XWorm RAT Masquerading as "Token GrabberV2" -- Bulletproof Hosting on Shinomiya's Ukrainian Infrastructure

Published: March 12, 2026
Tags: phishing, vidar, stealc, asyncrat, xworm, quasarrat, social-engineering, credential-theft, c2, apt

Published: 2026-03-10
Author: GHOST -- Breakglass Intelligence
Tags: XWorm, NjRAT, bulletproof hosting, Shinomiya, RAT, credential stealer, LocaltoNet, tunneling
Read online: https://intel.breakglass.tech/post/xworm-token-grabber-shinomiya-bph-march-2026


TL;DR: A .NET executable disguised as "Token GrabberV2.exe" -- ostensibly a Discord token grabber tool -- is actually an XWorm RAT variant built on NjRAT class architecture with Georgian script obfuscation and dual-layer AES configuration encryption. Compiled on March 9, 2026, less than 12 hours before its first sandbox submission, the sample operates a dual-path C2 strategy: direct IP connections to Shinomiya Hosting (AS215428) infrastructure in Germany at 85[.]137[.]253[.]58 on ports 9000 and 9090, and a resilient tunnel-based C2 via windowsupdateservice[.]localto[.]net. Investigation of the hosting provider reveals a confirmed bulletproof hosting operation -- Shinomiya's 85.137.253.0/24 subnet alone hosts at least four active malware C2 operations including XWorm, two Vidar stealers, and a Stealc stealer. The registrant is traced to Shostka, Sumska Oblast, Ukraine.


Background

The line between commodity RAT families continues to blur. NjRAT, XWorm, AsyncRAT, and QuasarRAT share significant code lineage, and builders frequently incorporate techniques from multiple families. This investigation began with a sample tagged as "njrat" on MalwareBazaar but confirmed as XWorm by six or more vendor detections. More importantly, the infrastructure behind the sample tells a story bigger than a single malware family -- it exposes a small but active bulletproof hosting provider facilitating multiple simultaneous malware operations.

The primary sample (SHA256: 84fae604e319f9bede31f822019f1b35a9a893c0873b195d85b0a9c486f40e9a) was submitted to MalwareBazaar on March 9, 2026, with first sandbox analysis the same day. The "Token GrabberV2" filename is a social engineering choice targeting Discord and gaming communities -- environments where credential-stealing tools are paradoxically sought out by users who then become victims.

Key Findings

1. XWorm, Not NjRAT -- Family Misattribution Explained

The sample was initially tagged as NjRAT on MalwareBazaar due to its use of NjRAT-derived class architecture. The .NET binary contains type names directly inherited from the NjRAT codebase: Stub.Main, Stub.ClientSocket, Stub.Messages, Stub.USB, Stub.XLogger. However, six or more AV/sandbox vendors independently classify it as XWorm, and the capability set -- including plugin loading via reflective assembly loading, process critical protection via RtlSetProcessIsCritical, and the dual-port C2 architecture -- is consistent with XWorm builder output.

This family overlap is important for defenders: hunting exclusively for "NjRAT" or "XWorm" indicators may miss samples that straddle both classification boundaries.

2. Georgian Script Obfuscation + Dual-Layer AES Encryption

The configuration is protected by two encryption layers:

Layer 1: Custom Byte Array Decoder (MethodDef #243)

Config values are stored as encrypted byte arrays in .NET FieldRVA entries. The decoder uses an XOR-based switch table with base key 0x4568DE80, and each field is decoded with its own seed constant:

  • Host config: seed 0x4568DEC9
  • Port config: seed 0x4568DC8E

Method and field names are obfuscated using Georgian script characters (Unicode block U+10A0-U+10FF), which breaks many automated .NET analysis tools that expect ASCII identifiers.

Layer 2: AES-ECB Decryption (MethodDef #242)

After Layer 1 decoding, all config values pass through AES decryption using RijndaelManaged in ECB mode with a 128-bit key derived via MD5CryptoServiceProvider from the config KEY field.

This dual-layer approach prevented static config extraction during the investigation. Full decryption requires either .NET runtime emulation or interactive debugging with ILSpy/dnSpy.

3. Dual-Path C2 for Resilience

The sample implements a two-path C2 strategy designed to survive single-point blocking:

Path 1 -- Direct IP: 85[.]137[.]253[.]58:9000 and :9090

The primary C2 channel connects directly to an IP hosted on Shinomiya Hosting's AS215428. The host runs Windows Server with IIS 10.0 and also exposes MySQL X Protocol on port 33060, which suggests the operator uses this server for more than just C2 command relay.

Path 2 -- Tunnel-Based: windowsupdateservice[.]localto[.]net

A fallback C2 leveraging LocaltoNet's tunneling service, resolving to 158[.]178[.]201[.]63. The subdomain name windowsupdateservice is a deliberate attempt to blend in with legitimate Windows Update traffic. LocaltoNet provides a legitimate tunneling service similar to ngrok, and the wildcard Let's Encrypt certificate (*.localto.net) means the tunnel gets valid TLS by default.

4. Shinomiya Hosting: A Confirmed Bulletproof Hosting Provider

This is the most significant finding of the investigation. Pivoting from the C2 IP to the broader hosting infrastructure reveals a pattern of systematic malware hosting:

IP Address            Malware Family    Role
85[.]137[.]253[.]13   Vidar Stealer     C2 (HTTPS/443)
85[.]137[.]253[.]36   Stealc Stealer    C2 (HTTP/80)
85[.]137[.]253[.]58   XWorm RAT         C2 (ports 9000, 9090)
85[.]137[.]253[.]62   solidum-pow.org   Crypto mining
85[.]137[.]253[.]74   Vidar Stealer     C2 (HTTPS/443)

Four confirmed malware C2 operations on a single /24 subnet is not coincidental hosting -- it is bulletproof hosting by design. The fact that a crypto mining operation (solidum-pow.org) also occupies the same range reinforces the pattern.

AS215428 Registration Details:

  • Owner: Mykyta Skorobohatko
  • Location: Shostka, Sumska Oblast, Ukraine
  • Maintainers: merox-mnt, shinomiya-mnt, LocalNCC-mnt
  • Website: shinomiya-hosting[.]com

IP Ranges Allocated:

77.105.161.0/24   (since 2024-08-18)
85.137.252.0/24   (since 2025-12-29)
85.137.253.0/24   (since 2025-12-29)  <-- C2 subnet
87.120.107.0/24   (since 2025-03-19)

The hosting provider has been accumulating IP space over 18 months, with the most recent allocations (the 85.137.x.x ranges) dating to late December 2025 -- just months before this malware campaign.

5. Comprehensive RAT Capabilities

The XWorm binary packs a full-featured RAT toolkit:

Category        Capabilities
Surveillance    Keylogging (SetWindowsHookEx), screen capture (GDI+), webcam access (avicap32.dll)
Persistence     Registry Run key, Startup folder placement
Spreading       USB autorun injection (USBStart/USBStop functions)
Protection      Process critical flag via RtlSetProcessIsCritical -- killing the process causes a BSOD
Extensibility   Plugin loading via reflective assembly (AppDomain.Load + MemoryStream)
Anti-Analysis   CheckRemoteDebuggerPresent, GetModuleHandle sandbox checks, ip-api.com hosting detection
Destruction     DDoS module, self-removal (Uninstaller class)
Management      File manager, self-update, process enumeration

The RtlSetProcessIsCritical trick is particularly nasty -- if an incident responder or automated tool terminates the malware process, the victim machine crashes with a Blue Screen of Death. This can cause data loss and complicates forensic analysis.

Attack Chain

Stage 1: Social Engineering
  "Token GrabberV2.exe" distributed via Discord/gaming communities
  Victims believe they are downloading a credential-stealing tool
  Irony: they become the credential theft victim

Stage 2: Execution
  .NET runtime loads PE32 assembly (VB.NET compiled)
  Anti-analysis checks: CheckRemoteDebuggerPresent, GetModuleHandle
  ip-api.com query to detect sandbox/hosting environments

Stage 3: Configuration Decryption
  Layer 1: Byte array decoder with XOR switch table (base key 0x4568DE80)
  Layer 2: AES-ECB decryption (RijndaelManaged + MD5 key derivation)
  Georgian script obfuscated field/method names

Stage 4: Persistence
  Registry: HKCU\...\Run key with binary path
  Filesystem: Copy to Startup folder
  Process: RtlSetProcessIsCritical (BSoD on termination)

Stage 5: C2 Communication
  Primary: Direct TCP to 85[.]137[.]253[.]58:9000/9090
  Fallback: Tunnel via windowsupdateservice[.]localto[.]net
  Protocol: Custom socket-based with Ping/Pong keepalive

Stage 6: Post-Compromise
  Keylogger deployment (XLogger via SetWindowsHookEx)
  Screen capture (GDI+ CopyFromScreen + JPEG encoding)
  Webcam capture (avicap32.dll DirectShow)
  USB worm spreading (autorun injection to removable media)
  Plugin loading for extended capabilities

Infrastructure Analysis

Hosting Hierarchy

The infrastructure follows a layered allocation model common to bulletproof hosting operations:

RIPE NCC
  |
  AS215428 (Shinomiya Hosting -- Mykyta Skorobohatko, Ukraine)
    |
    85.137.253.0/24
      |
      .13 -- Vidar Stealer C2 (port 443)
      .36 -- Stealc Stealer C2 (port 80)
      .55 -- Next.js + PostgreSQL (legitimate or admin panel)
      .58 -- XWorm C2 (this investigation, ports 9000/9090)
      .62 -- solidum-pow.org (crypto mining)
      .74 -- Vidar Stealer C2 (port 443)

The .55 address running Next.js and PostgreSQL is worth noting -- it could be the hosting provider's management panel, a customer's application, or the malware operator's own administrative interface.

Tunnel Infrastructure

The LocaltoNet tunnel adds operational resilience:

Property      Value
Domain        windowsupdateservice[.]localto[.]net
Resolved IP   158[.]178[.]201[.]63
Certificate   Let's Encrypt R13 wildcard (*.localto.net)
Validity      2026-02-14 to 2026-05-15
Services      SSH, DNS, HTTP, HTTPS, 3001

If the direct IP (85.137.253.58) is blocked, the tunnel provides an alternative path that resolves to a completely different IP and ASN. Blocking *.localto.net at the DNS level is the most effective mitigation for the tunnel path.

Operational Timeline

Timestamp              Event
2026-03-09 01:48 UTC   Binary compiled (.NET PE timestamp)
2026-03-09 13:27 UTC   First seen on MalwareBazaar (submitted from NL)
2026-03-09 20:02 UTC   85[.]137[.]253[.]58:9000 reported as XWorm C2 on ThreatFox
2026-03-10 03:01 UTC   windowsupdateservice[.]localto[.]net reported as C2
2026-03-10 15:01 UTC   Second C2 port (9090) reported on ThreatFox

The 12-hour gap between compilation and first sighting suggests either a short testing window or immediate deployment. The rapid escalation from port 9000 to dual-port (9000+9090) within 24 hours suggests the operator was actively expanding or reconfiguring the C2 in real time.

Detection

YARA Summary

Detection rules target the following artifacts:

  • XWorm .NET Structure: The combination of Stub.ClientSocket, Stub.XLogger, Stub.USB, Stub.ProcessCritical, and Stub.AlgorithmAES type names within a single .NET assembly
  • Georgian Script Obfuscation: .NET metadata containing Georgian Unicode characters (U+10A0-U+10FF range) in method or field names
  • AES-ECB Config Pattern: Use of RijndaelManaged with CipherMode.ECB and MD5CryptoServiceProvider for key derivation
  • Process Critical Abuse: Import of RtlSetProcessIsCritical from ntdll.dll in a .NET binary
  • Assembly GUIDs: Module GUID 3ea5cd63-b359-4a49-82bb-566d8da81403 or Assembly GUID 469ff7a0-5aea-4dde-b17b-4b772472a42b
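The Georgian-script identifier artifact described in Key Finding 2 and listed in the YARA summary can be checked without a YARA engine. The following is an added example, not the report's own rule: it scans a byte blob assumed to be the #Strings heap of a .NET assembly (NUL-separated UTF-8 identifiers; feeding the whole file also works, just noisier) and flags names made mostly of characters from U+10A0-U+10FF. The sample heap is constructed for illustration.

```python
"""Flag .NET identifiers obfuscated with Georgian script (U+10A0-U+10FF)."""

GEORGIAN_RANGE = range(0x10A0, 0x1100)   # Unicode "Georgian" block


def georgian_identifiers(strings_heap: bytes, min_ratio: float = 0.5) -> list:
    """Return identifiers whose characters are at least min_ratio Georgian.

    strings_heap is assumed to be the raw #Strings heap (NUL-terminated UTF-8).
    """
    hits = []
    for raw in strings_heap.split(b"\x00"):
        if not raw:
            continue
        try:
            name = raw.decode("utf-8")
        except UnicodeDecodeError:
            continue                      # not a valid UTF-8 identifier, skip
        geo = sum(1 for ch in name if ord(ch) in GEORGIAN_RANGE)
        if geo and geo / len(name) >= min_ratio:
            hits.append(name)
    return hits


def verdict(strings_heap: bytes) -> bool:
    """True when at least two identifiers are Georgian-script obfuscated.

    Two or more is used as the threshold so a single localized string in a
    legitimate assembly does not trigger the check.
    """
    return len(georgian_identifiers(strings_heap)) >= 2


# Constructed heap: NjRAT-style type names from the report plus two
# Georgian-obfuscated member names (these names are made up for the example).
SAMPLE_HEAP = (
    b"\x00Main\x00ClientSocket\x00XLogger\x00"
    + "\u10d0\u10d1\u10d2\u10d3".encode("utf-8") + b"\x00"
    + "\u10e8\u10d4\u10e2\u10e7".encode("utf-8") + b"\x00"
    + b"RtlSetProcessIsCritical\x00"
)

if __name__ == "__main__":
    for ident in georgian_identifiers(SAMPLE_HEAP):
        print("suspicious identifier:", ident, [hex(ord(c)) for c in ident])
    print("obfuscation detected:", verdict(SAMPLE_HEAP))
```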

Suricata Summary

Network detection rules cover:

  • XWorm C2 Traffic: TCP connections to 85[.]137[.]253[.]58 on ports 9000 or 9090 with XWorm-pattern socket data
  • LocaltoNet Tunneling: DNS queries for windowsupdateservice.localto.net or TCP connections to 158[.]178[.]201[.]63 on common tunnel ports
  • Victim Recon: HTTP GET to ip-api[.]com/line/?fields=hosting (sandbox/VM detection)
  • Shinomiya Range: Any outbound connections to 85.137.253.0/24 on non-standard ports (9000, 9090, 33060)
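To hunt for both C2 paths from Key Finding 3 and the Suricata summary above in existing telemetry, here is an added example (not the report's Suricata rules) that classifies connection, DNS and HTTP log lines against the report's network indicators. The tab-separated "kind, source, value" line format and the log lines themselves are constructed for this example; adapt the parser to your own Zeek, proxy or DNS export.

```python
"""Hunt logs for the XWorm direct-IP C2, the LocaltoNet tunnel and the ip-api recon."""
import ipaddress
from typing import Optional

C2_SUBNET = ipaddress.ip_network("85.137.253.0/24")   # Shinomiya /24 from the report
C2_PORTS = {9000, 9090, 33060}                        # XWorm C2 ports + exposed MySQL X
TUNNEL_IP = ipaddress.ip_address("158.178.201.63")    # windowsupdateservice.localto.net
TUNNEL_SUFFIX = ".localto.net"
RECON_URL = "ip-api.com/line/?fields=hosting"


def classify(line: str) -> Optional[str]:
    """Return a finding for one 'kind<TAB>src<TAB>value' line, or None if clean."""
    kind, src, value = line.rstrip("\n").split("\t")
    if kind == "conn":                               # value = dst_ip:dst_port
        ip_str, port_str = value.rsplit(":", 1)
        ip, port = ipaddress.ip_address(ip_str), int(port_str)
        if ip in C2_SUBNET:
            if port in C2_PORTS:
                return f"{src}: direct XWorm C2 path {value} (Shinomiya /24)"
            return f"{src}: connection into Shinomiya /24 {value} (co-hosted stealer C2s)"
        if ip == TUNNEL_IP:
            return f"{src}: LocaltoNet tunnel endpoint {value}"
    elif kind == "dns":                              # value = queried name
        if value.lower().endswith(TUNNEL_SUFFIX):
            return f"{src}: tunnel DNS lookup {value}"
    elif kind == "http":                             # value = host + path
        if value.lower().startswith(RECON_URL):
            return f"{src}: sandbox/hosting check via {value}"
    return None


def hunt(lines) -> list:
    """Run classify() over an iterable of log lines and keep only the findings."""
    return [hit for hit in map(classify, lines) if hit]


# Constructed sample log mixing benign traffic with indicators from this report.
SAMPLE_LOG = [
    "conn\t10.0.0.5\t142.250.80.46:443",
    "conn\t10.0.0.5\t85.137.253.58:9000",
    "conn\t10.0.0.5\t85.137.253.58:9090",
    "dns\t10.0.0.5\twindowsupdateservice.localto.net",
    "conn\t10.0.0.5\t158.178.201.63:443",
    "http\t10.0.0.7\tip-api.com/line/?fields=hosting",
    "conn\t10.0.0.8\t85.137.253.13:443",
    "dns\t10.0.0.9\tupdate.microsoft.com",
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding)
```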

IOCs (Defanged)

Network Indicators

# XWorm C2 (Shinomiya Hosting, AS215428)
85[.]137[.]253[.]58:9000
85[.]137[.]253[.]58:9090

# C2 tunnel (LocaltoNet)
windowsupdateservice[.]localto[.]net
158[.]178[.]201[.]63

# Co-hosted malware C2s on same /24
85[.]137[.]253[.]13   (Vidar stealer)
85[.]137[.]253[.]36   (Stealc stealer)
85[.]137[.]253[.]74   (Vidar stealer)

# Victim IP check
hxxp://ip-api[.]com/line/?fields=hosting

# Shinomiya Hosting full ranges (consider blocking)
85[.]137[.]252[.]0/24
85[.]137[.]253[.]0/24
77[.]105[.]161[.]0/24
87[.]120[.]107[.]0/24

File Indicators

# Primary sample
SHA256: 84fae604e319f9bede31f822019f1b35a9a893c0873b195d85b0a9c486f40e9a
MD5:    77b02e0f8651bd735edcca3d2666ba1f
SHA1:   ee803a4f85baedab1c4eb71872fdc71b79611516
ssdeep: 3072:atBg0zKSHielHLHx7blLPTundZXrYbeVEK:atBX/HrHXbuXYbl
imphash: f34d5f2d4577ed6d9ceec516c1f5a744

# .NET identifiers
Module GUID:   3ea5cd63-b359-4a49-82bb-566d8da81403
Assembly GUID: 469ff7a0-5aea-4dde-b17b-4b772472a42b

Host Indicators

# P/Invoke imports (behavioral)
kernel32.dll!CheckRemoteDebuggerPresent
user32.dll!SetWindowsHookEx
user32.dll!GetKeyState
avicap32.dll!capCreateCaptureWindowA
ntdll.dll!RtlSetProcessIsCritical

# DNS queries
ip-api.com
windowsupdateservice.localto.net
c.pki.goog

# Persistence locations
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\

MITRE ATT&CK Mapping

Tactic               Technique                          ID          Notes
Initial Access       Phishing                           T1566       "Token GrabberV2" social engineering lure
Execution            User Execution: Malicious File     T1204.002   Victim runs disguised executable
Persistence          Registry Run Keys                  T1547.001   HKCU Run key auto-start
Persistence          Boot or Logon Autostart            T1547       Startup folder placement
Defense Evasion      Masquerading                       T1036.005   Disguised as Discord token grabber
Defense Evasion      Obfuscated Files                   T1027       Georgian script + dual AES encryption
Defense Evasion      Debugger Evasion                   T1622       CheckRemoteDebuggerPresent
Defense Evasion      Virtualization/Sandbox Evasion     T1497       ip-api.com hosting detection
Credential Access    Keylogging                         T1056.001   XLogger via SetWindowsHookEx
Discovery            System Information Discovery       T1082       OS, RAM, GPU, CPU enumeration
Discovery            Process Discovery                  T1057       GetProcesses, AV enumeration
Lateral Movement     Replication via Removable Media    T1091       USB autorun spreading
Collection           Screen Capture                     T1113       GDI+ CopyFromScreen
Collection           Video Capture                      T1125       Webcam via avicap32.dll
Command and Control  Application Layer Protocol         T1071       TCP socket C2
Command and Control  Protocol Tunneling                 T1572       LocaltoNet tunnel
Command and Control  Non-Standard Port                  T1571       Ports 9000, 9090
Impact               Endpoint Denial of Service         T1499       DDoS module

Recommendations

Immediate (24-48 hours)

  • Block 85[.]137[.]253[.]0/24 at your perimeter firewall. The confirmed malware density on this range justifies blocking the entire /24.
  • Block DNS resolution for windowsupdateservice[.]localto[.]net. Consider blocking all *.localto.net if your organization does not use LocaltoNet.
  • Search EDR/AV platforms for the SHA256, MD5, and SHA1 hashes listed above.
  • Search proxy/DNS logs for queries to ip-api[.]com/line/ -- this is a common sandbox detection technique but also a reliable indicator of suspicious activity.

Short-term (1-2 weeks)

  • Expand firewall blocks to all Shinomiya Hosting ranges: 85[.]137[.]252-253[.]0/24, 77[.]105[.]161[.]0/24, 87[.]120[.]107[.]0/24.
  • Review all .localto.net DNS traffic in your environment for tunneling abuse patterns.
  • Hunt for the Assembly GUID (469ff7a0-5aea-4dde-b17b-4b772472a42b) and Module GUID (3ea5cd63-b359-4a49-82bb-566d8da81403) in memory forensics and disk scans.
  • Alert on any process calling RtlSetProcessIsCritical -- legitimate usage is extremely rare.

Medium-term (1-3 months)

  • Submit abuse reports to Shinomiya Hosting and LocaltoNet (templates provided in the full investigation report).
  • Consider blocking AS215428 entirely if your risk tolerance allows -- the confirmed BPH status makes legitimate traffic from this ASN unlikely.
  • Monitor ThreatFox for new IOCs associated with Shinomiya Hosting or AS215428.
  • Evaluate blocking tunneling services (localto.net, ngrok, bore.digital) at the DNS level for endpoints that do not require them.
