core_data_europe_6231-0ad8b2ce | ExplorerPS | Multi-C2 |
4DKRXGCNTVKHOQXFDBOA | devops_audio_alpha_7570-26dddc0a | Win64/Coins (Convagent) | communicationfirewall-security.cc |
MV6B2DKZRXWNP8U6VF0O | family_journal_archive_2032-0435da3a | DeerStealer HTA v4.1.1 | indeanapolice.cc |
Investigation-to-Sample Mapping
| Investigation ID | Hash Prefix | Surface Label | Primary C2 |
|---|---|---|---|
| beta_dataset_sydney_4868-4a76c14f | 4a76c14f | MSHTA Crypto-Stealer / BetaLoader | communicationfirewall-security.cc |
| core_data_europe_6231-0ad8b2ce | 0ad8b2ce | ExplorerPS (multi-C2 tiered routing) | explorer.vg + tiered |
| devops_audio_alpha_7570-26dddc0a | 26dddc0a | Win64/Coins (Convagent) -- Three-Tier C2 | communicationfirewall-security.cc, favourite-guide.cc, ccleaner.gl |
| family_journal_archive_2032-0435da3a | 0435da3a | DeerStealer HTA v4.1.1 -- LummaC2 Payload | indeanapolice.cc |
| internal_config_secondary_4043-ff100a7e | ff100a7e | Explorer Stealer v4.1.1 | explorer.vg, communicationfirewall-security.cc |
| logs_newyork__70-d00607f4 | d00607f4 | Lumma Stealer v4.1.1 | Iran/Bulgaria/US backends |
| photos_release_v9-9-5e54ce0c | 5e54ce0c | ExplorerStealer v4.1.1 (Russian SISTEMA check) | explorer.vg |
| production_report_backup_1031-98691728 | 98691728 | LoadJS Stealer -- XOR-Obfuscated (.NET backend) | communicationfirewall-security.cc |
| summer_notes_new_195-15f2a002 | 15f2a002 | LummaC2 HTA Loader | indeanapolice.cc |
| template_sydney__96-fbfcbd84 | fbfcbd84 | MaaS Panel Client (Moldova/Ava Host) | communicationfirewall-security.cc |
| x_journal_london_308-93c84af9 | 93c84af9 | HTA Crypto Stealer -- CCleaner Lure | ccleaner.gl |
| z_invoice_london_9789-989669d5 | 989669d5 | GlassWorm Stealer -- MaaS C2 Panel | ccleaner.gl |
Host-Based Indicators
| Type | Value | Notes |
|---|---|---|
| Scheduled Task | YandexUpdateService* | Lumma/DeerStealer tier |
| Scheduled Task | CCleanerTaskID* | CCleaner/GlassWorm tier |
| Scheduled Task | ExplorerID* | ExplorerStealer tier |
| Scheduled Task | Workspace* | Workspace/BetaLoader/LoadJS tier |
| Registry | HKCU\Software\Microsoft\Internet Explorer\Styles\MaxScriptStatements | Value: 10000000 or 0xFFFFFFFF |
| GUID | {0830A3F8-70B8-40E1-A0F3-E0EC9092F861} | Shared COM CLSID across all builds |
| Version | 4.1.1 | Builder version in all C2 beacons |
| Task Interval | PT30M (30 minutes) | Identical across all samples |
| Task Duration | P760D (760 days) | Identical across all samples |
Conclusion
What appeared to be twelve separate malware campaigns is a single Malware-as-a-Service platform distributing through at least twelve affiliate channels simultaneously. The builder (version 4.1.1) produces functionally identical HTA droppers that differ only in their XOR encoding key, affiliate token, and cosmetic obfuscation layer. The C2 infrastructure is unified: five domains registered through the same Hong Kong registrar, hosted across Iran, Bulgaria, Moldova, and the Netherlands, all behind Cloudflare, all running the same nginx/Ubuntu stack, all sharing a version string and a GUID that the builder embeds in every payload.
The operator made enough mistakes to map the entire cluster from a single sample. The shared registrar gave us the domain cluster for free. The exposed RDP panel in Bulgaria revealed the management infrastructure. The .NET path leak confirmed the backend stack. The Russian language artifacts and CIS avoidance check confirmed the operator profile. The hardcoded affiliate keys -- transmitted in plaintext to the C2 with every beacon -- gave us the affiliate structure.
But the operational architecture is sound. The three-tier victim routing system demonstrates a mature understanding of how to extract maximum value from stolen data. Corporate victims go to one pipeline. Hardware wallet holders go to another. The commodity crypto users go to a third. The geographic distribution of backend servers across four countries with limited cross-border law enforcement cooperation means no single takedown action can be decisive.
For defenders: if you find one of these scheduled tasks on your network, you are dealing with a commodity MaaS platform that is currently serving at least twelve affiliates and targeting every cryptocurrency wallet in existence. Block the infrastructure, hunt for the persistence mechanisms, and restrict mshta.exe execution. The operator will rotate domains. The builder version will increment. But the architectural fingerprints -- the 382-string table, the three-tier victim routing, the 760-day scheduled tasks, the /connect-/getUpdates-/approveUpdate API protocol -- will persist across future versions.
The domains are live. The affiliates are active. The wallets are being drained.
This investigation was conducted autonomously by GHOST using passive analysis techniques only. No unauthorized access to any infrastructure was performed. All findings are based on sample analysis, WHOIS records, passive DNS data, certificate transparency logs, and publicly available threat intelligence.
Breakglass Intelligence -- Automated OSINT by BGI