{
  "metadata": {
    "malware_name": "CVE-2026-41940 cPanel Harvester Toolkit (operator-built, unnamed)",
    "family": "Unattributed operator-built Python/Bash toolkit; possible 'Beast' self-branding (unverified)",
    "campaign_id": "OpenDirectory-CVE-2026-41940-cPanel-Harvester-216.126.227.49",
    "campaign_slug": "opendirectory-216-126-227-49-cve-2026-41940-cpanel-harvester-20260517",
    "report_date": "2026-05-17",
    "analyst": "The Hunters Ledger",
    "confidence": "HIGH",
    "tlp": "CLEAR",
    "evidence_posture": "Operator-side artifacts (infrastructure, filenames, sizes, hashes). Use them for infrastructure hunting and for matching other open directories or leaked operator hosts — NOT for victim-endpoint scanning, since these are the operator's own tools and will not be present on compromised cPanel/WHM servers. Toolkit source code was not retained and cannot be recovered; only the filenames, sizes and hashes below survive, so where a per-file 'context' entry is not corroborated by live infrastructure it should be read as an inference from the filename rather than a confirmed code-review finding.",
    "vt_coverage_note": "7 of the 37 toolkit hashes (the most distinctive ones) were checked on VirusTotal and all 7 returned 'File not found'; the remaining 30 were not checked. Absence from VirusTotal indicates operator-bespoke tooling not yet seen by the wider community — it is not evidence that the files are benign and should not lower the HUNT priority of any hash."
  },
  "file_hashes": {
    "md5": [],
    "sha1": [],
    "sha256": [
      {
        "value": "4b054892b4a5d7811f57562552d1ea0e8ea5bfbf705ceb71e91126482b650a47",
        "filename": "pipeline-41940.sh",
        "size_bytes": 10219,
        "confidence": "HIGH",
        "context": "CVE-2026-41940 weaponization orchestrator (filename encodes CVE)",
        "action": "HUNT"
      },
      {
        "value": "16855dfbb2a8ec40ffa98c5777e598f353e84c4793a0691fa2cb26384e2c23d8",
        "filename": "live-dashboard-v10.py",
        "size_bytes": 34294,
        "confidence": "HIGH",
        "context": "Operator main Flask C2 dashboard (matches live port-8888 service)",
        "action": "HUNT"
      },
      {
        "value": "0442691db9f9aa7cfdc8f04036f74b4b042dce0101325dd30f5ef4d27aa99d2e",
        "filename": "beast-dashboard.py",
        "size_bytes": 14812,
        "confidence": "HIGH",
        "context": "Earlier or alternate dashboard variant (Beast brand)",
        "action": "HUNT"
      },
      {
        "value": "0e566c38bf4046a92dbbec97e27711ec8691006362869fe6aa3c875e3f5b86c4",
        "filename": "fix_dashboard.py",
        "size_bytes": 3025,
        "confidence": "HIGH",
        "context": "Dashboard hotfix utility",
        "action": "HUNT"
      },
      {
        "value": "32b9b9a82913dae5e40842f68791cc639fe690603ccc1d85fe1ae2e99b7bf26b",
        "filename": "beast-notify.py",
        "size_bytes": 3960,
        "confidence": "HIGH",
        "context": "Notification dispatcher (Telegram/Discord/webhook — channel unknown)",
        "action": "HUNT"
      },
      {
        "value": "96babe4f65d33dafcdb2425039012d5b2cf8c01b04d0680c5551482ccea27b64",
        "filename": "whm-hunter.py",
        "size_bytes": 20531,
        "confidence": "HIGH",
        "context": "Primary WHM credential harvester",
        "action": "HUNT"
      },
      {
        "value": "97cd91ad5e65c72e5a92be26477eb55e28fc89ecd8540ca62855effea34feefc",
        "filename": "harvest_whm.py",
        "size_bytes": 5504,
        "confidence": "HIGH",
        "context": "WHM credential harvester v1",
        "action": "HUNT"
      },
      {
        "value": "38f10f41e22192c4f342632f7997e18006eead2610af94712cba3e4220f6bd36",
        "filename": "harvest_whm_v2.py",
        "size_bytes": 7239,
        "confidence": "HIGH",
        "context": "WHM credential harvester v2",
        "action": "HUNT"
      },
      {
