.text ; disassembly of megadumper-trumvps-five.md

MegaDumper: One Staging Server, Five Years, Zero Detections

Routine infrastructure scan, Singapore range. Shodan query for open directories, HTTP title “Index of”. Most results are misconfigured personal NAS boxes or forgotten test servers. 103.68.109.59 — ASN 136557, Host Universal Pty Ltd, TRUMVPS — is neither. It is hosting eight files with no identifying context and no detections.

Index of /

1.bin           2026-06-23 02:45    378K
1.exe           2026-06-22 23:11    175K
123.bin         2026-06-23 02:52    175K
Clients123.bin  2026-06-24 19:10    377K
dcaat.bin       2026-06-25 23:40    377K
dcaat1.bin      2026-06-24 22:39    379K
dcap91.bin      2026-06-26 11:33    412K
dcaptk1.bin     2026-06-26 11:34    412K

The server tells you more than the files do. Apache/2.4.58 on Win64, OpenSSL/3.1.3, PHP/8.2.12 — XAMPP, running on Windows. That is not what a clean staging host normally looks like. SMB port 445 is also open, authentication required. The clock is misconfigured several days ahead of UTC, which is why some filenames show future timestamps.


What’s in 1.exe

Only one of the eight files has a standard magic signature. 1.exe opens with 4d5a — a PE32 executable. The rest: random-looking bytes, no recognisable header, fully encrypted.

The PE has three sections — .text, .rsrc, .reloc — and a single import: _CorExeMain from mscoree.dll. This is not a native binary. It is a .NET assembly, where all logic runs as MSIL bytecode and the native PE is just a CLR host stub.

Reading the metadata string heap confirms the runtime target:

BSJB
v2.0.50727
Copyright 2011

.NET Framework 2.0 — a runtime first shipped in 2005 and end-of-life long before the staging server even appeared. The Copyright 2011 date either marks when the codebase was originally written or was frozen there on purpose to mess with timelines.

Deeper into the metadata string heap, the purpose becomes clear:

Thread32First / Thread32Next
Process32First / Process32Next
Module32First / Module32Next
GetModuleFileNameEx
VirtualAllocEx / VirtualFreeEx / VirtualQueryEx
CreateRemoteThread
VMRead / GenericRead / ExecuteRead

This is a process enumerator and remote memory reader. The binary can walk every running process, enumerate its modules, and read and write memory in external processes via CreateRemoteThread + VirtualAllocEx — the standard pattern for process injection.

The UI fingerprints are equally specific. Form names MainFormLoad, Form2Load, Form3Load; controls CheckBox, ComboBox, ListView, TextBox; a named view VirtualMemoryView alongside a HeapView. This is a Windows Forms application with a built-in process memory inspector — a credential stealer with an operator GUI.

One string stands out: CheckStatut. French. “Check status.” The developer, or the code they borrowed from, wrote in French.

Another: LinkSourceforgeLinkClicked — a SourceForge URL embedded in the GUI, likely pointing to the public project page or credits.

And buried in the strings: Spotify.


The Historical Record

VirusTotal records files being downloaded from 103.68.109.59 going back to December 20, 2021. The file at that time was also named 1.exe, but it appeared in the platform under a second name: Spotfy.exe. Misspelled Spotify. A social-engineering lure.

That 2021 binary carried a version resource:

ProductName:    MegaDumper
OriginalFileName: MegaDumper.exe
FileVersion:    1.0.7870.28972
LegalCopyright: Copyright 2011

MegaDumper. The name is the whole pitch. A credential dumper, built on a Windows Forms UI, with its own process memory reader and a SourceForge project link baked into the GUI — presumably for the original author’s credits, left intact across every rebuild since.

The VT family tree of similar files shows the binary has been active since at least April 2019 — this actor did not just appear in 2021. The staging server did.

