{
  "malware_name": "OpenStrike Expanded Toolkit",
  "campaign_id": "OpenStrike-CSBeacon-Toolkit-172.105.0.126",
  "analysis_date": "2026-04-08",
  "confidence_note": "Confidence levels: HIGH (strong evidence from static reverse engineering), MODERATE (inferred from code structure or partial evidence), LOW (weak/circumstantial evidence). This feed contains ONLY new IOCs not present in the April 6 feed (open-directory-172-105-0-126-20260406-iocs.json), except where an entry is explicitly marked as already present in that feed and is retained here solely as a cross-reference (e.g. the shared AES IV, the port 8443 note). All IOCs derived from static analysis of 106 files recovered from the same open directory; none have been validated against observed network traffic.",

  "file_indicators": {
    "md5": [
      {"hash": "b6e01011e2d38855dd6a4b10a79acffe", "filename": "beacon_windows_x64.exe", "confidence": "HIGH", "context": "Gen-4 OpenStrike beacon — fully reversed, SHA256 key derivation, 10 commands"},
      {"hash": "1cf68b213a6ba7a2b864822cc72ed4fa", "filename": "beacon_loader.exe", "confidence": "HIGH", "context": "Base shellcode loader — VirtualAlloc(RWX) indirect call"},
      {"hash": "08ca0ff3c1e3c38c6e973654689d8346", "filename": "beacon_rdi.exe", "confidence": "HIGH", "context": "RDI loader — hardcoded offset 0x1649c ReflectiveLoader call"},
      {"hash": "e7765cb6d6c71277d49ef4ca7429638c", "filename": "beacon_dl.exe", "confidence": "HIGH", "context": "CreateThread loader — download-mode beacon payload"},
      {"hash": "3d60ae2e584a1be1c264cfdaa12a5e4d", "filename": "covertvpn.dll", "confidence": "HIGH", "context": "CovertVPN L2 bridge — 5 transport channels, WinPcap driver dropper"},
      {"hash": "b5d391099c1376d81ebdc91b3fc55eae", "filename": "dll_loader.exe", "confidence": "HIGH", "context": "Disk-drop DLL loader — hardcoded C:\\Windows\\Temp\\beacon.dll"}
    ],
    "sha1": [
      {"hash": "12fdfc45cdc448581ba3e64479f079caedba81a3", "filename": "beacon_loader.exe", "confidence": "HIGH", "context": "Base shellcode loader"},
      {"hash": "c2ddca25cff8b1187dc59c67c2a7a6386b4ceba9", "filename": "beacon_rdi.exe", "confidence": "HIGH", "context": "RDI loader"},
      {"hash": "5be73b16cfc8ea42fe0695b58da4e994a0dbcc96", "filename": "beacon_dl.exe", "confidence": "HIGH", "context": "CreateThread loader"},
      {"hash": "811589e4982f25f92725e2bc6646d4e5d1e8b7be", "filename": "dll_loader.exe", "confidence": "HIGH", "context": "Disk-drop DLL loader"}
    ],
    "sha256": [
      {"hash": "042761408e83155d24884a72291d9f10803becd790fbcfa6ff65e9e72eb44446", "filename": "beacon_windows_x64.exe", "confidence": "HIGH", "context": "Gen-4 OpenStrike beacon — 10 commands, AES-128-CBC + HMAC-SHA256, key exchange missing (WIP)"},
      {"hash": "03492f128fcc3910bda15f393c30ad3e04f5a50de36464d1e24038f49d889324", "filename": "mini_beacon.exe", "confidence": "HIGH", "context": "Gen-1 OpenStrike prototype — HTTP-only poller, no crypto, no commands"},
      {"hash": "9bdb680d4368713273509e8c104c1903b9790ee725cc2319997e1da705af5ca0", "filename": "mini_beacon2.exe", "confidence": "HIGH", "context": "Gen-2 OpenStrike — RSA-1024 registration, elevation check, no commands"},
      {"hash": "0d050b35abaa2a47340ec925727b0d508605733676552dbc94080c2da9f863d2", "filename": "beacon_full.x64.dll", "confidence": "HIGH", "context": "CS 4.4 beacon DLL — RSA-1024, watermark=0, port 80"},