        "value": "2f0eafed073d01a909006f18136e46af5b7fb688814cbbed1dad024968d426fa",
        "filename": "harvest-v3.py",
        "size_bytes": 12395,
        "confidence": "HIGH",
        "context": "Generic credential harvester v3",
        "action": "HUNT"
      },
      {
        "value": "c8fe86a54d7fffc0ec89afd9b0988d69bf5b2177f23ddb5ac8940f364c03d766",
        "filename": "cpanel_aggressive.py",
        "size_bytes": 6383,
        "confidence": "HIGH",
        "context": "cPanel high-throughput aggressive variant",
        "action": "HUNT"
      },
      {
        "value": "9df3c0792e2a460825619999f87c0c19d34a74ca6bc4a7dfd80a64e94c68cc76",
        "filename": "cpanel-scan.sh",
        "size_bytes": 2862,
        "confidence": "HIGH",
        "context": "cPanel scan wrapper",
        "action": "HUNT"
      },
      {
        "value": "8132130bb306fc933d5ac92d6cf45024df92c4d9ee424e6a9774fbac9432cfb4",
        "filename": "plesk_scanner.py",
        "size_bytes": 8801,
        "confidence": "HIGH",
        "context": "Plesk control-panel scanner",
        "action": "HUNT"
      },
      {
        "value": "f1d3ac3c111c7684868a2e95b70630221b8287c6db68776b13867bd57b495106",
        "filename": "da_wm_scanner.py",
        "size_bytes": 10088,
        "confidence": "HIGH",
        "context": "DirectAdmin Webmail scanner",
        "action": "HUNT"
      },
      {
        "value": "972f5025f2675c20824d395271121205ce2b6e1054887845b9c28d62b989a3b6",
        "filename": "da_fast.py",
        "size_bytes": 4740,
        "confidence": "HIGH",
        "context": "DirectAdmin fast-mode scanner",
        "action": "HUNT"
      },
      {
        "value": "e7e5da0cdbeea894ea00db07d72da8ab2954b84867acf4a79ee612a57e8bdd49",
        "filename": "ssh_scanner.py",
        "size_bytes": 3888,
        "confidence": "HIGH",
        "context": "SSH credential / banner scanner",
        "action": "HUNT"
      },
      {
        "value": "e58ba18209f8fdbfb2a04f283dc2111cbc45fd1534068f2da20fb56c3e0313f4",
        "filename": "mass_scanner_v2.py",
        "size_bytes": 23144,
        "confidence": "HIGH",
        "context": "Mass scanner v2",
        "action": "HUNT"
      },
      {
        "value": "9df8d0da0dce17d061a870024f65f066c668c49c3b468727d6badbdd776a5880",
        "filename": "mass_scanner_v3.py",
        "size_bytes": 16855,
        "confidence": "HIGH",
        "context": "Mass scanner v3 (refactored)",
        "action": "HUNT"
      },
      {
        "value": "d0c714b71006ebb87ad3948cbe8b8d8713b7265651c7a64e619c19f5049bdf79",
        "filename": "mass_v4.py",
        "size_bytes": 12308,
        "confidence": "HIGH",
        "context": "Mass scanner v4",
        "action": "HUNT"
      },
      {
        "value": "1bede88ae4cddbaa413b4940485604863cb2bb72ece110d9c9394ad377e96622",
        "filename": "mass_v5.py",
        "size_bytes": 11677,
        "confidence": "HIGH",
        "context": "Mass scanner v5",
        "action": "HUNT"
      },
      {
        "value": "27316a2efb0fa2be4e1ba965f948a8816df75acfe0f30b53b0aaf8624694e098",
        "filename": "mass_v6.py",
        "size_bytes": 10758,
        "confidence": "HIGH",
        "context": "Mass scanner v6",
        "action": "HUNT"
      },
      {
        "value": "47e095505fefdcd5268575186a8355bdeb8846787b95c11148aaa27c35d47dac",
        "filename": "mass_v7.py",
        "size_bytes": 9614,
        "confidence": "HIGH",
        "context": "Mass scanner v7",
        "action": "HUNT"
      },
      {
        "value": "2c92c6d466f33204278d586bcbb4d341bd58362f2c5c904e3164aadf63a236c2",
        "filename": "mass_v8.py",
        "size_bytes": 10286,
        "confidence": "HIGH",
        "context": "Mass scanner v8 (current iteration)",
        "action": "HUNT"
      },
      {
        "value": "4829505f75518154d01ad16d658e4f95be4446d35f10497937197714cb471e1f",
        "filename": "mass_probe_v3.py",
        "size_bytes": 7261,
