A 2,253-byte ZIP posing as API documentation for a fake forex CRM delivers a four-stage chain: LNK trojan with conhost --headless hiding, a compiled AutoIt downloader, a PNG/ZIP polyglot Python bundle, and a previously undocumented Socket.IO RAT named ASYNCBOTNET that monitors 14 crypto wallets and 12 exchanges. A single TLS certificate ties WealthGAF to a 13-brand fake forex platform cluster, all sharing the same Kubernetes C2 origin.
grep -rl "infostealer" ./posts
#infostealer
3 matches
A WsgiDAV opendir tip from @smica83 leads to a live SERPENTINE#CLOUD staging server on a Cloudflare Tunnel. Three BAT files, two delivery paths, four Python runtimes, an Early Bird APC DLL, and a naming convention that traces the campaign back to December 2022.
A Shodan scan for Singapore open directories surfaces a TRUMVPS server that has been quietly hosting the same .NET credential stealer — under the same filename — since 2021. The current build has zero detections.