The VICTOR Connection: One .NET Injector Developer, Two Stealer Families, and a Romanian Beef Breeders Association
The same ALTERNATE.dll PDB path — C:\Users\VICTOR\Documents\CryptoObfuscator_Output — appears in both a Phemedrone campaign targeting Hungary and a Formbook campaign targeting Italy. Same developer, different customers.
Table of Contents
- TL;DR
- What This Report Adds to the Public Record
- The Compromised Host: Romanian Beef Breeders Association
- Kill Chain
- Stage 1: JavaScript Dropper — Hungarian-Language Lure
- Stage 2: AES-256-CBC Encrypted PowerShell
- Stage 3: ALTERNATE.dll — The VICTOR Injector
- Stage 4: Phemedrone Stealer
- The VICTOR Link: Formbook Uses the Same Injector
- Infrastructure
- IOC Table
- MITRE ATT&CK Mapping
- Recommendations
TL;DR
A compromised WordPress site belonging to the Romanian Association of Beef Cattle Breeders (ACBCR) at acbcr[.]ro is hosting a multi-stage Phemedrone Stealer delivery chain targeting Hungarian-speaking victims. The kill chain runs from a Hungarian-language JavaScript dropper through AES-256-CBC encrypted PowerShell, into a .NET process-hollowing injector called ALTERNATE.dll, and finally into Phemedrone Stealer disguised as svchost.exe.
The key finding is ALTERNATE.dll itself. Its PDB path — C:\Users\VICTOR\Documents\CryptoObfuscator_Output\ALTERNATE.pdb — is identical to the injector used in a Formbook campaign we documented on April 20 that used Italian shipping lures and catbox[.]moe for payload hosting. The developer behind the username VICTOR is building .NET process-hollowing injectors for multiple stealer families — operating as either a shared-tool developer or a loader-as-a-service provider.
Credit: @smica83 for the initial tip that led to this investigation.
What This Report Adds to the Public Record
- Links ALTERNATE.dll across two separate stealer campaigns (Phemedrone and Formbook) via identical PDB paths, connecting a single developer ("VICTOR") to both operations.
- Documents the full Phemedrone delivery chain from compromised Romanian livestock association website through AES+XOR layered decryption to process-hollowed stealer execution.
- Identifies the compromised WordPress site (acbcr[.]ro) with directory listing enabled, an exposed admin username, and active payload hosting — actionable for defenders and for the site owner.
The Compromised Host: Romanian Beef Breeders Association
The payload hosting site is acbcr[.]ro — the official website of the Asociația Crescătorilor de Bovine pentru Carne din România (Romanian Association of Beef Cattle Breeders), directed by Costel Țaran.
The WordPress installation shows multiple signs of compromise and poor security hygiene:
| Indicator | Detail |
|---|---|
| Domain | acbcr[.]ro |
| IP | 188.241.74[.]68 |
| ASN | AS5606 — Hostico Romania |
| CMS | WordPress (version undetermined) |
| Admin user | admin_acbcr (exposed via wp-json/wp/v2/users) |
| Directory listing | Enabled on /wp-content/uploads/ and /wp-includes/ |
| Payload path | /wp-content/update.ps1 (3.4 MB encrypted PowerShell) |
The exposed user enumeration endpoint and enabled directory listing suggest this site has been poorly maintained, which makes it an easy target for automated WordPress exploitation scanners. The attackers placed their encrypted PowerShell payload at a path (update.ps1) whose filename reads like a routine update artefact to a casual reviewer. Note that a .ps1 file has no legitimate place under a WordPress wp-content directory, so the file is itself a hunting signal for the site owner and for anyone reviewing web server logs for this host.
Kill Chain
[1] JS Dropper (Hungarian lure)
Rendelés_aqualing_2026_22445146200001.js
│
▼
[2] AES-256-CBC Encrypted PowerShell
acbcr[.]ro/wp-content/update.ps1 (3.4 MB)
Key: wgJ/fzXmOQvFo6Edg9U0SoQr6rEdvegLcUT35OSmDQ0=
IV: YzVJsAmkpoAPJnVvW5n1dA==
│
▼
[3] XOR-Decrypted .NET Assembly
Key: "vkSecretKey765"
│
▼
[4] ALTERNATE.dll (.NET Loader)
PDB: C:\Users\VICTOR\Documents\CryptoObfuscator_Output\ALTERNATE.pdb
Class: ALTERNATE.EXECUTE → Method: LAUNCH
Process hollows aspnet_compiler.exe
│
▼
[5] Phemedrone Stealer
750 KB .NET, Costura/Fody packed
Disguised as svchost.exe
Embedded shellcode handle: ~draGon~
Stage 1: JavaScript Dropper — Hungarian-Language Lure
The initial access vector is a JavaScript file named:
Rendelés_aqualing_2026_22445146200001.js
"Rendelés" is Hungarian for "Order" — this is a purchase-order themed social engineering lure targeting Hungarian-speaking victims. The filename references "aqualing," likely impersonating a legitimate Hungarian business to add credibility.
The JS dropper's job is simple: download the encrypted PowerShell payload from the compromised ACBCR site and execute it.
Stage 2: AES-256-CBC Encrypted PowerShell
The dropper fetches a 3.4 MB file from:
hxxps://acbcr[.]ro/wp-content/update.ps1
Despite the .ps1 extension, this file is AES-256-CBC encrypted. The decryption parameters are hardcoded in the dropper:
| Parameter | Value |
|---|---|
| Algorithm | AES-256-CBC |
| Key (Base64) | wgJ/fzXmOQvFo6Edg9U0SoQr6rEdvegLcUT35OSmDQ0= |
| IV (Base64) | YzVJsAmkpoAPJnVvW5n1dA== |
After AES decryption, the resulting PowerShell script contains an embedded .NET assembly that is XOR-encrypted with the key vkSecretKey765. Two-layer encryption of this kind (AES for the file fetched over the network, XOR for the embedded payload) is a common pattern in commodity loader chains: the AES layer keeps the staged file opaque to static and network-level inspection, while the XOR layer means the assembly is only ever reconstructed in memory by the script itself and never touches disk in a recognisable form. Neither layer is a cryptographic barrier once the dropper is in hand: the key, IV and XOR key are all hardcoded, so an analyst can decrypt the entire chain offline.
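The decryption described above, as an added example that is not part of the original report and not the actors' own code. It uses the key, IV and XOR key listed on this page, and builds its own constructed fixture instead of the real update.ps1 (which is not reproduced here). The way the XOR-encrypted assembly is framed inside the decrypted script is an assumption (a single-quoted base64 string), flagged in the code; the real framing has to be read off the decrypted update.ps1 before pointing this at a live sample. Requires the `cryptography` package.

```python
"""Offline decryptor for the two-layer update.ps1 chain (AES-256-CBC, then XOR)."""
import base64

from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

# Parameters recovered from the dropper, as listed in this report.
AES_KEY = base64.b64decode("wgJ/fzXmOQvFo6Edg9U0SoQr6rEdvegLcUT35OSmDQ0=")  # 32 bytes
AES_IV = base64.b64decode("YzVJsAmkpoAPJnVvW5n1dA==")                      # 16 bytes
XOR_KEY = b"vkSecretKey765"


def aes_cbc_decrypt(ciphertext: bytes, key: bytes = AES_KEY, iv: bytes = AES_IV) -> bytes:
    """Stage 2 layer: AES-256-CBC with PKCS#7 padding (the .NET AesManaged default)."""
    if len(key) != 32 or len(iv) != 16:
        raise ValueError("AES-256-CBC needs a 32-byte key and a 16-byte IV")
    if not ciphertext or len(ciphertext) % 16:
        raise ValueError("ciphertext length is not a multiple of the AES block size")
    decryptor = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    padded = decryptor.update(ciphertext) + decryptor.finalize()
    unpadder = padding.PKCS7(128).unpadder()
    # A padding error here almost always means a wrong key/IV, not corrupt data.
    return unpadder.update(padded) + unpadder.finalize()


def aes_cbc_encrypt(plaintext: bytes, key: bytes = AES_KEY, iv: bytes = AES_IV) -> bytes:
    """Inverse of aes_cbc_decrypt; used here only to build an offline fixture."""
    padder = padding.PKCS7(128).padder()
    padded = padder.update(plaintext) + padder.finalize()
    encryptor = Cipher(algorithms.AES(key), modes.CBC(iv)).encryptor()
    return encryptor.update(padded) + encryptor.finalize()


def xor_with_key(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Stage 3 layer: repeating-key XOR. Symmetric, so one function covers both directions."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_dotnet_assembly(blob: bytes) -> bool:
    """Sanity check on the XOR output: an MZ image carrying the CLR metadata root
    signature 'BSJB'. If this is False after both layers, a key or the framing is wrong."""
    return blob[:2] == b"MZ" and b"BSJB" in blob


def recover_assembly_from_script(script: bytes) -> bytes:
    """Pull the XOR-encrypted blob out of the decrypted script and XOR it back.
    ASSUMPTION: the blob is the first single-quoted base64 string in the script.
    The real script's framing is not shown in the report."""
    start = script.index(b"'") + 1
    end = script.index(b"'", start)
    return xor_with_key(base64.b64decode(script[start:end]))


def build_constructed_sample(fake_assembly: bytes) -> bytes:
    """Constructed fixture, NOT the real update.ps1: XOR the 'assembly', embed it as
    base64 in a PowerShell-like stub, then AES-encrypt the stub with the report's key/IV."""
    inner = base64.b64encode(xor_with_key(fake_assembly)).decode()
    stub = f"$b = [Convert]::FromBase64String('{inner}')\n".encode()
    return aes_cbc_encrypt(stub)


if __name__ == "__main__":
    # Constructed stand-in for a .NET assembly: MZ header plus the CLR metadata signature.
    fake = b"MZ" + b"\x00" * 62 + b"BSJB" + b"constructed-assembly-body"
    script = aes_cbc_decrypt(build_constructed_sample(fake))
    assembly = recover_assembly_from_script(script)
    print("decrypted script:", script.decode().strip()[:60], "...")
    print("assembly recovered:", assembly == fake, "| managed PE:", looks_like_dotnet_assembly(assembly))
```

Against the real 3.4 MB file, replace `build_constructed_sample(...)` with the bytes of update.ps1; the `looks_like_dotnet_assembly` check is the quickest way to confirm the XOR key was applied to the right bytes before reaching for a .NET decompiler.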
Stage 3: ALTERNATE.dll — The VICTOR Injector
After XOR decryption, the PowerShell script reflectively loads a .NET assembly: ALTERNATE.dll.
This is the most significant artifact in the chain. Key properties:
| Property | Value |
|---|---|
| SHA256 | c8a0077a21f2ba22ec5a6d956b012b794c8b5a70e5ccd05adcff786020850791 |
| PDB path | C:\Users\VICTOR\Documents\CryptoObfuscator_Output\ALTERNATE.pdb |
| Obfuscator | CryptoObfuscator |
| Namespace | ALTERNATE |
| Class | ALTERNATE.EXECUTE |
| Entry method | LAUNCH |
| Technique | Process hollowing into aspnet_compiler.exe |
The PDB path reveals two things:
- The developer's Windows username is VICTOR — a consistent artifact that ties this binary to other campaigns.
- The build was passed through CryptoObfuscator, a commercial .NET obfuscator; CryptoObfuscator_Output is the tool's conventional output folder name. Obfuscation operates on the already-compiled assembly, so the PDB reference points at the post-obfuscation output, not at the original project directory.
ALTERNATE.dll's sole function is process hollowing: it spawns a suspended instance of aspnet_compiler.exe (a legitimate .NET Framework utility), unmaps its image, writes the final payload into the process, and resumes execution. Using aspnet_compiler.exe as the hollowed target is a deliberate choice: it is a Microsoft-signed binary present on any Windows system with .NET Framework installed, so naive allow-listing by signer or path lets it run. It is not, however, an obscure target; aspnet_compiler.exe is one of the hosts most frequently hollowed by commodity .NET loaders (alongside RegAsm.exe, MSBuild.exe and InstallUtil.exe), so an instance of it spawned by PowerShell or a script host, with no build-style arguments, is a strong behavioural signal rather than a blind spot.
Stage 4: Phemedrone Stealer
The final payload is Phemedrone Stealer — a well-documented .NET information stealer.
| Property | Value |
|---|---|
| SHA256 | c916f289ff9a05d74d72f28582ff03690d415fe64a4195b4f47195fe286c6d2d |
| Size | ~750 KB |
| Packer | Costura/Fody (embedded dependency bundler) |
| Disguise | Named svchost.exe at runtime |
| Shellcode handle | ~draGon~ |
| Platform | .NET |
Phemedrone targets browser credentials, cryptocurrency wallets, Discord tokens, Telegram sessions, and Steam accounts. The Costura/Fody packing merges all dependencies into a single executable, simplifying deployment and reducing the file's footprint on disk.
The embedded shellcode handle ~draGon~ may serve as an operator tag or campaign identifier — worth tracking as a pivot for related Phemedrone deployments.
The VICTOR Link: Formbook Uses the Same Injector
This is where the investigation gets interesting.
On April 20, 2026, we documented a Formbook campaign that used an Italian-language shipping lure:
- Lure filename: Referenced "Bozza dei documenti di spedizione" (Italian: "Draft shipping documents")
- Payload host: catbox[.]moe (a public file-sharing service frequently abused for malware staging)
- Injector: ALTERNATE.dll — identical PDB path: C:\Users\VICTOR\Documents\CryptoObfuscator_Output\ALTERNATE.pdb
Two separate campaigns. Two different stealer families. Two different targeting languages (Hungarian vs. Italian). Two different payload hosting strategies (compromised WordPress vs. public file-sharing). But the same .NET process-hollowing injector, built by the same developer.
| Attribute | Phemedrone Campaign | Formbook Campaign |
|---|---|---|
| Lure language | Hungarian | Italian |
| Lure theme | Purchase order | Shipping documents |
| Payload host | acbcr[.]ro (compromised WP) | catbox[.]moe (file sharing) |
| Injector | ALTERNATE.dll | ALTERNATE.dll |
| PDB path | C:\Users\VICTOR\... | C:\Users\VICTOR\... |
| Final payload | Phemedrone Stealer | Formbook |
| Hollowed process | aspnet_compiler.exe | aspnet_compiler.exe |
This pattern suggests one of two operational models:
- VICTOR is a loader-as-a-service developer, building and selling the ALTERNATE.dll injector to multiple threat actors who deploy their own choice of stealer. This is the more likely scenario given the diversity of final payloads and targeting.
- VICTOR is a single operator running multi-regional campaigns with different stealer families optimized for different target demographics.
Either way, the ALTERNATE.dll PDB path is now a reliable hunting pivot. Any future sample with C:\Users\VICTOR\Documents\CryptoObfuscator_Output\ALTERNATE.pdb in its debug directory should be flagged and traced. Two caveats apply to any PDB-based pivot: the path is a plain string that a developer can strip or rewrite at will, so its absence from a later build proves nothing, and its presence is a lead to be corroborated (same injector class and method names, same hollowing target, same CryptoObfuscator artefacts) rather than attribution on its own.
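A hunting script for the pivot just described (and for the "hunt for ALTERNATE.pdb or the PDB path across your .NET binary telemetry" recommendation later in this report), added here as an example; it is not part of the original report. It carves CodeView RSDS records out of any byte blob rather than walking the PE debug directory, which is a triage shortcut that also works on memory dumps and carved sections. The sample binary it scans is a constructed fixture, and the GUID and age in it are made up.

```python
"""Hunt for the VICTOR build path in CodeView (RSDS) debug records of .NET binaries."""
from __future__ import annotations

import re
import struct
import uuid
from pathlib import Path
from typing import Iterator, NamedTuple

# Pivot from this report. Matching the directory rather than only ALTERNATE.pdb also
# catches a renamed build from the same VICTOR workstation.
VICTOR_PDB_DIR = rb"C:\Users\VICTOR\Documents\CryptoObfuscator_Output"
VICTOR_PDB_RE = re.compile(re.escape(VICTOR_PDB_DIR), re.IGNORECASE)
MAX_PDB_PATH = 260  # MAX_PATH; longer "paths" after an RSDS marker are almost always false hits


class CodeViewRecord(NamedTuple):
    offset: int
    guid: str
    age: int
    pdb_path: str


def iter_rsds_records(data: bytes) -> Iterator[CodeViewRecord]:
    """Carve CV_INFO_PDB70 records: 'RSDS' | 16-byte GUID (little-endian) | uint32 age |
    NUL-terminated PDB path. A strict parser would walk IMAGE_DIRECTORY_ENTRY_DEBUG
    instead; carving by signature is good enough for triage and survives unmapped images."""
    pos = 0
    while (pos := data.find(b"RSDS", pos)) != -1:
        path_start = pos + 4 + 16 + 4
        nul = data.find(b"\x00", path_start)
        if nul != -1 and 0 < nul - path_start <= MAX_PDB_PATH:
            path = data[path_start:nul].decode("utf-8", "replace")
            if path.lower().endswith(".pdb"):
                guid = uuid.UUID(bytes_le=data[pos + 4:pos + 20])
                (age,) = struct.unpack_from("<I", data, pos + 20)
                yield CodeViewRecord(pos, str(guid), age, path)
        pos += 4


def victor_hits(data: bytes) -> list[CodeViewRecord]:
    """Records whose PDB path sits in the VICTOR output directory (case-insensitive)."""
    return [r for r in iter_rsds_records(data) if VICTOR_PDB_RE.search(r.pdb_path.encode())]


def scan_tree(root: str) -> dict[str, list[CodeViewRecord]]:
    """Walk a directory of collected PE files and report every VICTOR hit per file."""
    hits: dict[str, list[CodeViewRecord]] = {}
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in {".dll", ".exe", ".bin"}:
            found = victor_hits(p.read_bytes())
            if found:
                hits[str(p)] = found
    return hits


def constructed_sample(pdb_path: bytes, age: int = 3) -> bytes:
    """Constructed fixture, not a real binary: filler bytes around one RSDS record.
    The GUID and age are invented; only the path format mirrors the report."""
    record = b"RSDS" + uuid.UUID(int=0x1234).bytes_le + struct.pack("<I", age) + pdb_path + b"\x00"
    return b"MZ" + b"\x90" * 32 + record + b"\xcc" * 8


if __name__ == "__main__":
    sample = constructed_sample(rb"C:\Users\VICTOR\Documents\CryptoObfuscator_Output\ALTERNATE.pdb")
    for rec in victor_hits(sample):
        print(f"offset={rec.offset:#x} guid={rec.guid} age={rec.age} pdb={rec.pdb_path}")
```

The GUID and age recovered alongside the path are worth keeping: two samples sharing the same GUID/age pair are the same build, which separates "VICTOR recompiled the injector for a new customer" from "the same binary was reused".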
Infrastructure
Payload Hosting
| Host | Role | Details |
|---|---|---|
| acbcr[.]ro | Encrypted PS1 staging | WordPress, 188.241.74[.]68, AS5606 Hostico RO |
| /wp-content/update.ps1 | Payload path | 3.4 MB AES-encrypted PowerShell |
WordPress Exposure
The compromised site leaks significant information:
- User enumeration: wp-json/wp/v2/users exposes admin_acbcr
- Directory listing: both /wp-content/uploads/ and /wp-includes/ have indexing enabled
- No hardening: default WordPress REST API endpoints are fully accessible
IOC Table
File Hashes
| Artifact | SHA256 | Notes |
|---|---|---|
| update.ps1 | c023166a028773efc229e5d4a052fd768d356f7674bc57de91169b9c47bcae55 | AES-encrypted PowerShell, 3.4 MB |
| ALTERNATE.dll | c8a0077a21f2ba22ec5a6d956b012b794c8b5a70e5ccd05adcff786020850791 | .NET injector, PDB: VICTOR |
| Phemedrone Stealer | c916f289ff9a05d74d72f28582ff03690d415fe64a4195b4f47195fe286c6d2d | 750 KB, Costura/Fody packed |
Network Indicators
| Indicator | Type | Context |
|---|---|---|
| acbcr[.]ro | Domain | Compromised WordPress — payload hosting |
| 188.241.74[.]68 | IPv4 | Hosting IP for acbcr[.]ro |
| /wp-content/update.ps1 | URI path | Encrypted PowerShell payload |
Encryption Keys
| Parameter | Value |
|---|---|
| AES-256-CBC Key | wgJ/fzXmOQvFo6Edg9U0SoQr6rEdvegLcUT35OSmDQ0= |
| AES-256-CBC IV | YzVJsAmkpoAPJnVvW5n1dA== |
| XOR Key | vkSecretKey765 |
Developer Artifacts
| Artifact | Value |
|---|---|
| PDB path | C:\Users\VICTOR\Documents\CryptoObfuscator_Output\ALTERNATE.pdb |
| Windows username | VICTOR |
| Shellcode handle | ~draGon~ |
MITRE ATT&CK Mapping
| Tactic | Technique | ID | Implementation |
|---|---|---|---|
| Initial Access | Phishing: Spearphishing Attachment | T1566.001 | Hungarian-language JS dropper |
| Execution | Command and Scripting Interpreter: JavaScript | T1059.007 | .js file executes download chain |
| Execution | Command and Scripting Interpreter: PowerShell | T1059.001 | Decrypted PS1 loads .NET assembly |
| Defense Evasion | Obfuscated Files or Information: Encrypted/Encoded File | T1027.013 | AES-256-CBC + XOR layered encryption |
| Defense Evasion | Process Injection: Process Hollowing | T1055.012 | ALTERNATE.dll hollows aspnet_compiler.exe |
| Defense Evasion | Masquerading: Match Legitimate Name or Location | T1036.005 | Phemedrone disguised as svchost.exe |
| Defense Evasion | Obfuscated Files or Information: Software Packing | T1027.002 | Costura/Fody packing |
| Resource Development | Compromise Infrastructure: Web Services | T1584.006 | Compromised WordPress site for payload hosting |
| Resource Development | Stage Capabilities: Upload Malware | T1608.001 | update.ps1 staged on compromised site |
| Credential Access | Credentials from Password Stores: Credentials from Web Browsers | T1555.003 | Phemedrone browser credential theft |
| Collection | Data from Local System | T1005 | Wallet, Discord, Telegram, Steam data |
Recommendations
For defenders:
- Hunt for ALTERNATE.pdb or the PDB path C:\Users\VICTOR\Documents\CryptoObfuscator_Output\ across your .NET binary telemetry.
- Block the URL hxxps://acbcr[.]ro/wp-content/update.ps1 and monitor for connections to acbcr[.]ro. Blocking 188.241.74[.]68 outright is an option, but it is a shared-hosting address at a Romanian hosting provider (AS5606 Hostico) and may also carry unrelated sites, so prefer domain or URL blocking where your controls allow it.
- Flag any aspnet_compiler.exe execution that is not part of a legitimate .NET build pipeline, in particular instances spawned by powershell.exe, wscript.exe or cscript.exe, or launched with no command-line arguments.
- Monitor for PowerShell scripts performing AES decryption followed by reflective .NET assembly loading.
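The detection logic behind the last two recommendations, as an added example that is not part of the original report. It evaluates a few simple rules over constructed Sysmon-style process-creation records; the records are invented for illustration and are not telemetry from this campaign. The PowerShell command line in the fixture is a generic stand-in, since the report does not quote the dropper's actual invocation, and the list of parents allowed to launch aspnet_compiler.exe is an assumption to be tuned per environment.

```python
"""Detection logic for the ALTERNATE.dll chain, run over process-creation events."""
from __future__ import annotations

import ntpath

# Constructed Sysmon Event ID 1 style records, NOT telemetry from the campaign. The
# PowerShell command line is a generic stand-in for "AES-decrypt, then reflectively load".
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe "C:\Users\u\Downloads\Rendelés_aqualing_2026_22445146200001.js"'},
    {"ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -nop -w hidden -c "$a=New-Object System.Security.Cryptography.AesManaged;'
                    r'$d=$a.CreateDecryptor();[Reflection.Assembly]::Load($bytes)"'},
    {"ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"'},
    {"ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\MSBuild\Current\Bin\MSBuild.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
     "CommandLine": r"aspnet_compiler.exe -v / -p C:\src\WebApp -c C:\out"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe Get-Process"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# ASSUMPTION: parents that legitimately drive aspnet_compiler.exe in a build pipeline.
# Tune to your environment; the point is that script hosts and Office are never on it.
BUILD_PARENTS = {"msbuild.exe", "devenv.exe", "dotnet.exe"}
AES_MARKERS = ("aesmanaged", "aescryptoserviceprovider", "createdecryptor", "system.security.cryptography.aes")
LOAD_MARKERS = ("[reflection.assembly]::load", "[system.reflection.assembly]::load", "assembly.load(")


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def _has_arguments(cmdline: str) -> bool:
    """True if anything follows the program token, whether it is quoted or bare."""
    c = cmdline.strip()
    if c.startswith('"'):
        end = c.find('"', 1)
        rest = c[end + 1:] if end != -1 else ""
    else:
        rest = c.split(None, 1)[1] if " " in c else ""
    return rest.strip() != ""


def evaluate(event: dict) -> list[str]:
    """Return the names of every rule the event trips (empty list = nothing suspicious)."""
    image, parent = _base(event["Image"]), _base(event["ParentImage"])
    cmd = event.get("CommandLine", "").lower()
    hits = []
    if image in POWERSHELL and parent in SCRIPT_HOSTS:
        hits.append("script_host_spawns_powershell")            # stage 1 -> stage 2
    if image in POWERSHELL and any(m in cmd for m in AES_MARKERS) and any(m in cmd for m in LOAD_MARKERS):
        hits.append("powershell_aes_then_reflective_load")      # stage 2 -> stage 3
    if image == "aspnet_compiler.exe":
        if parent not in BUILD_PARENTS:
            hits.append("aspnet_compiler_unexpected_parent")    # stage 3 hollowing target
        if not _has_arguments(event.get("CommandLine", "")):
            # A hollowed host is normally started with its bare path; a genuine
            # precompilation run always carries -v/-p/-c style arguments.
            hits.append("aspnet_compiler_bare_cmdline")
    return hits


def run_detections(events: list[dict]) -> list[list[str]]:
    return [evaluate(e) for e in events]


if __name__ == "__main__":
    for ev, hits in zip(SAMPLE_EVENTS, run_detections(SAMPLE_EVENTS)):
        print(f"{_base(ev['ParentImage'])} -> {_base(ev['Image'])}: {hits or 'clean'}")
```

The two aspnet_compiler.exe rules are deliberately independent: a parent allowlist alone misses a loader that launches the hollowing target through cmd.exe, while the bare-command-line check alone would miss an injector that passes decoy arguments. Correlating either with a preceding `script_host_spawns_powershell` event on the same host reproduces the full kill chain from a single query.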
For the ACBCR site owner:
- The WordPress installation at acbcr[.]ro is actively compromised and hosting malware. The /wp-content/update.ps1 file should be removed immediately.
- Disable directory listing, restrict the wp-json/wp/v2/users endpoint, rotate the admin_acbcr credentials, and audit for webshells. Removing update.ps1 alone does not close the access path the attackers used: update WordPress core, themes and plugins, review the web server and FTP/SSH access logs for the upload, and check for additional administrator accounts and scheduled tasks (wp-cron) the attackers may have added.
Credit to @smica83 for the tip that kicked off this investigation.
Published by Breakglass Intelligence — April 20, 2026