        "confidence": "HIGH",
        "context": "Lighter probe variant v3",
        "action": "HUNT"
      },
      {
        "value": "f6972b49f717274862cbef73bd91554726f1e0cae61ed72c5b6acda43c8aa128",
        "filename": "mass_probe_v4.py",
        "size_bytes": 9053,
        "confidence": "HIGH",
        "context": "Lighter probe variant v4",
        "action": "HUNT"
      },
      {
        "value": "29cfacedeec7112df7ac4796484afdd0507536d4377233d5580234b065f75b56",
        "filename": "masscan-boost.sh",
        "size_bytes": 3044,
        "confidence": "HIGH",
        "context": "Wrapper around masscan SYN scanner",
        "action": "HUNT"
      },
      {
        "value": "c635f3d808953584614e5128e9039f7644ad51cd903e32015f1cfdbaafea122d",
        "filename": "megahunt-fast.sh",
        "size_bytes": 4287,
        "confidence": "HIGH",
        "context": "Mass-hunt orchestration bash glue",
        "action": "HUNT"
      },
      {
        "value": "a892d7ea50d09f209c8a31439d4c6309143d465cd88ffcf23fb557f22dac5ec6",
        "filename": "unified_scanner.py",
        "size_bytes": 9948,
        "confidence": "HIGH",
        "context": "Multi-target scanner orchestrator",
        "action": "HUNT"
      },
      {
        "value": "6bf4e5e3f377c4ba6efabe2cb003479369e7347bf15d7de139b40bb259ad69ff",
        "filename": "deep_probe.py",
        "size_bytes": 10660,
        "confidence": "HIGH",
        "context": "Deeper / more thorough probing",
        "action": "HUNT"
      },
      {
        "value": "57abe6de4ecf88da092f22966d0caeda8266dc97d8c64cfaa157d301d917e95f",
        "filename": "persistent_scanner.py",
        "size_bytes": 12092,
        "confidence": "HIGH",
        "context": "Long-running state-persistent / restart-safe scanner",
        "action": "HUNT"
      },
      {
        "value": "94eb05de232d361bd8fd13a2f27b14602e1b47252ca1e67d4e8a8ac4bd6b113f",
        "filename": "fast-scan.py",
        "size_bytes": 2422,
        "confidence": "HIGH",
        "context": "Lightweight fast scanner",
        "action": "HUNT"
      },
      {
        "value": "217236a47ac38db476671b42382fe022d11665e07f42160df0f38cbb9b7e54a5",
        "filename": "poc-fixed.py",
        "size_bytes": 3754,
        "confidence": "HIGH",
        "context": "Operator-patched public PoC",
        "action": "HUNT"
      },
      {
        "value": "51ca6ee17451cd860ddf2f32ef5de86f178d15f479bfe75d256ca92c1ba0d217",
        "filename": "trace.py",
        "size_bytes": 1529,
        "confidence": "HIGH",
        "context": "Tracing utility",
        "action": "HUNT"
      },
      {
        "value": "f06598ef96511ee4e478759241d2902c1233ff46f4dca59ece6ce4f22e9be865",
        "filename": "trace2.py",
        "size_bytes": 2883,
        "confidence": "HIGH",
        "context": "Tracing utility v2",
        "action": "HUNT"
      },
      {
        "value": "99087c222ba3f8122fe122be1241f0aecbddfb8ecd783fd76cca99df33af4a8b",
        "filename": "trace_auth.py",
        "size_bytes": 4076,
        "confidence": "HIGH",
        "context": "Auth-flow tracing (useful for CRLF-injection exploit dev)",
        "action": "HUNT"
      },
      {
        "value": "8360ffe84d85ebce7082e69b05fca351796256de77430e90cd02c89487d33120",
        "filename": "gen-sessions.py",
        "size_bytes": 5754,
        "confidence": "HIGH",
        "context": "Session-cookie generator / forger",
        "action": "HUNT"
      },
      {
        "value": "0330a32ad6cce29a15e238ae1382dc590ff7b2675eef4bdb5b2844c7228bc684",
        "filename": "gen-beast-page.py",
        "size_bytes": 23650,
        "confidence": "HIGH",
        "context": "Phishing-page generator (Beast-branded)",
        "action": "HUNT"
      },
      {
        "value": "664022b84b1ec4bd0bda55fc277bdc232e627be090c37c0266e2505386a5b179",
        "filename": "gen-logins-instant.py",
        "size_bytes": 1361,
        "confidence": "HIGH",