First SeenSHA256ProductNameDets
2019-04-01843827b2dd460aa90ce208736a365594193b061fd81a050b83bf97f078ab9757MegaDumper
2020-08-1066a44a466015e3996f62d80263d15c136be718e3fdd4dbf0b3785b1ee27f5fc6MegaDumper
2021-09-10a52612f0586ec413ab3501e667251fb9d264f8469fbaff3a8720e5aad2074066Microsoft® Windows® Operating System37
2021-09-15440c354463590243075797c7bd1abf4713c7365ce96ee1c36959aaca800fdcdeMicrosoft® Windows® Operating System42
2021-11-083005c9ef39e309dc5a0c51f2ad6ed4b6ba04aa02ea0ef31afec8ca252f3f72ccMegaDumper22
2021-12-208c7f9ec84782eac067ec0c97a307ad21b6283c2800c02293d2cc4bc789df95e0MegaDumper28
2022-01-03d2915c8cbf50b9a555d7ef63b45141ece0f622dc020f33f378b0e92eee2e69b2MegaDumper29
2022-03-23f58d6ac2678c164a972e2d60a658d3e0a7834293b10e8a412f57653ae65b2b07MegaDumper48
2023-01-1703c381ed488688702083667ff6c5dcbeea6fb9a43afcf7602c329f2b95edbd91MegaDumper23
2023-09-209c47f88bb79e137acf53b755f76d5eeec05fbd093c425052395fac4735bed9f0MegaDumper26
2024-03-184896ccea5dd6b6487bbcec6d6d46ac0c797d09effeaa2b212b904094c36c22a4M*3*G*4**D*u*m*p*3*R*11
2026-04-0266ad02669fbe79a9042f3f1be5c2c16603c8a5009d74b8641529e5555e1e1277MegaDumper17
2026-06-22a39bb8a5f205d4cf2b64a042f486df22578505aeede352ca46f72d70d20e758d (current)0

A few patterns are worth calling out.

The Spotify lure has not changed in four years. Spotfy.exe — the same misspelling — appeared as a submission alias for the December 2021 binary, and Spotify sits in the strings of the current one. That is the delivery vehicle: a pirated Spotify installer, probably, or something close to it. The typo is sloppy enough to be real but subtle enough that a victim hurrying to install music software might not notice.

September 2021 saw a different approach. Before the MegaDumper branding solidified, the actor pushed two variants claiming to be Microsoft® Windows® Operating System with OriginalFileName: smartscreen.exe. Both are tagged by VirusTotal as spreaders — observed propagating to additional files or locations. One carries an overlay tag, meaning data was appended after the last PE section, a common way to attach config or a second stage without changing the hash of the main code. Once MegaDumper’s explicit branding took over, the Microsoft impersonation stopped. Distinct phases, distinct objectives.

The detection cycle is the most operationally interesting part. The March 2022 build peaked at 48 detections — that is a lot of AV coverage for a credential stealer trying to stay quiet. The actor responded in March 2024 by rebuilding with leet-speak obfuscation across the product name (M*3*G*4**D*u*m*p*3*R*), dropping the count to 11. By April 2026 they dropped the obfuscation and were back at 17 plain MegaDumper. The June 22 build — staged ten days ago — sits at zero detections. The actor treats the VT detection count as a KPI and rebuilds accordingly.


The Encrypted Payloads

The seven .bin files have fully random first bytes — no standard magic signature. They are encrypted. The sizes cluster into two groups: six files near 377–412K, and 123.bin matching the 1.exe size of 175K exactly — same size, different hash, suggesting a renamed copy of the loader for testing or variant tracking.

Clients123.bin is the most telling filename. In remote-access tooling, a Clients.bin is conventionally the operator’s database of active connections — the list of infected machines, their addresses, connection times, and harvested credentials. The presence of ADO/OLEDB COM interface GUIDs embedded in 1.exe (9613A0E7-5A68-11D3-8F84-00A0C9B4D50C series) confirms the binary uses embedded database functionality to persist and query that client list.

The other named binaries — dcaat.bin, dcaat1.bin, dcap91.bin, dcaptk1.bin — follow a naming pattern suggesting internal versioning or target-specific configurations. Without the decryption key, the contents cannot be read passively.


Infrastructure

PropertyValue
IP103.68.109.59
ASNAS136557 — Host Universal Pty Ltd
Branded asTRUMVPS
CountrySingapore
OSWindows (XAMPP — Apache/2.4.58 Win64, PHP/8.2.12)
Port 80Apache HTTP open directory
Port 445SMB, authentication enabled
First malicious file seen2021-12-20
Current files8 (1 PE + 7 encrypted blobs)
Current PE detections0

SMB with authentication on a staging server is unusual. The most likely explanation is the actor connects to the machine over SMB to push new builds — which fits the pattern of frequent rebuilds. It is also consistent with the lateral propagation behaviour seen in the September 2021 variants, where the binary actively spread to other files.