      {"hash": "3b2d746d0974bb5ffec7d21b47d793fb1eef2af930d639b2f494cbe900fe0c3e", "filename": "beacon_port80.x64.dll", "confidence": "HIGH", "context": "CS 3.x beacon DLL — RSA-2048 Trinity key, watermark=0, port 80"},
      {"hash": "ad1fc7f801bd2166edeeeb5f97fa087bb1769cde57e500a7c0eb2a844e3ad95f", "filename": "beacon80.dll", "confidence": "HIGH", "context": "CS 4.4 beacon DLL — Malleable C2 profile (/en_US/all.js), watermark=987654321, IE9 UA"},
      {"hash": "af688b120db0a3b324e2cd468cfead71b7895a3c815f4026d51ac7fca0cb8ab4", "filename": "covertvpn.dll", "confidence": "HIGH", "context": "CovertVPN L2 bridge — ICMP tunnel, 5 transport channels, embedded WinPcap 4.1.3"},
      {"hash": "701b4f60411a26abfb137f476c9328900843ee5a49780f2fcd23a5cb15498f16", "filename": "artifact32svc.exe", "confidence": "HIGH", "context": "Artifact Kit service variant — EAX-redirect process hollowing, DceRpcSs service"},
      {"hash": "6797ba96336c64648d6bcccdbead8d9ab6f18d77f0108239e31a063b32665770", "filename": "artifact64svc.exe", "confidence": "HIGH", "context": "x64 Artifact Kit service variant — mirrors artifact32svc hollowing pattern"},
      {"hash": "820cf45c92b9cce9536ad108fc4b8c1c501bb6f4e30119b1bef0486670de02e4", "filename": "beacon_dl.exe", "confidence": "HIGH", "context": "Custom CreateThread loader — download-mode beacon payload"},
      {"hash": "89ec81f862be889f6e8bfbad7c3c39410a9039467f1fdfe8752f64a59e113d10", "filename": "beacon_full.exe", "confidence": "HIGH", "context": "Custom CreateThread loader — full-feature beacon payload"},
      {"hash": "04720e01f0599ff97d85f74d1483245c59353bb5ea391f2c4c9cb6ce4ef46d35", "filename": "beacon_loader.exe", "confidence": "HIGH", "context": "Base shellcode indirect-call loader"},
      {"hash": "f0fc7d3b3f7b2fa10b796102889a44d57a7ad403d2038bada3c0fbd983d13c81", "filename": "beacon_rdi.exe", "confidence": "HIGH", "context": "Hardcoded-offset RDI loader — call buf+0x1649c"},
      {"hash": "7c643568b3212363cd97511f2607ad2481b9f3b6f6a829999df469af7c0184b7", "filename": "beacon_srdi2.exe", "confidence": "HIGH", "context": "sRDI v2 loader — same base loader as beacon_loader, 310KB payload"},
      {"hash": "b0f0fe97b653e4564db8cf24cbd4cc2cad46f9c6629b67c2f147e647729f5b46", "filename": "dll_loader.exe", "confidence": "HIGH", "context": "Disk-drop loader — LoadLibraryA(C:\\Windows\\Temp\\beacon.dll), infinite keepalive"},
      {"hash": "8ab7e87b34d65393618fabd5b48017d803e795064d4a290128c3eea1e54742f0", "filename": "dll_exec.exe", "confidence": "HIGH", "context": "Simple LoadLibraryA(argv[1]) utility"},
      {"hash": "86b581e40a9ff912683b6f3579d155a8d765669acbba10d400abce451a898be5", "filename": "stager_http_x64.exe", "confidence": "HIGH", "context": "1KB PE stager — port 80, URI /au2U"},
      {"hash": "f618c8073bbc18f36ebf522aa15e680bf63e867b115c27ab1546c2326507917b", "filename": "stager_http_x64.ps1", "confidence": "HIGH", "context": "PS1 stager wrapper — port 80, URI /msI4"},
      {"hash": "46a74c19bc3fecb149c452c286b912999a43e7808194a55ede4d9a19e56f4081", "filename": "beacon_patched.exe", "confidence": "HIGH", "context": "Artifact-wrapped beacon — Trinity RSA-2048, port 80, watermark 987654321"},
      {"hash": "f0fc7d3b3f7b2fa10b796102889a44d57a7ad403d2038bada3c0fbd983d13c81", "filename": "beacon_cs_debug.exe", "confidence": "HIGH", "context": "Debug beacon config — port 809, 5s sleep, /ga.js URI. NOTE(review): this SHA256 is identical to the beacon_rdi.exe entry above; either the two files are byte-identical (in which case the two differing descriptions cannot both be correct) or this is a copy-paste error — re-hash the sample before relying on the filename attribution of this entry"},