        "context": "Quick login-URL/page generator",
        "action": "HUNT"
      },
      {
        "value": "9f4a96af8c27371bbae17a4f270e29fc4c1b852c83b5625607d123fc0b59802a",
        "filename": "BL & INV#VNSCM394790049.xls",
        "size_bytes": null,
        "confidence": "LOW",
        "context": "Urcbadur InfoStealer via CVE-2017-0199 on 216.126.224.181 in April 2026. LOW-MODERATE operator-attribution — most likely different RouterHosting tenant after operator vacated.",
        "action": "MONITOR"
      },
      {
        "value": "b08d31df351d1249adcae302db3bd5aea1f5e44255d40c2203ef0a2dd37e2f65",
        "filename": "样品订单确认.xls",
        "size_bytes": null,
        "confidence": "LOW",
        "context": "Urcbadur via CVE-2017-0199; multilingual aliases include Romanian and Bulgarian variants. LOW-MODERATE operator-attribution on .181",
        "action": "MONITOR"
      },
      {
        "value": "c0323da18895064aa7b5097885d2e71457e5928bc4ae00f367a28bd40859a7f0",
        "filename": "LGT81941.xls",
        "size_bytes": null,
        "confidence": "LOW",
        "context": "Alien InfoStealer via CVE-2017-0199 on .181. LOW-MODERATE operator-attribution.",
        "action": "MONITOR"
      },
      {
        "value": "dea988c96b02dbbcb36ed3edd096d9c7cf50b28feff461e16c9651fe0dd7c474",
        "filename": "BL  INV#VNSCM394790049.xls",
        "size_bytes": null,
        "confidence": "LOW",
        "context": "Urcbadur via CVE-2017-0199 on .181 (double-space variant). LOW-MODERATE operator-attribution.",
        "action": "MONITOR"
      },
      {
        "value": "526bd8c749afe3d281da4e65ec38c96e55748227ed8193e9a20e458381c68278",
        "filename": "mkaingbestchoiceforme[1].hta",
        "size_bytes": 2185960,
        "confidence": "LOW",
        "context": "ADKP downloader (~2.1MB obfuscated JS/VBS) on .181. LOW-MODERATE operator-attribution.",
        "action": "MONITOR"
      },
      {
        "value": "6a43ae28b6e6298b7b8f3a7a2afabfc260af20563591a416ab5a04865b5799c5",
        "filename": "goodpeopleswellmeans.hta",
        "size_bytes": null,
        "confidence": "LOW",
        "context": "HTA dropper on .181 (1/1 VT scan). LOW-MODERATE operator-attribution.",
        "action": "MONITOR"
      }
    ]
  },
  "network_indicators": {
    "ipv4": [
      {
        "value": "216.126.227.49",
        "port": 8888,
        "protocol": "TCP/HTTP",
        "purpose": "Current operator Flask C2 dashboard (Werkzeug/3.1.8, /login-2fa)",
        "asn": "AS14956 RouterHosting LLC",
        "confidence": "HIGH",
        "action": "BLOCK",
        "notes": "Active C2; also TCP/22 SSH open"
      },
      {
        "value": "144.172.103.253",
        "purpose": "Current operator Office 365 phishing host",
        "asn": "AS14956 RouterHosting LLC",
        "confidence": "HIGH",
        "action": "BLOCK"
      },
      {
        "value": "216.126.224.181",
        "purpose": "Prior operator multi-purpose host (Gen-1, supportsite.info Nov 2025 - Jan 2026)",
        "asn": "AS14956 RouterHosting LLC",
        "confidence": "HIGH",
        "action": "MONITOR",
        "notes": "April 2026 commodity-malware activity (Urcbadur/Alien/ADKP via CVE-2017-0199) on this IP is LOW-MODERATE operator-attributable; likely different tenant"
      },
      {
        "value": "144.172.105.176",
        "purpose": "Prior operator host (Gen-1)",
        "asn": "AS14956 RouterHosting LLC",
        "confidence": "MODERATE",
        "action": "MONITOR"
      },
      {
        "value": "144.172.97.151",
        "purpose": "Prior operator host (supportsite.info Sep 2025 + current mailmanagement.cfd)",
        "asn": "AS14956 RouterHosting LLC",
        "confidence": "MODERATE",
        "action": "MONITOR"
      },
      {
        "value": "45.61.128.128",
        "purpose": "Early operator IP (supportsite.info Feb-May 2025); medical/government BEC subdomains under *.invoicerequests.net may be different tenant",
