Severity: high | Category: Phishing | Investigated: March 7, 2026 | Published: March 7, 2026

WaterHydra Is Back: Tracing a 4-Year DarkMe Builder Through the "vaeeva" OPSEC Failure

Threat Actors: DarkMe
Tags: #phishing #quasarrat #darkme #amadey #c2 #zero-day #exploit #dga #apt #spearphishing

Published: 2026-03-08 | Author: BGI | Classification: TLP:CLEAR

TL;DR

A threat actor operating as evilgrou-tech on GitHub has been attributed with high confidence to the WaterHydra/DarkCasino APT group -- the financially-motivated crew behind CVE-2024-21412 (Windows SmartScreen zero-day) and CVE-2023-38831 (WinRAR zero-day). The link was established through a shared developer workspace path (C:\Users\Administrator\Desktop\vaeeva\shellrundll.tlb) embedded in VB6 type library references across binaries spanning 2022 to 2024, combined with 30 corroborating indicators across code, infrastructure, and targeting. The group's DarkMe VB6 builder -- compiled in May 2022 -- is still producing active malware in March 2026, and their C2 at 91.124.98.29:2626 was confirmed live at time of investigation.


The Fingerprint That Survived Four Years

Attribution in APT tracking usually relies on pattern accumulation -- enough weak signals stacked together to form a convincing case. This investigation has that (30 indicators across 6 categories), but it also has something better: a developer fingerprint that the WaterHydra team tried and failed to scrub.

The Visual Basic 6 IDE embeds type library paths into compiled binaries. These paths reference the developer's local filesystem and are not typically modified by downstream operators using a builder tool. In this case, a path to a personal project directory survived across two distinct compilation campaigns:

Sample                      Date           APT Tag      Embedded Path
Evilnum DLL (74329f35)      July 2022      Evilnum      C:\Users\Administrator\Desktop\vaeeva\shellrundll.tlb
WaterHydra OCX (8f4c32cf)   January 2024   WaterHydra   C:\Users\Administrator\Desktop\vaeeva\shellrundll.tlb

"vaeeva" is not a tool name, a malware family, or a known word. It is a personal workspace directory on the developer's desktop. The fact that it appears in both a 2022 Evilnum-tagged DLL and a 2024 WaterHydra MSI payload means the same developer compiled both. This is the OPSEC failure that ties the entire chain together.

What makes it worse: the WaterHydra team clearly attempted cleanup between 2022 and 2024. Italian variable names (ciapa, tuttidati, segreto) were stripped. The "DarkMe" mutex string was removed. Project names were genericized from ShellRunDllVb to wordpress and functions. But the type library path -- buried in the binary's COM registration metadata -- was missed.


evilgrou-tech: The Operator

Field              Value
Handle             evilgrou-tech
Email              evilgrou@gmail.com
GitHub             github.com/evilgrou-tech (User ID 258457392)
Account Created    January 31, 2026
Activity Window    Jan 31 -- Mar 5, 2026 (34 days)
Language           Russian (all code comments in Cyrillic)
Primary Tools      DarkMe RAT (VB6), QuasarRAT v1.4.1.0 (.NET)
C2                 91.124.98.29 (Ukraine/Blockchain Creek B.V.)
Targeting          Forex traders, financial trading platforms

The handle is assessed as a deliberate reference to the predecessor group: Evilnum becomes Evil grou[p]. This operator still uses the un-cleaned DarkMe builder (Italian strings intact), supplements it with commodity QuasarRAT rather than the custom PikoloRAT the main WaterHydra team uses, and relies on GitHub for payload staging rather than WebDAV shares. This profile is consistent with a lower-tier operator or affiliate within the WaterHydra organization who received the original builder toolkit but not subsequent OPSEC updates.


DarkMe RAT: A VB6 Artifact Still Going Strong

The DarkMe RAT uses a compile-once, patch-config builder model. The builder was compiled on 2022-05-01 22:07:11 UTC (PE timestamp 0x626F048F) and has been producing active samples for nearly four years. Three 2026 DarkMe samples share the identical PE timestamp, entry point (0x12C4), and .text section hash:

.text SHA256: 6ca93b13b5db11414c6ab928aa0243b65927fcce20c16f9bdcfdddd9461726ce

Between unsigned variants, only 21 bytes differ -- the C2 configuration patched at offset 0x14260. Nine samples spanning 2023-2026 share the same VB6 imphash: 3e847ec4ad926dd89c2f4cb28d036c11.
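To cluster builder output the way the paragraph above describes, the following Python is an added example (not code from this write-up or from any DarkMe analysis tooling): it reads the PE timestamp and entry point, lists the byte ranges that differ between two samples, and treats a small differing region as a patched config. The PE-shaped buffer it constructs for testing is synthetic, not a DarkMe sample.

```python
import struct
from typing import List, Tuple


def pe_fingerprint(data: bytes) -> Tuple[int, int]:
    """Return (TimeDateStamp, AddressOfEntryPoint) of a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER
    timestamp = struct.unpack_from("<I", data, coff + 4)[0]
    optional = coff + 20                     # IMAGE_OPTIONAL_HEADER
    entry_point = struct.unpack_from("<I", data, optional + 16)[0]
    return timestamp, entry_point


def diff_ranges(a: bytes, b: bytes) -> List[Tuple[int, int]]:
    """Return [(offset, length), ...] for each run of differing bytes.
    A length difference is reported as one trailing range."""
    n = min(len(a), len(b))
    ranges, start = [], None
    for i in range(n):
        if a[i] != b[i]:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i - start))
            start = None
    if start is not None:
        ranges.append((start, n - start))
    if len(a) != len(b):
        ranges.append((n, abs(len(a) - len(b))))
    return ranges


def same_builder(a: bytes, b: bytes, max_patch: int = 64) -> bool:
    """Compile-once/patch-config check: identical timestamp and entry point,
    and at most max_patch bytes differ (the patched C2 config)."""
    if pe_fingerprint(a) != pe_fingerprint(b):
        return False
    return sum(length for _, length in diff_ranges(a, b)) <= max_patch


def make_test_image(timestamp: int, entry: int, config: bytes) -> bytes:
    """Constructed PE-shaped buffer for exercising the functions above; it is
    not a real DarkMe sample. PE header at 0x80, fake config blob at 0x200."""
    img = bytearray(0x240)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HHI", img, 0x84, 0x14C, 3, timestamp)  # Machine, sections, TimeDateStamp
    struct.pack_into("<H", img, 0x98, 0x10B)                  # PE32 magic
    struct.pack_into("<I", img, 0xA8, entry)                  # AddressOfEntryPoint
    img[0x200:0x200 + len(config)] = config
    return bytes(img)
```

Run over real samples, the differing ranges should collapse onto the config region (0x14260 in the unsigned variants described above) when two files come from the same builder.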

Command Protocol

DarkMe stores commands as reversed UTF-16LE strings -- a minimal anti-analysis technique that defeats static string searches:

Stored (Reversed)   Actual Command   Function
EXELHS              SHLEXE           Shell execute
SLFRTS              STRFLS           Directory listing (type 1)
2LFRTS              STRFL2           Directory listing (type 2)
LIFMNR              RNMFIL           Rename file
LEDLED              DELDEL           Delete file
PAMRID              DIRMAP           Directory mapping
PAMLED              DELMAP           Delete directory
SUTIES              SEITUS           System status/info
OLAPIZ              ZIPALO           Create ZIP archive
TAKIRF              FRIKAT           Suspected screenshot
001003              300100           Drive information

Transport is custom TCP over a SOCKET_WINDOW class (VB6 WSAAsyncSelect), with UDP packets confirmed in sandbox analysis (CAPE #55576: 16 UDP packets to 38.57.44.173:4242). The C2 password is sent in cleartext -- every sample analyzed uses the literal string "password".
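As an added example (not code from the original post), the following Python encodes and decodes commands in DarkMe's stored form and scans a buffer for them by extracting wide strings and reversing each one; the buffer it is run on is constructed, not a captured binary.

```python
import re
from typing import Dict, List, Tuple

# Command table documented above: real command -> function.
DARKME_COMMANDS: Dict[str, str] = {
    "SHLEXE": "Shell execute",
    "STRFLS": "Directory listing (type 1)",
    "STRFL2": "Directory listing (type 2)",
    "RNMFIL": "Rename file",
    "DELDEL": "Delete file",
    "DIRMAP": "Directory mapping",
    "DELMAP": "Delete directory",
    "SEITUS": "System status/info",
    "ZIPALO": "Create ZIP archive",
    "FRIKAT": "Suspected screenshot",
    "300100": "Drive information",
}

# A run of at least four printable ASCII characters encoded as UTF-16LE.
WIDE_STRING = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def to_stored(command: str) -> bytes:
    """Encode a command the way DarkMe stores it: reversed, then UTF-16LE."""
    return command[::-1].encode("utf-16-le")


def from_stored(blob: bytes) -> str:
    """Undo to_stored(): decode UTF-16LE, then reverse."""
    return blob.decode("utf-16-le")[::-1]


def extract_wide_strings(data: bytes) -> List[Tuple[int, str]]:
    """Return (offset, text) for every UTF-16LE printable run in data."""
    return [(m.start(), m.group().decode("utf-16-le")) for m in WIDE_STRING.finditer(data)]


def find_commands(data: bytes) -> List[Tuple[int, str, str]]:
    """Locate stored (reversed) DarkMe commands inside a byte buffer.

    Each hit is (byte offset, real command, function). Searching for the
    forward spelling, e.g. "SHLEXE" as a wide string, finds nothing, which
    is exactly why the reversal defeats naive string triage.
    """
    hits = []
    for base, text in extract_wide_strings(data):
        for command, meaning in DARKME_COMMANDS.items():
            stored = command[::-1]
            idx = text.find(stored)
            while idx != -1:
                hits.append((base + 2 * idx, command, meaning))  # 2 bytes per char
                idx = text.find(stored, idx + 1)
    return sorted(hits)
```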

Persistence Mechanisms

DarkMe EXE variants write to HKLM\...\RunOnce\*RD_ via WScript.Shell.RegWrite. The DLL variant (2022 Evilnum) uses COM CLSID registration executed via rundll32 /sta {CLSID}. The 2024 WaterHydra MSI variant persists through HKCU\...\Run\HomeDLL pointing to rundll32 /sta {AAE802DB-FB67-4407-A175-61223EFF30D4}.
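An added detection example, not part of the original write-up: Python checks over Sysmon-style process-creation and registry-value events for the rundll32 /sta {CLSID} pattern and the Run/RunOnce value names reported here. The sample events are constructed, and the field names (EventID, CommandLine, TargetObject, Details) follow Sysmon naming but are an assumption about whatever telemetry you feed in.

```python
import re
from typing import Dict, List, Optional, Tuple

# rundll32 started with /sta and a bare {CLSID} (COM activation) instead of the
# usual "library.dll,EntryPoint" form.
RUNDLL32_STA = re.compile(
    r"rundll32(?:\.exe)?\"?\s+/sta\s+\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.IGNORECASE)
# Run/RunOnce value under any hive: group(1) is "Once" or None, group(2) the value name.
RUN_VALUE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\([^\\]+)$", re.IGNORECASE)
# Value names reported in this investigation (QuasarRAT and DarkMe variants).
KNOWN_VALUE_NAMES = {"HomeDLL", "Windows Update Runtime Broker",
                     "WindowsUpdateHelper", "OneDriveUpdateHelper"}

def inspect_command_line(cmd: str) -> Optional[str]:
    return "rundll32 /sta {CLSID} COM activation" if RUNDLL32_STA.search(cmd) else None

def inspect_run_value(target: str, data: str) -> Optional[str]:
    m = RUN_VALUE.search(target)
    if not m:
        return None
    once, name = m.group(1), m.group(2)
    if name in KNOWN_VALUE_NAMES:
        return f"known persistence value name: {name}"
    if once and name.startswith("*"):
        return f"RunOnce value '{name}' with '*' prefix (also runs in Safe Mode)"
    if RUNDLL32_STA.search(data):
        return f"Run value '{name}' launches rundll32 /sta {{CLSID}}"
    return None

def scan_events(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Apply both checks to Sysmon-style records (EventID 1 = process creation,
    EventID 13 = registry value set); returns (event index, reason) per alert."""
    alerts = []
    for i, ev in enumerate(events):
        if ev.get("EventID") == "1":
            reason = inspect_command_line(ev.get("CommandLine", ""))
        elif ev.get("EventID") == "13":
            reason = inspect_run_value(ev.get("TargetObject", ""), ev.get("Details", ""))
        else:
            reason = None
        if reason:
            alerts.append((i, reason))
    return alerts

# Constructed sample events (not real telemetry). The CLSID is the one reported for
# the 2024 MSI variant; the GUID in the last record is a made-up placeholder.
RUN = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_EVENTS = [
    {"EventID": "1", "CommandLine": "rundll32 /sta {AAE802DB-FB67-4407-A175-61223EFF30D4}"},
    {"EventID": "1", "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"EventID": "13", "TargetObject": RUN + r"\HomeDLL",
     "Details": "rundll32 /sta {AAE802DB-FB67-4407-A175-61223EFF30D4}"},
    {"EventID": "13", "TargetObject": RUN.replace("HKCU", "HKLM") + r"Once\*RD_",
     "Details": r"C:\Users\victim\AppData\Roaming\svc.exe"},
    {"EventID": "13", "TargetObject": RUN + r"\Updater",
     "Details": "rundll32.exe /sta {11111111-2222-3333-4444-555555555555}"},
]
```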

The Developer's Language

The DarkMe codebase is rich with Italian-language artifacts that fingerprint the original developer:

String           Meaning
ciapa            Northern Italian dialect: "grab/take"
tuttidati        "all data"
segreto          "secret"
stocavoloccio    Vulgar Italian slang
squola           Misspelled "scuola" (school)
estatolui        "it was him"
zalone           Reference to Italian comedian Checco Zalone

The system locale code 0x0C0A (Spanish - Modern Sort) and a Spanish error string ("Error al enviar un paquete, Modulo WinSock32") indicate a bilingual Italian/Spanish developer.


QuasarRAT: Fully Decrypted Configuration

evilgrou-tech supplements DarkMe with QuasarRAT v1.4.1.0, a .NET RAT whose configuration was fully decrypted from a captured binary.

Decrypted C2 Config

Setting             Value
Version             1.4.1
C2 Server           91.124.98.29:2626
Install Path        %APPDATA%\Microsoft\Windows\RuntimeBroker.exe
Mutex               0e24ec19-b49b-4673-881d-cd316a038e80
Registry Key Name   Windows Update Runtime Broker
Campaign Tag        Office04
Encryption Key      2B817FAEAC306BC3D2E98F2F86FA181F91AE1645

Encryption Scheme

Parameter        Value
Algorithm        AES-256-CBC + HMAC-SHA256
Key Derivation   PBKDF2-SHA1, 50,000 iterations
Salt             bfeb1e56fbcd973bb219022430a57843003d5644d21e62b9d4f180e7e6c33941
Packet Format    [4-byte LE length][HMAC-SHA256(32)][IV(16)][AES-CBC ciphertext]
Serialization    protobuf-net
Compression      SafeQuickLZ

The encryption key is the SHA1 thumbprint of a self-signed server certificate:

Subject:     CN = Quasar Server CA
Serial:      a2:1a:8a:2a:b5:91:1c:be:af:52:39:d7:27:b3:59
Algorithm:   sha512WithRSAEncryption
Key:         RSA 4096-bit
Valid From:  Dec 27, 2025 19:39:34 UTC
SHA1:        2B817FAEAC306BC3D2E98F2F86FA181F91AE1645
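The following Python is an added example (not code from the original post or from the QuasarRAT project) that derives key material from the recovered thumbprint and salt and validates the documented frame layout over a TCP stream buffer. Two details not stated above are assumptions: that one PBKDF2 output stream supplies a 32-byte AES key followed by a 64-byte HMAC key, and that the tag is computed over IV plus ciphertext. AES-CBC decryption of the returned ciphertext is outside this block (it needs an AES library); everything here is standard-library Python.

```python
import hashlib
import hmac
import struct
from typing import Optional, Tuple

# Values recovered in the write-up above.
THUMBPRINT = "2B817FAEAC306BC3D2E98F2F86FA181F91AE1645"
SALT = bytes.fromhex("bfeb1e56fbcd973bb219022430a57843003d5644d21e62b9d4f180e7e6c33941")
ITERATIONS = 50000
HMAC_LEN, IV_LEN, AES_KEY_LEN, AUTH_KEY_LEN = 32, 16, 32, 64


def derive_keys(master: str = THUMBPRINT, salt: bytes = SALT) -> Tuple[bytes, bytes]:
    """PBKDF2-SHA1 over the UTF-8 thumbprint string, 50,000 iterations.
    Assumption: one PBKDF2 output stream, 32-byte AES key first, then the
    64-byte HMAC key (the sequential GetBytes pattern of .NET Rfc2898DeriveBytes)."""
    stream = hashlib.pbkdf2_hmac("sha1", master.encode("utf-8"), salt, ITERATIONS,
                                 AES_KEY_LEN + AUTH_KEY_LEN)
    return stream[:AES_KEY_LEN], stream[AES_KEY_LEN:]


def parse_frame(buf: bytes, auth_key: bytes) -> Tuple[Optional[Tuple[bytes, bytes]], bytes]:
    """Consume one [4-byte LE length][HMAC-SHA256][IV][ciphertext] frame.

    Returns ((iv, ciphertext), remaining_bytes) for a complete, authenticated
    frame, (None, buf) when the stream is still incomplete, and raises
    ValueError for a malformed frame or a bad tag. Assumption: the tag is
    HMAC-SHA256 over iv || ciphertext."""
    if len(buf) < 4:
        return None, buf
    length = struct.unpack_from("<I", buf)[0]
    if len(buf) < 4 + length:
        return None, buf
    body, rest = buf[4:4 + length], buf[4 + length:]
    if length < HMAC_LEN + IV_LEN or (length - HMAC_LEN - IV_LEN) % 16:
        raise ValueError("frame too short or ciphertext not block-aligned")
    tag = body[:HMAC_LEN]
    iv = body[HMAC_LEN:HMAC_LEN + IV_LEN]
    ciphertext = body[HMAC_LEN + IV_LEN:]
    expected = hmac.new(auth_key, iv + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("HMAC mismatch: wrong key or tampered frame")
    return (iv, ciphertext), rest


def build_frame(iv: bytes, ciphertext: bytes, auth_key: bytes) -> bytes:
    """Frame a (constructed) IV and ciphertext in the documented layout, so the
    parser can be exercised without a live capture; AES itself is not run here."""
    tag = hmac.new(auth_key, iv + ciphertext, hashlib.sha256).digest()
    body = tag + iv + ciphertext
    return struct.pack("<I", len(body)) + body
```

A captured stream that parses with a valid tag under keys derived from this thumbprint is strong confirmation that the traffic belongs to this operator's Quasar server rather than to some other Quasar deployment.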

Kill Chain

[1] Initial Access        Forex-themed lure (email/forum/Telegram)
       |
[2] Execution             launcher.bat / forex.sct / drive.js
       |                  -> Downloads forex.ps1 from GitHub
[3] AMSI Bypass           amsiInitFailed reflection + AmsiScanBuffer patch
       |                  -> "most stable AMSI bypass for February 2026"
[4] Payload Download      AES-encrypted .dat/.b64 from GitHub repos
       |
[5] AES Decryption        5 different key schemes (see IOCs below)
       |                  -> Validates MZ header before execution
[6] .NET Assembly Load    Assembly.Load(bytes).EntryPoint.Invoke()
       |                  -> Fileless -- no PE dropped to disk
[7] Persistence           Registry Run key + Startup folder shortcut
       |
[8] Process Masquerade    RuntimeBroker.exe / ctfmon.exe / chrome_update.exe
       |
[9] C2 Comms              TLS 1.2 -> 91.124.98.29:2626
                           AES-256-CBC + HMAC-SHA256 + protobuf-net

Recovered AES Keys (5 Schemes)

Key                                 IV                  Source File
OneDriveSecretKeyForAES256123456    OneDriveIV_12345    drive/OneDriveSetup.dat
SHA256(NewSecret_2000_Forex)        16x \x00            drive/forex_2000.b64
SHA256(NewSecret_2026_Forex)        16x \x00            drivers/encrypted.b64
SHA256(EvilGroup2026_SecretKey)     16x \x00            drivers/forex.ps1
WinUpdate2025SuperKey12345678901    WinUpdateIV2025!    grovi/settings.dat

Infrastructure

Active C2: 91.124.98.29

Field          Value
ASN            AS207994 Blockchain Creek B.V.
Hosting        Parrot Systems -- self-described "bulletproof VPS"
Registration   Servcity / Blockchain Creek B.V., Wezepoelstraat 45, 9240 Zele, Belgium
Port 2626      QuasarRAT C2 -- TLS 1.2, ECDHE-RSA-AES256-GCM-SHA384
Port 3389      RDP -- CredSSP/NLA, hostname WIN-0AC24AEI6OV
Behavior       IP-whitelisted -- accepts TLS handshake but does not respond to unknown source IPs
Red Flag       Parent ASN announces bogon prefixes

Blockchain Creek B.V. routes 8 IPv4 prefixes (2,048 IPs) from mixed jurisdictions -- Cyprus, UAE, UK, Jordan, Ukraine, US, France. This is a textbook bulletproof hosting allocation pattern.

Decommissioned C2: 38.57.44.173

Hosted by ThinkHuge (UK-registered, Slough SL1 4PF) on Cogent/Datacamp infrastructure in Secaucus, NJ. DarkMe C2 was on port 4242. All ports closed since approximately August 2025. Two prior OTX associations for Win.Trojan.Midie and Win.Malware.Zard.

ThinkHuge /21 Block: An Almost Entirely Dark Network

A scan of all 2,048 IPs in the 38.57.40.0/21 block revealed infrastructure consistent with bulletproof hosting:

  • Active IPs: 15 of 2,048 (0.7% utilization)
  • Shodan coverage: Zero results across all 2,048 IPs
  • OTX/MalwareBazaar: Zero intelligence on any IP in the block

38.57.40.0/21 (ThinkHuge)
|
+-- 38.57.40.95    Flask C2 "telnet_server" (Werkzeug debug mode ON)
|                  SECRET: UbEujrIJ0uRq66vpJ5nD
+-- 38.57.40.237   Port 7070 custom C2 listener (Windows)
+-- 38.57.41.81    Port 7070 custom C2 listener
+-- 38.57.44.11    Port 7070 custom C2 listener
+-- 38.57.44.173   DarkMe C2 port 4242 (OFFLINE)
+-- 38.57.44.232   Port 7070 custom C2 listener
|
+-- 56 IPs         Dormant snowshoe spam infra (DGA-like domains:
                   fairelement.com, hexadagger.com, wonmaimed.com)
                   Mail-themed rDNS but zero SMTP ports open

Four active hosts on port 7070 across different subnets suggest a shared custom C2 framework operating across the block.

GitHub Payload Staging

Repository              Created        Key Files                                            Purpose
evilgrou-tech/drive     Jan 31, 2026   OneDriveSetup.dat, forex.ps1, launcher.bat           AES-encrypted QuasarRAT (7.2 MB)
evilgrou-tech/drivers   Jan 31, 2026   encrypted.b64, RuntimeBroker.b64, drive.js           AES-encrypted payload + JScript droppers
evilgrou-tech/grovi     Mar 4, 2026    settings.dat, forex.ps1 ("ULTIMATE LOADER v48.1")    AES-encrypted QuasarRAT (3.2 MB)

OPSEC Evolution: What Was Cleaned and What Was Missed

Tracking what a threat actor removes between campaigns is as valuable as tracking what they add. The WaterHydra team made deliberate cleanup efforts between the 2022 Evilnum DLL and the 2024 MSI campaign -- and those efforts reveal what they consider attributable:

Artifact                 Evilnum DLL (2022)   evilgrou-tech EXEs (2026)   WaterHydra OCX (2024)
Italian variable names   Present              Present                     Removed
"DarkMe" string/mutex    Present              Not present                 Removed
Project name             ShellRunDllVb        Project1 (VB6 default)      wordpress / functions
"vaeeva" TLB path        Present              N/A (EXE format)            Still present
C2 in binary             Not embedded         Plaintext at 0x14260        Runtime config

evilgrou-tech's 2026 EXE samples still contain the Italian variable names. This means the operator is using an older, un-cleaned version of the DarkMe builder -- they either never received the sanitized version, or they are working from a toolkit that predates the 2024 OPSEC pass.


Attribution Timeline

2022-05-01  DarkMe VB6 EXE builder compiled (still active in 2026)

2022-07-25  Evilnum DarkMe DLL compiled
            PDB: C:\Users\Administrator\Desktop\ShellRunDllVb.pdb
            TLB: C:\Users\Administrator\Desktop\vaeeva\shellrundll.tlb
            Tagged: apt, DarkMe, Evilnum (reporter: ArkbirdDevil)

2022 H2     NSFOCUS documents "Operation DarkCasino"
            DarkCasino assessed as initially part of Evilnum

Late 2022   DarkCasino/WaterHydra splits from Evilnum
            Develops independent VB-based multi-stage loaders

2023-04     WaterHydra exploits CVE-2023-38831 (WinRAR 0-day)
            130+ trader devices confirmed infected

2023-11     NSFOCUS formally separates DarkCasino from Evilnum

2023-12-31  WaterHydra exploits CVE-2024-21412 (SmartScreen 0-day)

2024-01-11  WaterHydra MSI (oxc.msi) built
            Contains soundtrack.ocx with SAME "vaeeva" path
            Italian strings removed, "DarkMe" brand scrubbed
            BZ.WRAPPED_APPID = "MetaTrader 5"

2024-02-13  Microsoft patches CVE-2024-21412

2025-08     38.57.44.173 last active (DarkMe C2)

2025-12-20  RDP cert created on WIN-0AC24AEI6OV (new VPS provisioned)
2025-12-27  Quasar Server CA cert created (C2 setup begins)

2026-01-31  evilgrou-tech GitHub account created
            "drive" + "drivers" repos: encrypted QuasarRAT payloads

2026-03-04  7 new DarkMe EXEs uploaded to MalwareBazaar
            6 tagged with C2 IP 91.124.98.29
            2 carry fake Microsoft code signing certs
            Reporter: JAMESWT_WT

2026-03-04  "grovi" repo created ("ULTIMATE LOADER v48.1")
2026-03-05  Last known commit

2026-03-07  Investigation initiated -- C2 confirmed LIVE

MITRE ATT&CK Mapping

Technique                                        ID          Usage
Spearphishing Link                               T1566.002   Forex forum posts, Telegram trading channels
User Execution: Malicious File                   T1204.002   Disguised trading lures
Exploitation for Client Execution                T1203       CVE-2024-21412, CVE-2023-38831
Command and Scripting Interpreter: PowerShell    T1059.001   Multi-stage PS1 loaders with AMSI bypass
Ingress Tool Transfer                            T1105       GitHub-staged AES-encrypted payloads
Signed Binary Proxy Execution: Rundll32          T1218.011   rundll32 /sta {CLSID} for DarkMe
Boot/Logon Autostart Execution                   T1547       Registry Run keys, Startup shortcuts
Modify Registry                                  T1112       COM object persistence, Run keys
Obfuscated Files                                 T1027       AES encryption, reversed strings, steganography
Invalid Code Signature                           T1036.001   Fake "Microsoft Corporation" certificates
Mark-of-the-Web Bypass                           T1553.005   CVE-2024-21412 SmartScreen bypass
Screen Capture                                   T1113       DarkMe FRIKAT command
Input Capture: Keylogging                        T1056.001   QuasarRAT Gma.System.MouseKeyHook
Archive Collected Data                           T1560       DarkMe ZIPALO command

Detection

YARA Rules

import "pe"   // required for pe.imphash() below

rule DarkMe_VB6_Imphash {
    meta:
        description = "DarkMe RAT VB6 variants (WaterHydra/DarkCasino APT)"
        author = "breakglass.intelligence"
        date = "2026-03-08"
        tlp = "TLP:CLEAR"
    condition:
        uint16(0) == 0x5A4D and
        pe.imphash() == "3e847ec4ad926dd89c2f4cb28d036c11"
}

rule DarkMe_RAT_Commands {
    meta:
        description = "DarkMe RAT reversed command strings"
        author = "breakglass.intelligence"
        date = "2026-03-08"
    strings:
        $cmd1 = "EXELHS" wide
        $cmd2 = "SLFRTS" wide
        $cmd3 = "OLAPIZ" wide
        $cmd4 = "SOCKET_WINDOW" wide
        $spanish = "Error al enviar un paquete" wide
    condition:
        uint16(0) == 0x5A4D and 3 of them
}

Network Signatures

# Snort/Suricata
alert tls any any -> any 2626 (msg:"QuasarRAT C2 - Quasar Server CA"; \
  tls.cert_subject; content:"Quasar Server CA"; sid:2026030801; rev:1;)

alert udp $HOME_NET any -> $EXTERNAL_NET 4242 (msg:"DarkMe RAT C2"; \
  content:"password"; sid:2026030802; rev:1;)

IOCs

Network Indicators

# Active C2
91.124.98.29:2626              # QuasarRAT + DarkMe (LIVE, Blockchain Creek B.V.)
91.124.98.29:3389              # RDP (CN=WIN-0AC24AEI6OV)

# Decommissioned C2
38.57.44.173:4242              # DarkMe (OFFLINE since Aug 2025)

# ThinkHuge /21 Related Infrastructure
38.57.40.95:80                 # Flask C2 "telnet_server"
38.57.40.237:7070              # Custom C2 listener
38.57.41.81:7070               # Custom C2 listener
38.57.44.11:7070               # Custom C2 listener
38.57.44.232:7070              # Custom C2 listener

# Historical WaterHydra
84.32.189.74                   # WebDAV C2 (CVE-2024-21412)
185.236.231.74                 # DarkMe/PikoloRAT C2 (Operation DarkCasino)

# Staging
github[.]com/evilgrou-tech/drive
github[.]com/evilgrou-tech/drivers
github[.]com/evilgrou-tech/grovi
tinyurl[.]com/42pfukca         # Redirector -> loader.ps1 (ACTIVE)

# WaterHydra Domains
fxbulls[.]ru                   # Compromised WordPress lure
87iavv[.]com                   # CVE-2024-21412 infrastructure

File Hashes (SHA256)

# DarkMe RAT -- Evilnum (2022)
74329f3585df9b4ac4a0bc4476369dc08975201d7fc326d2b0f7b7a4c1eab22b

# DarkMe RAT -- WaterHydra MSI (2024)
c6de06a61756dc3b5d4ee71674d4132971fb7ed8db7b2e504905f23571ed7bf2  # oxc.msi
1cbb6ed84195d88da51de5ecf1fd06815d10b582942fb92266b34ceb5f77e826  # MAFWIKFNMUI9430.ocx
8f4c32cfe1a449fd8bdb929025f61522c574e82a3667c936a306f35976efe2de  # soundtrack.ocx (vaeeva)


Host-Based Indicators

# Registry Persistence
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update Runtime Broker
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdateHelper
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDriveUpdateHelper
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HomeDLL

# File Paths
%APPDATA%\Microsoft\Windows\RuntimeBroker.exe
%LOCALAPPDATA%\Microsoft\CLR_v4\update.ps1
%LOCALAPPDATA%\Microsoft\CLR_v4\Update.bin
%APPDATA%\Microsoft\Windows\Caches\OneDriveSetup.ps1
%APPDATA%\Microsoft\Windows\ctfmon.js

# Startup
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\Windows Defender.lnk

# Process Names (masquerading)
RuntimeBroker.exe, ctfmon.exe, dwm.exe, TextInputHost.exe
chrome_update.exe, edge_update.exe, windows_update.exe

# Mutexes
0e24ec19-b49b-4673-881d-cd316a038e80     # QuasarRAT
Global\OneDriveSync_{USERNAME}            # Loader

# DarkMe VB6 Imphash
3e847ec4ad926dd89c2f4cb28d036c11

# Fake Code Signing Certificate Thumbprints
f850089a914d876ca90a97cbed22da1e1ab7201e5d85406bedfdd5dba72e1a02  # "Microsoft Corporation"
cbf2209d6ee6e791bfcff184e0611c413ce6cf70f998266694db622cea1057d3  # "Microsoft Windows Publisher"

# QuasarRAT Server Certificate
CN=Quasar Server CA
SHA1=2B817FAEAC306BC3D2E98F2F86FA181F91AE1645

Payload Decryption Keys

# QuasarRAT C2 Encryption
PBKDF2 Input:  2B817FAEAC306BC3D2E98F2F86FA181F91AE1645
Salt:          bfeb1e56fbcd973bb219022430a57843003d5644d21e62b9d4f180e7e6c33941
Iterations:    50000
Algorithm:     PBKDF2-SHA1 -> AES-256-CBC + HMAC-SHA256

# Payload AES Keys
OneDriveSecretKeyForAES256123456 / OneDriveIV_12345
SHA256("NewSecret_2000_Forex") / 16x00
SHA256("NewSecret_2026_Forex") / 16x00
SHA256("EvilGroup2026_SecretKey") / 16x00
WinUpdate2025SuperKey12345678901 / WinUpdateIV2025!

Investigation: 16+ hours across multiple sessions. 14 DarkMe samples, 5 QuasarRAT binaries, 1 WaterHydra MSI, and 2 Amadey-distributed variants analyzed. 2,048+ IPs scanned. 21 QuasarRAT settings and 7 payload encryption keys decrypted.