      {"hash": "5c65b88fe12e6116d917e0a04ca57c4d3784d283a350d9e3dcec2691fe7eff2c", "filename": "beacon_x64_sniff.exe", "confidence": "HIGH", "context": "Sniffer beacon config — port 809, /ga.js URI"},
      {"hash": "5dad2214471215e262910e9dcb348cf42c62fc8d8b26a85c8e959d5f1ce78c80", "filename": "hello.exe", "confidence": "MODERATE", "context": ".NET execute-assembly test binary"}
    ],
    "filenames": [
      {"name": "beacon_windows_x64.exe", "confidence": "HIGH", "context": "Gen-4 OpenStrike custom beacon"},
      {"name": "mini_beacon.exe", "confidence": "HIGH", "context": "Gen-1 OpenStrike prototype"},
      {"name": "mini_beacon2.exe", "confidence": "HIGH", "context": "Gen-2 OpenStrike with RSA"},
      {"name": "beacon_loader.exe", "confidence": "HIGH", "context": "Custom shellcode loader"},
      {"name": "beacon_rdi.exe", "confidence": "HIGH", "context": "Custom RDI loader"},
      {"name": "beacon_dl.exe", "confidence": "HIGH", "context": "Custom CreateThread loader"},
      {"name": "beacon_full.exe", "confidence": "HIGH", "context": "Custom CreateThread loader (full payload)"},
      {"name": "beacon_srdi2.exe", "confidence": "HIGH", "context": "Custom sRDI v2 loader"},
      {"name": "dll_loader.exe", "confidence": "HIGH", "context": "Disk-drop DLL loader"},
      {"name": "dll_exec.exe", "confidence": "HIGH", "context": "Simple DLL execution utility"},
      {"name": "artifact32svc.exe", "confidence": "HIGH", "context": "CS Artifact Kit service (x86, EAX-redirect)"},
      {"name": "artifact64svc.exe", "confidence": "HIGH", "context": "CS Artifact Kit service (x64, EAX-redirect)"},
      {"name": "covertvpn.dll", "confidence": "HIGH", "context": "CS CovertVPN L2 bridge module"}
    ],
    "file_paths": [
      {"value": "C:\\Windows\\Temp\\beacon.dll", "confidence": "HIGH", "context": "dll_loader.exe hardcoded DLL drop/load path"}
    ]
  },

  "network_indicators": {
    "ipv4": [
      {"ip": "172.105.0.126", "port": "80", "protocol": "TCP", "confidence": "HIGH", "context": "C2 listener — stagers (/au2U, /msI4) and multiple beacon configs. NOTE: port 8443 C2 already in April 6 feed.", "false_positive_risk": "MODERATE - Linode shared hosting IP; block only in context of associated behavioral indicators"},
      {"ip": "172.105.0.126", "port": "809", "protocol": "TCP", "confidence": "HIGH", "context": "Additional C2 listener — debug and sniffer beacon configs (/ga.js)"},
      {"ip": "172.105.0.126", "port": "50050", "protocol": "TCP", "confidence": "HIGH", "context": "CS team server management port — taken from the recovered team server configuration (see team_server.management_port), not from any beacon config or observed traffic. This port serves operator (client) connections rather than beacon callbacks, so it is an infrastructure-pivot and exposure indicator only if reachable externally; blocking it does not by itself disrupt implant C2 on ports 80/809/8443."}
    ],
    "ipv6": [],
    "domains": [],
    "urls": [
      {"url": "http://172.105.0.126/au2U", "confidence": "HIGH", "context": "Stager shellcode download URI (EXE stager, port 80)"},
      {"url": "http://172.105.0.126/msI4", "confidence": "HIGH", "context": "Stager shellcode download URI (PS1 stager, port 80)"},
      {"url": "http://172.105.0.126/en_US/all.js", "confidence": "HIGH", "context": "beacon80.dll Malleable C2 GET URI (task polling)"},