        "asn": "AS14956 RouterHosting LLC",
        "confidence": "MODERATE",
        "action": "MONITOR"
      },
      {
        "value": "144.172.122.226",
        "purpose": "Earliest mailmanagement.cfd host",
        "asn": "AS14956 RouterHosting LLC",
        "confidence": "MODERATE",
        "action": "MONITOR"
      },
      {
        "value": "144.172.116.74",
        "purpose": "Operator IP - hosts mmnsdvrt8.eps-soltec.cloud + mrrbno.shop",
        "asn": "AS14956 RouterHosting LLC",
        "confidence": "HIGH",
        "action": "BLOCK"
      },
      {
        "value": "216.126.227.148",
        "purpose": "Operator IP - hosts www.supportsite.info + ltamaeropromoweb-ecuador-travel.shop",
        "asn": "AS14956 RouterHosting LLC",
        "confidence": "HIGH",
        "action": "BLOCK"
      },
      {
        "value": "38.143.66.193",
        "purpose": "Operator mail backend - hosts mx.plingest.com (shared MX across supportsite.info, adorarama.com, gocomper.com)",
        "asn": "AS63023 GTHost",
        "confidence": "HIGH",
        "action": "BLOCK",
        "notes": "Treat any inbound email whose sending host or Received: chain resolves to this IP as high-risk. An MX record only governs delivery TO the operator's domains, so outbound operator mail may originate from other hosts; also match on the sender domains that share this MX (supportsite.info, adorarama.com, gocomper.com)."
      },
      {
        "value": "172.237.149.231",
        "purpose": "Parklogic shared TDS landing infrastructure - operator parks 11 TDS landing domains here via customer account pkAId=2143526812",
        "asn": "AS63949 Akamai/Linode",
        "confidence": "MODERATE",
        "action": "MONITOR",
        "false_positive_risk": "HIGH - shared by all Parklogic customers; do not blocklist the IP without context"
      },
      {
        "value": "172.234.24.120",
        "purpose": "Parklogic shared TDS landing infrastructure family member",
        "asn": "AS63949 Akamai/Linode",
        "confidence": "MODERATE",
        "action": "MONITOR",
        "false_positive_risk": "HIGH - shared Parklogic infrastructure"
      }
    ],
    "ipv6": [],
    "domains": [
      {
        "value": "pernex.online",
        "registrar": "HOSTINGER (UAB)",
        "purpose": "Current operator ops domain - cert subject on 216.126.227.49",
        "confidence": "HIGH",
        "action": "BLOCK"
      },
      {
        "value": "eps-soltec.cloud",
        "registrar": "NameCheap",
        "org_id": "4b7a0912c26a13e2",
        "purpose": "Office 365 phishing (officebyt.e56sutx.eps-soltec.cloud)",
        "confidence": "HIGH",
        "action": "BLOCK"
      },
      {
        "value": "checkwithsec.online",
        "registrar": "NameCheap",
        "org_id": "4b7a0912c26a13e2",
        "purpose": "Security-service spoof (locks to eps-soltec via NameCheap org)",
        "confidence": "HIGH",
        "action": "BLOCK"
      },
      {
        "value": "tesaco.sbs",
        "registrar": "WEBCC",
        "org_id": "20c6e82190de8bc4",
        "purpose": "Staged for next campaign (parked on 127.0.0.1)",
        "confidence": "HIGH",
        "action": "BLOCK"
      },
      {
        "value": "mailmanagement.cfd",
        "registrar": "WEBCC",
        "org_id": "20c6e82190de8bc4",
        "purpose": "Email-management phishing (10/92 VT malicious)",
        "confidence": "HIGH",
        "action": "BLOCK"
      },
      {
        "value": "supportsite.info",
        "purpose": "Tech-support scam + Amazon spoof + M365 (12/92 VT malicious)",
        "confidence": "HIGH",
        "action": "BLOCK"
      },
      {
        "value": "kwpbby.in",
        "registrar": "Endurance Digital",
        "org_id": "8fc09420615ed80d",
        "purpose": "Disposable .in-TLD domain; categorized as Pornography/Scam",
        "confidence": "HIGH",
        "action": "BLOCK"
      },
      {
        "value": "plingest.com",
