Severity: Medium | Category: Phishing

XWorm via IPFS: Actor "jerrymac2008" Runs a One-Person Cybercrime Supermarket on Censorship-Resistant Infrastructure

Investigated: March 15, 2026 | Published: March 15, 2026
Tags: phishing, xworm, credential-theft, c2, apt, spearphishing

TL;DR: A four-stage XWorm campaign uses IPFS (InterPlanetary File System) via dweb.link gateways for payload delivery -- a hosting method that cannot be taken down by seizing a domain or killing a server. The JavaScript dropper hides 28 lines of real code inside 34,952 lines of junk padding. Payloads are concealed inside JPEG files using steganographic markers, decoded through a character-substitution-and-reversal pipeline, and injected into MSBuild.exe as a living-off-the-land technique. The actor behind DuckDNS domain jerrymac2008.duckdns.org operates XWorm, Remcos, NjRAT, LucaStealer, and a coinminer from the same ColoCrossing-hosted C2 at 198.23.175.51 -- a full-service criminal operation targeting Spanish-speaking victims with phishing lures like "Solicitar productos" and "Productos de maquinaria."


Why IPFS Changes the Takedown Calculus

The defining feature of this campaign is its payload hosting. Both intermediate payloads -- a 16MB JPEG containing the .NET loader and a 2.1MB JPEG containing the XWorm binary -- are hosted on IPFS, accessed through the dweb.link gateway.

IPFS is a content-addressed distributed filesystem. Content is identified by its cryptographic hash (CID), not by a server location. Blocking dweb.link accomplishes nothing -- the same CID resolves through ipfs.io, cloudflare-ipfs.com, w3s.link, or any other public gateway. There is no registrar to file an abuse report with. There is no hosting provider to issue a takedown to. The content exists on the network as long as any node pins it.

This is not theoretical. The IPFS CIDs in this campaign (bafybeibqcivjhwg2msil5g62did64uhtptlf7epidbrat4gexerzfv5mmq and bafybeibwz6lzwo6u5gkhp3ydl4te3hl3plfkypox6mnejssqwfrpdsmqoy) have been active since at least February 24, 2026. They remain accessible today. Alternate CIDs for the same Fiber.dll loader have also been observed, indicating the actor rotates content hashes while maintaining the same payload.

Traditional network defense relies on the assumption that malicious infrastructure can be disrupted. IPFS-hosted payloads break that assumption.


The Actor: jerrymac2008

The DuckDNS subdomain jerrymac2008.duckdns.org serves as the primary C2. DuckDNS provides free dynamic DNS -- the actor points it at whatever IP they are currently using. Historical resolution data shows rotation across multiple providers:

IP              | ASN     | Provider      | Location
----------------|---------|---------------|----------------------
198.23.175.51   | AS36352 | ColoCrossing  | Buffalo, NY (current)
198.23.175.46   | AS36352 | ColoCrossing  | Buffalo, NY
103.131.131.39  | AS931   | Hyonix/KRIXE  | Tokyo, Japan
38.240.32.108   | Unknown | Unknown       | Unknown

ColoCrossing (AS36352) is a known bulletproof-adjacent hosting provider. The actor maintains multiple IPs within the same /24 block, suggesting they purchase hosting in bulk from abuse-tolerant resellers.

The malware arsenal on this C2 tells the story of a one-person cybercrime operation -- or a small crew running every commodity tool available:

Sample                                     | VT Score | Purpose
-------------------------------------------|----------|------------------------------
xworm.exe                                  | 60/76    | Remote access trojan
remcos.exe                                 | 63/76    | Remote access trojan
XWormClient.exe                            | 49/76    | XWorm client variant
ngrcsh.exe                                 | 67/76    | Unknown (high detection)
Solicitar productos.vbs                    | 29/76    | Spanish-language VBS dropper
Productos de maquinaria.js                 | 30/76    | Spanish-language JS dropper
Machinery products requested.js            | 17/76    | English-language JS dropper
DocSign-5252324258.js                      | 14/76    | DocuSign phishing lure
payload_1.ps1                              | 21/76    | PowerShell payload
coinminer/LucaStealer/NjRAT/Remcos bundle  | 59/76    | Multi-threat package

Spanish-language filenames ("Solicitar productos" = "Request products", "Productos de maquinaria" = "Machinery products") indicate primary targeting of Spain or Latin America. The DocuSign lure suggests the actor also runs English-language campaigns. This is a financially motivated operator casting a wide net with commodity tools, differentiated only by the IPFS delivery mechanism.


Technical Analysis

Stage 1: The 34,952-Line JavaScript Dropper

The entry point is a 1.2MB JavaScript file (185587ce8415c203252f5daf3be5911f.js) designed for Windows Script Host execution. Of its 34,986 lines, 34,952 are identical junk:

this.procreates += "metrostaxis";

This is pure padding. The real code is 28 lines using a double-layer string substitution obfuscation -- two junk delimiters (metrostaxis and Pawak) are interspersed throughout variable names and string literals, then stripped at runtime via .split("metrostaxis").join("") and .split("Pawak").join("").

The deobfuscated logic is straightforward:

  1. Copy itself to the Windows Startup folder for persistence
  2. Build a hex-encoded PowerShell command from a variable with Pawak delimiters interspersed
  3. Launch PowerShell via WMI Win32_Process.Create() with ShowWindow=0 (hidden window)

WMI process creation is a deliberate choice over WScript.Shell.Run() -- it evades process monitoring tools that hook CreateProcess but not WMI's COM-based execution path. The hex-encoded payload decodes to 3,430 characters of PowerShell.
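The padding-plus-delimiter scheme described above is cheap to undo on the analysis side. The script below is an added example, not tooling from the report or code from the dropper itself: it drops the identical junk lines, emulates the `.split(delim).join("")` stripping for both delimiters, and decodes any quoted hex literal that is left. The miniature JavaScript it operates on is constructed here (a handful of padding lines around one real line) and it assumes the hex-encoded command is plain ASCII, which the report does not state.

```python
import re
from typing import Dict, List

JUNK_LINE = 'this.procreates += "metrostaxis";'   # the padding line quoted in the report
DELIMITERS = ("metrostaxis", "Pawak")             # junk tokens the dropper strips at runtime


def _sprinkle(s: str, token: str, every: int = 5) -> str:
    """Insert `token` after every `every` characters (used only to build the sample)."""
    return token.join(s[i:i + every] for i in range(0, len(s), every))


# Constructed miniature of the dropper (not the real 34,986-line file): padding lines
# around one real line whose hex-encoded command has "Pawak" sprinkled through it.
# Assumption: ASCII hex encoding of the command.
_HEX_CMD = "powershell -NoProfile -WindowStyle Hidden".encode("ascii").hex()
SAMPLE_JS = "\n".join(
    [JUNK_LINE] * 50
    + ['var metrostaxisruPawakn = "' + _sprinkle(_HEX_CMD, "Pawak") + '";']
    + [JUNK_LINE]
)


def strip_padding(js: str) -> List[str]:
    """Drop the identical junk lines; whatever remains is the real code."""
    return [ln for ln in js.splitlines() if ln.strip() != JUNK_LINE]


def strip_delimiters(text: str) -> str:
    """Emulate .split(delim).join("") for each junk delimiter, in the dropper's order."""
    for d in DELIMITERS:
        text = text.replace(d, "")
    return text


def decode_hex_literals(text: str) -> List[str]:
    """Find quoted hex strings of plausible length and decode them as ASCII."""
    out = []
    for m in re.finditer(r'"([0-9a-fA-F]{16,})"', text):
        raw = m.group(1)
        if len(raw) % 2:
            continue
        try:
            out.append(bytes.fromhex(raw).decode("ascii"))
        except (ValueError, UnicodeDecodeError):
            continue
    return out


def deobfuscate(js: str) -> Dict[str, object]:
    """Padding removal -> delimiter stripping -> hex decode; returns counts and decoded commands."""
    real = strip_padding(js)
    cleaned = strip_delimiters("\n".join(real))
    return {
        "total_lines": len(js.splitlines()),
        "real_lines": len(real),
        "cleaned_source": cleaned,
        "commands": decode_hex_literals(cleaned),
    }


if __name__ == "__main__":
    r = deobfuscate(SAMPLE_JS)
    print(f"{r['real_lines']} real line(s) of {r['total_lines']}")
    for c in r["commands"]:
        print("decoded:", c)
```

On a real sample the `cleaned_source` is what to read for the Startup-folder copy and the WMI call; the ratio of `real_lines` to `total_lines` is also a usable triage signal on its own.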

Stage 2: PowerShell Stager with IPFS Download

The decoded PowerShell downloads a file named optimized_MSI.png from the first IPFS CID. Despite the .png extension, it is a 16MB JPEG. The stager extracts a hidden .NET assembly from between steganographic delimiters:

  1. Locate IN- (start marker) and -in1 (end marker) in the downloaded file
  2. Replace all # characters with A (base64 character substitution to evade signature matching)
  3. Reverse the entire string
  4. Base64 decode the result to obtain Fiber.dll

The assembly is loaded directly into memory via AppDomain.CurrentDomain.Load() -- no file is written to disk. This is fileless execution.

Stage 3: Fiber.dll (.NET Loader)

Fiber.dll is an 11.5MB .NET assembly (SHA256: b6189e400b3af2b5ed115606c712d758c54de2fd13c93ed2fbfab524ef9d83ff, compile timestamp 2026-03-03) that bundles the PowerShell automation engine and Microsoft.Win32.TaskScheduler. Called via reflection as Fiber.Program.Main() with 19 parameters, it:

  1. Downloads img_063210.png from the second IPFS CID (2.1MB JPEG)
  2. Extracts the XWorm payload from after the JPEG EOI marker (\xFF\xD9), preceded by an INICIO= tag
  3. Applies the same decode pipeline: # to A substitution, string reversal, base64 decode
  4. Spawns MSBuild.exe and injects the 61KB XWorm payload via process injection
  5. Creates a Windows Scheduled Task for persistence
  6. Sets a registry Run key (HKCU\...\Run\FK0M10J8AQ5JWS0M) pointing to %APPDATA%\FK0M10J8AQ5JWS0M.exe
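Stage 2 and Stage 3 use the same three-step decode on two different container layouts, so one extractor covers both when an analyst needs the embedded payload and its hash. The following is an added example, not tooling from the report or from the actor: it assumes the encoded text and markers are ASCII, that the Stage 3 blob may carry trailing whitespace, and the JPEG bytes and payload it runs against are constructed stand-ins, not the real samples.

```python
import base64
import hashlib
from dataclasses import dataclass
from typing import Optional

JPEG_EOI = b"\xff\xd9"                       # JPEG End Of Image marker; Stage 3 data follows it
STAGE2_START, STAGE2_END = b"IN-", b"-in1"   # Stage 2 markers from the report
STAGE3_TAG = b"INICIO="                      # Stage 3 tag from the report


@dataclass
class Extracted:
    stage: str
    payload: bytes
    sha256: str


def decode_pipeline(blob: bytes) -> bytes:
    """The report's decode: '#' -> 'A', reverse the string, base64-decode."""
    text = blob.decode("ascii").replace("#", "A")[::-1]
    return base64.b64decode(text, validate=True)


def extract_stage2(container: bytes) -> Optional[Extracted]:
    """Stage 2 container (optimized_MSI.png): encoded assembly sits between IN- and -in1."""
    start = container.find(STAGE2_START)
    if start < 0:
        return None
    end = container.find(STAGE2_END, start + len(STAGE2_START))
    if end < 0:
        return None
    payload = decode_pipeline(container[start + len(STAGE2_START):end])
    return Extracted("stage2", payload, hashlib.sha256(payload).hexdigest())


def extract_stage3(container: bytes) -> Optional[Extracted]:
    """Stage 3 container (img_063210.png): INICIO= after the JPEG EOI, then the encoded payload."""
    eoi = container.find(JPEG_EOI)
    if eoi < 0:
        return None
    tag = container.find(STAGE3_TAG, eoi)
    if tag < 0:
        return None
    blob = container[tag + len(STAGE3_TAG):].strip()   # assumption: trailing whitespace possible
    payload = decode_pipeline(blob)
    return Extracted("stage3", payload, hashlib.sha256(payload).hexdigest())


# --- Constructed fixtures (not real samples) -------------------------------------
def _encode_for_sample(payload: bytes) -> bytes:
    """Inverse of decode_pipeline; exists only to build the fixtures below."""
    return base64.b64encode(payload)[::-1].replace(b"A", b"#")


SAMPLE_PAYLOAD = b"MZ\x90\x00constructed-placeholder-not-a-real-binary"
_FAKE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16 + JPEG_EOI   # minimal stand-in for image bytes
SAMPLE_STAGE2 = _FAKE_JPEG + STAGE2_START + _encode_for_sample(SAMPLE_PAYLOAD) + STAGE2_END
SAMPLE_STAGE3 = _FAKE_JPEG + STAGE3_TAG + _encode_for_sample(SAMPLE_PAYLOAD) + b"\n"

if __name__ == "__main__":
    for fn, blob in ((extract_stage2, SAMPLE_STAGE2), (extract_stage3, SAMPLE_STAGE3)):
        r = fn(blob)
        print(r.stage, len(r.payload), "bytes, sha256", r.sha256)
```

The resulting SHA256 values are what to compare against the Fiber.dll and extracted-XWorm hashes in the File IOCs section; a mismatch on an otherwise identical container is the first sign the actor has rotated the embedded payload rather than just the CID.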

MSBuild.exe is a Microsoft-signed LOLBin -- security tools that whitelist Microsoft-signed binaries will not flag its outbound network connections unless specifically configured to do so.

Stage 4: XWorm RAT

The final payload connects to 198.23.175.51:4078 (TCP) and resolves jerrymac2008.duckdns.org for C2. XWorm is a commodity RAT with a standard feature set: remote shell, keylogging, screenshot capture, clipboard monitoring, USB spreading, browser credential theft, DDoS module, UAC bypass, and crypto wallet theft. A secondary channel to sharehost.me (Cloudflare CDN) provides update/payload retrieval capability.

Mutex: s5GEomZ0YdjtQjkV.

Kill Chain Summary

Phishing email (Spanish-language lure)
  └─ Stage 1: JS dropper (34,952 junk lines, 28 real)
       ├─ Copies to Startup folder [PERSISTENCE #1]
       └─ WMI → hidden PowerShell
            └─ Stage 2: Downloads 16MB JPEG from IPFS
                 └─ Extracts Fiber.dll via IN-/-in1 steganography
                      └─ Stage 3: Fiber.dll (in-memory .NET loader)
                           ├─ Downloads 2.1MB JPEG from IPFS
                           ├─ Extracts XWorm via INICIO= steganography
                           ├─ Injects into MSBuild.exe [LOLBin]
                           ├─ Creates Scheduled Task [PERSISTENCE #2]
                           └─ Sets HKCU Run key [PERSISTENCE #3]
                                └─ Stage 4: XWorm RAT → C2 on port 4078

Infrastructure

The campaign uses a layered infrastructure model:

Payload delivery: IPFS via dweb.link gateway (cannot be taken down -- content-addressed, decentralized, gateway-agnostic)

Primary C2: 198.23.175.51:4078 on ColoCrossing (AS36352, Buffalo NY) -- bulletproof-adjacent hosting with a history of abuse tolerance. Reverse DNS confirms: 198-23-175-51-host.colocrossing.com.

Dynamic DNS: jerrymac2008.duckdns.org -- free DuckDNS service provides IP rotation without domain registration. The actor has rotated across at least four IPs spanning US and Japanese hosting.

Secondary C2: sharehost.me behind Cloudflare CDN (104.21.34.235, 172.67.166.82) -- update/payload retrieval channel, adds resilience if the primary C2 is blocked.

The IPFS layer is the key differentiator. Even if every C2 IP is blocked and every DuckDNS domain is sinkholed, the IPFS-hosted payloads remain available to any new dropper variant the actor distributes. Defenders must block IPFS gateway domains (or CID patterns) at the proxy layer to disrupt the delivery chain.


MITRE ATT&CK Mapping

Technique                                 | ID        | Implementation
------------------------------------------|-----------|------------------------------------------------
Spearphishing Attachment                  | T1566.001 | JS delivered via phishing email
JavaScript Execution                      | T1059.007 | WSH/WScript JS dropper
PowerShell                                | T1059.001 | Stage 2 stager (hidden, no profile)
Windows Management Instrumentation        | T1047     | Process creation via Win32_Process
Obfuscated Files or Information           | T1027     | 34,952-line junk padding + string substitution
Steganography                             | T1027.003 | Payloads hidden in JPEG files (IN-/-in1, INICIO=)
Deobfuscate/Decode Files                  | T1140     | Multi-step: hex decode, #→A, reversal, base64
Trusted Developer Utilities: MSBuild      | T1127.001 | LOLBin process injection target
Process Injection                         | T1055     | XWorm injected into MSBuild.exe
Web Service: Dead Drop Resolver           | T1102.001 | IPFS for censorship-resistant payload hosting
Boot/Logon Autostart: Startup Folder      | T1547.001 | JS copies self to Startup
Boot/Logon Autostart: Registry Run Keys   | T1547.001 | HKCU Run key for XWorm
Scheduled Task                            | T1053.005 | Fiber.dll creates scheduled task
Ingress Tool Transfer                     | T1105     | Downloads from IPFS gateways
Non-Standard Port                         | T1571     | C2 on TCP 4078
Dynamic Resolution: DuckDNS               | T1568.002 | IP rotation via DuckDNS
Exfiltration Over C2 Channel              | T1041     | XWorm data exfil over TCP 4078
Application Layer Protocol                | T1071.001 | HTTPS to IPFS gateways

Indicators of Compromise

Network IOCs

Indicator                                                                        | Type   | Context
---------------------------------------------------------------------------------|--------|------------------------------------------
198.23.175.51                                                                    | IPv4   | Primary C2 (current, ColoCrossing)
198.23.175.46                                                                    | IPv4   | Historical C2 (ColoCrossing)
103.131.131.39                                                                   | IPv4   | Historical C2 (Hyonix, Japan)
38.240.32.108                                                                    | IPv4   | Historical C2
198.23.175.51:4078                                                               | Socket | XWorm C2 endpoint (TCP)
jerrymac2008.duckdns.org                                                         | Domain | Actor's DuckDNS C2
sharehost.me                                                                     | Domain | Secondary C2/update server
bafybeibqcivjhwg2msil5g62did64uhtptlf7epidbrat4gexerzfv5mmq.ipfs.dweb.link       | URL    | IPFS payload: Fiber.dll container (16MB JPEG)
bafybeibwz6lzwo6u5gkhp3ydl4te3hl3plfkypox6mnejssqwfrpdsmqoy.ipfs.dweb.link       | URL    | IPFS payload: XWorm container (2.1MB JPEG)
bafybeiakt4chhr67cik6paeufqlymb62ihal3ct5dxdy72xb3w2epvdy3i.ipfs.dweb.link       | URL    | Alternate CID (same Fiber.dll)

Host IOCs

Indicator                                                            | Type      | Context
---------------------------------------------------------------------|-----------|---------------------------------------
s5GEomZ0YdjtQjkV                                                     | Mutex     | XWorm mutex
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FK0M10J8AQ5JWS0M  | Registry  | XWorm persistence
%APPDATA%\FK0M10J8AQ5JWS0M.exe                                       | File path | XWorm persistence binary
C:\Users\Public\Downloads\                                           | Directory | Fiber.dll drop location
metrostaxis                                                          | String    | JS obfuscation junk delimiter
Pawak                                                                | String    | JS obfuscation junk delimiter
Fiber.Program                                                        | String    | .NET loader class name
INICIO=                                                              | String    | Steganographic marker (Stage 3 JPEG)
IN- / -in1                                                           | Strings   | Steganographic markers (Stage 2 JPEG)

File IOCs

SHA256                                                           | Description
-----------------------------------------------------------------|----------------------------------------------
c3b55713df418e6bfc1862a39c99d4ee3ec5e0921d773850647ed772b5d2b4ba | Stage 1: JS dropper (1.2MB)
a945e648556cb1ef96710cd1682c9bb989dcfa4809dd7f84f31413aeb87f144a | Stage 2: optimized_MSI.png (Fiber.dll container)
b6189e400b3af2b5ed115606c712d758c54de2fd13c93ed2fbfab524ef9d83ff | Stage 3: Fiber.dll (.NET loader)
ac1684f4a0193d0ebc1c6e11dfba360d5b0457bbd06bcaf7ffcb9b9e870b6c3c | Stage 3: img_063210.png (XWorm container)
a20b86f664e5a2543836f8c6dc8c2a7bdf0233c065e39089e43b15846efa5375 | Stage 4: XWorm payload (extracted, 61KB)
b4ae0aa38f19cf8c917061bcd03ee501ec97faac1582d0b8ca488f8c97c00a53 | xworm.exe (named binary on C2)
f37a7cd7a16d19b21bf595811027faeef598a33730f72d9e3a9c12bfeb8f8813 | XWormClient.exe (related)

Detection Recommendations

Block IPFS gateways at the proxy layer. If your organization has no legitimate use for IPFS, block dweb.link, ipfs.io, cloudflare-ipfs.com, w3s.link, and gateway.pinata.cloud. If IPFS is required, implement CID-based allowlisting and alert on any IPFS URL containing bafybei CID prefixes downloading files larger than 1MB.

Alert on MSBuild.exe making network connections. MSBuild is a build tool. It should never establish outbound TCP connections, particularly on non-standard ports. Any connection from MSBuild to an external IP is a high-confidence indicator of process injection.

Monitor for WMI-spawned PowerShell. The sequence WScript.exe -> WMI Win32_Process.Create -> powershell.exe -NoProfile -WindowStyle Hidden is the exact execution chain in Stage 1. Detection logic should flag WMI process creation events where the command line contains -WindowStyle Hidden.

Hunt for oversized JavaScript files with repetitive content. A 1.2MB .js file with 34,952 identical lines is anomalous. Entropy analysis or line-repetition heuristics on inbound email attachments and web downloads would catch this pattern.

Detect DuckDNS combined with non-standard ports. DNS queries for *.duckdns.org followed by outbound TCP connections on port 4078 from the same host within a short window is a strong behavioral signal for this campaign and similar commodity RAT operations.

Block outbound TCP to 198.23.175.51 and the broader ColoCrossing ranges used by this actor. Monitor for DNS resolution of jerrymac2008.duckdns.org and sharehost.me as network-level trip wires.
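The recommendations above translate into a small set of rules that can be checked against endpoint and proxy telemetry. The script below is an added example, not detection content from the report or from any vendor: the event schema and every event in `SAMPLE_EVENTS` are constructed (the CID, C2 address, port and DuckDNS name are the report's; the hostnames, timestamps and benign noise are invented), the 120-second DNS-to-connection window is an assumed value, and the WMI rule assumes that processes created through Win32_Process.Create appear in telemetry with WmiPrvSE.exe as their parent.

```python
import ipaddress
import re
from collections import Counter
from typing import Dict, Iterable, List

# Gateways named in the report; matched exactly or as any subdomain (the CID-as-subdomain form).
IPFS_GATEWAYS = ("dweb.link", "ipfs.io", "cloudflare-ipfs.com", "w3s.link", "gateway.pinata.cloud")
CID_RE = re.compile(r"bafybei[a-z2-7]{20,}")   # base32 CIDv1 prefix called out in the report
RAT_PORT = 4078                                 # XWorm C2 port from the report
DNS_TO_CONN_WINDOW = 120                        # seconds; assumed correlation window


def wmi_hidden_powershell(ev: Dict) -> bool:
    """Stage 1 chain. Assumption: Win32_Process.Create children show WmiPrvSE.exe as parent."""
    return (ev["type"] == "process"
            and ev["image"].lower().endswith("powershell.exe")
            and ev["parent"].lower().endswith("wmiprvse.exe")
            and "-windowstyle hidden" in ev["cmdline"].lower())


def msbuild_external_conn(ev: Dict) -> bool:
    """Stage 3/4: MSBuild.exe connecting to a non-private address."""
    return (ev["type"] == "netconn"
            and ev["image"].lower().endswith("msbuild.exe")
            and not ipaddress.ip_address(ev["dst_ip"]).is_private)


def ipfs_large_download(ev: Dict, min_bytes: int = 1_000_000) -> bool:
    """Stage 2/3: >1MB fetch via a public gateway, or any URL carrying a bafybei CID."""
    if ev["type"] != "http":
        return False
    host = ev["host"].lower()
    via_gateway = any(host == g or host.endswith("." + g) for g in IPFS_GATEWAYS)
    has_cid = CID_RE.search(host + ev["path"].lower()) is not None
    return (via_gateway or has_cid) and ev["bytes"] >= min_bytes


def duckdns_then_rat_port(events: Iterable[Dict]) -> List[Dict]:
    """Correlate a *.duckdns.org lookup with a TCP/4078 connection from the same host."""
    hits, last_lookup = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "dns" and ev["query"].lower().endswith(".duckdns.org"):
            last_lookup[ev["host_id"]] = ev
        elif ev["type"] == "netconn" and ev["dst_port"] == RAT_PORT:
            dns = last_lookup.get(ev["host_id"])
            if dns and ev["ts"] - dns["ts"] <= DNS_TO_CONN_WINDOW:
                hits.append({"host_id": ev["host_id"], "query": dns["query"], "dst": ev["dst_ip"]})
    return hits


def js_padding_ratio(js_text: str) -> float:
    """Share of non-blank lines taken by the single most repeated line (1.0 == all identical)."""
    lines = [ln for ln in js_text.splitlines() if ln.strip()]
    return Counter(lines).most_common(1)[0][1] / len(lines) if lines else 0.0


def run_detections(events: List[Dict]) -> Dict[str, int]:
    """Apply each rule to the event stream and return hit counts keyed by rule name."""
    return {
        "wmi_hidden_powershell": sum(wmi_hidden_powershell(e) for e in events),
        "msbuild_external_conn": sum(msbuild_external_conn(e) for e in events),
        "ipfs_large_download": sum(ipfs_large_download(e) for e in events),
        "duckdns_then_rat_port": len(duckdns_then_rat_port(events)),
    }


# Constructed telemetry (not real logs): host ws1 follows the report's chain; ws2/ws3 are benign noise.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
MSBUILD = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
SAMPLE_EVENTS = [
    {"type": "process", "ts": 0, "host_id": "ws1", "image": PS, "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand <constructed>"},
    {"type": "process", "ts": 1, "host_id": "ws2", "image": PS, "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe"},                                           # interactive shell, benign
    {"type": "http", "ts": 5, "host_id": "ws1", "bytes": 16_000_000, "path": "/optimized_MSI.png",
     "host": "bafybeibqcivjhwg2msil5g62did64uhtptlf7epidbrat4gexerzfv5mmq.ipfs.dweb.link"},
    {"type": "http", "ts": 6, "host_id": "ws2", "bytes": 2_048, "path": "/", "host": "example.com"},
    {"type": "dns", "ts": 30, "host_id": "ws1", "query": "jerrymac2008.duckdns.org"},
    {"type": "dns", "ts": 31, "host_id": "ws3", "query": "homecam.duckdns.org"},   # lookup with no 4078 follow-up
    {"type": "netconn", "ts": 40, "host_id": "ws1", "image": MSBUILD, "dst_ip": "198.23.175.51", "dst_port": 4078},
    {"type": "netconn", "ts": 41, "host_id": "ws2", "image": MSBUILD, "dst_ip": "10.0.0.5", "dst_port": 443},  # internal
]

if __name__ == "__main__":
    for rule, n in run_detections(SAMPLE_EVENTS).items():
        print(f"{rule:24s} {n}")
```

`js_padding_ratio` is the line-repetition heuristic for email attachments and downloads; on a file shaped like the Stage 1 dropper it returns close to 1.0, while ordinary minified or bundled JavaScript stays far below that. The MSBuild rule will need a baseline in environments where build agents run package restores through MSBuild; the private-address exclusion here is only a starting point.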


Conclusion

This campaign is technically unremarkable in its choice of malware -- XWorm is a commodity RAT available on underground forums for under $100. What distinguishes it is the delivery infrastructure. By hosting payloads on IPFS, the actor has decoupled payload availability from any single server, domain, or hosting provider. The content-addressed nature of IPFS means these payloads will remain accessible as long as any node on the network pins them, regardless of how many gateways are blocked or how many abuse reports are filed.

The actor behind jerrymac2008.duckdns.org is not sophisticated. They used their alias in the C2 domain. They operate from ColoCrossing, a provider well known to threat intelligence teams. Their malware arsenal is entirely commodity. But the IPFS delivery mechanism represents a real and growing challenge for defenders who rely on infrastructure takedowns as part of their response playbook. You cannot seize a CID.

The breadth of the operation -- XWorm, Remcos, NjRAT, LucaStealer, coinminer, Spanish and English phishing lures, DuckDNS for IP rotation -- suggests a financially motivated individual or small group running a cybercrime-as-a-service business. The multi-RAT capability on a single C2 means one compromised machine could be monetized through credential theft, remote access sales, and cryptocurrency mining simultaneously.

IPFS as a malware delivery vector is not new, but its adoption by commodity actors like jerrymac2008 signals that the technique is crossing from proof-of-concept to operational playbook. Defenders should treat IPFS gateway access as a controllable attack surface and implement monitoring accordingly.


IOCs are provided for defensive use. Handle responsibly.

Published 2026-03-15 | BGI Autonomous Threat Hunting | Breakglass Intelligence