IOC Summary

Current staging — zero detections, not yet blocked:

FileSHA256Size
1.exea39bb8a5f205d4cf2b64a042f486df22578505aeede352ca46f72d70d20e758d175K
1.binfcec08fcc3cc4711531189d8e9b9f7409c2ccde838dcafe1798e40bafb15ed3d378K
123.bin1a4373323b2411164af1ec2c103446c2f02eb128707285b24695effba6cf429b175K
Clients123.bin155421631f69ef0327b26611da9b28ad4fef82d1d758a257fef71496d8141a9f377K
dcaat.bin823f2406f01baeecfa131bd10c43e5f97847e47643f54e6dd5ef8e5b3e97048f377K
dcaat1.bin1adaa0692dba2d20ce38752ceaa172b964cff39991a079748f67714886134c2a379K
dcap91.binee3951c830957a65b26c04f78935fdd9888d31041872705f7c98b45c12e90c78412K
dcaptk1.bin350835a4371d81d2d18c590fe4cf1b71e7f5f7ef8c56441d657a61cf468a2c00412K

Historical MegaDumper variants (documented):

First SeenSHA256Notes
2019-04-01843827b2dd460aa90ce208736a365594193b061fd81a050b83bf97f078ab9757MegaDumper.exe — earliest known
2020-08-1066a44a466015e3996f62d80263d15c136be718e3fdd4dbf0b3785b1ee27f5fc6MegaDumper.exe
2021-09-10a52612f0586ec413ab3501e667251fb9d264f8469fbaff3a8720e5aad2074066smartscreen.exe spoofing, spreader
2021-09-15440c354463590243075797c7bd1abf4713c7365ce96ee1c36959aaca800fdcdesmartscreen.exe spoofing, spreader + overlay
2021-11-083005c9ef39e309dc5a0c51f2ad6ed4b6ba04aa02ea0ef31afec8ca252f3f72ccMegaDumper.exe
2021-12-208c7f9ec84782eac067ec0c97a307ad21b6283c2800c02293d2cc4bc789df95e0MegaDumper.exe / Spotfy.exe / 1.exe
2022-01-03d2915c8cbf50b9a555d7ef63b45141ece0f622dc020f33f378b0e92eee2e69b2MegaDumper.exe
2022-03-23f58d6ac2678c164a972e2d60a658d3e0a7834293b10e8a412f57653ae65b2b07MegaDumper.exe (48 dets peak)
2023-01-1703c381ed488688702083667ff6c5dcbeea6fb9a43afcf7602c329f2b95edbd91MegaDumper.exe
2023-09-209c47f88bb79e137acf53b755f76d5eeec05fbd093c425052395fac4735bed9f0MegaDumper.exe
2024-03-184896ccea5dd6b6487bbcec6d6d46ac0c797d09effeaa2b212b904094c36c22a4M*3*G*4**D*u*m*p*3*R* (leet evasion)
2026-04-0266ad02669fbe79a9042f3f1be5c2c16603c8a5009d74b8641529e5555e1e1277MegaDumper.exe

Infrastructure:

103.68.109.59   # TRUMVPS Singapore — active staging

What To Do

Block at perimeter:

103.68.109.59

Hunt for the Spotify lure:

Get-ChildItem -Path C:\Users -Recurse -Include "Spotfy*.exe","Spotify*.exe" |
  ForEach-Object {
    $v = (Get-Item $_).VersionInfo
    if ($v.ProductName -like "*MegaDumper*" -or $v.ProductName -like "*Dump*") {
      Write-Output "$($_.FullName) — ProductName: $($v.ProductName)"
    }
  }

YARA:

rule MegaDumper {
    strings:
        $pname  = "MegaDumper" wide ascii
        $copy   = "Copyright 2011" wide ascii
        $french = "CheckStatut" wide ascii
        $sf     = "Sourceforge" wide ascii nocase
    condition:
        uint16(0) == 0x5A4D and 2 of them
}

ESET classification: MSIL/HackTool.Agent.EP


The current build is ten days old and completely undetected. The staging server has been up for five years with no sign of disruption. Binaries get rebuilt; infrastructure does not. That is the underlying bet this actor is making, and so far it is paying off. One thing even a complete rebuild cannot fix: the Spotfy typo has been in the lure since at least 2021, and it is still there.


Passive analysis: VirusTotal file/URL/behavior, Shodan, PE string extraction via HTTP Range requests. No live C2 contact. No credentials tested or used. Encrypted .bin files not decrypted.

← back to listing