        "registrar": "GoDaddy",
        "purpose": "Operator MX backend host (mx.plingest.com)",
        "confidence": "HIGH",
        "action": "BLOCK"
      },
      {
        "value": "mx.plingest.com",
        "purpose": "Operator MX hostname - shared across supportsite.info, adorarama.com, gocomper.com",
        "confidence": "HIGH",
        "action": "BLOCK"
      },
      {
        "value": "mrrbno.shop",
        "purpose": "Current cert subject on operator IP 144.172.116.74",
        "confidence": "HIGH",
        "action": "BLOCK"
      },
      {
        "value": "ltamaeropromoweb-ecuador-travel.shop",
        "purpose": "Ecuador-travel-themed scam (LATAM Airlines spoof) on operator IP 216.126.227.148",
        "confidence": "HIGH",
        "action": "BLOCK"
      },
      {
        "value": "quick-barber.com",
        "registrar": "Spaceship",
        "purpose": "Brand-new local-business spoof (registered 2026-05-02)",
        "confidence": "HIGH",
        "action": "BLOCK"
      },
      {
        "value": "coinbase-co.cc",
        "registrar": "Dynadot",
        "org_id": "473daf17453d83cd",
        "purpose": "Coinbase spoof (15/92 VT malicious)",
        "confidence": "HIGH",
        "action": "BLOCK"
      },
      {
        "value": "receita-federal.com",
        "registrar": "Dynadot",
        "org_id": "473daf17453d83cd",
        "purpose": "Brazilian Federal Revenue spoof",
        "confidence": "HIGH",
        "action": "BLOCK"
      },
      {
        "value": "gocomper.com",
        "registrar": "Dynadot",
        "org_id": "473daf17453d83cd",
        "purpose": "TDS landing parent on Parklogic",
        "confidence": "HIGH",
        "action": "BLOCK"
      },
      {
        "value": "adorarama.com",
        "registrar": "Dynadot",
        "purpose": "TDS landing parent on Parklogic",
        "confidence": "HIGH",
        "action": "BLOCK"
      },
      {
        "value": "runwaylander.com",
        "registrar": "Dynadot",
        "purpose": "TDS landing parent on Parklogic",
        "confidence": "HIGH",
        "action": "BLOCK"
      },
      {
        "value": "runwaylanderplace.com",
        "registrar": "Dynadot",
        "purpose": "TDS landing parent on Parklogic",
        "confidence": "HIGH",
        "action": "BLOCK"
      },
      {
        "value": "runwaylanderhome.com",
        "registrar": "Dynadot",
        "purpose": "TDS landing parent on Parklogic",
        "confidence": "HIGH",
        "action": "BLOCK"
      },
      {
        "value": "runwaylanderspot.com",
        "registrar": "Dynadot",
        "purpose": "TDS landing parent (98 historical subdomains including ~30 operator kit-pattern UUID-format) on Parklogic",
        "confidence": "HIGH",
        "action": "BLOCK"
      },
      {
        "value": "runwaylanderlights.com",
        "registrar": "Dynadot",
        "purpose": "TDS landing parent on Parklogic",
        "confidence": "HIGH",
        "action": "BLOCK"
      },
      {
        "value": "runwayparking.com",
        "registrar": "Dynadot",
        "purpose": "TDS landing parent on Parklogic",
        "confidence": "HIGH",
        "action": "BLOCK"
      },
      {
        "value": "runwaylanderstreet.com",
        "registrar": "Dynadot",
        "purpose": "TDS landing parent on Parklogic",
        "confidence": "HIGH",
        "action": "BLOCK"
      },
      {
        "value": "kucoinsgem.xyz",
        "purpose": "KuCoin spoof (operator brand-spoof in TDS chain)",
        "confidence": "HIGH",
        "action": "BLOCK"
      },
      {
        "value": "yahoohelp.com",
        "registrar": "Rebel.com",
        "purpose": "Yahoo support spoof (HIGH-MONETIZED, ownership ambiguous - full operator infra pattern but Rebel org-hash differs)",
        "confidence": "MODERATE",
        "action": "MONITOR"
      },
      {
        "value": "promo-de-natal-livelo.com",
        "purpose": "Brazilian Livelo rewards spoof; resolves to operator MX backend",
