high 🔑 Stealer
Published March 12, 2026

XWorm Meets Multi-RAT: A Single Oracle Cloud VPS Running DCRat, Hook, and XWorm Behind LocaltoNet Tunnels

#stealer #xworm #social-engineering #credential-theft #c2 #apt

TL;DR: Two XWorm samples submitted to MalwareBazaar on March 9, 2026 trace back to a single multi-RAT C2 server on Oracle Cloud infrastructure (143.47.53.106, assessed to be free tier) that ThreatFox records as hosting DCRat, the Hook banking trojan, and now XWorm since at least January 2026. The operator hides behind LocaltoNet tunneling to rotate C2 exit IPs without moving servers. One sample is a Go-compiled dropper with only 44% multi-scanner detection that chains hidden PowerShell execution through temp-directory staging. The other is a .NET XWorm/njRAT hybrid disguised as "Token GrabberV2.exe" -- almost certainly distributed through Discord and gaming communities -- packing keylogging, webcam capture, USB spreading, DDoS, and a BSoD kill switch into a single 111 KB binary obfuscated with Control Flow Flattening and Georgian Unicode identifiers.


Two Samples, One Operator

MalwareBazaar received two XWorm-family submissions on March 9. On the surface they look unrelated: one is a 3.4 MB Go binary compiled for x86-64, the other a 111 KB .NET GUI assembly. But infrastructure analysis connects them to the same C2 endpoint -- mzsgu2rhxn.localto.net:3480 -- and during sandbox analysis that endpoint resolved to an Oracle Cloud IP that ThreatFox has recorded hosting commodity RAT C2s since 2026-01-30.

The two samples serve complementary roles in the attack chain. The Go binary is a loader: it drops staging files, invokes hidden PowerShell, and prepares the environment. The .NET binary is the payload: a full-featured RAT with command execution, credential theft, and lateral spreading capabilities.

Sample 1: Go-Based Dropper -- 44% Detection Rate

Property        Value
SHA-256         109b233024348f26571c086aa6aae6eeedb062a704b4a23e0d87dd2234659103
Size            3,564,544 bytes (3.4 MB)
Type            PE32+ executable (console) x86-64, Go
Imphash         d42595b695fc008ef2c56aabd8efd68e
Origin          Sweden
First Seen      2026-03-09 15:39:42 UTC
AV Detection    16/36 engines (44%)

The Go toolchain does a lot of the evasion work here. Go binaries are large, statically linked, and carry their own runtime, and signature heuristics tuned for C/C++ and .NET artefacts handle them poorly. A 16/36 multi-scanner result is a static verdict and says nothing about behavioural detection on a managed endpoint, but at 44% this dropper would still get past the default configuration of many consumer products.

Obfuscated Function Names

The main package contains randomized identifiers -- no semantic meaning, no operational strings:

main.V0RItosZlbN
main.VRanbd8cq28RGC
main.Y9dgSZxw9Ie
main.ZPFxSmvHI2
main.bmH5hXGEvhxg
main.oh8uTMgA2DZb
main.rrKAIy6w

Execution Chain

The dropper follows a predictable but effective staging sequence:

Go binary
  -> cd %temp% & powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command [...]
     -> drops .cmd file (~200 bytes)
     -> drops .bat file (~226 KB)
        -> CMD spawns additional hidden PowerShell
           -> enables SeDebugPrivilege (handle access to other processes for memory writes: injection)

Enabling SeDebugPrivilege is the tell. The privilege is only present in administrator tokens by default, and once enabled it lets the dropper open handles with PROCESS_VM_WRITE and PROCESS_CREATE_THREAD access to processes it could not otherwise touch, including SYSTEM-owned ones -- the standard prerequisite for process injection. Combined with the VM detection techniques YARA flagged during sandbox analysis, this loader is designed to be cautious: it checks its environment before committing the payload.

No direct C2 communication was observed from this sample in the sandbox, which fits its role as a loader: the payload, not the dropper, talks to the C2.

Sample 2: .NET XWorm/njRAT Hybrid -- The Payload

Property        Value
SHA-256         84fae604e319f9bede31f822019f1b35a9a893c0873b195d85b0a9c486f40e9a
Size            114,176 bytes (111 KB)
Type            PE32 executable (GUI), .NET Framework v4.0.30319
Compile Time    2026-03-09 01:48:07 UTC
Internal Name   Token GrabberV2.exe
Imphash         f34d5f2d4577ed6d9ceec516c1f5a744
Origin          Netherlands
GUID            469ff7a0-5aea-4dde-b17b-4b772472a42b
AV Detection    MALICIOUS -- ReversingLabs 66.7%, Kaspersky positive, Triage 10/10

The internal name Token GrabberV2.exe is the social engineering hook. This is almost certainly distributed through Discord servers and gaming communities as a fake "Discord token grabber" -- a common lure targeting younger, less security-aware users who think they are downloading a hacking tool.

Extracted C2 Configuration

C2 Domain:  mzsgu2rhxn.localto.net
C2 Port:    3480
Protocol:   TCP (raw socket, not HTTP)
Tunneling:  LocaltoNet

DNS resolution showed the C2 rotating between Oracle Cloud IPs during the investigation window -- 143.47.53.106 in sandbox, 158.178.201.63 at time of live DNS query. This is the LocaltoNet tunnel doing its job: the operator's actual server stays hidden behind dynamically assigned exit nodes.

Full Capability Matrix

The .NET assembly structure reveals the complete RAT feature set:

Class                   Purpose
Stub.ClientSocket       C2 socket communication with BeginConnect, Ping/Pong keepalive
Stub.Messages           Command dispatch: Plugin, SendMSG, SendError, TD, Monitoring, OpenUrl, Cam
Stub.USB                USB worm spreading (USBStart/USBStop)
Stub.XLogger            Keylogger via SetWindowsHookEx, GetKeyState, MapVirtualKey
Stub.ProcessCritical    BSoD protection via RtlSetProcessIsCritical
Stub.Uninstaller        Self-removal and cleanup
AlgorithmAES            AES-encrypted C2 comms (RijndaelManaged + MD5 key derivation)
Settings                Config: Hosts, Port, KEY, SPL, Sleep, Groub, USBNM, InstallDir, Mutex

Summarized capabilities:

  • Remote shell / command execution
  • Keylogging (low-level keyboard hooks)
  • Webcam capture (capCreateCaptureWindowA)
  • Screen capture (CopyFromScreen, Base64-encoded)
  • DDoS participation
  • USB worm spreading
  • File download/upload (WebClient.DownloadString)
  • Process monitoring
  • URL opening (forces the victim's browser to an operator-chosen URL)
  • Anti-analysis (CheckRemoteDebuggerPresent, RunAntiAnalysis)
  • BSoD kill switch (RtlSetProcessIsCritical -- killing the process crashes Windows)
  • AES-encrypted C2 communication

Obfuscation: Control Flow Flattening with Georgian Unicode

The binary uses Control Flow Flattening (CFF) -- likely from Agile.NET or a similar commercial obfuscator -- to transform method bodies into switch-based state machines. Identifiers use Georgian capital letters from the U+10A0 block (Ⴓ, Ⴐ, Ⴈ, Ⴃ, Ⴅ, Ⴀ, Ⴍ, Ⴗ, Ⴜ), and the User Strings heap is empty. All configuration strings are encoded as byte arrays in FieldRVA entries and decoded at runtime through a CFF-obfuscated function.

This is a step above the usual ConfuserEx protection seen on commodity .NET RATs. It makes static analysis painful and breaks most automated config extractors.
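The scheme the AlgorithmAES class implies (MD5 of the operator's KEY string used directly as an AES key) is simple enough to reproduce, and reproducing it is what a config extractor does once it has the KEY string out of the Settings class. The Go program below is an added example written for this article, not code from the sample or from Breakglass Intelligence. It assumes AES in ECB mode with PKCS7 padding and Base64-encoded ciphertext, which the use of RijndaelManaged does not by itself confirm, and every config value and the KEY string in it are constructed. The recoverKey function shows why MD5 as a key "derivation" is weak: there is no salt and no work factor, so a short candidate list plus one known plaintext recovers the key by trial decryption.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/md5"
	"encoding/base64"
	"errors"
	"fmt"
)

// deriveKey mirrors the MD5 key derivation described for AlgorithmAES: the KEY
// string is hashed once with MD5 and the 16-byte digest is the AES-128 key.
func deriveKey(passphrase string) []byte {
	sum := md5.Sum([]byte(passphrase))
	return sum[:]
}

func pkcs7Pad(b []byte, size int) []byte {
	n := size - len(b)%size
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte, size int) ([]byte, error) {
	if len(b) == 0 || len(b)%size != 0 {
		return nil, errors.New("length is not a multiple of the block size")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > size || n > len(b) {
		return nil, errors.New("bad padding length")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding bytes")
		}
	}
	return b[:len(b)-n], nil
}

// encryptConfig stores one Settings value the way a builder would:
// AES-ECB (assumed mode) under the MD5-derived key, PKCS7 padded, Base64 encoded.
func encryptConfig(passphrase, plaintext string) (string, error) {
	block, err := aes.NewCipher(deriveKey(passphrase))
	if err != nil {
		return "", err
	}
	bs := block.BlockSize()
	in := pkcs7Pad([]byte(plaintext), bs)
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += bs {
		block.Encrypt(out[i:i+bs], in[i:i+bs]) // ECB: each block independently
	}
	return base64.StdEncoding.EncodeToString(out), nil
}

// decryptConfig reverses encryptConfig; feed it the Base64 strings recovered
// from the FieldRVA byte arrays together with the KEY string.
func decryptConfig(passphrase, b64 string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(deriveKey(passphrase))
	if err != nil {
		return "", err
	}
	bs := block.BlockSize()
	if len(raw) == 0 || len(raw)%bs != 0 {
		return "", errors.New("ciphertext is not block aligned")
	}
	out := make([]byte, len(raw))
	for i := 0; i < len(raw); i += bs {
		block.Decrypt(out[i:i+bs], raw[i:i+bs])
	}
	pt, err := pkcs7Unpad(out, bs)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// recoverKey demonstrates the weakness of MD5(passphrase) as a KDF: with a list
// of candidate keys (builder defaults, keys from earlier samples) and one known
// plaintext such as the C2 host, trial decryption identifies the key directly.
func recoverKey(candidates []string, b64, knownPlaintext string) (string, bool) {
	for _, c := range candidates {
		if pt, err := decryptConfig(c, b64); err == nil && pt == knownPlaintext {
			return c, true
		}
	}
	return "", false
}

func main() {
	const key = "example-key-2026" // constructed; not the KEY from the analysed binary
	settings := map[string]string{"Hosts": "mzsgu2rhxn.localto.net", "Port": "3480", "Mutex": "constructed-mutex"}
	encrypted := map[string]string{}
	for name, value := range settings {
		ct, err := encryptConfig(key, value)
		if err != nil {
			panic(err)
		}
		encrypted[name] = ct
	}
	for name, ct := range encrypted {
		pt, _ := decryptConfig(key, ct)
		fmt.Printf("%-6s %s -> %s\n", name, ct, pt)
	}
	guessed, ok := recoverKey([]string{"wrong", "another-guess", key}, encrypted["Hosts"], settings["Hosts"])
	fmt.Println("recovered key:", guessed, ok)
}
```

Run it as-is to see the round trip. Against a real sample the inputs to decryptConfig are the Base64 strings pulled from the FieldRVA byte arrays after the CFF-obfuscated decoder has been reversed, which is the part the obfuscation actually makes expensive; the cryptography itself offers no resistance once the KEY is known or guessable.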

Persistence and Evasion

The RAT establishes persistence through three mechanisms:

  1. Self-copy: Drops CrackedLoader.exe to %TEMP%
  2. Startup folder: Creates CrackedLoader.lnk in %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\
  3. Registry Run key: Adds entry under HKCU\...\Run

Defense evasion is handled by PowerShell commands that add Windows Defender exclusions (Add-MpPreference) before the RAT activates. Add-MpPreference requires an elevated token, so on a standard-user host this step fails and Defender keeps scanning %TEMP%; where it succeeds, it also tells you the RAT is running as administrator. The binary also queries ip-api.com/line/?fields=hosting on first run. That endpoint returns true when the client's public IP belongs to a hosting or datacenter range, so this is most likely a sandbox check: many sandboxes run on cloud infrastructure and would answer true.

C2 Infrastructure: One IP, Three RAT Families

The LocaltoNet Tunnel

LocaltoNet is a legitimate port-forwarding service similar to ngrok. The operator uses it to:

  1. Hide the true C2 server behind dynamically assigned exit IPs
  2. Rotate C2 endpoints without changing malware configuration
  3. Avoid IP-based blocklisting (the exit IPs belong to Oracle Cloud, not a bulletproof host)

The subdomain mzsgu2rhxn is a random string assigned by the service -- it maps to whatever backend the operator has configured. Raw TCP on port 3480, no TLS, no HTTP framing.

143.47.53.106: A Multi-RAT Host

ThreatFox historical data reveals this IP has been running multiple RAT families simultaneously, each on a different port:

Date         Malware                          Port   ThreatFox ID
2026-01-30   DCRat (DarkCrystal RAT)          8090   #1739174
2026-02-05   Hook (Android banking trojan)    9679   #1741341
2026-03-09   XWorm (this campaign)            3480   --

Three RAT families from one IP in under six weeks. The port separation is consistent with a single operator running multiple campaigns from the same VPS: DCRat for Windows credential theft, Hook for Android banking fraud, XWorm for general-purpose remote access -- a commodity operator building a diversified access portfolio. One caveat should travel with that conclusion. The XWorm C2 reached this IP through a LocaltoNet tunnel, and the DNS checks above show the hostname moving to another Oracle Cloud exit. If 143.47.53.106 is itself a LocaltoNet exit node rather than the operator's own VPS, three families on three ports is also what several unrelated tunnel customers sharing one exit would look like. Treat the single-operator link as a moderate-confidence assessment, and anchor detections on the mzsgu2rhxn.localto.net hostname and port pairing rather than on the IP alone.

158.178.201.63: Current DNS Resolution

Property        Value
ASN             AS31898 (ORACLE-BMC-31898)
Organization    Oracle Corporation
Location        Austin, TX

This was the LocaltoNet exit node at the time of the live DNS query. Because LocaltoNet assigns exit IPs dynamically, the address is shared service infrastructure rather than attacker-controlled; blocking it would hit other tunnel users, so pin detections to the hostname and port, not to this IP.

Operator Profile

Assessment: Low-to-mid sophistication, multi-tool operator.

The evidence paints a consistent picture:

  • Free infrastructure: Oracle Cloud (assessed as free tier) plus LocaltoNet's free tunnel tier. Near-zero operational cost.
  • Multi-RAT toolkit: DCRat, Hook, and XWorm from the same IP -- testing multiple tools rather than mastering one.
  • Social engineering lure: "Token GrabberV2.exe" targets Discord/gaming communities. This is a well-worn distribution vector for commodity RATs.
  • CFF obfuscation: Using a commercial-grade obfuscator (likely Agile.NET) shows some sophistication beyond default ConfuserEx.
  • Go loader: The 44% detection rate Go dropper is the most sophisticated component -- Go compilation for AV evasion is a current trend that requires slightly more skill than drag-and-drop builders.

The operator is not an APT. But the combination of low detection rates, tunneled C2, and multi-RAT infrastructure means they are operationally effective despite limited sophistication.

IOC Summary

Network Indicators

mzsgu2rhxn.localto.net:3480    # XWorm C2 domain
143.47.53.106:3480             # XWorm C2 (Oracle Cloud)
143.47.53.106:8090             # DCRat C2 (same operator)
143.47.53.106:9679             # Hook C2 (same operator)
ip-api.com                     # External IP / hosting check

File Indicators

Type      Value                                                              Description
SHA-256   109b233024348f26571c086aa6aae6eeedb062a704b4a23e0d87dd2234659103   Go XWorm dropper
SHA-256   84fae604e319f9bede31f822019f1b35a9a893c0873b195d85b0a9c486f40e9a   .NET XWorm/njRAT hybrid
MD5       1ca66f5770cff04b03e200aab601cdb8                                   Go dropper
MD5       77b02e0f8651bd735edcca3d2666ba1f                                   .NET hybrid
Imphash   d42595b695fc008ef2c56aabd8efd68e                                   Go dropper
Imphash   f34d5f2d4577ed6d9ceec516c1f5a744                                   .NET hybrid

Host Indicators

%TEMP%\CrackedLoader.exe                                                    # Self-copy
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\CrackedLoader.lnk   # Startup LNK
HKCU\Software\Microsoft\Windows\CurrentVersion\Run                          # Registry persistence

Assembly GUID

469ff7a0-5aea-4dde-b17b-4b772472a42b

MITRE ATT&CK Mapping

Tactic              | Technique                                        | ID        | Implementation
Execution           | Command and Scripting Interpreter: PowerShell    | T1059.001 | Hidden PowerShell with ExecutionPolicy Bypass
Execution           | User Execution: Malicious File                   | T1204.002 | "Token GrabberV2.exe" social engineering lure
Persistence         | Boot or Logon Autostart: Registry Run Keys       | T1547.001 | HKCU Run key for CrackedLoader.exe
Persistence         | Boot or Logon Autostart: Startup Folder          | T1547.001 | CrackedLoader.lnk in Startup folder
Defense Evasion     | Impair Defenses: Disable or Modify Tools         | T1562.001 | PowerShell Add-MpPreference Defender exclusions
Defense Evasion     | Obfuscated Files or Information                  | T1027     | CFF obfuscation, Georgian Unicode identifiers, empty User Strings heap
Defense Evasion     | Virtualization/Sandbox Evasion                   | T1497     | VM detection (Go dropper), ip-api.com hosting check
Defense Evasion     | Process Injection                                | T1055     | SeDebugPrivilege enabled for cross-process handle access
Credential Access   | Input Capture: Keylogging                        | T1056.001 | XLogger class with SetWindowsHookEx
Discovery           | System Network Configuration Discovery           | T1016     | ip-api.com external IP lookup
Collection          | Screen Capture                                   | T1113     | CopyFromScreen with Base64 encoding
Collection          | Video Capture                                    | T1125     | Webcam via capCreateCaptureWindowA
Lateral Movement    | Replication Through Removable Media              | T1091     | USB worm spreading (USBStart/USBStop)
Command and Control | Non-Application Layer Protocol                   | T1095     | Raw TCP to LocaltoNet tunnel, no HTTP framing
Command and Control | Encrypted Channel: Symmetric Cryptography        | T1573.001 | AES (RijndaelManaged) encrypted C2 traffic
Command and Control | Protocol Tunneling                               | T1572     | LocaltoNet tunnel obscuring true C2 origin
Impact              | System Shutdown/Reboot                           | T1529     | RtlSetProcessIsCritical: terminating the process triggers a BSoD

Detection Opportunities

Block at the Perimeter

If *.localto.net is not legitimately used in your environment, block it at the DNS or proxy level. The same applies to *.ply.gg (playit.gg) and *.portmap.host (portmap.io) -- all three tunneling services are increasingly abused by XWorm operators as of early 2026. Blocking the hostnames is safer than blocking the Oracle Cloud exit IPs, which the service shares among its users.

Sigma-Style Log Queries

PowerShell execution with the dropper's staging pattern. The string "cd %temp% & powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command ..." is the command line of the cmd.exe the Go binary spawns; the powershell.exe child carries only the flags and has cmd.exe as its parent, so match both:

Image: *\cmd.exe
CommandLine contains all of:
  - "cd %temp%"
  - "powershell"
  - "-WindowStyle Hidden"
  - "-ExecutionPolicy Bypass"

OR

Image: *\powershell.exe
ParentImage: *\cmd.exe
CommandLine contains all of:
  - "-WindowStyle Hidden"
  - "-ExecutionPolicy Bypass"

Match case-insensitively, and remember that PowerShell accepts any unambiguous parameter prefix ("-w hidden -ep bypass"), so a rule pinned to the spelled-out flags is trivial to sidestep.

Defender exclusion abuse (Add-MpPreference only succeeds from an elevated context, so a hit also means the RAT is running as administrator):

CommandLine contains all of:
  - "Add-MpPreference"
  - "-ExclusionPath"
CommandLine contains any of:
  - "$env:TEMP"
  - "%TEMP%"
  - "\AppData\Local\Temp"

Hosting detection check (common across commodity RATs; ip-api.com is a legitimate geolocation service, so use this as enrichment for a process or host already under suspicion rather than as a standalone alert). Note that fields=hosting is a query parameter, not part of the path:

dns.query.name: "ip-api.com"
http.request.uri.path: "/line/"
http.request.uri.query contains: "fields=hosting"
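The three queries above are written as Sigma-style sketches. The Go program below is an added example, not code from the article's authors, that runs the same logic over constructed Sysmon-style process-creation events and a constructed HTTP request, and handles the two things the sketches gloss over: PowerShell parameter abbreviations ("-w hidden -ep bypass" launches the same hidden, policy-bypassing shell as the spelled-out flags) and the fact that fields=hosting is a query parameter rather than part of the URI path. Every event, path and parent process name in it (including dropper.exe) is constructed for the example.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// ProcessEvent holds the fields of a Sysmon Event ID 1 (or Windows 4688)
// record that the rules below need.
type ProcessEvent struct {
	Image       string
	ParentImage string
	CommandLine string
}

// PowerShell accepts any unambiguous prefix of a parameter name, so matching
// only "-WindowStyle Hidden -ExecutionPolicy Bypass" is bypassed by
// "-w hidden -ep bypass". These patterns cover the abbreviations too.
var (
	reHidden = regexp.MustCompile(`(?i)-w[a-z]*\s+hidden\b`)
	reBypass = regexp.MustCompile(`(?i)-e[a-z]*\s+bypass\b`)
)

func baseName(path string) string {
	p := strings.ToLower(path)
	if i := strings.LastIndexAny(p, `\/`); i >= 0 {
		return p[i+1:]
	}
	return p
}

func containsAnyFold(s string, subs ...string) bool {
	ls := strings.ToLower(s)
	for _, sub := range subs {
		if strings.Contains(ls, strings.ToLower(sub)) {
			return true
		}
	}
	return false
}

// matchHiddenPowerShellStaging covers both processes the dropper's chain
// produces: the cmd.exe running "cd %temp% & powershell.exe ..." (its command
// line holds the whole pattern) and the powershell.exe child it spawns.
func matchHiddenPowerShellStaging(ev ProcessEvent) bool {
	hiddenBypass := reHidden.MatchString(ev.CommandLine) && reBypass.MatchString(ev.CommandLine)
	switch baseName(ev.Image) {
	case "cmd.exe":
		return hiddenBypass &&
			containsAnyFold(ev.CommandLine, "cd %temp%", "cd /d %temp%") &&
			containsAnyFold(ev.CommandLine, "powershell")
	case "powershell.exe", "pwsh.exe":
		return hiddenBypass && baseName(ev.ParentImage) == "cmd.exe"
	}
	return false
}

// matchDefenderExclusion flags Add-MpPreference adding an exclusion that points
// at a temp directory. Add-MpPreference needs an elevated token, so a match
// also tells you the RAT is running with administrator rights.
func matchDefenderExclusion(ev ProcessEvent) bool {
	return containsAnyFold(ev.CommandLine, "add-mppreference") &&
		containsAnyFold(ev.CommandLine, "-exclusionpath", "-exclusionprocess", "-exclusionextension") &&
		containsAnyFold(ev.CommandLine, "$env:temp", "%temp%", `\appdata\local\temp`)
}

// matchHostingCheck parses the first-run request to ip-api.com. fields=hosting
// is a query parameter, so the URI is parsed instead of globbing the path.
func matchHostingCheck(host, requestURI string) bool {
	if !strings.EqualFold(strings.TrimSuffix(host, "."), "ip-api.com") {
		return false
	}
	u, err := url.ParseRequestURI(requestURI)
	if err != nil || !strings.HasPrefix(u.Path, "/line") {
		return false
	}
	for _, f := range strings.Split(u.Query().Get("fields"), ",") {
		if strings.EqualFold(strings.TrimSpace(f), "hosting") {
			return true
		}
	}
	return false
}

func main() {
	// Constructed events for illustration; none are taken from the analysed samples.
	events := []ProcessEvent{
		{`C:\Windows\System32\cmd.exe`, `C:\Users\victim\Downloads\dropper.exe`,
			`cmd.exe /c cd %temp% & powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command "<staging omitted>"`},
		{`C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe`, `C:\Windows\System32\cmd.exe`,
			`powershell.exe -w hidden -ep bypass -Command "<staging omitted>"`},
		{`C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe`, `C:\Windows\explorer.exe`,
			`powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1`},
		{`C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe`, `C:\Users\victim\AppData\Local\Temp\CrackedLoader.exe`,
			`powershell.exe -Command "Add-MpPreference -ExclusionPath $env:TEMP"`},
	}
	for i, ev := range events {
		fmt.Printf("event %d: staging=%v defender_exclusion=%v\n", i+1,
			matchHiddenPowerShellStaging(ev), matchDefenderExclusion(ev))
	}
	fmt.Println("hosting check:", matchHostingCheck("ip-api.com", "/line/?fields=hosting"))
}
```

The third constructed event (a scheduled backup script run with -ExecutionPolicy Bypass but without -WindowStyle Hidden and without a cmd.exe parent) is the kind of benign activity the original sketch would have matched on a loose "contains" rule; requiring both flags plus the parent relationship keeps it out without losing the abbreviated-flag variant.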

YARA Rules

Three YARA rules are provided for endpoint and network scanning. The first two are sample-specific; the third is a broader hunting rule for any XWorm build that embeds a LocaltoNet hostname and should be validated against your own binary corpus before it is promoted to alerting.

rule XWorm_Go_Dropper_March2026 {
    meta:
        author = "Breakglass Intelligence"
        date = "2026-03-09"
        description = "Go-compiled XWorm dropper with hidden PowerShell execution chain"
        hash = "109b233024348f26571c086aa6aae6eeedb062a704b4a23e0d87dd2234659103"
        tlp = "TLP:CLEAR"
    strings:
        $go_buildid = "Go build ID:"
        $ps_hidden = "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command"
        $cd_temp = "cd %temp%"
        $go1 = "main.V0RItosZlbN"
        $go2 = "main.VRanbd8cq28RGC"
        $go3 = "main.Y9dgSZxw9Ie"
        $go4 = "main.ZPFxSmvHI2"
        $go5 = "main.bmH5hXGEvhxg"
        $go6 = "main.oh8uTMgA2DZb"
        $go7 = "main.rrKAIy6w"
    condition:
        uint16(0) == 0x5A4D and
        $go_buildid and $ps_hidden and $cd_temp and 3 of ($go*)
}

rule XWorm_njRAT_Hybrid_CFF {
    meta:
        author = "Breakglass Intelligence"
        date = "2026-03-09"
        description = "XWorm/njRAT hybrid with CFF obfuscation and Georgian Unicode identifiers"
        hash = "84fae604e319f9bede31f822019f1b35a9a893c0873b195d85b0a9c486f40e9a"
        tlp = "TLP:CLEAR"
    strings:
        $dotnet = "mscoree.dll" ascii
        $name = "Token GrabberV2" wide
        $cfg1 = "Hosts" ascii
        $cfg2 = "USBNM" ascii
        $cfg3 = "InstallDir" ascii
        $cfg4 = "Groub" ascii
        $cls1 = "ClientSocket" ascii
        $cls2 = "XLogger" ascii
        $cls3 = "AlgorithmAES" ascii
        $cls4 = "ProcessCritical" ascii
        $anti1 = "CheckRemoteDebuggerPresent" ascii
        $anti2 = "RunAntiAnalysis" ascii
        $georgian1 = { E1 82 B3 }
        $georgian2 = { E1 82 B0 }
        $georgian3 = { E1 82 A8 }
    condition:
        uint16(0) == 0x5A4D and $dotnet and $name and
        3 of ($cfg*) and 2 of ($cls*) and
        1 of ($anti*) and 2 of ($georgian*)
}

rule XWorm_LocaltoNet_C2_Generic {
    meta:
        author = "Breakglass Intelligence"
        date = "2026-03-09"
        description = "Generic detection for XWorm variants using LocaltoNet tunneling"
        tlp = "TLP:CLEAR"
    strings:
        $localto = "localto.net" ascii nocase
        $xw1 = "XWorm" ascii nocase
        $xw2 = "XClient" ascii nocase
        $cfg1 = "Hosts" ascii
        $cfg2 = "InstallDir" ascii
        $cfg3 = "USBNM" ascii
        $cfg4 = "Groub" ascii
    condition:
        uint16(0) == 0x5A4D and $localto and
        (1 of ($xw*) or 2 of ($cfg*))
}

Network Signatures

# XWorm C2: LocaltoNet tunnel to known operator IP
alert tcp $HOME_NET any -> 143.47.53.106 3480 \
  (msg:"XWORM C2 to Oracle Cloud multi-RAT host"; \
  flow:established,to_server; sid:2026030901; rev:1;)

# DCRat C2 on the same operator IP
alert tcp $HOME_NET any -> 143.47.53.106 8090 \
  (msg:"DCRAT C2 co-hosted with XWorm operator"; \
  flow:established,to_server; sid:2026030902; rev:1;)

# XWorm: ip-api.com hosting check (sandbox detection)
alert http $HOME_NET any -> any any \
  (msg:"XWORM Sandbox Detection via ip-api hosting check"; \
  content:"ip-api.com"; http_host; content:"/line/"; http_uri; \
  content:"fields=hosting"; http_uri; sid:2026030903; rev:1;)

Published by Breakglass Intelligence. Investigation conducted 2026-03-09. 2 MalwareBazaar samples analyzed. Multi-RAT operator infrastructure mapped across 3 malware families. Classification: TLP:CLEAR