      {"url": "http://172.105.0.126/submit.php", "confidence": "HIGH", "context": "beacon80.dll and Profile B Malleable C2 POST URI (output submission)"},
      {"url": "http://172.105.0.126/ga.js", "confidence": "HIGH", "context": "Profile B Malleable C2 GET URI — Google Analytics masquerade (3 beacons)"},
      {"url": "http://172.105.0.126:809/ga.js", "confidence": "HIGH", "context": "Profile B on port 809 — debug/sniffer beacon configs"}
    ],
    "user_agents": [
      {"ua": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; BOIE9;ENUSSEM)", "confidence": "HIGH", "context": "beacon80.dll Malleable C2 IE9 User-Agent string (matches the beacon80.dll config entry below)", "false_positive_risk": "MODERATE - a User-Agent string on its own is a weak indicator: this IE9/Trident/5.0 form, including the BOIE9;ENUSSEM suffix, can appear in legitimate legacy browser traffic and in stock Malleable C2 profiles. Baseline it in your environment and alert only in combination with the /en_US/all.js or /submit.php URIs or the C2 IP"}
    ]
  },

  "host_indicators": {
    "registry_keys": [],
    "scheduled_tasks": [],
    "services": [
      {"name": "DceRpcSs", "display_name": "DceRpcSs", "binary_path": "[artifact32svc.exe or artifact64svc.exe path]", "confidence": "HIGH", "context": "Artifact Kit service variant — masquerades as the legitimate Windows RpcSs service by name. The detection anchor is this service name paired with a standalone binary path (the genuine RpcSs runs inside svchost.exe); the binary path is a placeholder because the install location is not fixed in the sample and is chosen at deployment time"},
      {"name": "npf", "display_name": "npf", "binary_path": "%TEMP%\\npf.sys", "confidence": "HIGH", "context": "CovertVPN WinPcap kernel driver service — installed from temp directory. Legitimate WinPcap/Npcap installations also register an npf service, so match on the %TEMP% binary path (and the preceding drop of npf.sys/wpcap.dll/Packet.dll into %TEMP%), not on the service name alone"}
    ],
    "mutexes": [],
    "named_pipes": []
  },

  "behavioral_indicators": {
    "process_patterns": [
      {"pattern": "rundll32.exe spawned with no command-line arguments by a service process, with CREATE_SUSPENDED flag", "confidence": "HIGH", "context": "EAX-redirect process hollowing — Artifact Kit service variant. Detection anchor: SetThreadContext on suspended thread, NOT NtUnmapViewOfSection"},
      {"pattern": "VirtualAllocEx(PAGE_READWRITE) followed by WriteProcessMemory followed by VirtualProtectEx(PAGE_EXECUTE_READ) targeting rundll32.exe", "confidence": "HIGH", "context": "Two-stage RW->RX memory injection (no RWX) in Artifact Kit service variant"},
      {"pattern": "cmd.exe /c executed with CREATE_NO_WINDOW (0x08000000) flag and anonymous pipe stdout/stderr redirection", "confidence": "HIGH", "context": "Gen-4 OpenStrike beacon shell command execution pattern"},
      {"pattern": "HTTP GET /updates?id=[0-9a-f]{8} followed by HTTP POST /submit?id=[0-9a-f]{8} with Content-Type: application/octet-stream", "confidence": "HIGH", "context": "Gen-4 OpenStrike beacon C2 polling and output submission"}
    ],
    "file_access_patterns": [
      {"pattern": "npf.sys, wpcap.dll, and Packet.dll written to %TEMP% directory followed by kernel driver service creation", "confidence": "HIGH", "context": "CovertVPN WinPcap driver deployment sequence"},