        "confidence": "MODERATE",
        "action": "MONITOR"
      },
      {
        "value": "groundsstudio.com",
        "purpose": "Operator wildcard-DNS abuse (kjeywrgo.groundsstudio.com, _dmarc.qavfcyopzp.groundsstudio.com)",
        "confidence": "MODERATE",
        "action": "MONITOR"
      },
      {
        "value": "officebyt.e56sutx.eps-soltec.cloud",
        "purpose": "Operator Office 365 phishing subdomain",
        "confidence": "HIGH",
        "action": "BLOCK"
      },
      {
        "value": "mmnsdvrt8.eps-soltec.cloud",
        "purpose": "Operator kit-generated random subdomain (hosted on 144.172.116.74)",
        "confidence": "HIGH",
        "action": "BLOCK"
      },
      {
        "value": "mail.hcjs2.jlengineering.se",
        "purpose": "Operator-created afraid.org FreeDNS abuse subdomain (jlengineering.se is multi-tenant donor domain on afraid.org NS)",
        "confidence": "HIGH",
        "action": "BLOCK",
        "notes": "Do NOT blocklist apex jlengineering.se - it is a multi-tenant donor domain"
      }
    ],
    "urls": [
      {
        "value": "https://officebyt.e56sutx.eps-soltec.cloud/f/d6aba322369c",
        "purpose": "Office 365 phishing payload-fetch URL (/f/<12-hex> kit pattern)",
        "confidence": "HIGH",
        "action": "BLOCK"
      },
      {
        "value": "https://216.126.224.181/24/mkaingbestchoiceforme.hta",
        "purpose": "HTA dropper on Gen-1 box",
        "confidence": "MODERATE",
        "action": "BLOCK"
      },
      {
        "value": "http://216.126.224.181/23/goodpersonforbetterthings.hta",
        "purpose": "HTA dropper on Gen-1 box",
        "confidence": "MODERATE",
        "action": "BLOCK"
      },
      {
        "value": "http://216.126.224.181/22/evc/goodpeopleswellmeans.hta",
        "purpose": "HTA dropper on Gen-1 box",
        "confidence": "MODERATE",
        "action": "BLOCK"
      },
      {
        "value": "http://216.126.224.181/wem/img_191738.png",
        "purpose": "Phishing asset / tracking pixel on Gen-1 box",
        "confidence": "MODERATE",
        "action": "MONITOR"
      },
      {
        "value": "https://mgcountyks.invoicerequests.net/",
        "purpose": "Per-target invoice phish (US county-government BEC adjacency)",
        "confidence": "MODERATE",
        "action": "MONITOR",
        "notes": "Operator-attribution via IP co-tenancy at 45.61.128.128 only"
      }
    ],
    "email_addresses": [],
    "user_agents": []
  },
  "host_indicators": {
    "registry_keys": [],
    "file_paths": [
      {
        "value": "/cpanel-toolkit-export/",
        "context": "Operator toolkit bundle directory (was briefly exposed via python -m http.server on TCP/7777)",
        "confidence": "HIGH"
      },
      {
        "value": "/openclaw/2026.4.29/",
        "context": "OpenClaw AI agent platform install footprint on operator filesystem",
        "confidence": "HIGH"
      },
      {
        "value": "/asteroid/",
        "context": "Operator-internal project directory (contents unknown)",
        "confidence": "MODERATE"
      },
      {
        "value": "/krypto/",
        "context": "Operator-internal project directory (cryptography/wallet connotation)",
        "confidence": "MODERATE"
      },
      {
        "value": "/cdc_hunt/",
        "context": "Operator-internal project directory (possible Chrome DevTools Cookies hunt)",
        "confidence": "MODERATE"
      }
    ],
    "mutex_names": [],
    "service_names": [],
    "scheduled_tasks": [],
    "named_pipes": [],
    "machine_ids": [
      {
        "value": "6e3644a97f844763a34565b865d35310",
        "type": "Linux /etc/machine-id",
        "context": "Operator VM machine-ID leaked via systemd-private-tmp paths. Persistent across reboots, but it also propagates to VM clones and can be inherited from a provider disk image, so it is a same-VM-lineage pivot rather than proof of the same operator. If observed in any future open directory, leaked log or sample debug string, treat it as a HIGH-confidence lead and corroborate with at least one other indicator (ASN, registrar org-ID lock, toolkit hash) before attributing.",
        "confidence": "HIGH"
      }
    ]
  },
  "behavioral_indicators": {
    "c2_banner": [
      {
        "pattern": "HTTP Server: Werkzeug/3.1.8 Python/3.13.12 AND Location: /login-2fa AND status 302",
        "purpose": "Live operator C2 dashboard fingerprint for Shodan/Censys/FOFA peer-infrastructure hunting. The Werkzeug/Python version pair alone is common across unrelated Flask deployments; require the 302 redirect to /login-2fa as well, and confirm any hit against the other indicators before acting on it.",
        "confidence": "HIGH"
      }
    ],
    "tls_fingerprint": [
      {
        "value": "27d40d40d00040d00042d43d000000",
        "type": "JARM 30-char prefix (Gen-2 template)",
        "purpose": "Cross-IP operator template signal - CORROBORATING ONLY (Ubuntu + OpenSSL + Python + Let's Encrypt is too common standalone)",
        "confidence": "MODERATE",
        "false_positive_risk": "HIGH - shared by tens of thousands of legitimate Ubuntu/Python deployments"
      },
      {
        "value": "2ad2ad16d2ad2ad00042d42d000000",
        "type": "JARM Gen-1 prefix",
        "purpose": "Windows XAMPP default stack - very common public-internet signature; NOT a same-operator pivot",
        "confidence": "LOW",
        "false_positive_risk": "VERY HIGH"
      }
    ],
    "url_patterns": [
      {
        "pattern": "/?d=<source>&a=2143526812&s=<64-hex>",
        "purpose": "Operator Parklogic TDS URL shape - constant operator account ID 2143526812",
        "confidence": "HIGH"
      },
      {
        "pattern": "/f/<12-hex>",
        "purpose": "Operator phishing-kit payload-fetch URL pattern",
        "confidence": "HIGH"
      },
      {
        "pattern": "/<2-digit-numeric>/<wordlike>.hta",
        "purpose": "Gen-1 box HTA dropper URL pattern (operator-attribution LOW-MODERATE for April 2026 .181 activity)",
        "confidence": "MODERATE"
      }
    ],
    "subdomain_patterns": [
      {
        "pattern": "[<keyword>.]<5-9-char lowercase alphanumeric token>.<parent-domain>",
        "examples": "officebyt.e56sutx.eps-soltec.cloud, mmnsdvrt8.eps-soltec.cloud, kjeywrgo.groundsstudio.com, mail.hcjs2.jlengineering.se (tokens are alphanumeric, not hexadecimal, and may sit directly under the parent domain with no keyword label)",
        "purpose": "Operator kit-generated tokenized subdomain pattern (NOT full DGA - uses pre-registered parent domains)",
        "confidence": "HIGH"
      }
    ]
  },
  "registrar_org_locks": [
    {
      "registrar": "WEBCC (Web Commerce Communications, MY)",
      "org_id": "20c6e82190de8bc4",
      "domains": ["tesaco.sbs", "mailmanagement.cfd"],
      "confidence": "HIGH",
      "hunting_use": "Future operator domains registered through WEBCC with this org-ID hash are HIGH-confidence same-operator"
    },
    {
      "registrar": "NameCheap",
      "org_id": "4b7a0912c26a13e2",
      "domains": ["eps-soltec.cloud", "checkwithsec.online"],
      "confidence": "HIGH",
      "hunting_use": "Future operator domains registered through NameCheap with this org-ID hash are HIGH-confidence same-operator"
    },
    {
      "registrar": "Dynadot",
      "org_id": "473daf17453d83cd",
      "domains": ["gocomper.com", "coinbase-co.cc", "receita-federal.com"],
      "additional_likely_locked": ["adorarama.com", "runwaylander.com", "runwaylanderplace.com", "runwaylanderhome.com", "runwaylanderspot.com", "runwaylanderlights.com", "runwayparking.com", "runwaylanderstreet.com"],
      "confidence": "HIGH",
      "hunting_use": "Future operator domains registered through Dynadot with Super Privacy contact pattern matching this org-ID are HIGH-confidence same-operator"
    }
  ]
}