      {"pattern": "File created at C:\\Windows\\Temp\\beacon.dll followed by LoadLibraryA call from dll_loader.exe", "confidence": "HIGH", "context": "dll_loader.exe disk-drop DLL loading pattern"},
      {"pattern": "Named pipe created matching \\\\.\\pipe\\MSSE-[0-9]{1,4}-server (range 0-9897)", "confidence": "HIGH", "context": "Artifact Kit default named pipe pattern — MSSE = Microsoft Security Service Extension masquerade. GetTickCount() % 9898 determines pipe number."}
    ]
  },

  "cryptographic_indicators": {
    "rsa_1024_modulus_prefix": "008cadd72dbf3cc108000f1752e32cb6e0ebd1e5f043c4e34301598a5f64f032",
    "rsa_1024_context": "RSA-1024 public key shared across CS 4.4 beacons (beacon_full.x64.dll, beacon80.dll) and gen-2 custom beacon (mini_beacon2.exe). Ties custom implant development to CS 4.4 infrastructure.",
    "aes_iv": "abcdefghijklmnop",
    "aes_iv_context": "Hardcoded AES-128-CBC IV — shared across gen-3 and gen-4 OpenStrike beacons. Already present in the April 6 feed; retained here only as a cross-reference because gen-4 confirms it. A static IV reused across samples is a clustering/attribution pivot (it ties the builds to the same codebase) and a cryptographic weakness, but it does not by itself enable decryption without the key.",
    "cs_watermark_987654321": "987654321",
    "cs_watermark_context": "Second cracked CS distribution watermark — found in beacon80.dll and all 7 artifact-wrapped beacons. Associated with Chinese-language cracked CS packages.",
    "ssl_cert_sha256": "6e8efd85110de376426cde809f25d50ffcbb1d0e39d11c82913757cb277e15dd",
    "ssl_cert_context": "Team server SSL certificate — searchable in Shodan/Censys for infrastructure pivoting",
    "jar_authkey_pub_md5": "8bb4df00c120881a1945a43e2bb2379e",
    "jar_authkey_context": "RSA-2048 public key fingerprint from CS 4.9.1 JAR authkey.pub — does NOT match the .auth file (keypair mismatch confirms mixed cracked builds)"
  },

  "cobalt_strike_configs": [
    {
      "sample": "beacon_full.x64.dll",
      "version": "4.4",
      "port": 80,
      "sleeptime_ms": 5000,
      "jitter_pct": 10,
      "c2_server": "172.105.0.126",
      "get_uri": "/updates",
      "post_uri": "/submit",
      "watermark": 0,
      "rsa_key": "RSA-1024"
    },
    {
      "sample": "beacon_port80.x64.dll",
      "version": "3.x",
      "port": 80,
      "c2_server": "172.105.0.126",
      "get_uri": "/updates",
      "post_uri": "/submit",
      "watermark": 0,
      "rsa_key": "RSA-2048 Trinity"
    },
    {
      "sample": "beacon80.dll",
      "version": "4.4",
      "port": 80,
      "sleeptime_ms": 60000,
      "jitter_pct": 0,
      "c2_server": "172.105.0.126",
      "get_uri": "/en_US/all.js",
      "post_uri": "/submit.php",
      "watermark": 987654321,
      "rsa_key": "RSA-1024",
      "user_agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; BOIE9;ENUSSEM)",
      "malleable_c2": true
    },
    {
      "sample": "beacon_cs_debug.exe (artifact-wrapped)",
      "version": "4.4",
      "port": 809,
      "sleeptime_ms": 5000,
      "c2_server": "172.105.0.126",
      "get_uri": "/ga.js",
      "post_uri": "/submit.php",
      "watermark": 987654321,
      "rsa_key": "RSA-1024"
    }
  ],

  "team_server": {
    "version": "4.9.1",
    "license_tag": "Pwn3rs",
    "management_port": 50050,
    "ssl_cert_sha256": "6e8efd85110de376426cde809f25d50ffcbb1d0e39d11c82913757cb277e15dd",
    "beacons_loaded": 7,
    "listener_type": "HTTP",
    "listener_library": "WinInet",
    "listener_exit_function": "Process",
    "listener_syscall": "None"
  }
}
